Yet Another "People Plug in Strange USB Sticks" Story

I'm really getting tired of stories like this:

Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed.

Of course people plugged in USB sticks and computer disks. It's like "75% of people who picked up a discarded newspaper on the bus read it." What else are people supposed to do with them?

And this is not the right response:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: "There's no device known to mankind that will prevent people from being idiots."

Maybe it would be the right response if 60% of people tried to play the USB sticks like ocarinas, or tried to make omelettes out of the computer disks. But not if they plugged them into their computers. That's what they're for.

People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

Quit blaming the victim. They're just trying to get by.

EDITED TO ADD (7/4): As of February of this year, Windows no longer supports AutoRun for USB drives.

Posted on June 29, 2011 at 9:13 AM • 191 Comments

Comments

ViktorJune 29, 2011 9:24 AM

There are two human impulses at play here. To either find the owner and return the lost property, or find out if they left anything "fun" on the stick - to snoop. I think both feelings are often present at the same time.

I would certainly insert the stick into a computer. But I may chose which computer carefully.

Not really anonymousJune 29, 2011 9:28 AM

Another related story today I saw at H online is about USB mouses that secretly also act as a keyboard. One was developed as a pen test. Not auto-running stuff, will not solve the problem in this case.

JamesJune 29, 2011 9:29 AM

I found a usb stick in the computer cluster at uni. I asked the rest of the room if anyone had lost it, and plugged it in to find its user. I reckoned the security risk was low for a few reasons:
1) It was already plugged into a computer, most likely a student's personal stick they'd left behind
2) Uni has decent enough antivirus
3) Uni machines aren't my responsibility to clean of viruses
4) If it was infected, then the uni box was most likely already infected. (See 1)

Anyway, found some docs on it that contained the phone number of the owner, and it got reunited.

And yes, those damn sticks should not autorun. Went around agencies with printed CVs and CV on memory stick. All of them wanted them emailing because of the virus risk. *headdesk*

OlafJune 29, 2011 9:37 AM

Children are taught not to take candy from strangers. But adults are perfectly OK with using USB sticks from unknown sources...

karrdeJune 29, 2011 9:38 AM

"...and a USB stick given away at a trade show is automatically good."

Trade shows are also excellent places to drop a name-branded USB drive into someone's bag while they walk past.

Or to drop a 'poison' USB drive into the stack handed out by the some other company's corporate reps. If it looks like the rest, it will hit a target of some kind.

Those methods are enabled at a trade show. But if a company feels like doing some corporate raiding of a the data kind, trade-show USB drives are an excellent vector.

As long as the OS automatically runs any inserted USB stick, then this will be a vector of attack.

JuergenJune 29, 2011 9:39 AM

Antivirus software would not be helpfull in a real attack - it depends on signatures, and those can only be done if somebody already saw the same malware and reported it to the AV vendor.

Drop a USB stick with custom-made malware on a big corporate parking lot (especially in the area where Execs park), and you're virtually guaranteed to get huge amounts of interesting stuff.

The only real problem would be to get the data out of the corporate network, but even for that there's ways... DNS tunneling, for example.

AJune 29, 2011 9:41 AM

I found somebody's USB stick on the train. Rather than trusting lost and found, I looked at the contents and found the owner's contact info so I could mail it back to her. The lady subsequently sent me a thank you note and a Christmas card.

Windows still autoruns files?!

Carlo GrazianiJune 29, 2011 9:41 AM

According to this story,

http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/

"the OS trusts random USB sticks" is only one variant of the problem. In principle, any USB device could contain a microcontroller that lies about what kind of device it is. If a controller chip concealed in a USB stick chassis tells the OS that it is in fact a keyboard, it can issue arbitrary keystrokes, and hence arbitrary commands (with the privileges of the console user). Game over.

The solution is irreducibly to trade off convenience and security. If security is an uncompromisable concern (as in many government and corporate offices), unauthorized USB devices cannot be plugged in, period. If productivity from ease of use is a high priority, some risk of USB-borne malware must be accepted. There is no magic bullet here.

Bruce SchneierJune 29, 2011 9:43 AM

"Children are taught not to take candy from strangers. But adults are perfectly OK with using USB sticks from unknown sources..."

It's a stupid thing to teach children, too.

GreggJune 29, 2011 9:53 AM

Yes, the OS shouldn't trust all USB sticks but that doesn't excuse the idiots. I'll wager that not one of them would have picked up a spoon from the parking lot and put it in their mouth without washing it first.

Josh WinslowJune 29, 2011 9:57 AM

"It's a stupid thing to teach children, too."

It's an easy way of encapsulating the lesson that there are people who are trying to game the system (in this case the expectation that people who give you things are nice) and you need to be vigilant to avoid being taken. Certainly a better rule would be "be wary when unknown people give you things and attempt to deduce their motivations" but that is an ability that literally doesn't exist in children of a certain age due to the lack of brain development.

Daniel WijkJune 29, 2011 10:07 AM

Gregg: The difference is that humanity as a whole have had quite a few years behind them to figure out that physical viruses are abundant out in the street and not quite as many years to figure out that data-carrying devices most often aren´t infected with anything. Double edged problem really.

SavikJune 29, 2011 10:11 AM

"But not if they plugged them into their computers. That's what they're for."

Food is for eating but do people normally pick up food off the ground and eat it? Come on - some responsibility has to lay upon the user...quit allowing them to be some dumb and hold them responsible.

TSJune 29, 2011 10:16 AM

@Gregg

How do you suggest one clean off a USB stick, *without* plugging it in?

JeffJune 29, 2011 10:20 AM

Savik, people know what the security model of eating is: Anything you eat is trusted (i.e. can kill you). But you wouldn't die just from *looking* at tainted food. There's no magical force that automatically shoves it into your mouth whenever you see it.

Why is it intuitive that just looking at what is on a USB stick can automatically make you "eat" something (run arbitrary code)? Why would you expect users to know this fact?

kurt wismerJune 29, 2011 10:29 AM

if you use less care putting things in your computer than you use when putting things in your mouth then you might be a security idiot.

Adam ShostackJune 29, 2011 10:34 AM

Windows machines that are running with the recommended auto-update settings no longer run autorun.inf files from USB devices. It's not clear when the study was run.

See http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx

I fully agree with Bruce that blaming (and insulting) the victim is, at best, a waste of time, and in fact is probably counter-productive.

and for some of the impact:
http://blogs.technet.com/b/mmpc/archive/2011/06/14/autorun-abusing-malware-where-are-they-now.aspx

Patrick W. BarnesJune 29, 2011 10:39 AM

@Viklor: There's also the intent of appropriation.

I absolutely agree that the OS should not automatically execute anything from a USB stick, but "autorun" malicious code is not the only risk. Some others that come to mind:

* The device could be faulty (incidentally or intentionally) and could damage the computer.
* Something on the device could be carefully crafted to exploit driver vulnerabilities, allowing execution of arbitrary code even in the absence of normal "autorun" functionality.
* The contents of the device might not be harmful code, but could be crafted for social engineering in any number of ways, such as a forged document that leads the viewer to do something harmful.

Would I plug the drive in? Probably, but I'd take some precautions, like using a low-value computer configured for the task. I might actually hope for something malicious, just for the opportunity to study it.

There would definitely be some value to user education about the risks, but I would expect most people to plug the device in for one reason or another.

TSJune 29, 2011 10:47 AM

@Patrick

Absolutely, which is why we have standalone machines and Macs to check out suspicious USB sticks.

Still, I see a *lot* of malware alerts coming from USB sticks... crazy that there are so many people out there that have infected devices and don't know it.

Ben EvansJune 29, 2011 10:48 AM

@Josh - Nope. The vast majority of adults do not mean any harm to children.

The vast majority of adults who harm children are already known to the child they harm.

What "Stranger Danger" teaches kids is not to accurately assess risk and to give credence to largely imaginary hobgoblins. And we already have *quite* enough of that.

kurt wismerJune 29, 2011 10:51 AM

@Adam Shostack
"I fully agree with Bruce that blaming (and insulting) the victim is, at best, a waste of time, and in fact is probably counter-productive."

it (arguably) may not help the actual victim, but it can certainly help others learn what they can do different to avoid becoming victims themselves.

it isn't that different from how traditional behavioural norms are established and enforced. just in this case it's a norm with a computer security purpose.

Does it Matter?June 29, 2011 10:53 AM

I think Mark Rasch had it right. The fact that USB sticks are meant to be plugged into a PC is no excuse for inviting a problem into your PC/network. If I follow your thinking about USB sticks, that would mean that if one of the 'idiots' were to find a ham sandwich on the ground they would stick it in their mouth and start chewing. Because that is what ham sandwiches are for, right? You follow me?

NeilJune 29, 2011 10:53 AM

You're missing the most painful statistic, at least from a security perspective. By putting a valid logo on a program, 90% of those who plugged in the drive installed the program! This isn't an autorun issue, and it's not an easy issue to resolve. Autorun was a terrible idea, which is why it got disabled, but if all a user needs to trust a program is an icon, this is, indeed, a "user was an idiot" story. Half of the people in the test ran a program they found on a random thumb drive, based solely on the icon of that program.

GabrielJune 29, 2011 10:55 AM

Regarding USB "Trojan" HID devices (mice/keyboard devices to the OS), the best defense that an OS could probably provide with the current USB specifications would probably be to track the Vendor ID (VID), Product ID (PID), and serial number (iSerial) that are in the USB device descriptor. Whenever a new HID device is attached, the host should prompt the user before enumerating the device and accepting input from it. Thus, the default keyboard and mouse would be "trusted" once set up, and any new trojan devices would at least wait for confirmation, such as "You have plugged in a new USB keyboard. Are you sure you want to enable it? If this device is not a keyboard, detach it immediately." While this system could be defeated, it would make the attack more difficult. The attacker would have to obtain the VID/PID and iSerial of the target's keyboard, greatly narrowing the scope of the attack, or count on users truly being stupid and accepting a new keyboard device after plugging in a USB flash drive.

Of course none of this addresses the inherent security limitations in USB: It is a trusted bus, there is no authentication that takes place over it, and it exposes nearly any function (input, storage, display, audio, network, etc.) via the one interface. It's not like you could connect a PS/2 keyboard disguised as a printer to the parallel port.

James AndersonJune 29, 2011 10:56 AM

To paraphrase Bob Dole: Where is the outrage? Most OSs are malware friendly by default. Yet we flock to buy them. Our governments, critical infrastructure organizations, law enforcement and other serious businesses flock to buy them. Why don't we stop buying malware friendly OSs?? Is it because the companies that sell them lack the design knowledge and skill to make secure OSs?

NobodySpecialJune 29, 2011 10:57 AM

Suppose tuning into a new radio station could destroy your car - should we be blaming drivers or car makers?

NobodySpecialJune 29, 2011 11:00 AM

@Gabriel - assuming the ID system could be implemented flawlessly, you would now know that your keyboard had been built by the "Acme keyboard Company" in China

How exactly does that help with security?
Like the famous statement about HTTPS - it's like driving your credit card number along the street in an armoured car surrounded by armed guards - then giving it to a homeless guy.

JoeJune 29, 2011 11:07 AM

Malware is so common that it has become reasonable to expect people who use computers to be mindful of risks. If I found a memory stick on the ground, I would just throw it away; I would not plug it into either my office or home system.
If a person finds a knife on the ground and then cuts himself with it, should we blame human skin for not being tough enough? No, the person should be careful because the knife can be dangerous.

GabrielJune 29, 2011 11:08 AM

@NobodySpecial and Brian: Which i referenced to as well. The purpose of this scheme is to prevent mass non-targeted attacks. The attacker would have to know the VID/PID of your keyboard, and the serial number reported via the USB descriptor. So, they have to go to a greater length. This would reduce the trade show attack vector, where they distribute dozens or hundreds of trojan mice.

As I said, USB has inherent security problems. My suggestion is an easy process that reduces most attack surfaces for this particular trojan hardware. It's the low hanging fruit.

DilbertJune 29, 2011 11:37 AM

Ironically, the person picking up the USB stick from the parking lot might rush to wash his hands because "who knows where it's been!" and then they'll stick it into their computer without taking similar precautions.

Patrick W. BarnesJune 29, 2011 11:38 AM

I don't think there is anything that hardware or software vendors can do to eliminate the risk posed by devices attached to the system, nor would I want them to take any extreme measures. Sure, there are things they can do to mitigate the risk - hardening drivers, consistently treating contents of removable devices as untrusted and potentially harmful, applying short and bad power protection, etc., but ultimately, there will always be risk.

While I would hope hardware and software vendors would do as much as they could, that still leaves gaps that can only be filled by user education. People must approach all hardware with reasonable suspicion. It isn't just USB devices that pose dangers, but the convenience, ubiquity and capability of USB devices certainly makes them an easy vessel for attacks. People need to be aware of the dangers before they can decide the level of risk they are willing to accept.

If the potential danger of trojan hardware is unknown to the public, they may not realize that they need to question the background of the devices they use. We have developed a culture where most people inherently trust all electronic devices they come across, and that mindset needs adjustment. The food analogy has been repeated several times in comments above. Perhaps we need to teach people to approach electronics with the same kind of skepticism they approach food with. Once such an adjusted mindset is prevalent, it might be fair to ridicule people that take excessive risk, just as it is fair to ridicule someone that eats food off the pavement.

Brian 2June 29, 2011 11:39 AM

@ kurt wismer
"if you use less care putting things in your computer than you use when putting things in your mouth then you might be a security idiot."

Au contraire! Putting the wrong thing in my computer can inconvenience me (possibly severely), with a virus leading to an empty bank account or possibly criminal charges (if it puts illegal material on my hard drive and pings the FBI).

OTOH, putting the wrong thing in my mouth can kill me.

I don't know about you, but I consider death to be a worse security outcome than lost money or a prison sentence.

sdrJune 29, 2011 12:03 PM

I actually once found an entire laptop bag (with sleeping laptop) laying in a parking lot. I was concerned of course and wanted to try and find the owner.

I guessed the password on the second try and ended up finding some info about the owner. Fast forward a few hours and I have the guy on the phone, he is completely ecstatic and we arranged to meet so that I could return it.

Long story short: it was covered in bodily fluid "residue" and I ended up getting a really nasty rash.

Always beware of ANY unknown it equipment because i'm here to tell you, an infection is an infection!

LulzsecJune 29, 2011 12:23 PM

I plugged a usb stick into my anal cavity and low and behold...I got a virus :( but it cured my bad case of hemmhoroids.

P.S. I shave my armpits.

PerseidJune 29, 2011 12:27 PM

@Gabriel
"""Whenever a new HID device is attached, the host should prompt the user before enumerating the device and accepting input from it. Thus, the default keyboard and mouse would be "trusted" once set up, and any new trojan devices would at least wait for confirmation, such as "You have plugged in a new USB keyboard. Are you sure you want to enable it? If this device is not a keyboard, detach it immediately." """

They could just as well have sent him a keyboard instead of a mouse.

GabrielJune 29, 2011 12:28 PM

Regarding USB trojans, the best we can do is mitigate risk, not eliminate it. Any determined attacker could steal your mouse/ keyboard and slip in a small microcontroller between the USB cable and the mouse controller. The new controller would assume the descriptor of the surrogate device and one would be none the wiser. The nefarious microcontroller could then execute scripted input commands or accept them via RF.

The best bet would be to adopt driver/ host changes that would reduce risk and make mass attacks very difficult. This could include sandboxing such devices and treating their file contents as untrusted. Additionally, the USB class specifications for HID, MSC, and CDC to provide basic authentication. Again these do nothing for MITM attacks like I outlined above. Secure channels will be necessary for that, and such crypto may not be feasible for the low end $1 to $5 controllers on such devices.

Josh WinslowJune 29, 2011 12:36 PM

@Ben
There is the rule "Tell an adult that you trust if someone does something that makes you feel uncomfortable" to cover the unfortunately much more common case. However, that doesn't obviate the need for the rule about having a bit of distrust towards strangers. Besides, the rule isn't "Run screaming from any stranger who talks to you" it's "Don't take candy from strangers". In my family that meant don't trust the providence of something you don't know the original source of. Maybe that's not the norm though.

Andy R.June 29, 2011 12:38 PM

The quote from Mike Rasch in Bruce's original article is correct, in a sense: If someone doesn't know how to use the tool they own safely, that's not the tool maker's fault. If you own a rotary saw and you don't know not to go around sawing random things in half, you'll break your saw or cut your arm off. If you own a computer and you don't know not to go around introducing random devices or files, you'll get a virus, trojan, or keylogger. Caveat Emptor!

But that doesn't mean that the makers of tools shouldn't continue to find ways to make the tools safer, so that people who ARE stupid enough to run around and saw random items have a better chance of not putting shrapnel in their eye, and people who ARE stupid enough to plug in every USB drive they find have a better chance of not taking down the company network. Making a product safer is one of the main ways one can make a product better, whether that product is a power tool, automobile, online banking service, or an operating system.

Bruce, I agree with you when you say "The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick." But this isn't true of every OS out there. Apple's OS X doesn't autorun anything on inserted USB sticks. Linux in a corporate environment can be set up to autorun or not autorun, whichever the admin desires. A brief look around on Google shows that Solaris turned autorun off sometime in the 1990's.

It seems to me like this attack vector is mostly a problem for the people who elected to trust Microsoft to keep them safe at an OS level. The continuing existence of threats like this, and your continuing frustration with hearing these stories, suggests that that wasn't such a great choice on their part. Since some other companies and groups have already solved this issue, maybe users who are worried about this attack vector should upgrade to one of those OSs. Problem solved.

HarryJune 29, 2011 12:40 PM

There's a selectin bias here. I'm not surprised that the majority of people who picked up the USB plugged it in. The ones who know this is a bad idea are less likely to pick it up in the first place.

GabrielJune 29, 2011 12:44 PM

@Perseid: yes, at which point it is a Trojan horse that looks like a horse. But the system could potentially be configured so that an administrator has to approve the new device. Again the idea is to make it harder to masquerade as something else and harder to execute code, io, or commands on a victim's machine. The fact is there are low hanging fruits that would greatly help, without breaking USB, that are not being implemented.

Mike WarotJune 29, 2011 1:15 PM

It's not the users, it's the lack of a reasonable security model. Capability based security is still absent in mainstream systems, and this will continue to happen (along with worms, virii, etc) until this situation changes.

If users could sandbox things off by default, and only grant capabilities on demand, this stuff would happen far less frequently. Currently there isn't an easy way to do this.

Dirk PraetJune 29, 2011 1:24 PM

As usual, the truth is somewhere in between.

First, we need to differentiate between ignorance and negligence. The former is no reason to call someone an idiot. The latter unfortunately way too often goes hand in hand with stupidity. Both however can get you into serious trouble, and not just from a legal angle. Not respecting road signs or other traffic rules on grounds of ignorance will not prevent you from getting a ticket. Damages by negligence and caused to 3rd parties will have consequences under tort law.

Furthermore, there is a distinct difference between the private and the office context. If the average computer (security) illiterate person plugs in an unknown USB into his personal computer at home, blindly trusting the OS's default settings and behaviour, then subsequently gets infected with malware, than that's too bad. Most COTS operating systems make usability over security trade-offs, settings that will not be changed until they become common attack vectors. The Windows auto-run feature is just one of many. Whether or not a user invests in self-education pre or post disaster is basically up to him, bearing in mind that it is probably pointless to sue any vendor in case of a security failure compromising or otherwise crippling his machine. The sad truth is that connecting to any device or network potentially is as hazardous as operating a chainsaw. Even though it can never be an excuse for vendors or service providers to walk away from theirs, ignoring this simple fact equals being in denial of ones own responsability and accountability in the matter.

Things IMHO are entirely different in a corporate environment. Companies that fail due diligence with regards to IT security are no better than those that don't to keep a proper accounting administration. If they have no appropriate training/education in place, couldn't care less about IT policy and procedures or are unable to put Windows GPO's in place to prevent non-engineering staff from plugging in USB devices, than the problem is not with the user but with the company. But as already pointed out above, such should be fully endorsed and practiced by execs too. Unfortunately, it is my experience that in way too many environments it's exactly this group that is the prime obstacle to proper security protocol since they believe themselves to be exempt.

