Quotulatiousness

June 7, 2017

“Hey, Joey, ‘splain me public key cryptography!”

Filed under: Technology — Nicholas @ 10:20

Joey deVilla explains public key cryptography for non-geeks:

Have you ever tried to explain public-key cryptography (a.k.a. asymmetric cryptography) or the concept of public and private keys and what they’re for to non-techies? It’s tough, and I’ve spent the last little while trying to come up with an analogy that’s layperson-friendly and memorable.

It turns out that it already exists, and Panayotis Vryonis […], came up with it. Go over to his blog and check out the article titled Public-key cryptography for non-geeks. Whenever I have to explain what private keys and public keys are for to someone who’s new to cryptography, I use Vryonis’ “box with special lock and special keys” analogy. Not only does the explanation work, but it’s so good that the people I’ve used it on have used it themselves to explain public-key crypto to others.

I’ve recently used Vryonis’ analogy in a couple of presentations and thought I’d share images from my slides. Enjoy!

April 13, 2017

Microsoft buries the (security) lede with this month’s patch

Filed under: Technology — Nicholas @ 05:00

In The Register, Shaun Nichols discusses the way Microsoft has effectively hidden the extent and severity of security changes in this month’s Windows 10 patch:

Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers.

In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft’s Security Update Guide.

Billed by Redmond as “the authoritative source of information on our security updates,” the portal merely obfuscates discovered vulnerabilities and the fixes available for them. Rather than neatly split patches into bulletins as in previous months, Microsoft has dumped the lot into an unwieldy, buggy and confusing table that links out to a sprawl of advisories and patch installation instructions.

Punters and sysadmins unable to handle the overload of info are left with a fact-light summary of April’s patches – or a single bullet point buried at the end of a list of tweaks to, for instance, Windows 10.

Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. However, IT pros, and anyone else curious or who wants to test patches before deploying them, will have to fish through the portal’s table for details of individual updates.

[…]

Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up. The summary lists “security updates” for “Microsoft Windows,” “Microsoft Office,” and “Internet Explorer” without version numbers or details.

March 22, 2017

A check-in from the “libertarian writers’ mafia”

Filed under: Liberty, Politics, USA — Nicholas @ 03:00

In the most recent issue of the Libertarian Enterprise, J. Neil Schulman talks about “rational security”:

Two of my favorite authors — Robert A Heinlein and Ayn Rand — favored a limited government that would provide an effective national defense against foreign invaders and foreign spies. Rand died March 6, 1982; Heinlein on May 8, 1988 — both of them well before domestic terrorism by foreign nationals or immigrants was a major political issue.

Both Heinlein and Rand, however, were aware of domestic political violence, industrial sabotage, and foreign espionage by both foreigners and immigrants, going back before their own births — Rand February 2, 1905, Heinlein July 7, 1907.

Both Heinlein and Rand wrote futuristic novels portraying totalitarianism (including expansive government spying on its own citizens) within the United States. Both authors also portrayed in their fiction writing and discussed in their nonfiction writing the chaos caused by capricious government control over individual lives and private property.

In their tradition, I’ve done quite a bit of that, also, in my own fiction and nonfiction.

So has my libertarian friend author Brad Linaweaver, whose writings I try never to miss an opportunity to plug.

Brad, like myself, writes in the tradition of Heinlein and Rand — more so even than I do, since Brad also favors limited government while I am an anarchist. Nonetheless I am capable of making political observations and analysis from a non-anarchist viewpoint.

We come to this day in which Brad and I find ourselves without the comfort and living wisdom of Robert A. Heinlein and Ayn Rand. We are now both in our sixties, old enough to be libertarian literary elders.

Oh, we’re not the only ones. L. Neil Smith still writes libertarian novels and opines on his own The Libertarian Enterprise. There are others of our “libertarian writers’ mafia” still living and writing, but none as politically focused as we are — and often, in our opinion, not as good at keeping their eyes on the ball.

