Quotulatiousness

November 25, 2011

This explains why Google dropped out of my “referer site” log

Filed under: Administrivia, Technology — Nicholas @ 12:24

John Leyden explains how a change in the way Google handled search requests was reflected in my blog’s referer log by Bing suddenly becoming the top search engine for folks visiting Quotulatiousness:

Google made secure search the default option for logged in users last month — primarily for privacy protection reasons. But the move has had the beneficial side-effect of making life difficult for fraudsters seeking to manipulate search engine rankings in order to promote scam sites, according to security researchers.

Users signed into Google were offered the ability to send search queries over secure (https) connections last month. This meant that search queries sent while using insecure networks, such as Wi-Fi hotspots, are no longer visible (and easily captured) by other users on the same network.

However Google also made a second (under-reported) change last month by omitting the search terms used to reach websites from the HTTP referrer header, where secure search is used. The approach means it has become harder for legitimate websites to see the search terms surfers fed through Google before reaching their website, making it harder for sites to optimise or tune their content without using Google’s analytics service.

I’d assumed that there had been some kind of change in the way Google was handling searches, because even though Google pretty much disappeared from my logs (having been the #1 referring site forever), the volume of traffic remained about the same.
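The mechanism behind that log change can be modelled in a few lines. Browsers have long followed the rule in RFC 2616 §15.1.3 (later given the name “no-referrer-when-downgrade”): a page served over https: sends no Referer at all when it links to a plain http: page, so a blog served over plain HTTP simply stops seeing logged-in Google searches as Google referrals. The script below is an added example, not code from the post or from The Register’s article; the blog URL, the search URLs and the visit list are constructed sample data, and the tally function shows how the referrer counts shift under that rule.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs


def referer_header(referring_url, target_url):
    """Referer value a browser sends under the long-standing default
    (RFC 2616 s15.1.3, later named 'no-referrer-when-downgrade'):
    nothing at all when an https: page links to a plain http: page,
    otherwise the referring URL minus its fragment."""
    src, dst = urlparse(referring_url), urlparse(target_url)
    if src.scheme == "https" and dst.scheme == "http":
        return None
    return src._replace(fragment="").geturl()


def search_terms(referer):
    """Extract the 'q' query parameter from a search-engine Referer, if any."""
    if not referer:
        return None
    q = parse_qs(urlparse(referer).query).get("q")
    return q[0] if q else None


def referrer_tally(visits):
    """Count referring hosts the way a blog's log would see them.
    visits: list of (referring_url, target_url) pairs; visits whose
    Referer is suppressed land in the 'direct/none' bucket."""
    tally = Counter()
    for ref_url, target in visits:
        hdr = referer_header(ref_url, target)
        tally[urlparse(hdr).hostname if hdr else "direct/none"] += 1
    return tally


# Constructed sample: the blog is served over plain http (placeholder host);
# Google searches come from logged-in (https) users, Bing searches are http.
BLOG = "http://blog.example/2011/11/"
SAMPLE_VISITS = [
    ("https://www.google.com/search?q=quotulatiousness", BLOG),
    ("https://www.google.com/search?q=gurkha+security+g4s", BLOG),
    ("https://www.google.com/search?q=splashdata+passwords", BLOG),
    ("http://www.bing.com/search?q=quotulatiousness", BLOG),
    ("http://www.bing.com/search?q=rick+mercer+border", BLOG),
]

if __name__ == "__main__":
    for ref_url, target in SAMPLE_VISITS:
        hdr = referer_header(ref_url, target)
        print(f"{hdr!r:55} terms={search_terms(hdr)!r}")
    print(referrer_tally(SAMPLE_VISITS).most_common())
```

Run as written, the three Google visits fall into the “direct/none” bucket and Bing becomes the top referring host even though Google sent more traffic, which is exactly the pattern the post describes.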

November 19, 2011

Internet users’ password security still hasn’t improved

Filed under: Technology — Nicholas @ 10:03

Do you use any of the following terms as your password? If so, congratulations, you’re helping keep the rest of us from being as easily hacked as you are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

This list is from SplashData, who produce (among other things) a password-keeper utility. Last year, Gawker published the 50 top passwords in a graphic:
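The practical use of a list like this is on the server side: reject a proposed password when it, or a trivial variant of it, is on the list. The checker below is an added example, not code from the post or from SplashData; it uses the 25 entries above as its blocklist, folds case, strips a trailing run of digits and punctuation (so “Password1!” collides with “password”) and undoes common letter-for-digit substitutions (so “passw0rd” collides too). The minimum length of 8 is taken from NIST SP 800-63B; the normalisation rules are this example’s own choices.

```python
import re

# The 25 entries from the SplashData list quoted above.
SPLASHDATA_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Undo the usual letter-for-digit substitutions ('passw0rd' -> 'password').
_LEET = str.maketrans("013457$@", "oieastsa")


def normalize(pw):
    """Canonical form for blocklist comparison: lower-case, trailing digits
    and punctuation dropped ('Password1!' -> 'password'), then leet
    substitutions undone. An all-digit string keeps its digits so that
    '123456' still has something left to compare."""
    p = pw.lower()
    core = re.sub(r"[\W\d_]+$", "", p) or p
    return core.translate(_LEET)


# Both sides of the comparison go through the same normalisation.
BLOCKLIST = {normalize(p) for p in SPLASHDATA_2011}


def is_common_password(candidate, blocklist=BLOCKLIST):
    """True if the candidate, or a trivial variant of it, is on the list."""
    return normalize(candidate) in blocklist


def password_problems(candidate, min_len=8, blocklist=BLOCKLIST):
    """Reasons to reject a proposed password (empty list means acceptable).
    min_len=8 follows the NIST SP 800-63B floor for user-chosen secrets."""
    problems = []
    if len(candidate) < min_len:
        problems.append("too short")
    if is_common_password(candidate, blocklist):
        problems.append("on common-password blocklist")
    return problems


if __name__ == "__main__":
    for pw in ["monkey", "Password1!", "PASSW0RD", "TrustNo1", "Tr0ub4dor&3"]:
        print(f"{pw!r:15} -> {password_problems(pw) or 'ok'}")
```

In production the blocklist would be the full breach-derived list rather than the top 25, and the check runs at enrolment and password change, never as a hint shown to an attacker at login.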

Here’s a word cloud from an earlier post on passwords:

Other posts on this topic: opportunities for humour with your bank’s secret questions, xkcd on the paradox of passwords, Passwords and the average user, More on passwords, And yet more on passwords, and Practically speaking, the end is in sight for passwords.

November 14, 2011

Retired Gurkha soldiers changing the face of security services in Britain

Filed under: Asia, Britain, Military — Nicholas @ 12:14

An interesting article at the BBC website details how many retired Gurkha soldiers have found civilian careers in security a good follow-up to their military service:

It has been suggested that some Gurkhas are struggling to cope with the cost of living in the UK, with the British Gurkha Welfare Society saying about 25,000 of those who retired before 1997 still only receive a third of the pension of their British and Commonwealth former comrades.

But a recent study suggested that Gurkhas of working age are the most economically active and self-reliant social group in Britain.

The University of Kent research found the employment rates among Gurkha men and women are particularly high, at 95% for men under 60 and 93% for women under that age.

It also showed that security is the most popular job for male veterans. Ex-military people joining the security industry is nothing new, but security companies are capitalising on the Gurkhas’ formidable reputation.

G4S set up Gurkha Services in 2007 and it now employs at least 600 people across 27 contracts.

They are involved in guarding the UK’s “critical infrastructure”, such as power stations and railways, from vandals, protesters and thieves. Rarely a day goes by without some story about how cable theft has disrupted a train journey or caused a power outage. Now Gurkhas are the new front line against the crime wave.

October 16, 2011

Rick Mercer on the (secret) border security negotiations

Filed under: Cancon, Government, USA — Nicholas @ 10:42

September 10, 2011

How much damage to personal liberty will the new US/Canadian security deal inflict?

Filed under: Cancon, Economics, Liberty, USA — Nicholas @ 11:35

An article in the Globe and Mail discusses — in very general terms — the new security deal negotiated between the US and Canadian governments:

U.S. and Canadian negotiators have successfully concluded talks on a new deal to integrate continental security and erase obstacles to cross-border trade.

Negotiators have reached agreement on almost all of the three dozen separate initiatives in the Beyond the Border action plan, said sources who cannot be named because they are not authorized to speak publicly on the matter. The few remaining items mostly involve questions of wording and should be settled in time for an announcement in late September.

[. . .]

Opponents have raised alarms that an agreement would cost Canadians both sovereignty and personal privacy. But failure to implement the agreements could further impair the world’s most extensive trading relationship, and put manufacturing jobs across the country at risk.

Details of the agreement are closely held. But goals outlined earlier include specific proposals to co-ordinate and align such things as biometrics on passports, watch lists, inspection of containers at overseas ports and other security measures.

[. . .]

Canadians who believe that the United States has sold its liberty because of fears for its security, or who resist any further economic integration with the troubled economic giant, are likely to oppose the Beyond the Border proposals.

I don’t oppose trade with the US — far from it — but I do feel very strongly that the US has reduced the liberties of its citizens in pursuit of security (check the topic SecurityTheatre for lots of examples). I don’t want to see that trend exported to Canada in exchange for better economic access to their markets.

September 9, 2011

Opportunities for humour with your bank’s “secret questions”

Filed under: Humour, Technology — Nicholas @ 09:15

If you do online banking, you’ve probably been asked to provide additional security checks beyond your userid and password. Some banks only allow you to select answers from pre-selected questions, but others get you to provide both the question and the answer. In a post from more than a year back, Bruce Schneier offers a few combinations that lighten the mood (and there are lots of funny — and weird — suggestions in the comment thread):

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

August 16, 2011

Charles Stross on the future of network security

Filed under: Science, Technology — Nicholas @ 12:40

Charles isn’t a professional in network security, but he has a good track record of exploring the consequences of new technology in his science fiction works. He was invited to give the keynote address at the 2011 USENIX conference.

Unlike you, I am not a security professional. However, we probably share a common human trait, namely that none of us enjoy looking like a fool in front of a large audience. I therefore chose the title of my talk to minimize the risk of ridicule: if we should meet up in 2061, much less in the 26th century, you’re welcome to rib me about this talk. Because I’ll be happy to still be alive to rib.

So what follows should be seen as a farrago of speculation by a guy who earns his living telling entertaining lies for money.

The question I’m going to spin entertaining lies around is this: what is network security going to be about once we get past the current sigmoid curve of accelerating progress and into a steady state, when Moore’s first law is long since burned out, and networked computing appliances have been around for as long as steam engines?

I’d like to start by making a few basic assumptions about the future, some implicit and some explicit: if only to narrow the field.

August 10, 2011

xkcd on the paradox of passwords

Filed under: Humour, Technology — Nicholas @ 10:10

He’s absolutely right, you know . . .

June 22, 2011

Carr: LulzSec versus the CIA

Filed under: Government, Technology, USA — Nicholas @ 07:50

Paul Carr is somewhat dismissive of the hacking exploits of the LulzSec group:

For the past few weeks, a hacker collective called LulzSec has been leading American and British authorities a merry dance. The group’s targets are seemingly random – Sony, the CIA, contestants of a reality TV show, the Serious Organised Crime Agency (Soca) – but their stated motive has remained constant: “we’re doing it for laughs”, or, to put it in internet parlance, “lulz”.

If one is to believe the media coverage – particularly here in the US – no one is safe from the ingenious hackers and their devilishly complex attacks. The truth is, there’s almost nothing ingenious about what LulzSec is doing: CIA and Soca were not “hacked” in any meaningful sense, rather their public websites were brought down by an avalanche of traffic — a so-called “distributed denial-of-service” (DDoS) attack. Given enough internet-enabled typewriters, a mentally subnormal monkey could launch a DDoS attack — except that mentally subnormal monkeys have better things to do with their time.

Even the genuine hacks are barely worthy of the word. Many large organisations use databases with known security holes that can easily be exploited by anyone who has recently completed the first year of a computer science degree: it’s no coincidence that so many of these hacker collectives appear towards the end of the academic year.

June 19, 2011

Cyber-espionage in theory and practice

Filed under: China, Government, Military, Technology, USA — Nicholas @ 09:50

An interesting article at Strategy Page discussing online espionage:

Firms with the most to lose, like financial institutions, guard their data most successfully. They do this the old-fashioned way, with layers and layers of security, implemented by the best (and most highly paid) people and pushed by senior managers who take the time to learn about what they are dealing with, and what it will take to stay on top of the problem.

It’s different in the defense business. If the Chinese steal data on some new weapon, there might be a problem years down the road, when the Chinese offer a cheaper alternative to an American weapon, for the export market. But even that problem has a silver lining, in that you can get away with insisting that those clever Chinese developed your technology independently. Meanwhile, everyone insists that there was no espionage, cyber or traditional, involved. As a further benefit, the American firm will get more money from a terrified government, in order to maintain the American technical edge. It’s the same general drill for military organizations. But for financial institutions, especially those that trade in fast moving currency, derivatives and bond markets, any information leaks can have immediate, and calamitous consequences. You must either protect your data, or die.

It’s not exactly a secret that China has been active in this area, but the extent of their official activity is hard to state. However, just as non-state actors take advantage of individuals who fail to use anti-virus software on their computers, ignorance and apathy are tools for state actors:

But the biggest problem, according to military Cyber War commanders, is the difficulty in making it clear to political leaders, and non-expert (in Internet matters) military commanders, what the cyber weapons are, and the ramifications of the attacks. Some types of attacks are accompanied by the risk of shutting down much, or all, of the Internet. Other types of operations can be traced back to the source. This could trigger a more conventional, even nuclear, response. Some attacks use worms (programs that, once unleashed, keep spreading by themselves.) You can program worms to shut down after a certain time (or when certain conditions are met). But these weapons are difficult, often impossible, to test “in the wild” (on the Internet). By comparison, nuclear weapons were a new, very high-tech, weapon in 1945. But nukes were easy to understand; it was a very powerful bomb. Cyber weapons are much less predictable, and that will make them more difficult for senior officials to order unleashed.

So the first order of business is to develop reliable techniques to quickly, and accurately, educate the senior decision makers about what they are about to unleash. This would begin with the simplest, and cheapest, weapons, which are botnets, used for DDOS attacks. In plain English, that means gaining (by purchase or otherwise) access to hundreds, or thousands, of home and business PCs that have had special software secretly installed. This allows whoever installed the software that turned these PCs into zombies, to do whatever they want with these machines. The most common thing done is to have those PCs, when hooked up to the Internet, to send as many emails, or other electronic messages, as it can, to a specified website. When this is done with lots of zombies (a botnet), the flood of messages becomes a DDOS (Distributed Denial of Service) attack that shuts the target down. This happens because so much junk is coming in from the botnet, that no one else can use the web site.
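From the defender’s side, the botnet flood described above has a recognisable signature in the web server’s own log: a burst of requests per second, spread over many distinct source addresses, rather than the steady trickle of normal traffic or one misbehaving client. The monitor below is an added example, not code from the post or from Strategy Page; it parses common-log-format lines, buckets them by second and separates a distributed flood from a single noisy host. The log lines, thresholds and addresses (taken from the RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/nginx "common log format" line, e.g.
#   203.0.113.1 - - [25/Nov/2011:12:00:00 +0000] "GET /blog/ HTTP/1.1" 200 5120
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one log line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip,
            "t": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "request": request, "status": int(status)}


def flood_windows(lines, window_s=1, rate=20, min_sources=10):
    """Bucket requests into fixed windows and flag any window whose request
    count reaches `rate`. A window fed by at least `min_sources` distinct
    addresses is reported as a distributed flood (the botnet pattern);
    fewer sources means one noisy client, which a per-IP rate limit can
    handle on its own. Thresholds are example values."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        key = int(rec["t"].timestamp()) // window_s * window_s
        buckets[key].append(rec["ip"])
    alerts = []
    for key in sorted(buckets):
        ips = buckets[key]
        n, distinct = len(ips), len(set(ips))
        if n < rate:
            continue
        alerts.append({
            "window": datetime.fromtimestamp(key, tz=timezone.utc).isoformat(),
            "requests": n,
            "sources": distinct,
            "kind": "distributed flood" if distinct >= min_sources
                    else "single-source flood",
        })
    return alerts


def constructed_log():
    """Constructed sample: a quiet baseline of one request per second, one
    distributed burst at 12:00:05, one single-host burst at 12:00:08, and
    one unparseable line."""
    lines = [f'203.0.113.{s + 1} - - [25/Nov/2011:12:00:{s:02d} +0000] '
             f'"GET /blog/ HTTP/1.1" 200 5120' for s in range(10)]
    lines += [f'198.51.100.{z + 1} - - [25/Nov/2011:12:00:05 +0000] '
              f'"GET / HTTP/1.1" 200 5120' for z in range(40)]
    lines += ['192.0.2.7 - - [25/Nov/2011:12:00:08 +0000] "GET / HTTP/1.1" 503 0'] * 25
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in flood_windows(constructed_log()):
        print(alert)
```

The distinction matters for the response: a single-source flood is answered with a per-address limit, while a distributed one needs upstream filtering or capacity, since blocking addresses one at a time does nothing against thousands of zombies.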

June 17, 2011

DARPA’s “National Cyber Range” on schedule

Filed under: Government, Technology, USA — Nicholas @ 10:07

In order to determine ways to fend off or prevent attacks on the internet, DARPA is hoping to have their scale model of the internet ready sometime next year for testing:

The US defence agency that invented the forerunner to the internet is working on a “virtual firing range” intended as a replica of the real internet so scientists can mimic international cyberwars to test their defences.

Called the National Cyber Range, the system will be ready by next year and will also help the Pentagon to train its own hackers and refine their skills to guard US information systems, both military and domestic.

The move marks another rise in the temperature of the online battlefield. The US and Israel are believed to have collaborated on a sophisticated piece of malware called Stuxnet that targeted computers controlling Iran’s nuclear centrifuge scheme. Government-authorised hackers in China, meanwhile, are suspected to have been behind a number of attacks on organisations including the International Monetary Fund, French government and Google.

[. . .]

Darpa is also working on other plans to advance the US’s cyber defences. A program known as Crash — for Clean-slate design of Resilient, Adaptive, Secure Hosts — seeks to design computer systems that evolve over time, making them harder for an attacker to target.

The Cyber Insider Threat program, or Cinder, would help monitor military networks for threats from within by improving detection of threatening behaviour from people authorised to use them. The problem has loomed large since Bradley Manning allegedly passed confidential state department documents to WikiLeaks, the anti-secrecy website.

Another is a Cyber Genome, aimed at automating the discovery, identification and characterisation of malicious code. That could help figure out who was behind a cyber-strike.

May 11, 2011

How resilient is the internet?

Filed under: Economics, Media, Technology — Nicholas @ 09:57

Richard Clayton summarizes a recent study by the European Network and Information Security Agency (ENISA) on the internet’s ability to cope with disruptions. Among the ways the internet is vulnerable are:

First, the Internet is vulnerable to various kinds of common mode technical failures where systems are disrupted in many places simultaneously; service could be substantially disrupted by failures of other utilities, particularly the electricity supply; a flu pandemic could cause the people on whose work it depends to stay at home, just as demand for home working by others was peaking; and finally, because of its open nature, the Internet is at risk of intentionally disruptive attacks.

Second, there are concerns about sustainability of the current business models. Internet service is cheap, and becoming rapidly cheaper, because the costs of service provision are mostly fixed costs; the marginal costs are low, so competition forces prices ever downwards. Some of the largest operators — the ‘Tier 1’ transit providers — are losing substantial amounts of money, and it is not clear how future capital investment will be financed. There is a risk that consolidation might reduce the current twenty-odd providers to a handful, at which point regulation may be needed to prevent monopoly pricing.

Third, dependability and economics interact in potentially pernicious ways. Most of the things that service providers can do to make the Internet more resilient, from having excess capacity to route filtering, benefit other providers much more than the firm that pays for them, leading to a potential ‘tragedy of the commons’. Similarly, security mechanisms that would help reduce the likelihood and the impact of malice, error and mischance are not implemented because no-one has found a way to roll them out that gives sufficiently incremental and sufficiently local benefit.

Fourth, there is remarkably little reliable information about the size and shape of the Internet infrastructure or its daily operation. This hinders any attempt to assess its resilience in general and the analysis of the true impact of incidents in particular. The opacity also hinders research and development of improved protocols, systems and practices by making it hard to know what the issues really are and harder yet to test proposed solutions.

H/T to Bruce Schneier for the link.

May 2, 2011

I think I’ll hold off on buying a PlayStation for a little while longer

Filed under: Gaming, Technology — Nicholas @ 09:17

I actually was considering buying a PS3 in the near future, as our existing Blu-Ray player doesn’t play nicely with Netflix, while my domestic gaming advisor tells me that PS3s do. Sony’s security problems are enough to give me pause:

“It’s really scary,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor, who fleshed out the doomsday scenario more thoroughly on Monday. “It’s justification for Sony freaking out. They could lose control of their whole PS3 network.”

Ray’s speculation is fueled in part by chat transcripts that appear to show unknown hackers discussing serious weaknesses in the PSN authentication system. In it, purported hackers going by the handles trixter and SKFU discuss how to connect to PSN servers using consoles with older firmware that contain bugs susceptible to jailbreaking exploits, even though Sony takes great pains to prevent that from happening.

“I just finished decrypting 100% of all PSN functions,” SKFU claimed.

There’s no evidence the participants had anything to do with the massive security breach that plundered names, addresses, email addresses, passwords and other sensitive information from some 77 million PSN users. But the log did raise questions about the security of the network, since it claimed it was possible to fool the PSN’s authentication system into permitting rogue consoles.

On this reading, arrogance on the part of Sony executives, and complacency on the part of developers and testers are key elements of the security failure:

“If you can’t jailbreak it, then I can see a developer assuming that they don’t need a particular authorization check on what’s coming across the wire because a user can’t do that,” said WhiteHat Security CTO Jeremiah Grossman, an expert in web application security. “So if somebody managed to jailbreak their device and pop a flaw, I can see something major happening there.”

Hotz, the PS3 jailbreaker who recently settled the copyright lawsuit Sony brought against him, said in a recent blog post that the theory is plausible and that responsibility for the hack lay squarely on the shoulders of Sony executives who placed too much trust in the invulnerability of the PS3.

“Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?” Hotz, aka GeoHot, wrote. “This arrogance undermines a basic security principle, never trust the client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you.”
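The principle Hotz and Grossman are describing, never trust the client, comes down to where the authorization decision is made. The two handlers below are an added example, not code from the article or from Sony’s service: the first believes flags the client sends about itself, the second decides from server-held state and treats the reported firmware version as a hygiene check rather than a security boundary. The account records, version numbers and request bodies are all constructed and hypothetical.

```python
# Constructed server-side state: the only source of truth for what a given
# account may do. Account names, entitlements and versions are hypothetical.
ACCOUNTS = {
    "acct-1": {"banned": False, "entitlements": {"store", "multiplayer"}},
    "acct-2": {"banned": True,  "entitlements": set()},
}
MIN_FIRMWARE = (3, 60)  # hypothetical minimum client version


def handle_trusting_client(req):
    """Vulnerable pattern: the request body carries the client's own verdict
    on whether it is allowed, and the server believes it on the assumption
    that only genuine, unmodified consoles can reach this endpoint. A
    modified client simply sets both flags to true."""
    if req.get("firmware_ok") and req.get("entitled"):
        return {"ok": True, "grant": req.get("action")}
    return {"ok": False, "reason": "client reported not allowed"}


def _parse_version(s):
    """'3.66' -> (3, 66); None for anything that is not dotted integers."""
    try:
        return tuple(int(x) for x in str(s).split("."))
    except ValueError:
        return None


def handle_server_side(req):
    """Hardened pattern: the client only names what it wants; whether it may
    have it is decided from server-held state. 'account' stands in for the
    identity established by the authenticated session, not a free-form
    field. The reported firmware version is still a client claim, so it is
    only a hygiene check (reject stale clients), not the authorization
    boundary; the entitlement lookup is."""
    acct = ACCOUNTS.get(req.get("account"))
    if acct is None or acct["banned"]:
        return {"ok": False, "reason": "unknown or banned account"}
    fw = _parse_version(req.get("firmware"))
    if fw is None or fw < MIN_FIRMWARE:
        return {"ok": False, "reason": "firmware missing, malformed or below minimum"}
    action = req.get("action")
    if action not in acct["entitlements"]:
        return {"ok": False, "reason": "not entitled"}
    return {"ok": True, "grant": action}


# Constructed requests: a banned account on old firmware asserting its own
# permission, and an ordinary entitled account.
FORGED = {"account": "acct-2", "action": "store", "firmware": "3.55",
          "firmware_ok": True, "entitled": True}
LEGIT = {"account": "acct-1", "action": "store", "firmware": "3.66"}

if __name__ == "__main__":
    print("trusting client, forged request:", handle_trusting_client(FORGED))
    print("server-side check, forged request:", handle_server_side(FORGED))
    print("server-side check, legitimate request:", handle_server_side(LEGIT))
```

Nothing in the hardened handler depends on the console being unmodifiable; that is the property Hotz is pointing at, since the day the client is jailbroken is the day every client-side check stops meaning anything.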

April 28, 2011

Want a secure home? Even want it zombie-proof? Here you go

Filed under: Randomness — Nicholas @ 12:12

The first house to be certified as Zombie-proof:

“The most essential item for our clients was acquiring the feeling of maximum security,” begins the designers’ website in the summary of the structure. Who wouldn’t feel safe in a concrete rectangle that folds in upon itself to become completely sealed? Even the windows are covered with a slab of concrete when the structure is on nap time.

The house, with its movable walls, has only one entrance, which is located on the second floor after crossing a drawbridge. Seems like the perfect opportunity to use a flamethrower and defend the life of your family, while stylishly nesting in a piece of architectural elitism.

Lots of pictures at the original post. Here’s your drawbridge:

Here are the upper-story “shutters” swinging shut and the roll-down partially deployed:

And finally, your nice, safe, snug zombie-proof home all tucked in for the assault:

H/T to Markus Baur for the link.

April 27, 2011

Syrian update

Filed under: Liberty, Middle East — Nicholas @ 07:43

With attention focused on Libya, the Syrian situation is still highly volatile:

Bashar Assad clings to power by manipulating the fear within the many factions supporting him that they would have to flee the country, to avoid death or prison, if the current government fell. Then there is the threat that the security forces would use extreme violence to suppress the demonstrations. This, however, could enrage the general population and trigger a bloody civil war. The only thing everyone can agree on is a desire for peaceful resolution of the crisis. But Assad and his cronies don’t want to give up power, and they may have to risk everything to find out how far most Syrians are willing to go to force big changes.

Five weeks of escalating violence have left over 200 dead, and over a thousand arrested (and hundreds later released). While nearly all the dead are protestors, more security forces personnel are getting killed. The government is using armed militias (from the groups that have always supported the Assad dictatorship) as well as the police and “special” (secret) police to try and control or terrorize the growing number of demonstrators. There are also said to be small numbers (hundreds) of “security specialists” from Iran. Some Hezbollah gunmen are believed involved as well, and Syrians are accusing these “foreigners” for many of the killings. While most of the leadership posts in the police and army are held by minorities (like the Alawite sect the Assads belong to), most of the troops are majority Sunni Arab. Thus Assad controls management, but has to be careful with the rank and file.

If enough civilians hit the streets, there won’t be enough security forces to confront them, and the entire structure of the Assad police state will start coming apart. Iran might try to stop it, with a massive transfer (by air) of security personnel, and many more from Hezbollah entering by land. Hezbollah loses a lot if it no longer has those land supply routes from Syria. Meanwhile, each Friday (the Moslem Sunday), the demonstrations get larger. The way things have been going, it won’t be many more Fridays before Assad and his crew are gone, or the country is getting blown apart by civil war. It’s unclear if democracy or a new dictatorship will replace the old government. There are many tribes and factions in Syria, and predicting how they will all shake out is not possible.

Update: Just so you don’t forget, at the same time the Syrian government is attempting to suppress the demonstrations, it is running (unopposed) for a seat on the UN Human Rights Council.