As an anecdote, I'd like to end with the example of a company I used to work for and where the (external) Facilities Manager one day conducted an unanounced badge policy enforcement exercise. Any employee showing up at the door and unable to produce his/her company badge was denied access to the premises and sent back home. One of them was the Country Manager. Guess who's head was chopped off.

Tony PJune 29, 2011 1:32 PM

You can't expect the device maker to keep adding safegards to their prodects catering to the stupid. "Make something idiot proof and they'll make a better idiot." That's the problem with our society as a whole. We are constantly making it easier for people to become lazy and more stupid. (Movie: Idiocracy) Just read some warning labels and you'll realize that for most of those warnings, someone actualy did what the warning said not to do, thus prompting the warning. Education is where to start, stricter enforcement/punishment is how to follow through. Let people be stupid, eventually stupid thin the herd.

ElegieJune 29, 2011 1:41 PM

Years ago (this is probably less common now) at a certain public library system, there were cases where a book would include a floppy disk (of the 3.5-inch (or 8.89 cm) variety) in a plastic pocket at the back. (For certain books, this was a convenient way to include software or source code that went with the book.) From what one remembers, for such books, the library would add a label near the disk pocket that warned the user to check the disk(s) for viruses before using them. (For libraries that are considering lending out floppy disks even now for conveying software or pregenerated content, it might not hurt to completely remove the write-protect tabs to essentially make the disks permanently write-protected.) From what one remembers, the library branches also had VHS tapes that had an added label warning that the library was not responsible for any damage caused to the user's player.

If someone borrowed a library book that included a floppy disk and discovered malware on the disk, the library might well turn to the party who had previously borrowed the book (depending on how long records of such borrowing are kept.) Even so, it might be easy for the previous borrower to make the case that they could not feasibly have known about the malware or how it got on the disk.

With regard to the consumption of food items from unknown sources, the following might be of interest. In Bruce Lansky's book "Mother Murphy's Law" (Meadowbrook, Inc., 1986), there is an interesting take on page 32 about the situation where a baby eats an item of food that they found on the ground (or something similarly "gross"): a baby will probably not get sick from eating such an item, but a parent who watches a baby eat such an item will get sick. Though likely intended to be humorous, this take might actually not be all that far from reality. (Indeed, the mere appearance of an action being harmful may cause alarm with regard to bystanders.)

kurt wismerJune 29, 2011 2:09 PM

@Brian 2

if that's all you think USB malware can do then you have a much more limited view of what computers get used for than i do.

stuxnet is the obvious example of USB malware (and effects) that your argument fails to account for.

Jeff SchroederJune 29, 2011 2:54 PM

@Bruce: I can't believe no one has caught your tyop yet.

"""Of course people plugged in UBS sticks and computer disks."""

Should read:
Of course people plugged in USB sticks and computer disks.

ChrisJune 29, 2011 3:03 PM

This reminds me of one of the funniest things an end user ever said to me: "Every time I bring in a disk from home, your anti-virus software pops up to tell me it's been infected by one of your computers."

Some users are idiots, but it's the job of an administrator to make their systems as idiot proof as possible. If I were still in charge of desktops, I would have locked down USB autorun capability the first time I heard about this little trick of "social engineering" which was like 4 years ago. If you're responsible for security in your environment and haven't done this by now, who's the idiot?

ChelloveckJune 29, 2011 3:05 PM

About the trojan mouse... Even if your computer popped up a notice saying, "Hey! You just plugged in a mouse + keyboard + flash drive!" would the average Joe even care? Would the average techie care? If I plugged in a mouse that also identified itself as a keyboard I'd just think, "Neat. Maybe this thing has macro capabilities!" That would actually be a useful device! If the mouse (designed, like this one, to look like a random promo piece) also identified itself as a flash drive I'd just roll my eyes and wonder what marketing genius thought *that* up. A combo mouse / flash drive certainly wouldn't be the stupidest piece of vendor swag I'd ever received.

In short, this is a terrific piece of social engineering. I think all but the very most paranoid of us would be duped.

Nick PJune 29, 2011 3:39 PM

@ Bruce Schneier on why users are to blame

"What else are people supposed to do with them?"

Discard them. Many older lay people are still aware that viruses moved through floppies and email. (They've said as much to me before.) People also understand the general concept that putting a piece of equipment whose function is unknown into another important piece of equipment is dangerous.

If you see 5W-30 labeleld motor oil lying on the ground, do you automatically put it into your car? If you see a cup, do you automatically drink from it? If you see an icemaking unit, do you automatically try to connect it to your fridge? No in all cases. The average person knows there are risks to using unknowns found in the wild. They were probably just being apathetic to digital risks, as usual. That's their fault. Additionally, many people plug these things in to snoop or try to get something of value. That's an ethically questionable activity that often comes with risks. Double fail.

"The problem is that the OS will automatically run a program that can install malware from a USB stick."

Most don't, but that's surely a problem. Why does this problem exist? Because manufacturers don't focus on building secure systems. Why don't they build secure systems? >>BECAUSE USERS DON'T BUY THEM!

Most users want the risk management paradigm where they buy insecure systems that are fast, pretty and cheap, then occasionally deal with a data loss or system fix. The segment of people willing to pay significantly more for quality is always very small and there are vendors that target that market (e.g. TIS, GD, Boeing and Integrity Global Security come to mind).

So, if users demand the opposite of security, aren't capitalist system producers supposed to give them what they want? It's basic economics Bruce. They do what's good for the bottom line. The only time they started building secure PC's en masse was when the government mandated them. Some corporations, part of the quality segment, even ordered them to protect I.P. at incubation firms and reduce insider risks at banks. When the government killed that & demand went low again, they all started producing insecure systems again. So, if user demand is required and they don't demand it, who is at fault again? The user. They always were and always will be.

On the bright side, those same users are the reason I can send photo's to friends on a thin, beautiful smartphone. They also gave us short-lived 1TB hard disks whose low cost made the short-lived part tolerable. They are also probably why I have a full-featured, fast, cheap wireless router at the home. So, at least some good comes from the users choices of demand. But, they definitely don't accept the tradeoffs of real security, they don't demand it, it doesn't pay to produce it, & that's why it's their fault.

(To be totally honest, evolution and the human brain's hardwired patterns are the real culprit. Society/civilization evolved much faster than the human brains ability to properly interact with it and assess risks. It's a pet theory I've been thinking about writing a paper on that shows each flaw & interaction in detail. But, people are also smart enough to know their weaknesses and act responsibly. They usually remain wilfully ignorant or apathetic. So I blame them.)

Nick PJune 29, 2011 3:45 PM

@ Patrick Barnes

"I don't think there is anything that hardware or software vendors can do to eliminate the risk posed by devices attached to the system, nor would I want them to take any extreme measures."

An IOMMU unit restricts read/write access of memory regions that devices access. Technologies like this existed in the 80's in hardware. Some early 90's B3/A1 security kernels used segments to restrict access for certain non-DMA devices. Integrating RAM encryption and signing on chip, like Aegis & SecureCore do, leaves malicious devices only able to cause a loss of availability. SecureCore's modifications are minimal. IOMMU modificaitons are minimal and SecureCore's preserve much legacy VHDL/Verilog code.

We already have the technology to use untrusted devices in COTS systems. We've had it for almost thirty years. Industry just doesn't do it. PCI could have had built in access control. USB could use unique identifiers for devices & the chips cryptosign transmissions using a fast algorithm. There's many possibilities. The fact remains: they can solve the problem affordably, but they don't care because the users don't push them too. The only exception I see is in higher end smart cards: MULTOS, Caernarvon, certain Infineon chips, etc.

alJune 29, 2011 3:59 PM

@Nick P:
--
Why don't they build secure systems? >>BECAUSE USERS DON'T BUY THEM!

Most users want the risk management paradigm where they buy insecure systems that are fast, pretty and cheap,
--

And how do YOU know? Have you tried selling really secure systems to "users" in the first place?

Or did you stuff "most users" into a barn and told them they are not allowed to go to bathroom until they have answered your 100 question user-purchase-habit questionnaire?

Actually I am sure if you offered "most users" a secure system or a pretty-yet-insecure, most of them would likely choose the former. The two other factors of "fast" and "cheap" can be ignored because you just added them to bolster your point.

"Secure systems" (relative term, nb) can be made fast and cheap as well but in this system, who would when there is added value in that they are now secure. Therefore lets suck more money out of the user.

VoidJune 29, 2011 4:06 PM

@ Nick P.

"If you see 5W-30 labeleld motor oil lying on the ground, do you automatically put it into your car? If you see a cup, do you automatically drink from it? If you see an icemaking unit, do you automatically try to connect it to your fridge? No in all cases. The average person knows there are risks to using unknowns found in the wild. They were probably just being apathetic to digital risks, as usual. That's their fault..."

Several posters have used similar analogies here. But you seem to have not read the posts pointing out these analogies are false. Just LOOKING at a bottle of motor oil laying on the ground is not going to hurt your car. The average user assumes that plugging in a usb drive will let them just look at the contents. If they don't do anything with any of the files they see, no harm. This assumption, while in many cases false, is fairly logical to most people, unlike eating a piece of food off the ground or pouring something into your crankcase.

Nick PJune 29, 2011 4:18 PM

@ al at

"And how do YOU know? Have you tried selling really secure systems to "users" in the first place?"

Many companies did in the past. The tricky thing is that secure systems require three things at each level in the design: mediation of every access of information (subject to object); suppression of major covert channels; verifiability. These principles mean the secure systems will experience a significant drop in performance, consistently lag behind the insecure market in features available, be more cumbersome to use/administer, and cost more. Each of these problems may show up in a secure design. How much varies.

Besides, you see customers trading convenience/aesthetics/cost for security/safety all the time. Here's a few examples.

Locksmith says you can have a decent lock for $30 or a nearly unpickable Medeco/Assa for $80 to protect your home. They rarely choose Medeco/Assa.

Volvo rarely wins against a better looking car with similar specs.

People who can afford a steel door usually choose a wooden one for aesthetic reasons.

Most companies and individuals budget little for security. They consider it discretionary.

Safer, rubber grip box cutters priced a few bucks over the rest sell much less.

People who are aware of identity theft still often hand checks full of their personal info to strangers at a checkout line because their checkbook is more convenient when they balance their budget later.

And so on and so forth. It's a constant trend. Security/safety gets a tiny cut, the other factors are favored the majority of the time.

"Actually I am sure if you offered "most users" a secure system or a pretty-yet-insecure, most of them would likely choose the former."

Ask any Best Buy salesperson what factors most determine which PC's people purchase there. Is it how they look/feel, how fast they are and their price? Or is it how reliable and secure they are? Specifically, ask them how many times someone came in that week asking for the most reliable, safest PC with acceptable performance. If they have an answer, I bet they can remember each individual person they will be so few.

"The two other factors of "fast" and "cheap" can be ignored because you just added them to bolster your point."

Oh sure. People are cool with dialup speeds, extremely long wait times in video editing, and slow internet access. And they don't want more for less... I'm wondering if you're just trolling or if you're actually serious? I'm leaning toward the former.

Nick PJune 29, 2011 4:22 PM

@ void

"Several posters have used similar analogies here. But you seem to have not read the posts pointing out these analogies are false. Just LOOKING at a bottle of motor oil laying on the ground is not going to hurt your car. The average user assumes that plugging in a usb drive will let them just look at the contents. If they don't do anything with any of the files they see, no harm. "

It's a debatable point. Many users will think like that and the analogy fails for them. Many users also know plugging stuff into your computer carries risk, at the least that one of the files they open might have a virus. More users know this than people give credit for. And what do they do? Open random files on a storage medium they found on the ground. They just ignore any risk considerations. For these users, the analogy fits.

My more important point, though, was the second part of that post. The part concerning what users demand, bring to market, and force off the market. Security is rarely part of that demand and the market only answers demand, making users responsible. I'd like to hear people's thoughts on the economic side of user responsibility.

Dr. TJune 29, 2011 5:10 PM

@Tony P: "... Let people be stupid, eventually stupid thin the herd."

In our current society, stupid people rarely die young. They live almost as long as smart people, and they tend to have more children than average. We have reverse Darwinism in regards to intelligence.

Bryan FeirJune 29, 2011 5:11 PM

@Chellovack:
"A combo mouse / flash drive certainly wouldn't be the stupidest piece of vendor swag I'd ever received."

I've actually got a Compaq-branded USB mouse at home where the handrest of the mouse flips up to expose an SD card slot. So it is actually a combo mouse/drive. It was useful at the time for connecting to my old laptop with only a single USB port and no SD card slot. Given I haven't seen a laptop with those connection limitations in years, it's somewhat less useful now.

MikeJune 29, 2011 5:38 PM

Do people finding discarded syringes typically pick them up and jab them in their arms? Is that different?

kingsnakeJune 29, 2011 5:51 PM

Saw an article somewhere recently where they hacked a mouse, then sent the mouse to a designated target, got them to plug the mouse in, and the mouse itself snagged all the goodies and transmitted them back to home base ...

Pat CahalanJune 29, 2011 6:09 PM

I love the way people are comparing USB sticks (something almost everyone has, commonly uses harmlessly, and loses often)...

...to other items which most people never use independently (icemaking unit?), or can't be used harmlessly (non-sterile syringes), or are not commonly lost (cans of motor oil?)

For the record, if I was in an automotive shop parking lot and I saw a sealed can of motor oil sitting on the ground, I'd assume that someone left it there accidentally and take it home to use in my lawnmower. Yes, someone could have filled it with something nefarious. How much more difficult would it have been to put the nefarious can on the shelf in the auto shop? If you're going to trust the auto shop to give you un-doctored motor oil, when the auto shop has virtually zero security countermeasures, why wouldn't you trust the parking lot can of oil?

If you see a USB stick on the ground, in almost all cases it's been dropped. If it's got your logo on it, in almost all cases it's been dropped *by someone in your own org*.

Trying to figure out who it belongs to is not only normal human behavior, it's laudable. Even if you're selfish and intending on just keeping the thing, finding out how big it is is entirely normal human behavior.

The autoruns problem is in fact the problem, because it presupposes that a normal non-authoritative action (insertion of a USB stick to read a file) is an authoritative action (please run/install software).

This is like saying, "Oh, someone logged into the machine. I will give them root privileges, just in case they need them" is a reasonable security model.

Bob Van ValzahJune 29, 2011 6:11 PM

I hope my kids grow up in a world where people who work at secure facilities are less trusting of what they find in the parking lot. I hope they grow up in a world where default OS policies are shaped by the malicious intent that undeniably exists in the world. But until the future arrives, I blame those who deploy such insecure infrastructure for use by people who's behavior is so predictable.

RobertTJune 29, 2011 6:55 PM

I remember hearing rumors that Stuxnet distribution was also targeted using dropped USB sticks. I can't remember what site it was on.

I guess this is the ideal vector to distribute any custom malware because you can spread throughout an organization and get a good widespread infection before any AV packages receive the signature. I guess I'm only surprised that there is not more of this going on. Trouble is most corporate computers have USB ports blocked (I wonder why?)

Dirk PraetJune 29, 2011 7:25 PM

@ al

"Actually I am sure if you offered "most users" a secure system or a pretty-yet-insecure, most of them would likely choose the former."

Er, no. With the exception of the usual suspects, no single individual or company gives a cr*p about secure systems unless/until they are driven by either fear or compliance. I may have said this before, but I gave up on rational sales years ago when some decision maker bought our equipment not for the price or the features, but because he liked the fluorescent front panel on the rack and the really cool blue lights on the storage units.

Windows became the dominant desktop operating system because for years it was easy to copy and x86-based machines were cheaper than macs. Apple rose from its ashes because OS X was slick, sexy and intuitive. Not only did Steve Jobs learn from the many M/S and IBM failures, he also understands what makes folks tick and make them buy Apple products. Security or privacy concerns historically have never been any real part of the equasion.

Apart from some niche players, vendors, manufacturers and service providers alike do not provide secure systems unless customers explicitly ask for them AND are willing (and able) to accept the common usability inconveniences that come with them. Most unfortunately still prefer to stick their heads in the sand and keep it there even when their *ss is on fire.

I got yet another painful demonstration of such behaviour a couple of days ago when I traced back to a Belgian catholic church organisation a non-specified password database dumped on pastebin and tweeted about by a Dutch Anonymous/AntiSec chapter. The usual stuff: 5000+ email adresses and accompanying DES-passwords from an SQL-table most probably obtained by a simple SQLi. Although I sent an email to both the organisation's contact persons and the company that built the website, I got no reply whatsoever and to date nothing has been done about it. Unless disclosed to the press, they're probably not going to act at all, and I have no intention of doing so myself for fear of them shooting the messenger rather than actually dealing with the issue.

Dirk PraetJune 29, 2011 7:31 PM

@RobertT

"Closing the airgap" was exactly what the Stuxnet authors had in mind.

RobertTJune 29, 2011 8:22 PM

One more thought, If you think this problem is bad with USB on PC's than you'll love the variations on this attack vector, that are possible with BlueTooth enabled smart-phones.

Michael LynnJune 29, 2011 8:26 PM

When I was in junior high a friend and I made this prank auto-run floppy for the macs that altered all the registry entries for the mac os stuff to do funny things (juvenile pranks stuff).

We made one copy of the disk, labeled it "DO NOT INSERT INTO COMPUTER" and left it somewhere.

Within a couple weeks there were dozens of copies (that we didn't make) all over the place and almost every computer in the district was infected (and it wasn't a virus or worm, it didn't spread on its own or infect other floppies or anything).

So it seems like it still works.

DiamondGeezaJune 29, 2011 8:34 PM

There is the curiousity factor coming into play here - I mean if you happen to come across an official looking USB stick with the D.H.S. logo emblazoned on it, who isn't a bit curious to find out what's on it? If they ran the same test with a busted up old USB stick that looked like a piece of junk, I'm sure they'd get a different result. Considering that the users are surely running anti-virus software, they probably thought they would be protected anyway. As a side note, I happened to actually drop a USB stick once with important stuff on it (source code no less) as I was entering my car in a hotel parking lot. I returned a couple of hours later retracing my steps, and it was still there(!), lying on the ground where I dropped it. Luckily it looked like a old piece of junk.

Nick PJune 29, 2011 8:42 PM

@ Dirk Praet

I found more support for our claim in a new paper I read. It's called "Lessons learned from building a high assurance crypto gateway." It basically connected COTS workstations over untrusted networks like the Internet. In the process, it maintains confidentiality and integrity of data. It also provides Mandatory Access Control (Bell-Lapadula, I think) to ensure the COTS workstation only gets data it's cleared for & other guards know its clearance.

That I can tell from the description, the device was designed to be evaluated to EAL7, the highest level of assurance. They had all the requirements met: formal specifications of design; formal security policy; formal & semiformal mappings between abstract design, concrete design and code; functional & penetration tests. They were about to enter evaluation when reality set in:

"The biggest lesson to be learned from this project was hard. Before we completed product certification, management cut off our funding. Their justification for this surprise was that there was no market for our product."

They elaborated that they didn't really have the sponsorship by senior management that they needed. This led to product termination. However, I think it's appropriate to this conversation. This was a Navy project. That the managers of Navy's secure engineering programs thought there was "no market" for a truly secure MLS/IPSec VPN, even in government circles, says plenty. Even if they're wrong, it could accurately be restated: "there is a very small market for high assurance security, there are existing solutions/partnerships and its hard to market a new high assurance product to anyone, even them."

IEEE link
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?isnumber=5705585&arnumber=5669248

Note: There are still companies that try & target these market segments. Boeing's SNS server was A1 & is in evaluation for EAL7. MULTOS was evaluated to ITSEC E6, an EAL7-like standard. INTEGRITY-178B was EAL6+. BAE's XTS-400/STOP line has gradually dropped from A1/EAL7(SCOMP) to B3/EAL6(XTS-200 through 400) to B2+/EAL5+ (XTS-500). The majority of high assurance certifications are data diodes, which are only so useful. The government is also not allowing high assurance vendors to use the RAMP to skip re-evaluation of unchanged code/specs, which is something they originally promised. This keeps the likes of GEMSOS, Trusted Xenix, etc. off the market.

