Schneier on Security
A blog covering security and security technology.
« IT for Oppression |
| Feudal Security »
November 30, 2012
Friday Squid Blogging: Possible Squid Eyeball Found in Florida
It's the size of a softball. No sign of the squid it came from.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on November 30, 2012 at 2:18 PM
• 63 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
yea, sorry it's a little ingratiating.
However, I enjoyed this article very much. Ok, ok. "sheldon here's a cookie" is still better than "boy, that's a lot of bandaids"...
weev, who was found guilty of bs charges and is awaiting sentencing wrote a great article yesterday for wired why hackers shouldn't sell 0days anymore since corporations and LE just use said exploits to oppress us, and it enables crime
The index to Liars and Outliers directs the reader to pages 205-206 for "Facebook privacy". I like that those are empty pages.
I'm not sure if that's intended, but it's quite humorous.
Some techie website recently revisited this article on its 10th birthday.
It talks about how no matter how much security layers you put around software and digital media content, it will always get circumvented by the "Darknet".
I tend to agree that Darknet is an effective and efficient tool in nullifying DRM. It is somewhat sad to me that it has a limited in the capacity to generate new content. Darknet users can't create a mega blockbuster film, they can only distribute it endlessly for free to anyone who wants it.
On the other hand, memetic creations from the undocumented, seedy corners of the interwebz has made it to the mainstream without the massive budgets or backing of traditional studios.
Is it necessary to encrypt media/software/information in order to get paid for it?
It is illegal to distribute copyrighted material and it clearly hurts the financial success of the content owners. Then why it is treated by Users (capitalized) like breaking the speed limit?
If you make bad music/software, no one will want it, even for free. (Example: Malware has to be distributed by fooling people into installing it.) But when you have to pay for it several things can happen:
1) You are tech savvy enough and will download a free(cracked) copy.
2) You are not tech savvy enough and you pay to play.
3) You are tech savvy enough but the price is low enough so that you don't want to bother with it and you pay to play.
Distributors who know their customer base, will make the price pint accordingly.
I don't think this story passes the smell test... If the FBI "re-imaged" the computer, then they could only re-image it with the OTS or custom s/w that the school district had placed on it, no? Did they have exactly that s/w and configuration??? Also, don't you doubt that the student had the admin password? So any re-image would have been a re-install in that case, no?
To me, this story lacks credibility. And if it's a real story, then it looks to me like the FBI agent is fibbing...
Bruce misses some of the delights of The King Game and some of the joys of slavery-v-surfdom ;-)
The thing I like about the king game is it's a "protection racket" over which it's not just your body but soul as well they control. Originaly a King would claim to be a god but that had some disadvantages so they started to claim to be his right hand man to avoid the disadvantages...
Anyway after some thug raises a ravening hord to subjugate an area and given his top thugs a slice of the cake thy needed titles so King and Baron filled the spot nicely. And after the initial stages it settled down and works like this,
1, I am King and I rule you by divine right.
2, Because I speak directly with God.
3, Thus you must obay me because it's God's word and I am obediant to God as you must be.
4, If you don't believe in God then you are an unbeliever and must thereforeby word of God be killed so your soul may be released unto God's Mercy.
5, God has decided your position and duty in life and there you must remain or face eternal damnation.
I like step three it's the get out of jail card, if things go right you look on your King's benevolance to "his" people, if it goes wrong it's God's work and must be punishment for not believing in God and his ever faithful servant the King, so it's not the King's fault but your own wickedness ;-)
Hence "as the King I can do no wrong" which we still see today with "heads of state" being above the law... Although this has started to change.
Step 4 is the classic one of you've been told once, about stepping out of line and as there are no second chances "off with your head". So let that stand as a warning to others that "God's word prevails and I am God's loyal servant on earth".
So at first they had it nicely stiched up with the King (supposadly) ruling with his Barons providing enforcment of the physical side and the Bishops providing enforcment on the spiritual side. But all these mouths need to be kept sweetend with the best of the honey so there needed to be tribut paid. Initialy this was collected by the Baron's and the Bishops and they were supposed to kick a percentage back to the King but the Bishops also claimed divine right and used a bit of "Moral blackmail" against the King. So some of the Baron's likewise thought I'll keep more of my cake, partly because what anoyed them greatly is what we call inheritance tax, where the inheritors would have to buy back the inheritance from the King (but it would appear that the Church did not pay this tax so gained land from the faithfull at the Kings expense).
Well a smart King fairly quickly caught on to this fiddling by the Barons and started the exchequer and revenue gatheres to do the job the Baron's had got a little to greedy for.
And just to make sure they were doing their job we had what became the "assessers of revenue" who went out and produced the master lists of who what and where of the King's assets. We see this with the Doomsday Book.
But how was an ambitious individual to get around the "stay in your place rule? well by interpreting God's word through the church which was getting wealthier by the simple extent of inheritance, by the use of persuasion they got fathers to disinherit their sons so that priests would offer up prays in perpertuity in the fathers name (and as we know they didn't live up to their side of the bargin) they eventualy became so wealthy and such a threat to the Monarch that one (King Henry VIII) grabbed the land back and kicked the catholic church back across the channel and proclaimed himself head of the Church of England (and until recently we've kept them out of state and monarchy with the "no monarchy may marry a catholic" laws, though we stoped the "recant or be burned" option for others a while ago).
