The lesson I remember best from my religious instruction as a youth in the Catholic church came from a nun who was explaining the ten commandments. She asked me to explain the prohibition of taking the Lord’s name in vain; I said it meant I should not curse using God’s name. She corrected me — ultimately the commandment means we should not invoke God’s name for our own power or glory or purposes rather than His own, she said.
9/11 — like every great and terrible thing and event that has ever come before it — is invoked to demand and justify a wide array of ends and prove a confusing jumble of conclusions. Many of those ends and conclusions were sought by their advocates well before 9/11. It has ever been so. People will seek power, seek prominence, seek money, seek their religious and ideological goals by invoking events — by trying, as I suggested in #4 above, to blur the line between the thing and our reaction to the thing. This has been a constant theme on this blog: the government has sought more and more power over us, and more and more limitations on our rights, by invoking 9/11, only to use those new powers to fight old fights unrelated to terrorism and to suppress things they didn’t like before 9/11. The PATRIOT ACT was an incoherent jumble of law enforcement wet dreams and wish lists, components of which had been floating about for decades. But though the government’s efforts to use 9/11 has carried the most weight, the invocations have not come only from the government — they’ve come from everywhere, left and right, seeking to use the tragedy to prove preconceptions about America and its foreign policy.
Ken White, “Ten Things I Want My Children To Learn From 9/11”, Popehat, 2011-09-11
September 12, 2013
QotD: The “never let a crisis go to waste” mentality
August 18, 2013
The real problem facing the NSA and other intelligence organizations
Charles Stross points out that there’s been a vast change in the working world that the NSA and other acronyms didn’t see coming and haven’t prepared themselves to face:
The big government/civil service agencies are old. They’re products of the 20th century, and they are used to running their human resources and internal security processes as if they’re still living in the days of the “job for life” culture; potential spooks-to-be were tapped early (often while at school or university), vetted, then given a safe sinecure along with regular monitoring to ensure they stayed on the straight-and-narrow all the way to the gold watch and pension. Because that’s how we all used to work, at least if we were civil servants or white collar paper pushers back in the 1950s.
[…]
Here’s the problem: they’re now running into outside contractors who grew up in Generation X or Generation Y.
Let’s leave aside the prognostications of sociologists about over-broad cultural traits of an entire generation. The key facts are: Generation X’s parents expected a job for life, but with few exceptions Gen Xers never had that — they’re used to nomadic employment, hire-and-fire, right-to-work laws, the whole nine yards of organized-labour deracination. Gen Y’s parents are Gen X. Gen Y has never thought of jobs as permanent things. Gen Y will stare at you blankly if you talk about loyalty to their employer; the old feudal arrangement (“we’ll give you a job for life and look after you as long as you look out for the Organization”) is something their grandparents maybe ranted about, but it’s about as real as the divine right of kings. Employers are alien hive-mind colony intelligences who will fuck you over for the bottom line on the quarterly balance sheet. They’ll give you a laptop and tell you to hot-desk or work at home so that they can save money on office floorspace and furniture. They’ll dangle the offer of a permanent job over your head but keep you on a zero-hours contract for as long as is convenient. This is the world they grew up in: this is the world that defines their expectations.
To Gen X, a job for life with the NSA was a probably-impossible dream — it’s what their parents told them to expect, but few of their number achieved. To Gen Y the idea of a job for life is ludicrous and/or impossible.
This means the NSA and their fellow swimmers in the acronym soup of the intelligence-industrial complex are increasingly reliant on nomadic contractor employees, and increasingly subject to staff churn. There is an emerging need to security-clear vast numbers of temporary/transient workers … and workers with no intrinsic sense of loyalty to the organization. For the time being, security clearance is carried out by other contractor organizations that specialize in human resource management, but even they are subject to the same problem: Quis custodiet ipsos custodes?
August 4, 2013
Bruce Schneier talks about security and trust
Published on 19 Jun 2013
Human society runs on trust. We all trust millions of people, organizations, and systems every day — and we do it so easily that we barely notice. But in any system of trust, there is an alternative, parasitic, strategy that involves abusing that trust. Making sure those defectors don’t destroy the cooperative systems they’re abusing is an age-old problem, one that we’ve solved through morals and ethics, laws, and all sorts of security technologies. Understanding how these all work — and fail — is essential to understanding the problems we face in today’s increasingly technological and interconnected world.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a “security guru,” he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
H/T to AVC for the link.
July 16, 2013
State of play in the surveillance state
If you’re just getting back from an extended vacation with no access to the news, “George Washington” at Zero Hedge has a cheat-sheet on spying that you might want to have a look at:
- The government is spying on just about everything we do
- The government has adopted a secret interpretation of the Patriot Act which allows it to pretend that “everything” is relevant … so it spies on everyone
- The government’s mass spying doesn’t keep us safe
- NSA spying did not prevent a terror attack on Wall Street
- There is no real oversight by either Congress or the courts. And see this and this
- Even a Federal judge who was on the secret spying court for 3 years says that it’s a kangaroo court
- Experts say that the spying program is illegal, and is exactly the kind of thing which King George imposed on the American colonists … which led to the Revolutionary War
Lots more at Zero Hedge.
July 11, 2013
Who will background-check the watchers?
Apparently, the folks who have been doing background checks for US government agencies have special abilities, including psychic powers:
The fallout from Ed Snowden’s leaks has taken many forms, one of which is the NSA taking a long look at its contractors’ hiring processes. Snowden claims to have taken the job solely to gather damning info. This revelation, combined with some inconsistencies in his educational history, has placed the companies who perform background and credit checks under the microscope.
What these agencies are now discovering can’t be making them happy, including the news that one contractor’s investigative work apparently involved a seance.
Anthony J. Domico, a former contractor hired to check the backgrounds of U.S. government workers, filed a 2006 report with the results of an investigation.
There was just one snag: A person he claimed to have interviewed had been dead for more than a decade. Domico, who had worked for contractors CACI International Inc. (CACI) and Systems Application & Technologies Inc., found himself the subject of a federal probe.
It’s not as if Domico’s case is an anomaly.
Domico is among 20 investigators who have pleaded guilty or have been convicted of falsifying such reports since 2006. Half of them worked for companies such as Altegrity Inc., which performed a background check on national-security contractor Edward Snowden. The cases may represent a fraction of the fabrications in a government vetting process with little oversight, according to lawmakers and U.S. watchdog officials.
Who watches the watchers’ watchers? It appears as if that crucial link in the chain has been ignored. Give any number of people a job to do and, no matter how important that position is, a certain percentage will cut so many corners their cubicles will start resembling spheres.
These are the people entrusted to help ensure our nation’s harvested data remains in safe hands, or at least, less abusive ones. Those defending the NSA claim this data is well-protected and surrounded by safeguards against abuse. Those claims were always a tad hollow, but this information shows them to be complete artifice. The NSA, along with several other government agencies, cannot positively say that they have taken the proper steps vetting their personnel.
June 11, 2013
The elephant in the IT room – who can you trust?
At The Register, Trevor Pott explains why trust is the key part of your personal online security:
Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.
All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere’s complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.
Let’s use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.
The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.
[. . .]
Trust as a design principle
The technosphere doesn’t think like this. Very few design their products around trust, or the lack thereof. We’ve become obsessed with how the technology works and what that technology can enable; technology is easy, people are hard. How the technology we create integrates into the larger reality of politics, law, emotion and the other people-centric elements is often overlooked.
In some cases it is simply a matter of having a limited target audience; American firms designing for American users, for example. It is impossible for most to really understand the intricacies of trust issues in all their variegated permutations. It is human to be limited in our vision, and scope of understanding.
H/T to Bruce Schneier for the link.
May 29, 2013
April 21, 2013
Documentary War for the Web includes final interview with Aaron Swartz
CNET‘s Declan McCullagh talks about an upcoming documentary release:
From Aaron Swartz’s struggles with an antihacking law to Hollywood’s lobbying to a raft of surveillance proposals, the Internet and its users’ rights are under attack as never before, according to the creators of a forthcoming documentary film.
The film, titled War for the Web, traces the physical infrastructure of the Internet, from fat underwater cables to living room routers, as a way to explain the story of what’s behind the high-volume politicking over proposals like CISPA, Net neutrality, and the Stop Online Piracy Act.
“People talk about security, people talk about privacy, they talk about regional duopolies like they’re independent issues,” Cameron Brueckner, the film’s director, told CNET yesterday. “What is particularly striking is that these issues aren’t really independent issues…. They’re all interconnected.”
The filmmakers have finished 17 lengthy interviews — including what they say is the last extensive one that Swartz, the Internet activist, gave before committing suicide in January — that have yielded about 24 hours of raw footage. They plan to have a rough cut finished by the end of the year, and have launched a fundraising campaign on Indiegogo that ends May 1. (Here’s a three-minute trailer.)
Swartz, who was charged under the Computer Fraud and Abuse Act, faced a criminal trial that would have begun this month and the possibility of anywhere from years to over a decade in federal prison for alleged illegal downloads of academic journal articles. He told the filmmakers last year, in an interview that took place after his indictment, that the U.S. government posed a more serious cybersecurity threat than hackers:
They cracked into other countries’ computers. They cracked into military installations. They have basically initiated cyberwar in a way that nobody is talking about because, you know, it’s not some kid in the basement somewhere — It’s President Obama. Because it’s distorted this way, because people talk about these fictional kids in the basement instead of government officials that have really been the problem, it ends up meaning that cybersecurity has been an excuse to do anything…
Now, cybersecurity is important. I think the government should be finding these vulnerabilities and helping to fix them. But they’re doing the opposite of that. They’re finding the vulnerabilities and keeping them secret so they can abuse them. So if we do care about cybersecurity, what we need to do is focus the debate not on these kids in a basement who aren’t doing any damage — but on the powerful people, the people paying lots of money to find these security holes who then are doing damage and refusing to fix them.
March 21, 2013
The technological imbalance between security and threats
Bruce Schneier on the power of technology in a security context:
A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.
The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.
For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced?
I don’t think it can.
February 28, 2013
Cybersecurity … can it be anything more than fear + handwaving = “we must have a law!”
At Techdirt, Mike Masnick fisks “the worst article you might ever read about ‘Cybersecurity’”:
There has been a lot of discussion lately about “cybersecurity” “cyberwar” “cyberattacks” and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame “cyber-” prefix. This is, in large part, due to the return of CISPA along with the White House’s cybersecurity executive order. Of course, the unfortunate part is that we’re still dealing in a massive amount of hype about the “threats” these initiatives are trying to face. They’re always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = “we must have a law!”
However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it’s not at the top, it’s close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response. As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that it almost makes me wonder if the whole thing is a parody.
[. . .]
There’s been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it’s unclear that they’ve done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it’s “done something.”
Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That’s debatable, and we’re still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).
December 4, 2012
Tumblr gets trolled
The Register‘s John Leyden on the JavaScript troubles inflicted on Tumblr the other day:
A worm spread like wildfire across Tumblr on Monday, defacing pages on the blogging website with an abusive message penned by a notorious trolling crew.
The outbreak was triggered by the GNAA, a group of anonymous troublemakers who get their kicks from winding up bloggers with offensive posts.
Tumblr temporarily halted the publication of new journal posts to prevent the worm from spreading further before restoring the service to normal a few hours later.
[. . .]
“It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” wrote Graham Cluley, senior technology consultant at Sophos.
“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post — our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” he added.
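The Base64-in-a-data-URI trick Cluley describes only works against a filter that inspects the raw markup of a post rather than what the browser will actually decode and execute. The following is an added example, my own code rather than Tumblr’s or Sophos’s, of a defender-side check that finds every data: URI in a post, decodes the payload the way a browser would, and flags active content; the regexes, function names and sample posts are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# data:<mime>[;param=value...][;base64],<payload>  (RFC 2397 shape; regex is my own)
DATA_URI_RE = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?P<params>(?:;[\w-]+=[^;,]*)*)"
    r"(?P<b64>;base64)?,(?P<payload>[^\"'\s)]+)",
    re.IGNORECASE,
)

# Markup that should never appear in user-posted content, encoded or not.
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe\b|<\s*object\b|<\s*embed\b",
    re.IGNORECASE,
)

# MIME types a browser will render as a document or execute as code.
RISKY_MIME_PREFIXES = ("text/html", "application/xhtml", "image/svg",
                       "text/javascript", "application/javascript")


def decode_payload(payload: str, is_base64: bool):
    """Return the payload as the browser would see it, or None if it cannot be inspected."""
    if not is_base64:
        return unquote(payload)                      # percent-encoded text form
    cleaned = re.sub(r"\s", "", payload)
    cleaned += "=" * (-len(cleaned) % 4)             # tolerate stripped padding, as browsers do
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def naive_filter_flags(html: str) -> bool:
    """The weak check: look for active content in the raw markup only."""
    return bool(ACTIVE_CONTENT_RE.search(html))


def scan_post(html: str) -> list:
    """Inspect every data: URI in a post and report why it is unsafe, if it is."""
    findings = []
    for m in DATA_URI_RE.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()
        is_b64 = bool(m.group("b64"))
        decoded = decode_payload(m.group("payload"), is_b64)
        reasons = []
        if mime.startswith(RISKY_MIME_PREFIXES):
            reasons.append(f"executable/document MIME type {mime}")
        if decoded is None:
            reasons.append("base64 payload could not be decoded for inspection")
        elif ACTIVE_CONTENT_RE.search(decoded):
            reasons.append("decoded payload contains active content")
        if reasons:
            findings.append({"uri": m.group(0)[:60], "mime": mime,
                             "base64": is_b64, "reasons": reasons})
    return findings


def is_post_allowed(html: str) -> bool:
    """Reject a post if the raw markup or any decoded data: URI carries active content."""
    return not naive_filter_flags(html) and not scan_post(html)


# Constructed sample posts (not the real worm payload).
BENIGN_IMG = '<img src="data:image/png;base64,iVBORw0KGgo=">'   # PNG header bytes only
_hidden = base64.b64encode(
    b"<html><body><script>/* constructed sample */</script></body></html>").decode()
DISGUISED = f'<a href="data:text/html;base64,{_hidden}">harmless-looking link</a>'

if __name__ == "__main__":
    print("benign:", is_post_allowed(BENIGN_IMG))          # True
    print("raw filter on disguised:", naive_filter_flags(DISGUISED))   # False (bypassed)
    print("decoded scan on disguised:", scan_post(DISGUISED))
```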
December 3, 2012
The feudal technopeasant internet
Bruce Schneier on the less-than-appealing state of user security in today’s internet:
It’s a feudal world out there.
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.
These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.
Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.
Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.
And it’s this model that’s starting to permeate computer security today.
November 12, 2012
Firefox users more likely to stay on old version longer than other browser users
John Leyden summarizes the recent findings about how quickly users update their web browsers after a new release:
Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.
The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release — the remaining third are using even older code.
Internet Explorer is the most popular browser (used by 37.8 per cent of consumers), closely followed by Google Chrome (36.5 per cent). Firefox is in third place with 19.5 per cent.
Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.
Old-codgers Internet Explorer 6 and 7, with a combined share of 3.9 per cent, are still used by hundreds of thousands of punters worldwide.
October 27, 2012
Do you use a stupidly easy-to-guess password?
SplashData has released an updated list of the top 25 passwords gleaned by hackers from stolen password files:
| # | Password | Change from 2011 |
|---|---|---|
| 1 | password | Unchanged |
| 2 | 123456 | Unchanged |
| 3 | 12345678 | Unchanged |
| 4 | abc123 | Up 1 |
| 5 | qwerty | Down 1 |
| 6 | monkey | Unchanged |
| 7 | letmein | Up 1 |
| 8 | dragon | Up 2 |
| 9 | 111111 | Up 3 |
| 10 | baseball | Up 1 |
| 11 | iloveyou | Up 2 |
| 12 | trustno1 | Down 3 |
| 13 | 1234567 | Down 6 |
| 14 | sunshine | Up 1 |
| 15 | master | Down 1 |
| 16 | 123123 | Up 4 |
| 17 | welcome | New |
| 18 | shadow | Up 1 |
| 19 | ashley | Down 3 |
| 20 | football | Up 5 |
| 21 | jesus | New |
| 22 | michael | Up 2 |
| 23 | ninja | New |
| 24 | mustang | New |
| 25 | password1 | New |
If you recognize any password on this list … do yourself a favour and change it to something not on the list, preferably using more characters (including upper and lower case letters, numbers, and symbols). And don’t use the same password on multiple sites! SplashData sells a password keeper application that is quite useful (I’ve been using it for years now), and is available for multiple platforms.
October 24, 2012
UN report says the internet is too vulnerable to terrorist use
Mike Masnick views with alarm a new UN report that deserves to be viewed with alarm:
Ah, the UN. As highlighted by Declan McCullagh, a new report from the United Nations Counter-Terrorism Implementation Task Force, clocking in at an unwieldy 158 pages (pdf) warns that this old internet of ours is just too damn open, and that means terrorists can use it. Thus, it has to stop the openness. The report really is just about that bad: if terrorists might misuse it, it’s bad and must be stopped. The costs of locking up all this openness are brushed aside, if they’re even considered at all. Among the problems? How about open WiFi?
ISPs may require users to provide identifying information prior to accessing Internet content and services. The collection and preservation of identifying information associated with Internet data, and the disclosure of such information, subject to the appropriate safeguards, could significantly assist investigative and prosecutorial proceedings. In particular, requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations. While some countries, such as Egypt, have implemented legislation requiring ISPs to identify users before allowing them Internet access, similar measures may be undertaken by ISPs on a voluntary basis.
It seems like it should be a general rule that, if you’re supporting something that includes better surveillance tools by saying, “Hey, Egypt — the same country that recently had the people rise up to force out a dictator, who tried to shut down the internet — does it!” perhaps you don’t have a very good argument.
The report is basically one big “OMG! But… but… terrorists! Kill it!”