Nope, no market at all. I have a scheme for coping with it, but it couldn't be done in the US. I'll share it privately with anyone via email if you agree to non-disclosure. I'm interested in seeing what people think of the new business model.

lolwutJune 29, 2011 9:45 PM

Okay, I've scanned through the comments and I don't see anyone bringing this up so I will.

I have been a federal employee for three years. Every single year, everyone in my agency takes a mandatory annual security training module. The "mysterious USB stick dropped in a hallway or parking lot" ploy is identified, specifically, with the literary equivalent of little flashing lights and danger signs, as in "if you find a USB device that is not yours on the ground, give it to security personnel and whatever you do don't plug it into your computer because it is a security threat."

Later we take a little quiz at the end of the module, with questions like "Bob finds a USB stick on the ground in the parking lot. What should he do with it?" I believe each agency designs its own security training, so I'm not saying that everybody gets the same warnings, but come on. If anyone in my agency were found to have accidentally brought in malware/hackers via this trick, I would not be worried about excessive victim-blaming. I would recommend they be fired, because they obviously can't be trusted to not do this one specific thing that they are forced to be reminded of every single year.

Richard Steven HackJune 29, 2011 11:19 PM

Wow, a ton of comments, so I didn't bother reading them all - except to note how many times the rigged mouse I mentioned the other day got mentioned without crediting me. :) (Not that I care, mind you, I just found it funny.)

Here's the bottom line: Unless people are TRAINED to THINK about their personal security - and virtually no one is, even in terms of the "don't trust strangers" meme (which IS valuable advice to give to a child as well as adults because it's absolutely true - although it should be extended to "don't trust ANYONE"), there is ZERO chance that people will not do dangerous things like the topic.

If you want people to think properly about security, sign them up for a Togakure ninjutsu course where they teach you that security is a LIFESTYLE and a COMMITMENT FOR LIFE. And that there is no such thing as "security."

Otherwise, dropping little memes around like "don't stick a random USB drive in your computer" is just not going to cut it.

Which of course brings me right back to MY meme: There is no security. Suck it up.

Which is precisely because you're dealing with humans 99.9999 percent of whom are not trained in personal security (let alone computer security).

The most important improvement in children's education that could possibly be done would be to mandate extensive martial arts training from an early age, including the martial philosophy. Not only would it improve the physical fitness of our fat kids, it would improve their mental state by reducing fear, improving mental stability, improving reflexes, teaching them to be calm in the face of danger (which would have helped enormously after 9/11) and personal problems, and so on.

It would also improve computer security by producing an appropriate and controlled level of general security awareness in the average person which could then be built on to indoctrinate them in "technological security", including computer security.

stevenJune 29, 2011 11:42 PM

this is the same problem one faces with almost any social game. people tend to act on what they know.

if pressed, people tend to either disavow ignorance, or are ignorant of their ignorance: that is, most people think they know more than they actually do. this is how assumptions work.

[i wonder how many people plugged the usb sticks in to see if they could return them to their owner? much flows from simple guestures of kindness or distrust.]

alos: some 'security' suit abusing people for being 'stupid' for doing the obvious only reinforces the averge person's distruat and low opinion of such people and their gap-from-reality.

my questions is not "why are these people doing this"; the question is "why does the system not anticipate/expect people to be doing this, and have designed-in responses?

a simple 'lost property deposit' at building entrances might go a long way to resolving this before it even got to the network.

AndyJune 30, 2011 12:27 AM

Reminds me of a saying.
The OS isn't there to help you, its there to make sure the bullet gets develed to you foot

BrianJune 30, 2011 12:45 AM

@lolwut:

The fact that federal security folks feel that yearly training for their employees is necessary to prevent people from plugging USB sticks into their computers should tell you something. Obviously random USB sticks being able to take over your computer just by plugging them in is not something people naturally expect. Rather than training and harassing people to behave in a way that's obviously counter-intuitive for them, maybe engineers and programmers shouldn't design such terrible security into the interface.

I mean, it's not like it's a physical law of the universe that USB drives HAVE to be automatically trusted by the OS, and HAVE to be allowed to run all sorts of code when they are plugged in. It's designers making a moronic security decision, and then everyone buying into the idea that the problem is really the users not compensating for crummy technology.

Now as a security aware computer user, I personally am very careful about plugging USB drivers into my computer. And every time the issue comes up, I think about what a half-ass job the operating system designers did when it came to removable media security.

yetanothergeekJune 30, 2011 12:57 AM

One thing I haven't seen mentioned (maybe i missed it) is the fact that most modern computers can also *boot* directly from a USB stick. So it isn't just a matter of which OS, or whether autorun is enabled, because if your BIOS is set to boot from USB, and you plug the device in and then boot/reboot the machine, it could drop a custom Linux/Mac/Windows rootkit right into your system before your OS ever sees it.

As far the the motor oil / candy bar / syringe argument, a better analogy might be: if you saw a wallet on the ground, would you pick it up? After all, it might be rigged with explosives or contaminated with a bio-toxin!

UndergroundJune 30, 2011 1:15 AM

The same sort of problem with why people will accept faxes of signed forms, but not a scanned image of the same document in an email.

IanJune 30, 2011 1:25 AM

Surely there should be a sort of "USB condom" device which you could use as an adaptor between your PC and the USB stick, which (1) prevents a virus jumping from the stick to the PC by not allowing autorun, and (2) prevents a virus jumping from the PC to the stick by effectively making the stick read-only? I'm wary of plugging a random USB stick into my PC, but equally I'm wary of putting my USB stick into an untrusted PC in an internet cafe or print shop, because it always seems to come back with a virus.

columbusJune 30, 2011 2:31 AM

I believe holding down the shift key while inserting prevents autorun.

tommyJune 30, 2011 2:44 AM

@ Ian and everyone else:

At the risk of making a difficult problem ridiculously easy, I just opened one of my own USB flash drives inside Sandboxie, a free/nagware or paid program usually used for browser sandboxing, but in fact can open any program or file inside the sandbox. I created a new folder, "Nasty, Evil Program", then closed the sandbox, which empties it. When I opened the flash drive normally, Nasty Evil Program was not there.

Which means that it works the other way around, too. If "Nasty" is on the found USB, whatever it tries to write to the HDD will be contained in the sandbox, and dumped on closing. So you can safely look for owner info, etc.

The fundamental issue here isn't getting people to sandbox USB drives found in the street, but to understand that until high-assurance systems are the norm, *all browsers* must be run in some type of virtual or sandboxed environment almost 100% of the time. Then, the concept of opening unknown USB drives, word docs, pdfs, spreadsheets, videos, audio files, CDs, etc... in a sandbox or VM will become second nature.

Disclaimer: I have no personal or financial connection to Sandboxie, and my experience is not a guarantee of results nor assumption of liability for your results. Choose your own virtualizing solution after careful investigation.

csrsterJune 30, 2011 3:00 AM

The library issue raised above is an interesting one. I'm involved with a national webarchiving project. What's the right thing to do about web-based malware? On the one hand, we have a legal mandate to archive our entire national web domain for cultural heritage purposes. Malware, linkspam etc. are all part of that heritage,

On the other hand, we don't want to infect or con our users. It would be an interesting moral and legal dilemma if we actually had the technology and resources to to anything about it!

Adam DudleyJune 30, 2011 3:00 AM

Half of the problem is that people do want to snoop and have a look see, but yeah, we all know if we lost our USB stick, we would really appreciate someone giving it us back, so we do the same.

The other half of the problem is that people are using USB sticks where there are much better ways of moving data around. I use http://www.lushbackup.com . Go and get a free trial, if you like the backup you will love the Lushdrive. It's basically a USB stick that lives on the Internet. You can install the Lushdrive on ALL your computers, and it comes up just like a USB drive. Save a document on you laptop to the L: drive, it appears on the L: drive of all you other computers automatically.

Why are people still using USB sticks again, ahh, they are very cheap. I suppose you get what you pay for.

USB sticks are simple, and you can 'hold them', that makes people feel secure, it's a shame they get lost.

There are other services that do exactly the same thing as lush backup, I'm not suggesting one over the other, but this one is cheap and when I looked the others are way expensive as soon as you go to multiple computers.


DennisJune 30, 2011 3:05 AM

Great post. It's nice to see someone stick up for the non-techo-paranoid. Bad memory sticks is why you leave UAC on! :)

uk visaJune 30, 2011 4:24 AM

I wonder if the advertised capacity of the USB Stick has an effect on plug in rates ie are more people tempted by 64GB compared to a 256MB?

J S CJune 30, 2011 4:33 AM

The fault is with the original USB owner, not the person who picks it up and tries to be responsible in tracing its owner. All USB devices should be encrypted. The only unencrypted part on mine is the drive volume label, which is set to my email address (no room for the .com part as there is a max of 11 chars, but enough for xxxxx@xxx).

FrankJune 30, 2011 4:45 AM

> It's like "75% of people who picked up a
> discarded newspaper on the bus read it.

It's more like "75% of people who picked up a wallet open it to see if there's a clue to whom it belongs". At least I and lot of people I know would do that. And that's the reason why I'd think about pluging in a USB stick. Maybe the data helps to track down the owner.

The difference is that I'd possibly be more sensible about the machine I'd plug it into.

Sure enough, I'd like to get my lost USB stick back and - yes this can be called utterly naive - I believe there are more honest people out there than dishonest just like not all foreigners with beards are terrorists ;-)

Dirk PraetJune 30, 2011 5:01 AM

@ Nick P.

"I'll share it privately with anyone via email if you agree to non-disclosure".

Yes, please.

@ Moderator/Bruce : can you please forward my mail address to Nick ?

@ lolwut

Although it's a good thing at least some organisations spend time on user awareness and security training, the type of webinars you are referring too for all practical purposes are a complete fail. Most of the time, they are driven by compliance rules only and generally are outsourced to 3rd parties that couldn't care less. Staff are supposed to go through them either between other daily tasks or in their free time, so most people skim through them in as short a time as possible without any interaction or discussion with peers whatsoever. The usual pop quiz at the end is a joke, and at several companies I used to work for there was always one guy who did the test, wrote down all the correct answers, then passed them on to his fellow workers who then rapidly clicked through the entire thing to get a perfect score. That's not how education works, and it really can't be a surprise that 95% of all staff a week after their "training" remember ziltch and are still as clueless as before.

As for the disciplinary actions you are referring too: not going to happen because unenforceable as long as management believes the same rules do not apply to them.

@ Brian / lolwut

" It's designers making a moronic security decision"

No it's not. Designers and engineers don't make such decisions. It's the sales and product management teams that do. Ask any engineer how many times a day he gets blasted for "coming up with cures for non-existing diseases", "non-intuitive user experience" or "jeopardising release schedules".

BF SkinnerJune 30, 2011 6:52 AM

Nick P " That the managers of Navy's secure engineering programs thought there was "no market" for a truly secure MLS/IPSec VPN, even in government circles, says plenty."

Which is why there needs to be a government version of SourceForge. Or even should be a requriement to conserve orphan projects like that TO SourceForge.

The design and development was paid for with tax dollars and even if one set of management can't see the point doesn't mean others won't.

Ricky BennettJune 30, 2011 7:31 AM

A USB stick given away at a trade show is NOT automatically good. I was given a USB stick at a trade show in Boston that had a virus on it. This was a stick given to all attendees that had all of the show presentations on it.

bob!!June 30, 2011 8:10 AM

The food on the ground analogy is an especially broken analogy, because I'm sure that there isn't *anybody* whose mother has, since they were very small, continually reminded them "We don't use USB sticks we find on the ground." This isn't the case with food. While eating is the normal use for food, it is *not* the normal use for food that's sitting on the ground.

And for the rest of the found on the ground analogies, I *have* found a 1/3 full jug of windshield washer fluid on the ground, and picked it up and put it into my car. I've also used pens, money, flashlights and other things off the ground (I don't remember all of them, because finding something on the ground and keeping it to use happens enough that it's generally unmemorable).

JasonJune 30, 2011 8:42 AM

To Bruce's point, on my way into work this morning, I found a bag of potato chips in the parking lot. As it appeared to be a brand new sealed back, I picked them up, brought them inside and ate them - because that's what they're for.

noble_serfJune 30, 2011 8:58 AM

There''s also an age or knowledge factor here too.

If my boss found a USB stick in the parking lot, she would secure it, probably not be able to view it since our boxes have USB disabled, and then make attempts to find the owner (probably by spamming the entire email list, then creating a reply to all cascade of failure) becuase she thinks USB sticks are "expensive." (She thinks anything IT related is expensive).

I would assign value to the data on the USB and secure it at the security office (who holds lost andn found).

SlashdotterJune 30, 2011 9:07 AM

As they said on Slashdot about this:

Of course people used the stick at work, if the stick was infected and they used it at home then THEY would have to deal with it. At work, it is someone else's problem.

Perfectly rational behavior.

BF SKinnerJune 30, 2011 9:20 AM

Slashdotter 'Perfectly rational behavior"

The reasonable person construct is a lie.

People aren't thinking "This might be a risk so I'll open it at work." People aren't that granular in their security awareness unless they've been burned by a particular vector.

They are instead, as people noted above, thinking "I wonder what's on it." Or maybe "If I can see who owns it I can return it to it's owner"

NotQuiteALumberjackJune 30, 2011 9:34 AM

"The sad truth is that connecting to any device or network potentially is as hazardous as operating a chainsaw."

You've obviously never operated a chainsaw.

T800June 30, 2011 9:53 AM

That's why you need to have linux live cd at hand. Boot from cd and then examine the usb stick.
If your hard drive is in replaceable enclosure, even better.

Dirk PraetJune 30, 2011 9:55 AM

@ NotQuiteALumberjack

"You've obviously never operated a chainsaw"

Actually I have. More than once. Just google or youtube for "chainsaw accidents". Chilling.

Patrick G.June 30, 2011 10:00 AM

Nice amount of disagreeing posts.

I wonder if those people went to any conference, ever: Imagine lots of people, lots of documents to transfer and share.
And sure everybody uses other peoples USB sticks, plugs them in, reads and writes and so on.

This is reality, those people aren't dumb, they are using a tool in a way it was designed to be used.
Give them a secure and transfer method that is as easy that works as good as the sticks and they will use it.
But don't complain about them until you do.

From the briar patchJune 30, 2011 11:12 AM

Sometimes that idiot isn't an idiot, and sometimes that computer is a honeypot. I love it when malware fights over me...

Nick PJune 30, 2011 12:35 PM

@ BF Skinner

"Which is why there needs to be a government version of SourceForge. Or even should be a requriement to conserve orphan projects like that TO SourceForge."

Definitely. So many program's deliverables could have been used by the public, but were trashed. This one is definitely useful. Just the formally verified crypto component alone could be utilized in both commercial and open source projects. I've also been trying to get companies to tell me who, if anyone, has the source or rights to some of the older projects like Secure Ada Target, DTOS, and Trusted Xenix. Keep getting the run-around so far, when I get a returned phone call.

The closest thing we have right now are the Verified Software Repository and Verisoft Repository. The Verisoft Project that aims at pervasive formal verification in industry, starting with a bunch of demo projects. When they produce something, they usually put it in the repository for peer review and/or 3rd party use. So far, they got a compiler, a microcontroller RTOS, a microkernel, a processor, and some software libraries.

Verisoft XT
http://www.verisoft.de/GoalsAndResults.html

Verisoft Repository
http://www.verisoft.de/VerisoftRepository.html

The Verified Software Repository is part of the International Grand Challenge on Verified Software project. This group is trying to get pervasive formal software engineering going worldwide over the next 50 years. Good luck lol. One of their lesser ambitions is to get a bunch of projects done on little pieces of functionality and have them in a free repository online. This let's us build a formally verified software base gradually. That's a nice idea.

Verified Software Grand Challenge
http://vstte.ethz.ch/pdfs/vstte-hoare-misra.pdf

Verified Software Repository
http://vsr.sourceforge.net/

If the government had been doing this, we'd already have six secure OS's in there and recently a VPN. (sighs)

Dan S.June 30, 2011 3:09 PM

@Ben - are you a dad?!? Granted, the likelihood of taking candy from, or in a large sense "trusting" a stranger leading to harm is small. However that likelihood is present, and there is a stage between "trust" and "distrust" that is simply do not trust, that is be wary. My kids don't run away screaming from strangers, but they know enough to be cautious.

Gary H.June 30, 2011 3:28 PM

Hi Bruce. I, for one, appreciate your charitable, user-centric view of this topic. Before I was properly educated, I found one of these on the bus, with an IBM logo on it, and I intended to wipe it clean and use it for my own data. It was foolish, but I did it in ignorance. I agree with your post.

Br.BillJune 30, 2011 3:49 PM

RobertT wrote: "Trouble is most corporate computers have USB ports blocked (I wonder why?)"

Ha ha! That's a good one.

-- Santa Claus

VlesJuly 1, 2011 1:27 AM

NX bit for CPU's? lol

Should have a mechanism like that in OS for USB ports too! [data only]

FrankJuly 1, 2011 4:27 AM

> NX bit for CPU's? lol
> Should have a mechanism like that in OS for USB ports too! [data only]

Actually there are OS's out there which have; does:

mount -o noexec,nosuid,nodev

ring any bell? :-)

GreenSquirrelJuly 1, 2011 6:10 AM

@Adum Dudly,

Things like Lush Backup (and dropbox) are good but they are never going to be a replacement for USB drives.

For around £15, I can get a 16gb USB stick which I can use anywhere I need (with, or without an internet connection) and the data transfer rates mean that if I have a reason to shift all 16 gig around, I am not going to die of old age in the process. Equally, it is something I now *have* for ever and I can get to choose what security is put in place and how it is implemented. I can attach it to as many computers as I want and, if I can control who has access to its contents.

Lush Backup, however, does provide an excellent resource for backing up essential files from a limited number of machines. It is limited by internet bandwidth (and download caps where applicable) meaning that, as a file transfer solution, it is not as efficient or flexible as the much maligned USB stick.

There is an element here of not just blaming the victim but also blaming the neutral technology. The USB stick is equally useful for good and bad things. If I need to share a few GB of data with people, doing it over USB drive is fantastic.

The problem, as Bruce pointed out, is that we have OSes which are vulnerable to untrusted data.

If we all moved to sharing files via cloud systems things wouldnt be any better (c.f. bittorrent). Getting rid of USBs doesnt remove the problems around users sharing files.

VlesJuly 1, 2011 7:59 AM

> mount -o noexec,nosuid,nodev

Do they use such technology in government buildings? (or private contractors)

Sounds like a solution!

Kerry VeenstraJuly 1, 2011 10:29 AM

Microsoft won't disable the Autorun automatic virus installer because it is misused by some developers to install legitimate programs.

confusedJuly 1, 2011 10:53 AM

Food, oil, a wallet,... why not give an analogy closer to the discussion? If a user happens upon a web page and they have no idea of its origin, should they be protected if they click any buttons on that page?

Any form of input to a computer is subject to attack so that the only truly secure system would be something on the lines of a calculator. There has to be some point where users have to make reasonable decisions or except the consequences.

To the guy that found the can of oil in the parking lot and used it in his lawnmower; if the engine stopped working would you blame the lawnmower manufacturer?

Nick PJuly 2, 2011 12:01 AM

@ all

I've seen a lot of comments about bad analogies. Perhaps they were. But, that was the minor point in my reply to Bruce. The real reason I blame users, their economic choices, haven't been discussed. I'll repost it here. Anyone have any thoughts on this angle?

"The problem is that the OS will automatically run a program that can install malware from a USB stick." (Bruce Schneier)

Most don't, but that's surely a problem. Why does this problem exist? Because manufacturers don't focus on building secure systems. Why don't they build secure systems? >>BECAUSE USERS DON'T BUY THEM!

Most users want the risk management paradigm where they buy insecure systems that are fast, pretty and cheap, then occasionally deal with a data loss or system fix. The segment of people willing to pay significantly more for quality is always very small and there are vendors that target that market (e.g. TIS, GD, Boeing and Integrity Global Security come to mind).

So, if users demand the opposite of security, aren't capitalist system producers supposed to give them what they want? It's basic economics Bruce. They do what's good for the bottom line. The only time they started building secure PC's en masse was when the government mandated them. Some corporations, part of the quality segment, even ordered them to protect I.P. at incubation firms and reduce insider risks at banks. When the government killed that & demand went low again, they all started producing insecure systems again. So, if user demand is required and they don't demand it, who is at fault again? The user. They always were and always will be.

