Quotulatiousness

April 21, 2013

Documentary War for the Web includes final interview with Aaron Swartz

Filed under: Liberty, Media, Technology — Nicholas @ 08:51

CNET’s Declan McCullagh talks about an upcoming documentary release:

From Aaron Swartz’s struggles with an antihacking law to Hollywood’s lobbying to a raft of surveillance proposals, the Internet and its users’ rights are under attack as never before, according to the creators of a forthcoming documentary film.

The film, titled War for the Web, traces the physical infrastructure of the Internet, from fat underwater cables to living room routers, as a way to explain the story of what’s behind the high-volume politicking over proposals like CISPA, Net neutrality, and the Stop Online Piracy Act.

“People talk about security, people talk about privacy, they talk about regional duopolies like they’re independent issues,” Cameron Brueckner, the film’s director, told CNET yesterday. “What is particularly striking is that these issues aren’t really independent issues…. They’re all interconnected.”

The filmmakers have finished 17 lengthy interviews — including what they say is the last extensive one that Swartz, the Internet activist, gave before committing suicide in January — that have yielded about 24 hours of raw footage. They plan to have a rough cut finished by the end of the year, and have launched a fundraising campaign on Indiegogo that ends May 1. (Here’s a three-minute trailer.)

Swartz, who was charged under the Computer Fraud and Abuse Act, faced a criminal trial that would have begun this month and the possibility of anywhere from years to over a decade in federal prison for alleged illegal downloads of academic journal articles. He told the filmmakers last year, in an interview that took place after his indictment, that the U.S. government posed a more serious cybersecurity threat than hackers:

    They cracked into other countries’ computers. They cracked into military installations. They have basically initiated cyberwar in a way that nobody is talking about because, you know, it’s not some kid in the basement somewhere — It’s President Obama. Because it’s distorted this way, because people talk about these fictional kids in the basement instead of government officials that have really been the problem, it ends up meaning that cybersecurity has been an excuse to do anything…

    Now, cybersecurity is important. I think the government should be finding these vulnerabilities and helping to fix them. But they’re doing the opposite of that. They’re finding the vulnerabilities and keeping them secret so they can abuse them. So if we do care about cybersecurity, what we need to do is focus the debate not on these kids in a basement who aren’t doing any damage — but on the powerful people, the people paying lots of money to find these security holes who then are doing damage and refusing to fix them.

March 21, 2013

The technological imbalance between security and threats

Filed under: Government, Liberty, Technology — Nicholas @ 09:17

Bruce Schneier on the power of technology in a security context:

A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.

The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.

For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced?

I don’t think it can.

February 28, 2013

Cybersecurity … can it be anything more than fear + handwaving = “we must have a law!”

Filed under: Business, Government, Law, Technology — Nicholas @ 00:01

At Techdirt, Mike Masnick fisks “the worst article you might ever read about ‘Cybersecurity’”:

There has been a lot of discussion lately about “cybersecurity” “cyberwar” “cyberattacks” and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame “cyber-” prefix. This is, in large part, due to the return of CISPA along with the White House’s cybersecurity executive order. Of course, the unfortunate part is that we’re still dealing in a massive amount of hype about the “threats” these initiatives are trying to face. They’re always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = “we must have a law!”

However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it’s not at the top, it’s close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response. As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that it almost makes me wonder if the whole thing is a parody.

[. . .]

There’s been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it’s unclear that they’ve done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it’s “done something.”

Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That’s debatable, and we’re still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).

December 4, 2012

Tumblr gets trolled

Filed under: Media, Technology — Nicholas @ 09:58

The Register’s John Leyden on the JavaScript troubles inflicted on Tumblr the other day:

A worm spread like wildfire across Tumblr on Monday, defacing pages on the blogging website with an abusive message penned by a notorious trolling crew.

The outbreak was triggered by the GNAA, a group of anonymous troublemakers who get their kicks from winding up bloggers with offensive posts.

Tumblr temporarily halted the publication of new journal posts to prevent the worm from spreading further before restoring the service to normal a few hours later.

[. . .]

“It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” wrote Graham Cluley, senior technology consultant at Sophos.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post — our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” he added.
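The Sophos explanation above describes active content hidden from a post filter by base64-encoding it inside a data: URI. The following is an added example, not code from the original post, Tumblr or Sophos, of a server-side check a blogging platform could run on submitted markup: it finds data: URIs, decodes their bodies, and rejects any whose decoded content is not a plain image or contains script markers. The sample post and the hidden markup it carries are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample of user-submitted post markup. The iframe src is a
# data: URI whose base64 body hides a <script> element (inert filler here);
# the img src is the legitimate inline-image use of data: URIs.
HIDDEN_MARKUP = "<html><body><script>/* constructed filler */</script></body></html>"
SAMPLE_POST = (
    "<p>Check out my blog!</p>"
    '<iframe src="data:text/html;base64,'
    + base64.b64encode(HIDDEN_MARKUP.encode()).decode()
    + '"></iframe>'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

# data:<mime>[;param...],<body>  -- body runs until a quote, whitespace or '>'
DATA_URI_RE = re.compile(
    r"""data:(?P<mime>[\w/+.-]*)(?P<params>(?:;[\w=+.-]*)*),(?P<body>[^"'\s>]*)""",
    re.IGNORECASE,
)
# Markers of active content once the body has been decoded.
ACTIVE_MARKERS = re.compile(r"<script|javascript:|on\w+\s*=", re.IGNORECASE)
SAFE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def decode_data_uri(params, body):
    """Return the decoded payload of a data: URI as text (best effort)."""
    if ";base64" in params.lower():
        padded = body + "=" * (-len(body) % 4)  # tolerate stripped padding
        raw = base64.b64decode(padded, validate=False)
    else:
        raw = unquote(body).encode()
    return raw.decode("utf-8", errors="replace")


def find_risky_data_uris(html):
    """Return (mime_type, reason) pairs for data: URIs the post should not carry."""
    findings = []
    for m in DATA_URI_RE.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()
        if mime in SAFE_IMAGE_TYPES:
            continue  # inline images are the common legitimate use
        decoded = decode_data_uri(m.group("params"), m.group("body"))
        if ACTIVE_MARKERS.search(decoded):
            findings.append((mime, "decoded body contains active content"))
        else:
            findings.append((mime, "non-image data: URI"))
    return findings


def is_post_allowed(html):
    """Policy: reject the whole post if any risky data: URI is present."""
    return not find_risky_data_uris(html)


if __name__ == "__main__":
    for mime, reason in find_risky_data_uris(SAMPLE_POST):
        print(f"rejected data:{mime} -> {reason}")
    print("post allowed:", is_post_allowed(SAMPLE_POST))
```

The check deliberately decodes before inspecting, because a filter that only looks at the literal post text never sees the `<script` inside the base64 body. In a real platform this would sit alongside an allowlist-based HTML sanitizer rather than replace it; the point here is that the decoded content, not the encoded wrapper, is what has to be judged.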

December 3, 2012

The feudal technopeasant internet

Filed under: History, Liberty, Technology — Nicholas @ 11:20

Bruce Schneier on the less-than-appealing state of user security in today’s internet:

It’s a feudal world out there.

Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.

These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.

Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.

Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.

And it’s this model that’s starting to permeate computer security today.

November 12, 2012

Firefox users more likely to stay on old version longer than other browser users

Filed under: Technology — Nicholas @ 08:47

John Leyden summarizes the recent findings about how quickly users update their web browsers after a new release:

Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.

The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release — the remaining third are using even older code.

Internet Explorer is the most popular browser (used by 37.8 per cent of consumers), closely followed by Google Chrome (36.5 per cent). Firefox is in third place with 19.5 per cent.

Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.

Old-codgers Internet Explorer 6 and 7, with a combined share of 3.9 per cent, are still used by hundreds of thousands of punters worldwide.

October 27, 2012

Do you use a stupidly easy-to-guess password?

Filed under: Technology — Nicholas @ 11:15

SplashData has released an updated list of the top 25 passwords gleaned by hackers from stolen password files:

 #   Password    Change from 2011
 1   password    Unchanged
 2   123456      Unchanged
 3   12345678    Unchanged
 4   abc123      Up 1
 5   qwerty      Down 1
 6   monkey      Unchanged
 7   letmein     Up 1
 8   dragon      Up 2
 9   111111      Up 3
10   baseball    Up 1
11   iloveyou    Up 2
12   trustno1    Down 3
13   1234567     Down 6
14   sunshine    Up 1
15   master      Down 1
16   123123      Up 4
17   welcome     New
18   shadow      Up 1
19   ashley      Down 3
20   football    Up 5
21   jesus       New
22   michael     Up 2
23   ninja       New
24   mustang     New
25   password1   New

If you recognize any password on this list … do yourself a favour and change it to something not on the list, preferably using more characters (including upper and lower case letters, numbers, and symbols). And don’t use the same password on multiple sites! SplashData sells a password keeper application that is quite useful (I’ve been using it for years now), and is available for multiple platforms.

October 24, 2012

UN report says the internet is too vulnerable to terrorist use

Filed under: Liberty, Technology — Nicholas @ 14:21

Mike Masnick views with alarm a new UN report that deserves to be viewed with alarm:

Ah, the UN. As highlighted by Declan McCullagh, a new report from the United Nations Counter-Terrorism Implementation Task Force, clocking in at an unwieldy 158 pages (pdf) warns that this old internet of ours is just too damn open, and that means terrorists can use it. Thus, it has to stop the openness. The report really is just about that bad: if terrorists might misuse it, it’s bad and must be stopped. The costs of locking up all this openness are brushed aside, if they’re even considered at all. Among the problems? How about open WiFi?

    ISPs may require users to provide identifying information prior to accessing Internet content and services. The collection and preservation of identifying information associated with Internet data, and the disclosure of such information, subject to the appropriate safeguards, could significantly assist investigative and prosecutorial proceedings. In particular, requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations. While some countries, such as Egypt, have implemented legislation requiring ISPs to identify users before allowing them Internet access, similar measures may be undertaken by ISPs on a voluntary basis.

It seems like it should be a general rule that, if you’re supporting something that includes better surveillance tools by saying, “Hey, Egypt — the same country that recently had the people rise up to force out a dictator, who tried to shut down the internet — does it!” perhaps you don’t have a very good argument.

The report is basically one big “OMG! But… but… terrorists! Kill it!”

October 18, 2012

Domestic terrorism less common in the US now than in the past

Filed under: History, USA — Nicholas @ 10:42

At the Cato@Liberty blog, Benjamin Friedman looks at the history and compares it with today’s constant worry about US domestic terror operations:

Homegrown terrorism is not becoming more common and dangerous in the United States, contrary to warnings issued regularly from Washington. American jihadists attempting local attacks are predictably incompetent, making them even less dangerous than their rarity suggests.

Janet Napolitano, Secretary of Homeland Security, and Robert Mueller, Director of the Federal Bureau of Investigation, are among legions of experts and officials who have recently warned of a rise in homegrown terrorism, meaning terrorist acts or plots carried out by American citizens or long-term residents, often without guidance from foreign organisations.

But homegrown American terrorism is not new.

Leon Czolgosz, the anarchist who assassinated President McKinley in 1901, was a native-born American who got no foreign help. The same goes for John Wilkes Booth, Lee Harvey Oswald and James Earl Ray. The deadliest act of domestic terrorism in U.S. history, the 1995 Oklahoma City Bombing, was largely the work of New York-born Gulf War vet, Timothy McVeigh.

As Brian Michael Jenkins of RAND notes, there is far less homegrown terrorism today than in the 1970s, when the Weather Underground, the Jewish Defense League, anti-Castro Cuban exile groups, and the Puerto Rican Nationalists of the FALN were setting off bombs on U.S. soil.

[. . .]

After September 11, the FBI received a massive boost in counterterrorism funding and shifted a small army of agents from crime-fighting to counterterrorism. Many joined new Joint Terrorism Task Forces. Ambitious prosecutors increasingly looked for terrorists to indict. Most states stood up intelligence fusion centers, which the Department of Homeland Security (DHS) soon fed with threat intelligence.

The intensification of the search was bound to produce more arrests, even without more terrorism, just as the Inquisition was sure to find more witches. Of course, unlike the witches, only a minority of those found by this search are innocent. But many seem like suggestible idiots unlikely to have produced workable plots without the help of FBI informants or undercover agents taught to induce criminal conduct without engaging in entrapment.

October 5, 2012

IT security magazine gets trolled

Filed under: Humour, Media, Technology — Nicholas @ 08:04

At The Register, John Leyden talks about the researchers who finally got sick of being asked to write articles (unpaid) for the “biggest IT security magazine in the world”:

Security researchers have taken revenge on a publishing outlet that spams them with requests to write unpaid articles — by using a bogus submission to satirise the outlet’s low editorial standards.

Hakin9 rather grandly bills itself as the “biggest IT security magazine in the world”, published for 10 years, and claims to have a database of 100,000 IT security specialists. Many of these security specialists are regularly spammed with requests to submit articles, without receiving any payment in return.

Rather than binning another of its periodic requests, a group of researchers responded with a nonsensical article entitled DARPA Inference Checking Kludge Scanning, which Warsaw-based Hakin9 published in full, apparently without checking. The gobbledygook treatment appeared as the first chapter in a recent eBook edition of the magazine about Nmap, the popular security scanner.

In reality there’s no such thing as DARPA Inference Checking Kludge Scanning (or DICKS, for short) and the submission was a wind-up. Nonetheless an article entitled Nmap: The Internet Considered Harmful — DARPA Inference Checking Kludge Scanning appeared as the lead chapter in a recent eBook guide on Nmap by Hakin9.

July 12, 2012

Säkerhetsbloggen does some preliminary analysis of Yahoo’s 453,000 leaked passwords

Filed under: Technology — Nicholas @ 10:01

As we’ve noticed before, there are lots of really, really bad passwords in use:

Recently, Ars Technica reported about a leak by “D33ds Company” of more than 450.000 plain-text accounts from a Yahoo service, which is suspected to be Yahoo Voice.

Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.

[. . .]

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Other bits of password-related idiocy are here.
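The Säkerhetsbloggen figures above (total entries, unique entries, top-10 with percentages) and the SplashData top-25 list from the October 27 post are the two halves of the same exercise: tallying what people actually choose, then refusing the worst of it. The following added example, written for this page and not taken from either source, does both over a constructed dump: it reproduces the summary statistics, measures how much of the dump sits on the SplashData list, and applies a blocklist-plus-length policy to a candidate password. The `SAMPLE_DUMP` credentials and their counts are made up; only the blocklist contents come from the page.

```python
from collections import Counter

# Constructed stand-in for a leaked plain-text credential dump (user:password).
# These accounts and counts are invented and are not the Yahoo figures.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:123456
dave@example.com:Tr0ub4dor&3
erin@example.com:123456
frank@example.com:password
grace@example.com:qwerty
heidi@example.com:correct horse battery staple
ivan@example.com:welcome
judy@example.com:123456
"""

# The SplashData 2012 top-25 list quoted on this page, used as a blocklist.
TOP_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang", "password1",
}


def parse_dump(text):
    """Split 'user:password' lines; the password may itself contain ':'."""
    passwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, pwd = line.split(":", 1)
        passwords.append(pwd)
    return passwords


def summarize(passwords, top_n=10):
    """Return total, unique count and the top-N (password, count, percent) triples,
    the same shape as the Säkerhetsbloggen summary."""
    counts = Counter(passwords)
    total = len(passwords)
    top = [(p, c, round(100 * c / total, 2)) for p, c in counts.most_common(top_n)]
    return {"total": total, "unique": len(counts), "top": top}


def blocklist_hits(passwords, blocklist=TOP_PASSWORDS):
    """How many entries (count, percent) are on the blocklist, case-insensitively."""
    if not passwords:
        return 0, 0.0
    hits = sum(1 for p in passwords if p.lower() in blocklist)
    return hits, round(100 * hits / len(passwords), 2)


def is_acceptable(candidate, blocklist=TOP_PASSWORDS, min_len=12):
    """Policy check: not on the blocklist, at least min_len characters, and not
    a blocklisted word with trailing digits or '!' tacked on ('welcome2013!')."""
    lowered = candidate.lower()
    if lowered in blocklist or len(candidate) < min_len:
        return False
    stripped = lowered.rstrip("0123456789!")
    return stripped not in blocklist


if __name__ == "__main__":
    pwds = parse_dump(SAMPLE_DUMP)
    stats = summarize(pwds)
    print(f"Total entries = {stats['total']}")
    print(f"Total unique entries = {stats['unique']}")
    for p, c, pct in stats["top"]:
        print(f"{p} = {c} ({pct}%)")
    print("on SplashData list:", blocklist_hits(pwds))
    for cand in ("password1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{cand!r} acceptable: {is_acceptable(cand)}")
```

The trailing-suffix strip in `is_acceptable` exists because of the `password1` entry at the bottom of the SplashData table: a blocklist that only matches exact strings lets every "add a 1" variant straight through. A length floor on its own is also not enough, since "Tr0ub4dor&3" style substitutions are short and predictable; the two checks together reject both failure modes.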

May 30, 2012

New in the battle against Somali pirates: private convoys

Filed under: Africa, Middle East, Military — Nicholas @ 09:40

At the BBC News site, Martin Plaut reports on the latest attempt to quell piracy off the shores of Somalia:

Off the pirate-infested waters of Somalia, a new force is taking shape.

The private company Typhon is preparing to operate alongside the world’s navies, offering protection to cargo vessels sailing around the Horn of Africa.

But unlike other private security firms which put guards on board other people’s ships, it will offer vessels of its own.

The chief executive of Typhon, Anthony Sharpe, says the plan is to rendezvous with cargo ships which sign up for their protection and form them into a convoy.

The company says it will establish what it is describing as an exclusion zone of one kilometre around the ships.

The company is buying three boats, which are currently being fitted out in Singapore.

Each of its craft will have up to 40 security officers, drawn from former British Royal Marines, as well as a crew of 20.

The ships will be fitted with machine guns and the staff will have rifles.

April 10, 2012

The easy days of piracy are fading rapidly

Filed under: Africa, Middle East, Military — Nicholas @ 09:05

Strategy Page has an update on the anti-piracy efforts off the Somalian coastline:

After two years of immense prosperity, the last year has been a disaster for the Somali pirates. For example, in the last eight months, only six ships have been captured, compared to 36 ships in the same eight month period a year ago. Pirate income is down 80 percent and expenses are up. Pirates have to spend more time at sea looking for a potential target, and when they find one, they either fail in their boarding efforts (because of armed guards, or better defense and more alert crews) or find anti-piracy patrol warships and armed helicopters showing up. Unlike in the past, the patrol now takes away the pirates’ weapons and equipment, sinks their mother ships and dumps the pirates back on a beach. The pirates claim that some members of the anti-piracy patrol simply kill pirates they encounter on the high seas (some nations have admitted doing this, at least once, in the past). But no one does this as official policy, and the rules are still basically “catch and release.” The big change is that the patrol has become much better at detecting pirates, on captured fishing ships, and shutting these pirates down. Often the pirates bring along the crew of the fishing ships, to help with the deception. But the patrol knows which fishing ships have “disappeared” and quickly identifies those missing ships it encounters, and usually finds pirates in charge. The anti-piracy patrol also has maritime reconnaissance aircraft that seek to spot mother ships as they leave pirate bases on the north Somali coast, and direct a warship to intercept and shut down those pirates. The pirates have been losing a lot of equipment, and time, and money needed to pay for it.

[. . .]

Pirates have responded by finding new targets (ships anchored off ports waiting for a berth) and using new tactics (using half a dozen or more speedboats for an attack). The pirates still have a powerful incentive to take ships. In 2010, for example, pirates got paid over $200 million in ransom. The year before that it was $150 million. Most of that was taken by the pirate gang leaders, local warlords and the Persian Gulf negotiators who deal with the shipping companies. But for the pirates who took the ship, then helped guard it for months until the money was paid, the take was still huge. Pirates who actually boarded the ship tend to receive at least $150,000 each, which is ten times what the average Somali man makes over his entire lifetime. Even the lowest ranking member of the pirate gang gets a few thousand dollars per ransom. The general rule is that half the ransom goes to the financiers, the gang leaders and ransom negotiators. About a quarter of the money goes to the crew that took the ship, with a bonus for whoever got on board first. The pirates who guard the ship and look after the crew get ten percent, and about ten percent goes to local clans and warlords, as protection money (or bribes).

[. . .]

For the last four years, Somali pirates have been operating as far east as the Seychelles, which are a group of 115 islands 1,500 kilometers from the African coast. The islands have a total population of 85,000 and no military power to speak of. They are defenseless against pirates. So are many of the ships moving north and south off the East Coast of Africa. While ships making the Gulf of Aden run know they must take measures to deal with pirate attacks (posting lookouts 24/7, training the crew to use fire hoses and other measures to repel boarders, hanging barbed wire on the railings and over the side to deter boarders), this is not so common for ships operating a thousand kilometers or more off the east coast of Africa. Ships in this area were warned last year that they were at risk. Now, the pirates are out in force, demonstrating that the risk is real.

April 1, 2012

“Off the Somali coast, everyone is looking for a big payday”

Filed under: Africa, Law, Military — Nicholas @ 11:54

Strategy Page on recent developments in the anti-piracy campaign off the Somali coast:

To get around laws, in many ports, forbidding weapons aboard merchant ships, security companies operating off the Somali coast have equipped small ships to serve as floating arsenals. The security guards board, in port, the merchant ships they are guarding, then meet up with the gun ship in international waters so the guards can get their weapons and ammo. The process is reversed when the merchant ships approach their destinations or leave pirate-infested waters (and put the armed guards off onto the gun ship). Maritime lawyers fret that there are no proper laws to regulate these floating armories, or that if there are applicable laws, everyone is not following them. It’s also feared that some enterprising lawyers will seek to represent the families of pirates shot by these armed guards. Off the Somali coast, everyone is looking for a big payday.

In the last three years, more and more merchant ships, despite the high expense, have hired armed guards when travelling near the “Pirate Coast” of Somalia. It began when France put detachments of troops on tuna boats operating in the Indian Ocean, and Belgium then supplied detachments of soldiers for Belgian ships that must move near the Somali coast. These armed guards are not cheap, with detachments costing up to $200,000 a week. There are now over a dozen private security companies offering such services. What makes the armed guards so attractive is the fact that no ship carrying them has ever been captured by pirates. That may eventually change, but for the moment, the pirates avoid ships carrying armed guards and seek less well-defended prey.

November 25, 2011

This explains why Google dropped out of my “referer site” log

Filed under: Administrivia, Technology — Nicholas @ 12:24

John Leyden explains how a change in the way Google handled search requests was reflected in my blog’s referer log by Bing suddenly becoming the top search engine for folks visiting Quotulatiousness:

Google made secure search the default option for logged in users last month — primarily for privacy protection reasons. But the move has had the beneficial side-effect of making life difficult for fraudsters seeking to manipulate search engine rankings in order to promote scam sites, according to security researchers.

Users signed into Google were offered the ability to send search queries over secure (https) connections last month. This meant that search queries sent while using insecure networks, such as Wi-Fi hotspots, are no longer visible (and easily captured) by other users on the same network.

However, Google also made a second (under-reported) change last month by omitting the search terms used to reach websites from the HTTP referrer header, where secure search is used. The approach means it has become harder for legitimate websites to see the search terms surfers fed through Google before reaching their website, making it harder for sites to optimise or tune their content without using Google’s analytics service.

I’d assumed that there had been some kind of change in the way Google was handling searches, because even though Google pretty much disappeared from my logs (having been the #1 referring site forever), the volume of traffic remained about the same.
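The effect described above is visible in an ordinary web server log: a Google referrer that used to carry `q=<search terms>` either arrives without the query string or, when the search page was served over HTTPS and the blog over plain HTTP, does not arrive at all (browsers suppress the Referer header on a secure-to-insecure transition, per RFC 2616 §15.1.3). The following is an added example, written for this page and not the blog's own tooling, of a small referer-log analyzer that parses Apache combined-format lines, classifies each referrer by search engine, and counts how many of an engine's hits still carry search terms. The log lines, hosts and addresses are constructed; the `https://www.google.com/` referrer with no query stands in for the post-change behaviour described in the quote and is not a claim about Google's exact current format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not from this blog's real log).
# Line 1: pre-change style Google referrer with q=; line 2: post-change
# https referrer with no query; line 4: no Referer header sent at all.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2011:10:01:12 -0500] "GET /2011/11/post/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=quotulatiousness+referer" "Mozilla/5.0"
203.0.113.6 - - [25/Nov/2011:10:02:40 -0500] "GET /2011/11/post/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2011:10:03:01 -0500] "GET /2011/11/post/ HTTP/1.1" 200 5120 "http://www.bing.com/search?q=somali+pirates+convoy" "Mozilla/5.0"
203.0.113.8 - - [25/Nov/2011:10:05:55 -0500] "GET /2011/11/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Nov/2011:10:07:13 -0500] "GET /2011/11/post/ HTTP/1.1" 200 5120 "http://example.org/links" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Host patterns for the engines we care about; everything else is 'other'.
SEARCH_ENGINES = {
    "google": re.compile(r"(^|\.)google\."),
    "bing": re.compile(r"(^|\.)bing\.com$"),
    "yahoo": re.compile(r"(^|\.)search\.yahoo\."),
}


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_referer(referer):
    """Return (engine, search_terms). engine is 'none' when no Referer was sent,
    'other' for non-search hosts; search_terms is None when no q= is present."""
    if referer in ("", "-"):
        return "none", None
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    engine = next((name for name, pat in SEARCH_ENGINES.items() if pat.search(host)), "other")
    terms = None
    if engine != "other":
        q = parse_qs(parts.query).get("q", [""])[0].strip()
        terms = q or None
    return engine, terms


def referer_report(log_text):
    """Per engine: how many hits arrived, and how many of them still carried terms."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        engine, terms = classify_referer(rec["referer"])
        entry = report.setdefault(engine, {"hits": 0, "with_terms": 0})
        entry["hits"] += 1
        if terms:
            entry["with_terms"] += 1
    return report


if __name__ == "__main__":
    for engine, entry in referer_report(SAMPLE_LOG).items():
        print(f"{engine:7s} hits={entry['hits']} with_terms={entry['with_terms']}")
```

Run over a real log, the `google` row's `with_terms` count is the number that drops after the change while its `hits` count need not; the `none` row is where the secure-to-insecure visitors land, which is why an HTTP-only site sees its top referrer "disappear" even though traffic holds steady.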
