Quotulatiousness

July 16, 2013

State of play in the surveillance state

Filed under: Government, Liberty, USA — Tags: , , , , — Nicholas @ 08:38

If you’re just getting back from an extended vacation with no access to the news, “George Washington” at Zero Hedge has a cheat-sheet on spying that you might want to have a look at:

Lots more at Zero Hedge.

July 11, 2013

Who will background-check the watchers?

Filed under: Bureaucracy, Government, USA — Tags: , , , — Nicholas @ 11:11

Apparently, the folks who have been doing background checks for US government agencies have special abilities, including psychic powers:

The fallout from Ed Snowden’s leaks has taken many forms, one of which is the NSA taking a long look at its contractors’ hiring processes. Snowden claims to have taken the job solely to gathering damning info. This revelation, combined with some inconsistencies in his educational history, have placed the companies who perform background and credit checks under the microscope.

What these agencies are now discovering can’t be making them happy, including the news that one contractor’s investigative work apparently involved a seance.

    Anthony J. Domico, a former contractor hired to check the backgrounds of U.S. government workers, filed a 2006 report with the results of an investigation.

    There was just one snag: A person he claimed to have interviewed had been dead for more than a decade. Domico, who had worked for contractors CACI International Inc. (CACI) and Systems Application & Technologies Inc., found himself the subject of a federal probe.

It’s not as if Domico’s case is an anomaly.

    Domico is among 20 investigators who have pleaded guilty or have been convicted of falsifying such reports since 2006. Half of them worked for companies such as Altegrity Inc., which performed a background check on national-security contractor Edward Snowden. The cases may represent a fraction of the fabrications in a government vetting process with little oversight, according to lawmakers and U.S. watchdog officials.

Who watches the watchers’ watchers? It appears as if that crucial link in the chain has been ignored. Give any number of people a job to do and, no matter how important that position is, a certain percentage will cut so many corners their cubicles will start resembling spheres.

These are the people entrusted to help ensure our nation’s harvested data remains in safe hands, or at least, less abusive ones. Those defending the NSA claim this data is well-protected and surrounded by safeguards against abuse. Those claims were always a tad hollow, but this information shows them to be complete artifice. The NSA, along with several other government agencies, cannot positively say that they have taken the proper steps vetting their personnel.

June 11, 2013

The elephant in the IT room – who can you trust?

Filed under: Technology — Tags: , , , — Nicholas @ 10:00

At The Register, Trevor Pott explains why trust is the key part of your personal online security:

Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere’s complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.

Let’s use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.

The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.

[. . .]

Trust as a design principle

The technosphere doesn’t think like this. Very few design their products around trust, or the lack thereof. We’ve become obsessed with how the technology works and what that technology can enable; technology is easy, people are hard. How the technology we create integrates into the larger reality of politics, law, emotion and the other people-centric elements, is often overlooked.

In some cases it is simply a matter of having a limited target audience; American firms designing for American users, for example. It is impossible for most to really understand the intricacies of trust issues in all their variegated permutations. It is human to be limited in our vision, and scope of understanding.

H/T to Bruce Schneier for the link.

May 29, 2013

President Obama criticizes the abuse of executive power by … President Obama

Filed under: Government, USA — Tags: , , , — Nicholas @ 08:22

Jacob Sullum notes the fascinating debate going on between Barack Obama and the President of the United States:

Last week a guy named Barack Obama gave a speech in which he expressed appropriate concern about the abuse of government power in the name of fighting terrorism. Too bad he’s not in a position to do anything about it.

Obama, who used to teach constitutional law at the University of Chicago, quoted James Madison’s warning that “no nation could preserve its freedom in the midst of continual warfare.” Yet by declaring war against Al Qaeda and its shifting and proliferating allies and offshoots — groups that will not disappear or surrender anytime in the foreseeable future — he has reinforced the rationale for a never-ending military struggle that sacrifices civil liberties on the altar of national security.

Regarding one especially controversial aspect of that struggle, the used of unmanned aircraft to execute people the president identifies as terrorists, Obama incoherently argues that such assassinations are legitimate acts of war and that they are governed by due process (at least when the targets are U.S. citizens). To make matters even more confusing, he says the requirements of due process can be met through secret deliberations within the executive branch.