On the bright side, those same users are the reason I can send photo's to friends on a thin, beautiful smartphone. They also gave us short-lived 1TB hard disks whose low cost made the short-lived part tolerable. They are also probably why I have a full-featured, fast, cheap wireless router at the home. So, at least some good comes from the users choices of demand. But, they definitely don't accept the tradeoffs of real security, they don't demand it, it doesn't pay to produce it, & that's why it's their fault.

(To be totally honest, evolution and the human brain's hardwired patterns are the real culprit. Society/civilization evolved much faster than the human brains ability to properly interact with it and assess risks. It's a pet theory I've been thinking about writing a paper on that shows each flaw & interaction in detail. But, people are also smart enough to know their weaknesses and act responsibly. They usually remain wilfully ignorant or apathetic. So I blame them.)"

tommyJuly 2, 2011 4:47 AM

@ Nick P.:

Speaking as one with an MBA in Economics, your post is in total agreement with a secret tightly kept among us econogeeks, called "The law of supply and demand". (It must be a secret, because Congress, POTUS, and all other politicians regularly try to flout it. Reality always wins in the end, which is why we're in this current mess and aren't getting out unless radical changes are made.)

The only minor quibble is that most average home users (AHU) naively believe that Gov, MS, their AV vendor, etc. will keep them safe. They have no idea of how dangerous are the threats; random surveys of home PCs show that 80-90% are infected with at least one form of malware, often several.

I've received an infected Word doc from a very intelligent user whose two Master's degrees are in the arts and education. I've seen a friend with a Master of Science in CSci pick up a spyware "toolbar". They *just don't teach* security as being a necessary part of CSci, apparently. They should, both as separate modules and as a part of every course. But I digress.

The user's refrigerator is safe; their car is reasonably safe; both are appliances to be used, not feared. They naturally extend that to IT, because they don't know any better. It seems that the market demand will have to come from enterprises with much more to lose in dollars or pounds or euros, and only strict liability will force that. Otherwise, the loss falls on the user.

The evolutionary point is good. A tiger appears. Try to kill it, and obtain food? Or run like crazy, to avoid becoming food? Digital is so novel in humanity's history, and so different - the threats can be invisible. Even an army knows to fear an ambush. But not 0s and 1s. These aren't threats that we've evolved to assess.

"people are also smart enough to know their weaknesses and act responsibly."

They could, but they don't. The human capacity for self-delusion to maintain self-esteem and comfort level is nearly infinite, and our US schools are sacrificing knowledge to phony "self-esteem" courses. (That's an actual report from my friend with the M.A in Education, a public schoolteacher.)

People become alcoholics; drug addicts; vote for politicians who promise them benefits that will come from "somebody else".

If people all drove well, and never under the influence, safety devices on cars wouldn't be needed. The US Gov finally recognized that they don't drive well, and so started requiring restraints, air bags, anti-lock brakes (I've raced a bit and driven on a skid pad, but most drivers panic in a skid), crash-absorbing zones and bumpers, padded dash and steering wheel, etc....

I'm afraid we may have to "protect people from themselves" in IT, as well. Either by Gov regulation, or Internet regulation.

"You cannot connect to IPv6 with your insecure equipment. You must stay with IPv4, and that will end in X years."

A while back, Stanford University, I think it was, started a think-project, "What if we could rebuild the Internet from scratch, knowing what we know now?" I looked forward to the report eagerly, assuming they'd ensure Net security was baked in. Instead, most of the ideas were for even more advanced ways of delivering dancing bunnies, if you get my drift. If Stanford thinks this way...

The only alternative is Thoreau's civil disobedience: Openly support LULZ-type attacks, but be sure to do no actual harm, merely post on the web site or browser, "You've been hacked. We could have done worse. Think about it." When every web site and almost every user has seen that... if that doesn't work, it may be necessary to get /a little bit/ nasty, though of course I'm not advocating any criminal activity.

The US and USSR started reducing the nuke stockpile only after some incidents of coming to the brink of holocaust. It may be the same with IT security.

Those are my thoughts on your angle.

Why we're in the current economic mess, and how it all relates to trying to circumvent the Law of Supply and Demand and other fundamental principles of reality:

http://www.amiright.com/parody/70s/donmclean152.shtml

VlesJuly 2, 2011 7:20 AM

tommy, thank you for your link. the way you explain value (or the process of revalueing --> devalueing) prompts me - beg pardon off topic - to ask you: what's your take on digital stores? surely they break - by their very nature - the law of demand and supply as there's infinite supply? what happens when supply is near infinite?

also that thoreau fellow and your "if a little disobedience doesn't work, then up the ante" makes me think of ted kaczynski manifesto, surely that direction is not a good thing? should we not be more like ghandi then?

tommyJuly 2, 2011 10:30 PM

@ Nick P.:

"The first copy of new sw costs a million dollars; all the rest cost nothing". You're right that the ability to copy digital info infinitely at near-zero cost has introduced a new element into the equation - and that's exactly what's behind the current issues of DRM, bootlegging, pirating, etc.

Fifty years ago, very few people would have gone to the expense of making (pirated) physical copies of books and reselling them on the black market. Even though the royalties to the author are cut out, and the publisher has already done your advertising and promotion for you, the cost of printing, storage, and shipping still cut the pirate's profit margin considerably. Especially because he has to undercut the publisher's price in the first place, by enough to swing sales his way.

Plus, the pirate would have to advertise the availability, which in a pre-Internet world would cost a lot of money to cover all likely markets. And it would leave a trail for LE to follow back to the pirate.

All of that has changed, and that's why pirating has become a major industry. I've read that in the Phillipines, a cracked and usable Windows DVD sells for very little more than the cost of a blank DVD.

Similar to your evolutionary points about digital threats vs. traditional, this does change the economic model of the past ten thousand years, and the difficulty of enforcement is creating new challenges: How to protect authors' IP rights without breaking users' machines, etc. It's nowhere near being solved, obviously, and the process to produce legislation has barely started.

One possible successful example is in music downloads. The recording industry was accustomed to getting, say, $15-$20 for a vinyl album, and a few dollars for a (two-sided) single. They tried to keep that price structure with CDs and digital d/l's, creating enough of a margin for pirates to take the risks and gain the profits.

So they lowered the price of MP3 d/l's -- lowest I've seen so far is $0.63 for one, thus passing on to the buyer some of the economies of digital duplication. Also removing a lot of the pirate's incentive: You have to sell an awful lot at, say, 40 cents (undercutting) to make any money, including the cost of processing payments.

Sheer user copying, at no profit, will require a complete re-thinking of copyright law. I could, theoretically, (never have, of course) watch a YouTube video and make an mp3 or video file from it myself. And a lot of what's uploaded there is already copyrighted material - original vinyl or CD. They get take-down requests all the time; they close users' accounts for violation of TOS; but in the meantime, millions of copies may have been made, which can now be passed around infinitely.

Food, materials, and labor have always had significant costs - in time, in effort, or in money that represents someone's time and effort. The ability to copy bytes at almost no cost changes everything, and will require substantial changes in our thinking and our laws. You face this with your proposed HA sw: You've obviously put a great deal of time and effort into it; is it right that anyone should be able to copy it without you being compensated?

One market response has already appeared: the donation model. There will be free-riders, as there already are in traditional economic cases, but many people do want to support the continued development and release of sw or content that they desire. But sometimes, donations come with strings: Google donates a large amount to Mozilla, which carries quid pro quos, such as using Google as the "safe surfing" vetter of phishing or malware sites, which in effect gives Google your complete browsing history and usage - which is valuable for advertising. Or as introduced in Firefox 3+, geolocation, not just by IP (mine is usually off by about 20-50 miles, which suits me fine), but right down to the street address of the user.

Got a copy of F3? (I got rid of F4, of course, because of the irreparably-broken announcement, and don't trust F5, which was obviously rushed out way before anticipated release -- F4 had been out for only three months, and it clearly hadn't been tested sufficiently, so how could F5 have been tested even that much?)

For F3, navigate to (Windows XP, or equiv path in your OS)
"C:\Program Files\Mozilla Firefox\components\NetworkGeolocationProvider.js"

Open the .js file with Wordpad or equivalent. It's not a large file. Find

function WifiGeoAddressObject

and look at all the parameters, from street address to lat/long and altitude.

And who does the geolocation?

about:config > geo.wifi.uri string value = https://www.google.com/loc/json

Shocked, I tell you, I'm shocked! ;) (not)

So now Google can add your exact street address to the rest of the dossier they have on you.

btw, the commenting in that code is interesting:

// if we don't see anything in 5 seconds, kick of one IP geo lookup.
// if we are testing, just hammer this callback so that we are more or less
// always sending data. It doesn't matter if we have an access point or not.

// send our request to a wifi geolocation network provider:

// This is a background load
xhr.mozBackgroundRequest = true;

I don't like things loading or phoning home behind my back.

You can replace that geo URL string with a blank space, and toggle the default, geo.enabled = true, to false

I've asked Giorgio Maone to add a box to NoScript GUI, checked by default, to disable this 'feature", which most home users surely don't know about, nor about how to disable it. His reply was that it was opt-in anyway, because a web site that wants to use this provides a pop-up bar saying so, and you can check "Share my location", or "Don't share..." Yeah, but given the past attacks on history, cache, css, etc., *which were never meant to be shared at all*, surely someone will find a way around the request-permission thing. They find a way around everything else.

And once the data are out there one time, you can never delete them, despite Fx's absurd claim that clearing your own history will somehow get it out of Google's db.

But you know me, Mr. Poly2. ;) I figure the best way to make sure that no file is ever exploited, misbehaves, has flaws discovered, etc. is to get it off the machine altogether. Prime example here. *wink*. And yes, F3 runs just fine without that, along with its fellow,

"C:\Program Files\Mozilla Firefox 3\components\GPSDGeolocationProvider.js"

not to mention

\components\nsFormAutoComplete.js
\components\nsLoginInfo.js
\components\nsLoginManager.js
components\nsLoginManagerPrompter.js
\components\nsPlacesAutoComplete.js
\components\nsSearchService.js
\components\nsSearchSuggestions.js
\components\nsSessionStore.js

which are also potential privacy leaks, along with

\components\nsTaggingService.js. (useless to me, but some might use it)
\components\nsUrlClassifierLib.js.
\components\nsUrlClassifierListManager.js.
\components\nsSafebrowsingApplication.js.

and in folder Modules,

"C:\Program Files\Mozilla Firefox\modules\CrashSubmit.jsm"

because the crash submit tells MZ what you were doing, and where, when the crash happened. More unmonitord phoning home. Add'l files in the main Program Folder:

Program Files\Mozilla Firefox\crashreporter.exe.
\crashreporter.ini.
\crashreporter-override.ini.

In the Profile folder:

profiles\(Profile Name)\search.json
\urlclassifierkey3.txt

I seem to have digressed. :) Pardon the personal rant, but the point was that donations often have strings attached. (Strings -- another pun... ;)

So, how do free Linux distros support themselves? If everyone volunteers, they must have day jobs...

In summary, I don't know the answers, and neither does anyone else. It's an evolving field.

Is this what you meant by "stores", or were there other meanings not covered here?

I hope Clive doesn't think I'm trying to steal his crown for "essays in blog comments. Will take a break before replying to the second part of your comment, but yeah, "upping the ante" is a bad idea. I just haven't seen anything else that will get Gov, corp mgmt, corp Admins, or home users to demand HA, have you?

Nick PJuly 3, 2011 12:47 AM

@ tommy

I'm pretty sure you just replied to Vles's post and put my name on it. Seriously, man, do his flowing sentence fragments even resemble a post of mine? And no emoticons? WHAAT!? :P

Seriously, though, thanks for posting all of that information about Firefox. I didn't know about that particular data leak. As usual, your minimization lists are great. If I find those files on my Linux box, I'll certainly be deleting them if Firefox still works without them. :)

RobertTJuly 3, 2011 1:18 AM

@tommy

I'm not sure what a DVD costs in the Philippines but in China the street price is somewhere between 3 and 5 RMB. (that's about 40c to 70c US). It does not matter what the disk content is TV, Movie, Music, Operation Systems, Applications. all are the same price. The stand will typically have copies of Win7, Vista, XP/SP3 your choice. If you buy a new PC from a second tier vendor, they will ask you what apps you want them to pre-load, all as a free service. Autocad, Officesuite, Adobe, Photoshop all no problem, exotic / specialty apps usually take them a few hours to find (so come back after lunch)

Of course as with everything there is no free lunch, so each significant app comes with it's own unique rootkit, and accompanying virus load, sometimes the rootkits are stealing resources from other rootkits to the point where everything goes pear shaped. Actually the best rootkits are also great AV resources, because they close all likely doors after they install, kind of like a security kernel.

tommyJuly 3, 2011 1:21 AM

@ Nick P.:

(double facepalm)

Another lesson in Human Factors Engineering, a special interest of mine.

"We see what we expect to see" (or want to see). I expected a reply from you, so I didn't even look at the name. Lamest excuse possible: These discussions are so thought-provoking, one wants to get the thoughts on disk ASAP. :-(

Do please let us know your results with Fx on Linux. I can't really see how the files could *not* be there, in the appropriate location, nor why Fx on L. would break when Fx on W. continues to work fine for me.

btw, do you and Giorgio Maone know each other at all? My point to him was that 99% of users -- even NoScript users -- don't know about this geo "feature". If a user as tech-heavy as yourself didn't know of it, what chance has the average home user? ... I could perhaps point him here, invite him to make his own judgments based on your posts, but I think his mind is made up. I have great respect for him, personally and professionally, and he's singlehandedly made the Web sort of safe for many light-tech users, so I won't push.

Now, please excuse me while I go have another helping of crow. :-0

@ Vles:

Humble, humble apologies. See above lame excuse and self-flogging.

I agree with what Nick P. said (I checked his signature three times ;) at the TDSS Rootkit Thread:

http://www.schneier.com/blog/archives/2011/07/tdss_rootkit.html#comments

"I have to say that I agree with that minority of security professionals: I loved LulzSec and miss them. They, and people like them, showed just how pathetically weak the current security approach is. They gave more robust solutions some free advertising by making many lay people ask their geek friends: "How could anyone avoid this stuff?" The answers vary, but probably made us all safer. ;)"

The problem of what to do if that doesn't work is a thorny one. You're right, it's a bad direction to continue. Bruce has discussed the issue of whether it is legitimate to feed a detection-and-correction "virus" to a machine known to be bot-netted, when the owner doesn't know and so won't do anything about it. Can we do evil to do good? No, I don't like it. Unauthorized change to another computer or network is still legally and morally wrong, although the no-harm LULZ may squeeze under the wire there. Sort of like, if I see a car in the parking lot with its headlights left on, and the door isn't locked, I can shut the headlights off to save the owner the agony of a dead battery -- there's no "criminal intent".

But how does the Ghandi approach work? Not use the Internet? Not possible in business these days. Boycott unsafe sites, products, etc.? That's virtually all of them. Go on a hunger strike? The majority in the US could stand to lose the weight, but it doesn't really pressure the vendors, except for the food vendors... ;)

I'm open to ideas. Got any?

p. s. Glad you enjoyed my treatise-disguised-as-parody. Do feel free to read any of the others, and also to leave comments there. No registration or authentication is required to post comments, just like here. The community self-polices very well.

My solo works, on many fields besides politics and economics: (some are just for fun; some a bit "racy", but never obscene)

http://www.amiright.com/parody/authors/tommyturtle.shtml
which includes an explanation of the US housing bubble-and-burst,

http://www.amiright.com/parody/misc/williamshakespearehamletlordpolonius0.shtml

99 more with a co-author, including the one you read:

http://www.amiright.com/parody/authors/fiddlegirlandtommyturtle.shtml

@ Nick P.:

WILL YOU PLEASE GET SCHNEIER BLOG BETA THREAD-BASED MODEL UP AND RUNNING, ALREADY???? >grin

tommyJuly 3, 2011 1:26 AM

@ Robert T.:

Thanks for the info. As you said, nothing is really "free" -- you get what you pay for, which surely includes spyware and more. And LOL @ all of the rootkits forming a security kernel!

VlesJuly 3, 2011 3:28 AM

> Is this what you meant by "stores", or were there other meanings not covered here?

Nothing more, I meant the "stores" selling digital goods: movies, music and books. I'm struggling with "Value" and "Trust" a lot lately.

> Seriously, man, do his flowing sentence fragments even resemble a post of mine? And no emoticons? WHAAT!? :P

lol. Mea culpa. (Not my best writing I acknowledge) I'll blame it on being a foreigner and not conducting enough error checking before posting. :o)

> I just haven't seen anything else that will get Gov, corp mgmt, corp Admins, or home users to demand HA, have you?

Gauging by reactions in the media, I'd say Lulzsec's efforts have come closer than anything else. I know of nothing else.

> Can we do evil to do good?
Good people certainly can do evil by doing nothing.
There are many examples out there of being evil to do good. Some recent articles came to my attention:

The secret-service dilemma:
http://www.nrc.nl/nieuws/2011/06/03/het-aivd-dilemma-hoe-dieper-de-infiltratie-hoe-vuiler-de-handen/
(Loose translation: The deeper the penetration, the dirtier the hands)

Google translate for non-Dutch speakers:
http://translate.google.com.au/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.nrc.nl%2Fnieuws%2F2011%2F06%2F03%2Fhet-aivd-dilemma-hoe-dieper-de-infiltratie-hoe-vuiler-de-handen%2F

> Unauthorized change to another computer or network is still legally and morally wrong, although the no-harm LULZ may squeeze under the wire there.

Shutting down a botnet by reverse engineering the virus and instructing it to uninstall... (Coreflood and Bredolab are mentioned as examples)
http://www.wired.com/threatlevel/2011/04/coreflood/

I've heard rumors of white hats writing their own "fixes" (sometimes to the detriment of AV vendors), enabling their creation with worm-like capabilities to "go forth and cleanse". But someone will have to back me up on that one.

> I'm open to ideas. Got any?
More LULZ? I don't know :/

Come time, I'll read all of your parodies :o) - Thanks for sharing.

Re FF, google and geolocation, (take your wifi's mac address) would it classify as an example of being somewhat evil to do good? (give you a better augmented reality experience?)

tommyJuly 3, 2011 4:52 PM

@ vles:

"Re FF, google and geolocation, (take your wifi's mac address) would it classify as an example of being somewhat evil to do good? (give you a better augmented reality experience?):

Not if it does it without my permission. Which, as mentioned, someone will surely find a way to do. If I want the help, I can always feed my own address or GPS coordinates that I obtain myself, into a form asking (where is a nearby restaurant, etc.)

JonathanJuly 4, 2011 2:06 AM

@Gabriel:
1. My keyboard breaks.
2. I get another one, unplug the broken one and plug in the new one.
3. Dialog says "You plugged new Keyboard X, press Y to accept"
4. I press Y... on which keyboard exactly?

tommyJuly 4, 2011 3:57 AM

@ Vles:

"Shutting down a botnet by reverse engineering the virus and instructing it to uninstall... (Coreflood and Bredolab are mentioned as examples)
wired.com/threatlevel/2011/04/..."

Opening line of the story:

"In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge..."

Do you see the difference? The FBI did not act on their own. They took their evidence and their case to a Judge, who ruled in their favor. This is what the founders of the US had in mind in the famous Fourth Amendment to the US Constitution ("Bill of Rights"), requiring that search warrants be issued only after presenting evidence of probable cause of wrongdoing, under oath, to a Judge.

And this is what makes privacy advocates in the US furious over the so-called "USA PATRIOT Act" (yes, it's actually an acronym, an idiotic one -- WikiP has it) -- the warrantless wiretaps and mass e-mail scanning of parties, self included, for whom there is no evidence of wrongdoing, in the hopes of finding a needle in a haystack of someone plotting the next evil attack.

If they believe Mr. X is planning to do so, they can take the reasons for their belief to a Judge, and if the evidence is convincing, a warrant will be issued. This is the proper checks-and-balances system needed to enable law enforcement while protecting individual rights.

