This is a crazy overreaction:
A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials.
Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland.
I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? Or that a few ounces distributed amongst 38 million gallons is negligible.
I previously posted that I am writing a book on security and power. Here are some title suggestions:
- Permanent Record: The Hidden Battles to Capture Your Data and Control Your World
- Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World
- They Already Know: The Hidden Battles to Capture Your Data and Control Your World
- We Already Know: The Hidden Battles to Capture Your Data and Control Your World
- Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World
- All About You: The Hidden Battles to Capture Your Data and Control Your World
- Tracked: The Hidden Battles to Capture Your Data and Control Your World
- Tracking You: The Forces that Capture Your Data and Control Your World
- Data: The New Currency of Power
My absolute favorite is Data and Goliath, but there's a problem. Malcolm Gladwell recently published a book with the title of David and Goliath. Normally I wouldn't care, but I published my Liars and Outliers soon after Gladwell published Outliers. Both similarities are coincidences, but aping him twice feels like a bit much.
Anyway, comments on the above titles -- and suggestions for new ones -- are appreciated.
The book is still scheduled for February publication. I hope to have a first draft done by the end of June, and a final manuscript by the end of October. If anyone is willing to read and comment on a draft manuscript between those two months, please let me know in e-mail.
Here's my upcoming speaking schedule for April and May:
- Stanford Law School on April 15.
- Brown University in Providence, RI -- two times -- on April 24.
- The Global Summit for Leaders in Information Technology in Washington, DC, on May 7.
- The Institute of World Politics on May 8.
- The University of Zurich on May 21.
- IT Security Inside in Zurich on May 22.
- University of Oregon Eugene on May 28, and then Portland on May 29
Information about all my speaking engagements can be found here.
The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government.
A little too big for my house.
This is an update to my earlier post.
Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack.
Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
The reasoning is complicated, and I suggest people read the post. What I have heard from people who actually ran the attack against a various servers is that what you get is a huge variety of cruft, ranging from indecipherable binary to useless log messages to peoples' passwords. The variability is huge.
I have a lot to say about the human aspects of this: auditing of open-source code, how the responsible disclosure process worked in this case, the ease with which anyone could weaponize this with just a few lines of script, how we explain vulnerabilities to the public -- and the role that impressive logo played in the process -- and our certificate issuance and revocation process. This may be a massive computer vulnerability, but all of the interesting aspects of it are human.
EDITED TO ADD (4/12): We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it's possible, but it seems to be much harder than we originally thought.
And we have a story where two anonymous sources have claimed that the NSA has been exploiting Heartbleed for two years.
EDITED TO ADD (4/13): The US intelligence community has denied prior knowledge of Heatbleed. The statement is word-game free:
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
The statement also says:
Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Since when is "law enforcement need" included in that decision process? This national security exception to law and process is extending much too far into normal police work.
Another point. According to the original Bloomberg article:
Certainly a plausible statement. But if those millions didn't discover something obvious like Heartbleed, shouldn't we investigate them for incompetence?
Finally -- not related to the NSA -- this is good information on which sites are still vulnerable, including historical data.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..