January 26, 2017

QotD: Why government intervention usually fails

Filed under: Bureaucracy, Government, Quotations, USA — Nicholas @ 01:00

We saw in an earlier story that the government is trying to tighten regulations on private company cyber security practices at the same time its own network security practices have been shown to be a joke. In finance, it can never balance a budget and uses accounting techniques that would get most companies thrown in jail. It almost never fully funds its pensions. Anything it does is generally done more expensively than would be the same task undertaken privately. Its various sites are among the worst superfund environmental messes. Almost all the current threats to water quality in rivers and oceans come from municipal sewage plants. The government’s Philadelphia naval yard single-handedly accounts for a huge number of the worst asbestos exposure cases to date.

By what alchemy does such a failing organization suddenly become such a good regulator?

Warren Meyer, “Question: Name An Activity The Government is Better At Than the Private Actors It Purports to Regulate”, Coyote Blog, 2015-06-12.

October 26, 2016

A primer on last week’s IoT DDoS attacks

Filed under: Technology, USA — Nicholas @ 09:18

Joey DeVilla provides a convenient layman’s terms description of last Friday’s denial of service attacks on Dyn:

A map of the parts of the internet affected by Friday’s attack. The redder an area is, the more heavily it was affected.

If you’ve been reading about the cyberattack that took place last Friday and are confused by the jargon and technobabble, this primer was written for you! By the end of this article, you’ll have a better understanding of what happened, what caused it, and what can be done to prevent similar problems in the future.

[…]

Hackread’s animation of what happened last Friday. Click the image to see the source.

On Friday, October 21, 2016 at around 6:00 a.m. EDT, a botnet made up of what could be up to tens of millions of machines — a large number of which were IoT devices — mounted a denial-of-service attack on Dyn, disrupting DNS over a large part of the internet in the U.S. This in turn led to a large internet outage on the U.S. east coast, slowing down the internet for many users and rendering a number of big sites inaccessible, including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter.

Flashpoint, a firm that detects and mitigates online threats, was the first to announce that the attack was carried out by a botnet of compromised IoT devices controlled by Mirai malware. Dyn later corroborated Flashpoint’s claim, stating that their servers were under attack from devices located at millions of IP addresses.

The animation above is a visualization of the attack based on the devices’ IP addresses and IP geolocation (a means of approximating the geographic location of an IP address; for more, see this explanation on Stack Overflow). Note that the majority of the devices were at IP addresses (and therefore, geographic locations) outside the United States.

October 14, 2016

QotD: You can’t fix network security by changing the users

Filed under: Quotations, Technology — Nicholas @ 01:00

Every few years, a researcher replicates a security study by littering USB sticks around an organization’s grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as “teachable moments” for others. “If only everyone was more security aware and had more security training,” they say, “the Internet would be a much safer place.”

Enough of that. The problem isn’t the users: it’s that we’ve designed our computer systems’ security so badly that we demand the user do all of these counterintuitive things. Why can’t users choose easy-to-remember passwords? Why can’t they click on links in emails with wild abandon? Why can’t they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Bruce Schneier, “Security Design: Stop Trying to Fix the User”, Schneier on Security, 2016-10-03.

July 27, 2016

Security concerns with the “Internet of things”

Filed under: Technology — Nicholas @ 03:00

When it comes to computer security, you should always listen to what Bruce Schneier has to say, especially when it comes to the “Internet of things”:

Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by — presumptively — China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door — or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.

With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn

I’m usually a pretty tech-positive person, but I actively avoid anything that bills itself as being IoT-enabled … call me paranoid, but I don’t want to hand over local control of my environment, my heating or cooling system, or pretty much anything else on my property to an outside agency (whether government or corporate).

June 27, 2016

QotD: The dangers of expanding the government’s power

Filed under: Government, Law, Liberty, Quotations, USA — Nicholas @ 01:00

Urging vague and unconstrained government power is not how responsible citizens of a free society ought to act. It’s a bad habit and it’s dangerous and irresponsible to promote it.

This is not an abstract or hypothetical point. We live in a country in which arbitrary power is routinely abused, usually to the detriment of the least powerful and the most abused among us. We live in a country in which we have been panicked into giving the government more and more power to protect us from harm, and that power is most often not used for the things we were told, but to solidify and expand previously existing government power. We live in a country where the government uses the power we’ve already given it as a rationale for giving it more: “how can we not ban x when we’ve already banned y?” We live in a country where vague laws are used arbitrarily and capriciously.