I certainly encourage such things when botnet machines or servers can be detected reliably, and corrected, with judicial approval beforehand.

Regarding geolocation of wireless, there is already http://www.wigle.net/ , which has many (not all) wireless routers and networks mapped, in interactive, browseable maps of the world. These were originally contributed by wardrivers to make it easy for travelers to "borrow" an unsecured network. I imagine these other data sources are now included.

I'm pleased that my own home wireless isn't in there, although the WPA2 security makes me feel reasonably OK. A friend's home network was there, though not with the accuracy of the Firefox geolocation feauture of "street address". It was about 100m off.

"If it did it without your permission it would be evil to do good?"

But why is it GOOD? How on Earth is *my* browsing to *my* choice of sites enhanced by the site knowing where I live? If I *want* personalized info, such as where is a nearby restaurant, or driving directions, I can *volunteer* to fill in a form at a site designed for that specific purpose. (There are many.) .. btw, I usually fill in an address a few streets away, just to add disinformation to such databases. My webmail thinks I live 30km away. (They also think I'm a 17-year-old girl, which would make for interesting advertisements, if it weren't for the ad-blocking software.;)

I don't want someone "doing me good" against my will, or without my permission. I think I, not they, should decide what's "good" for me -- except when my actions (being bot-netted) harm others (my machine sends spam, for example.) Otherwise, I run from do-gooders.

Old joke in the US: Scariest words ever: "I'm from the Government, and I'm here to help you."

New version: "I'm from Google, and I'm here to help you". No thanks; when I want help, I'll ask for it.

By the way, Nick P. was kidding -- at my expense, not yours. Your English is very good, and people often leave blog comments quickly and without proofreading -- trust me! -- whereas in a more formal setting, they'd be more careful.

Vrede,
tommy

Clive RobinsonJuly 4, 2011 3:58 AM

@ Jonathan,

+1 2 U

You raised the first chuckles on this Monday morning 8)

Clive RobinsonJuly 4, 2011 4:26 AM

@ tommy,

Firstly good morning to you (from the UK, though if you are in the US what on earth are you doing up at this time 8^)

With regards,

"And this is what makes privacy advocates in the US furious over the so-called "USA PATRIOT Act""

You forgot to mention the worst type of terrorists, ie those that "fail to render unto Ceaser".

Ultimatly that is what all those warrantless intrusions under PATRIOT will be used for, extracting tax.

In the UK it has been said that the Inland Revenue and Customs & Excise, are developing and deploying software to find those trading on EBay and the like and assessing them for a request for 30% off the top and VAT etc etc.

Menwhile action against major tax dodgers like Vodafone and Tessco's is quietly stopped by "Treasury advisors" who are the very same people who worked for the major accountancy firms who thought up and sold the "tax dodging" systems to them in the first place...

Proving once again it's not just what you know nor just who you know but who they will influance on your behalf that is important...

VlesJuly 4, 2011 6:07 AM

@ tommy
> Opening line of the story:
"In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge..."

I see the difference, but what of infected computers falling outside the jurisdiction of either DoJ or The Dutch Ministry of Security and Justice? Tbh I don't know if their reverse engineering work and subsequent uninstall instructions excluded those... Laws are country bound.... (though the Hague has a good track record of calling international rule breakers to account. )

Thanks for the link to wigle! Never been there before. 

> I'm pleased that my own home wireless isn't in there, although the WPA2 security makes me feel reasonably OK. 

http://www.wpacracker.com/
Learn another language not English or German or any that they have rainbow tables on. Or be like Tolkien and make up your own. :o)
I haven't used the site but I will one day to check on my own WPA2 password. (which - regardless of result - I will reset)

A friend's home network was there, though not with the accuracy of the Firefox geolocation feauture of "street address". It was about 100m off.
Will you tell him?

"If it did it without your permission it would be evil to do good?"
But why is it GOOD? How on Earth is *my* browsing to *my* choice of sites enhanced by the site knowing where I live?

As someone said before on this blog: Good is what I like. Evil is what I don't like. Why does FF ship the geolocation.js in the first place? Because they can? Because they like it? Not many know about its presence so for them they'll have no chance to not-like it and never are any the wiser to how location aware surfing works. Is that a bad thing?
I suppose it takes some of your freedom away. But doesn't it offer you more value equal to what is taken away? Doesn't it make it easier for you by only showing you the movie listings for your city, rather than for idk Rotterdam? Or the libraries nearby you rather then the ones in idk Eindhoven? Or the flowershop around the corner rather than a similar named one in, say, Glasgow? Some people believe in magic or Santa Claus (Sinterklaas)
What's the value of freedom if you don't know you have it? Should you tell others if you know they don't know?

> btw, I usually fill in an address a few streets away, just to add disinformation to such databases
My webmail thinks I live 30km away. (They also think I'm a 17-year-old girl, which would make for interesting advertisements, if it weren't for the ad-blocking software.;)
I don't want someone "doing me good" against my will, or without my permission. 

Could this be then why we are sometimes dishonest?

Is true value added when it is at the cost of (some) liberty?
Do we not trade in our bachelor hood when settling in a monogamous relationship? Do we not submit to the state's sovereignty  by abiding by it's rules&laws? For a greater Good? Or for a Good that is equal to our liberty lost, but with the special bonus it counts for all those who are bound to it? Levels the playing field?

Richard Steven HackJuly 4, 2011 8:03 AM

Vles: "Why does FF ship the geolocation.js in the first place? Because they can? Because they like it?"

Bingo! Those ideas pretty much explain all software development and especially open source software development. Commercial software development does it, too, but open source is totally devoted to programmer egoboo: "Hey, look what I did! Ignore the fact that it's unusable, unreliable, and insecure! It's COOL!"

Add in the necessity to tout "features" in order to get program adoption - necessary for egoboo - and we're doomed. Need...more..."features"... whether any one asked for them or not.

The entire software industry is based on (apologies to Slashdot):

1) Write program;

2) Sell it (or get it adopted, in OSS);

3) Add more features;

4) repeat 2) and 3);

5) PROFIT!!! (Money wise, egoboo or both.)

Someone decided that geolocation could be "useful" to "someone" for "something" - and that's all it takes - and all the thought that goes into it - to get a feature in an application these days.

Zero consideration for desirability, usability, reliability or security.

ZygoJuly 4, 2011 12:31 PM

I'm not sure that USB sticks are for plugging into other people's computers. The technology arose when someone connected a bunch of off-the-shelf pieces together--pieces that were designed for different use cases. I would say that from an engineering perspective, everything from the top-level application protocols down to the physical connector shape is _not_ designed for routine data transport between computers.

The SCSI protocol in UMS was designed for storage devices with trusted firmware (like a CD-ROM drive, floppy drive, or a hard disk on the business end of an ATA controller), and OS code treated the drive as a trusted entity ("my CD-ROM drive") while treating the media within the drive as at least potentially untrusted ("someone else's malware-infested CD-ROM"). Other removable-storage-media technology like CompactFlash and SD/MMC cards also have a trusted host interface that stays with the host computer, not the media. These devices all have well-understood security implications (good and bad), but USB sticks in particular are very slightly different from all of them.

USB sticks combine both the interface and storage functions into a single device, which exposes a number of non-storage-related layers in the USB stack that weren't exposed before. They have interactive access to the host computer in ways that CD-R discs and floppies just don't. If the OS has even a modest level of paranoia about unfamiliar USB devices, USB sticks quickly become inconvenient or even unusable--and that's ignoring the question of how you reliably know a USB device is familiar in the first place.

The rest of USB (before the floodgates opened and people started using USB for everything) was designed with devices like mice and keyboards in mind--devices which tend to stay in the possession of a single user. USB bus speeds were extended by more than two orders of magnitude since then. It is not surprising that USB code designed in the mid 1990's is unable to cope with common use cases in 2011, and by now none of us should be surprised that popular USB stacks haven't been updated to fix the lower-layer vulnerabilities yet. Only a few short years ago plugging a new mouse into an old computer was likely to crash its OS--now you not only expect it to keep running, but resist intentional attack?

Other hardware and wire protocols that are designed for data interchange between computers look nothing like a USB stick. Compare OBEX over Bluetooth (including the discovery and pairing protocols, which often allow users to not only allow or deny connections, but also constrain the services a device can use) or IRDA, MTP or PTP over USB, SD/MMC's physical connectors, or a dozen popular near-field and short-range wireless protocols.

Even the USB connector says "don't use this as a data interchange device." The standard USB A connector found on most USB sticks (and in most computers!) is fragile, and wears out much more quickly than purpose-built data interchange connectors (or even later standard USB connectors found on devices like cell phones). Even if we fix the software, routine use of a USB stick to transfer data between computers will simply break both computers' USB ports.

RandallJuly 4, 2011 3:47 PM

Heart this blog post for up and stating an opinion. Next time I find a strange USB stick I might play it like an ocarina.

tommyJuly 4, 2011 7:23 PM

@ Clive Robinson:

Thank you. I hope you're feeling better today.

As for my hours, you do realize that I could be living in the US State of Hawaii, which is UTC-10 (no daylight savings time), and therefore, that post could have been written quite early in the evening or late afternoon? Also, that today (Monday) is a holiday in the US -- something about some silly misunderstanding with the UK 235 years ago, but it's all good now ;) -- so there wouldn't be a need to go to sleep early, with no work the next day?

(Little-known fact to most US citizens: The day was supposed to be July 2. The difference was explained, in satiric form, in footnote [7] of the following general satire of how poorly Americans know the history of the culture -- yours -- which gave us our inspirations, via Enlightenment thinkers such as John Locke.) You might enjoy the following self-mockery of American ignorance:

http://www.amiright.com/parody/60s/hermanshermits130.shtml

Taxes: “it's not just what you know nor just who you know but who they will influance on your behalf that is important...”

Indeed, Sir. President Obama has been embarrassed (or maybe not) at revelations that several of his Cabinet members and other high officials or nominees were tax dodgers. Yet none has gone to jail. “I made a mistake” -- of hundreds of thousands or millions of dollars. Try that as a private citizen... Congressman Rangel was found to have under-reported vast amounts of income. He was told, “Naughty, naughty”, but still holds his seat, and his constituents re-elected him.


@ Vles: (and later, @ Richard Steven Hack)

“WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary...”. or 1.35 x 10^8.

http://www.grc.com/haystack.htm

Didn't run my actual PSK, but used one identical in terms of characters (upper and lower case, numbers, etc.)

Search Space Size (as a power of 10): 1.26 x 10^25

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario:
(Assuming one thousand guesses per second) 4.01 trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 40.08 thousand centuries

Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 40.08 centuries

So my WPA2 key is 17 orders of magnitude more time-consuming to crack than their attack against stupid, weak keys. Besides, as I sit here, I can pick up two unsecured networks from my neighbors, so why would anyone even bother to try mine? (I'm not wealthy or otherwise a high-value target -- alas! ;)

“A friend's home network was there.... / Will you tell him?”

Already did. But again, the key is stronger than that cracker site, and also a low-value target, also with unsecured networks nearby. Nothing to lose sleep over. Just use strong passwords!

“But doesn't it offer you more value equal to what is taken away? Doesn't it make it easier for you by only showing you the movie listings for your city, rather than for idk Rotterdam?”

I can do that already, through many search pages, including localized ones (for movies, etc.), without disclosing *anything* about myself, other than the fact that I’m querying about a particular region (plus not-so-accurate IP geolocation. But that is very rare. 99.9+% of my browsing is not like that, so they are not doing me any “good”. Does Bruce, or you, or anyone else here really care *exactly* where I live -- other than Clive, who wants to ensure I get my beauty rest ;) ?

>>>> “I usually fill in an ... disinformation to such databases...”

“Could this be then why we are sometimes dishonest?”

Absolutely. I HOPE BRUCE SEES THIS. (sorry). I lie to protect myself from invasions of my privacy. I’ve never had to lie to my television set. (I don’t have Tivo, I have a stand-alone DVR.) My TV can’t track what I watch, when, what’s muted or increased volume (Tivo can, and does. Tivo users, a word to the wise.) So I don’t have to lie to it. OTOH, web sites can set cookies, web beacons, Flash cookies, and now, this geolocation thing, etc., etc. It’s like lying to someone you don’t very well about your standard of living, value of things in your home, etc... could be a potential thief, so if the topic comes up, understate. And lie about where the jewels are stored. *** Perhaps a section in Bruce’s new book, about “Defensive lying?”

“Is true value added when it is at the cost of (some) liberty?”

I still don’t think that the geolocation is any type of true value to me, and no need to repeat that any more.

“Do we not trade in our bachelor hood when settling in a monogamous relationship?”

Voluntarily! (most of the time, LOL.) Still missing the difference between my volunteering and Firefox squealing behind my back.

“Not many know about its presence so for them they'll have no chance to not-like it and never are any the wiser to how location aware surfing works. Is that a bad thing?”

Yes. Unequivocally, yes.

As for why the geolocation was added to Firefox:

What Richard Steven Hack said^10. Plus, donations from Google, which support Mozilla substantially.

@ Richard Steven Hack:

What you said. Also, Nick P. liked this non-partisan anti-Gov rant in song parody form. Don't think you've seen it, but no obligation, and double your money back if not satisfied:

http://www.amiright.com/parody/misc/francisscottkey21.shtml

@ zygo:

“The standard USB A connector found on most USB sticks (and in most computers!) is fragile, and wears out much more quickly than purpose-built data interchange connectors”

Yes, I found that out almost the hard way. One started failing, because it had been used, not so much for data xfr as for backup and storage of stuff that didn’t need to clutter the HD so much. Which is why my entire HD footprint is consistently less that 900 MB -- that is not a misprint -- which in turn, makes backups quicker, easier, and smaller.

But the connector began to fail. I was lucky to get it to read one last time, and copy the entire contents to the HD, then buy *two* new flash drives, and copy the contents to both. It’s always been the practice to copy such things to CD or DVD as well. In the case of backups, the most recent full-disk-image backup and increments to it are kept on the flash drive even after burning to CD, because a restore is a lot faster from flash. But your point is well taken.

VlesJuly 4, 2011 10:17 PM

@tommy
I admit, I marvel at Socrates and his dialogues of old to transcend these intangibles (Trust, Value, Good, Evil, Honest, Dishonest). However, I'd be the first to stand up and say I'm far removed from his intellectual and rhetoric prowess, especially doing so in a language I do not - and never will - fully master. I hope I've tread and will tread carefully. I do not mean to offend or ruffle feathers! But I phrased my posts to help foster the discussion. I come here as much to learn about technology as I do to listen and learn from the posters (of its most frequent contributors). It's close to music sometimes.

While we have gone somewhat off topic, the crux of the OP is "man errors - even when he/she should know better". RSH's meme: "There's no security, suck it up" rings true in the case of people plugging in strange/foreign/unknown USB sticks. Many forego to safeguard themselves before using a foreign object. A willingness to Trust wins out from a healthy dose of Skepsis. Having enough of "good security" (in whatever form) , helps validation, so we know we can safely commit with our emotions (trust bonding), rather than take up a hostile stance. I'm not schooled in psychology, but perhaps someone who is can refute or concur with the following: If there are no conceivable dangers to the individual, and little to no security to help verification or decisively conclude good/evil, and there's perceivable gain, trust bonding is a rather normal and instantanous process? Time will then show him/her what true (or false) value was gained?

> "If it did it without your permission it would be evil to do good?"
But why is it GOOD? How on Earth is *my* browsing to *my* choice of sites enhanced by the site knowing where I live?

If their intention is Good (Their result makes the data returned more relevant, therefore saving you time) does that make the actions they take in that respect Good? You state it does not make their actions Good, as you do not trust their intentions. They feel predetermined (geolocation.js sitting in a folder waiting) and the whole process precludes a transaction of Trust, which even if it was explicit and warranted and you acknowledge their good intentions, you still did not initiate or sanction.
They presuppose you desire, whereas you desire not. They presupose you need, whereas you need not.
But through the same glasses: so is advertising on TV! So is the Christian reaching out to a homeless person with a pair of shoes. (What if the homeless turned around and just said: "f**k off?" -- I'm sure it has happened) -- Are we so conditioned that we live in a world where the majority believes actions MUST BE Good, if intentions are Good?

> “Is true value added when it is at the cost of (some) liberty?”
I still don’t think that the geolocation is any type of true value to me, and no need to repeat that any more.

I try not to repeat things :o) Perhaps the true value here is "Trust"? (Is trust added at the cost of some liberty?). However, since we didn't ask for it in the first place, one can argue we are set up with a "dishonest transaction"? So we apply defensive lying? Given that you know this is happening: Going along with it and committing to it = recipe for unhappiness?
Is it a Good thing to tell and inform other people and risk making them unhappy? (Lulzsec, WikiLeaks) (Where is Kant when you need him talking to Socrates?)
Bother someone who doesn't care about what you care about, and you get a dose of indifference. (My mum doesn't care about 8 digit PINs / my client doesn't care about running as administrator even though when he gets infected he cannot afford to pay me when his computer stuffs up again / those 4 facebook people didn't log off when someone else repeatedly told them about firesheep in a public space)
We don't fear being vulnerable. I think we fear the shame of someone else knowing about it (and exploiting it). My mum doesn't feel ashamed running around with less secure PINs, she implicitly trusts me to help her setup a new PIN if the old one is breached. So she is never unhappy for long. My client doesn't feel ashamed if a virus hits his computer while running as admin, he implicitly trusts me to help fix it for him. So he is never unhappy for long. Facebook? It'll patch with an update. If we want people to be safer online, we need to raise awareness and educate them accordingly. It takes time.

AndyJuly 4, 2011 11:22 PM

@Vles , "If their intention is Good (Their result makes the data returned more relevant, therefore saving you time) does that make the actions they take in that respect Good? You state it does not make their actions Good, as you do not trust their intentions"
had to think about that for a while, try to compare it to a sisutaion. Was doing some gardening for someone and found a gardening fork in a place that look like it was forgotton about...move it to a place that would be more visable.
I suppose if the damage from that out come was them not notice it and spending more time seach... we low chance it would be good.
If a company has geolocation the damage from the idea might be minimual before release but if some one finds a hack...the damage would sky rocket.

Try to put that logic into the free speach thingy, people can say anything has long as it won't damage anything/anyone(that is not based on someone opion(throw it out))

2 cents

tommyJuly 5, 2011 3:32 AM

@ Vles:

Your argument, in a nutshell, seems to be "Ignorance is bliss". "If I don't know I'm being screwed, then I'm not unhappy". I'm sorry, but I just disagree. (And your English, as said, is excellent.)

"They presuppose you desire, whereas you desire not."

They don't presuppose I desire. They just don't give a **** what I desire. The data are valuable to them, because it creates "targeted advertising", for which advertisers will rightly pay more than for mass advertisements.

18-year-old girls and 50-year-old men are probably interested in very different products and services. (The men are interested in 18-year-old girls, LOL). I'm *not* interested in their d**n ads; if I were, I'd be researching the product or service myself. Would you like someone walking behind you 24 hours a day, recording everywhere you went, every shop window you looked into, everything you bought, everything you looked at but didn't buy, with whom you spoke, etc.? That is the definition of "1984"'s vision of an all-seeing, Big Brother totalitarian police state.

But that's what the data-miners are doing. One woman sued Internet ad agency DoubleClick and discovered they had a file on her equal to 968 single-spaced typewritten pages, all about her and her habits, preferences, and purchases. Google bought DoubleClick for USD $3 billion (US billion = 10^9) in 2008. I'm sure they know even more now.

And they've conned half of us into giving away our private data via Facebook and such.

Please read Bruce's brilliant essay on "The Value of Privacy"

http://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html

It's so good, I keep it bookmarked from five years ago. It's even more applicable today. Cheers.

Clive RobinsonJuly 5, 2011 5:05 AM

@ tommy,

"Thank you. I hope you're feeling better today"

Sadly no, I'm housebound for now, however some satire does make the hours pass more easily.

Like most men I'm known to have one or two annoying habits (by my relatives and friends ;) One of which is to sing (according to my son but not his gran or mum). Allied with inserting new words to fit the current situation. For his sins my son both hates me doing it and himself for laughing at the ditties especially the gross ones based around nursery rhyms.

It has of course led me to ask the question of why RAP singers get paid stupid amounts of money for something I do just for fun (and far better according to some).