Obama nevertheless raised the possibility of establishing “a special court to evaluate and authorize lethal action,” which he said “has the benefit of bringing a third branch of government into the process but raises serious constitutional issues about presidential and judicial authority.” In other words, the advantage of consulting a court is that it would subject Obama’s death warrants to independent review; the disadvantage is that it would subject Obama’s death warrants to independent review.

April 21, 2013

Documentary War for the Web includes final interview with Aaron Swartz

Filed under: Liberty, Media, Technology — Tags: , , , , , — Nicholas @ 08:51

CNET‘s Declan McCullagh talks about an upcoming documentary release:

From Aaron Swartz’s struggles with an antihacking law to Hollywood’s lobbying to a raft of surveillance proposals, the Internet and its users’ rights are under attack as never before, according to the creators of a forthcoming documentary film.

The film, titled War for the Web, traces the physical infrastructure of the Internet, from fat underwater cables to living room routers, as a way to explain the story of what’s behind the high-volume politicking over proposals like CISPA, Net neutrality, and the Stop Online Piracy Act.

“People talk about security, people talk about privacy, they talk about regional duopolies like they’re independent issues,” Cameron Brueckner, the film’s director, told CNET yesterday. “What is particularly striking is that these issues aren’t really independent issues…. They’re all interconnected.”

The filmmakers have finished 17 lengthy interviews — including what they say is the last extensive one that Swartz, the Internet activist, gave before committing suicide in January — that have yielded about 24 hours of raw footage. They plan to have a rough cut finished by the end of the year, and have launched a fundraising campaign on Indiegogo that ends May 1. (Here’s a three-minute trailer.)

Swartz, who was charged under the Computer Fraud and Abuse Act, faced a criminal trial that would have begun this month and the possibility of anywhere from years to over a decade in federal prison for alleged illegal downloads of academic journal articles. He told the filmmakers last year, in an interview that took place after his indictment, that the U.S. government posed a more serious cybersecurity threat than hackers:

    They cracked into other countries’ computers. They cracked into military installations. They have basically initiated cyberwar in a way that nobody is talking about because, you know, it’s not some kid in the basement somewhere — It’s President Obama. Because it’s distorted this way, because people talk about these fictional kids in the basement instead of government officials that have really been the problem, it ends up meaning that cybersecurity has been an excuse to do anything…

    Now, cybersecurity is important. I think the government should be finding these vulnerabilities and helping to fix them. But they’re doing the opposite of that. They’re finding the vulnerabilities and keeping them secret so they can abuse them. So if we do care about cybersecurity, what we need to do is focus the debate not on these kids in a basement who aren’t doing any damage — but on the powerful people, the people paying lots of money to find these security holes who then are doing damage and refusing to fix them.

March 21, 2013

The technological imbalance between security and threats

Filed under: Government, Liberty, Technology — Tags: , , , — Nicholas @ 09:17

Bruce Schneier on the power of technology in a security context:

A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.

The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.

For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced?

I don’t think it can.

February 28, 2013

Cybersecurity … can it be anything more than fear + handwaving = “we must have a law!”

Filed under: Business, Government, Law, Technology — Tags: , , , , , — Nicholas @ 00:01

At Techdirt, Mike Masnick fisks “the worst article you might ever read about ‘Cybersecurity'”:

There has been a lot of discussion lately about “cybersecurity” “cyberwar” “cyberattacks” and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame “cyber-” prefix. This is, in large part, due to the return of CISPA along with the White House’s cybersecurity executive order. Of course, the unfortunate part is that we’re still dealing in a massive amount of hype about the “threats” these initiatives are trying to face. They’re always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = “we must have a law!”

However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it’s not at the top, it’s close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response. As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that almost makes me wonder if the whole thing is a parody.

[. . .]

There’s been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it’s unclear that they’ve done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it’s “done something.”

Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That’s debatable, and we’re still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).