Ken White, “In Support Of A Total Ban on Civilians Owning Firearms”, Popehat, 2016-06-16.

March 29, 2016

Why did Apple suddenly grow a pair over consumer privacy and (some) civil rights?

Filed under: Business, Technology, USA — Nicholas @ 03:00

Charles Stross has a theory:

A lot of people are watching the spectacle of Apple vs. the FBI and the Homeland Security Theatre and rubbing their eyes, wondering why Apple (in the person of CEO Tim Cook) is suddenly the knight in shining armour on the side of consumer privacy and civil rights. Apple, after all, is a goliath-sized corporate behemoth with the second largest market cap in US stock market history — what’s in it for them?

As is always the case, to understand why Apple has become so fanatical about customer privacy over the past five years that they’re taking on the US government, you need to follow the money.

[…]

Apple see their long term future as including a global secure payments infrastructure that takes over the role of Visa and Mastercard’s networks — and ultimately of spawning a retail banking subsidiary to provide financial services directly, backed by some of their cash stockpile.

The FBI thought they were asking for a way to unlock a mobile phone, because the FBI is myopically focussed on past criminal investigations, not the future of the technology industry, and the FBI did not understand that they were actually asking for a way to tracelessly unlock and mess with every ATM and credit card on the planet circa 2030 (if not via Apple, then via the other phone OSs, once the festering security fleapit that is Android wakes up and smells the money).

If the FBI get what they want, then the back door will be installed and the next-generation payments infrastructure will be just as prone to fraud as the last-generation card infrastructure, with its card skimmers and identity theft.

And this is why Tim Cook is willing to go to the mattresses with the US department of justice over iOS security: if nobody trusts their iPhone, nobody will be willing to trust the next-generation Apple Bank, and Apple is going to lose their best option for securing their cash pile as it climbs towards the stratosphere.

October 29, 2015

Free HTTPS certificates coming soon

Filed under: Technology — Nicholas @ 02:00

At Ars Technica, Dan Goodin discussed the imminent availability of free HTTPS certificates to all registered domain owners:

A nonprofit effort aimed at encrypting the entire Web has reached an important milestone: its HTTPS certificates are now trusted by all major browsers.

The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai, is known as Let’s Encrypt. As Ars reported last year, the group will offer free HTTPS certificates to anyone who owns a domain name. Let’s Encrypt promises to provide open source tools that automate processes for both applying for and receiving the credential and configuring a website to use it securely.

HTTPS uses the transport layer security or secure sockets layer protocols to secure websites in two important ways. First, it encrypts communications passing between visitors and the Web server so they can’t be read or modified by anyone who may be monitoring the connection. Second, in the case of bare bones certificates, it cryptographically proves that a server belongs to the same organization or person with control over the domain, rather than an imposter posing as that organization. (Extended validation certificates go a step beyond by authenticating the identity of the organization or individual.)

September 30, 2015

Russia’s “bounty” on TOR

Filed under: Liberty, Russia, Technology — Nicholas @ 05:00

Strategy Page on the less-than-perfect result of Russia’s attempt to get hackers to crack The Onion Router for a medium-sized monetary prize:

Back in mid-2014 Russia offered a prize of $111,000 for whoever could deliver, by August 20th 2014, software that would allow Russian security services to identify people on the Internet using Tor (The Onion Router), a system that enables users to access the Internet anonymously. On August 22nd Russia announced that an unnamed Russian contractor, with a top security clearance, had received the $111,000 prize. No other details were provided at the time. A year later it was revealed that the winner of the Tor prize is now spending even more on lawyers to try and get out of the contract to crack Tor’s security. It seems the winners found that their theoretical solution was too difficult to implement effectively. In part this was because the worldwide community of programmers and software engineers that developed Tor is constantly upgrading it. Cracking Tor security is firing at a moving target and one that constantly changes shape and is quite resistant to damage. Tor is not perfect but it has proved very resistant to attack. A lot of people are trying to crack Tor, which is also used by criminals and Islamic terrorists as well as people trying to avoid government surveillance. This is a matter of life and death in many countries, including Russia.