And appart from a few republican upstarts on the way this is how it stayed with the Monarch, the titled landlords, the land inheriting church and the tax collectors.
But the Monarchs started to inter breed and strange malidies madness and the stupidity of the village idiot became their lot and the kings advisors got more and more powerfull and eventualy in 1215 put a reighning monarch in their place in a field in what is now North Surrey to the west of London. King John signed (or more correctly sealed) the "The Great Charter of the Liberties of England, and of the Liberties of the Forest" which we comomly call Magna Carta. It put a limit on the arbitary powers of the Monarch and set in place the right of law in which a "Freeman" (not you surfs etc) could not be punished except by the rules of the written law.
But contrary to what most kids get taught this was not the first contractual limit on a Kings power a little over a hundred year befor Henry the first was only alowed to succeed to the thrown after signing up to the Charter of Liberties in 1100 (this was due in part to the behaviour of the previious King William Rufus who mysteriously died on a hunting trip with Henry...) which amongst other things recognissed the laws put in place by King Edward (the confessor) And it was this contract that formed the basis of the first magna carta.
The first magna cartar did not last long about three months King John having got the Barons out of London and off of his back, he got Pope Innocent to declair the agreement void. Then in 1216 John died and it came back again. Due to various political power plays it came back in different form and was inturn ignored time and again over a two century period untill in 1423 it was confirmed by King Henry VI and it in effect became the basis of English (and American) law.
However in 1829 clause 29 was repealed and in short order all but three of the clauses were repealed only one of which applies to the common man with the "right to due process" which unfortunatly Tony Blair MP aided by Lord Falkner gave a severe kicking to throwing the right sof the common English man back nigh on a thousand years...
Hopefully it will take less time to get them back but with the attitude of the current incumbrants it does not look likely.
The history of the common man has nearly always been one of repression be it slave, surf or modern wage slave. Almost all law that improves their lot gets repealed or watered down or nullified within a generation or two at the most. As I've indicated befor we don't live in a true democracy but the illusion of one by "representational democracy" every four years or there abouts we get the chance to vote for a monkey in a suit based on promises we know they have no intention of keeping. Our representatives then spend most of their time grubbing around for money, which means that they are "easy meat" for those who can buy their loyalty. Nobody with power or influance wishes to lose it so our laws are changed to put money in the pockets of those with power and influance so they can buy more. And when we common people get to gether to defend our selves by forming Unions and the like we find that those with influance get payed to curtail any power a union might find.
I was once told by a disillusioned American from Silicon Valley who had moved to Canada to start life afresh as an of grid "self sustainer", that a slaves lot was to be fed watered stabled and beaten like the beasts of the field and entertainment by their owners until they died. And further surfs were worse off because they did not get fed watered and sheltered thus saving their owners money, in return for this downgrade in "working conditions" they were given the feint hope of freedom by staying recognisably free for a year and a day from their master. But worse still, today whilst we are neither slaves or surfs our lot is to suffer the fear of poverty and the midnight knock on the door as we and our homes filled with baubles are used against us to ensure we enrichen others in return for the faux illusion of control given by representational democracy. Thus for those not opting out the only freedom left is that given by crime, that at it's worst can purchase it's liberty by having the crimes go unlegislated against and thus fulfill the curse of the Great American Dream.
Whilst few would have agreed with him back in the 1980's and I thought him somewhat eccentric I suspect that since 2008 a lot more would.
And that I guess is the real question how has the ideal of the American Dream and the freedoms the founding fathers gave to the American people been subverted to the will of mammon? With the only apparent recompense being the shiney baubles of consumerism purchased with debt...
Clive: ...we don't live in a true democracy but the illusion of one by "representational democracy" every four years or there abouts we get the chance to vote...
This reminded me of:
"The people of England regards itself as free; but it is grossly mistaken; it is free only during the election of members of parliament. As soon as they are elected, slavery overtakes it, and it is nothing. The use it makes of the short moments of liberty it enjoys shows indeed that it deserves to lose them." (J-J Rousseau, Social Contract)
@ Clive Robinson Re "American Dream" & democracy
George Carlin on American Dream
His comments on public education are backed up by Gatto's book. Free online I think.
As for owners, that started as far back as the Federal Reserve. So, one day we have the govt coining money and directly putting it into the economy. After Act passes, we have private banks (who are unidentified) print money out of thin air, "loan" it to us, and charge interest on "their" money. Also most of the gold (read: real money) is forcibly collected and traded for worthless Federal Reserve Notes. It's hard to explain to new people educated by "economics" classes why this is such a big fraud.
The modern version involves the financial bailout. American businesses and individuals were forced into bankruptcy for years, with foreclosures at ridiculous rates. Then, the top 1%'s investment arms (e.g. Goldman Sachs) gamble away money via derivatives and get bailed out. That the Treasury head responsible for accountability was ex-Goldman and many underlings was like fox guarding henhouse.
This case is actually a good argument against representational democracy existing. The reason I say that is that Americans voted on the bailout, furiously writing Congress letters saying "don't do it." It was voted down. Then, after a few under-the-table deals, a small number of people snuck it in under most of Congress's nose. Amazingly, the deal specifically said they get $800+ billion and don't have to account for what they spent it on (!!!). So, American democracy votes it down, then a few connected people make it happen no questions asked. Americans then see a continuous stream of news headlines about banker's getting multi-million dollar bonuses & tons of luxurious spending.