So I think I might take a leaf out of your playbook and put some on line ;)

With regards your location, I just assumed you were hanging out with the other 300million (and rising rapidly) of "Our Colonial Cousins" in "His Majesties Republican Colony of the Americas", and "We find your preffrence for that continental devils brew of coffee over the health bringing benifits of British tea most quaint, for which we can only blaim those French and their turncoat supporters" ;)

(Gentle leg pulling over) I'm consistantly amazed by the lack of historical knowledge in most WASP Nations. Mind you I don't know how it's taught in the US but when I was young it was taught in the manner appropriate for "Civil Service Board Exams" and was thus bureaucraticaly boaring requiring the memorising of just names, dates and places. Not the interesting machinations, blood, guts, exploitation and rivalry behind much of it.

My son apears quite interested in history especialy the blood guts and filth of it especialy as his mum and I take the time to aquaint him with the more gory bits which he just loves, luckily we live not far from the Museums in Kensington London and the Science museum has the "Welcome" medical collection which amongst other gory things has genuine "shrunken heads" on display...

Nick PJuly 5, 2011 8:23 AM

@ Clive Robinson

I wish you a quick recovery. But I gotta say...

"It has of course led me to ask the question of why RAP singers get paid stupid amounts of money for something I do just for fun (and far better according to some)."

...that there ain't no way you are "far better" than Eminem or Young Jeezy. I mean, you're even behind the times on the name: they call it "hip hop" now. So, please forgive me if I call you for technical advice and Jeezy to host my parties. ;)

Clive RobinsonJuly 5, 2011 10:49 AM

@ Nick P,

"... you're even behind the times on the name: they call it "hip hop" now"

Hmm are you confusing the Hip Hop culture (which encompases both RAP music and Hip Hop music) with modern Hip Hop music?

When talking of the differences between RAP and Hip Hop music they fall into three main areas,

1,Musical features.
2, Culture.
3, Community message.

Importantly to the uneducated ear is RAP is about current events and is poetry or ryming often impromptue set to a music beat or rhythm and it is often "very in your face". The skill is thus in the selection of the words and the impact they have upon the listener.

What you might call Classic RAP originated in the Bronx and was from the 1970'&1980's, however it's roots trace back through Ska music of the 60's. It was about social commentry on then current events that were either not given or recieved very little attention to by the media. It was not untill 1979 did it appear on the general music radar with the success of the Sugar Hill Gang (often used as backing for adverts these days).

More contempory or what you might call Popular RAP. by the likes of Eminem is now very much more commercialy focused and gives aditional comment on things like social mores or personal relationships either percieved or actual, which has considerably broadend it's consumer base. It usually lacks the originality and punchiness of Classical RAP and likewise often uses baser psuedo macho appeal with repeated use of swear words and certain mems (as seen in things like Gangster RAP). [ as a side note I often thought Em-in-em was a euphemism of an anatomicaly difficult solo act ;)]

Hip Hop music is based around modern R&B and beat boxing. Modern R&B is in turn based around soul and pop music from the later 1970's onwards. Little attention if any is given to the poetry asspects and only marginaly more to the rhyming. Because of this soul/pop focus it has a considerably broader comercial base than either Popular or Classic RAP.

Importantly unlike RAP, Hip Hop music is traditionaly about fast beats and tempos to which complex body dance is performed. The dance style is usually more about body movment than movment of the hands and feet (because of the fast tempo). In this respect it is more akin to traditional West African dance than European dance which originated from "Courtly Dance" in Medieval Europe.

Which brings in the cultral differences between Hip Hop and RAP music. RAP is not about dance although the performer(s) may often pose to emphersize lyrical content. RAP is usually performed by individual males with some backing not usually groups and very rarely women. Hip Hop on the other hand is performed by both men and women but predomenantly women currently and often in quite recognisable groups sharing lyrics etc.

Because there are generally more women doing the complex dance whilst singing the style often involves a lot of chest and pelvic movment. It has thus earned Hip Hop music in some circles a reputation of sexualization of women and young girls, whilst the many female performers tend to regard it as almost a form of female liberation from the oppressive subservient femal role norm of WASP cultures.

I hope that helps you understand the difference between RAP and Hip Hop music, both of which fall under Hip Hop culture which includes several other asspects including certain styles of graphical art that many classify as being "Graffiti".

Oh and if you do get "Young Jeezy" to host a party for you ask about the difference I'm sure you will hear strong views about them.

It's funny who you get to meet and know when you have as I've previously mentioned worked in the broadcast industry, especialy if you had association with pirate brodcasting as it moved from AM to FM.

Bill SorensenJuly 5, 2011 12:56 PM

"...a USB stick given away at a trade show is automatically good."

If I were a hacker I would pick up USB sticks out of vendor's fishbowls at trade shows, copy malware onto them, then drop them back into the fishbowl.

Perhaps we need standalone flash drive reformatters.

IT DaveJuly 5, 2011 7:48 PM

I have to say I do disagree with Mr. Schneier on this one though. He says that the problem isn't that people should know better than to not trust a strange USB stick, but that the OS shouldn't automatically trust it.

If we applied that same line of logic to, say, sex for example, then it shouldn't be one person's responsibility to make sure that his/her lover doesn't have an STD before "plugging in" -- his/her genitals should be intelligent enough to not work the way they're supposed to if the other person is infected.

Richard Steven HackJuly 5, 2011 7:53 PM

Clive: Just to add, I believe Rap came out of the US prison system, not just the Bronx. No instruments, had to make do.

Actually, Federal prisons (I don't know about state ones) have musical instruments available for prisoners. At Florence, Colorado, FCI, IIRC, they even had a "Battle of the Prison Bands" concert with different inmate bands competing.

VlesJuly 5, 2011 8:19 PM

@tommy
Lost my response last night when accidentally browsing away from site. :/

> Your argument, in a nutshell, seems to be "Ignorance is bliss". "If I don't know I'm being screwed, then I'm not unhappy". I'm sorry, but I just disagree. (And your English, as said, is excellent.)

Thanks for the compliment. :o)

> "If I don't know I'm being screwed, then I'm not unhappy"
Can someone prove me wrong, I have a feeling a lot of business attitudes follow this presupposition to sell us cr*p.

For the record, although my tone and style might belie it: I'm actually on your side. Just taking up the other side of the argument is all.
We both perceive the same wrong: Your example of the woman suing DoubleClick suffices. Whether it is publicly gathered or privately gathered, data which is recorded about your habits, which is then stored and analyzed and the result used to build a profile about you which facilitates "targeted advertising", is evil and against Privacy. The geo location awareness is also an affront to Privacy, if you haven't submitted to it voluntarily and explicitly approved its use.

But I'm sure lawyers have that covered with TOCs and lots of small print. (Conditions of entry, conditions of use.) The alternative is then very simple: Don't use that site or service. But I know of no site out there that offers choice: Enter the fully automated no-privacy easy to use site with targeted ads, or the manual form fill out site with general ads.

I've read Bruce's essay, and I re-read it again last night along with 80% of the comments.

I'd like to believe Privacy is a value worth defending and standing up for but I agree with Nestor's first comment "I do not believe privacy is an inherent right."

"Privacy, as the term is generally understood in the West, is not a universal concept and remained virtually unknown in some cultures until recent times" [1]

I also had a problem finding its Dutch equivalent (as intertwined as we might be with the English -- see glorious revolution). "Persoonlijke levenssfeer / personal living sphere" comes closest, and for all other intent or purposes the Dutch borrow the word itself: "privacy". (It's ironic we even use the English word, as it carries with it the Victorian connotation of personal shame. As of old Dutch are known not to be too worried about this aspect of Privacy: We don't mind undressing on the beach to put swimming trunks on, and there's a raft of other Dutch stances foreigners quintessentially ascribe to us specifically, covering such topics as Sex, Drugs, and Euthenasia etc. It's no surprise to me that the TV show which brought "no privacy" to the world was first aired in the Netherlands: Big Brother" [2] -- I only watched the first season.

I'm still thinking about it, but I'm almost inclined to believe Privacy, Liberty and Security are like a project triangle: pick any two.

____________
1. http://en.wikipedia.org/wiki/Privacy
2. http://en.wikipedia.org/wiki/Big_Brother_(TV_series)

tommyJuly 5, 2011 10:12 PM

@ Clive Robinson:

Glad my little satire(s?) helped lighten your burdens. And you do know that Hawaii is in fact one of HM's Glorious American Colonies now, right? ... which means, if I live there, I'm still hanging out with the other 307 million. ;-D

And I personally prefer tea to coffee, despite having no British ancestry. ;)

@ Vles:

"Privacy, as the term is generally understood in the West, is not a universal concept and remained virtually unknown in some cultures until recent times"

The idea of individual human freedom and unalienable rights is a novel concept also. Most civilizations were ruled by chiefs, tyrants, or kings with unlimited power. John Locke and other Enlightenment thinkers conceived of liberty as a right, and Thomas Jefferson enshrined it in the US Declaration of Independence only 235 years and one day ago (here).

And it still wasn't universal within the US. It took until the early 1900s for those rights to extend to Blacks and women. Very novel concepts historically, to be sure. Does that make them invalid?

btw, I'm aware that many Europeans are less prudish about public nudity than most Americans. In fact, I've enjoyed their enlightened attitude when they visit our beaches. ;) But would they approve of the case Bruce blogged, in which a public school gave students laptop computers to take home, with the cameras secretly turned on by remote control, capturing (probably) the student's bedroom, showering, undressing, having sex, etc.?

Appropriate parody:

"I'm On the Outside (Looking In)" - Little Anthony and the Imperials
(parody title was the same - and Clive, feel free as well)

http://www.amiright.com/parody/60s/littleanthonyandtheimperials0.shtml

"I'm still thinking about it, but I'm almost inclined to believe Privacy, Liberty and Security are like a project triangle: pick any two."

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin, one of the Founding Fathers of the US, 23 February 1769.

VlesJuly 6, 2011 3:02 AM

> And it still wasn't universal within the US. It took until the early 1900s for those rights to extend to Blacks and women. Very novel concepts historically, to be sure. Does that make them invalid?

So if the intention was "good" (to enshrine human freedom as an unalienable human right), but the actions to implement it were "evil". (They were only selectively implemented as blacks and women were exempt until early 1900s) I will have to repeat myself: "Are we so conditioned that we live in a world where the majority believes actions MUST (automatically) BE Good, if intentions are Good?". We need a healthy dose of skepsis / security here...
It took a civil war and various leftist movements to "level the playing field" and extend these unalienable human rights to the rest of the "human" population. *sarcasm* (and what irony!)
So imho it doesn't make them invalid, it just highlights severe problems in the executive branch of the sovereign state. I suppose there will always be people who do not like giving up power of control (over others).

> But would they approve of the case Bruce blogged, in which a public school gave students laptop computers to take home, with the cameras secretly turned on by remote control, capturing (probably) the student's bedroom, showering, undressing, having sex, etc.?

There are so many things wrong with that scenario, I would imagine anyone would react with the same level of disgust!
I believe the quote: "You're controlling someone's machine, you don't want them to know what you're doing", says it all.
Who cares if you were doing your best friends girlfriend, or having a good old time on the toilet! Also: 1] The user draws the line between public (school use) and private, not the device. But the device doesn't even know how to respect that. 2] It seems end users were not made aware about its existence and capabilities. 3] When suspicion arose they were told a lie. (We reported it multiple times, each time getting the response: "It's only a malfunction. if you'd like we'll look into it and give you a loaner computer.") Howz that! .... blatant trust violations! Talk about a dishonest transaction! I couldn't even say that there were "good" intentions to start with. (the premise of "looking for proof of spying"). The whole thing reeks of insolence, disrespect, obsession with control and a wrong use of technology.

Then again, I believe the LEO's use the same kind of tech to spy on its citizens. IIRC I've read about that somewhere here as well.

I had a good laugh at your parody! Something tells me you'd understand Dutch (crude) humor!

> "I'm still thinking about it, but I'm almost inclined to believe Privacy, Liberty and Security are like a project triangle: pick any two."
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin, one of the Founding Fathers of the US, 23 February 1769.

He could be wrong? (j/k)
Maybe you can have liberty and security (if we agree on it being a sub for safety), but not privacy...
Or maybe when you don't know you've lost essential liberty as you were not made aware of the bargain, your ignorance is bliss. (Not your bliss, but their bliss. They, the ones who took it of you.)

Long live the dishonest minority!
Vive la minorité malhonnête!

;o)

mashiaraJuly 6, 2011 7:53 AM

@RHS funny you should mention Togakure ryu, I have been training Bujinkan Budo Taijutsu (combination of nine very old schools, including Togakure ryu) for 12 years now and indeed gives a very different insight to all aspects of life.

Not to disrespect you but I would advice anyone avoid teachers who speak of teaching ninjutsu, it's marketing talking: trying to ride on the popular image of ninja... Very important factor in why the current grandmaster of Togakure ryu (and the 8 other schools that form Bujinkan) Masaaki Hatsumi decided to call what he teaches Bujinkan.

Digress end.

ps. Teensy is a very handy little board (I'm also an electronics hobbyist)

jacobJuly 6, 2011 10:40 AM

Sorry Bruce, you blew it. Users should get some blame. I have had many in meetings go "here it is on this flash drive, just plug in into your computer"
Nope. Be care what you stick and where you stick it. I'll leave the analogies of slamming toilet seats and zippers for another discussion. ;)

The construction industry is very behind the times with computers.

Miriam RJuly 6, 2011 11:47 AM

It's peculiar to me that in all this discussion of whom to blame, no one has really talked about what I think of as the "consciousness cost" of security awareness.

Most, if not all, of the commentators have spent years familiarizing themselves with the technologies under discussion. What seems straightforward, "don't plug in an untrusted device from an unknown source", is completely opaque to most end users.

Time and awareness are limited individual resources. You'll forgive me, I hope, if I believe that learning computer technology and constant security consciousness aren't always the most worthwhile ways for everyone to spend those resources.

Billions of people can spend trillions of hours improving their technical skills and security awareness. The well-trained few million software and hardware engineers can spend _paid_ (generally) hours to devise better intrinsic security. Each approach has its own utility, but the best "bang for the buck" comes from the latter.

I expect doctors to be well-versed in medicine, accountants to know how to apply the tax code, secretaries to be able to type and file. Effectively, we trade our expert services for theirs, because we don't have the time or interest to acquire those skills. It's not in everyone's interest that they learn how a rootkit works, or what's happening under the covers when they plug in a USB drive.

It would be great if end users even knew how to ask the questions they should to protect their security and privacy.

Unfortunately, the essence of trust is the hope that people with more skills/information/power/resources than you will behave in an equitable way. It's really time that we stopped calling end users "idiots" when we're the ones with the preponderance of the above factors in the technology and information security spheres.

jacobJuly 6, 2011 1:02 PM

Miriam,
Good points. As you and Bruce have pointed out the security industry needs to do a better job setting up systems and educating end users. I do not expect everyone to be well versed in the latest security threats any more than I expect everyone to be an automobile mechanic in order to drive one.

I do expect basic knowledge. I taught my children to change tires, fill it up with gas, and check basic fluids. Even some more advanced like changing brake pads. Nothing too major. I am constraigned by house rules never to use power tools. ;)

I do not expect someone to put diesel in their car without at least asking once, "Can I do this?" Just my thoughts.
I saw a bid opening that the vendor for a security company included
a thumb drive with his bid...duh. bet in 24 hrs it will be plugged into some city network. My point exactly.

tommyJuly 6, 2011 9:22 PM

@ Vles:

"So if the intention was "good" (to enshrine human freedom as an unalienable human right), but the actions to implement it were "evil". (They were only selectively implemented as blacks and women were exempt until early 1900s)"

No, they weren't evil, they were partial. It was still a huge improvement for the white male citizens, which was a start in the right direction, for the first time in human history. (The Wright Brothers' first flight lasted 12 seconds and crashed. But without it, would we have jumbo jets?) Just as we will never achieve perfect IT security, but every step in that direction helps, and should be encouraged.

Jefferson himself owned slaves, though he freed them in his will, and had a child by one. Hypocrite? Yes, but he was a product of his time, as we all are. His concept was so novel in human history... and many great philosophers have not always lived up to their own ideas, which merely means that all humans are imperfect. It doesn't mean their ideals or arguments are wrong.

Ayn Rand, my all-time favorite philosopher, smoked cigarettes and used amphetamines to support her crazy schedule of day job + writing epic novel. Also had an openly-adulterous affair for a long time. I look at the ideas, not the people behind them. (Doing the opposite is the logical fallacy of "argumentum ad hominem", which is pandemic these days.)

"I had a good laugh at your parody! Something tells me you'd understand Dutch (crude) humor!"

The cruder, the better! That site has a Finnish writer who is very intelligent and erudite, but seems a bit more reserved in type of humor. I'd love to see Dutch humor, if it translates well into English. Many puns, and much humor, doesn't translate too well across languages.

When the controversy arose over Obama's nomination to the US Supreme Court of a racist, Hispanic woman who openly stated that she could make better decisions than any white male, (is that racist, or what?), I mocked her in her own language (Spanish), with a translation below:

http://www.amiright.com/parody/60s/jayandtheamericans17.shtml

And since the parody didn't flow properly as translated, it was done slightly differently (same original song) in English:

http://www.amiright.com/parody/60s/jayandtheamericans18.shtml

and then to the famous Broadway musical and movie, "West Side Story", which was itself about ethnic hatred, to its great song, "America"

http://www.amiright.com/parody/misc/westsidestorybernsteinsondheim6.shtml

Hope you enjoy them, and look forward to any comments about the message: Justice Sotomayor is a racist, a quality not confined to white males, and the parodies were anti-racist.

"Maybe you can have liberty and security (if we agree on it being a sub for safety), but not privacy..."

Bruce has blogged repeatedly on the false dichotomy between privacy and security. Scroogle it. (more private than Google, who build dossiers on your searches and sell them to advertisers -- wonder why the search box here uses Google instead of https://ssl.scroogle.org/ ? )


@ Miriam R.:

Welcome to the best think-tank in the blogosphere!

Nick P. has made a lifetime passion of doing just what you said: Designing systems that are "inherently" high-security, even against ignorant or socially-engineered users. For a taste, see his posts throughout the TDSS Rootkit thread,

http://www.schneier.com/blog/archives/2011/07/tdss_rootkit.html#comments

and also search this blog in general for "Nick P." (Use Scroogle!) Cheers!

Nick PJuly 6, 2011 11:09 PM

@ Miriam/Jacob/Vles

Welcome to the blog. You'll find that the comments section of this blog usually has better content than many blogs, along with more thoughtful discussions. Many people, including me, use it to brainstorm solutions to problems. (I'd make my own, but exposure is important for peer review & Bruce has plenty of it 8).

@ tommy

You're too kind. But, while informative, that was part of a kind of heated discussion. I do have some posts on here that give specifics and tell how to do it right. If the new folks want, I'll gladly dig them up and post them here. It's mainly principles of secure design, examples from present/past, and how one must look at a secure system development.

@ Miriam/Jacob/Vles

If you look at the link tommy posted, skip to my last post @ RSH. I give many examples of systems that you can Google if you want and what kind of security they achieved. As for processes, techniques, etc. I'll post you links or overviews on demand.

tommyJuly 7, 2011 12:42 AM

@ Nick P.:

After posting, I realized that the "Electronic Banking Security" thread was probably what I should have given for the newbie Intro to High-Assurance Thinking,

http://www.schneier.com/blog/archives/2011/06/court_ruling_on.html

But unfortunately, one cannot edit one's posts here, unlike a forum, where a registered user can edit their... n/m, I know you're too busy to do it. ;D

Since Miriam, Vles, and Jacob seem to be still following the thread, you might just post the main links of two or three Schneier threads which you think include your best examples for introduction to HA-thought and let them scan those. Then, as you say, they can ask for more, or search the stuff you give them.

The Bell-LaPadula model, as discussed in this thread,
http://www.schneier.com/blog/archives/2011/06/open-source_sof.html

and your link to David Bell's paper,
http://www.acsac.org/2005/papers/Bell.pdf

are probably excellent starters.

