Quotulatiousness

November 12, 2012

Firefox users more likely to stay on old version longer than other browser users

Filed under: Technology — Tags: , , — Nicholas @ 08:47

John Leyden summarizes the recent findings about how quickly users update their web browsers after a new release:

Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.

The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release — the remaining third are using even older code.

Internet Explorer is the most popular browser (used by 37.8 per cent of consumers), closely followed by Google Chrome (36.5 per cent). Firefox is in third place with 19.5 per cent.

Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.

Old-codgers Internet Explorer 6 and 7, with a combined share of 3.9 per cent, are still used by hundreds of thousands of punters worldwide.

October 27, 2012

Do you use a stupidly easy-to-guess password?

Filed under: Technology — Tags: , , , , — Nicholas @ 11:15

SplashData has released an updated list of the top 25 passwords gleaned by hackers from stolen password files:

# Password Change from 2011
1 password Unchanged
2 123456 Unchanged
3 12345678 Unchanged
4 abc123 Up 1
5 qwerty Down 1
6 monkey Unchanged
7 letmein Up 1
8 dragon Up 2
9 111111 Up 3
10 baseball Up 1
11 iloveyou Up 2
12 trustno1 Down 3
13 1234567 Down 6
14 sunshine Up 1
15 master Down 1
16 123123 Up 4
17 welcome New
18 shadow Up 1
19 ashley Down 3
20 football Up 5
21 jesus New
22 michael Up 2
23 ninja New
24 mustang New
25 password1 New

If you recognize any password on this list … do yourself a favour and change it to something not on the list, preferably using more characters (including upper and lower case letters, numbers, and symbols). And don’t use the same password on multiple sites! SplashData sells a password keeper application that is quite useful (I’ve been using it for years now), and is available for multiple platforms.

October 24, 2012

UN report says the internet is too vulnerable to terrorist use

Filed under: Liberty, Technology — Tags: , , , , — Nicholas @ 14:21

Mike Masnick views with alarm a new UN report that deserves to be viewed with alarm:

Ah, the UN. As highlighted by Declan McCullagh, a new report from the United Nations Counter-Terrorism Implementation Task Force, clocking in at an unwieldy 158 pages (pdf) warns that this old internet of ours is just too damn open, and that means terrorists can use it. Thus, it has to stop the openness. The report really is just about that bad: if terrorists might misuse it, it’s bad and must be stopped. The costs of locking up all this openness are brushed aside, if they’re even considered at all. Among the problems? How about open WiFi?

    ISPs may require users to provide identifying information prior to accessing Internet content and services. The collection and preservation of identifying information associated with Internet data, and the disclosure of such information, subject to the appropriate safeguards, could significantly assist investigative and prosecutorial proceedings. In particular, requiring registration for the use of Wi-Fi networks or cybercafes could provide an important data source for criminal investigations. While some countries, such as Egypt, have implemented legislation requiring ISPs to identify users before allowing them Internet access, similar measures may be undertaken by ISPs on a voluntary basis.

It seems like it should be a general rule that, if you’re supporting something that includes better surveillance tools by saying, “Hey, Egypt — the same country that recently had the people rise up to force out a dictator, who tried to shut down the internet — does it!” perhaps you don’t have a very good argument.

The report is basically one big “OMG! But… but… terrorists! Kill it!”

October 18, 2012

Domestic terrorism less common in the US now than in the past

Filed under: History, USA — Tags: , , , , — Nicholas @ 10:42

At the Cato@Liberty blog, Benjamin Friedman looks at the history and compares it with today’s constant worry about US domestic terror operations:

Homegrown terrorism is not becoming more common and dangerous in the United States, contrary to warnings issued regularly from Washington. American jihadists attempting local attacks are predictably incompetent, making them even less dangerous than their rarity suggests.

Janet Napolitano, Secretary of Homeland Security, and Robert Mueller, Director of the Federal Bureau of Investigation, are among legions of experts and officials who have recently warned of a rise in homegrown terrorism, meaning terrorist acts or plots carried out by American citizens or long-term residents, often without guidance from foreign organisations.

But homegrown American terrorism is not new.

Leon Czolgosz, the anarchist who assassinated President McKinley in 1901, was a native-born American who got no foreign help. The same goes for John Wilkes Booth, Lee Harvey Oswald and James Earl Ray. The deadliest act of domestic terrorism in U.S. history, the 1995 Oklahoma City Bombing, was largely the work of New York-born Gulf War vet, Timothy McVeigh.