To top it off, Citigroup accidentally leaks a memo for their richest investors to the public. They sue many sites to take it down. The memo straight out says US is a "plutonomy." It also says biggest threats to those in control were the voting power of the majority & demand for equitable share of wealth. QED.
It's not like any of this is news or should have surprised people. We've been hearing about it for a LONG time.
"Give me control of a nation's money and I care not who makes the laws."
- Mayer Amschel Rothschild
"The real menace of our republic is this invisible government which like a giant octopus sprawls its slimy length over city, state and nation. Like the octopus of real life, it operates under cover of a self created screen. At the head of this octopus are the Rockefeller Standard Oil interests and a small group of powerful banking houses generally referred to as international bankers. The little coterie of powerful international bankers virtually run the US government for their own selfish purposes. They practically control both political parties."
-- Mayor John Hylan of New York
(His comments are still true...)
"The real truth of the matter is, as you and I know, that a financial element in the large centers has owned the government of the U.S. since the days of Andrew Jackson."
-- President FDR
And to end with a quote from President Woodrow Wilson when Fed Reserve Act was passed:
"Some of the biggest men in the United States, in the field of commerce and manufacturing, are afraid of somebody, are afraid of something. They know that there is a power somewhere so organized, so watchful, so interlocked, so complete, so pervasive, that they had better not speak above their breath when they speak in condemnation of it.
"They know that America is not a place of which it could be said, as it used to be,that a man may choose his own calling and pursue it just as far as his abilities enable him to pursue it; because today, if he enters certain fields, there are organizations which will use means against him that will prevent his building up a business which they do not want to have built up; organizations that will see to it that the ground is cut from under him and the markets shut against him. ...
"We have not one or two or three, but many established and formidable monopolies in the United States. We have, not one or two, but many, fields of endeavor into which it is difficult, if not impossible, for the independent man to enter. We have restricted credit, we have restricted opportunity, we have controlled development, and we have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world – no longer a government by free opinion, no longer a government by by conviction and the vote of the majority, but a government by the opinion and duress of small groups of dominant men."
I've always thought it was amusing that so many people think we have a representational democracy when so many politicians and industry giants have said we don't, sometimes on Congressional record.
Question for the greybeards:
What attack surface does a mini XP live disk run have for access from one USB to another for propagating a trojan/dropper?
Same question for a linux live disk?
Same question for a Windows PE live disk?
Same questions for a live USB run for any of the above?
In 2010, Schneier's Fifth Annual Movie-Plot Threat Contest involved creating a fable or fairytale to instill fear in children. At the same time, one could consider as to whether there have ever been fictional stories or other works that have touched on the issue of security being used to advance an agenda or improper responses to security threats. In the late 80s and early 90s, there was a cartoon series from Disney, "The New Adventures of Winnie the Pooh." In particular, there was an episode called "King of the Beasties," in which Tigger finds out that he is related to a lion, and that the lion is the king of beasts. The others tell Tigger that they don't need a king. Tigger desperately wants to be king, so he falsely claims that there is a dangerous creature called a "jagular" and that a king could protect others against such an attacker. To help persuade the others, Tigger fashions a fake jagular using items that he took from Rabbit's home without permission. Rabbit, however, is not fooled and he works out a way to surprise Tigger... (This episode was also mentioned by a poster at the Democratic Underground.) Though there are security threats in the real world that are not made up, there is still the issue of how they are handled (especially when many persons work on emotion or perception as opposed to logic.)
@Blog Reader One
The bible when they sacrifice a lamb and a kid.
If a child doesn't know they mean a baby goat it will scare the crap out of them.
I found a really interesting Kickstarter project this week. It looks to be a film about hacking that actually manages to get the details, the mindset, the techniques really right. It's like the polar opposite of that movie "Hackers".
I thought computer security folks here might find it interesting. The filmmaker poster the first seven pages of the screenplay, and they read like a really engaging introduction to various ways to attack someone, brute force, phishing, etc. Could help introduce laymen to these sorts of things.
The Root Kit
A little while ago I indicated that the US Eastern Sea Board and the inland area behind it that got hit by Hurricane Sandy were better off than they might otherwise have been due to a previous hurricane and summer power outages causing an upgrading of infrastructure.
I also indicated that those downplaying cyber attacks were not looking at how a fragile infrastructure cascades that it does not realy matter at that point if the start of the cascade was natural or man made.
Well it appears that a classified report from 2007 by the National Acadamy which downplayed the terrorist risk has been declasified at their request and further the FCC is starting a series of hearings on the significant failings during Sandy of communications.
Should get a corner (?) at Speaker's Corner named after you... Except that it's mostly nutcases there now...
@ Nick P
Intersting bunch of quotes...
@ David J
I think the audience for that would be small to begin with and smaller once the first set of people see it.
Ars has re-posted an interesting guide for getting a regular CA-signed SSL cert for free in a general article about SSL/ TLS:
Hmmm, how free is this particular free?
There is a farm a few miles from me with a sign at the road, "Kids for sale for meat or pets."
@clive. i and probably bruce were avoiding discussing the religious aspects of feudalism. I will say however, that the M.E. and Islam have not yet reached a Reformation if you wil.
I am not offended if someone opposes marriage. I don't want or need their validation of my choice. I certainly don't derive my self worth from others' opinion or want to cut their head off for disagreeing with me.