VlesJuly 7, 2011 3:15 AM

> "No, they weren't evil, they were partial."
If you think about it for awhile (imho) such actions can never be partial (and that's the evil part) and I hope you agree with me.
There's no halfway house once you decide to enshrine it and make it part of your societal morality and rules and laws. Either the "unalienable human right" is implemented, or it is not. And if it is, it becomes an unalienable human right. This implies - by its very definition - that it is for all humans (individuals) in that cooperative system.
The action to limit scope to a select group of people, is by itself dishonest. Doing so also implies all of a sudden that blacks and women are "not human", which is clearly not true! (a more obvious sign of dishonesty).
More importantly "the excluded" would have felt "cheated". (There's a perceived gain for all --> trust bonding --> being excluded --> bargain is not upheld --> trust is broken --> feeling cheated)
Dishonest transactions (as in "evil" or "do not like") are a good precursor to unhappiness and from what we discussed I venture to hypothesize these transactions lead to "the cheated" using "defensive lying". After all, defensive lying is a good strategy to keep filtering truth when one anticipates more dishonesty.
Dishonest transactions undermine trust and if there's no trust in the unwritten rules by which we strive to all abide (morality: being honest, holding true to your word), we're slowly unraveling the fabric on which our society rests... (I believe anyway) According to Thoreau's Civil Disobedience, (as I understand it) to foster and have trust in your people is invaluable and is the way to go forward for it means the government governs (controls) less. It may very well also make your people much happier!

Surfing the web for "trust and socrates" returned this yesterday, which I thought was interesting:
http://eprints.aktors.org/186/01/trust-ohara-kansaigaidai.pdf
Socrates, Trust and the Internet. Kieron O'Hara. Dept of Electronics and Computer Science. University of Southampton. Highfield. Southampton SO17 1BJ

> I look at the ideas, not the people behind them.
Have you read Peter Watson's "A terrible beauty"? ISBN 1842124447. I've read it four times already and I think you'd really like it. (A Cultural History of the Twentieth Century: The People and Ideas that Shaped the Modern Mind)

I'll have to start reading up on Ayn Rand. I admit not having read a single work by her. Which one for starters?

As for the Dutch humor, it's not going to be easy bringing it to a foreign audience. Even in Australia (where I now live and work) comedy shows made here do not automatically do well in either U.S. or U.K. -- I'll see what I can find :)

Long live the dishonest minority!
Vive la minorité malhonnête!
Lang leve de oneerlijke minderheid!

Clive RobinsonJuly 7, 2011 7:51 AM

@ tommy,

"I should have given for the newbie Intro to High-Assurance Thinking"

The problem is that for the newbie most things don't start at the right point.

Usually the explanation kicks in witht the "Security CIA triad" which unfortunatly has nothing what so ever to do with the "logic" side and everything to do with the "human" side of things.

More bluntly computers understand algorithms (Rules) data (Information) and logical conjunctions of the two (ie Processes).

Computers have no absolutly no concept of the CIA triad of "Confidentiality", "Integraty" or "Availability", it is the programs we humans put on them that try to fake them for us.

A newbie needs to understand that

1, Information (is proceesed by)
2, Software (running on)
3, Hardware (and to be usefull it needs to be shared by)
4, Communications.

The first problem that the newbie often strikes is that information is intangable and computers only natively understand data in the tangable form of bits and integers that can be communicated or stored.

Data in the form of integers is given further meaning by various abstraction layers of "meta-data". The two simple examples being ASCII charecters (an ordered 7bit mapping onto printable text) and floting point numbers which use two or more integers and two or more bits to give an approximation to the real value.

Primarily the hardware under the control of the software does only two things move data and process (change) data into another form.

The basic design of all computers is due to Shannon's Information model of a Data Source, and data sink connected by a channel that may either pass the data unmodifed or modify it.

That is the basic computing block (ie a CPU machine code instruction) fits in with the model of taking an integer from a data source, optionaly modifiying it in some way and outputing it to a data sink.

It is the modification of the data in the channel where things become interesting (and usefull). That is how do you modify the data usefully and importantly how do you communicate the result to both the hardware and other parts of the software.

Methods vary but in essence the channel has memory (CPU registers) as well as the ability to transform data (in the Arithmetic / Logic unit or ALU).

Thus the modification consist of a chain of instructions,

1. Get data1 into reg1;
2. Get data2 into reg2;
3. Add reg1 and reg2, put result in reg1, and status in regS;
4. Send reg1;
5. Skip next instruction if result is not zero;
6. Goto to XXX;
7. ...

From this it can be seen the first instruction is a data move from the data source to the channel state, as is the next instruction. The third instruction modifies copies of the two data items and updates the channels status. The forth is a data move of the result from the previous instruction out of the channel into the data sink. The fith instruction is a conditional control instruction to "the software" in that it takes an action (updates the instruction pointer) based on the contents of the status (regS) of the control channel. The sixth instruction is again a control instruction but this is not conditional of the channel status.

At no point in this do you see the instructions or data source or data sink get checked for the CIA triad, all you see are Rules (instructions) Information (data) acted upon under the current set of Rules (software) that form the current Process.

Also you don't see any action taken on geting data from a data source or on outputing data to a data sink. That is in the case of the simple channel there are no restrictions on this "the software is assumed to "know" what it is doing".

More elaborate channels have hard ware mechanisms to detect when the Software instruction trys to get data from a data source or output data to a data sink it should not be using. It causes the channel to "throw an exception" and the channel (can) automaticaly go from the current process context into an entirely different process context.

This is where a new set or Rules (software) can impose the concepts of Confidentiality or Integrity onto the channel.

It is "not understanding" that computers only work with (understand),

Rules (instructions),
Information (Data) and
Processes

and Humans realy only understand (and work with),

Integrity
Communications
Entities

And that the two sets do not map directly from Human to Computer even faintly that newbies can get a grip on the basics of how things work.

Further that HA systems relie on "rule sets" thought up by humans, that are triggered by excepptions that in turn are "rule sets" thought up by humans.

The real biggie on the non fit is "Processes and Entites". Humans have a very poor grip on the difference, legaly an "Entity" is "any person legal or natural", where as a process is an agnostic set of rules/actions carried out by either the entity or on the entities behalf.

Now as you can imagin trying to develop software to account for correct "Communication of data between entities whilst maintaining the integrity of the data" is going to be difficult to do unless you can usefully define an entity and integrity.

That is without resorting to "arm waving" or Douglas Adams style satire of "You know the ultimate question, to life the universe and every thing" 8)

tommyJuly 7, 2011 7:54 PM

@ Vles:

All of what you say, happened. But does that mean that we should never even have started on the path to freedom, and let the newly-formed US be a tyrannical monarchy like the one it just rebelled against? (no offense, Clive ;-D) .. in fact, first POTUS George Washington was offered a Crown for his heroic actions during the American Revolutionary War. Without looking it up, from memory, he said something like, "Did we just fight one tyrant to live under another?", and refused, thus leading to a Constitutional form of government. (It's continually been subverted, and continues to be, but they had the right idea.)

"A journey of a thousand miles begins with a single step." Slavery has existed since Biblical times. Women have been the chattels of men in many societies, and still are today. (Maybe we should have kept it that way... KIDDING! ;) This single, huge step broke those chains for one group; then, over time, additional steps were taken -- including a bloody Civil War, which cost more American lives than all other wars put together, to the present day (true). And a POTUS was assassinated for daring to free the slaves.

It isn't easy to change thousands of years of tradition and thinking. Quite frankly, the Founders knew that if they freed everyone, the Southern colonies/states would never go along, because they had become economically dependent on slavery. Which was an institution brought to the New World by, (cough) the British, Spanish, French, Portuguese, and, um, who else -- oh, yeah, the Dutch. :P

"The first English colony in North America, Virginia, acquired its first Africans in 1619, after a ship arrived, unsolicited, carrying a cargo of about 20 Africans. Thus, a practice established in the Spanish colonies as early as the 1560s was expanded into English North America."

The new nation had to overcome that legacy of *European* origin. From the Spanish beginning, slavery existed in the New World for more than two hundred years before the US was founded. Most Northern states eliminated slavery within the first decade or two after the US had a functional government.To eliminate an institution of more than two centuries in two decades was a remarkable achievement in the time span of history.

But they had to start somewhere, or not start at all. It really isn't as easy as flipping a binary switch....

For Rand, start with her magnum opus, "Atlas Shrugged", a fictional novel which embodies and illustrates her principles more thoroughly, and more entertainingly, than her many non-fiction essays and such. The book was also quite prescient, in terms of what's happening today. Published in 1957, one of the main characters, a CEO, spends most of his time and effort lobbying Washington for special favors and bailouts. Sound familiar? ... lots more examples.

@ Clive Robinson:

Again, I apologize for my lack of clarity, but I fear my posts are already too wordy and long. (But yours are not, of course!) I was specifically introducing the persons mentioned to Nick P.'s approaches to actual design of actual HA systems, and not to the theoretical underpinning.

I don't know the tech level of the other readers, but with simple concepts like "trusted" and "untrusted", one can understand Nick P.'s ideas, whereas actually getting into registers, instructions, data transformations, etc., may be a little *too* much detail for those trying to understand why commodity OSs, including Linux-based, are insecure, and what Nick, and you, and Richard T., Mark Currie, RS Hack, and others, are looking at as ways to get high-security products actually on the shelf. Cheers.

Nick PJuly 7, 2011 10:14 PM

@ tommy & new folks

"may be a little *too* much detail for those trying to understand why commodity OSs, including Linux-based, are insecure,"

Clive's posts on technical security always include too much detail for a layperson to get. That's why I'm his unofficial translator. ;) In this case, though, I recommend new people ignore the technical level Clive is working on and get the basics. These links are a good start.

Saltzer & Schroeder Principles
http://nob.cs.ucdavis.edu/classes/ecs153-2000-04/design.html

Qmail lessons learned
http://cr.yp.to/qmail/qmailsec-20071101.pdf

Microsoft's 10 Laws of Security
http://technet.microsoft.com/en-us/library/cc722487.aspx

Nice description of Evaluated Assurance Levels (EALs)
http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM
EAL5-7 are medium-to-high assurance. Focus on EAL6 & EAL7 additional requirements over EAL4.

Ross Anderson's Security Engineering
http://www.cl.cam.ac.uk/~rja14/book.html
(Landmark book on the subject with tons of good examples, rules, etc. The first edition is free & some of 2nd edition is online.)

tommy July 7, 2011 11:56 PM

@ Nick P.:

"Clive's posts on technical security always include too much detail for a layperson to get." ROFLMAO!!! ... but it's true, and that's a compliment to Clive's many co-brains, and to the master module that handles the traffic among them. ;)

"That's why I'm his unofficial translator. ;) " ... Well, let's make that official, then. He certainly needs one, so that we Earthlings can understand him.

(clears throat) "I hereby dub thee Sir Translator of Clive". (touches sword to each of Nick P.'s shoulders)


@ Anyone Interested In This Stuff:

That's a great list. I just finished assimilating the QMail paper that Nick had pointed me to, but will probably save my comments for Friday's blogs, squid or otherwise, as this thread is going to disappear from the home page soon.

And of course, enjoy the irony of Microsoft (Microsoft!?!) giving security lessons... Billy G was kicked out of school for hacking the school's computer; you'd think he'd apply what he knew to stop his fellow haxxors. But commercial interest trumped that, as it usually does (sigh)...

"Supercalifragilisticexpialidocious" by Julie Andrews, from Mary Poppins:

"Newcomputercamewithwindowsxphowatrocious", by Your Humble etc., Tommy Turtle:
http://www.amiright.com/parody/60s/julieandrewsmarypoppins14.shtml

"Microsoft™ Is Suing Me Because I Dissed On Vista™" (same author):
http://www.amiright.com/parody/60s/julieandrews131.shtml

Clive RobinsonJuly 8, 2011 7:09 AM

@ tommy,

"(no offense, Clive ;-D) .. in fact, first POTUS George Washington was offered a Crown for his heroic actions during the American Revolutionary War. Without looking it up, from memory, he said something like, "Did we just fight one tyrant to live under another?"

Hmm I guest the first POTUS must have studied history for was not Oliver Cromwell lord High Protector reputed as saying similar when the second parliment talked about making him King in 1657 (or was it just Richard Harris in the film?)

Mind you a number of people say that Washington being offered let alone turning down a crown was a myth,

http://chss.montclair.edu/english/furr/gbi/docs/kingmyth.html

Clive RobinsonJuly 8, 2011 7:55 AM

@ tommy,

Speaking of crowns reminds me in your post where you say,

"I hope Clive doesn't think I'm trying to steal his crown for "essays in blog comments"

You talked a little about the economic considerations of zero cost duplication.

However you forgot to mention the realy nasty hole in the head shot for economic theory which is the effective zero distance cost metric.

Information is intangable, it becomes just tangable when you store it (cost of DVD blank) or when you transmitt it from place to place (ie each bit actually does have a minimum energy value)

Economic theory deals with "goods" which is taken these days as physical objects and services. However many mistakenly believe that "services" are not tangable and thus economics does cover information.

The thing is traditional services did have a distance cost metric, that is you would pick a service provider close to your location because there were costs proportional to distance.

Likewise telephone billing usually had a distance cost involved that ment local calls cost less than longer distances.

Nearly all the theory to do with markets and the way they behave have the distance cost metric built in as an implicit assumption or axiom.

This is even though there were market models (ie inland postal services) that did not have a distance cost metric in them the theory ignored it.

The result is the Internet is now a globe spanning market with a zero distance cost metric and is thus effectivly "local" everywhere. This has a very noticable effect in the way "intangable" Information only markets differ from "tangable" physical goods and service markets.

The issue of intangable product markets also effects us in many other ways because of the implicit assumption of distance having meaning in taken from the tangable or physical world and is carried forward without correction into the intangable non physical information world.

One asspect of this you indirectly mentioned is law or breaking thereof (ie piracy). That is laws apply in jurisdictions, that is the DMCA does not cover Russia. So a Russian Publisher could legaly sell software tools etc etc that would not be legal in the US.

And... Because of the implicit but incorrect assumptions being carried forward we now are living with the Chinese Curse (of living in interesting times).

jacobJuly 8, 2011 8:57 AM

@clive.
First you make me feel like "if I only had a brain".
1. monitizing a service is tangible. The old business models you speak of went out with IBM and their blue shirts.
2. When people refer to the service economy they tend to think of mcdonald's and not the project management or the code jockeys that have been outsourced or rejiggered.
3. Modern economies are trying to catch up and will continue to fail. Technology, capabilities, and social interactions move at a break neck speed and legislators/regulators are struggling to catch up, let alone get ahead of it. The problem is that companies are thinking of ways to make money off information, and that can be done very creatively. Google is a classic example. The crooks are not far behind trying to make money off information gathered by others.

You mentioned the chinese proverb. True. I have another one for you.
"Those who fail to learn history are doomed to repeat it. Those who fail to learn history CORRECTLY are simply doomed.

I hope and I'm sure there are many others who wish you a speedy recovery and good health. I miss the countryside of Dunoon, Edinburgh, Glascow (night life) and other places. I miss real fish and chips and am reduced to trying to make my own here in US. (not the same)
I would gladly pull a pint of Tenant's or Guiness and lose a game of snooker or darts to ya.
Take care and keep us up to date. :)

tommyJuly 9, 2011 4:07 AM

@ Clive Robinson:

"This is even though there were market models (ie inland postal services) that did not have a distance cost metric in them the theory ignored it."

The theory ignored nothing. The Government ignores economics to buy votes. The US Postal Service charges the same to mail a letter across town as it does to mail it 5000km across the country. Try sending your document by a private courier such as FedEx, and you'll see a zone map, with higher costs for longer distances.

Gov doesn't recognize economies of scale. The entire US state of Wyoming has fewer people than many American cities. Which means costs of running a post office, etc. can be spread among more people in population-dense areas. But private busineses who start service (as FedEx did) only among major cities are charged with some pejorative like "cherry-picking". Well, sure. If you have the volume of delivery to fill a plane beween New York and Los Angeles, but not beteen Driggs, Idaho, and Taos, New Mexico, then you'd be stupid to offer service to the latter, at least at the same rate as the former. But Gov does such things all the time.

"Unfair"? There are downsides to living in major cities: Crime, pollution, congestion, noise, high cost of real estate. People choose them because some upsides attract them: More and better jobs, art and culture, convenient public transportation, lots of choices in air travel //becase of the intense competition for the high volume of traffic//, etc... . People choose small-town or rural life to escape the crowds and smog, but they inherently give up the conveniences of a shopping mall a few minutes away, and they may have to drive a long distance to a commercial airport, with commuter-plane hops required. It's a trade-off, and the small-towners shouldn't expect the benefits of pastoral life while still having the cost efficiencies that population density gives in many areas. But Gov tells them it can, and taxes us all to pay for it.

Interesting about Washington. But whether the crown story is apocryphal, the point to Vles was that this idea of individuals being born with equal rights before the law (even if only paritally implemented at first) was novel and historic. I know that the class system is very embedded in British culture. You have your Lords, Knights, etc. And while the US may have de facto classes by wealth, etc., anyone can stand on public property near the White House with a sign saying, "Barack Obama is an idiot." I'd like to know what would happen if you were to stand at the closest legal distance friom Buckingham Palace with a sign saying "Elizabeth Alexandra Mary (Windsor?) is an idiot."

Yes, I deliberately left off "Her Majesty" and "Queen", because although there are certain protocols of manner in addressing US officials, they're not legally enforceable. (Actually, they're widely ignored. Proper way to refer to the President, in the third person, is "The President". Not "President Obama", or "President George Bush", or worse, "Mr. Bush", as was often heard on news stations during his terms. But there's no legal penalty for that. What about where you live?)

You are of course correct that the Internet has reduced, though not eliminated, the cost of distance in sending information. If I use my ISP's e-mail service (I din't), I can send an e-mail to another customer of my local ISP, or visit a business' web site hosted by same, without the transaction going beyond my ISP. I can't send it to Europe or Asia without either trans-oceanic cables, or satellites. Someone had to spend the money to lay those cables and launch those satellites, but the cost has been spread among millions or billions of people. So my ISP finds it less costly to charge the same for all traffic than it would be to meter it.

This definitely changes things, but it doesn't change the laws of economics. It benefits the consumer. Before, I had only my local stores to shop, or mail-order catalogs in my own country. Now, I can shop for software online, from providers across the globe, and for tangible goods from Amazon and other online retailers, who will even do price comparisons for me. More competition = lower prices, Win-win, other than the pirates. Which, as has been mentioned, is indeed something new, for which national and international laws will have to find new answers.

@ jacob:

Slight misquote, even considering that it's a paraphrase in the first place:

""Those who fail to learn **FROM** history are doomed to repeat it" is a closer paraphrase of Santayana.

"Those who fail to learn history correctly are simply doomed"

Unfortunately, most in the US don't learn history at all, as I've parodied and posted about. But "history is written by the winners." The losers' version would often be very differetn. Still, agree that humanity keeps repeating the same errors.

If you miss home so much, may I ask, without sarcasm, what is holding you wherever you are? Must be some upside that exceeds the downsides, because you made a(n economic) trade-off decision to remain. Of course, you don't have to answer.

I join you and all here in wishing Clive the best of health.

Having ragged on the UK/CW, have a couple of tributes to my mates in Australia:

Vol. !:
http://www.amiright.com/parody/70s/johndenver81.shtml

Vol. II:
http://www.amiright.com/parody/misc/raypetersonelvispresley4.shtml

Click my sig for a parody blasting The President. I'm far too polite to trash Her Majesty, but did do a number on the Blair-Bush friendship. Link on request. Cheers all.

jacobJuly 9, 2011 9:26 AM

@tommy. As far as going back, economics, family, etc. The simple answer is that earlier adventures ruined me for life in more than one way. It's just not practical and good health care here. Maybe I need to use the idea from MASH and instead of ribs get fish and chips sent...;)

It was a paraphrase but I rather like the sentiment.History is written by the winners but the cultural memory of the losers can really bite. Just ask the Turks and the Kurds.

Trying to loop this thread back to USB and security etc. Clive talked to me about tools and the importance of understanding the underlying processes. I wonder upon thinking on what Clive said. Could the recent rash of hacking be related to just such a scenario?

