Schneier on Security
A blog covering security and security technology.
March 22, 2013
Friday Squid Blogging: Giant Squid Genetics
Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
EDITED TO ADD (3/25): More news stories.
Posted on March 22, 2013 at 4:12 PM
• 31 Comments
Since this is Friday, I want to ask how easy it is to create my own index of the web so I won't have to use a third party search engine.
I don't expect to ever match a fraction of the major search indexes, but it will be another privacy-enhancing step for me, since that is one less service that will see and log my search terms.
Users flock to Japan student's firewall-busting thesis project
'VPN Gate,' designed by PhD student Daiyuu Nobori to circumvent government firewalls, has drawn 77,000 users in less than a week
By Jay Alabaster, IDG News Service | Security, VPN
March 13, 2013, 6:50 AM —
If you're not sure about the purpose behind Daiyuu Nobori's online thesis project, perhaps the large picture of the collapse of the Berlin Wall will help.
Nobori created VPN Gate to help individuals in countries that restrict Internet use to beat government firewalls. The service encourages members of the public to set up VPN (virtual private network) servers and offer free connections to individual users, aiming to make the technology more accessible.
"Today's VPN software is very complex. They are not easy to use. Some VPN services around the world are expensive for people in other parts of the world," Nobori said in an interview with IDG News Service.
His service maintains a public, real-time list of freely available VPN servers for users to choose from. It also offers downloadable server software to run the VPN, and a client that greatly simplifies the process of finding and connecting to one of the free servers, for the less technically inclined.
The 28-year-old doctoral student at Tsukuba University, about 30 miles northeast of Tokyo, wasn't sure what the reaction would be when he launched last Friday. He did little to advertise it outside of the home page and a few mentions on tech forums.
Five days later, the service has drawn 77,000 users and served nearly 4 terabytes of data.
It's an awesome post for all the web users; they will obtain advantage from it I am sure.
@AC2/ Who is behind the study
I've ruled out Clive, since there's no misspellings to be found such as integraty / integrity. (Although I have a sneaking suspicion he throws them in on purpose. :P)
Could it be Steve Gibson?
What information does your browser give out? What information can people see when you visit their site?
Test your machine:
@ Gu355 wHo
Excellent project! Thanks for that. Already 273 VPN Gate servers running and the number keeps increasing.
A few days ago South Korea discovered some of its banks and media outlets coming under attack, which wiped hard drives and the MBR.
The attack originated via a "watering hole" site and the original source is (currently) unknown.
Many have, as a knee-jerk reaction, blamed North Korea as the source. However, the few pointers available actually suggest not.
The important thing to note is that all the infection vectors are old news and have patches or work-arounds that those attacked obviously did not apply. This is an important fact to note, as this sort of laxity affects the majority of countries, and should be a warning to all.
The attack itself, although using old vectors, is of interest because it contains code aimed not just at MS OS systems but at Linux and HP-UX.
Needless to say, S. Korea politicos and mil are blaming the North, but if it is the North it is a significant change to methods, targets and reporting. Others are indicating it may originate from China, whilst others are indicating it could be a "false flag" operation by those who attacked North Korea's Internet infrastructure a few days beforehand.
Yet again this demonstrates that treating cyber-crime as warfare is a dangerous thing to do because of the attribution issue...
Old frontiers in criminology: a judge has issued an order to allow the Aurora shooter to be subjected to a "narcoanalytic interview", which apparently is the modern jargon for the use of "truth drugs", which, as the story notes, don't actually work and will probably be inadmissible in court. At least one of the drugs that might be used is known to cause a person to become suggestible, which may lead to actual memory damage. One wonders if that might constitute tampering with evidence.
Along with it, the judge also allowed a polygraph test, which would definitely be inadmissible in court.
If there's a plea of not guilty by reason of insanity, these are supposed to be used to determine if Holmes really is insane, because apparently the judge believes these are scientific tools which are used to diagnose mental illness.
@ Clive "treating cyber-crime as warfare is a dangerous thing to do because of the attribution issue"
Dangerous to the falsely accused, not to the attacker.
@Marcus Gustafsson "This would of course include hactivists"
And "collateral damage". And "well, sure, it's the scumbag my little sister was mushy on, but it was an honest mistake, sir, honest, sir".
@ Petréa Mitchell,
If there's a plea of not guilty by reason of insanity, these are supposed to be used to determine if Holmes really is insane, because apparently the judge believes these are scientific tools which are used to diagnose mental illness
Perhaps the judge should put his money where his mouth is by having these "tools" used on him to prove he's sufficiently sane to sit in judgment...
I guess as long as the DHS, through the TSA et al., lends credence to this nonsense by funding research into it, you can guess which way law enforcement is going to go no matter what reputable science says to the contrary.
The real issue hiding behind this is "justice being seen to be done, not actually done". Basically, irrespective of what has occurred, somebody has decided "the defendant must fry" or equivalent to save/make their political careers etc. and sate the appetite of the media baying for blood/retribution or whatever else gets the revenue.
What appears to have been mainly ignored is just how the defendant or others obtained the weapons, explosives etc. that enabled the crime to be committed. As I understand it, much of the materials should not have been available, let alone so easily. As to the state of the defendant's mind and how the treatment, or lack thereof, of any mental illness contributed to the defendant's alleged actions, this is almost secondary in nature to the materials supply.
The people I actually feel sorry for are all the victims, not just the 70 primary victims killed or injured but also those who are in effect also victims (friends, family etc.) of the seventy primary victims. They have been caught up in the worst form of political "bread and circuses" behaviour this tragic event has engendered, and I can only imagine the hurt caused by the continuing hacking at their emotional wounds by each media-glamourized twist and turn of the case.
Dangerous to the falsely accused, not to the attacker
Perhaps, perhaps not; the attacker could, depending on where they are, easily get caught up in the follow-on effects, especially if things go kinetic.
The one thing that is clear is that, prior to and since the ceasefire between the North and South of Korea, certain elements within the US administration and military have done quite a bit to ensure that the hostilities either continued or were rekindled. In more recent times the political leaders in the South have become much more belligerent with the assistance of the US.
It would appear that the "cold war games" of "war by proxy" are still very much on the minds of the old "war hawks" and "rabid right". What they have failed to learn from the lessons of history, which in modern times stretch back to WWII, is that getting involved with what in effect would be asymmetric warfare is by no means a sensible policy for the majority of voters, both short and long term. However, as has been pointed out by senior retiring political and military leaders, there are always a group of individuals who will benefit greatly, and they tend to drive the political agenda through various mechanisms.
Contrary to the way some portray it, there is nothing glamorous or honorable about war; the economic cost for the majority is immense and lasts many generations, as does the fallout of more modern weapons (chemical and lost unexploded munitions and mines).
On Topic :-)
Giant Squid Genetics Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity
Hmm sounds much like another species.
I wonder what other, perhaps more psychological, attributes they share with Homo sapiens...
WAY OFF TOPIC.
Minor nit. I get that we want people to be able to share links, but do they really need to use the link within their name?
The NCTC warns that urban explorers may be inadvertently providing information to terrorists warning that “Any suspicious UE activity should be reported to the nearest State and Major Area Fusion Center and to the local FBI Joint Terrorism Task Force.”
http://publicintelligence.net/... - See the insightful comment by Dr Bradley L. Garrett – University of Oxford
@00000000: That was not one of its brightest moments.
I think you should have a live debate on this http://www.darkreading.com/blog/240151657/... Everyone should carry rotten tomatoes, gauging from the tone of the Counterpoint. I think CISSPs get angry really quickly, and I have experience with this at work...! @everyone, shut up.
So, we need to have a debate, and then take a vote, just like you did with Ranum.
It is very simple to get started building a web crawler. Perhaps 40 lines of Python. You will need to then figure out how to lex, store and query the data; that will be perhaps an order of magnitude increase in complexity, maybe two.
I've worked with this stuff before, but haven't gotten far. If you have 40 or so hours to spare and are comfortable with SQL, multiprocessing/threading, and Python, you should be able to have a search engine & crawler off and indexing. Hope you have enough hard disk space.
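The crawl, lex, store and query pipeline the comment above sketches, as an added example written for this page (it is not the commenter's code, nor anything from the blog). It crawls a constructed in-memory site (`SAMPLE_SITE` and the `fetch` stand-in are assumptions that replace real HTTP requests), extracts visible text and links with the standard-library HTML parser, tokenizes the text, stores an inverted index in SQLite and answers AND-queries against it. Everything runs locally, which is the privacy point raised earlier in the thread: the query terms never leave the machine.

```python
"""Minimal crawler + inverted index + local query, on a constructed offline site."""
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse
import re
import sqlite3

# Constructed sample "site" (URL -> HTML). Not real pages; stands in for HTTP fetches.
SAMPLE_SITE = {
    "http://example.test/":
        '<html><body><h1>Home</h1><p>Welcome to the cephalopod archive.</p>'
        '<a href="/squid">Squid</a> <a href="/privacy#top">Privacy</a></body></html>',
    "http://example.test/squid":
        '<html><body><p>Giant squid are one species; squid show little genetic diversity.</p>'
        '<a href="/">Home</a> <a href="http://other.test/x">External</a></body></html>',
    "http://example.test/privacy":
        '<html><body><script>var x = "ignore me";</script>'
        '<p>A local index means no third party logs your search terms.</p></body></html>',
}


def fetch(url):
    """Assumed stand-in for an HTTP GET: returns HTML from SAMPLE_SITE or None."""
    return SAMPLE_SITE.get(url)


class PageParser(HTMLParser):
    """Collects visible text and outgoing hrefs; ignores script/style contents."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


WORD = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """The 'lex' step: lowercase alphanumeric tokens."""
    return WORD.findall(text.lower())


def crawl(start, allowed_host, max_pages=100):
    """Breadth-first crawl confined to one host; returns {url: visible text}."""
    seen, queue, pages = set(), deque([start]), {}
    while queue and len(pages) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        parser = PageParser()
        parser.feed(html)
        pages[url] = " ".join(parser.text)
        for href in parser.links:
            absolute = urldefrag(urljoin(url, href)).url  # resolve and drop #fragment
            if urlparse(absolute).netloc == allowed_host and absolute not in seen:
                queue.append(absolute)
    return pages


def build_index(pages):
    """The 'store' step: an inverted index (term -> doc, term frequency) in SQLite."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE docs(id INTEGER PRIMARY KEY, url TEXT UNIQUE);"
        "CREATE TABLE postings(term TEXT, doc INTEGER, tf INTEGER, PRIMARY KEY(term, doc));"
    )
    for url, text in pages.items():
        doc_id = db.execute("INSERT INTO docs(url) VALUES (?)", (url,)).lastrowid
        counts = Counter(tokenize(text))
        db.executemany("INSERT INTO postings VALUES (?, ?, ?)",
                       [(term, doc_id, tf) for term, tf in counts.items()])
    db.commit()
    return db


def search(db, query):
    """The 'query' step: AND over all distinct query terms, ranked by summed tf."""
    terms = tokenize(query)
    if not terms:
        return []
    # Only the *number* of placeholders is interpolated; the terms themselves are bound
    # parameters, so user input never reaches the SQL text.
    placeholders = ",".join("?" * len(terms))
    rows = db.execute(
        f"SELECT d.url, SUM(p.tf) AS score FROM postings p JOIN docs d ON d.id = p.doc "
        f"WHERE p.term IN ({placeholders}) GROUP BY d.url "
        f"HAVING COUNT(DISTINCT p.term) = ? ORDER BY score DESC, d.url",
        (*terms, len(set(terms))),
    ).fetchall()
    return [url for url, _ in rows]


if __name__ == "__main__":
    index = build_index(crawl("http://example.test/", "example.test"))
    for q in ("squid", "squid genetic", "local index", "ignore"):
        print(q, "->", search(index, q))
```

Swapping `fetch` for a real HTTP client (with rate limiting and robots.txt handling) turns this into the 40-line crawler the comment mentions; the index and query side is where the real work, and the disk space, goes.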
Wasn't aware this was happening. Seems like a waste.
@ Bobby (and Bruce Schneier might be interested)
That was a nice counterpoint. I think a response by Bruce would be interesting. I agree with some of the counterpoint's statements because I've seen awareness work in practice plenty of times.
Oddly enough, I have an example from just a few hours ago. I told a layperson about a particular kind of scam a year or two ago. She told me Tuesday night that she thought someone was pulling it on her and why. That she understood how the scheme worked and was given a simple procedure to stop it helped. She also was reading the potential scammer's body language, a required part of her profession and something she's good at. Her awareness training + her understanding of people = a significant loss was prevented.
Just one security note as far as bank robberies versus cyberhacking...
The interesting thing about bank robberies is that the amount of money that banks lose via bank robberies is trivial. The problem with bank robberies is not the money. It's the fact that having someone point a gun at you is a life-changing emotionally traumatic event.
By contrast, having a billion dollars stolen by a rogue trader or cyber thief is not going to cause you nightmares. It's a bad thing, yes, but it's not going to cause your life to change as much as if someone points a gun in your face.
This has relevance to cyber-hacking. One thing that we have to realize is that having someone conduct stuff via the internet is just different in the same way that being robbed by having a gun pointed in your face is different than being robbed via non-violent ways.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.