Just an example and I really want to back off this aspect of discussion. Private conversation and theological discussions and all that... ;)
@ Dave M, nonegiven,
There is a farm a few miles from me with a sign at the road, "Kids for sale for meat or pets"
I have a rather nice recipe or three for "kid stew" (baby goat actually works quite well as a replacment for lamb, as goat meat does for mutton).
But the old joke still applies,
I like kids, but I don't think I could eat a whole one
i and probably bruce were avoiding discussing the religious aspects of feudalism
I can understand why, man has, and has had, many types of religion over the years. It appears to be an inate spiritual side to us that can be seperated from the moral side of us (that is you can be perfectly law abiding and moral without being spiritual or for that matter political).
In my travels I've met so many people of different religions I don't differentiate them by that, but as individuals and how they behave to others. That is there morals and their politics.
And because I have no particular desire to lead or be led I am wary of how people hide behind politics, codified morals and ultimatly deities for their own benifit.
Thus I was using "god" not in the spiritual terms of a persons beliefs, but as many self apointed tyrants have used it, as a way to appeal/blaim a higher authority against which you cannot argue, for their actions and thus deny others reason, rights and freedoms.
As for marriage, I prefer for people to make their own choices, in European history it is a very recent thing for the "commoner" (and latterly encoraged by "the church" more for financial reasons than others). It was for a considerably longer period a way of recognising a political union amongst those who were playing the "King Game" and it was partly because of this we have our somewhat peculiar inheritance laws.
I'll leave you with a thought, there was a quite popular comedian called Dave Allen, he was at one time very popular and had several TV shows, at the end of which he would close with the simple statment,
Take care and may your God go with you.
@clive. Yep. The worst atrocities have been committed in the name of religion (G_d) says it's the right thing to do, or in the betterment of society (eugenics, communism, etc.)
Still waiting on human evolution.... :)
AND enjoying the view of the universe..Studying Supernovae at moment. I love mountain views and no light pollution....take care ol' man to ol' man. ;)
I've joked a few times about a de-evolution happening. Humans have some flaws built-in to them that make them less rational. Evolution builds on reproduction. The people who are going for the most, eh, "reproduction" aren't usually the wisest. So, the evolutionary goal of the species surviving happens, but our mental potential rising doesn't necessarily. It's a path that we might take and might not.
For an example negative path, see the movie "Idiocracy." I remember telling a friend about it and he told me he hated it. I asked why. He said "I think it's already happening in the real world."
It appears banks do now have some liability to their small business customers for ACH Fraud after a rulling that a banks security system was inadiquate for the purposse intended,
Another article on the UN power grab on the Internet via the ITU in Dubai this week for the World Conference of International Telecommunications (WCIT).
The WCIT closed door sesion is likely to cause all sorts of problems and it is well outsside the remit the ITU has and it is a power grab plain and simple by the UN on behalf of certain nations who want to gain significantly more control over the Internet.
Like WIPO did for users IP rights, the proposed WCIT results will be neither pretty or user friendly and will produce very bad legislation that will stifle if not bring to a halt Internet development in it's current form. And of course will aid represive regimes significantly.
Thanks Nick, I'll take a look at that one. Missed it. I think until our understanding of genetics progresses....it is a crap shoot for prediction. Geniuses may be general or specific. Add to the mix that someone may just enjoy something and the skill may follow. But it looks like a fun movie to watch. I watch 'allo 'allo, Red Dwarf and then turn around a watch shows on supernovae. stephen hawking. and then start looking at code for flame module. So no predictor there. ;)
Geeks can be dangerous....Well only the ones who feel you are not their recommendations seriously enough.... ;)
Bruce gets mentioned in this one for his "attacks only get better" comment.
More importantly it's about a bug in JS that alows your browsers internal search function (ctrl-F) to be hijacked and what you type in to be sent to a remote site without your knowledge.
Sadly this is one of those attacks that have been known about for many years but nobody has bothered sorting out or (as far as we are aware) exploiting. However somebody has come up with a couple of pre-packaged exploits that script kiddies etc can use.
This sttory has two points of interest,
The first is they made a fundemental error in the design of their protocols that by the lack of entropy potentially allowed a surveillance system to be hacked.
The second point is that the traffic surveillance system detects the various Bluetoooth devices in a vehicle and can use it to uniquely identify a vehicle and know when and where a vehical is and thus if it has commited any traffic violations.
What is not clear is what the legal implications of this are. It's not a GPS tracking device which some judges have raised exception to, but it can potentialy be used in exactly the same way.
Now some of you might think I dislike Rupert Murdoch and News Corp...
Well it's true that I think he has shown very very poor judgment when it comes to the Internet, net pads and mobile platforms. Sticking pay walls up all over the place to try and raise revenue on what was more freely and better reported by others looked like he was the sole entrant in an A55 kicking contest and still managed to lose.
But some of you might have heard of his latest idea to bite the dust "The Daily" well various people "in media" have said why they think it failed and to be honest I don't think most of them get it in the same way Academic Paper Publishers and the recording industry don"t get it.
Well it appears I might not be alone in my reasoning,
@ Clive Robinson
I appreciate the link. I discovered the compiler on slashdot yesterday. In return, here are two excellent developments in parallel computing. The first is a product in use and the second is an innovative language.