December 4, 2012

Tumblr gets trolled

Filed under: Media, Technology — Tags: , , , , — Nicholas @ 09:58

The Register‘s John Leyden on the JavaScript troubles inflicted on Tumblr the other day:

A worm spread like wildfire across Tumblr on Monday, defacing pages on the blogging website with an abusive message penned by a notorious trolling crew.

The outbreak was triggered by the GNAA, a group of anonymous troublemakers who get their kicks from winding up bloggers with offensive posts.

Tumblr temporarily halted the publication of new journal posts to prevent the worm from spreading further before restoring the service to normal a few hours later.

[. . .]

“It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” wrote Graham Cluley, senior technology consultant at Sophos.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post — our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” he added.

December 3, 2012

The feudal technopeasant internet

Filed under: History, Liberty, Technology — Tags: , , , , , , — Nicholas @ 11:20

Bruce Schneier on the less-than-appealing state of user security in today’s internet:

It’s a feudal world out there.

Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.

These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.

Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.

Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.

And it’s this model that’s starting to permeate computer security today.

November 12, 2012

Firefox users more likely to stay on old version longer than other browser users

Filed under: Technology — Tags: , , — Nicholas @ 08:47

John Leyden summarizes the recent findings about how quickly users update their web browsers after a new release:

Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.

The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release — the remaining third are using even older code.

Internet Explorer is the most popular browser (used by 37.8 per cent of consumers), closely followed by Google Chrome (36.5 per cent). Firefox is in third place with 19.5 per cent.

Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.

Old-codgers Internet Explorer 6 and 7, with a combined share of 3.9 per cent, are still used by hundreds of thousands of punters worldwide.

October 27, 2012

Do you use a stupidly easy-to-guess password?

Filed under: Technology — Tags: , , , , — Nicholas @ 11:15

SplashData has released an updated list of the top 25 passwords gleaned by hackers from stolen password files:

# Password Change from 2011
1 password Unchanged
2 123456 Unchanged
3 12345678 Unchanged
4 abc123 Up 1
5 qwerty Down 1
6 monkey Unchanged
7 letmein Up 1
8 dragon Up 2
9 111111 Up 3
10 baseball Up 1
11 iloveyou Up 2
12 trustno1 Down 3
13 1234567 Down 6
14 sunshine Up 1
15 master Down 1
16 123123 Up 4
17 welcome New
18 shadow Up 1
19 ashley Down 3
20 football Up 5
21 jesus New
22 michael Up 2
23 ninja New
24 mustang New
25 password1 New

If you recognize any password on this list … do yourself a favour and change it to something not on the list, preferably using more characters (including upper and lower case letters, numbers, and symbols). And don’t use the same password on multiple sites! SplashData sells a password keeper application that is quite useful (I’ve been using it for years now), and is available for multiple platforms.

October 24, 2012

UN report says the internet is too vulnerable to terrorist use

Filed under: Liberty, Technology — Tags: , , , , — Nicholas @ 14:21

Mike Masnick views with alarm a new UN report that deserves to be viewed with alarm:

Ah, the UN. As highlighted by Declan McCullagh, a new report from the United Nations Counter-Terrorism Implementation Task Force, clocking in at an unwieldy 158 pages (pdf) warns that this old internet of ours is just too damn open, and that means terrorists can use it. Thus, it has to stop the openness. The report really is just about that bad: if terrorists might misuse it, it’s bad and must be stopped. The costs of locking up all this openness are brushed aside, if they’re even considered at all. Among the problems? How about open WiFi?

    ISPs may require users to provide identifying information prior to accessing Internet content and services. The collection and preservation of identifying information associated with Internet data, and the disclosure of such information, subject to the appropriate safeguards, could significantly assist investigative and prosecutorial proceedings. In particular, requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations. While some countries, such as Egypt, have implemented legislation requiring ISPs to identify users before allowing them Internet access, similar measures may be undertaken by ISPs on a voluntary basis.

It seems like it should be a general rule that, if you’re supporting something that includes better surveillance tools by saying, “Hey, Egypt — the same country that recently had the people rise up to force out a dictator, who tried to shut down the internet — does it!” perhaps you don’t have a very good argument.