As Brian Michael Jenkins of RAND notes, there is far less homegrown terrorism today than in the 1970s, when the Weather Underground, the Jewish Defense League, anti-Castro Cuban exile groups, and the Puerto Rican Nationalists of the FALN were setting off bombs on U.S. soil.

[. . .]

After the September 11, the FBI received a massive boost in counterterrorism funding and shifted a small army of agents from crime-fighting to counterterrorism. Many joined new Joint Terrorism Task Forces. Ambitious prosecutors increasingly looked for terrorists to indict. Most states stood up intelligence fusion centers, which the Department of Homeland Security (DHS) soon fed with threat intelligence.

The intensification of the search was bound to produce more arrests, even without more terrorism, just as the Inquisition was sure to find more witches. Of course, unlike the witches, only a minority of those found by this search are innocent. But many seem like suggestible idiots unlikely to have produced workable plots without the help of FBI informants or undercover agents taught to induce criminal conduct without engaging in entrapment.

October 5, 2012

IT security magazine gets trolled

Filed under: Humour, Media, Technology — Tags: , , — Nicholas @ 08:04

At The Register, John Leyden talks about the researchers who finally got sick of being asked to write articles (unpaid) for the “biggest IT security magazine in the world”:

Security researchers have taken revenge on a publishing outlet that spams them with requests to write unpaid articles — by using a bogus submission to satirise the outlet’s low editorial standards.

Hakin9 bills rather grandly bills itself as the “biggest IT security magazine in the world”, published for 10 years, and claims to have a database of 100,000 IT security specialists. Many of these security specialists are regularly spammed with requests to submit articles, without receiving any payment in return.

Rather than binning another of its periodic requests, a group of researchers responded with a nonsensical article entitled DARPA Inference Checking Kludge Scanning, which Warsaw-based Hakin9 published in full, apparently without checking. The gobbledygook treatment appeared as the first chapter in a recent eBook edition of the magazine about Nmap, the popular security scanner.

In reality there’s no such thing as DARPA Inference Checking Kludge Scanning (or DICKS, for short) and the submission was a wind-up. Nonetheless an article entitled Nmap: The Internet Considered Harmful — DARPA Inference Checking Kludge Scanning appeared as the lead chapter in recent eBook guide on Nmap by Hakin9.

July 12, 2012

Säkerhetsbloggen does some preliminary analysis of Yahoo’s 453,000 leaked passwords

Filed under: Technology — Tags: , , , , , — Nicholas @ 10:01

As we’ve noticed before, there are lots of really, really bad passwords in use:

Recently, Ars Technica reported about a leak by “D33ds Company” of more than 450.000 plain-text accounts from a Yahoo service, which is suspected to be Yahoo Voice.

Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.

[. . .]

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Other bits of password-related idiocy are here.

May 30, 2012

New in the battle against Somali pirates: private convoys

Filed under: Africa, Middle East, Military — Tags: , , , , — Nicholas @ 09:40

At the BBC News site, Martin Plaut reports on the latest attempt to quell piracy off the shores of Somalia:

Off the pirate-infested waters of Somalia, a new force is taking shape.

The private company Typhon is preparing to operate alongside the world’s navies, offering protection to cargo vessels sailing around the Horn of Africa.

But unlike other private security firms which put guards on board other people’s ships, it will offer vessels of its own.

The chief executive of Typhon, Anthony Sharpe, says the plan is to rendezvous with cargo ships which sign up for their protection and form them into a convoy.

The company says it will establish what it is describing as an exclusion zone of one kilometre around the ships.

The company is buying three boats, which are currently being fitted out in Singapore.

Each of its craft will have up to 40 security officers, drawn from former British Royal Marines, as well as a crew of 20.

The ships will be fitted with machine guns and the staff will have rifles.

April 10, 2012

The easy days of piracy are fading rapidly

Filed under: Africa, Middle East, Military — Tags: , , , , — Nicholas @ 09:05

Strategy Page has an update on the anti-piracy efforts off the Somalian coastline:

After two years of immense prosperity, the last year has been a disaster for the Somali pirates. For example, in the last eight months, only six ships have been captured, compared to 36 ships in the same eight month period a year ago. Pirate income is down 80 percent and expenses are up. Pirates have to spend more time at sea looking for a potential target, and when they find one, they either fail in their boarding efforts (because of armed guards, or better defense and more alert crews) or find anti-piracy patrol warships and armed helicopters showing up. Unlike in the past, the patrol now takes away the pirates weapons and equipment, sinks their mother ships and dumps the pirates back on a beach. The pirates claim that some members of the anti-piracy patrol simply kill pirates they encounter on the high seas (some nations have admitted doing this, at least once, in the past). But no one does this as official policy, and the rules are still basically “catch and release.” The big change is that the patrol has become much better at detecting pirates, on captured fishing ships, and shutting these pirates down. Often the pirates bring along the crew of the fishing ships, to help with the deception. But the patrol knows which fishing ships have “disappeared” and quickly identify those missing ships they encounter, and usually find pirates in charge. The anti-piracy patrol also has maritime reconnaissance aircraft that seek to spot mother ships as they leave pirate bases on the north Somali coast, and direct a warship to intercept and shut down those pirates. The pirates have been losing a lot of equipment, and time, and money needed to pay for it.

