Quotulatiousness

May 2, 2011

I think I’ll hold off on buying a PlayStation for a little while longer

Filed under: Gaming, Technology — Nicholas @ 09:17

I actually was considering buying a PS3 in the near future, as our existing Blu-Ray player doesn’t play nicely with Netflix, while my domestic gaming advisor tells me that PS3s do. Sony’s security problems are enough to give me pause:

“It’s really scary,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor, who fleshed out the doomsday scenario more thoroughly on Monday. “It’s justification for Sony freaking out. They could lose control of their whole PS3 network.”

Ray’s speculation is fueled in part by chat transcripts that appear to show unknown hackers discussing serious weaknesses in the PSN authentication system. In it, purported hackers going by the handles trixter and SKFU discuss how to connect to PSN servers using consoles with older firmware that contain bugs susceptible to jailbreaking exploits, even though Sony takes great pains to prevent that from happening.

“I just finished decrypting 100% of all PSN functions,” SKFU claimed.

There’s no evidence the participants had anything to do with the massive security breach that plundered names, addresses, email addresses, passwords and other sensitive information from some 77 million PSN users. But the log did raise questions about the security of the network, since it claimed it was possible to fool the PSN’s authentication system into permitting rogue consoles.

On this reading, arrogance on the part of Sony executives, and complacency on the part of developers and testers are key elements of the security failure:

“If you can’t jailbreak it, then I can see a developer assuming that they don’t need a particular authorization check on what’s coming across the wire because a user can’t do that,” said WhiteHat Security CTO Jeremiah Grossman, an expert in web application security. “So if somebody managed to jailbreak their device and pop a flaw, I can see something major happening there.”

Hotz, the PS3 jailbreaker who recently settled the copyright lawsuit Sony brought against him, said in a recent blog post that the theory is plausible and that responsibility for the hack lay squarely on the shoulders of Sony executives who placed too much trust in the invulnerability of the PS3.

“Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?” Hotz, aka GeoHot, wrote. “This arrogance undermines a basic security principle, never trust the client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you.”

April 28, 2011

Want a secure home? Even want it zombie-proof? Here you go

Filed under: Randomness — Nicholas @ 12:12

The first house to be certified as Zombie-proof:

“The most essential item for our clients was acquiring the feeling of maximum security,” begins the designers’ website in the summary of the structure. Who wouldn’t feel safe in a concrete rectangle that folds in upon itself to become completely sealed? Even the windows are covered with a slab of concrete when the structure is on nap time.

The house, with its movable walls, has only one entrance, which is located on the second floor after crossing a drawbridge. Seems like the perfect opportunity to use a flamethrower and defend the life of your family, while stylishly nesting in a piece of architectural elitism.

Lots of pictures at the original post. Here’s your drawbridge:

Here are the upper-story “shutters” swinging shut and the roll-down partially deployed:

And finally, your nice, safe, snug zombie-proof home all tucked in for the assault:

H/T to Markus Baur for the link.

April 27, 2011

Syrian update

Filed under: Liberty, Middle East — Nicholas @ 07:43

With attention focused on Libya, the Syrian situation is still highly volatile:

Bashar Assad clings to power by manipulating the fear within the many factions supporting him that they would have to flee the country, to avoid death or prison, if the current government fell. Then there is the threat that the security forces would use extreme violence to suppress the demonstrations. This, however, could enrage the general population and trigger a bloody civil war. The only thing everyone can agree on is a desire for peaceful resolution of the crisis. But Assad and his cronies don’t want to give up power, and they may have to risk everything to find out how far most Syrians are willing to go to force big changes.

Five weeks of escalating violence have left over 200 dead, and over a thousand arrested (and hundreds later released). While nearly all the dead are protestors, more security forces personnel are getting killed. The government is using armed militias (from the groups that have always supported the Assad dictatorship) as well as the police and “special” (secret) police to try and control or terrorize the growing number of demonstrators. There are also said to be small numbers (hundreds) of “security specialists” from Iran. Some Hezbollah gunmen are believed involved as well, and Syrians are accusing these “foreigners” for many of the killings. While most of the leadership posts in the police and army are held by minorities (like the Alawite sect the Assads belong to), most of the troops are majority Sunni Arab. Thus Assad controls management, but has to be careful with the rank and file.

If enough civilians hit the streets, there won’t be enough security forces to confront them, and the entire structure of the Assad police state will start coming apart. Iran might try to stop it, with a massive transfer (by air) of security personnel, and many more from Hezbollah entering by land. Hezbollah loses a lot if it no longer has those land supply routes from Syria. Meanwhile, each Friday (the Moslem Sunday), the demonstrations get larger. The way things have been going, it won’t be many more Fridays before Assad and his crew are gone, or the country is getting blown apart by civil war. It’s unclear if democracy or a new dictatorship will replace the old government. There are many tribes and factions in Syria, and predicting how they will all shake out is not possible.

Update: Just so you don’t forget, at the same time the Syrian government is attempting to suppress the demonstrations, it is running (unopposed) for a seat on the UN Human Rights Council.

April 14, 2011

DANE to address weaknesses in internet security?

Filed under: Technology — Nicholas @ 12:05

The Economist looks at a possible way to address the known weaknesses of the current internet security defaults:

[A] comprehensive solution would let domain owners confirm that the names and machine numbers issued by a given CA are kosher. Under DNS-based Authentication of Named Entities (DANE), a standard being developed by Mr Schultze and others at the Internet Engineering Task Force, a browser retrieves a certificate from a web server, but checks with the DNS whether the certificate is in fact the one that was issued to a given domain owner. So, though a CA will still provide a validation step, the domain owner will have had to give it the thumbs up first. To prevent malevolent fiddling the DNS infrastructure itself needs to be secured, too. A long-running effort to do this, known as DNSSEC, hit a key milestone in 2010 and may have enough pieces in place soon to be usable. This is important because DANE would be incomplete without it.

Whilst all current browsers must be updated to take advantage of DANE, the new system can coexist with the old, and a gradual transition can be made. Browser plug-ins could bridge the gap before browser makers build in DANE, too. Those that want the added robustness of the new system — whether individuals, companies, or governments — may accelerate the adoption of updated browsers as DANE becomes available.

These moves do not provide total assurance that what your browser is told about an internet site’s identity and security is true. Trust, but verify — and verify again.
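The check The Economist describes, written out as an added example (not code from the article or from the IETF drafts): the browser takes the certificate the server presented, looks up the domain owner's TLSA record, and accepts only if the record (signed by DNSSEC) says this is the certificate the owner meant to have issued. Certificate bytes, SPKI bytes and the record contents below are constructed stand-ins; the usage numbers follow RFC 6698, with only the end-entity usages (1 and 3) modelled.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA resource record (RFC 6698 wire fields, DNS data as bytes)."""
    usage: int          # 1 = PKIX-EE (CA check still required), 3 = DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes         # association data published by the domain owner


def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate is the one the TLSA record describes."""
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: record is unusable, never a match
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False


def verify_with_dane(records, dnssec_validated, cert_der, spki_der, pkix_valid):
    """Classify a presented certificate against the domain owner's TLSA records.

    Returns one of:
      "dane-ok"          the certificate is the one the domain owner published
      "dane-fail"        signed TLSA data exists and the certificate does NOT match
      "dane-unavailable" no usable, DNSSEC-validated TLSA data: only the
                         ordinary CA check remains (the pre-DANE situation)
    """
    if not dnssec_validated:
        # An unsigned DNS answer could have been altered in transit, so it
        # must not be allowed to override (or even support) the CA check.
        return "dane-unavailable"
    usable = [r for r in records if r.usage in (1, 3)]
    if not usable:
        return "dane-unavailable"
    for r in usable:
        if not tlsa_matches(r, cert_der, spki_der):
            continue
        # Usage 1 (PKIX-EE): the owner's thumbs-up AND a valid CA chain.
        # Usage 3 (DANE-EE): the DNS-published match alone is sufficient.
        if r.usage == 3 or pkix_valid:
            return "dane-ok"
    return "dane-fail"


# Constructed sample data: stand-ins for DER bytes, not real certificates.
GOOD_CERT = b"constructed-cert-der:example.test"
GOOD_SPKI = b"constructed-spki-der:example.test"
ROGUE_CERT = b"constructed-cert-der:mis-issued-for-example.test"
ROGUE_SPKI = b"constructed-spki-der:mis-issued-for-example.test"

# What the owner would publish at _443._tcp.example.test: usage 1 or 3,
# selector 1 (SPKI), matching type 1 (SHA-256 of the SPKI).
PKIX_EE_RECORD = TLSARecord(1, 1, 1, hashlib.sha256(GOOD_SPKI).digest())
DANE_EE_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(GOOD_SPKI).digest())


def demo():
    """Run the scenarios the article describes; returns a dict of outcomes."""
    return {
        # Legitimate server, CA chain valid, DNSSEC-signed TLSA answer.
        "legit": verify_with_dane([PKIX_EE_RECORD], True, GOOD_CERT, GOOD_SPKI, True),
        # A CA was tricked into issuing a cert for the domain: the CA check
        # passes, but the cert is not the one the owner published.
        "mis-issued": verify_with_dane([PKIX_EE_RECORD], True, ROGUE_CERT, ROGUE_SPKI, True),
        # Same mis-issued cert, but the TLSA answer was not DNSSEC-validated:
        # DANE cannot help, and only the (fooled) CA check remains.
        "no-dnssec": verify_with_dane([PKIX_EE_RECORD], False, ROGUE_CERT, ROGUE_SPKI, True),
        # Usage 1 still needs the CA step; usage 3 does not.
        "pkix-ee-bad-chain": verify_with_dane([PKIX_EE_RECORD], True, GOOD_CERT, GOOD_SPKI, False),
        "dane-ee-bad-chain": verify_with_dane([DANE_EE_RECORD], True, GOOD_CERT, GOOD_SPKI, False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The "no-dnssec" case is the article's closing caveat in code: without a signed DNS answer the TLSA record is worth nothing, and the browser is back to trusting the CA alone.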

April 11, 2011

SSL is “just an illusion of security”

Filed under: Technology — Nicholas @ 10:09

SSL (Secure Sockets Layer) is critically important to safe communications on the internet. It may also be “hopelessly broken”:

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It’s hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

“Right now, it’s just an illusion of security,” said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.”

Although SSL’s vulnerabilities are worrying, critics have reserved their most biting assessments for the business practices of Comodo, VeriSign, GoDaddy and the other so-called certificate authorities, known as CAs for short. Once their root certificates are included in Internet Explorer, Firefox and other major browsers, they can’t be removed without creating disruptions on huge swaths of the internet.

March 24, 2011

Online security: compromised HTTPS certificates

Filed under: Technology — Nicholas @ 09:25

Iranian hackers (or someone trying to cast blame on Iran) managed to get a number of HTTPS certificates issued under false colours:

On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into issuing fraudulent certificates that posed a dire risk to Internet security. Based on currently available information, the incident got close to — but was not quite — an Internet-wide security meltdown. As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems.

[. . .]

Comodo also said that the attack came primarily from Iranian IP addresses, and that one of the fraudulent login.yahoo.com certs was briefly deployed on a webserver in Iran.

March 11, 2011

Nothing to see here, citizen iPhone 3G user, move along

Filed under: Technology — Nicholas @ 12:31

An impertinent Apple iPhone 3G user risks becoming a non-person by asking why Apple’s latest security fixes exclude customers using earlier iPhones:

A Reg reader who brought up Apple’s decision to exclude the iPhone 3G and other older devices from its latest security update on an official forum has received a firm rebuke for his effort.

Apparently the post, which was quickly deleted, failed three separate rules of the Apple Discussions soviet, as a curt notice to our source explained (extract below):

Apple removed your post on Apple Discussions, titled “Please Apple, you cannot leave a major share of your customers vulnerable,” because it contained the following:

Speculation or Rumors
Discussion of Apple Policies, Procedures or Decisions
Petitions

Damn straight. Frankly our man can consider himself fortunate not to have his account deleted for suggesting Apple (at minimum) ought to release patches for Safari for the iPhone 3G. An iOS 4.3 update, released on Wednesday, which includes a number of critical security fixes, is incompatible with both the iPhone 3G and older versions of the iPod Touch. You need the iPhone 3GS, or later, or iPod Touch third generation to take advantage of the update, which includes a number of critical security fixes as well as performance and functionality improvements.

You don’t question us, Apple customer. We question you.

March 8, 2011

Latest boon to spammers? The move to IPv6, apparently

Filed under: Technology — Nicholas @ 08:50

John Leyden reports that with all the good things about moving to the vastly larger address space of IPv6, we can expect at least one negative:

The migration towards IPv6, which has been made necessary by the expansion of the internet, will make it harder to filter spam messages, service providers warn.

The current internet protocol, IPv4, has a limited address space which is reaching exhaustion thanks to the fast uptake of internet technology in populous countries such as India and China and the more widespread use of smartphones. IPv6 promises 3.4 x 10^38 addresses compared to the paltry 4.3 billion (4.3 x 10^9) addresses offered by IPv4.

While this expansion allows far more devices to have a unique internet address, it creates a host of problems for security service providers, who have long used databases of known bad IP addresses to maintain blacklists of junk mail cesspools. Spam-filtering technology typically uses these blacklists as one (key component) in a multi-stage junk mail filtering process that also involves examining message contents.

“The primary method for stopping the majority of spam used by email providers is to track bad IP addresses sending email and block them — a process known as IP blacklisting,” explained Stuart Paton, a senior solutions architect at spam-filtering outfit Cloudmark. “With IPv6 this technique will no longer be possible and could mean that email systems would quickly become overloaded if new approaches are not developed to address this.”
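An added example (not code from the article or from Cloudmark) of the problem Paton describes and of the kind of "new approach" the article says is needed: a blacklist keyed on exact addresses cannot keep up once a single sender has an entire /64 to move around in, whereas one keyed on the sender's allocation still works. The mail log below is constructed, and keying IPv6 senders by /64 is an assumption of this example rather than something the article prescribes.

```python
import ipaddress

# Addresses a single IPv6 customer typically controls (one /64): more than
# the whole IPv4 internet, so listing them one at a time can never catch up.
ADDRESSES_PER_64 = 2 ** 64          # 18,446,744,073,709,551,616
IPV4_TOTAL = 2 ** 32                # the "4.3 billion" quoted in the article


class ExactAddressBlacklist:
    """The classic IPv4 approach: remember each bad sending address."""

    def __init__(self):
        self._bad = set()

    def add(self, ip):
        self._bad.add(ipaddress.ip_address(ip))

    def is_listed(self, ip):
        return ipaddress.ip_address(ip) in self._bad


class PrefixBlacklist:
    """List the allocation a bad sender comes from, not the single address.

    IPv4 senders are keyed by the full address (/32, unchanged behaviour);
    IPv6 senders are keyed by their /64, so hopping to a neighbouring address
    inside the same allocation stays blocked.
    """

    def __init__(self, v6_prefixlen=64):
        self._v6_prefixlen = v6_prefixlen
        self._bad = set()

    def _key(self, ip):
        addr = ipaddress.ip_address(ip)
        prefixlen = 32 if addr.version == 4 else self._v6_prefixlen
        return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

    def add(self, ip):
        self._bad.add(self._key(ip))

    def is_listed(self, ip):
        return self._key(ip) in self._bad


# Constructed sample mail log: (source address, verdict from the content filter).
# One spam source moves through its own /64 after its first address is
# reported; a legitimate sender lives in an unrelated /64.
SAMPLE_LOG = [
    ("2001:db8:bad:1::1", "spam"),
    ("2001:db8:bad:1::2", "spam"),
    ("2001:db8:bad:1:dead:beef:0:3", "spam"),
    ("2001:db8:bad:1::ffff", "spam"),
    ("2001:db8:bad:1:1:2:3:4", "spam"),
    ("2001:db8:9::5", "ham"),
    ("2001:db8:9::6", "ham"),
    ("192.0.2.10", "spam"),
    ("192.0.2.10", "spam"),
    ("198.51.100.7", "ham"),
]


def simulate(blacklist, log):
    """Replay the log: list each spam source the first time the content filter
    catches it, and count how many later messages the blacklist alone would
    have rejected. Returns (spam_blocked, ham_blocked)."""
    spam_blocked = ham_blocked = 0
    for ip, verdict in log:
        if blacklist.is_listed(ip):
            if verdict == "spam":
                spam_blocked += 1
            else:
                ham_blocked += 1
            continue
        if verdict == "spam":
            blacklist.add(ip)   # content filter caught it; list the source
    return spam_blocked, ham_blocked


if __name__ == "__main__":
    print("IPv6 addresses in one /64 vs all of IPv4:",
          ADDRESSES_PER_64 // IPV4_TOTAL, "times more")
    print("exact-address list :", simulate(ExactAddressBlacklist(), SAMPLE_LOG))
    print("prefix (/64) list  :", simulate(PrefixBlacklist(), SAMPLE_LOG))
```

Against this log the exact-address list only ever catches the repeated IPv4 sender, while the prefix list also rejects every follow-up message from the IPv6 source without touching the legitimate /64.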

February 19, 2011

When “hacker army” is not an exaggeration

Filed under: Britain, China, Government, Military, Russia, Technology — Nicholas @ 10:07

Strategy Page counts noses of the various semi-organized hacker armies out in the wild:

Despite spending over a billion dollars a year defending their government networks, Britain recently complained openly of hackers getting into the communications network of the Foreign Office. The government also warned of increasing attacks on British companies. The recent attacks on government and corporations were all targeting specific people and data. While China was not mentioned in these official announcements, British officials have often discussed how investigations of recent hacking efforts tended to lead back to China. There is also a strong suspicion, backed up by hacker chatter, that governments are offering large bounties for information from foreign governments. Not information from China, but from everyone else.

China is one of many nations taking advantage of the Internet to encourage, or even organize, patriotic Internet users to obtain hacking services. This enables the government to use (often informally) these thousands of hackers to attack targets (foreign or domestic). These government organizations arrange training and mentoring to improve the skills of group members. Turkey has over 45,000 hackers organized this way, Saudi Arabia has over 100,000, Iraq has over 40,000, Russia over 100,000 and China, over 400,000. While many of these Cyber Warriors are rank amateurs, even the least skilled can be given simple tasks. And out of their ranks will emerge more skilled hackers, who can do some real damage. These hacker militias have also led to the use of mercenary hacker groups, who will go looking for specific secrets, for a price. Chinese companies are apparently major users of such services, judging from the pattern of recent hacking activity, and the fact that Chinese firms don’t have to fear prosecution for using such methods.

It was China that really pioneered the militia activity. It all began in the late 1990s, when the Chinese Defense Ministry established the “NET Force.” This was initially a research organization, which was to measure China’s vulnerability to attacks via the Internet. Soon this led to examining the vulnerability of other countries, especially the United States, Japan and South Korea (all nations that were heavy Internet users). NET Force has continued to grow. NET Force was soon joined by an irregular civilian militia; the “Red Hackers Union” (RHU). These are nearly half a million patriotic Chinese programmers, Internet engineers and users who wished to assist the motherland, and put the hurt, via the Internet, on those who threaten or insult China. The RHU began spontaneously in 1999 (after the U.S. accidentally bombed the Chinese embassy in Serbia), but the government has assumed some control, without turning the voluntary organization into another bureaucracy. The literal name of the group is “Red Honkers Union,” with Honker meaning “guest” in Chinese. But these were all Internet nerds out to avenge insults to the motherland.

You have to wonder how many script kiddies ever thought they’d end up being government operatives.

February 16, 2011

QotD: For dictators, storm troopers are not a luxury

Filed under: Government, Middle East, Military, Quotations — Nicholas @ 09:11

A major reason for the inability of the recently deposed Egyptian dictatorship to suppress anti-government demonstrations was the lack of a large, loyal and reliable security force. Not having such a force handy was unthinkable for any security conscious dictator. For example, in Iraq, Saddam Hussein had his Republican Guard, a force that was filled with well paid, well armed men who were, above all, loyal to Saddam. All other successful dictatorships have similar forces. Russia had the KGB, which not only employed spies, but also several divisions of troops trained and equipped to deal with rebellions by the population, or the armed forces. Iran has a similar force, the Revolutionary Guard, that serves a similar role as the old KGB. During World War II, Adolf Hitler had the SS, Gestapo and his private army, the Waffen SS, all of which kept Germany fighting until the very end.

Former Egyptian ruler Hosni Mubarak got lazy and greedy by filling his “regime maintenance” forces with conscripts (as troops) and recent college graduates (as officers). These security forces, like the 325,000 paramilitary police in the Central Security Services (belonging to the Interior Ministry, not the Defense Ministry), were more loyal to the people than to the small group of corrupt politicians running the country. Things had gotten so bad that the small secret police force had taken to hiring criminal gangs to harass or intimidate visible opponents of the government. These thugs fled if faced with serious opposition. And that’s what they got during February, 2011.

“Murphy’s Law: Storm Troopers Are Not A Luxury”, Strategy Page, 2011-02-16

February 11, 2011

Human hacking: the overconfident CEO

Filed under: Law, Media, Technology — Nicholas @ 07:19

An interesting story at PC World talks about the methods used to get inside information on individuals and companies:

“He was the guy who was never going to fall for this,” said Hadnagy. “He was thinking someone would probably call and ask for his password and he was ready for an approach like that.”

After some information gathering, Hadnagy found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names and titles, and much more. But the real prize of knowledge came when Hadnagy managed to learn the CEO had a family member that had battled cancer, and lived. As a result, he was interested and involved in cancer fundraising and research. Through Facebook, he was also able to get other personal details about the CEO, such as his favorite restaurant and sports team.

Armed with the information, he was ready to strike. He called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were offering a prize drawing in exchange for donations — and the prizes included tickets to a game played by his favorite sports team, as well as gift certificates to several restaurants, including his favorite spot.

The CEO bit, and agreed to let Hadnagy send him a PDF with more information on the fund drive. He even managed to get the CEO to tell him which version of Adobe reader he was running because, he told the CEO “I want to make sure I’m sending you a PDF you can read.” Soon after he sent the PDF, the CEO opened it, installing a shell that allowed Hadnagy to access his machine.

When Hadnagy and his partner reported back to the company about their success with breaching the CEO’s computer, the CEO was understandably angry, said Hadnagy.

“He felt it was unfair we used something like that, but this is how the world works,” said Hadnagy. “A malicious hacker would not think twice about using that information against him.”

Takeaway 1: No information, regardless of its personal or emotional nature, is off limits for a social engineer seeking to do harm

Takeaway 2: It is often the person who thinks he is most secure who poses the biggest vulnerability. One security consultant recently told CSO that executives are the easiest social engineering targets.

January 24, 2011

Recognizing the right to self-defence

Filed under: Cancon, Law, Liberty — Nicholas @ 12:38

Lorne Gunter wants our government to recognize that Canadians have a right to self-defence:

Canadian officialdom is conducting an all-out assault against self-defence. Quite simply, few politicians, Crown prosecutors, judges, law professors and police commanders believe ordinary Canadians have any business using force to defend themselves, their loved ones, homes, farms or businesses.

The latest example of the campaign against self-defence comes from southern Ontario. In August, retired crane operator Ian Thomson, who lives near Port Colborne, awoke early in the morning to find masked men attempting to burn his house down with him in it. When he fired at them with a licensed handgun he had stored in a safe, he was charged.

How out-of-touch are police and prosecutors when you are not even allowed to defend yourself and your property from thugs attempting to incinerate you? Their attitude seems to be that it is better to die waiting for police to respond than to take matters into your own hands.

[. . .]

When Canada became independent at Confederation in 1867, Canadians retained the rights they had at the time as British subjects. These included three “absolute rights”: the right to personal liberty, the right to private property and the right to self-defence, up to and including the right to kill an attacker or burglar.

William Blackstone, Britain’s famous constitutional expert, argued the right to self-defence included the right to kill even an agent of the king found on one’s property after dark, uninvited. He also traced the right to armed self-defence back to the time of King Canute (995–1035) when subjects could be fined for failing to keep weapons for their own protection.

January 22, 2011

QotD: Sikhs, the kirpan, and the courts

Filed under: Cancon, Law, Quotations, Religion, Weapons — Nicholas @ 00:02

The [Supreme] court didn’t find for the appellants on the grounds that “the kirpan is not a weapon”. Indeed, all parties to the suit accepted the premise “that the kirpan, considered objectively and without the protective measures imposed by the Superior Court, is an object that fits the definition of a weapon.” The court found for the appellant because the school board’s zero-tolerance policy towards weapons, based largely on fears that the presence of a knife would somehow allow spooky negative vibes to propagate throughout the school, did not constitute a minimal infringement upon the rights of a religion that happens to insist upon the carrying of a weapon. (Anyone who has studied the remarkable history of the Sikhs can only be surprised that they don’t carry about five of them.)

I hate to break it to Nav Bains and to admirers of leading comparative-religion scholar Michael Ignatieff, but reciting “It’s not a weapon” won’t give us a magic wormhole we can all leap through to avoid debates over religious accommodation in public services. As I understand matters, and I am perfectly prepared to receive instruction on this point, the whole point of the kirpan is that it’s an avowedly defensive weapon. The reference books, including those written by Sikhs, tell us that it is worn precisely to signify and reinforce the Sikh’s wholly admirable preparedness to protect his faith, his community, and innocent human life. I suppose I could have added the words “just as a handgun might be”, but that would send altogether too many of my readers scrambling for the Preparation H.

Respectable efforts to establish a modus vivendi on the kirpan in secured public spaces can’t begin with evasion if they hope to be successful (and certainly it sets a terrible precedent for evasion to be designated courage). I’ll add that the problems are not really all that thorny for those of us who have never consented to fanaticism about security theatre or to cretinizing “zero tolerance” of blades in schools

Colby Cosh, “That non-weapon sure is pointy”, Maclean’s, 2011-01-21

December 16, 2010

Bruce Schneier on Security in 2020

Filed under: Economics, Liberty, Technology — Nicholas @ 12:48

Aside from all the ugly new terms coined to describe the phenomena, the evolution of security is one of the most under-appreciated stories of the decade. The next decade is going to be even more important to how we live our lives:

There’s really no such thing as security in the abstract. Security can only be defined in relation to something else. You’re secure from something or against something. In the next 10 years, the traditional definition of IT security — that it protects you from hackers, criminals, and other bad guys — will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.

Ten years ago, the big conceptual change in IT security was deperimeterization. A wordlike grouping of 18 letters with both a prefix and a suffix, it has to be the ugliest word our industry invented. The concept, though — the dissolution of the strict boundaries between the internal and external network — was both real and important.

So, that was then. This is now:

Today, two other conceptual changes matter. The first is consumerization. Another ponderous invented word, it’s the idea that consumers get the cool new gadgets first, and demand to do their work on them. Employees already have their laptops configured just the way they like them, and they don’t want another one just for getting through the corporate VPN. They’re already reading their mail on their BlackBerrys or iPads. They already have a home computer, and it’s cooler than the standard issue IT department machine. Network administrators are increasingly losing control over clients.

This trend will only increase. Consumer devices will become trendier, cheaper, and more integrated; and younger people are already used to using their own stuff on their school networks. It’s a recapitulation of the PC revolution. The centralized computer center concept was shaken by people buying PCs to run VisiCalc; now it’s iPads and Android smart phones.

I’ve certainly noticed this myself: it was forced to my attention a couple of years ago, when a change of employment required me to buy and maintain my own “business” computer and software. Without seriously stressing my wallet, I was able to buy far more capable equipment than my previous employer had provided. Being able to check my email on multiple devices was very important, and once I’d started doing that, I realized the need to do many other things regardless of the machine I happened to be using. There are, of course, trade-offs involved:

The second conceptual change comes from cloud computing: our increasing tendency to store our data elsewhere. Call it decentralization: our email, photos, books, music, and documents are stored somewhere, and accessible to us through our consumer devices. The younger you are, the more you expect to get your digital stuff on the closest screen available. This is an important trend, because it signals the end of the hardware and operating system battles we’ve all lived with. Windows vs. Mac doesn’t matter when all you need is a web browser. Computers become temporary; user backup becomes irrelevant. It’s all out there somewhere — and users are increasingly losing control over their data.

Anyway, there’s lots more interesting stuff. Go read the whole thing.

December 14, 2010

No surprises at all in Gawker’s 50 most-popular passwords

Filed under: Randomness, Technology — Nicholas @ 12:23

An article in the Wall Street Journal has the 50 most popular passwords from the Gawker data heist:

Recognize the pattern? Here’s a word cloud from my last post on passwords:

Other posts on this topic: Passwords and the average user, More on passwords, And yet more on passwords, and Practically speaking, the end is in sight for passwords.