Multithreading issues it solves
(Includes a few I didn't know about)
ParaSail Programming Language (in alpha)
Of course, high assurance design research moves on. I haven't checked on the NSF research Jeremy Epstein started in 2012. It's still bookmarked for later review. In mean time, there's been developments in high assurance compilation, mobile security, host monitoring & assurance-based development. Progressing slow but steady.
Unrelated note: OpenVMS celebrates 35 years rock-solid service
@Nick P re: De-Evolution
--If you need one parallel, Ow My Balls. How this can be classified as "talent" is embarrassing for our country. What's scarier?-He has 2 daughters. Let's hope the apples fall further away from the tree.
@ Nick P, Figureitout,
Re : de-evolution
Back in the 1980's we had Maggie Thatcher finding all sorts of excuses to attack the Union's and Welfare systems in the UK presumably at the erging of the "Tory Grandees" and their plutocratic backers (much as you are currently seeing in the US).
Two perenial points were raised "errant fathers" and "welfare moms". The argument was basicaly it was profitable for single women to have lots of children and get large wealfare checks whilst the "fathers" were effectivly "good time Charlie" "sperm donors". We now know (or should do) that it is actually way way more complex than these overly simplistic ideals. And yes whilst there are issues with single parents they are not the ones that have been laid at their door by political mantra.
Any way in the 1990's it became fairly obvious that the further up the socio economic ladder you were the less likely you were to have children and as such a lot of the children being born were closer to the poverty line and previous historic trends indicated they were likley to stay there for other reasons (poor education and overloaded social and health care in rundown areas where they could aford to live).
In the mid 90's I was doing an MSc in InfoSystems and I actually raised the point that inteligence might actually be anti-darwinian. Lets just say it was not a popular thing to say amongst the "banker types" that were also on the course, when I further pointed out that a poorly educated younger generation might be more numerous but had no excess economic resources to put towards pensions and thus pay the late Baby Boomer pensions due to start being paid out from 2015 onwards....
Sufficit to say 2008 woke a few of them up rather sharply when anuity rates droped through the floor...
One of the real problems with Info Sys is it's an economic leveler on a global scale and is actually going to destroy government in the way we have become used to it, simply because of outsourcing abroad and virtual companies in tax havens etc.
Put simply outsourcing might save a company 10% on some labour costs but it also puts that other 90% outside the home economy into that of a foreign nation. But worse you also lose the ten times magnification of economic churn from your home economy and put it in the forign nation. Thus the effect is in reality close to a 20:1 change in advantage to the foreign economy from the home economy (ie 1USD spend produces 10USD economic advantage so outsourcing 1USD takes 10USD advantage from the home economy and puts it in the foreign economy making in effect 20USD advantage for them).
One of the hot debates in the UK at the moment is just how little tax the likes of Google and Starbucks pay in tax, although potentialy the worst offender is the PayPal subsiduary fronted by Mr Birt who has shoved it for tax avoidance reasons through various tax havens in the likes of Liechtenstein and Switzerland.
The result is many international companies pay at best tax down in the single digit percentages on what would otherwise be regarded as profit which non international companies would pay 20-30% tax...
Which means the government TAX take is well down, and hit in three ways, the lack of corporate tax, the lack of personal tax due to job losses due to outsourcing and having to pay welfare to those that have had their jobs outsourced...
Now you would think the politicos might actually wake up and do something about it because their future is quite largly dependent on the tax take that can be used to bribe voters come election time... Put no they seem content just like bul calves to suck on the plutocrate teat to fatten themselves up for castration and slaughter...
@ Clive Robinson
Great analysis. Particularly, I remember reading some good books about the churn ratio of our manufacturing and agricultural base. Proponents of globalization promised that we get cheaper goods. They conveniently ignored how much less money would be flowing through our economy when local plants/factories/farms shut down.
Even if we abandoned WTO/UN/NAFTA, they'd have us by the balls because so much of our foundation was dismantled that it would be hard to get it back. The powerful interests have stated their long-term goals of limited democracy, strong concentration of wealth, and global empire. Every President and important US politico is publicly a part of these organizations. The odds of them curing our economic ills are slim to none.
@ Nick P,
Great analysis. Particularly, I remember reading some good books about the churn ratio of our manufacturing and agricultural base...
Thanks, sadly though it's not just churn that's an issue, there are all sorts of other nasties awaiting around the corner.
Here's one to keep you up at night ;-)
The price of gold has risen so far that the level of fraud in terms of "faux gold" in repositories and double or tripple issued certificates is such that the reality is that the price payed for the real amount of gold on hand has turned trading gold in the current repository and traded certificates method into a "black tulip market".
The question is what will happen to the price of ggold when people decide to remove and actualy check their gold from the repositories... (remember what a large South American Country did with it's foreign gold holdings).
It's one of the reasons I dislike the "gold standard" not because there is anything particularly wrong with the general idea of tying money to a commodity. It's just that fraudsters and speculators can wreak the implementation. I would prefer a raft of commodities such that it smoths out the wild price jumps and frantic trading that has alowed the fraudsters to get a significant foot hold in the system.
Every President and important US politico is publicly a part of these organizations. The odds of them curing our economic ills are slim to none.
It's not just the US it's the UK and other major Western Countries as well arguably some countries that were once considered "Third World" are doing better than the First world Countries. And here's the joke for you, the UK is still sending them via DiFD "development aid", the thing is though that this "arms length" control has alowed DiFD to almost become a "private venture capatalist". So the money does not actually go to "aid" in the way the public believe but actualy investing in foreign companies that are very deliberatly targeting the UK's economy...
