Quotulatiousness

October 18, 2012

Domestic terrorism less common in the US now than in the past

Filed under: History, USA — Nicholas @ 10:42

At the Cato@Liberty blog, Benjamin Friedman looks at the history and compares it with today’s constant worry about US domestic terror operations:

Homegrown terrorism is not becoming more common and dangerous in the United States, contrary to warnings issued regularly from Washington. American jihadists attempting local attacks are predictably incompetent, making them even less dangerous than their rarity suggests.

Janet Napolitano, Secretary of Homeland Security, and Robert Mueller, Director of the Federal Bureau of Investigation, are among legions of experts and officials who have recently warned of a rise in homegrown terrorism, meaning terrorist acts or plots carried out by American citizens or long-term residents, often without guidance from foreign organisations.

But homegrown American terrorism is not new.

Leon Czolgosz, the anarchist who assassinated President McKinley in 1901, was a native-born American who got no foreign help. The same goes for John Wilkes Booth, Lee Harvey Oswald and James Earl Ray. The deadliest act of domestic terrorism in U.S. history, the 1995 Oklahoma City Bombing, was largely the work of New York-born Gulf War vet Timothy McVeigh.

As Brian Michael Jenkins of RAND notes, there is far less homegrown terrorism today than in the 1970s, when the Weather Underground, the Jewish Defense League, anti-Castro Cuban exile groups, and the Puerto Rican Nationalists of the FALN were setting off bombs on U.S. soil.

[. . .]

After September 11, the FBI received a massive boost in counterterrorism funding and shifted a small army of agents from crime-fighting to counterterrorism. Many joined new Joint Terrorism Task Forces. Ambitious prosecutors increasingly looked for terrorists to indict. Most states stood up intelligence fusion centers, which the Department of Homeland Security (DHS) soon fed with threat intelligence.

The intensification of the search was bound to produce more arrests, even without more terrorism, just as the Inquisition was sure to find more witches. Of course, unlike the witches, only a minority of those found by this search are innocent. But many seem like suggestible idiots unlikely to have produced workable plots without the help of FBI informants or undercover agents taught to induce criminal conduct without engaging in entrapment.

October 5, 2012

IT security magazine gets trolled

Filed under: Humour, Media, Technology — Nicholas @ 08:04

At The Register, John Leyden talks about the researchers who finally got sick of being asked to write articles (unpaid) for the “biggest IT security magazine in the world”:

Security researchers have taken revenge on a publishing outlet that spams them with requests to write unpaid articles — by using a bogus submission to satirise the outlet’s low editorial standards.

Hakin9 rather grandly bills itself as the “biggest IT security magazine in the world”, published for 10 years, and claims to have a database of 100,000 IT security specialists. Many of these security specialists are regularly spammed with requests to submit articles, without receiving any payment in return.

Rather than binning another of its periodic requests, a group of researchers responded with a nonsensical article entitled DARPA Inference Checking Kludge Scanning, which Warsaw-based Hakin9 published in full, apparently without checking. The gobbledygook treatment appeared as the first chapter in a recent eBook edition of the magazine about Nmap, the popular security scanner.

In reality there’s no such thing as DARPA Inference Checking Kludge Scanning (or DICKS, for short) and the submission was a wind-up. Nonetheless an article entitled Nmap: The Internet Considered Harmful — DARPA Inference Checking Kludge Scanning appeared as the lead chapter in a recent eBook guide on Nmap by Hakin9.

July 12, 2012

Säkerhetsbloggen does some preliminary analysis of Yahoo’s 453,000 leaked passwords

Filed under: Technology — Nicholas @ 10:01

As we’ve noticed before, there are lots of really, really bad passwords in use:

Recently, Ars Technica reported about a leak by “D33ds Company” of more than 450,000 plain-text accounts from a Yahoo service, which is suspected to be Yahoo Voice.

Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.

[. . .]

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Other bits of password-related idiocy are here.
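The kind of tally Säkerhetsbloggen produced (total entries, unique entries, top passwords with their share of the total) is a few lines of Python. The following is an added example, not code from that blog or from this one; the credential dump it reads is a constructed sample in `identifier:password` form, and the `parse_dump`, `summarise` and `report` names are my own.

```python
# Added example (not from the Säkerhetsbloggen post): tally a plaintext
# credential dump the way the post's "Top 10 passwords" summary does.
from collections import Counter

# Constructed sample of "identifier:password" lines standing in for a leaked
# dump; the real leak is not reproduced here.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:123456
dave@example.com:welcome
erin@example.com:Tr0ub4dor&3
frank@example.com:123456
grace@example.com:password
heidi@example.com:ninja
ivan@example.com:correct horse battery staple
judy@example.com:123456
"""


def parse_dump(text):
    """Return the list of passwords from 'identifier:password' lines.

    Only the first ':' separates the fields, so passwords may themselves
    contain ':'. Blank lines and lines without a separator are skipped,
    which is why a summary's entry count can be below the headline size
    of a leak."""
    passwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, password = line.split(":", 1)
        passwords.append(password)
    return passwords


def summarise(passwords, top_n=10):
    """Return (total, unique, [(password, count, share_percent), ...]).

    share_percent is the count as a percentage of all entries, rounded to
    two decimals, matching the post's "1666 (0.38%)" style."""
    counts = Counter(passwords)
    total = len(passwords)
    top = [(pw, n, round(100.0 * n / total, 2)) for pw, n in counts.most_common(top_n)]
    return total, len(counts), top


def report(text, top_n=10):
    """Render the summary in the same plain-text layout as the post."""
    total, unique, top = summarise(parse_dump(text), top_n)
    lines = [f"Total entries = {total}",
             f"Total unique entries = {unique}",
             "",
             f"Top {top_n} passwords"]
    for pw, n, pct in top:
        lines.append(f"{pw} = {n} ({pct}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

Run against a real dump, the interesting output is not the top entry (it is always some variant of `123456` or `password`) but the ratio of unique to total entries: the further it sits below 1, the more of the user base is sharing a handful of guessable strings, which is exactly what an attacker with a small wordlist exploits and what a password deny-list at registration time prevents.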

May 30, 2012

New in the battle against Somali pirates: private convoys

Filed under: Africa, Middle East, Military — Nicholas @ 09:40

At the BBC News site, Martin Plaut reports on the latest attempt to quell piracy off the shores of Somalia:

Off the pirate-infested waters of Somalia, a new force is taking shape.

The private company Typhon is preparing to operate alongside the world’s navies, offering protection to cargo vessels sailing around the Horn of Africa.

But unlike other private security firms which put guards on board other people’s ships, it will offer vessels of its own.

The chief executive of Typhon, Anthony Sharpe, says the plan is to rendezvous with cargo ships which sign up for their protection and form them into a convoy.

The company says it will establish what it is describing as an exclusion zone of one kilometre around the ships.

The company is buying three boats, which are currently being fitted out in Singapore.

Each of its craft will have up to 40 security officers, drawn from former British Royal Marines, as well as a crew of 20.

The ships will be fitted with machine guns and the staff will have rifles.

April 10, 2012

The easy days of piracy are fading rapidly

Filed under: Africa, Middle East, Military — Nicholas @ 09:05

Strategy Page has an update on the anti-piracy efforts off the Somalian coastline:

After two years of immense prosperity, the last year has been a disaster for the Somali pirates. For example, in the last eight months, only six ships have been captured, compared to 36 ships in the same eight-month period a year ago. Pirate income is down 80 percent and expenses are up. Pirates have to spend more time at sea looking for a potential target, and when they find one, they either fail in their boarding efforts (because of armed guards, or better defense and more alert crews) or find anti-piracy patrol warships and armed helicopters showing up. Unlike in the past, the patrol now takes away the pirates’ weapons and equipment, sinks their mother ships and dumps the pirates back on a beach. The pirates claim that some members of the anti-piracy patrol simply kill pirates they encounter on the high seas (some nations have admitted doing this, at least once, in the past). But no one does this as official policy, and the rules are still basically “catch and release.” The big change is that the patrol has become much better at detecting pirates, on captured fishing ships, and shutting these pirates down. Often the pirates bring along the crew of the fishing ships, to help with the deception. But the patrol knows which fishing ships have “disappeared” and quickly identifies those missing ships they encounter, and usually finds pirates in charge. The anti-piracy patrol also has maritime reconnaissance aircraft that seek to spot mother ships as they leave pirate bases on the north Somali coast, and direct a warship to intercept and shut down those pirates. The pirates have been losing a lot of equipment, and time, and money needed to pay for it.

[. . .]

Pirates have responded by finding new targets (ships anchored off ports waiting for a berth) and using new tactics (using half a dozen or more speedboats for an attack.) The pirates still have a powerful incentive to take ships. In 2010, for example, pirates got paid over $200 million in ransom. The year before that it was $150 million. Most of that was taken by the pirate gang leaders, local warlords and the Persian Gulf negotiators who deal with the shipping companies. But for the pirates who took the ship, then helped guard it for months until the money was paid, the take was still huge. Pirates who actually boarded the ship tend to receive at least $150,000 each, which is ten times what the average Somali man makes over his entire lifetime. Even the lowest ranking member of the pirate gang gets a few thousand dollars per ransom. The general rule is that half the ransom goes to the financiers, the gang leaders and ransom negotiators. About a quarter of the money goes to the crew that took the ship, with a bonus for whoever got on board first. The pirates who guard the ship and look after the crew get ten percent, and about ten percent goes to local clans and warlords, as protection money (or bribes).

[. . .]

For the last four years, Somali pirates have been operating as far east as the Seychelles, which are a group of 115 islands 1,500 kilometers from the African coast. The islands have a total population of 85,000 and no military power to speak of. They are defenseless against pirates. So are many of the ships moving north and south off the East Coast of Africa. While ships making the Gulf of Aden run know they must take measures to deal with pirate attacks (posting lookouts 24/7, training the crew to use fire hoses and other measures to repel boarders, hanging barbed wire on the railings and over the side to deter boarders), this is not so common for ships operating a thousand kilometers or more off the east coast of Africa. Ships in this area were warned last year that they were at risk. Now, the pirates are out in force, demonstrating that the risk is real.

April 1, 2012

“Off the Somali coast, everyone is looking for a big payday”

Filed under: Africa, Law, Military — Nicholas @ 11:54

Strategy Page on recent developments in the anti-piracy campaign off the Somali coast:

To get around laws, in many ports, forbidding weapons aboard merchant ships, security companies operating off the Somali coast have equipped small ships to serve as floating arsenals. The security guards board, in port, the merchant ships they are guarding, then meet up with the gun ship in international waters so the guards can get their weapons and ammo. The process is reversed when the merchant ships approach their destinations or leave pirate-infested waters (and put the armed guards off onto the gun ship.) Maritime lawyers fret that there are no proper laws to regulate these floating armories, or that if there are applicable laws, everyone is not following them. It’s also feared that some enterprising lawyers will seek to represent the families of pirates shot by these armed guards. Off the Somali coast, everyone is looking for a big payday.

In the last three years, more and more merchant ships, despite the high expense, have hired armed guards when travelling near the “Pirate Coast” of Somalia. It began when France put detachments of troops on tuna boats operating in the Indian Ocean, and Belgium then supplied detachments of soldiers for Belgian ships that must move near the Somali coast. These armed guards are not cheap, with detachments costing up to $200,000 a week. There are now over a dozen private security companies offering such services. What makes the armed guards so attractive is the fact that no ship carrying them has ever been captured by pirates. That may eventually change, but for the moment, the pirates avoid ships carrying armed guards and seek less well-defended prey.

November 25, 2011

This explains why Google dropped out of my “referer site” log

Filed under: Administrivia, Technology — Nicholas @ 12:24

John Leyden explains how a change in the way Google handled search requests was reflected in my blog’s referer log by Bing suddenly becoming the top search engine for folks visiting Quotulatiousness:

Google made secure search the default option for logged in users last month — primarily for privacy protection reasons. But the move has had the beneficial side-effect of making life difficult for fraudsters seeking to manipulate search engine rankings in order to promote scam sites, according to security researchers.

Users signed into Google were offered the ability to send search queries over secure (https) connections last month. This meant that search queries sent while using insecure networks, such as Wi-Fi hotspots, are no longer visible (and easily captured) by other users on the same network.

However Google also made a second (under-reported) change last month by omitting the search terms used to reach websites from the HTTP referrer header, where secure search is used. The approach means it has become harder for legitimate websites to see the search terms surfers fed through Google before reaching their website, making it harder for sites to optimise or tune their content without using Google’s analytics service.

I’d assumed that there had been some kind of change in the way Google was handling searches, because even though Google pretty much disappeared from my logs (having been the #1 referring site forever), the volume of traffic remained about the same.
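What the log was showing can be reproduced with a small referer classifier. The block below is an added example, not code from The Register or from this blog: it takes Referer header values as they would appear in a web-server access log, extracts the `q` search parameter when the URL carries one, and counts per search engine how many visits still exposed the query. The referer strings are constructed samples (the secure-search one deliberately carries no query, as the article describes), and `classify_referer` and `tally` are names of my own.

```python
# Added example (not from The Register article or the blog): classify the
# Referer headers in a web-server access log to see which visits still carry
# the search terms a user typed and which do not.
from urllib.parse import urlsplit, parse_qs

# Constructed access-log referer values ("-" is the common-log-format marker
# for a missing header). Not captured from any real log.
SAMPLE_REFERERS = [
    "http://www.google.com/search?q=quotulatiousness+pirates&hl=en",  # plain-HTTP search: query visible
    "https://www.google.com/",                                          # secure search: query omitted
    "http://www.bing.com/search?q=somali+pirate+convoys",
    "https://duckduckgo.com/",
    "-",
]

# Hostnames treated as search engines; anything else is "other".
SEARCH_ENGINES = {
    "www.google.com": "Google",
    "www.bing.com": "Bing",
    "duckduckgo.com": "DuckDuckGo",
}


def classify_referer(referer):
    """Return (engine, search_terms) for one Referer value.

    engine is the search engine name, "other" for any other site, or "none"
    when the header is missing. search_terms is the decoded 'q' parameter
    if the URL carried one, otherwise None."""
    if not referer or referer == "-":
        return "none", None
    parts = urlsplit(referer)
    engine = SEARCH_ENGINES.get(parts.hostname, "other")
    query = parse_qs(parts.query).get("q")   # '+' and %xx decoding handled by parse_qs
    return engine, (query[0] if query else None)


def tally(referers):
    """Map engine -> (visits seen, visits whose referer exposed search terms)."""
    visits = {}
    for ref in referers:
        engine, terms = classify_referer(ref)
        seen, with_terms = visits.get(engine, (0, 0))
        visits[engine] = (seen + 1, with_terms + (1 if terms else 0))
    return visits


if __name__ == "__main__":
    for engine, (seen, with_terms) in sorted(tally(SAMPLE_REFERERS).items()):
        print(f"{engine:10} visits={seen} with_search_terms={with_terms}")
```

The same mechanism cuts both ways for a site operator: whatever a page puts in its own URLs (session tokens, e-mail addresses in query strings) is handed to every third-party site a visitor clicks through to, so the defensive counterpart of Google's change is to keep secrets out of URLs and to set a restrictive `Referrer-Policy` response header on pages that must carry them.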

November 19, 2011

Internet users’ password security still hasn’t improved

Filed under: Technology — Nicholas @ 10:03

Do you use any of the following terms as your password? If so, congratulations, you’re helping keep the rest of us from being as easily hacked as you are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

This list is from SplashData, who produce (among other things) a password-keeper utility. Last year, Gawker published the 50 top passwords in a graphic:

Here’s a word cloud from an earlier post on passwords:

Other posts on this topic: opportunities for humour with your bank’s secret questions, xkcd on the paradox of passwords, Passwords and the average user, More on passwords, And yet more on passwords, and Practically speaking, the end is in sight for passwords.
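Lists like SplashData's are only useful if something checks new passwords against them, and a naive exact-match check is defeated by `Password1` or `P@ssw0rd!`. The block below is an added example, not code from SplashData or from this blog: it uses the 25 entries quoted above as the deny-list and normalises a candidate password (lower-case, strip trailing digits and symbols, undo common letter-for-digit substitutions) before looking it up. The `LEET_MAP` table and the `candidate_forms`, `matched_entry` and `is_common` names are my own; the substitution table is a small, hand-picked one, not an exhaustive set.

```python
# Added example (not from SplashData or the blog): reject passwords that match
# a most-common list even after the usual decorations people add to them.
import re

# The 25 entries quoted in the post, used here as the deny-list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Hand-picked digit/symbol-for-letter substitutions, undone before lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password):
    """Return the forms of `password` to look up, most literal first.

    Four forms are tried: lower-cased; with trailing non-letters removed
    ('monkey2012' -> 'monkey'); and each of those with leet substitutions
    undone ('l3tm3in' -> 'letmein'). The literal lower-cased form comes
    first so list entries that are themselves decorated ('trustno1',
    'abc123') still match. Only trailing decoration is handled; a leading
    digit ('1password') is not stripped."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    forms = [lowered, stripped,
             lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)]
    ordered = []
    for form in forms:
        if form and form not in ordered:   # drop empties and duplicates, keep order
            ordered.append(form)
    return ordered


def matched_entry(password, deny_list=COMMON_PASSWORDS):
    """Return the deny-list entry the password reduces to, or None."""
    for form in candidate_forms(password):
        if form in deny_list:
            return form
    return None


def is_common(password, deny_list=COMMON_PASSWORDS):
    """True if the password should be rejected as too common."""
    return matched_entry(password, deny_list) is not None


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd!", "monkey2012", "trustno1",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        hit = matched_entry(pw)
        print(f"{pw!r:35} -> {'REJECT (' + hit + ')' if hit else 'ok'}")
```

In production the deny-list would be a much larger file of leaked and common passwords rather than 25 literals, and the check belongs at registration and password-change time, where rejecting a match costs the user one retry; the normalisation is what keeps it from being a formality.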

November 14, 2011

Retired Gurkha soldiers changing the face of security services in Britain

Filed under: Asia, Britain, Military — Nicholas @ 12:14

An interesting article at the BBC website details how many retired Gurkha soldiers have found civilian careers in security a good follow-up to their military service:

It has been suggested that some Gurkhas are struggling to cope with the cost of living in the UK, with the British Gurkha Welfare Society saying about 25,000 of those who retired before 1997 still only receive a third of the pension of their British and Commonwealth former comrades.

But a recent study suggested that Gurkhas of working age are the most economically active and self-reliant social group in Britain.

The University of Kent research found the employment rates among Gurkha men and women are particularly high, at 95% for men under 60 and 93% for women under that age.

It also showed that security is the most popular job for male veterans. Ex-military people joining the security industry is nothing new, but security companies are capitalising on the Gurkhas’ formidable reputation.

G4S set up Gurkha Services in 2007 and it now employs at least 600 people across 27 contracts.

They are involved in guarding the UK’s “critical infrastructure”, such as power stations and railways, from vandals, protesters and thieves. Rarely a day goes by without some story about how cable theft has disrupted a train journey or caused a power outage. Now Gurkhas are the new front line against the crime wave.

October 16, 2011

Rick Mercer on the (secret) border security negotiations

Filed under: Cancon, Government, USA — Nicholas @ 10:42

September 10, 2011

How much damage to personal liberty will the new US/Canadian security deal inflict?

Filed under: Cancon, Economics, Liberty, USA — Nicholas @ 11:35

An article in the Globe and Mail discusses — in very general terms — the new security deal negotiated between the US and Canadian governments:

U.S. and Canadian negotiators have successfully concluded talks on a new deal to integrate continental security and erase obstacles to cross-border trade.

Negotiators have reached agreement on almost all of the three dozen separate initiatives in the Beyond the Border action plan, said sources who cannot be named because they are not authorized to speak publicly on the matter. The few remaining items mostly involve questions of wording and should be settled in time for an announcement in late September.

[. . .]

Opponents have raised alarms that an agreement would cost Canadians both sovereignty and personal privacy. But failure to implement the agreements could further impair the world’s most extensive trading relationship, and put manufacturing jobs across the country at risk.

Details of the agreement are closely held. But goals outlined earlier include specific proposals to co-ordinate and align such things as biometrics on passports, watch lists, inspection of containers at overseas ports and other security measures.

[. . .]

Canadians who believe that the United States has sold its liberty because of fears for its security, or who resist any further economic integration with the troubled economic giant, are likely to oppose the Beyond the Border proposals.

I don’t oppose trade with the US — far from it — but I do feel very strongly that the US has reduced the liberties of its citizens in pursuit of security (check the topic SecurityTheatre for lots of examples). I don’t want to see that trend exported to Canada in exchange for better economic access to their markets.

September 9, 2011

Opportunities for humour with your bank’s “secret questions”

Filed under: Humour, Technology — Nicholas @ 09:15

If you do online banking, you’ve probably been asked to provide additional security checks beyond your userid and password. Some banks only allow you to select answers from pre-selected questions, but others get you to provide both the question and the answer. In a post from more than a year back, Bruce Schneier offers a few combinations that lighten the mood (and there are lots of funny — and weird — suggestions in the comment thread):

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

August 16, 2011

Charles Stross on the future of network security

Filed under: Science, Technology — Nicholas @ 12:40

Charles isn’t a professional in network security, but he has a good track record of exploring the consequences of new technology in his science fiction works. He was invited to give the keynote address at the 2011 USENIX conference.

Unlike you, I am not a security professional. However, we probably share a common human trait, namely that none of us enjoy looking like a fool in front of a large audience. I therefore chose the title of my talk to minimize the risk of ridicule: if we should meet up in 2061, much less in the 26th century, you’re welcome to rib me about this talk. Because I’ll be happy to still be alive to rib.

So what follows should be seen as a farrago of speculation by a guy who earns his living telling entertaining lies for money.

The question I’m going to spin entertaining lies around is this: what is network security going to be about once we get past the current sigmoid curve of accelerating progress and into a steady state, when Moore’s first law is long since burned out, and networked computing appliances have been around for as long as steam engines?

I’d like to start by making a few basic assumptions about the future, some implicit and some explicit: if only to narrow the field.

August 10, 2011

xkcd on the paradox of passwords

Filed under: Humour, Technology — Nicholas @ 10:10

He’s absolutely right, you know . . .

June 22, 2011

Carr: LulzSec versus the CIA

Filed under: Government, Technology, USA — Nicholas @ 07:50

Paul Carr is somewhat dismissive of the hacking exploits of the LulzSec group:

For the past few weeks, a hacker collective called LulzSec has been leading American and British authorities a merry dance. The group’s targets are seemingly random – Sony, the CIA, contestants of a reality TV show, the Serious Organised Crime Agency (Soca) – but their stated motive has remained constant: “we’re doing it for laughs”, or, to put it in internet parlance, “lulz”.

If one is to believe the media coverage – particularly here in the US – no one is safe from the ingenious hackers and their devilishly complex attacks. The truth is, there’s almost nothing ingenious about what LulzSec is doing: CIA and Soca were not “hacked” in any meaningful sense, rather their public websites were brought down by an avalanche of traffic — a so-called “distributed denial-of-service” (DDoS) attack. Given enough internet-enabled typewriters, a mentally subnormal monkey could launch a DDoS attack — except that mentally subnormal monkeys have better things to do with their time.

Even the genuine hacks are barely worthy of the word. Many large organisations use databases with known security holes that can easily be exploited by anyone who has recently completed the first year of a computer science degree: it’s no coincidence that so many of these hacker collectives appear towards the end of the academic year.