The report is basically one big “OMG! But… but… terrorists! Kill it!”

October 18, 2012

Domestic terrorism less common in the US now than in the past

Filed under: History, USA — Tags: , , , , — Nicholas @ 10:42

At the Cato@Liberty blog, Benjamin Friedman looks at the history and compares it with today’s constant worry about US domestic terror operations:

Homegrown terrorism is not becoming more common and dangerous in the United States, contrary to warnings issued regularly from Washington. American jihadists attempting local attacks are predictably incompetent, making them even less dangerous than their rarity suggests.

Janet Napolitano, Secretary of Homeland Security, and Robert Mueller, Director of the Federal Bureau of Investigation, are among legions of experts and officials who have recently warned of a rise in homegrown terrorism, meaning terrorist acts or plots carried out by American citizens or long-term residents, often without guidance from foreign organisations.

But homegrown American terrorism is not new.

Leon Czolgosz, the anarchist who assassinated President McKinley in 1901, was a native-born American who got no foreign help. The same goes for John Wilkes Booth, Lee Harvey Oswald and James Earl Ray. The deadliest act of domestic terrorism in U.S. history, the 1995 Oklahoma City Bombing, was largely the work of New York-born Gulf War vet, Timothy McVeigh.

As Brian Michael Jenkins of RAND notes, there is far less homegrown terrorism today than in the 1970s, when the Weather Underground, the Jewish Defense League, anti-Castro Cuban exile groups, and the Puerto Rican Nationalists of the FALN were setting off bombs on U.S. soil.

[. . .]

After the September 11, the FBI received a massive boost in counterterrorism funding and shifted a small army of agents from crime-fighting to counterterrorism. Many joined new Joint Terrorism Task Forces. Ambitious prosecutors increasingly looked for terrorists to indict. Most states stood up intelligence fusion centers, which the Department of Homeland Security (DHS) soon fed with threat intelligence.

The intensification of the search was bound to produce more arrests, even without more terrorism, just as the Inquisition was sure to find more witches. Of course, unlike the witches, only a minority of those found by this search are innocent. But many seem like suggestible idiots unlikely to have produced workable plots without the help of FBI informants or undercover agents taught to induce criminal conduct without engaging in entrapment.

October 5, 2012

IT security magazine gets trolled

Filed under: Humour, Media, Technology — Tags: , , — Nicholas @ 08:04

At The Register, John Leyden talks about the researchers who finally got sick of being asked to write articles (unpaid) for the “biggest IT security magazine in the world”:

Security researchers have taken revenge on a publishing outlet that spams them with requests to write unpaid articles — by using a bogus submission to satirise the outlet’s low editorial standards.

Hakin9 bills rather grandly bills itself as the “biggest IT security magazine in the world”, published for 10 years, and claims to have a database of 100,000 IT security specialists. Many of these security specialists are regularly spammed with requests to submit articles, without receiving any payment in return.

Rather than binning another of its periodic requests, a group of researchers responded with a nonsensical article entitled DARPA Inference Checking Kludge Scanning, which Warsaw-based Hakin9 published in full, apparently without checking. The gobbledygook treatment appeared as the first chapter in a recent eBook edition of the magazine about Nmap, the popular security scanner.

In reality there’s no such thing as DARPA Inference Checking Kludge Scanning (or DICKS, for short) and the submission was a wind-up. Nonetheless an article entitled Nmap: The Internet Considered Harmful — DARPA Inference Checking Kludge Scanning appeared as the lead chapter in recent eBook guide on Nmap by Hakin9.

July 12, 2012

Säkerhetsbloggen does some preliminary analysis of Yahoo’s 453,000 leaked passwords

Filed under: Technology — Tags: , , , , , — Nicholas @ 10:01

As we’ve noticed before, there are lots of really, really bad passwords in use:

Recently, Ars Technica reported about a leak by “D33ds Company” of more than 450.000 plain-text accounts from a Yahoo service, which is suspected to be Yahoo Voice.

Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.

[. . .]

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Other bits of password-related idiocy are here.

« Newer PostsOlder Posts »

Powered by WordPress