Similar to anonymizer software, Tor was even more untraceable. Unlike anonymizer software, Tor relies on thousands of people running the Tor software, and acting as nodes for email (and attachments) to be sent through so many Tor nodes that it was believed virtually impossible to track down the identity of the sender. Tor was developed as part of an American government program to create software that people living in dictatorships could use to avoid arrest for saying things on the Internet that their government did not like. Tor also enabled Internet users in dictatorships to communicate safely with the outside world. Tor first appeared in 2002 and has since then defied most attempts to defeat it. The Tor developers were also quick to modify their software when a vulnerability was detected.

But by 2014 it was believed that NSA had cracked TOR and others may have done so as well but were keeping quiet about it so that the Tor support community did not fix whatever aspect of the software that made it vulnerable. At the same time there were alternatives to Tor, as well as supplemental software that were apparently uncracked by anyone.

September 11, 2015

How about creating a truly open web?

Filed under: Liberty, Technology — Nicholas @ 02:00

Brewster Kahle on the need to blow up change the current web and recreate it with true open characteristics built-in from the start:

Over the last 25 years, millions of people have poured creativity and knowledge into the World Wide Web. New features have been added and dramatic flaws have emerged based on the original simple design. I would like to suggest we could now build a new Web on top of the existing Web that secures what we want most out of an expressive communication tool without giving up its inclusiveness. I believe we can do something quite counter-intuitive: We can lock the Web open.

One of my heroes, Larry Lessig, famously said “Code is Law.” The way we code the web will determine the way we live online. So we need to bake our values into our code. Freedom of expression needs to be baked into our code. Privacy should be baked into our code. Universal access to all knowledge. But right now, those values are not embedded in the Web.

It turns out that the World Wide Web is quite fragile. But it is huge. At the Internet Archive we collect one billion pages a week. We now know that Web pages only last about 100 days on average before they change or disappear. They blink on and off in their servers.

And the Web is massively accessible – unless you live in China. The Chinese government has blocked the Internet Archive, the New York Times, and other sites from its citizens. And other countries block their citizens’ access as well every once in a while. So the Web is not reliably accessible.

And the Web isn’t private. People, corporations, countries can spy on what you are reading. And they do. We now know, thanks to Edward Snowden, that Wikileaks readers were selected for targeting by the National Security Agency and the UK’s equivalent just because those organizations could identify those Web browsers that visited the site and identify the people likely to be using those browsers. In the library world, we know how important it is to protect reader privacy. Rounding people up for the things that they’ve read has a long and dreadful history. So we need a Web that is better than it is now in order to protect reader privacy.

August 28, 2015

The insecurity of the “internet of things” is baked-in right from the start

Filed under: Technology — Nicholas @ 02:00

At The Register, Richard Chirgwin explains why every new “internet of things” release is pretty much certain to be lacking in the security department:

Let me introduce someone I’ll call the Junior VP of Embedded Systems Security, who wears the permanent pucker of chronic disappointment.

The reason he looks so disappointed is that he’s in charge of embedded Internet of Things security for a prominent Smart Home startup.

Everybody said “get into security, you’ll be employable forever on a good income”, so he did.

Because it’s a startup he has to live in the Valley. After his $10k per month take-home, the rent leaves him just enough to live on Soylent plus whatever’s on offer in the company canteen where every week is either vegan week or paleo week.

Nobody told him that as Junior VP for Embedded Systems Security (JVPESS), his job is to give advice that’s routinely ignored or overruled.

Meet the designer

“All we want to do is integrate the experience of the bedside A.M. clock-radio into a fully-social cloud platform to leverage its audience reach and maximise the effectiveness of converting advertising into a positive buying experience”, the Chief Design Officer said (the CDO dresses like Jony Ive, because they retired the Steve Jobs uniform like a football club retiring the Number 10 jumper when Pele quit).

For his implementation, the JVPESS chose a chip so stupid the Republicans want to field it as Trump’s running-mate, wrote a communications spec that did exactly and only what was in the requirements, and briefed the embedded software engineer.

