Quotulatiousness

June 8, 2019

Differentiating between actual security and security theatre

Filed under: Britain, Humour, Liberty, Technology — Nicholas @ 03:00

Alistair Dabbs has a security tale of woe:

“Keypad Entry” by Victor Frost is licensed under CC BY-NC-SA 2.0

Access denied. Enter Access Code.

That’s a good start. Just a few moments ago I was handed a card on which is written, in blue ballpoint, a newly compiled string of alphanumerics that is supposed to identify me as a unique user. Oh well, maybe I fumbled the buttons. Let’s try again.

Access denied. Enter Access Code.

I am standing in the driving rain – this is London in the summer – in front of a large electronically operated vehicle barrier that keeps the riff-raff from getting anywhere near the car park and loading bay behind the building where I am to be working this week.

The vertical stainless steel keypad into which I am pushing my access code is weather-resistant. I am not. You’d think they could have installed the keypad at car-window level but no, it’s at lorry level. And it’s not on the driver’s side anyway, so anyone not rolling up in an unmodified US or continental import vehicle is forced to exit and walk over to the access terminal.

Access denied. Enter Access Code.

As far as it is concerned, I am riff-raff. I look behind me to see a steel-grey car has pulled up behind mine. Steel-grey = bland, unimaginative, company car, must be management. As I trudge back towards the street entrance around the corner to ask the security desk for an alternative access code, remembering this time to express an explicit preference for one that actually provides access, I notice the driver in the grey car has started to harrumph.

Security systems like this exist to protect me and my possessions, whether physical or electronic. They keep out the nasties and foil the mischievous. They allow access to the honest and prevent it to the unauthorised.

They are a pain in the arse.

Security is essential, of course, but only for other people. Not me. I’m the nice guy here and this sodding keypad is stopping me from getting in.

But then security authentication is one of those functions whose philosophical concept is hampered by self-contradictory details of its own design. To pick a topical example, it is the right of European Union citizens to enjoy free movement between EU countries without being stopped by border controls. However, how can the border controls know whether you are an EU citizen or not unless they stop you to ask for your EU identification? So it’s only by presenting your passport or ID card that you can exercise your right not to have to present your passport or ID card.

The forces of law and order, from police to night club bouncers, face the same recursive logic. Why do they insist on frisking me? Why can’t they concentrate their stop and search efforts only on those who are carrying concealed weapons?

May 8, 2019

Your electronic devices and the Canadian Border Services Agency

Filed under: Cancon, Law, Liberty, Technology — Nicholas @ 03:00

A few years ago, many civil libertarians were upset that the US government allowed warrantless searches of electronic devices at the border, but it was less well known that the Canadian Border Services Agency does the same at the Canadian border:

According to the CBSA, it has the right to search electronic devices at the border for evidence of customs-related offences — without a warrant — just as it does with luggage.

If travellers refuse to provide their passwords, officers can seize their devices.

The CBSA said that between November 2017 and March 2019, 19,515 travellers had their digital devices examined, which represents 0.015 per cent of all cross-border travellers during that period.

During 38 per cent of those searches, officers uncovered evidence of a customs-related offence — which can include possessing prohibited material or undeclared goods, and money laundering, said the agency.

While the laws governing CBSA searches have existed for decades, applying them to digital devices has sparked concern in an era where many travellers carry smartphones full of personal and sometimes very sensitive data.

A growing number of lawyers across Canada argue that warrantless digital device searches at the border are unconstitutional, and the practice should be stopped or at least limited.

“The policy of the CBSA of searching devices isn’t something that is justifiable in a free and democratic society,” said Wright, who ran as a Green Party candidate in the 2015 federal election.

“It’s appalling, it’s shocking, and I hope that government, government agencies and the courts, and individual citizens will inform themselves and take action.”

January 4, 2019

SplashData’s Top 100 Worst Passwords of 2018

Filed under: Humour, Technology — Nicholas @ 02:00

SplashData's Top 100 Worst Passwords of 2018 from John Hall on Vimeo.

December 7, 2018

Australian parliament votes to weaken encryption

Filed under: Australia, Government, Law, Liberty, Technology — Nicholas @ 03:00

Scott Shackford reports on the latest bit of oddness from the southern hemisphere:

Pretty much every single person in the tech industry, human rights circles, and academia warned the Australian government that forcing online platforms to weaken encryption would lead to disastrous results. Nonetheless, lawmakers are pushing forward — and it’s not just Australians who will suffer as a result.

Last night, Australia’s parliament rushed through the Assistance and Access Bill of 2018 right as their session was coming to a close. The bill gives various government agencies the authority to demand that tech and communication platforms provide them secret bypass routes around encrypted messages.

This is what is known as an encryption “backdoor,” and it’s a bad idea. Governments insist such tools are needed to fight crime and terrorism. The problem is that an encryption backdoor doesn’t care who uses it: If there’s a mechanism to bypass privacy security on a communication system, it can be exploited by anybody who knows how. That includes hackers, thieves, officials from authoritarian governments, and all sorts of dangerous people (including, of course, the very government people who insist they’re trying to protect us). That’s why tech companies have spent years fighting against the idea.

Weak encryption is a threat to the health of any tech platform that involves transferring data, and governments know that. So they insist they’re not demanding encryption backdoors while attempting to enact policies that pretty much demand them.

The Assistance and Access Bill won’t just grant the Australian government the power to demand that everybody from Facebook to Whatsapp help them bypass security to access private communications. The bill will let officials order companies, through “technical capability notices,” to alter their programming to facilitate snooping. And it gives the government the authority to force the tech employees who implement the changes to keep them secret. Break that secrecy, and the employees can face up to five years in jail.

November 10, 2018

Don’t expect the “Internet-of-Things” to get better security without Uncle Sam’s pressure

Filed under: Business, Government, Technology — Nicholas @ 05:00

Bruce Schneier believes it will take government action (or as The Register phrased it, “Uncle Sam … putting boots to asses”) to get any significant improvement in Internet-of-Shit device security:

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

September 20, 2018

Mind Your Business Ep. 3: Public Safety from Private Security

Filed under: Business, Law, Liberty, USA — Nicholas @ 06:00

Foundation for Economic Education
Published on 18 Sep 2018

In Detroit, dependence on law enforcement has proved insufficient to keep people safe. Enter Dale Brown, a threat management professional who specializes in stopping violence and empowering individuals to protect themselves and their loved ones.

September 11, 2018

Fear the Internet-of-Things

Filed under: Business, Technology — Nicholas @ 05:00

Martin Giles talks to Bruce Schneier about his new book, Click Here to Kill Everybody:

The title of your book seems deliberately alarmist. Is that just an attempt to juice sales?

It may sound like publishing clickbait, but I’m trying to make the point that the internet now affects the world in a direct physical manner, and that changes everything. It’s no longer about risks to data, but about risks to life and property. And the title really points out that there’s physical danger here, and that things are different than they were just five years ago.

How’s this shift changing our notion of cybersecurity?

Our cars, our medical devices, our household appliances are all now computers with things attached to them. Your refrigerator is a computer that keeps things cold, and a microwave oven is a computer that makes things hot. And your car is a computer with four wheels and an engine. Computers are no longer just a screen we turn on and look at, and that’s the big change. What was computer security, its own separate realm, is now everything security.

You’ve come up with a new term, “Internet+,” to encapsulate this shift. But we already have the phrase “internet of things” to describe it, don’t we?

I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to “Internet+.”

Let’s focus on the “us” part of that equation. You say in the book that we’re becoming “virtual cyborgs.” What do you mean by that?

We’re already intimately tied to devices like our phones, which we look at many times a day, and search engines, which are kind of like our online brains. Our power system, our transportation network, our communications systems, are all on the internet. If it goes down, to a very real extent society grinds to a halt, because we’re so dependent on it at every level. Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives.

Can’t we just unplug ourselves somewhat to limit the risks?

That’s getting harder and harder to do. I tried to buy a car that wasn’t connected to the internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.

Hackers can also exploit security vulnerabilities in one kind of device to attack others, right?

There are lots of examples of this. The Mirai botnet exploited vulnerabilities in home devices like DVRs and webcams. These things were taken over by hackers and used to launch an attack on a domain-name server, which then knocked a bunch of popular websites offline. The hackers who attacked Target got into the retailer’s payment network through a vulnerability in the IT systems of a contractor working on some of its stores.

July 24, 2018

QotD: Passwords

Filed under: Quotations, Technology — Nicholas @ 01:00

It makes no sense to force users to generate passwords for websites they only log in to once or twice a year. Users realize this: they store those passwords in their browsers, or they never even bother trying to remember them, using the “I forgot my password” link as a way to bypass the system completely — effectively falling back on the security of their e-mail account.

Bruce Schneier, “Security Design: Stop Trying to Fix the User”, Schneier on Security, 2016-10-03.

June 27, 2018

Canada’s euphemistically named “High Risk Returnees”

Filed under: Cancon, Middle East, Politics, Religion — Nicholas @ 05:00

Judith Bergman on the Canadian government’s kid-gloves approach to dealing with Canadian citizens who return to Canada after volunteering to serve with terrorist organizations:

Canadians who go abroad to commit terrorism – predominantly jihadists, in other words – have a “right to return” according to government documents obtained by Global News. They not only have a right of return, but “… even if a Canadian engaged in terrorist activity abroad, the government must facilitate their return to Canada,” as one document says.

According to the government, there are still around 190 Canadian citizens volunteering as terrorists abroad. The majority are in Syria and Iraq, and 60 have returned. Police are reportedly expecting a new influx of returnees over the next couple of months.

The Canadian government is willing to go to great (and presumably costly) lengths to “facilitate” the return of Canadian jihadists, unlike the UK, for example, which has revoked the citizenship of ISIS fighters so they cannot return. The Canadian government has established a taskforce, the High Risk Returnee Interdepartmental Taskforce, that, according to government documents:

    “… allows us to collectively identify what measures can mitigate the threat these individuals may pose during their return to Canada. This could include sending officers overseas to collect evidence before they depart, or their detention by police upon arrival in Canada.”

Undercover officers may also be used “to engage with the HRT [High Risk Traveler] to collect evidence, or monitor them during their flight home.”

In the sanitizing Orwellian newspeak employed by the Canadian government, the terrorists are not jihadis who left Canada to commit the most heinous crimes, such as torture, rape and murder, while fighting for ISIS in Syria and Iraq, but “High Risk Travelers” and “High Risk Returnees”.

The government is fully aware of the security risk to which it is subjecting Canadians: According to the documents, “HRRs [High Risk Returnees] can pose a significant threat to the national security of Canada”. This fact raises the question of why the government of Canada is keen to facilitate these people’s “right of return” — when presumably the primary obligation of the government is to safeguard the security of law-abiding Canadian citizens.

June 5, 2018

The Internet-of-Things as “Moore’s Revenge”

Filed under: Technology — Nicholas @ 03:00

El Reg‘s Mark Pesce on the end of Moore’s Law and the start of Moore’s Revenge:

… the cost of making a device “smart” – whether that means, aware, intelligent, connected, or something else altogether – is now trivial. We’re therefore quickly transitioning from the Death of Moore’s Law into the era of Moore’s Revenge – where pretty much every manufactured object has a chip in it.

This is going to change the whole world, and it’s going to begin with a fundamental reorientation of IT, away from the “pinnacle” desktops and servers, toward the “smart dust” everywhere in the world: collecting data, providing services – and offering up a near infinity of attack surfaces. Dumb is often harder to hack than smart, but – as we saw last month in the Z-Wave attack that impacted hundreds of millions of devices – once you’ve got a way in, enormous damage can result.

The focus on security will produce new costs for businesses – and it will be on IT to ensure those costs don’t exceed the benefits of this massively chipped-and-connected world. It’ll be a close-run thing.

It’s also likely to be a world where nothing works precisely as planned. With so much autonomy embedded in our environment, the likelihood of unintended consequences amplifying into something unexpected becomes nearly guaranteed.

We may think the world is weird today, but once hundreds of billions of marginally intelligent and minimally autonomous systems start to have a go, that weirdness will begin to arc upwards exponentially.

May 5, 2018

Passwords, again

Filed under: Technology — Nicholas @ 03:00

At The Register, a meditation on passwords by Kieren McCarthy:

“It’s World #PasswordDay! A reminder to change your pins/passwords frequently,” it advised anyone following the hashtag “PasswordDay”. But this, as lots of people quickly pointed out, is terrible advice.

But hang on a second: isn’t that the correct advice? Weren’t all sysadmins basically forced to change their systems to make people reset passwords every few months because it was better for security?

Yes, but that was way back in 2014. Starting late 2015, there was a big push from government departments across the world – ranging from UK spy agency GCHQ to US standard-setting National Institute of Standards and Technology (NIST) and consumer agency the Federal Trade Commission (FTC) – to not do that.

That said, the past few years have been virtually defined by the loss of billions of usernames and passwords from corporations, ranging from your email provider, to your credit agency, home improvement store, retail store and, yes, even government departments.

In that case, does it not in fact make sense to get people to periodically change their passwords? Well, yes. And no.

Yes, because the information would age and so become irrelevant faster. No, because constant resets eat up resources, tend to nudge people toward using simpler passwords, and don’t really make it harder for some miscreant using a brute force attack to guess the password.

[…]

Random or pronounceable?

Everyone agrees that using the word “password” for a password is pretty much the dumbest thing you can do. But so many people still do it that designers have been forced to hardcode a ban on the word into most password systems.

But from there – where do you go? How much better is “password1”? Is it sufficiently better? What about switching letters to other things, like “p@ssw0rd”? Yes, objectively, that is better. But the point is that there are much better ways. And that comes down to basically two choices: random or pronounceable.

The best random password is one that really is random, i.e. not a weird spelling that you quickly forget but a combination of letters, numbers and symbols like “4&bqJv8dZrXgp” that you would simply never be able to remember.

But here’s the thing – the reason that particular password is better is largely because in order to use and generate such passwords, you would likely use a password manager. And password managers are great things that we’ll deal with later.

But here’s the thing: if someone is trying to crack your password randomly they are likely to be using automated software that simply fires thousands of possible passwords at a system until it hits the right one.

In that scenario, it is not the gibberish that is important but the length of the password that matters. Computers don’t care if a password is made up of English words – or words of any language. But the longer it is, the more guesses will be needed to get it right.

As our dear truthsayer XKCD points out: “Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
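To put numbers on the length-versus-gibberish argument in the excerpt above, here is an added example (written for this page, not code from The Register or XKCD) that scores the page's own sample passwords under two attack models: a naive character-level brute force, and a dictionary attack that knows about leet swaps and digit suffixes. KNOWN_WORDS is a constructed stand-in for a cracking dictionary, and the 100,000-entry and 2,048-entry list sizes are assumptions.

```python
import math
import string

# Naive brute-force model: the attacker knows only the password's length and
# which character classes it uses, and tries every string over that alphabet.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation, " ")

# Constructed stand-in for a cracking dictionary; only membership is checked.
# DICTIONARY_SIZE is the assumed size of the real list an attacker would use.
KNOWN_WORDS = {"password", "letmein", "qwerty", "dragon", "monkey", "football"}
DICTIONARY_SIZE = 100_000

# "Leet" substitutions a cracker enumerates for each letter of a word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
UNLEET = {sub: letter for letter, subs in LEET.items() for sub in subs}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """log2(guesses) under the naive model: alphabet_size ** length."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(password: str):
    """Pattern-aware model: dictionary word + leet swaps + trailing digits.

    Returns None when the password does not fit that pattern; otherwise log2
    of the candidates enumerated (every word x every leet variant x every
    digit suffix of the observed length), which is what the attacker pays.
    """
    stem = password.rstrip(string.digits)
    digits = len(password) - len(stem)
    base = "".join(UNLEET.get(c, c) for c in stem).lower()
    if base not in KNOWN_WORDS:
        return None
    # Each substitutable letter may stay plain or take any of its leet forms.
    variants = math.prod(1 + len(LEET[c]) for c in base if c in LEET)
    return (math.log2(DICTIONARY_SIZE) + math.log2(variants)
            + digits * math.log2(10))


def estimated_bits(password: str) -> float:
    """Strength is set by the cheapest attack, so report the smaller estimate."""
    naive = brute_force_bits(password)
    pattern = dictionary_bits(password)
    return naive if pattern is None else min(naive, pattern)


def passphrase_bits(n_words: int, wordlist_size: int = 2048) -> float:
    """XKCD/Diceware-style phrase: the list is public, so guesses = size ** n."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("password", "password1", "p@ssw0rd", "4&bqJv8dZrXgp",
               "correct horse battery staple"):
        print(f"{pw:30} naive {brute_force_bits(pw):6.1f} bits  "
              f"cheapest {estimated_bits(pw):6.1f} bits")
    # Four words from a known 2048-word list cost the attacker about 2^44
    # guesses: far fewer than the character-level model suggests for the
    # 28-character phrase, but still far more than a leet-spelled word.
    print(f"{'4-word passphrase (2048 list)':30} {passphrase_bits(4):6.1f} bits")
```

The table shows why “p@ssw0rd” only looks stronger than “password”: the naive model rewards the extra character classes, but a cracker that enumerates leet variants reaches both in the same number of guesses.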

December 14, 2017

The US Navy and Their Hilariously Inept Search for Dorothy and Her Friends

Filed under: Military, USA — Nicholas @ 02:00

Today I Found Out
Published on 2 Dec 2017

In this video:

While the Ancient Greeks had their celebrated Sacred Band of Thebes, a legendarily successful fighting force made up of all male lovers, in more modern times the various branches of the United States military have not been so accepting of such individuals, which brings us to the topic of today – that time in the 1980s when the Naval Intelligence Service invested significant resources into trying to locate a mysterious woman identified only as “Dorothy” who seemed to have links to countless gay seamen. The plan was to find her and then “convince” her to finger these individuals so the military could give them the boot.

Want the text version?: http://www.todayifoundout.com/index.php/2017/01/u-s-navy-hilarious-multi-million-dollar-fruitless-search-wizard-ozs-dorothy-friends/

October 21, 2017

Canada’s equivalent to the NSA releases a malware detection tool

Filed under: Cancon, Technology — Nicholas @ 04:00

At The Register, Simon Sharwood looks at a new security tool (in open source) released by the Communications Security Establishment (CSE, formerly known as CSEC):

Canada’s Communications Security Establishment has open-sourced its own malware detection tool.

The Communications Security Establishment (CSE) is a signals intelligence agency roughly equivalent to the United Kingdom’s GCHQ, the USA’s NSA and Australia’s Signals Directorate. It has both intelligence-gathering and advisory roles.

It also has a tool called “Assemblyline” which it describes as a “scalable distributed file analysis framework” that can “detect and analyse malicious files as they are received.”

[…]

The tool was written in Python and can run on a single PC or in a cluster. CSE claims it can process millions of files a day. “Assemblyline was built using public domain and open-source software; however the majority of the code was developed by CSE.” Nothing in it is commercial technology and the CSE says it is “easily integrated in to existing cyber defence technologies.”

The tool’s been released under the MIT licence and is available here.

The organisation says it released the code because its job is to improve Canadians’ security, and it’s confident Assemblyline will help. The CSE’s head of IT security Scott Jones has also told the Canadian Broadcasting Corporation that the release has a secondary goal of demystifying the organisation.

October 12, 2017

That Time Canada Tried to Make a Literal “Gaydar”

Filed under: Cancon, Government, History — Nicholas @ 04:00

Today I Found Out
Published on 10 Oct 2017

Never run out of things to say at the water cooler with TodayIFoundOut! Brand new videos 7 days a week!

In this video:

We are all familiar with the colloquialism “gaydar” which refers to a person’s intuitive, and often wildly inaccurate, ability to assess the sexual orientation of another person. In the 1960s, the Royal Canadian Mounted Police (RCMP) attempted to use a slightly more scientific, though equally flawed, approach – a machine to detect if a person was gay or not. This was in an attempt to eliminate homosexuals from the Canadian military, police and civil service. The specific machine, dubbed the “Fruit Machine”, was invented by Dr. Robert Wake, a Carleton University Psychology professor.

Want the text version?: http://www.todayifoundout.com/index.php/2013/06/when-the-canadian-government-used-gay-detectors-to-try-to-get-rid-of-homosexual-government-employees/

October 1, 2017

When network security intersects teledildonics

Filed under: Technology — Nicholas @ 05:00

At The Register, John Leyden warns anyone using an internet-of-things sex toy that their device can be easily detected and exploited by (I kid you not) “screwdrivers” (below the fold, just in case you’re extra-concerned for potentially NSFW content):