But my current pet peve is this idea of "trickle down" where if we make the feast of the plutocrates even bigger, then a few crumbs are bound to fall of the table into the TAX payers hands... I don't know who thought it up but they deserve a "movie plot award".
A select few of you might know about a conference in Oslo Norway specificaly to do with Passwords and Pins and the issues to do with them.
Well one little item that might be of interest is the latest in COTS password cracking hardware,
It's capabilities realy are quite amazing when you consider it's realy the work of one person and paid for from their own resources.
To give you an idea of it's capabilities have a look. at the crack times on the two Win XP password formats.
Is Two Factor by Mobile Dead?
For some time I've been voicing concerns over what might happen with smart phones if attackers got access to the "SMS side channel" used for TAN's and the like.
The simple answer is "now we know",
Basicaly what has happened is the attackers have used a fairly standard trojan attack against a PC to get access to the online banking app, they then insert a screen that askes the user to update their mobile phone details.
The attacker having got the mobile phone details then send malware to the phone, if it's a Smart Phone then the chances are they can install a trojan on it to steel the TAN sent by the bank.
It's game over because the attackers simply use the TAN to remove money, the bank simply sends a new TAN the mobile trojan simply has to hide/delete the SMS containing the TAN they used from the user...
My original concern with smartphones was if the user just used a smart phone for online banking, they would have both the transaction and authentication channels on the same platform.
The attackers however have used a simple human engineering technique to make the same thing work even if the user still keeps the transaction and authentication channels seperate.
So it's "Game Over" on SMS TAN two factor authentication.
A little while ago the US DoD amongst others indicated that China and Russia had been mapping out the cyber side of US "critical infrastructure".
Well on the anniversary of the UK setting up it's national cyber investigation and deterent at GCHQ it has anounced (unsurprisingly) that the UK has likewise received such attaacks but has chosen (probably wisely) not to state which countries are behind it,
Why do I say "wisely" well there are several reasons not least because it's usually impossible from just the routing information in the incoming packetss to tell where the attack actually originated. However forensic information can provide clues, BUT you have to be very careful you are following deliberate mis-direction.
This is a perennial concern with the idea of "Cyber-Warfare" and trying to transfer various doctrines on first strike attacks and offensive defence from "kinetic-warfare". This lack of Cyber-doctrine an some of the underlying problems has been brought up again in the US just recently,
It is a problem which is going to be difficult to address as Ronald Marks, remarks at the end of the piece,
"How do you, as a government make people behave? Do you want to make a law? Do you want to tell people what to do? You know how successful that's been over time."
December is tthat time of year for lists...
And I'm not talking New Year resolutions or the list of things not to do at this years Xmas parties be they office or otherwise.
No it's those industry lists of best practices and all sorts of other mainly irrelevant security practicies we see.
Why are they mainly irrelevant, well simply for two reasons, firstly they are usually compiled for organisations that are not comparable to yours be it by size market segment or risk. But secondly and more importantly the list generaly is about those things over and above what you should be doing as an organisation as standard (and probably are not).
This is because the basics are usually neither sexy or big capital items with shiny shiny must have status lights etc etc...
Which is why this Roger Grimes list is tthe one most of us should read first (and hope our CapEx managers don't other wise Santa will not be handing out pretty new toys for you naughty boys and girls ;)
--Would you have made these statements about the "rats from Pluto" "in the clear", and say when you were in your mid-twenties and perhaps had more to lose?
Politco makes report about wasteful DHS spending; going after peanuts but still doing "something" (or trying to). The most recent HALO conferences where the imbeciles are playing make believe fighting zombies, to the underwater vehicle to assist underwater rescues in a landlocked place (OH), to the national security Sno-Cone machines in MI, to an armored vehicle in a pumpkin parade in NH (even after residents said they didn't want it!), to the LRAD's in PA that caused permanent hearing loss in a protester, to the $24k "sh*ter on wheels" in TX, to the $67k hovercraft and $100k in PSA's in IN, to $2.7k teleprompter and $12k in phone bills in LA, to Fargo,ND buying a $256k armored truck w/ rotating turret which made an appearance at a local picnic, a mention of possible criminal activity where a police department sells its old "peacekeeper" for $1, and gets a new $275k police state vehicle, and drones for everyone.
(deep breath)That was a lot, if you want to read the mostly worthless report by the Politico, go ahead, pg. 33 really sums it up w/ a picture. I've always wondered why engineers/techies don't get involved in politics, it's become crystal clear now.
Another commentry on a presentation from Paswords^12 in Oslo Norway, this time from ARS technica.
The bit of interest in this is the speeding up of SHA1 by a little over 20%.
Whilst it might make password attacks faster it will also make other uses of SHA 1 faster as well.
As Bruce has noted before "attacks can only improve with time".
"I've always wondered why engineers/techies don't get involved in politics, it's become crystal clear now."
I would submit the following.
1. Some have, reference network security and government contracting.
2. However, most don't have the people skills or patience.
3. You can make good money making neat stuff IF you can convince someone to buy it.
4. It is rare (IMHO) to find a salesman that is also a geek and has real finely tuned people skills.
5. Generally, Geeks don't want to prostitute themselves for money. That's why they invented the internet.
Dilbert is funny for a reason.
that's the problem. You seem to be recommending bringing in the experts in last. I would bring them in first. And hire some. Good salary (salt), redbull, and toys. Joking.