The embedded software engineer only makes stuff actually work, so he earns about one-sixth that of the User Experience Ninja that reports to Jony Ive’s Style Slave and has to live in Detroit. But he’s boring and conscientious and delivers the code.

Eventually, the JVPESS hands over a design to Jony Ive’s Outfit knowing it’ll end in tears.

Two weeks later, Jony Ive’s Style Slave returns to request approval for “just a couple of last minute revisions. We have to press ‘go’ on the project by close-of-business today so if you could just look this over”.

August 7, 2015

Hacking a Tesla Model S

Filed under: Technology — Nicholas @ 03:00

At The Register, John Leyden talks about the recent revelation that the Tesla Model S has known hacking vulnerabilities:

Security researchers have uncovered six fresh vulnerabilities with the Tesla S.

Kevin Mahaffey, CTO of mobile security firm Lookout, and Cloudflare’s principal security researcher Marc Rogers, discovered the flaws after physically examining a vehicle before working with Elon Musk’s firm to resolve security bugs in the electric automobile.

The vulnerabilities allowed the researchers to gain root (administrator) access to the Model S infotainment systems.

With access to these systems, they were able to remotely lock and unlock the car, control the radio and screens, display any content on the screens (changing map displays and the speedometer), open and close the trunk/boot, and turn off the car systems.

When turning off the car systems, Mahaffey and Rogers discovered that, if the car was below five miles per hour (8km/hr) or idling they were able to apply the emergency hand brake, a minor issue in practice.

If the car was going at any speed the technique could be used to cut power to the car while still allowing the driver to safely brake and steer. Consumer’s safety was still preserved even in cases, like the hand-brake issue, where the system ran foul of bugs.

Despite uncovering half a dozen security bugs the two researchers nonetheless came away impressed by Tesla’s infosec policies and procedures as well as its fail-safe engineering approach.

“Tesla takes a software-first approach to its cars, so it’s no surprise that it has key security features in place that minimised and contained the risk of the discovered vulnerabilities,” the researchers explain.

August 2, 2015

Thinking about realistic security in the “internet of things”

Filed under: Technology — Nicholas @ 02:00

The Economist looks at the apparently unstoppable rush to internet-connect everything and why we should worry about security now:

Unfortunately, computer security is about to get trickier. Computers have already spread from people’s desktops into their pockets. Now they are embedding themselves in all sorts of gadgets, from cars and televisions to children’s toys, refrigerators and industrial kit. Cisco, a maker of networking equipment, reckons that there are 15 billion connected devices out there today. By 2020, it thinks, that number could climb to 50 billion. Boosters promise that a world of networked computers and sensors will be a place of unparalleled convenience and efficiency. They call it the “internet of things”.

Computer-security people call it a disaster in the making. They worry that, in their rush to bring cyber-widgets to market, the companies that produce them have not learned the lessons of the early years of the internet. The big computing firms of the 1980s and 1990s treated security as an afterthought. Only once the threats—in the forms of viruses, hacking attacks and so on—became apparent, did Microsoft, Apple and the rest start trying to fix things. But bolting on security after the fact is much harder than building it in from the start.

Of course, governments are desperate to prevent us from hiding our activities from them by way of cryptography or even moderately secure connections, so there’s the risk that any pre-rolled security option offered by a major corporation has already been riddled with convenient holes for government spooks … which makes it even more likely that others can also find and exploit those security holes.

… companies in all industries must heed the lessons that computing firms learned long ago. Writing completely secure code is almost impossible. As a consequence, a culture of openness is the best defence, because it helps spread fixes. When academic researchers contacted a chipmaker working for Volkswagen to tell it that they had found a vulnerability in a remote-car-key system, Volkswagen’s response included a court injunction. Shooting the messenger does not work. Indeed, firms such as Google now offer monetary rewards, or “bug bounties”, to hackers who contact them with details of flaws they have unearthed.

Thirty years ago, computer-makers that failed to take security seriously could claim ignorance as a defence. No longer. The internet of things will bring many benefits. The time to plan for its inevitable flaws is now.