[. . .]

Pirates have responded by finding new targets (ships anchored off ports waiting for a berth) and using new tactics (using half a dozen or more speedboats for an attack.) The pirates still have a powerful incentive to take ships. In 2010, for example, pirates got paid over $200 million in ransom. The year before that it was $150 million. Most of that was taken by the pirate gang leaders, local warlords and the Persian Gulf negotiators who deal with the shipping companies. But for the pirates who took the ship, then helped guard it for months until the money was paid, the take was still huge. Pirates who actually boarded the ship tend to receive at least $150,000 each, which is ten times what the average Somali man makes over his entire lifetime. Even the lowest ranking member of the pirate gang gets a few thousand dollars per ransom. The general rule is that half the ransom goes to the financiers, the gang leaders and ransom negotiators. About a quarter of the money goes to the crew that took the ship, with a bonus for whoever got on board first. The pirates who guard the ship and look after the crew gets ten percent, and about ten percent goes to local clans and warlords, as protection money (or bribes).

[. . .]

For the last four years, Somali pirates have been operating as far east as the Seychelles, which are a group of 115 islands 1,500 kilometers from the African coast. The islands have a total population of 85,000 and no military power to speak of. They are defenseless against pirates. So are many of the ships moving north and south off the East Coast of Africa. While ships making the Gulf of Aden run know they must take measures to deal with pirate attacks (posting lookouts 24/7, training the crew to use fire hoses and other measures to repel boarders, hanging barbed wire on the railings and over the side to deter boarders), this is not so common for ships operating a thousand kilometers or more off the east coast of Africa. Ships in this area were warned last year that they were at risk. Now, the pirates are out in force, demonstrating that the risk is real.

April 1, 2012

“Off the Somali coast, everyone is looking for a big payday”

Filed under: Africa, Law, Military — Tags: , , , , , — Nicholas @ 11:54

Strategy Page on recent developments in the anti-piracy campaign off the Somali coast:

To get around laws, in many ports, forbidding weapons aboard merchant ships, security companies operating off the Somali coast have equipped small ships to serve as floating arsenals. The security guards boards, in port, the merchant ships they are guarding, then meet up with the gun ship in international waters so the guards can get their weapons and ammo. The process is reversed when the merchant ships approach their destinations or leave pirate infested waters (and put the armed guards off onto the gun ship.) Maritime lawyers fret that there are no proper laws to regulate these floating armories, or that if there are applicable laws, everyone is not following them. It’s also feared that some enterprising lawyers will seek to represent the families of pirates shot by these armed guards. Off the Somali coast, everyone is looking for a big payday.

In the last three years, more and more merchant ships, despite the high expense, have hired armed guards when travelling near the “Pirate Coast” of Somalia. It began when France put detachments of troops on tuna boats operating in the Indian Ocean, and Belgium then supplied detachments of soldiers for Belgium ships that must move near the Somali coast. These armed guards are not cheap, with detachments costing up to $200,000 a week. There are now over a dozen private security companies offering such services. What makes the armed guards so attractive is the fact that no ship carrying them has ever been captured by pirates. That may eventually change, but for the moment, the pirates avoid ships carrying armed guards and seek less well-defended prey.

November 25, 2011

This explains why Google dropped out of my “referer site” log

Filed under: Administrivia, Technology — Tags: , , , — Nicholas @ 12:24

John Leyden explains how a change in the way Google handled search requests was reflected in my blog’s referer log by Bing suddenly becoming the top search engine for folks visiting Quotulatiousness:

Google made secure search the default option for logged in users last month — primarily for privacy protection reasons. But the move has had the beneficial side-effect of making life for difficult for fraudsters seeking to manipulate search engine rankings in order to promote scam sites, according to security researchers.

Users signed into Google were offered the ability to send search queries over secure (https) connections last month. This meant that search queries sent while using insecure networks, such as Wi-Fi hotspots, are no longer visible (and easily captured) by other users on the same network.

