Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Recent Comments

May 25, 2013 7:29 AM

Schneier on Security: Picking a Single Voice out of a Crowd


May 25, 2013 7:27 AM

Schneier on Security: How to Open a Padlock with a Coke Can


May 25, 2013 7:14 AM

Schneier on Security: Computer Security when Traveling to China


May 25, 2013 7:10 AM

Schneier on Security: Technologies of Surveillance


May 25, 2013 6:48 AM

Don't like to think too much, it makes me think too much,
it keeps my mind on my mind
Don't wanna see too much, it makes me see too much
sometimes I'd rather be blind

All the things that they're saying & doing
when they pass me by just fills me up with noise
it overloads me
I wanna disconnect myself
pull my brain stem out and unplug myself
I want nothing right now, I want to pull it out

Chorus:
yeah, I want to pull it out, yeah
I wanna break it all down, hey, I wanna pull it out
yeah, yeah, disconnect myself, disconnect myself
I wanna see it go down, yeah, disconnect myself

A thousand miles an hour going nowhere fast
clinging to the details of your past
talking 'bout your damages and you're wasting my time
I wanna be the king of pain, stand in line
all the numbers and the colours and the facts
backed by the rumours and the figures and the stats
I think I'm gonna download my mind

Chorus

Too damn bad if at the end of the day the only thoughts
in your brain are all the things that they say, what a waste
Too damn bad if at the end of the line you got no idea
what's on your own mind, you got no one to blame but yourself
Too much to know, too much to see
it might mean something to you but it's nothing to me
it's just another ad for someone's version
of how they think it should be

I wanna disconnect myself, pull my
brains damn out, unplug myself
I want nothing right now, I want to pull it out

Chorus



May 25, 2013 6:30 AM

@ Jon,

To answer your questions you are going to have to do a bit more reading in the area.

Currently there is a bit of excitement in the fact that models of brain behaviour appear to follow more along the lines of Quantum Probability than Classical Probability.

One of the authors (Love) has written a collaborative paper back in 2011 which can be seen as part of this,

http://homepage.psy.utexas.edu/homepage/group/...

And before anybody asks for an opinion on it, my view is curiously open. Basically a friend who works in the field pointed it out to me when we were talking about Roger Penrose's non-classical view of the mind.

But Roger Penrose was by no means the first but appears to have received the most "public stick" on it (possibly due to the fact he is a popular author as well as mathematician). You can read a potted history or timeline in the first part of,

http://www.scaruffi.com/science/qc.html

The author of that is Piero Scaruffi [1] who is fairly well known in the AI and cognitive science fields (as well as being a music critic). He has also written a book in 2006 on the broader areas of consciousness and keeps an updated version online at,

http://www.scaruffi.com/nature/index.html

Which will give you other areas to research if you are curious.

[1] http://en.m.wikipedia.org/wiki/Piero_Scaruffi


May 25, 2013 4:53 AM

Much as it's surprising that he knows what giant squid tastes like... It's far more surprising that he knows enough other people who have tried it to form the generalisation that its intense flavour actually scares people that aren't, by and large, afraid of normal sized squid. That is a pretty unusual demographic from which to pluck a meaningful correlation.


May 25, 2013 4:46 AM

No need to fix anything. Go to the people who have long histories in training successful guards. Do what they do.

We should probably stop ignoring the plentiful evidence that TSA agents are doing exactly what they are paid to do.


May 25, 2013 4:34 AM

I like the helpful info you provide in your articles.
I will bookmark your blog and check again here regularly.

I'm quite sure I will learn plenty of new stuff right here! Best of luck for the next!


May 25, 2013 2:57 AM

I admit I didn't read the whole thing, but from the abstract several things strike me:

First, before we go anywhere with this, let's replace 'predicted' with 'proven'.

Second, what is an ideal distribution of noisy data?

Third, the very initial sentence presumes that there will be a winner. There might not be (imagine a handful of people playing blackjack in a casino, or total thermonuclear war).

Fourth, who decides how to distort the real data into an 'ideal' form?

Fifth, isn't this just an indication of lousy education in statistics?

Fix that first, I'd suggest.

Thanks.

J.


May 25, 2013 2:40 AM

I am curious which blogging platform you're running? I'm new to blogging and have been thinking about using the Live
journal platform. Do you think this is a good platform to start with?
I would be extremely thankful if I could ask you some questions through email so I can learn a bit more before getting started.
When you have some free time, please be sure to contact
me at: saulridley@arcor.de. Thank you


May 25, 2013 12:06 AM

@ oh no,

    clearly there's some final solution

I hate the expression "final solution" simply because there is only one that we know of and that is when entropy is at its maximum within the universe (unless the "big crunch" is back in favour).

Until then, or the human race no longer exists as we currently know it, I expect all social solutions to evolve with society...

However there is a certain base appeal to the cry of,

    Come the revolution, you lot.... ;-)

May 24, 2013 11:40 PM

He stares them down until he gets the information he wants


May 24, 2013 10:21 PM

OFF Topic :

As someone has already linked to the UK's Grauniad newspaper here's an InfoSec related one,

http://www.guardian.co.uk/technology/2013/may/20/...

It is about the Dutchman Sven Olaf Kamphis arrested in Spain over the Spamhaus DDoS and the very much overstated claims of CloudFlare.

But it appears that there is a rather murky back story going on about CloudFlare and Spamhaus, apparently Spamhaus used to block CloudFlare IP addresses etc and that CloudFlare has been hosting some stuff for a murky "bullet proof hosting" organisation Brian Krebs has taken an interest in because the person supposedly running it has encouraged others to DDoS Brian's blog site,


http://krebsonsecurity.com/2013/05/...

Brian also has an article up on Microsoft's Skype 6.5 Beta which supposedly fixes a gaping security hole,

http://krebsonsecurity.com/2013/05/...

However this does nothing to get Microsoft out of the Dog House for their other Skype security breaches where IM text that should have been protected by SSH mysteriously gets sent to MS.

Some people are putting a "pro-spin" on this,

http://nakedsecurity.sophos.com/2013/05/22/...

However they have (deliberately?) ignored some aspects of the experiments carried out which contradict this "pro-spin" (Dan Goodin can say more on this).

And Microsoft is in the Dog House again, this time from a Google Engineer who has found a significant "legacy bug" in MS code that allows an attacker to get system privs (equiv of *nix root) ON ALL Microsoft OS's going back pre NT...

http://www.computerworld.com/s/article/9239477/...

And this is not the first time Tavis Ormandy (Google engineer) has found such legacy bugs. If you want to know more (it's about a failing in a memory allocator) you can read more on Tavis's blog,

http://blog.cmpxchg8b.com/2013/05/...

The question now is if Microsoft will actually fix this legacy bug and in which patches --remember a lot of people still run XP and earlier MS OS's for good and proper reasons even though Microsoft has nixed the support on them-- and importantly when. I suspect some people are thinking "only when it is proven to be being used in real malware to the point it cannot be ignored"....


May 24, 2013 9:16 PM

clearly there's some final solution, clive


May 24, 2013 7:26 PM

If giant squid is full of ammonia, what reaction would you get if you served it with lutefisk?

Here's a story of the war on the unexpected in Falcon Heights, MN:
http://www.parkbugle.org/...
A broken pedometer in a trash can.


May 24, 2013 6:40 PM

Giant squid has a ton of ammonia in its flesh for biological reasons I can't recall off the top of my head (Google says they use it for buoyancy control, but I thought it was also used for some kind of isotonicity/osmosis control function). A few other large sea creatures are similar, e.g. some sharks.

I think it's possible to wash/cook it out, yes, but not easy.


May 24, 2013 6:12 PM

I had heard they were loaded with ammonia, and so would taste truly foul.

There might be a way of cooking that out, or the ammonia might be a product of decay. "It's better fresh".

http://www.guardian.co.uk/world/2007/jul/15/...

J.


May 24, 2013 6:00 PM

@Someone


Opportunity cost. Most network resources are otherwise unutilized.

Most network resources, most of the time, are not operating at full capacity, since they are overdesigned to support uncommon traffic peaks. A DDoS attack produces sufficient traffic that it can exceed spec and interfere with intermediate nodes. Simply bringing traffic close to this mark can engage emergency procedures and force additional expenses on the part of businesses that do nothing except provide infrastructure.

Note that I'm talking about 'distributed denial of service' attacks, not the more general category 'denial of service'.

And no, the act is not a misdemeanor...

I was trying to describe a well-designed legal framework, not the existing one (my choice of language was poor). Current copyright law is an obvious case of a poorly designed legal framework, in that it both overestimates the harm done by copyright violations, and improperly extends the definition of the crime. Extensive expert analysis of this is present on the "Freedom to Tinker" blog.

Computer/network-related crimes have had the same problem, with arguably minor infractions being treated as serious crimes, and with artificially inflated assessments of the cost or harm done. In contrast, people engaged in such practices have minimized or dismissed altogether the cost or harm done. The most reasonable answer is arguably in between.

I was addressing Bruce Schneier's statement that

One of the problems with the legal system is that it doesn't make any differentiation between civil disobedience and "normal" criminal activity on the Internet, though it does in the real world.
My argument is that this is a problem, in the sense that neither the written law nor the courts or police should make this distinction (you don't get a free pass because you imagined you were doing the right thing when identifiable harm is done), though the distinction could reasonably influence the choices of public and private leadership or decision-making bodies.


May 24, 2013 4:56 PM

@ Ambrose Bierce (1842-1914),

    Solution: make not cheating more rewarding than cheating

Unfortunately, whilst Ambrose had a sense of humor, some people actually believe this "solution" is viable.

That is, they don't realise that some people have "a sense of entitlement": unless they have more than anyone else they are not being correctly recognised (see failed bank executives as an example, with their 20 million salary plus bonus). These people innately believe that this recognition must be paid like "tribute" and unless given they will take it.

Paying these people more to stop them cheating only feeds the sense of entitlement, so perversely only makes them want to cheat more and thus take more.

The correct solution, once their sense of entitlement has become known, is to not pay them at all, preferably by giving them free (for them) board and lodgings at a "state facility" until they are cured of their sense of entitlement.

I'm told however that such kindness tends to also feed their sense of entitlement, so whilst the solution works for the rest of us it might not work for them. Ahh well, no solution is perfect ;-)


May 24, 2013 4:11 PM

Every time I look at the details of a Pew report, I'm underwhelmed. The largest part of the survey group was "802 parents and their 802 teens ages 12-17". Yeah, teenagers participating in a survey with their parents will tell you what they really do.


May 24, 2013 2:59 PM

First, I will simply quote what I said yesterday in the thread about iterative games, "The result is that the touchstone of privacy is no longer isolation but distraction. But some people are better at isolation than distraction. Their genes will tend to be disfavored."

@Kevin. Distraction doesn't need to be good in the long run because in the long run we are all dead. That is equally true for games as it is for economics. So long as you can fool enough of the people enough of the time one is golden. How much is enough? If they catch you and kill you or put you in prison it wasn't enough!

Ask a magician. People figure out the trick sooner or later. Who cares: they already paid the admission fee. The trick to being a successful magician is not stopping people from learning your ploys; it is to keep inventing new tricks.


May 24, 2013 2:19 PM

"91% post a photo of themselves, up from 79% in 2006."

Goodbye your chance for undercover careers without facial surgery. :-O


May 24, 2013 1:43 PM

@Renalto: When security gets in the way, it's too much. See also TSA, although that falls under Security Theatre rather than actual security.

The real threat is complacency. Why did 9/11 happen? Security personnel became complacent. The rules were in place which should have caught the attackers. Rules weren't followed because of complacency.

Complacency is also a major problem in the IT field of users, admins, and executives. Users don't think much about security because it doesn't affect them. Admins (myself included) get complacent because policies and systems are working at the present time, and executives become complacent for the same reasons the users do -- security issues aren't a daily problem to them.


May 24, 2013 1:32 PM

I'm amused that Gamblers and Baggage screeners are grouped together as requiring the same skill set.


May 24, 2013 1:26 PM

If this was Fark.com, I'd post this with the headline: [Obvious] Teenagers are self-absorbed and have no common sense.

@NobodySpecial: Don't negate how much value there is in the information contained in the details of someone's personal life. Just from what happens at my office, we've probably put >15 people in prison from the electronic data detritus of the social media details which they disclosed. In terms of prison time, I'd say it's >250+ years. We're not law enforcement, nor were we looking to put people away. The data came out in the course of our audits.

ProTip: If you're stealing money from a company, don't go bragging about the spoils of it on the internet.


May 24, 2013 1:00 PM

As long as the TSA keeps recruiting its employees by advertising on delivery pizza boxes, and hiring people who couldn't hack it at McDonald's, you're going to get the lowest common denominator. At some point you get beyond a person's skillset. For this lot, I think we might just be better off with algorithms doing the job. Or more realistically, bring back the old pre-TSA baggage screeners. They seemed quite effective as long as they were actually doing their jobs. I do want to point out that we went nearly 30 years without a domestic hijacking with the pre-TSA security.

Instead, it'd be nice if we had professional security agents (they're agents, not sworn officers, despite the intentionally-intimidating blue smurf shirts & $145 tin stars). In my line of work, I often have to attend hearings in various federal courthouses and various federal buildings. Occasionally even a local county courthouse. In NONE of those have I ever encountered the ineptitude and rudeness and bullying of a typical TSA checkpoint, and I can't remember the last time I've heard of there being an issue with people getting past the security guards (and often sworn LEOs) at these venues. I should point out that I've been stopped multiple times in these venues for some of what I'm carrying, but in each instance the security guards were polite, almost apologetic, and efficient. Sometimes I do forget that I've left a piece of banned electronics bouncing around in the bottom of my briefcase.

Oh, and yes, I've never ONCE had someone tell me at a federal building to remove my shoes or throw out a bottle of water.


May 24, 2013 12:46 PM

Some of these points were made on the Cypherpunks mailing list. They thought a lot about things like reputation, trust, peer pressure, etc. People interested in it might want to dig into their mailing list archives on the subject. The link below just summarizes some sub-topics.

http://www.cypherpunks.to/faq/cyphernomicron/...


May 24, 2013 12:43 PM

Let me first say with some hesitation, a DDoS attack goes beyond civil disobedience. With everyone depending upon the internet today, including hospitals, government, consumers, and business, taking out innocent bystanders along the way puts people's lives in danger by taking out the core infrastructure we all depend upon.

Case in point: I was an innocent bystander of a DDoS attack on someone else who used the same internet carrier a couple of years ago. Apparently >200Mbps of DDoS attacks streaming in on that carrier's local node. I do have multiple carriers at my office, but because the link didn't "fail", I had to manually force the re-routing to another carrier. Fortunately our VoIP PBX noticed the dropped packets and was able to re-route to another carrier, BUT I don't know of too many businesses which go to the extreme & expense of having multiple carriers. FWIW, some of the local hospitals here were taken out when CenturyLink's network had a nationwide failure a few weeks back. They had NO other carriers at their facilities. A couple of aging T1s + 2-way radios is all they had. No ability to receive test results from labs, no way to order supplies, etc.

For a more classical definition of civil disobedience, I'd say sit-ins at universities, or even the original Boston Tea Party (even though private goods were destroyed) were more appropriate. They only affected the targeted parties and didn't disrupt the entire operations of a town/city or put people's lives in danger.


May 24, 2013 11:52 AM

In Communist bloc countries this was called "sniping from cover".

The secret police are not going to come and take you away for producing Hamlet with the actors dressed as enzymes and set in the stomach of a cow.


May 24, 2013 11:47 AM

http://icail2013.ittig.cnr.it/
AI & Law.
Agenda includes privacy protection by AI agent (see the last day schedule)


May 24, 2013 10:43 AM

What danah boyd is talking about sounds just like how Chinese users of social media have adjusted to constant government censorship: when a word or topic is banned, it's still possible to talk about the issue to some extent with heavy use of euphemisms and homonyms.


May 24, 2013 10:42 AM

Activist activity can be distilled down into 2 parties:

Parties of government regimes:

Parties of non-government actors: individuals and ideological or corporate action

The parties of government regimes seek to defend themselves from dissidents. Challenges to government actions and policy are good for democratic societies, though are contrary to the interests of those who hold or have harnessed government power, especially in areas where companies have achieved regulatory capture.

Non-government actors may be motivated by any number of factors, good or bad. However the friction created by these parties serves a necessary role. They keep the honest in line, and can expose wrongdoing. Companies that use these capabilities for evil such as corporate espionage or sabotage, or to conduct predatory pump and dump or stock manipulation.

Activists provide a critical and necessary role to the development of society. In addition to providing societal guidance, they also provide a safety valve to reduce violent outcomes. Stomping on activists at the protest stage simply increases the stakes. As President Kennedy said:
Those who make peaceful revolution impossible will make violent revolution inevitable.


May 24, 2013 10:12 AM

If "social media" means "the popular one with the Blue theme, the Face, and the Book", then "social media" overtly requests the high school that they attend. (Or, in my case, attended more than a decade ago.)

Reputedly to help the user connect with other students/alumni of said school.

Same with place of birth and current home.

However, that same social media platform does allow users to hide their email behind "username@SOCIAL_MEDIA_SITE.com".

I don't think it sets default-permissions to "hide from non-friends".


May 24, 2013 10:07 AM

Sorry: voting age limited to less than 18 (comments ate the tag)


May 24, 2013 10:05 AM

In other words American teens are more concerned by schools where they are randomly stopped and searched by armed security guards looking for hay fever medicine because of the school's zero-tolerance policy.
About having the 82nd airborne descend on them for making a joke about farting that included the words "blowing one off".
About 100% surveillance of them through CCTV, RFID, phone location and credit card use being shared between stores and the police without a warrant.

Than they are about some stranger seeing a picture of them on facebook?

Perhaps the voting age should be limited to


May 24, 2013 10:05 AM

The question of course, is whether privacy-by-obfuscation will prove effective in the long run. I think not.


May 24, 2013 9:07 AM

"IMPUNITY, n. Wealth."
(Ambrose Bierce, The Devil's Dictionary)

Non-iterative systems (or interrupted iterative systems) waive the cost of sanctions.

The good news is that only a tiny minority can access cheating others.

The bad news is that this tiny minority makes its living by cheating all others.

Solution: make not cheating more rewarding than cheating.


May 24, 2013 8:29 AM

Non-iterative v. iterative.
Who is making the choice: you or choice is made for you?
Example 1: you buy something and provide the company some information just to complete this particular transaction only. Your initial intention is non-iterative towards the company. As soon as the company is bound by your choice for future interactions (you specify that you do want future interaction - versus the default - you don't), that is okay; otherwise you are forced into the iterative model.
Example 2: a man and a woman (by consent - with a hooker or not) have one-time sexual contact. By default both sides consider that non-iterative, and keep their autonomy for the future, i.e. non-iterative. Neither is forced into the iterative model if and only if that is their mutual choice, not society's (police involvement with a sting operation or shaming by society).

Example 3: a person is in jail, the army, a mental institution. No choice for the person in selecting the model. It is by default iterative.

Conclusion: more freedom/autonomy assumes more space to select the non-iterative model by both sides of the interaction (no extremes: - on the positive side) without being forced into the iterative one.


May 24, 2013 8:21 AM

this is true in sports as well. If you're 7 feet tall, you just need to be good enough to get drafted and then maybe for a few years in the pros, to get 1 big contract. Then you don't need to care anymore, and can retire at 30 with $20MM+ in the bank.


May 24, 2013 8:18 AM

I am reminded of the universal tendency here in the United Kingdom for people to never even as much as glance at the signature on a debit or credit card any more, due to the pervasive assumption that if someone has the PIN to a Chip and PIN card, they must be the owner of the card, even if the actual owner is blonde, petite and female and the person presenting the card is male, 20 stone and bald.


May 24, 2013 7:43 AM

Oooh, very deep stuff.

This concept can help analyze foreign based attacks and local.

It can analyze reader poster behavior.

For instance, posters here are effectively encouraged to give anonymous names. Some probably change their nicks frequently. Some clearly keep the same nick.

I find when I post on forums which interest me, if the consensus is against my opinion, I may choose to post and run, and so whatever "shaming" or flaming which may go on will give me little to no impact.

I think we all probably do this.

At other times, we may decide people are not that far gone, and we may want to stand our ground through all questions, flames, shames coming at us until we are left standing -- despite how painful that can be.

This is all related to the *real* opinions we have, which we give to our family or close friends. Versus the ??? opinion we give in public.

Criminality wise - illegal surveillance wise - this can tie in. As that is one crime which is popular on this blog and in tech news lately....

... in consideration, I believe, though, cops, in general want to keep themselves segregated from society. Not unlike supervisors. Because they have to do things and say things people will not like.

That distance affords them the ability to do this. Otherwise, the emotional pain of being too close can creep in.

...

This concept can also speak of societal blinders we put on. Such as "why did they not notice that priest was a pedophile", or "why did they not notice Ames or Hanssen or Philby". Because they were one of "you". (Or, why, for that matter, have so many policing agencies been so opposed to the point of outrageous criminality when one of their own commits the crime -- why did they not have, or do not have, internal affairs...? Was it necessary for Serpico to be outside of the group and so ostracized already for his long hair and such... to become the man of change in American police corruption? etc?)

We look at external groups very differently than internal groups.

I think this relates to that concept.

And from there, goes into our often very serious psychological blinders when it comes to processing truth, in general.

The keyword I usually use is "investment". Iterative or non-iterative: if non-iterative, there is no investment.

Usually, serial killers are non-iterative. They originally called these "stranger killers".


May 24, 2013 3:57 AM

I am a taser owner, I actually own two with multiple cartridges on hand. I know how and when to use it. To clear up some things: you do have to register the product to you, including state ID, for it to be shipped, then the case with gun and cartridges are serialized and shipped to you from Taser, and the AFID that is sprayed out is tied to those serial numbers on the cartridges and thus connected to you. In many states you are required to not only take a class but get shot with one as training in order to carry. The tags are small and spray out all over when shot, so many that you really can't shoot in the open and collect them; to fire it is to spray the tags. The cartridges are packed with them in a manner that you cannot disable the tags without disabling the taser, the exception being using the taser in drive mode. Drive mode is where you use the front of the cartridge's metal prongs that feed power to the live wires; a plus is that you can taser someone then use drive mode on another person while the first is still hooked, and it hurts like a mother either way.

The tags are meant for a situation like this: person A buys a taser, as such it's registered to them as above, then they try to use it to taser and then mug. Well, you would leave behind an ID and cops can find you. Now of course there's the possibility of stealing one, but if reported then they can trace several attacks to one person. Now for those thinking "well, lie on the registration", well it's kinda hard: even all prepaid cards require real info per federal law, and the card is not the only ID method, there is info on the registration and plus your IP on the website.

On the issue of tagging bullets you all have missed a great idea, DON'T TAG THE BRASS! Tag the bullet itself. We all know that we can laser micro-print a diamond with a serial number; it could be just as easy to do it on the jacket of the bullet at multiple areas without impacting the bullet, and it can be done at the manufacturer level, then serialize the box and on checkout, when the ID is given for age, the ID number can be tied to the person buying the box, thus allowing an easy trace to get a start on the issue. And guns are easy to ship, the bullets not so much, as K9 units can smell the gunpowder more than the metal and you cannot easily cover up the smell as you can use grease on the gun but not bullets. Also, with the tag method mentioned, the bullet itself is mostly one time as it changes shape when fired, meaning you can go to the local range and police the bullets; you can police the brass but you can do that at a crime scene, it's harder to collect the bullet.

Please note that while I expressed methods of tagging firearms beyond serializing the gun or brass, it does not mean I am suggesting it should or should not be done, just a smarter, easier method of it being done. Enjoy.


May 24, 2013 3:26 AM

To paraphrase : if I agree the activists are protesters; if I disagree they are criminals. The half a dozen who escape that summary are obvious.

"A friend who spent years as an activist in the 80s and 90s used to talk about the days [...]". The activists of the 80s and 90s, and 60s and 70s, made a few disastrous mistakes: they sometimes succeeded. Whereupon whatever they did was criminalized, and wherever they did it was fenced off. DDoS is rarely a successful tactic, but it is one of the few protests possible.

Wikileaks is a successful tactic. Look at the response.


May 23, 2013 8:47 PM

@ Jackson

Far and away the biggest undertaking by MS was to increase the usability of computing, to truly reach everyone

In which universe was that? Back in the day, MacOS was infinitely more intuitive and user friendly than DOS/Windows, and from a technological point of view IBM's OS/2 was superior in every aspect. The only reason Windows became the predominant desktop system was the sheer brilliance of Bill Gates' marketing strategy, courting software developers, brokering deals with nearly every PC hardware vendor to preload DOS/Windows and making it so easy for even ordinary users to pirate both the OS and most software available for it.

By the time Linux had developed a GUI that was more or less usable for the average layman, M/S had cornered the entire market. The bug-ridden OS/2 with its ridiculous dancing nuns campaign was taken to the consumer market way too early with way too few applications available for it, and Apple nearly killed itself by proprietary vendor lock-in and failing to understand the wants and needs of an entire new generation of computer users. If it weren't for the return of Steve Jobs, they would have gone belly up.

@ Clive

I've no relationship with Oracle or the old Sun teams these days so cannot say, nor can I confirm or deny the comments of others ...

As a former Sun Microsystems engineer, I was a priviliged witness of its demise. The company was particularly hard struck by the burst of the internet bubble in 2000, and from then on gradually evolved from an engineering to beancounter driven organisation with a Mexican army of middle management alienating the brass from the people on the shopfloor, and shifting its strategy from innovation and long-term vision to quarterly profits. Instead of focussing on its hardware, Solaris and Java flagships, Sun embarked on a mission to try and corner new markets but its lack of a coherent vision got it defeated on pretty much every front. The acquisitions and integration into the company of Cobalt and the iPlanet software stack to name just a few cost a lot of money but were abysmal failures. The appointment of Jonathan Schwartz as new CEO didn't work out either. Despite being a great speaker, he totally failed at turning things around and effectively drove the company into the ground.

By the time Oracle bought what was left of Sun, many engineering and support teams had been laid off. The departure of James Gosling was a severe blow to Java, not to mention many other former Java crew members defecting to Google et al. Those who stayed on found themselves in an entirely different, micro-managed company where they had nothing left to say over what they were working on. It's hardly a surprise that this does not make for a motivating environment, leading to even more defections and leaving Oracle with a product its creator and many - if not most - of its original developers have abandoned in search of greener pastures. Anyone who has ever been involved in development knows this makes for quite a peculiar situation, especially when the product is ubiquitous and a full rewrite from the ground up is virtually impossible for compatibility reasons. And that is pretty much the conundrum Oracle is facing today.


May 23, 2013 7:22 PM

Francois writes, "So maybe privacy is not a thing of the past, after all. Maybe the nature of privacy is just changing. Instead of being defined by the possibility of being observed, it will be more defined by the actions - and focus - of the observers."

I agree. What needs to be understood is that this truth is not a genetically neutral event. For example, one of the primary ways that physical security could be maintained in the past was distance/space. This was one of the great drivers of human migration. If one part of a community did not get along with another part they simply packed up and left for unoccupied lands. This action is no longer possible in practice. No one can drop out or run away because no matter where you go another community is already there. The result is that the touchstone of privacy is no longer isolation but distraction. But some people are better at isolation than distraction. Their genes will tend to be disfavored.


May 23, 2013 7:05 PM

IMO that is a poor way to conceptualize the issues because the frames of reference are inherently arbitrary. Every individual's decision making structure in practice is the result of an infinite amount of prisoner's dilemmas (both iterated and non-iterated) all happening at once. Take the CEO example. Even if we can imagine that the CEO might claw his way to the top and not care about the company when he leaves, he still has to confront the fact he is playing an iterated game among his family, friends, and other business associates. In fact, the example as she outlines it is self-contradictory because it imagines a person who plays an iterated game to get to the top but then willingly abandons that game and plays a non-iterated game once at the top. But that contradicts everything we know about the way that human beings are conditioned and form psychological associations.

All she is really doing is switching frames of references to suit her a priori conclusions. It is neither effective nor persuasive.


May 23, 2013 7:02 PM

I think that's a very interesting way to look at social interaction, and it makes a certain amount of sense.

I also wonder about the impact of how people think OTHER people are playing the game. The CEO in the example might have a different approach than the long-term worker, but what's the impact of the fact that the worker can SEE the difference in their required approaches? Does the worker resent the fact that he's somewhat required to treat social interaction as an iterative process while the CEO can make a single optimal decision for himself and then leave the game? Even if the CEO doesn't do that, the knowledge that he could have an impact on the worker.


May 23, 2013 6:28 PM

It's interesting how one can be "shamed" into doing the right thing.

Ironically, it seems like the larger the group you participate in - and the more people you therefore interact with - the more anonymous you become, surveillance or no. The impact of each interaction is reduced as it is spread out among a greater number of people. As long as the spotlight isn't turned on you, anonymity can be presumed further and further.

After all, increasing a number of security cameras doesn't increase actual surveillance - only the observer can do that. But, increasing the number of cameras can contribute to a false sense of security, thus reducing the incentive to actually pay attention. We see this in security all the time.

So maybe privacy is not a thing of the past, after all. Maybe the nature of privacy is just changing. Instead of being defined by the possibility of being observed, it will be more defined by the actions - and focus - of the observers.

The easiest place to hide a book, after all, is in a library.


May 23, 2013 6:25 PM

Whoops, I just read the first few pages of the profile. It seems that neither Facebook nor the Police redacted any of the information. The Phoenix, arguably the best newspaper in Boston, did the redacting themselves. Good for them, shame on Facebook and the Police. Someone could probably make a lot of money if they could set up a social networking site in Tuvalu or some remote location that offered true privacy to users. I'm not holding my breath.


May 23, 2013 6:21 PM

I noticed that many entries in the Facebook response posted were redacted. I am very curious if the redactions were done by Facebook, by the police or by whoever published the article.

I would feel slightly better if Facebook had done the redacting, but I've always been an optimist.


May 23, 2013 6:09 PM

It's important to consider when players perceive that the game is going to end. This can equate to short term vs long term strategies in the broader sense; which in turn can be mapped to Ethical Maturity imo.


May 23, 2013 4:54 PM

IIRC they were found to be safer (fewer incidents and less bodily harm) but on average, drivers compensated for those safety increases by driving more dangerously, so the net gain was close to zero.

The studies call this effect "risk homeostasis".


May 23, 2013 4:54 PM

I've thought about a similar idea, which came up in the context of the Scripps-telcoms fiasco (still unfolding).

You set up your firewall to look at requests and if a googlebot successfully accesses your restricted files, it sends up a flare and cuts off all access. Sure you could just use the robots file to fend off search engines but that doesn't discourage an attacker who might spider your site ignoring the robots file.

Of course you could just do a real security audit.
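The "flare" described in the comment above is a canary rule over the web server's access log: a search-engine crawler is never supposed to get a successful response for a restricted path, so when it does, something in the perimeter is misconfigured. The following is an added example of that detection logic (written for this page, not the commenter's own code). It assumes a combined-format access log, that everything under `/private/` is restricted, and that `Googlebot`/`bingbot` in the User-Agent identifies a crawler; the log lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2013:16:54:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [23/May/2013:16:54:02 +0000] "GET /private/report.pdf HTTP/1.1" 403 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [23/May/2013:16:54:03 +0000] "GET /private/payroll.csv HTTP/1.1" 200 88120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [23/May/2013:16:55:10 +0000] "GET /private/payroll.csv HTTP/1.1" 200 88120 "-" "curl/7.29.0"
"""

# One regex for the combined log format: ip, identd, user, [timestamp], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

RESTRICTED_PREFIXES = ("/private/",)        # assumption: what this site treats as restricted
CRAWLER_MARKERS = ("Googlebot", "bingbot")  # assumption: UA substrings treated as search-engine crawlers


@dataclass
class Alert:
    ip: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_restricted(path):
    return any(path.startswith(p) for p in RESTRICTED_PREFIXES)


def is_crawler(ua):
    return any(marker in ua for marker in CRAWLER_MARKERS)


def scan_log(text):
    """One Alert per *successful* (2xx) crawler request for a restricted path.
    A 403 for the same path is the perimeter working and is deliberately ignored."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if 200 <= rec["status"] < 300 and is_restricted(rec["path"]) and is_crawler(rec["ua"]):
            alerts.append(Alert(rec["ip"], rec["path"], rec["status"], rec["ua"]))
    return alerts


def ips_to_block(alerts):
    """Distinct source addresses the 'flare' would hand to the firewall."""
    return sorted({a.ip for a in alerts})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"ALERT: {a.ip} fetched restricted {a.path} with UA {a.ua!r}")
    print("block:", ips_to_block(found))
```

Run against the constructed log, only the third line fires: the crawler's 403 on `/private/report.pdf` means the perimeter held, and the `curl` request on the last line is exactly the case the commenter warns about, a non-crawler that ignores `robots.txt` and never announces itself, which this rule cannot see. The User-Agent is also self-declared, so a hit tells you the file is exposed, not who found it; that is why the comment's closing line, a real audit of what is reachable, is the fix rather than the alert.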


May 23, 2013 4:47 PM

Years ago, you may recall, I wrote a comment on bad security in the Harry Potter universe.
In the sixth book, the school is essentially locked down. Anything and anyone going in to the school is checked to make sure it's safe. At one point, Ron Weasley drinks some mead that turns out to be poisoned, and only Harry's quick thinking saves his life.
The mead was trusted because it had made it in through the perimeter. However, it turned out the person who had brought it in had brought it through a loophole in the security.

Similarly, the anti-counterfeiting features of Canadian notes are supposed to establish an impenetrable perimeter through which no bogus notes are supposed to be able to pass. So, when one does, because of a hole in the perimeter or some other security failure, no one will bother to submit it to any further checks.


May 23, 2013 3:31 PM

"As soon as the mechanisms for establishing a police state are in place (or the police state is already partially established, like it looks more and more in the US, and parts of Europe are not far behind), it just takes one bad political decision by the population and a dictatorship with widespread oppression of any opposition is easily established. And history shows that law-enforcement will fall readily in line with minimal resistance when that happens."

Wow. Really? I refer you to Schneier on the topic of risk assessment.

Sure, there's a risk of police statism. The risk of police statism (or tyranny if you will) needs to be balanced at all times against the risk of powerful outlaw groups harming citizens. Your argument is very one sided: you refer to Hitler and Stalin. I refer you to recent situations in Somalia, Rwanda, the Caucasus.

How about this. "As soon as the mechanisms for discouraging criminal behavior are sufficiently weakened, it takes very little time and criminal organizations capable of openly destroying their opposition will be established. And history shows that law-enforcement would just rather not deal with powerful, established criminal organizations."

While I will agree that a police state is a very high-consequence risk, criminal lawlessness has the higher likelihood. Risk assessment needs to be a bit more balanced than what I see here.


May 23, 2013 2:53 PM

When you are in an electronic recording-and-saving-all-forever world, lack of privacy will force the iterated model on you regardless of your intention, even many years after your posting: HR or lawyers may hunt you with unpredictable (and even unreasonable) conclusions. The idea is that the iterated model should be applied symmetrically to all parties involved; then transparency of one side (business, government, group, etc.) could be balanced by openness of the other (person).


May 23, 2013 12:35 PM

If encouraging the iterative game viewpoint is better for behavior and society, then what's so great about fighting to maintain degrees of privacy online which have historically never existed in person?

Is a virtually untraceable identity a normal aspect of our physical culture, or is it for special cases like voting? If someone was running around under the cover of dark and doing even simple legal errands in a ski mask in the summer, they'd be denied service in a lot of cases and probably would be investigated on a regular basis--because in person, we all have the same expectation that we come to the table with our identities exposed. But online, some people don't want to play by those same rules. I'm not talking about personal privacy like the right to control a book buying list at Amazon (the same as you may with cash) but the right to go out and do things to other people.

And I think a lot of the desire for anonymity online comes from a sort of arms race--people are operating on the knowledge that online communication is NOT an even playing field, which is unfair--an anonymous mob can hate a thing someone says, and then they will proceed to commit all sorts of fraud and mischief against their name, and they end up looking like a sucker for trying to act like a normal citizen in disclosing their identity.



May 23, 2013 11:20 AM

I think the premise here is mistaken. Depending on the action and just how civilly disobedient it is, prosecutors are perfectly willing to label protestors as dangerous criminals (see e.g. http://www.huffingtonpost.com/2013/05/20/... where the protestors face decades in prison for cutting through fences at Oak Ridge and spraypainting a building).

A friend who spent years as an activist in the 80s and 90s used to talk about the days of negotiations that went on with police and prosecutors before major protests, detailing exactly what acts people would be arrested for, where they would be arrested and so forth. That kind of negotiation apparently no longer takes place either in the physical world or in cyberspace.


May 23, 2013 11:11 AM

@ Bruce Schneier

Many of these points were made in a TV episode in 2002. Secret, Strange and True Season 1, Episode 6 "Hackers: Knowledge is Power." It was about hackers in general, but the last segment was the relevant part.

They interviewed political activists in Mexico. They had teamed up with a hacker to make a Java applet that DDOS'd a site via refreshes. The "hacktivist" leader called it a "form of electronic civil disobedience" where they could do a "sit in" and "the weight of a community could be felt." It was inherently democratic, he said, because it was only effective when large numbers of people were participating. (They cited a failed attempt by a guy to get geeks to DDOS Starbucks, noting that "coffee was the hacker drink of choice." haha)

He supported his view with the eToys vs eToy case. eToy was a netart group, eToys a big company. According to the show, eToys saw great value in the eToy domain (people leaving off the 's' accidentally) and used the legal system to force them out of the domain.

Hacktivists, including the Mexican guy & his hacker friend, staged an "electronic sit-in" using the technology. They warned eToys they'd bring their stock to zero during an important business period. They went through with their plan, causing eToys plenty of damage. eToys relented, gave eToy back their domain name, and "promised not to bother another netart group again."

A fine case study in electronic civil disobedience, using all the same jargon, long before Sauter's paper was written. Although, good to see someone continuing research in this area.

"For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. " (Bruce)

I've just described it. You can watch the episode I mentioned if you want to see it and a few other aspects in action visually. Had some nice interviews with people, too. Probably cheap on eBay by now.


May 23, 2013 11:07 AM

The CEO example is particularly apposite, because in a winner-take-all society it's the very choice to defect that makes the dilemma non-iterated. If you decide to take a reasonable salary, you have to stay in the job and deal with all those people some more; it's only if you trouser as much as possible that you get to opt out.

This takes Akerlof & Romer's 1993 "Looting" paper one step further, because in the current system the act of acquiring huge piles of wealth essentially makes you immune to clawback.


May 23, 2013 10:41 AM

Interesting concept and sort of formalizes phenomena that I've experienced.

For example, consider the favorite topic of car driving behavior... Turn signals. Not everyone uses them. In fact, in California, I would suggest that only about 35% of the people have internalized the habit enough to make using them second nature. It takes more psychic energy to *not* use turn signals than it does for those folks, even in, ridiculously enough, a parking garage with no one else there.

Those of us who use signals have probably had enough feedback from our driving mentors or partners that we feel as if we are in an iterative game. Those that do not probably see the mass of humanity that they share the road with as presenting a one-shot game.


May 23, 2013 10:06 AM

"Anyone can sell you rat-on-a-stick. Dibbler can manage to sell you TWICE." -- paraphrased from Terry Pratchett.


May 23, 2013 9:53 AM

You guys lamenting how hard it will be to "store everything" are missing the point. How much data would it take to store GPS location information for each person in the U.S., every 5 or 15 minutes? Certainly less than 1TB per day even if uncompressed.

Plus the useful parts of the headers on every e-mail you send and receive.

Plus notes about any snail-mail processed from or to your address.

Plus the pen register of who you phoned/received phone calls from.

Plus the list of URLs you visit and terms you type into a search engine.

Etc.

They can store the bare minimum about everybody, and only collect more voluminous information about the <1% who scare them the most (i.e. people who have already been identified as having something to do with someone who has been identified as bad). You'll never know if you're on one of the 'bad people' lists or not at any given time, and which types of extra info they are collecting/storing about you. Anyone sufficiently paranoid would assume they have been doing most of this for at least 10 years now; the Utah data center is just evidence of them working to do it bigger and better.

Even if it bothers me to have government agencies collecting and storing this amount of info about everyone, Bruce is right--there's no way to put that genie back in the bottle. Commercial entities already have incentive to collect far more info than the government, and to aggressively combine and aggregate it so they can build better profiles for advertising or marketing products to the population. If the info exists, people in power will find ways to get their hands on it, either to use it for good or for their own selfish ends. There's basically nothing we can do anymore to stop this avalanche. At best, we can try to be hyper-aware of everything we do and avoid leaving 'dangerous' trails behind us. Twenty years from now, I think self-censorship will be the key to living your life undisturbed by the powers that be. It's already quite dangerous to voice certain opinions; this trend will only get worse.


May 23, 2013 9:45 AM

... would anyone have a simple-to-use multi-period multi-play prisoner's dilemma strategy tweaking app so we could demonstrate this (and/or in line with L&O) ...?
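The comment above asks for a small tool to tweak iterated prisoner's dilemma strategies. What follows is an added example, not code from the thread or from the post it discusses: a minimal simulator in which strategies can be told how many rounds remain, so you can see the point several commenters make about when players *perceive* the game will end. The payoff values (3/5/1/0) are the usual textbook choice and are an assumption here, as are the strategy names.

```python
import random

# Standard prisoner's dilemma payoffs for (my move, their move): T=5 > R=3 > P=1 > S=0.
PAYOFF = {
    ("C", "C"): (3, 3),
    ("C", "D"): (0, 5),
    ("D", "C"): (5, 0),
    ("D", "D"): (1, 1),
}


def always_defect(my_hist, their_hist, rounds_left):
    """The one-shot mindset: treat every encounter as if there is no tomorrow."""
    return "D"


def tit_for_tat(my_hist, their_hist, rounds_left):
    """Cooperate first, then mirror the other player's previous move."""
    return "C" if not their_hist else their_hist[-1]


def endgame_defector(my_hist, their_hist, rounds_left):
    """Tit-for-tat that defects as soon as it knows the final round has arrived.
    rounds_left is None when the horizon is hidden, in which case it never defects first."""
    if rounds_left is not None and rounds_left <= 1:
        return "D"
    return tit_for_tat(my_hist, their_hist, rounds_left)


def play(strat_a, strat_b, rounds, horizon_known=True):
    """Play a fixed number of rounds. With horizon_known=False the strategies are
    not told how many rounds remain, which is the 'iterated game' each commenter
    has in mind; with horizon_known=True the last round becomes a one-shot game."""
    hist_a, hist_b = [], []
    score_a = score_b = 0
    for r in range(rounds):
        left = rounds - r if horizon_known else None
        a = strat_a(hist_a, hist_b, left)
        b = strat_b(hist_b, hist_a, left)
        pa, pb = PAYOFF[(a, b)]
        score_a += pa
        score_b += pb
        hist_a.append(a)
        hist_b.append(b)
    return score_a, score_b, hist_a, hist_b


def play_random_horizon(strat_a, strat_b, continue_prob, seed=0):
    """Unknown horizon: after every round the game continues with probability
    continue_prob, so no player can identify the last round in advance."""
    rng = random.Random(seed)
    rounds = 1
    while rng.random() < continue_prob:
        rounds += 1
    return play(strat_a, strat_b, rounds, horizon_known=False)


def summary(rounds=10):
    """Scores for the matchups discussed in the thread; returned so they can be checked."""
    return {
        "tft_vs_tft": play(tit_for_tat, tit_for_tat, rounds)[:2],
        "defector_vs_tft_known_end": play(endgame_defector, tit_for_tat, rounds)[:2],
        "defector_vs_tft_hidden_end": play(endgame_defector, tit_for_tat, rounds, horizon_known=False)[:2],
        "always_defect_vs_tft": play(always_defect, tit_for_tat, rounds)[:2],
        "one_shot_defector_vs_tft": play(endgame_defector, tit_for_tat, 1)[:2],
    }


if __name__ == "__main__":
    for name, scores in summary().items():
        print(f"{name:32s} {scores}")
    print("random horizon (p=0.9):", play_random_horizon(endgame_defector, tit_for_tat, 0.9)[:2])
```

The interesting row is `endgame_defector` against tit-for-tat: when the horizon is visible it cooperates for nine rounds and defects on the tenth, which is the CEO-leaving-the-company move, and it is only profitable because the other side has no further round in which to retaliate. Hide the horizon, or make it random, and the same strategy never finds a "last" round and plays honestly throughout. Against `always_defect`, tit-for-tat loses the first round and then never again, which is the short-term-versus-long-term split the thread keeps returning to. Extending `endgame_defector` to defect two rounds early, then three, shows the backward-induction unravelling that a known end-date invites.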


May 23, 2013 9:29 AM

The anti-MS comments are really crooked. A lot of younger people repeat this stuff because they think it makes them sound knowledgeable.

Far and away the biggest undertaking by MS was to increase the usability of computing, to truly reach everyone. How many times have people compared the Linux Kernel to a Windows machine running all these applications? Oh see how solid the Linux machine is. Isn't it weird how people still bring up MS mistakes decades later and with crystal clear hindsight? The fact is, this has nothing to do with MS. It's about THEM.

If it was up to these guys there wouldn't be a PC and you'd have to go to the university to use a command line.


May 23, 2013 9:14 AM

@Clive : You've about put the issue to bed.

The only thing I'd add, not to give the punch line away, but...

Java can be found in a whole host of embedded systems (ever checked your 3G/4G firmware?)

How about your embedded controllers' management features? From a web interface, right? Under these systems are JVMs and applets along with the commensurate presentation coding. I know, this is probably more drama than should be written for one play, I leave the play writing to the likes of Shakespeare. What is implied is that for any number of the X billion devices java is installed on--there is probably a JVM injection strategy to access, or deny access, to these billions of pieces of SH -- Internet of Things.


May 23, 2013 9:00 AM

Someone mentioned generating noise, someone says that it is not always useful to hide real events in noise, so I would use more techniques, like exchange of data (e.g. TOR, onion routing etc.) with others, randomly, all over the world... and hopefully this will not lead to fake arrests when some bad data is travelling through my system.


May 23, 2013 7:58 AM

@ Winter, GRK,

Microsoft are one of many offenders and I've no particular wish to single any one of them out when it comes to security.

Microsoft however, with their relentless drive to make the world Microsoft by various actual and faux first-to-market techniques and later other less salubrious techniques, did make themselves target number one with attackers simply because of their dominance at the time. We now see similar with Adobe and Oracle products, because they are on virtually every user system and quite a few servers, and as the code base is generally platform agnostic until the build phase the same or very similar faults appear on all platforms.

I noted a long time ago on this blog, certainly well before Google Chrome was even hinted at, that the attackers' game was moving from the OS layer to the App layer simply because many apps had become the equivalent of OSs in their own right to get the performance but without the hard-won security that was going into OSs at the time. The app type I'd seen this start happening on back then was web browsers and I discussed it back in 95 at a University Masters course. At the time web browsers were in effect becoming the new "work environment" as developing for the desktop was considerably harder due to the issues with MS MFC amongst others. The easy attack vector being exploited at the time was the lack of state in web browsers, an issue that still haunts us today in many ways with what are in effect "session tickets" built around cookies etc.

One reason MS got badly hit was their building IE into the desktop in the way they did and because of it they are still paying the penalty.

However MS had another issue where security problems were rife and still are today and in some ways are currently the major cause of our current attack vectors. The issue is the support of legacy code across many updates in the OS, apps, protocols and standards.

For instance I know for a fact there are still people out there using Self Signed PK Certs which were made on systems that had a broken random number generator (none of which was to do with MS code but is still used with their code). The people that generated the Certs have long since left the organisations for "bigger and better" and those who have replaced them have no idea of the origin of the certs but fear changing them for many customer facing reasons.

As for the various security methodologies for production code cutters on commodity platforms, none of them are sufficient, they are slow to bring into place and require all code cutters in the organisation to do so, and all the legacy code still in use to get re-milled. As Microsoft have admitted their system is most definitely not for everyone and their productivity took a massive hit during the initial phases.

It is rumoured that Oracle are fed up to the back teeth with Java due to the bad publicity, but for some reason are unable or unwilling to get a grip on the problem and resolve it. I've no relationship with Oracle or the old Sun teams these days so cannot say, nor can I confirm or deny the comments of others that have or claim to have a relationship with them. What I can say is that if the rumours are true it's not that surprising the problem has been seen over and over again when one organisation takes over another organisation. As somebody once observed "We knew there would be teething problems but we didn't realise we had to do puberty and stroppy teenager issues as well!".

Security is hard, even for those with many years' experience; they are a rare resource and have a golden value. Most management would rather buy in than train, not realising that all code cutters have to be security aware, so buying in is not working for them the way they thought it would, and the number of developers with the required skills still remains well below that required. Consequently code is still...

Further, few realise that most of the code independent protocols were ad hoc and were not designed with current security requirements in mind. But they still expect revision 0.5 to still work with 3+.

Believe it or not many standards are just the same; take C with its fairly infamous security issues from K+R days. Well many got slurped into ANSI C and subsequently they are still there in many C++ compilers as well.

It's a mess that is going to take one to two programmer generations to sort out, but legacy issues will still be with us due to embedded systems. As I've noted before, electricity and other service meters and implanted medical electronics can have expected life times well in excess of a third of a century. DES died the death in considerably less time but it still has to be supported due to embedded systems that cannot be upgraded. If the original standards had included upgradability as part of the approvals process then we would be in less of a hurt area than we currently are. Which is just one reason I say we need to raise the game by legislation that requires standards to be met, and the standards to be appropriately future proofed in some way.


May 23, 2013 6:40 AM

I'm getting tired of the fallacy that DDOS is not "real activism" because the activists don't risk anything. Besides this statement being factually wrong (there are people being prosecuted for this), it completely misses the point. A cause does not become more justified because it has martyrs. It has to stand for itself, no matter how much sacrifice people make for it. There's nothing inherently noble about sacrifice; it just means that your tactics suck.
For the same reason, it doesn't matter whether people show their face, or whether the people protesting are loud youths, old grandmas or top managers in their 40s.


May 23, 2013 6:39 AM

Isn't a consequence of civil disobedience the possibility of being judged? If not, what's the point?


May 23, 2013 6:36 AM

@grk
"But worms focused on Windows because it was installed on 98% of end user computers."

Some design "decisions" were damaging beyond mere market share.

The initial surge of cyber malware was mostly carried by viruses that could install and propagate from infected emails. These infected machines were the basis of the bot-nets of the last decade. The same with "infected" web pages.

I have not seen many (or even any) such viruses in any other OS than Windows. Even now, with MacOS X having a sizable market share, I do not see viruses propagating by email.

Another horrible decision of MS was to run internal OS services over external IP ports. That way, a Windows machine could be infected over a network even before its installation was completed. I know of no other OS that does that.


May 23, 2013 6:24 AM

@winter
Microsoft is responsible for its poor software design in the 95-2005 period. But worms focused on Windows because it was installed on 98% of end user computers.
Apple computers are recently in focus for the same reason, market share.
It might be the case for GNU/Linux at some time, and I really hope that the SDLC mindset will reach major Linux app developers, because it is not the case, and no company can incentivize OSS developers to achieve so.

To come back to the initial topic, greed for power (in all its forms) will always battle with greed for freedom. Both extremes are utopias.


May 23, 2013 5:11 AM

@Clive Robinson
"Neither the "hardening" or "re-architecting" would be required if the likes of major commodity software companies had actually done their jobs properly rather than rush half baked overly featured software out the door on unsuspecting customers."

I have often wondered about what the current state of cyber-security would have been if Microsoft had kept Windows at a minimum level of security on par with what Apple and BSD/Linux had at the time?

For instance, self propagating computer viruses seem still to be limited to Windows. And much of the rise of cyber crime can be attributed to such computer viruses.


May 23, 2013 4:13 AM

Further to yesterday afternoon's (terrorist) attack in East London there are various messages or themes coming through from politicians and (supposed) experts interviewed by the BBC journos.

The general comment is "lone wolf" "clean skins" "radicalised by the Internet".

Whilst the first two points mean this couple of animals were not on any security services' radars, the third point is extremely worrying.

It will not take long for the discussion to swing around to "greater Internet control", either with the equivalent of a "great firewall" or "deep packet inspection" being suggested and in all probability taken up by the politicos. Either would be unfortunate and, as we are probably aware, fairly useless as preventative measures.


May 23, 2013 12:49 AM

@pfogg

Opportunity cost. Most network resources are otherwise unutilized.

And no, the act is not a misdemeanor because a computer was used. When you have cases like what happened with Aaron Swartz for something that caused less damage than DDOS where no one wanted to prosecute except for Carmen Ortiz's office.

And I agree on the last two points, although the matter of attribution is still a tricky one to solve before you can even get into things like intent.


May 22, 2013 11:18 PM

@Someone
Engaging in a DDoS means you are spending other people's resources (network, IT staff, computer uptime, etc.) on the target site, on all the bot machines you've taken over, and in any network bottlenecks in between. Very different than the XKCD comic about defacing a website.

If the total damage of the DDoS is very small, then the crime is arguably small, possibly just a misdemeanor. If all a prosecutor is likely to get is conviction on a misdemeanor charge, it probably won't be worth making an arrest, let alone bringing it to court.

The point is that the law should be written so punishment scales according to things like the amount of harm done (and 10000 small injuries can be construed to be 1 big one), how intentional the harm was, and whether it's a repeat offender and likely to commit the crime again.

The law as written, and as enforced by the courts and police, should NOT make something illegal in general and then turn around and make the act legal if it's done as part of 'political activism', or if done to someone who is sufficiently unpopular.


May 22, 2013 11:12 PM

Off Topic:

In further terrorism related news it appears the FBI shot and killed an unarmed man during an interview, and are claiming the man had just verbally confessed to killing three people involved with the providing of drugs and paraphernalia such as bongs.

The deceased was a Chechen who had had some contact in the past with the (alleged) Boston bombers through sporting activities.

http://m.washingtonpost.com/world/...

Apparently the FBI man was accompanied by other Law Enforcement Officers and they tell a markedly different story to the FBI.

The father of the (alleged) Boston bomber who was killed by the police claims that this FBI killing is yet another setup.


May 22, 2013 10:25 PM

As I have pointed out and Dirk Praet has nicely amplified, we need commonality in our definitions before meaningful argument can be made.

However this presupposes another less obvious consideration of commonality that is largely ignored by people, especially politicians, legislators and our legal brethren.

To understand this there is a question people should be considering with regards to Civil Disobedience, which is: what is the purpose of "protest" that underlies it, and how does it differ in the tangible physical and intangible information worlds?

The usual purpose of a "protest" is to make a viewpoint known to others; in the case of civil disobedience it is in a manner and place of the protestors' choosing that will provoke a response, either in the form of embarrassment for the entity being protested against or by action by the civil authorities, thus making a message significantly more visible via some medium. The intent is usually to keep the protest below the point where the various government military forces become involved simply because at that point it is no longer civil disobedience but civil war (a point that has so far not been commented upon).

At the lowest level of civil disobedience there is the putting up of posters and handing out of leaflets in public places usually adjacent to a place significant to the entity being protested against. Both postering and leafleting are in most jurisdictions transgressions against legislation, be it local bylaws or more general civil (tort) or criminal law. The usual ones being some form of fairly ancient legislation such as trespass or blocking of the highway or activities that might cause a breach of the peace; the actual legislation depends not just on the jurisdiction and type of legal process but also on the general type of society, be it permiso or non permiso.

In almost all such legislation is the implicit idea of a place or location at which the offence has taken place.

Whilst in the tangible world it is possible for people to see posters and be handed leaflets at a place of protest in a public area adjacent to the entity being protested against, the same is far from true in the intangible world, where there is in effect no sense of locality or public space for a protest. Further the tangible electrons that convey the information impressed upon them have neither eyes to see with nor ears to hear the message of the protestor, nor hands to carry the message to a human for consideration.

Thus in the intangible information world you have to either "trespass on the entity" or "block access to the entity" as a minimum, as there is no locality to have an adjacent public space in which to protest, peacefully or otherwise.

This means that unlike the tangible world, where it is possible to peacefully protest with minimal disruption, in the intangible information world to protest you have to as a minimum commit a series of criminal acts, which in some jurisdictions carry very, very significant penalties (fifty years in jail was the ante levied on Aaron by the federal prosecutor).

It is important when making comparisons to ensure that you have sufficient commonality for the comparisons to be valid. Often we make basic assumptions of parity based simply on our everyday perceptions of one case -- in the tangible physical world -- without actually testing or even attempting to test the validity of our perceptions in the comparison case -- in the intangible information world -- which is problematic at best.

Not doing so causes confused reasoning and often untenable argument based on assumption atop assumption atop an invalid perception.

Our human perception of the physical world is axiomatic on location, distance, forces and energy/matter as limiting action (work). As I've indicated before, information has no energy or matter component, and thus forces, distance and location have no meaning for, and thus no constraint on, information. The only time information gets constrained is when it is impressed onto a physical entity for either communication or storage.

Thus care must be taken to view the information on a case by case basis by the medium it is impressed onto. As many will appreciate, a photon travelling down an optical fiber conveying information at a sizable fraction of the speed of light is not directly perceivable by a human being, unlike the ink upon the paper of a poster or flyer. Nor for that matter is it that much more comparable to the compressive wave movement in air that results from the spoken word. Each medium has its own attributes, and a listing of the differences of attributes would be considerably more extensive than the commonalities; thus to try to transfer attributes from one medium to another will fail in many if not most cases. Therefore you likewise cannot expect legislation which is based on the attributes to transfer unless they have reliably comparable attributes as their sole axioms.


May 22, 2013 9:24 PM

Also, because it's come up here: despite what a certain book is telling us now, code is not speech.

Or to be more precise, the execution of code is not speech; it's action.

There are no words in the world I can utter to kill a person, except in specialized circumstances like the following:

If I attach the trigger of a pistol to a sound-activated device, and utter a word that causes the pistol to fire at the person at whom the pistol is aimed, the fact that I can be prosecuted for murder completely obviates the idea that what I have done is "speak." I've taken action. I've made something happen.

You are, yes, free to write any goddamned code you please--that's speech. You are not free to execute that code--that is action, not speech.

Executed code directly causes actions in the real world. "Robot move forward" would be illegal to execute if there was a person standing in front of the robot and I knew it. DDoS is not speech: it is directly acting to stop other actions in the world (namely, the provision of online services). Code, when executed, is not speech. Code, when executed, is action. It deserves none of the protections accorded to expression, and the recent attempts by some writers to conflate the two--chiefly by writing as if the creation/execution distinction did not exist--are extremely disturbing. They should know better.


May 22, 2013 9:07 PM

I am heartened to read the comments on this thread.

I find the pro-hacking, pro-DDoS scholars to be pushing the limits of credibility, and advancing an agenda whose purposes they themselves seem not to acknowledge.

On the one hand, they promote and defend the right to absolute anonymity of their favorite heroes.

On the other, they want government to actually carve out an exception for "activist" DDoS, and this determination of "activist" is often accompanied by their own insistence that one must "know" the actual perpetrators, do ethnographies of them, even, to know what they are up to. Then, when "bad" actors self-identify as part of these groups, these scholars disavow those actions as not being "authentic." But how would anyone know? The scholars themselves insist that nobody (but them) knows who's actually "in" the group.

The problem with focusing on DDoS as a form of activism is that it misidentifies a method with a commitment. Suppose someone had written a parallel thesis that focused on other actions that (as the author of this thesis admits) are typically understood as criminal: brick-throwing as activism; punching people as activism; stealing money as activism; and so on.

Yes, you could, in the right circumstances, find cases where each of these might be justified as activism.

But the means aren't the point. The point is to understand how we determine which commitments function as "activism" within any given political body. Martin Luther King's actions were clearly able to be understood as civil disobedience. So was the (original) tea party. So was Rosa Parks. So was Occupy Wall Street.

The problem with DDoS, especially from anonymous sources, is that nobody can be sure why it's being done or who is doing it, and it is amidst a sea of clearly violative acts. The scholars who defend it admit that authorities have no way of knowing who is actually behind the attacks; how in the world are they to determine which are "free speech" and which are not? Further, the actual DDoS attacks claimed to be "activist" are themselves often in very murky territory, unless one has already decided that the Lulz and Anonymous folks are inherently "good guys," which seems by no means clear to me.

DDoS can and has taken down vital services to which people need access. #OpIsrael hit several medical facilities, whose connection to the political cause anonymous advocated was tenuous at best. In the US anonymous has hit government and law enforcement sites, which again could actually be needed by citizens right at that moment. Even the Swartz protest took down parts of MIT's systems when students needed that access to study.

The whole thing is BS. Yes, if the Federal government actually swooped in and mass arrested everyone in New York City on false charges, you might have a case for DDoSing some websites. But unless there are direct, clear, understandable, public actions for which DDoS is an appropriate and reasonable last resort after other methods have failed, it's BS. And it's BS because what this thesis author is actually doing is celebrating the raw power these groups enjoy getting their hands on, replicating the very thing they claim to hate--raw, unregulated, antidemocratic power in the hands of the unaccountable.

We know what online protest looks like--it happens all the time. Bringing down websites is not protest, it's not civil disobedience, it's a raw exercise of power, something much closer to an act of violence, and the idea that it should be protected as "free speech" is one of the most ludicrous and offensive things I've ever heard (and can only be uttered by people who have not read deeply in the history of free speech).


May 22, 2013 8:42 PM

I feel that computer software is becoming more and more politics *and* economy. The way Google/Apple/Amazon/Steam works somewhat dictates our moral and economic decisions. I remember Larry Lessig kinda predicted this in his book "Code" and warned that we'd need a policy discussion about our future law of nature, but sadly I see it's still missing in the public discourse today.


May 22, 2013 8:15 PM

@pfogg

Clearly there is a disagreement here. The harm caused by a DDOS is proportionate to the value of the target site's uptime during the DDOS, not including extraneous factors such as someone hosting a critical service on the same IP as the front page of their website.

The vast majority of websites are unquestionably low value in this regard. Most websites, even those for high-profile entities, do not have an absolutely vital need for their front page to be available nor would they suffer a notable loss of business were their website to remain down for a relatively short period of time. See https://xkcd.com/932/


May 22, 2013 8:05 PM

Many commenters seem to have a particularly narrow view on the concept of civil disobedience, or civil resistance if you like. Clive correctly points out that there is no such thing as a precise definition, thus giving rise to all sorts of different interpretations.

Although examples of civil disobedience go back to the book of Exodus, modern interpretation most often is based on Henry Thoreau's 1849 essay "Resistance to Civil Government" and Gandhi's non-violent satyagraha. In this context, it is important to differentiate between the definition, and the means through which it is executed. The late Ronald Dworkin, a 20th century American philosopher and scholar of constitutional law held that there are three types of civil disobedience:

- "Integrity-based" civil disobedience, i.e. when a citizen disobeys a law she or he feels is immoral.
- "Justice-based" civil disobedience, i.e. when a citizen disobeys laws in order to lay claim to some right denied to her or him.
- "Policy-based" civil disobedience, i.e. when a person breaks the law in order to change a policy believed to be dangerously wrong.

Even when for argument's sake - and in honour of the Mahatma - excluding physical "ad hominem" violence, there is no compelling reason - either academic or practical - to restrict the definition with regards to the means used, the way in which they're used, side-effects thereof or the entity it is directed against. A benefit of such a broad definition is that it removes any political bias out of the equation.

This means that for me civil disobedience can be directed against governments as well as non-governmental entities (e.g. banks, corporations). Whether it is done in public or covertly does not matter. Whether or not it is treading on rights accorded by law to the entity it's aimed against is completely irrelevant, especially when that same law offers recourse only to the rich and powerful in a context where the political and legal systems are broken, or are perceived to be so.

Precluding any acts causing collateral damage is another interpretative constraint. Very often, it is exactly the collateral damage that is offering more leverage than the act itself. I can imagine the stockholders and traders of the British East India Company were not too happy with Gandhi's salt satyagraha. Or slave owners suffering financial losses over people refusing to rat out runaway slaves. Remember that in the end - and just like Apple et al setting up complex constructions to avoid taxes - neither were doing anything wrong under the then law. Under the same argumentation, most strikes could be outlawed.

In my opinion, several commenters are suffering from a specific form of hindsight bias with regards to civil disobedience, acknowledging as such only those instances that went down in history as morally justified under today's interpretation thereof.

There is however little doubt in my mind that a person like Mohandas Gandhi in the US today would by many be labeled a dangerous terrorist. Chances are fair that he would be keeping Bradley Manning company, be hounded into suicide by overzealous prosecutors or taken out by a drone if operating from abroad.


May 22, 2013 7:53 PM

Congrats!
Speaking of movies, can anyone recommend me a good social engineering movie for tonight?


May 22, 2013 6:28 PM

As usual, Sci-Fi has covered this issue already. Look for the "Larsen Localizers" in Vernor Vinge's A Fire Upon the Deep. Ubiquitous security invariably leads to the downfall of society.

Greg Bear also examines this briefly in Moving Mars. A couple of characters are shown to be "Vernoring", a reference to Vinge and occluding one's identity in public. Vinge's early work, True Names, is all about masking your on-line identity from the government.

As the old curse goes, interesting times indeed...


May 22, 2013 6:13 PM

@James et al.
The distinction of 'collateral damage' vs. damage to an intended target is not one the law should make in determination of the criminality of an act. Many 'real world' disruptive actions result in material harm to the intended target (e.g. blocking offices in a way that makes normal, legal business operations sufficiently difficult that the targeted business suffers an economic loss), and the law should not give a pass to them simply because the target is unpopular or the perpetrators believed what they were doing was justified. Collateral damage isn't the sole measure of doing harm, though it is an important additional consideration when assessing the severity of the crime.

Normally, considerations of motive (as well as youthful naivete) can be taken into account during sentencing, and similarity or analogy to previous court sentences are used as a basis for matching the sentence to the specific case.

There's also a substantial difference between 'civil disobedience' that is protesting a law itself, usually by breaking it (underground railroad, Gandhi's Salt March, etc.), and protesters that violate laws because doing so will garner more attention than legal methods would have. In the latter case, no one is saying that causing material harm is supposed to be okay in general, they just want to have a special license to cause harm because they've decided the harm is small compared to the importance of their cause.

@umum, Jenny Juno
The above seems to bear on your comments in some fashion, but I'm not sure if it expands on them or contradicts them.


May 22, 2013 3:46 PM

There is one obvious point to make about this, where the authors say,

    Defending the civil Internet in depth, and hardening it by re-architecting will allow its full social and economic value to be realized but will restrict the potential for espionage and surveillance by states.

Neither the "hardening" nor the "re-architecting" would be required if the likes of major commodity software companies had actually done their jobs properly rather than rushing half-baked, overly featured software out the door onto unsuspecting customers.

As I've noted a number of times before, the only thing unregulated "free markets" are going to produce is a "race for the bottom" where first quality, then reliability, then profits are sacrificed to be perceived as "the first to market".

Oddly perhaps, making sure that a minimum amount is regulated actually opens the market up to compete on aspects other than "first to market". This gives not only consumer choice but also a degree of stability that allows specialisation in certain aspects that then become mainstream.

An example of this is safety features in cars etc. When a certain minimum was required by regulation they had to be built in, not bolted on. This caused design innovation which produced other benefits and a market for safety features that had previously not existed.

The hard part for legislators is working out what the minimum amount of regulation is to encourage the desired behaviour without stifling innovation.


May 22, 2013 3:44 PM

Looks & sounds like impenetrable "cyber drivel" to me to justify an expensive consultancy project...


May 22, 2013 2:51 PM

I'm curious how the legal system differentiates between civil disobedience and "normal" criminal activity in normal space. I'm trying to think of some examples that I know of and can't think of any. I suspect these would have come about through case law and not statutes. In fact, currently a hot item in my state is a law allowing for INCREASED penalties for trespassing if your purpose is to obtain video of farm treatment of animals. So we'll probably have to wait for the courts to carve out exceptions for "civil disobedience".

Someone mentioned contradictory legal definitions of "civil disobedience". I'd like to see any of those definitions; again, they are probably from case law not statute, so if they are contradictory the highest court in the system with the most recent ruling is the current definition, but yeah, the legal system is "squishy".


May 22, 2013 1:39 PM

Our research team has worked in a similar vein that has been described as Know-fare. Essentially the concept of knowledge being leveraged in a cyber battlespace. What we wanted to understand is the concept of a militarized battlespace as an extension of thought. It is not pretty, the number of elements affected in society is hard to overstate. We are definitely headed in this direction.


May 22, 2013 1:26 PM

@HJohn:
On the example of vehicles, I vaguely recall hearing about studies of the effectiveness of anti-lock brakes after they were introduced.

IIRC they were found to be safer (fewer incidents and less bodily harm) but on average, drivers compensated for those safety increases by driving more dangerously, so the net gain was close to zero.

I don't have a handy source for this though; take it with a giant pinch of salt.


May 22, 2013 1:22 PM

Our small tech R&D company is being hobbled by these developments. We are in the process of making accommodated policies and procedures that are typically exercised by much larger companies. This is negatively impacting our competitive position and incurring an increased level of activity we had not planned on ten months ago. We are wondering if our small company will survive these developments.


May 22, 2013 1:08 PM

In comparison to the legality of real-world sit-ins, I think that allowing a pre-determined and individual use-proportional amount of traffic consumption to public and government websites could be considered a legal analog to real life protest, but the user should be ready to show that their computer is being used for nothing else during that time, and that they are using no other personal computers, or multitasking in any way, in order to symbolize a unified and democratic commitment to demonstrating a belief, rather than just being allowed to casually deploy a loitering app on a spare computer, without engaging the meaningful self-sacrifice historically associated with demonstrating.

In such cases where people can meet these requirements, I believe they should not be prosecuted for traffic consumption. For instance, if 150,000 people want to occupy cia.gov in this manner because they dislike some recent abuse, then the CIA should be forced to deal with these people as a democratic entity and should seek to make reparations as needed. Because the CIA is funded by taxes.

And prolonged traffic consumption to private websites should be treated as loitering, like in the real world. Excess consumption of either is pretty much straight-forward vandalism. On election day, you get 1 vote, not 1,000.

We can rationalize our actions all day long, and name-drop the Rothschilds or whatever conspiracy theory, but there is no legal, mature excuse for attacking the property of other citizens based on our own rationalizations, and there should always be consequences.

Of course this doesn't even address the conundrum of foreign DDOS protest of domestic organizations. I'm not even sure how I feel about a "fair" way to treat that sort of protest. Maybe this is the genius behind the great firewalls of China.


May 22, 2013 12:51 PM

The concept of civil disobedience, I believe, is probably not applicable in the circumstances Bruce describes.

What is more pertinent, I think, is the part of the Constitution's First Amendment that says "Congress shall make no law ... abridging the freedom of speech, or of the press; ..."

Attacking a web site actually restricts the freedom of electronic speech and electronic press of the organization so attacked. Those freedoms must not ever be one-sided, where I can speak but you can't -- or vice-versa. Yet one-sidedness is exactly what the attackers hope to accomplish.

If Congress does not treat such internet-based attacks as a crime, it in effect _has_ made a law that allows for the abridgment of freedom of speech and of the press, and has violated its Constitutional mandate.


May 22, 2013 12:03 PM

OFF Topic :

In London there has this afternoon (14:20 BST) been a very brutal attack in Woolwich, not far from the Army barracks and very close to a school.

Reportedly two men hacked a young male member of the Armed Forces repeatedly and brutally with a machete or equivalent before dragging and dumping him in the middle of a busy road. They then reportedly started waving the weapons in the air and told people to photograph them.

One of the weapons appeared to be a gun and reportedly police officers shot both men.

Unusually for a shooting incident the Home Secretary has called together COBRA, which is the UK national emergency committee.

Now this may be precautionary and it may be because it is potentially a terrorist attack (apparently people are saying the two attackers were chanting Arabic etc).

It will be interesting to see how this incident plays out over the next few days and compare / contrast what the UK authorities do with say US authorities over similar incidents.

You can read more on the BBC web site,

http://m.bbc.co.uk/news/uk-22630303


May 22, 2013 11:55 AM

>>Activists in the NYC area are very careful to follow the law.

Clearly this wasn't true of OWS.


Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