Seriously, GSE, Network hardening people, etc.
Really harden the computers, network, and people. Linux unhardened just means they won't know what happened. At least windows will give you an error code to google and talk to the guy in India about in future.
Pep talks and linux in early stage won't help other than in consumption of liquor and chest thumping party..I am joking.
--Would you have made these statements about the "rats from Pluto" "in the clear", say when you were in your mid-twenties and perhaps had more to lose?
Have you ever wondered why I'm not rich and famous like Bruce ;-)
Some would say my main claim to fame is I can open my mouth and swap feet faster than a Movie "gun slinger" can draw :-)
I've "done time" on both the Government and Academic pay role at various points in my life, but office politics has always made me move back into industry usually at somebodies "cutting edge" I'd get bored having done the interesting bit and job hop to something else interesting and thus let others get the fame etc.
When I was still alowed to travel (ie befor the Drs said "you'll die an early death if you keep traveling") I had become what they used to call a "fireman" in the US and a "troubleshooter" else where. The nice thing about it (and I guess Nick P might agree) is no "office politics" they all know before you walk through the door it's their livelihood I was coming to save not my own...
--Nice list, tech./elec./RF is way more attractive. On the "social" thing, I lose my long train of thought when I have to talk, takes awhile to regain; maybe others have same problem.
--Ha, yes I've wondered. Sad that merely saying what needs to be said gets you in "hot water" or on the "chopping block". BTW, don't ever say "naughty boys and girls" again :)
BTW, don't ever say "naughty boys and girls" again :)
Awah, the real kids will be disapointed, It's at this time of year I get asked to play Santa by various people...
Why goodness alone knows, I'm over six foot six for starters and have trouble walking through doorways without ducking or turning sideways. When I used to wear the green and collect my Queen's schilling I could scare the proverbial out of adults because I used to walk almost silently (even across gravel) and had a fairly deep and somewhat resonant voice, which when coming from above and behind people even when only saying "excuse me" quietly tended to make them jump (literally). Even these days with a large beard and long hair and over expansive mid drift to soften the edges as it were I can still see people look nervous when I walk into a room.
So you would think I would make a realy scary Santa, but as far as kids are concerned not a bit of it, why I have not a clue.
As an aside the line "naughty boys and girls" is used by "Robot Santa" in a Futurama Xmas show usually just before he tries to "kill all humans" with a missile launcher or some such because nobody makes it onto the "nice list"... For some reason my son still likes Futurama even though he first saw all the original episodes over five or six years ago.
@figureitout. I sympathize. My problem is alternating add and OCD. Helps with job though. When I do focus it turns into OCD. I rarely get 30 seconds before interruption. My last comment was while directing two people one about what the difference can be between effects of manufacturers of DVDs and the other of exporting video to USB for security footage and typing/reading email. When working on something I may spend 30 hrs on project. Getting a little long in the tooth to do that now it actually is beginning to hurt. I can talk to anybody. Vertical learning curve for +30 yrs now.
You may try self dialog to do feedback with what you want to say. You may wander but can return from the path you wandered to. You will get the hang of tieing things back. Sense of humor helps.. I cracked up people today when I tied that uk hot burger from Bristol to discussion about security. I described the burger as having special sauce of hate and Ill will. Also consequences, etc will burn your ass the next morning.
You sound like you tense up. Make a simple outline. You can do anything you want to. I once explained the principle of writing papers to my son. Intro...tell them what you are going to tell them. Supporting paragraphs, tell them. Conclusion. Tell them what you told them...
Just relax and play to your strengths...just some thoughts to consider.
I guess the original poster of this link got moderated out. Moving on... :)
Chinese hackers pushe california firm to brink
Ok, I confess: I changed the title to remove the FUD. The short version of the story is that China used a California company's censoring software without their permission. California company and "stubborn" owner sued. Sophisticated hackers hit them hard. Owner decides he's better than them. He's driven to paranoia trying (and failing) to defend. He looses tons of money, agrees to a settlement and attack is suddenly over.
Why this is interesting
I think it's a good example of Chinese use of espionage to steal Western IP. We've been talking about it for years. You always hear the government say it and big hacks are in the news. I think this account illustrates their capabilities and mob mentality more than most. The Chinese, like many others, know it's easier to steal technology than to invent and mature it. NATO companies need to learn this lesson quick and stop taking IP over there.
The other part of the lesson involves DO's and DON'Ts. DON'T fight the Chinese over something like this if you're a SMB and want to keep your revenue. DO take a stand if you have good security posture, legal muscle, and are willing to take a few bruises on the way to a settlement. DON'T think you'll outsmart hackers whose talents you can't understand ahead of time. DO call in companies that specialize in this sort of thing: they're normally better than in-house staff. DO call me ONLY if you are willing to make strong usability and efficiency compromises to cause attackers to smash their keyboards over monitors in frustration.
Side note: As I read it, I remembered another bright coder with similar traits (the good ones, anyway) to decided to take the fight to the hackers. The key difference is that Steve Gibson is awesome.
DO call me ONLY if you are willing to make strong usability and efficiency compromises to cause attackers to smash their keyboards over monitors in frustration
Excellent post. This sentence jumped out for me. When a pack of wolves attacks you don't poke your stick at them..you hit them hard enough to make them go away.difference though between enticement and entrapment. A little surprise waiting between ports.