1. I'm old enough to remember CP/M programming. The language of computers is the key. If one person only knows to use a sniffer, megaspoit, bt5, etc. that is a big difference from someone who knows the apache structure. If someone knows the "processes" or steps...'If I punch it between these two steps...' The difference between the petty theft and to catch a thief. (movie reference)
2.People are being hired who know how to use the tools, not the underlying structure so much.
3. Back in the 80's the hackers were being hired. Now adays it is more the people with the certs. That's at big practical difference.
4. Most real world stuff is the usb lost and data or the ebay hard drive.
5. I suspect most of the recent attacks are from not enough money being spent and not having the right people in place. (maybe not enough people)
6. I wonder how much of the talent pool has been sucked up by govt away from private sector. Look at the want ads or what companies are trying to hire both publicly and private back channels. If you ever talk to some of these companies you realize they really don't get it and the only reason they haven't been compromised is someone hasn't tried or don't think it's worthwhile. I believe that some gubmint people strengthen them without them knowing (out of pity for practice training their people). lol

Just my thoughts. Your mileage may vary.

jacobJuly 9, 2011 9:51 AM

@tommy A followup thought. Can you imagine letting a SANS, infosec or some conferences loose on a company's info structure? It would be like magog let loose in a puppy farm. Maybe if a copy of a setup and anon identification of company would really strengthen the infostructure. A prize, free jaeger slams, or recognition? There is a talent pool that is not being used.

Clive RobinsonJuly 9, 2011 1:45 PM

@ Jacob, tommy,

I used to work all around the world in various trades including wearing the green, the oil and broadcast industries, and specialising in communications and computer security through out most of it. For my sins I'm old enough to have made what we now call CPU cores out of bit slice processors and prior to that even out of ECL (if anybody remembers it) and cut my own state machines and wrote the microcode.

There are many places I've visited and would love to go again but I'm not allowed to fly any longer for medical reasons, nor go climbing real mountains. Having experianced the Medical facilities in a number of countries I'm glad I don't live in them and others I would not be able to afford either the medical care or the insurance rates. And some so called advanced Medi Care systems do let you down (A US Health care provider failed to recognise I had multiple PE's and instead gave me anti-biotics for a "chest infection").

However I do live in the UK and for all it's many failings the medical care given by the National Health Service does keep people alive for most problems. However that's not to say it's perfect by any means, for some life threatening problems you would be better of in another European Country. Oncology for instance you would in many cases be better off in Germany.

So being restricted to surface only travel for medical reasons I can appreciate why people cannot get to the places they might want to go. I for one would love to go back to Seattle and Redmond and back up Mnt St Helen's again and other parts of Coastal North America and Southern Canada, Likewise New Zealand. One of my regrets is not taking up the opportunity of spending a year at the South Pole for what at the time seemed like very important personal reasons.

Now as for the Fish and chips it's probably the type of potato you are using, and the flour and beer for the batter that's letting you down. Unless you are after the flavour of Northern England, Scotland and N.I. in which case you may need to find beef dripping as well.

The good news is that those items can and do travel reasonably well so there may be hope for your (artery clogging) Fish and Chip Supper yet 8)

Clive RobinsonJuly 9, 2011 9:54 PM

@ Jacob,

The following might amuse,

http://www.computing.co.uk/ctg/news/2083236/microsoft-blames-recent-sony-rsa-hacks-rookie-mistakes

A Microsoft 'Senior Director' John Howie has basicaly said that Sony and RSA made "rookie-mistakes" (which may well be true).

But... He also made claims Microsoft is immune to such attacks due to 'training' 'patching' and 'masive bandwidth'...

I wonder if pride is going to come before a fall

Apple on the other hand have another zero-day attack on iPones and iPads. Ironically there is a patch available but only to those who have a "jailbroken" device...

http://blogs.forbes.com/andygreenberg/2011/07/06/jailbreakme-hackers-expose-gaping-security-hole-in-iphones-and-fix-it-only-for-jailbreakers/

Also by the same Forbes author are some ongoing articals about wikileakes and the payment card industry. It looks as though EU anti monopoly legislation will be used against various members of the payment card industry.

tommyJuly 9, 2011 9:54 PM

@ Jacob:

Not sure what you mean by "recent rash of hacking". It's been going on even before the Internet. (See the German hacking incident of, IIRC, 1988.)

The main problem is misplaced incentives. Bruce has spoken of this often, and as an economist, I would say the same thing independently:

The cost of security is borne by the producer (e. g., Microsoft), but the cost of insecurity is borne by the user. MS would have to spend much more to create more secure systems, but they don't lose money when you're pwned, so they don't. If they did, and increased the cost of the system accordingly, they'd not be competitive in the marketplace -- since most people *and businesses* don't know the degree of risk, they won't pay the extra cost. Ask Clive and Nick P., et al., about how hard it can be to sell secure solutions.

Universities don't integrate comprehensive security teaching into their IT curricula, because that's not what the employers want from the graduates - for the reasons above.

The "unused talent pool" is the pen testers. Those companies that are willing to pay for them generally get rude shocks -- and better security. Some vendors and third parties offer bounties to those who find verifiable critical security vulns in common products. This is a way to motivate crackers to use their skills in a beneficial way, and should be expanded.


@ Clive Robinson:

I wish for the Transporter Beam (Star Trek, though never watch it and not a fan), so I could see the world, including a few fellow parodists in your own beautiful country. Money is an issue, esp. in the current mess, and so is time (which is required to earn money). I'm sorry for your limitations -- I have some minor ones of my own - but I'm glad that I did the traveling that I have when I could, as I'm sure you are.

There is an "Irish Pub" a few blocks from me. Naturally, I can't judge the authenticity, but I have had a stout or ale or two, and they're quite good -- much fuller in flavor. I don't care for American beer at all -- they mix *rice* in with the barley, because it's cheaper, and they use chemicals and other means to speed up the fermentation to 2-3 days instead of 2-3 weeks. Some Mexican beers are still authentic and full-bodied, but not the ones that advertise the most -- isnt' that how it always is?

Mexican beer, to "Eleanor Rigby:
http://www.amiright.com/parody/60s/thebeatles1404.shtml

May the road always be downhill, with the sun on your face. Cheers! (gulps)

Clive RobinsonJuly 9, 2011 11:05 PM

@ tommy,

It's around 5am now and the simple answer is I'm a very light sleeper at the best of times and Hospitals are noisy places.

And in my case when my sleep rhythm gets disturbed it can sometimes take weeks to correct it's self. =8-(

I don't know what you call it in the US but in the UK the medicos refer to "Sleep Hygiene" when it comes to people suffering from sleep disorders. And they say not only no coffee or tea but also no chocolate as well. Apparently it to contains stimulants which is apparently one of the reasons a greater percentage of woman than men like it (obviously most mens conversational abilities dont stimulate enough ;)

Now I'm not saying that my sleep disorders are realy bad but one doctor wrote in a report after an examination and assesment "Thank God this man does not drive".

tommyJuly 10, 2011 6:27 PM

@ Clive Robinson:

"I'm a very light sleeper at the best of times ... And in my case when my sleep rhythm gets disturbed it can sometimes take weeks to correct it's self. =8-(

Join the club. I believe that those whose minds are constantly running in the b/g -- i. e. the more intelligent - are more likely to have sleep difficulties. (Not that my b/g always outputs anything worthwhile, mind you. ;) Studies have found that the "best" sleepers tend to be very conformist, very unquestioning of conventional values: they don't worry about things; they accept them as they are, etc. These are not the people who have given humanity its huge breakthroughs, which come from those who question the status quo and want to improve it.

"Hospitals are noisy places."

Been there, done that. You'd think they'd realize that quiet rest helps healing, but no.... "Sleep phase reversal" (day/night) is quite common in hospital stays of more than a few days or a week.

Chocolate is loaded with (natural) stimulants, including the "love molecule", which is why men give it to women as gifts, and women like it. (Most men have plenty of "love molecules" already, albeit of a different type, :wink:)

Stimulant chemicals in chocolate, footnotes [1] and [4], in parody form, naturally:

http://www.amiright.com/parody/60s/theswinginmedallions1.shtml

RobertTJuly 10, 2011 10:03 PM

@clive R
OT "I'm a very light sleeper at the best of times ... And in my case when my sleep rhythm gets disturbed it can sometimes take weeks to correct it's self"

I don't know if you have tried complete black-out curtains but I used to have terrible sleep problems especially when I was flying US-Asia one per month. What I found really works well is complete dark. Black-out curtains + no Leds from DVD or whatever, no illuminated clocks, it also helps if you get out side in the morning sunshine for a walk (but my memories of England suggest that this is rarely possible)

You say that you worked in the oil and defense industries, with the references to Bitslices and ECL it sounds like you were working for Ferranti. I spent some time up in Aberdeen doing oil platform control systems, myself but that was a long long time ago.

Talking about obscure semiconductor logic technology, I've even designed in Integrated Injection Logic (I2L). Actually if you want a laugh, I sometimes use I2L in a critical stage if I want to protect a design from copying. If you really want to confuse a young engineer take a normal CMOS process and use a parasitic Lateral PNP with a multiple collectors to build a NAND gate. The secret is that you need to use the silicide block mask and prevent the "channel stop" implant to the region. Since you cant see either of these masks it totally frustrates the copiers. It's mean but fun, especially when they approach you years later and they still have not figured it out.

AndyJuly 10, 2011 10:28 PM

On/Off topic, about sticking unknown things into processing systems..A slight revelation about anti-psycoice drugs.
They are effective, ie should down the brain and then autopolit or sub-concious do the thinking.
Was wondering what the sex/muder/hunter(range) of crimes were down with people on anti-pysco.

If the concoius is disabled how the hell would you beable to control autoploit.

Weird post sorry ;)

VlesJuly 11, 2011 2:44 AM

@tommy
> "For Rand, start with her magnum opus, "Atlas Shrugged""
Cheers :)
> "the point to Vles was that this idea of individuals being born with equal rights before the law (even if only paritally implemented at first) was novel and historic"
Yes, but not so novel in 1863. Globally, the movement started some time beforehand:
http://en.wikipedia.org/wiki/Abolition_of_slavery_timeline
The "crown denouncing" anecdote reminds me of the use of the "Rex"/King title in old Roman times. It came to have a negative connotation so strong that after the republic ceased to exist, it wasn't reused. The new word introduced in to legacy became "Caesar" / "Keizer" / "Czar", after the man himself. And history repeats...
Power corrupts and with your example I merely wanted to demonstrate that even if intentions are good/nobel/worthy, it does not automatically follow that actions are.
Every form of government, not just a monarchy, can reach a stage where it risks its chosen symbol being endowed with a (strong) negative connotation. Be it a crown, other symbol or flag. Especially flags are prone to abuse. They seem to get burned a lot...

(
-"Electronic Banking Security" thread
-The Bell-LaPadula model, as discussed in this thread,
http://www.schneier.com/blog/archives/2011/06/...
-and your link to David Bell's paper,
http://www.acsac.org/2005/papers/Bell.pdf
) > I'll be quiet for the next couple weeks, thanks again :)

@Nick P
(
-Saltzer & Schroeder Principles
-Qmail lessons learned
-Microsoft's 10 Laws of Security
-Nice description of Evaluated Assurance Levels (EALs)
-Ross Anderson's Security Engineering
) > Thank you, I've printed them out -- finished djb essay and on to RAnderson.

@Clive
> "It is "not understanding" that computers only work with (understand),
Rules (instructions),
Information (Data) and
Processes
and Humans realy only understand (and work with),
Integrity
Communications
Entities
And that the two sets do not map directly from Human to Computer even faintly that newbies can get a grip on the basics of how things work."

So computers do "control" very well (better than Humans?), but have no concept of trust. And the difficulty is tokenizing / encoding trust?
Does trust flow from control, or control from trust? Tricky, that one. ;)

Bowing to the silver shields here. I admit I have little faith in ever feeling secure in a virtual world. The real world is hard enough. I'm forced to "trust bond" if I want to use online services (banking, shopping), yet all around me I see evidence that makes me feel I shouldn't be so exposed to these risks. The risk of the unauthorised reuse of tokens that are in essence me. (Or you, or thousands of people and many at a time). Robots logging in to my bank as me I would equate with being physically assaulted and wallet stolen, but I may not even be aware of it. It is a new feeling we're dealing with that is extremely negative (This artificial uncertainty - or is that just me?). Some old folks I speak with are adamantly against computers and internet. I often wonder why, yet have come to feel they understand and very strongly feel trust is explicitly local and human.

I admit I enjoy the "prince of the realm" feeling/illusion that networked computers in a virtual world give me. (Don't play farmville though) However I feel burdened when helping other people out with computer problems. For truly helping them out so they feel secure is educating them with everything I know (follow best practices etc) and even then, there's still so much I don't know. Newbie here. Furthermore if I don't trust it all myself, I can't expect those I help to do so either. The last thing I want to do for those I care about is engage with them in a "dishonest transaction".

Finding a bit of solace here. I'll just stick to reading :)

kind regards,

Vles

tommyJuly 11, 2011 3:40 AM

@ Vles:

"Yes, but not so novel in 1863."

I was more referring to the original expression of the concept in the US Declaration of Independence in 1776. And already agreed that its principal author, Thomas Jefferson, borrowed very heavily from the Enlightenment thinkers before him, such as John Locke.

What I meant to say was not that the *concept* was new, but that //actually implementing a Government // that enshrined these concepts into //fundamental principles and law// was a novelty, even if implemented only partially at first.

"Power corrupts" - the whole quote, from Lord Acton, is worth reading, as well as the context. He included even the Pope.

Our own Constitution and Bill of Rights have been repeatedly subverted over the years, so that the US is approaching an elected monarchy in some ways (POTUS inventing powers non-existent in Constitution), and an elected aristocracy in other ways = Congress also passing laws that Constitution gives it no power to pass. Actually, most of the laws passed these days are in areas in which Congress lacks Constitutional authority. Otherwise, the Federal budget would be at most 1/4, and maybe 1/10, what it is; there would be no need for debt and none would exist, and taxes would be much lower.

The Founders forgot to put in a restriction against non-emergency deficit spending. Such an Amendment is mentioned repeatedly, but once the people get used to their bread and circuses (Rome), they don't want their benefits cut, and they don't want their taxes raised, so it's not going to happen - and the US will go broke, and become a second-rate power, then eventually a third-world nation.

My analysis of this history, in parody form, has been linked here several times, but once more, in case you're interested and haven't seen it:

http://www.amiright.com/parody/70s/donmclean152.shtml

" and with your example I merely wanted to demonstrate that even if intentions are good/nobel/worthy, it does not automatically follow that actions are."

Oh, ab_so_lute_ly! In fact, there is a saying in English, "The road to Hell is paved with good intentions." Much evil has been done by those with good intentions. So we do not disagree so much after all. Perhaps there is a slight language barrier, but I think we're "on the same page" (thinking alike), as we say, now.

To be sure, the links to David Bell's paper were provided by Nick P., who brought the Bell-LaPadula model to my attention. Credit where credit is due. :)

tommyJuly 11, 2011 3:47 AM

@ Vles P.S: (forgot)

When you finish "Atlas Shrugged", I'd love to know your reactions, at any thread - this one is about to disappear -- or give me a heads-up by e-mail to let me know you've posted, and where. Other readers may be interested in your reactions, and the book, since Rand was a staunch promoter of the same values that Bruce and many others fight for - free speech, free press, individual liberty, limited Government power, even though she passed away before the Internet, and unfortunately, before seeing the downfall of the Soviet Union, which she avoided only because her family escaped during the Bolshevik Revolution. She knew what totalitarianism is like.

jacobJuly 11, 2011 9:44 AM

@tommy. exactly. I do understand the need and problems selling security. The industry is incident driven. At the same time we need to do a better job explaining and selling it. The "rash" I was speaking of was the well publicized hacks on sony, et. al.

Microsoft is probably better whatever that means. They would have to be really dumb to think they are not a target. Also, they are charging for access so maybe they spend more for security. That sony made rookie mistakes, would be surprising but not shocking. What was a surprise to me was RSAsecureID. It's their business model. I think it was probably social engineering that did them in.

American beer has way too much hops in it IMHO. Tenant's which I haven't had in decades was good. Guiness or PBR ;). It is very hard to find an american beer that doesn't taste like a lemon.

@clive. It sounds like we are kind of in the same boat. Yours is cardio, mine is skeletal? The mind and heart is willing but the body says, "Oh hell no!!"

I have the fish down, the chips are still not quite right. I'll keep trying. (Just eat salad for 3 days after) I do not miss the full english/scottish breakfast. That is a heartburn carnival. Don't miss haggis. I never could drink enough beer to make that palatable. ;)

Hope you are doing better, and keep us informed. Any day above ground means we can make a difference. \m/

ModeratorJuly 11, 2011 10:35 AM

Please don't start an "Atlas Shrugged" discussion on a random thread. I suggest taking that to another site.

Peter E RetepJuly 11, 2011 11:05 AM

Andy R makes one side of a good coin of points.
It does seem this test reveals
(a) a person's level of security consciousness,
and
(b) their concern with the equipment at hand.
I myself run every USB stick, even the purchased kind,
through my work security program first.

Since most folk have very low levels of security consciousness,
and most folk use computers, workstations, LANs and Internet access devices,
the perception of risk is what makes the electric saw analogy imperfect.
You can see a saw rip through wood.

The inner workings of computers to most people are
"will-driven" because they have to make it do anything,
recalcitrant, because it often does NOT do what they want it to,
"magic" because they have no idea how it works, and otherwise
invisible, because they can't see it.
So they assume it is idle, passive, and narrowly responsive - if at all -

Recall the .gov attempts to make unreadable-as-English transmissions a Federal felony,
which doesn't pass the three-year-old test,
and to feloniize all deviant programs -
which doesn't pass the execution-interrupt-download test.

The idea that a computer is equal to a concrete saw running at full blast alongside your egg cartons of precious data is not in their minds, is it?

ModeratorJuly 11, 2011 12:04 PM

@Andy:

"On/Off topic"

I can just barely tell what you're talking about in this comment, but it seems purely off-topic. Please don't do that.

LisaJuly 11, 2011 6:32 PM

Yes, and people automatically have sex with the first drugged out hobo they find in the street. Sex is an instinct, and it's up to the environment to prevent people from doing something stupid like having sex with the first random person sitting in the street.

People who plug strange USB sticks into their computers ARE idiots.

3-DJuly 11, 2011 7:41 PM

Well, I see two views here:

1) I've believed from day one when Microsoft first introduced AutoPlay that it was the devil incarnate, and that it would make installing viruses from "evil" media a lot easier

2) Even if AutoPlay weren't there, most of those suckers would run whatever's on that drive without hesitation. See: attachments any idiot will run from e-mail.

So I partially agree and disagree with you here Bruce. As it was said in Baseketball, "Ah, well, you know it was a team effort and I guess it took every player working together to lose this one."

VlesJuly 11, 2011 11:12 PM

"educate them with everything I know (follow best practices etc)"

"and it's up to the environment to prevent people from doing something stupid like having sex with the first random person sitting in the street."

No, it's up to people to do this to other people. And the natural process controlling this instinct by society is called moralizing.(Although religion has claimed a lot of it as their domain.) - I hope this will be discussed in the upcoming book.

And the reason morals are fleeting in information technology, is because there aren't enough mothers in IT beating kids over the head with a wooden spoon for plugging in foreign USB sticks!!!!!

@tommy - aye cap'n :) - I'll get to voting on your parodies, just need to find the music and sing em first.

VlesJuly 11, 2011 11:59 PM

@tommy - excuse double post

> "If you would like to discuss the book"
Done this. Send you an email about ~2 hours ago. :)

Guzmah MingJuly 12, 2011 2:35 AM

I found a USB stick and put it up my bum.

My brain's been slow and glitchy ever since.

tommyJuly 12, 2011 6:06 PM

@ Google Promotions, Inc.:

Why? What's so safe about Google's present tools, which get hacked as much as any others?


@ Moderator:

That post contained no factual basis for the claim. If it was indeed from Google, there should be a link, but it's spam anyway. If someone is falsely claiming to be writing on behalf of Google, that's not only spam, but impersonation.

Shouldn't it be deleted either way? Cheers.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.