However Google also made a second (under-reported) change last month by omitting the search terms used to reach websites from the HTTP referrer header, where secure search is used. The approach means it has become harder for legitimate websites to see the search terms surfers fed through Google before reaching their website, making it harder for site to optimise or tune their content without using Google’s analytics service.

I’d assumed that there had been some kind of change in the way Google was handling searches, because even though Google pretty much disappeared from my logs (having been the #1 referring site forever), the volume of traffic remained about the same.

November 19, 2011

Internet users’ password security still hasn’t improved

Filed under: Technology — Tags: , , , , , — Nicholas @ 10:03

Do you use any of the following terms as your password? If so, congratulations, you’re helping keep the rest of us from being as easily hacked as you are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

This list is from SplashData, who produce (among other things) a password-keeper utility. Last year, Gawker published the 50 top passwords in a graphic:

Here’s a word cloud from an earlier post on passwords:

Other posts on this topic: opportunities for humour with your bank’s secret questions, xkcd on the paradox of passwords, Passwords and the average user, More on passwords, And yet more on passwords, and Practically speaking, the end is in sight for passwords.

November 14, 2011

Retired Gurkha soldiers changing the face of security services in Britain

Filed under: Asia, Britain, Military — Tags: , , — Nicholas @ 12:14

An interesting article at the BBC website details how many retired Gurkha soldiers have found civilian careers in security a good follow-up to their military service:

It has been suggested that some Gurkhas are struggling to cope with the cost of living in the UK, with the British Gurkha Welfare Society saying about 25,000 of those who retired before 1997 still only receive a third of the pension of their British and Commonwealth former comrades.

But a recent study suggested that Gurkhas of working age are the most economically active and self-reliant social group in Britain.

The University of Kent research found the employment rates among Gurkha men and women are particularly high, at 95% for men under 60 and 93% for women under that age.

It also showed that security is the most popular job for male veterans. Ex-military people joining the security industry is nothing new, but security companies are capitalising on the Gurkhas’ formidable reputation.

G4S set up Gurkha Services in 2007 and it now employs at least 600 people across 27 contracts.

They are involved in guarding the UK’s “critical infrastructure”, such as power stations and railways, from vandals, protesters and thieves. Rarely a day goes by without some story about how cable theft has disrupted a train journey or caused a power outage. Now Gurkhas are the new front line against the crime wave.

October 16, 2011

Rick Mercer on the (secret) border security negotiations

Filed under: Cancon, Government, USA — Tags: , , — Nicholas @ 10:42

September 10, 2011

How much damage to personal liberty will the new US/Canadian security deal inflict?

Filed under: Cancon, Economics, Liberty, USA — Tags: , , , — Nicholas @ 11:35

An article in the Globe and Mail discusses — in very general terms — the new security deal negotiated between the US and Canadian governments:

U.S. and Canadian negotiators have successfully concluded talks on a new deal to integrate continental security and erase obstacles to cross-border trade.

Negotiators have reached agreement on almost all of the three dozen separate initiatives in the Beyond the Border action plan, said sources who cannot be named because they are not authorized to speak publicly on the matter. The few remaining items mostly involve questions of wording and should be settled in time for an announcement in late September.

[. . .]

Opponents have raised alarms that an agreement would cost Canadians both sovereignty and personal privacy. But failure to implement the agreements could further impair the world’s most extensive trading relationship, and put manufacturing jobs across the country at risk.

Details of the agreement are closely held. But goals outlined earlier include specific proposals to co-ordinate and align such things as biometrics on passports, watch lists, inspection of containers at overseas ports and other security measures.

[. . .]

Canadians who believe that the United States has sold its liberty because of fears for its security, or who resist any further economic integration with the troubled economic giant, are likely to oppose the Beyond the Border proposals.

I don’t oppose trade with the US — far from it — but I do feel very strongly that the US has reduced the liberties of its citizens in pursuit of security (check the topic SecurityTheatre for lots of examples). I don’t want to see that trend exported to Canada in exchange for better economic access to their markets.

September 9, 2011

Opportunities for humour with your bank’s “secret questions”

Filed under: Humour, Technology — Tags: , , — Nicholas @ 09:15

If you do online banking, you’ve probably been asked to provide additional security checks beyond your userid and password. Some banks only allow you to select answers from pre-selected questions, but others get you to provide both the question and the answer. In a post from more than a year back, Bruce Schneier offers a few combinations that lighten the mood (and there are lots of funny — and weird — suggestions in the comment thread):

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

« Newer PostsOlder Posts »

Powered by WordPress