I do feel sorry for the business but they should have known this was a pack of wolves attacking and you are prey. Bring in a lion. There are too many skilled people out there. Granted it's gonna cost you. One of the first steps might have been cloud fare for hosting. Let them take the hit. Short term thought example.
There are too many ways to deal with it. Granted none of them perfect. We all can't be chuck Norris or Bruce.... ;)
I appreciate it. What got to me is that he didn't call in help. I'm sure he likes to do it on his own. However, he's running a business under attack by either skilled or proffesional hackers. There are skilled contractors like Dell SecureWorks in article that can handle this (probably). For the sake of his business, he should have contracted professional help.
I got to thinking about this more. The article said it was an 8 person firm. Presumably, most of them were support staff with modest pay. At one point he's loosing "$58,000 a month" in sales. Doing some speculative math, I think he makes around $5-20k a month after business costs are subtracted (before he or his wife's possibly inflated pay). The article notes that the firms that can deal with these incidents aren't cheap. Well, this guy wasn't exactly living dollar to dollar either. He had $100,000 to blow on a property dispute with a neighbor, but no money to protect his business?
In the end, it's not a story about hackers vs businesses. It's a story about the perils of egomania. The man took offense to something Chinese companies were doing. It probably didn't even cost him anything. When they hit back, he let his ego lead the way in determining his fight strategy and approach to things. He couldn't even think clearly enough to call in the big guns during the more severe parts of the digital beating. In the end, he looses out pretty big and imho he totally deserves it. Let that be a lesson to him and other people that put ego before reason when running a business.
Epilogue: The people who didn't deserve it were his employees. Readers let THAT be a lesson about carefully choosing who you work under and which business you stick with. I promise you and any future employers that I will jump ship almost instantly if you pick a fight with the mob or a powerful government. There's few jobs worth risking one's future over. I would recommend others take the same practical approach if their employers' loose their minds.
@ Nick P,
I promise you and any future employers that I will jump ship almost instantly if you pick a fight with the mob or a powerful government
Sadly for many people these days "jumping ship" is not an option for a whole host of reasons. I know it should not be that way but unfortunatly that's the way it is for the majority of people in these current economic times.
Secondly not all employees will know what is going on. When such things happen almost immediatly the first suspects are the employees as they are the closest to the problem and are seen as the ones who can do most damage either directly or indirectly, conciously or unconciously.
However that said if you are aware and can walk away then it's probably the best option, but oddly not the human choice (most people are actualy quite loyal to their employers unless given cause to be otherwise).
Oh and it's not always foreign Governments small businesses have to go up against, in most cases it's actually their own Government causing them grief, something that the large corporates and internationals don't generaly worry about.
The reaon being as we have seen in the UK with Customs and Revenue, the Government knows the big companies can afford the legal muscle and the associated court costs. Whilst eye watering to you and me theey are nothing in comparison to the profits from the illegal business model. Further they usually wrigle out using various tactics and worse case at the end of the day cough up what to them is a tiny fine usually wih a clause of "no further liability" meaning those actually hurt don't get compensattion.
For instance in the US the largest fine the EPA ever handed out was 30million to an organisation that has been estimated to be worth in excess of 100billion. It's known that the two brothers behind it spend well over 30million on ultra right wing political campaign funds (they payed for the tea bags) to try and stop or reverse legislation on issues that they think will effect their profits (or political view point).
Greenpeace has a list of some of their worst environmental offences and you can see from it that the fines are nothing compared to the savings they have made by neglegent maintanence etc,
I've reposted the China/CYBERsitter link and my original comments in the newest Squid blog entry. I assume they got pulled because I quoted the original article (copyright?). I hope this blog doesn't have a policy against recommending quick defensive tactics for people finding themselves in over their heads.
@Nick P: Keep in mind that CYBERsitter's founder didn't say "I think I'm going to take on all of China today." He did something fairly normal for businesses to do (sue to protect IP). It was the response from the people he sued that was out of left field. How are your hypothetical future employers to know that they can sue companies X and Y for infringement or breach of contract, but if they sue company Z then they'll be tangling with the mob? The mob doesn't exactly put "This company a wholly owned subsidiary of the Sicilian Mafia" on their websites' about pages.
Conversely, what kind of world would it be if companies could get off scot-free with breaching contracts merely by spreading rumors they had criminal backing?
The problem with your comment wasn't a couple of paragraphs quoted from Bloomberg-- Bruce routinely pushes fair use much harder than that -- but the fact that the entire comment was an uncredited reprint from what appears to be somebody else's blog. Are you saying that is your own work? If so then that's a different story and I will let it stand, but still, please don't copy-paste your blog posts here. Comments are for conversation, not for reprints.
Let me clarify that I think the core of it was that he was so stubborn he refused to get help. He was getting hit hard by some top notch hackers. He was actively suing Chinese government for stealing his software. With all the cyberwar and IP theft stuff in the media, I would hope this guy could put it together.
If not, he should know his business and employee's future were being destroyed by digital attackers. They were doing a good job at it. His attitude and decisions put everyone at risk for nothing other than his ego. The crooks don't have to call themselves "the mob." The company got all the warning it needed when it started loosing plenty of revenue, equipment was going down and unknown enemies had more control over their systems than they did.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.