Friday Squid Blogging: Squid Forks

Squid forks.

Posted on August 19, 2011 at 4:20 PM • 49 Comments

Comments

Richard Steven Hack • August 19, 2011 4:42 PM

And besides the calamari forks...

Antisec hackers hit another FBI affiliate
http://www.theinquirer.net/inquirer/news/2103000/antisec-hackers-hit-fbi-affiliate

"White hat sellouts, law enforcement collaborators, and military contractors beware: we're coming for your mail spools, bash history files, and confidential documents. Can't stop, won't stop."

And a second piece which claims only the CEO's Gmail account was hacked:

AntiSec hackers target Vanguard Defense exec
http://news.cnet.com/8301-1009_3-20094621-83/antisec-hackers-target-vanguard-defense-exec/

Also:

Hacked in 60 Seconds: Thieves Could Steal Cars via Text Messages
http://blogs.scientificamerican.com/observations/2011/08/19/hacked-in-60-seconds-thieves-could-steal-cars-via-text-messages/

Yeah, but do they look like Angelina Jolie?

And then the Fumbling Bunch of Idiots gets a nod:

Exclusive: How the FBI investigates the hacktivities of Anonymous
http://arstechnica.com/tech-policy/news/2011/08/exclusive-how-the-fbi-investigates-the-activities-of-anonymous.ars

And finally a nice CNET timeline chart of recent hacks:

https://spreadsheets.google.com/spreadsheet/ccc?key=0Apf9SIxJ8Cm_dGxuNUJjbmM5LU40bVdWaFBVcTZPN3c&hl=en_US&single=true&gid=0&range=A2%3AJ97&output=html

hope • August 19, 2011 11:22 PM

URF, universal request forwarder.
Two requests are sent; one is embedded in a request to one page that returns normal traffic. Hidden in the sub-layers, the client asks the website to grab another page somewhere else, and it then forwards its own and the other website's pages to the client.

Richard Steven Hack • August 20, 2011 1:37 AM

The TV tropes article misses one big one: the FIRST Iron Man and his ridiculously powerful AI Jarvis. That product alone would have made him a trillionaire even without the Iron Man suit.

Similarly, they left out Terminator: The Sarah Connor Chronicles where young John Connor hacks into LA Police Department systems and downloads info on captured Resistance fighter Derek Reese.

He also extracts a Terminator's chip and hooks it up to his apparently home built PC with dual video processors each handling 10 terabytes per second of video processing in order to read what's on the chip.

He subsequently extracts hot Terminator Cameron's chip and hooks it up to his laptop so she can take over the LA County traffic light/camera network and crash it so Skynet can't use it as a surveillance system.

In another episode Cameron uses his laptop to track his cell phone when he's trapped in a truck - until the cell phone falls and breaks.

And of course there's the entire season two with the development by a T-1000 Terminator of an alternative AI called John Henry who ends up being in opposition to the real Skynet.

Not to mention Cameron getting her chip glitched and Connor fixing it by CLEANING IT... LOL

But the less said about season two, the better.

Although they DID use my name in one episode (one of the writers knew me from some blog comments I made.) My one second of fame... :-)

GregW • August 20, 2011 3:30 AM

Please pardon an early-morning security rant. I welcome corrections or suggestions about how to fix what I am about to describe.

I suspect most readers of this board, like myself, have long recognized how broken/fundamentally limited antivirus/malware engine strategies are: detecting malicious patterns of code within files, or hashed checksums of malicious files. It's not hard to make variants, or to auto-create variants that evade the signature, or even to auto-detect whether those variants are detected by existing AV engines. We all probably know that, in part for these reasons, these products catch only 40% at most of what's out there.

What I didn't realize until a recent personal painful experience is that it's actually worse than that at several fundamental levels. Perverse economics lead to an industry-wide, highly suboptimal malware-reduction environment.

Say that, post-infection, you actually get to the root cause of your infection, the files and websites involved and you want to make sure that, at a minimum, nobody else who uses AV/malware tools has to get infected with at least the precise same URL or file and waste a dozen hours of their time with it. (Or you want to penalize your unknown/unseen attacker and minimize the benefits of the attack working with others in the future, in hopes of raising his "costs".)

You can't.

1) The average or even tech savvy citizen has no way to "sound the alarm" about a bad file. Presumably due to perverse economic incentives, if one gets infected by a virus and does manage to track down the root cause (a particular file), there is no way to submit it as a known threat to the entire industry of antivirus companies so at least future people don't waste time on it. There are online file scanners that can show you that your antivirus vendor and 20 others don't detect it, but 2 do, but there's no way to alert the other 20 to get their act together. At best, practically, you can pick your current AV vendor who failed and try to submit something to them and hope they notice/look at it. I say failed economic incentives because each AV/malware vendor's incentive is only for themselves to get notified about a known bad file. There is no public or shared cooperative mechanism to share this virus code. (The full disclosure list isn't really for this stuff, right?) Am I wrong?

2) The average citizen has no way to "sound the alarm" about a bad website. Say I mistakenly clicked on a weblink in an email from a friend and got infected. How can I submit this malicious URL to all 20+ vendors? Is there any common place to do so? No, just a dozen different AV/malware sites each with their own submittal pages and mechanisms. No economic incentive for anyone to build a common alarm system. Perhaps you can submit it to your own AV vendor and to Google's malicious sites list, but what else can you do? Totally broken.

3) Say your AV product doesn't detect the virus so you pay your AV vendor another $X to get an "expert" to find it (hey, it's cheaper than your time.) It turns out that your AV vendor doesn't really do the job themselves, they outsource it to another firm which has permission to use their name. The expert turns out to be someone in India who spends 10-12 hours of remote access (spread out over multiple days) to your PC. (Caring about security, you do end up spending your own time at least somewhat to watch over what they do on your PC, right?) When the expert does identify the problem file(s), do they submit them back to the AV vendor? No they just delete the files and wipe their hands of the problem... "solved!" And why should they? There's no incentive for them to improve AV vendor signatures or samples, and if anything, it's in their interest NOT to improve them since it merely drives more business to them. Even if you explicitly tell them you want to submit the file to the AV vendor, they will make a show of it, but A) will submit the wrong file and hope you don't notice, or B) when you find another copy of the file, remove it rather than disable/rename it. Thankfully you are supervising them enough to detect and abort and recover from their disobedience or incompetence and you submit the files yourself to a couple of one-off places.

Such a racket.

The 40% detection rate is not just because a signature strategy is technically weak, it's because the whole post-detection event handling of malware is fundamentally broken for basic reasons of economics. Really maddening. I know we can't have security, but at least can we do better? Am I wrong? Am I missing something? Suggestions?

hope • August 20, 2011 4:00 AM

@GregW, there probably are too many sigs for them to work on them all.
There probably is an easy way: boot off a medium that gets control of the CPU near the top (say POST/BIOS) and runs or checks the code.

There are probably multiple ways (someone posted in June some Oracle code) to get and control what code the CPU uses, and if it's something that would benefit the attacker more, say cmd or an admin account, just stop it using the network or delete files (types of removing it).

Personally I don't know why they would share; I thought "VirusTotal" did that, but maybe the companies rub each other's backs.

Clive Robinson • August 20, 2011 12:24 PM

OFF Topic:

@ Bruce,

Last week I posted a comment about a hack on a wireless insulin pump that got cracked by a researcher.

Well it appears to have ruffled a few feathers up on the hill,

A couple of senior members of the House Energy and Commerce Committee (representatives Markey and Eshoo) sent a formal missive off to the GAO asking them to formally look into the FCC's responsibilities/actions with respect to medical devices with wireless interfaces,

http://markey.house.gov/index.php?option=com_content&task=view&id=4475&Itemid=177

Whilst we need this looked into, it needs to be done calmly and cautiously, lest we get a repeat of WiFi et al, not rushed into to produce "knee jerk" action that is going to end up less secure than a second hand pair of string underpants.

A blog reader • August 20, 2011 3:19 PM

On the issue of privacy and leakage of information, Peter Singer's article "Visible man: Ethics in a world without secrets" in Harper's magazine (August 2011, page 31) may be of interest. Further details are available at http://harpers.org/archive/2011/08/0083544 (From what it appears, the online version of the article is only available to Harper's magazine subscribers.)

Richard Steven Hack • August 20, 2011 10:36 PM

GregW: No, you're not missing anything. This is the system and it's unlikely to change. As some have said, the only way to even remotely change it is to have the OS force everyone to "whitelist" what runs on their system and absolutely refuse to run anything else.

Of course, that wouldn't stop people from "whitelisting" every malware they run across. Because there's no way to vet third-party software, either. There is to some degree in Linux because in Linux you usually get your software from a "repository", not random Web sites. But in Windows, good luck with that. Without Microsoft mandating it, it won't happen.

One thing you can do when you get hit with malware which isn't removable by your usual AV or antispyware is either 1) if you have Web access on another machine, go to site like Bleeping Computer where experts can help you get rid of it - which has the disadvantage similar to using overseas experts, i.e., time and repeated communication - or 2) hire a local PC support guy to come in and clean the system. The latter will probably cost as much but will take much less time.

But the software the tech uses will delete most of the malware, too, so you won't have much left over to submit.

It really doesn't matter what you submit, anyway, because the malware writers will just adjust the program to evade detection by most of the AVs anyway.

It's an arms race that cannot be won no matter what changes are made to the industry to submit new malware.

Again, the only way is: 1) no program is allowed to run unless explicitly allowed; and 2) someone vets every program out there.

This isn't going to happen. So, as usual, my meme applies. Suck it up.
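
The two policies argued over above, as an added example that is not from any commenter: a signature-style blocklist keyed on the hash of a known-bad file versus an explicit allowlist ("whitelist") of vetted binaries. The sample "binaries" are constructed byte strings, and the set names and function names are illustrative assumptions; the point shown is that a one-byte variant of the bad file slips past the blocklist while the allowlist still refuses it, and that the allowlist is only as good as whoever vets the entries in it.

```python
import hashlib

# Constructed sample "binaries" standing in for files on disk (not real malware).
GOOD_TOOL = b"MZ\x90\x00good-tool-v1"
MALWARE = b"MZ\x90\x00dropper-v1 stage2"
# A trivially re-built variant of the same program: one byte of padding added,
# so the file hash changes while the behaviour does not.
MALWARE_VARIANT = MALWARE + b"\x00"


def file_hash(data: bytes) -> str:
    """SHA-256 of a file's contents, the key both policies use."""
    return hashlib.sha256(data).hexdigest()


# Signature-style policy: hashes of files already known to be bad (assumed list).
KNOWN_BAD_HASHES = {file_hash(MALWARE)}

# Allowlist policy: hashes of binaries someone has explicitly vetted (assumed list).
VETTED_HASHES = {file_hash(GOOD_TOOL)}


def signature_policy_allows(data: bytes) -> bool:
    """Default-allow: the file runs unless it matches a known-bad hash."""
    return file_hash(data) not in KNOWN_BAD_HASHES


def allowlist_policy_allows(data: bytes) -> bool:
    """Default-deny: the file runs only if its hash was explicitly vetted."""
    return file_hash(data) in VETTED_HASHES


def compare_policies(samples: dict) -> dict:
    """Map each sample name to (signature_decision, allowlist_decision)."""
    return {
        name: (signature_policy_allows(data), allowlist_policy_allows(data))
        for name, data in samples.items()
    }


def vet_and_allow(data: bytes, reviewer_approved: bool) -> bool:
    """Adding to the allowlist is a human decision; a careless reviewer
    approving the variant reproduces the 'whitelist every malware' failure."""
    if reviewer_approved:
        VETTED_HASHES.add(file_hash(data))
    return allowlist_policy_allows(data)


if __name__ == "__main__":
    samples = {
        "good-tool": GOOD_TOOL,
        "known-malware": MALWARE,
        "malware-variant": MALWARE_VARIANT,
    }
    for name, (sig, allow) in compare_policies(samples).items():
        print(f"{name:16} signature-allows={sig!s:5} allowlist-allows={allow}")
```

Running it shows the known sample blocked by both policies, the variant allowed by the signature policy but refused by the allowlist, and the good tool allowed by both; `vet_and_allow` is the step where the second objection in the comment bites, since an allowlist only moves the problem to whoever approves entries.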

Nick P • August 20, 2011 11:35 PM

On Topic

Those forks are so cool. Even for a guy not obsessed with squid. The one on the top might be hard to use. Pasta, esp. spaghetti, is a major use of forks in the US. The spaghetti wouldn't go through such narrow openings that easily. I haven't had "thin" spaghetti, so I can't say anything about it. Maybe if they make the openings just a bit wider, like a squid spreading its tentacles.

You buying a set, Bruce?

Clive Robinson • August 21, 2011 5:28 AM

OFF Topic,

Some more details and another perspective on the supposed Anonymous attack on BART.

http://policeledintelligence.com/2011/08/18/simple-attacks-can-be-devastating/

The interesting bits about the ineffectualness of puffed up DHS advice and the lead up to the attacks (as well as a little info on the London Riots) are in the first part.

Speaking of Facebook as the article did, some of you (who are daft enough to use it or know people who do) might find this 20 page advice guide from CERIAS useful,

http://www.cerias.purdue.edu/site/news/view/watson_co-authors_facebook_security_guide/

And for those with a yen for Sino-APT,

http://www.tgdaily.com/security-features/57975-leaked-data-points-to-sino-cyber-espionage-ring

The article suggests the over eight hundred affected IP addresses are related to financial espionage. If true this is not exactly a surprise; the old CCCP (USSR) ran a number of sophisticated (for the time) financial espionage activities in order to gain advantage in trade and other deals to support their economy. One such well known incident was the manipulation of grain prices to buy vast quantities of wheat at minimum price after a disastrous harvest in Ukraine.

The important point to take away is that the poster of the information is anonymous, and although some of the IP addresses are the same as those liberated from the HB Gary "soysource" data, there is insufficient information to attribute where the attacks actually originate from or who benefits financially, so as always treat it with an open mind.

Clive Robinson • August 21, 2011 5:57 AM

OFF Topic:

Whilst I remember, some of you may have heard of Operation "Shady RAT", which is what McAfee's vice president Dmitri Alperovitch calls the hacker attacks of the past five years or so against a large number of industries. With more than a hint that it is a co-ordinated APT attack...

Well, many people looked at the breadth of the industries attacked and went "nah" and said they "smelled a rat" with the information.

Well, the "Pope of Virus" Eugene Kaspersky, founder of Kaspersky Labs, is not only calling "bull" on "Shady RAT", he has effectively written in his blog that it was deliberately alarmist in its claims and did not represent the reality of the threat.

Well, he may be right on the alarmist side, because Mary Bono, chairwoman of the U.S. House Subcommittee on Commerce, Manufacturing and Trade, sent McAfee a letter asking them to answer a set of questions about the claims of McAfee.

It appears that Mr Kaspersky is acquainted with the contents of the letter and has chosen to post his view of what the answers really should be on his blog.

Anyway PC World has a writeup on the spat,

http://www.pcworld.com/article/238382/shady_rat_report_called_alarmist_flawed.html

Richard Steven Hack • August 21, 2011 12:59 PM

From the Police Intelligence article: "It strikes me as hypocritical to attack a site and harm the very people your group claims to be defending – the people."

This has been the most common response to the Anonymous initial attack on BART. What it fails to comprehend is Anonymous is perfectly willing to reveal to USERS of a system how vulnerable they are to the lack of security on the systems they use.

And if this requires the users personal data to be dumped, so be it.

It makes perfect sense.

The sole reason people are harping on it is that they have a basic antipathy to Anonymous and what it is doing and therefore are upset and wish to demonize Anonymous any way they can.

To put it another way, what Anonymous is saying to the people by dumping their data is: "YOUR security doesn't exist. Suck it up."

Consider it "tough love".

Clive Robinson • August 21, 2011 2:38 PM

@ Richard Steven Hack,

"tough love"

You may be aware of one of the major rules in medicine which is,

'First do no harm'

Well, in modern medicine it now has an exception, to do mainly with cancer, which is to look at the long term results and decide which is the least harmful to the patient. Thus if cutting a cancer out from around the spine means the patient will spend the rest of their probably quite long life in a wheelchair, it is considered preferable to them being dead in three months.

So there is a longterm argument for doing a lesser harm in the short term if and only if the harm is less than the longterm harm.

Now the problem for Anonymous is have they done less harm in the short term to prevent a worse harm later?

Many would say not, as they could have partially anonymized the data.

Although this sounds a reasonable argument it is in fact flawed, because any meaningful release of data will act as a seed which can be grown via public sources back to the original data they have liberated...

It's a difficult call to make.

Richard Steven Hack • August 21, 2011 5:42 PM

Yes, I considered that they could have anonymized the data. Just publicizing the user's names might have been sufficient.

The point of any kind of "terrorism" is to change human behavior. Frequently this means scaring the crap out of the average citizen. Unless you show him what he needs to do to stop that fear, though, it tends to backfire. This is where a lot of terrorists screw up with attacks on civilians. It's generally better to attack the authorities on whom the people mistakenly rely for their security, and let that put fear into the people, then explain how dumping those authorities can change things and remove that fear.

In the case of Anonymous, however, the damage being done doesn't involve anyone dying. So if they just attack the cops, the average person doesn't really care. By causing the average person some problems, it draws more attention to the purpose.

Anonymous seems to have two separate but intertwined goals (to the degree they have any goals). 1) Attack the state for its actions; and 2) expose security weakness, especially in state authorities - which as hackers is their main focus. The latter may require causing civilians as much trouble as it does the state in order to bring home the problem.

Anonymous really doesn't show that much interest in "protecting the people" except in the sense of exposing IT security weaknesses. So if it takes causing some ordinary users problems to make their point, I'm not surprised they do it.

Almost any attack on a society authority structure is going to end up causing civilians problems one way or the other. That's the nature of protest, especially effective protest. A "peaceful demonstration" that doesn't disrupt something or other is generally ignored.

So the real reason I think is as I said: If you don't make the users suffer something, they won't care. As I think it was William S. Burroughs who once said, "The only thing that gets a human off his dead ass is a boot up it."

Certainly been true for me. :-)

Clive Robinson • August 22, 2011 2:21 AM

@ Vles,

"Have you seen this"

No, but I've listened to it.

There are three different aspects to it,

1, The nurses
2, Cheating
3, Testing

So taking it in reverse order,

(3) Is Anonymous carrying out a test on our broken assumptions?

Hmm, I suspect not, but that is no reason why we cannot use it as such (more on that later).

(2) Is Anonymous cheating (ie doing something wrong because they can)

The simple answer is yes, and like Dan Ariely, the giver of the TED talk, I think the standard risk reward model in economics is not just cracked, it's completely wrong (mind you, I think that about a lot of supposed "economic theory" for fairly sound reasons).

So yes Anonymous are subject to "peer perspective" even if they don't know who each other are. Yes due to the distance from the disclosure harm they are more amoral than they might otherwise be. And obviously some of the Anonymous group(s) members do indeed believe themselves to be sufficiently far removed from payback by the authorities that it has not come into their consideration.

(1) Which brings us to the nurses example of causing a lot of pain for a short time as opposed to a lesser pain over a longer period. Part of the problem in the nurses case is the unknown quantity of pain in terms of linearity.

[I need to declare a "self interest" here. Pain is something I have a degree of familiarity with due to some of my medical conditions and movement, so it is fairly continuous pain. And for other medical reasons I cannot take NSAIDs, and the CNS depressing opiates and their analogs cause me unpleasant hallucinations, nausea and vomiting even in small doses, as well as having adverse interactions with other medications, so pain medication is something I can't use a lot of the time. So I've looked into pain and its effects both short and long term, in order to be able to function.]

The assumption in the medical fraternity is that pain is effectively logarithmic, not linear, in nature. That is, if I stick one pin in you, you feel X pain; two pins only cause 1.8X pain, three pins only 2.0X pain and five pins only 3.0X pain, and after about ten pins each additional pin causes a marginal increase in pain. Thus the area under the graph is smaller with a large amount of action over a short period than a little action over a long period.

Unfortunately the logarithmic response to pain is not the only factor involved. This is because pain is quite literally "all in your head" and people's brains work in different ways or can be trained to do so. One example was the developer of the ejector seat in aircraft who developed chronic back pain but learnt to smile, not wince. Another is that hypnosis, either by formal induction or by self induction, can cause pain to be a lot more manageable. You can also displace pain; that is, with training you can get your mind to move the pain to somewhere else in the head where it is less of an issue. People with chronic pain can develop these "mind tricks" over time as a self defense mechanism without being aware that some parts of the medical profession are aware of them and can teach considerably more effective ways.

However, with the brain's function being mainly unknown and test subjects developing their own coping strategy, making meaningful pain measurements is difficult.

There is also the question of ethics, which brings me back to testing (3): the speaker Dan Ariely got a few laughs from the audience when he talked of crushing people's fingers in a carpenter's vice.

But is crushing people's fingers (even a little bit) morally right when investigating pain?

Many would say NO, and rightly so if the test subjects are neither volunteers nor properly informed.

And this is an important point with Anonymous outing the details of the BART customers: the customers concerned were neither informed nor asked for their consent.

Which brings me onto the notion of "greater good"; there is a viewpoint that it is acceptable to save the majority at the expense of a minority, and it sometimes hides behind the name triage.

In the medical sense, if you have a disease which has an infection rate of 90% you may or may not take action depending on the mortality rate, which might be low or high. At some point, when it is known a person is infected, you have three choices: do nothing, isolate the person from others, remove the person from society.

Normally we assume, incorrectly, that people will be isolated and given good medical treatment, but in practice this is dependent on the resources available.

For some diseases the question of sacrificing the minority has to be considered. That is, you treat infected people like a cancer and excise them from the body of society with a knife or other method of forcefully removing them to prevent others being infected.

Could Anonymous claim that outing the details of a few (to their potential harm) is a method of triage to prevent a more pervasive harm befalling larger numbers of society?

It's a question that needs to be considered and has been under law in various places when "the prevention of genocide" is given as a defense for capital crimes.

It is at the end of the day a question of morals, logic and individual conscience.

Clive Robinson • August 22, 2011 11:48 AM

@ dmc,

"Cameron's statement that they'd consider putting limits on social media."

Not sure which part of the world you live in, so I'll be overly general.

Whilst David Cameron might be PM, you have to remember that he and his party did not get the majority vote required to be the party in power; none of the three main parties did. What Cameron did was run around and do a deal with the third party, and thus as a coalition of two parties got sufficiently more MPs than the party with the most MPs (Labour).

Most people said "yeh so what" and tried to find jobs or maintain their standard of living.

Since then David Cameron has blundered from issue to issue, riding roughshod over promises made to the coalition partners and civil liberties alike. He has been found to be extremely wanting in judgment over the News International phone hacking and in general displays "knee jerk" "sound bites" instead of considered opinions.

The fact that David Cameron has failed to even start investigating why large companies such as Tesco's, Vodafone and many others should tax dodge billions, because a person who now has a consulting role at HMRC, who used to work for one of the big accounting firms that sold the companies concerned the tax dodge system in the first place, has effectively said against all legal and other advice "that's OK lads", shows Cameron's lack of serious focus.

This rather silly "knee jerk" idea is actually pretty vacuous and hypocritical, in that it is effectively unenforceable, illegal under EU legislation and so easily avoided that it will never have any significant effect. It is hypocritical for him to say it because he has supported the various uprisings of the Arab Spring and condemned the rulers of the countries concerned for their attempts to censor or stop the same Internet systems used by those countries' "rioters", who have turned into Freedom Fighters that David Cameron, through NATO, has committed UK armed forces to support...

Richard Steven Hack • August 22, 2011 2:29 PM

Clive: Nothing like HBGary painting a bullseye on their foreheads with that article! LOL

I'm sure Anonymous will be by in a couple of days to prove the Hoglunds wrong about "being secure".

Vles/Clive: I just watched the TED talk (as an aside, they really should let me do a TED talk! :-) )

While his behavioral experiments were interesting, I'm not sure they justified the title about "our buggy moral code." Nor were the results particularly surprising to me. I think most of them could have been predicted from a reasonable model of human nature.

As far as applying them to Anonymous, I don't see the connection.

Anonymous is not "testing" anything. They are in a conflict with state authority on the one hand and demonstrating - not "testing" - the flawed nature of the notion of "security" on the other.

What interests me is that while Anonymous may believe that achieving "security" is a viable goal - unlike me who knows this is not achievable - their obvious effort is to prove otherwise. Their motivation for doing so is probably all over the lot, from using this "proof" in support of their general anti-authoritarianism, to personal gratification, to simple curiosity as to how much they can get away with.

Once again, how this effort affects the end users vs how it affects the authorities involved is not a simple either-or proposition. While in my view the goal should be to harm the authority in specific ways while minimizing actual harm to the civilians, there are two caveats to that.

One is that, again, the point is to change the behavior not only of the authority but also of the civilians. And if the civilians are not brought to a state of concern ("harm"), nothing will change on their part. Which means in turn nothing will change on the part of the authority because authority depends on the support of the civilian population for its existence.

Second is that precisely because the existence of the authority depends on the support of the civilians, the civilians bear a measure of responsibility for the situation. Now I never use the terms "right" and "wrong" because they are null terms with zero meaning. Neither do I describe situations in terms of "moral" vs "immoral" because they are also null terms with zero meaning.

But I do describe situations in terms of responsibility because that is a demonstrable characteristic. Someone either did something or they didn't. There was an effect of that. I also describe situations in terms of "correct" vs "incorrect" in the sense of what works to achieve one's purpose (in the short and the long term, however that is defined) and what doesn't.

So civilians, bearing some responsibility for NOT correcting the behavior of authority, can be made part of the conflict. The questions are: by what means, and to what degree?

As I've indicated, blowing them up at random is not the correct way. Revealing their personal data may or may not be correct. You can't conflate the two positions without consideration for the goal of the conflict and the relative responsibility the parties bear for the state of and reasons for the conflict.

In this respect, I submit that Anonymous, by releasing personal data for civilians, as opposed to state authorities where the case is much stronger for doing so, is subjecting those civilians to a minimal level of harm as an object lesson. While some of those civilians and independent observers may view this as an excessive level of harm, this is debatable given the overall concept of the conflict.

One should be careful of using the term "harm" over a broad range of effects and conflating upsetting people with blowing them up physically.

While I personally believe that anyone causing or even trying to cause me harm in any way - physically, emotionally, financially, whatever - is an enemy who deserves to be shot in the head - circumstances permitting, of course, which in most cases they don't - I can understand that in some cases if parties to a conflict bear some responsibility for the harm being caused by others in their name then they are rationally subject to having "harm" in some degree effected on them.

In other words, if you're going to assess "harm" assess ALL of it - not just some of it to one set of parties - especially the one to which one happens to belong.

Vles • August 23, 2011 2:55 AM

@RSH
> "(as an aside, they really should let me do a TED talk! :-) )"
What topic would you pick & title?

>"I'm not sure they justified the title about "our buggy moral code"
That TED talk reminded me that Lulzsec might be out to expose this personal fudge factor (~ buggy moral code) and bring the PFF down in people charged with enforcing security and guarding trust.
Obviously seeking targets in companies with a lot of badge value.
Just like in the vid: when you cause sharp pain/unpleasantness in a short period in the population it has a more negative effect compared with lower intensity drawn out over a longer period. Their actions are like good natured terrorism, because it's for shits and giggles (Aussie slang). So they and their actions are not explicitly *evil*, just mischievous. (Like 8 year olds going around with 1m PVC pipe and half an IKEA brochure, rolling paper arrows and shooting them into the neighbours' bathroom windows -- good times)

@Clive "morals, logic and individual conscience"
individual conscience --> Ethics
I'm wondering if a code of ethics and the iron ring like the Canadian engineers (http://en.wikipedia.org/wiki/Iron_Ring) would be equally applicable to the IT security engineer guarding Trust.
Talking about symbols: Tacitus mentions the iron ring http://ancienthistory.about.com/od/europe/l/bl_text_Tacitus_Germania.htm and legacy has it that it passed on to become an enviable symbol for restraint. (Can't find the Dutch article, but I'll try and dig it up.)
Mapping it back to the TED video: Wearing it has the effect of (just like in the vid when recalling the ten commandments) reducing your PFF.

Lulzsec et al has certainly shown us - with evidence and Monty Python style humour - that even in the field of IT security and the people that work in it, good intentions do not always translate to good actions. This maps back in the video to the nurses example, the cheating experiments, "predictable irrationality" (I should print that on a t-shirt and sell it a la "shit happens", maybe include your meme underneath it if you're happy with 50-50) ... and what we discussed before in the post about the foreign USB stick:(http://www.schneier.com/blog/archives/2011/06/yet_another_peo.html)

>"Anonymous is not "testing" anything."
Maybe they're just trying to "level the playing field". Or maybe they are just like we say in Dutch: "tegen de schenen aan het trappen" --> "kicking against (your) shins". This, in order for you to sit up straight and pay attention so as to get better results. A bit of pain for more gain!
Like G.S.P jr. saying a pint of sweat (and perhaps some embarrassment) will save a gallon of blood or you reminding us "The only thing that gets a human off his dead ass is a boot up it."

Who watches the watchers? Who watches the IT department? Who in the IT department watches the IT security team?
When it was previously mentioned that we miss their presence when they decided to abandon ship, is it because Lulzsec's efforts do us a favour by kicking shins and getting people to pick up the slack, pay attention and close glaring security gaps? Here we go again: Is it a good thing to do a little *evil* / be mischievous to do a lot of good? tommy doesn't think so. To do *evil* - even if it's a little - to do good, is against his principles although plenty of examples abound.

"morals, logic and individual conscience" -- If you can't place your trust (trust flows both ways) in the individual's morality, application of logic and conscience and many people at the top or in the executive branch seem to think so, does it really come as a surprise they are trying to control the masses through - and have come to place a greater emphasis on - rules and laws and technical security systems? But if the masses are not loyal to the leaders, is it the masses fault? Or have the leaders forgotten that "Loyalty operates both ways, down as well as up" and do not seem to be loyal to the masses in the first place? Trust issue?

You can interpret "leveling the playing field" here to mean balancing out "feeling" vs. "reality" and setting them equal again. Is that not a Good thing to do? We just had another someone lose his marbles in Norway and choose to break a cardinal rule by going at it Ted K style. I don't think this person has a sense of humour.
I think a little prod in the ribs, kick on the shins and some embarrassment is a far better alternative than bombing or shooting people.
(And Bruce talks about this divide of feeling and reality in the TED talk "The security mirage")

>In other words, if you're going to assess "harm" assess ALL of it
How do you do that? How do you assess ALL of it? Is it possible? Can it be done?

@Clive
>"People with chronic pain can develop these "mind tricks" over time as a self defense mechanism without being aware that some parts of the medical profession are aware of them and can teach them considerably more effective ways."
Insightful: Vilayanur Ramachandran at TED: Capgras syndrome, synesthesia, phantom limbs (especially the phantom limb section, where he helps people experiencing these pains to retrain the brain with the mirror box)
Originally seen on TED, can't find link. Youtube provided instead, apologies:
http://www.youtube.com/watch?v=Rl2LwnaUA-k

>"What interests me is that while Anonymous may believe that achieving "security" is a viable goal - unlike me who knows this is not achievable"
What Nick P said -- let's express the hope and state we can do a lot better in IT to re-address the balance feeling vs reality:
http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attack-taunted-u-s/comment-page-1/#comment-20173

As an afterthought, when Bill Gates wrote the famous memo asking for Trustworthy Computing, was it his intention to 1. make them "appear" more trusted so as to keep selling software (if people lose trust they will stop buying) or 2. actually make for better security?
I'd like to think 2. but why would he choose the word "trustworthy"? It makes me doubt... since "trusted" is a much more explicit and better word and fit for 2....


Keith A • August 23, 2011 8:53 AM

@Vles

>> since "trusted" is a much more explicit and better word and fit

Trust is earned... by making something that is worthy of trust.

Clive Robinson • August 23, 2011 12:40 PM

OFF Topic:

@ Bruce,

It appears the FCC is going to axe the "Fairness Doctrine" because it places an unfair burden on business...

http://www.nextgov.com/nextgov/ng_20110822_4138.php

So I guess the US is going to get even more table thumping conservative talking head shops on all channels...

Now we all know that many banks are not good for a user's financial security, likewise the payment card industries have had a few security breaches. Well guess what, the US IRS is requiring the organisations to hold even more information that will make users even less secure:

http://www.nextgov.com/nextgov/ng_20110819_2747.php

And just to add to the fun, over at the US Customs and Immigration Service it looks like internally it's a cracker's free-for-all. An investigation has shown countless examples of serious behaviour by employees that affect US national security:

http://www.nextgov.com/nextgov/ng_20110818_1087.php

Meanwhile back in the crypto world, the latest version of PHP (5.3.7) has a bug in its crypt() function when using MD5, and the developers are advising people to steer clear of it while they get a new version out in a hurry:

http://www.theregister.co.uk/2011/08/22/php_security_warning/

That was one for the servers, now one for the clients. It appears that a German researcher has found that the latest version of Skype for Windows contains a security vulnerability in that it lacks input validation on phone numbers. So it allows for the possibility that attackers could inject potentially nasty code into a user's Skype session.

http://www.theregister.co.uk/2011/08/22/skype_security_bug/

And here's an app to worry the Police and other forensic investigators:

Named after the three headed mutt that guarded the gates of the underworld, this security app does an awful lot of useful things. I especially like the "SMS of death" feature; if the app's authors could add a fail safe feature such as "Nuke after X time of no signal" it could have some real potential for a whole variety of clandestine activities, not just in the underworld.

http://www.reghardware.com/2011/08/23/app_of_the_week_android_/

And finally a story about a supposed rioter who was not. He has been given 4 months. But as the story goes on to say, the UK Prime Minister David Cameron MP has summonsed Facebook, Twitter and RIM representatives in to discuss how he and his successors can turn them off on short notice:

http://www.theregister.co.uk/2011/08/23/facebook_sentence/

As I've noted in the past the PM is not the brightest light in the corridor and has a habit of style over substance that leads to knee jerk reactions, all of which, if thought about, are going to suffer significantly from the "law of unintended consequences", one of which, as we know from other parts of the world, is that victims of terrorist attacks or other civil unrest now use these systems in order to get help etc. So the PM's wants are likely (if allowed) to be a case of "throw the baby out with the bathwater".
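As an added illustration prompted by the PHP crypt() item above (example code written for this page, not Clive's or the PHP project's), a startup self-check that a deployment can run to confirm crypt() in MD5-crypt mode returns a hash that actually verifies; the test password and salt are constructed values, and whether it would have caught the specific 5.3.7 defect depends on how that defect manifests, which the comment does not say.

```php
<?php
// Added example (not from the comment above): sanity-check crypt() in MD5-crypt
// mode at startup so a broken crypt() build fails loudly instead of silently
// storing unusable password hashes. The password and salt are constructed values.

/**
 * Returns a list of problems found; an empty array means crypt() looks sane.
 */
function crypt_md5_self_check(
    string $password = 'correct horse battery',
    string $salt = '$1$abcdefgh$'
): array {
    $problems = [];
    $hash = crypt($password, $salt);

    // MD5-crypt output is "$1$" + 8-char salt + "$" + 22-char digest = 34 chars.
    if (strlen($hash) !== 34) {
        $problems[] = sprintf('unexpected hash length %d (expected 34)', strlen($hash));
    }
    // The output must begin with the salt we supplied ...
    if (strncmp($hash, $salt, strlen($salt)) !== 0) {
        $problems[] = 'hash does not begin with the supplied salt';
    }
    // ... and must carry a digest after it, not just the salt echoed back.
    if (strlen($hash) <= strlen($salt)) {
        $problems[] = 'hash contains no digest after the salt';
    }
    // Round trip: re-hashing with the full hash as the salt must reproduce it.
    if (!hash_equals($hash, crypt($password, $hash))) {
        $problems[] = 'hash does not verify against its own password';
    }
    // A different password must not verify; this also catches a crypt() that
    // ignores the password entirely and returns the same string regardless.
    if (hash_equals($hash, crypt($password . 'x', $hash))) {
        $problems[] = 'hash verifies against a wrong password';
    }
    return $problems;
}

$problems = crypt_md5_self_check();
if ($problems !== []) {
    fwrite(STDERR, "crypt() MD5 self-check FAILED:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}
echo "crypt() MD5 self-check passed\n";
```

Run it once at deploy time or in a health check; a non-empty problem list means password hashing on that build should not be trusted until the runtime is replaced.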

Richard Steven Hack • August 23, 2011 4:50 PM

Vles:

@RSH > "(as an aside, they really should let me do a TED talk! :-) )"
What topic would you pick & title?

Probably something along the lines of the Firesign Theater's title "Everything You Know Is Wrong". :-)

"Their actions are like good natured terrorism, because it's for shits and giggles. (Aussie slang)."

US slang, too. "Good natured terrorism" used to be called "civil disobedience" before the days when ANY disobedience is now considered a "threat to national security".

"Lulzsec et al has certainly shown us - with evidence and Monty Python style humour - that even in the field of IT security and the people that work in it, good intentions do not always translate to good actions."

Most of the time, there aren't even REAL "good intentions", just a cover story intended to make one look better morally than one actually is.

>"Anonymous is not "testing" anything."
Maybe they're just trying to "level the playing field". Or maybe they are just like we say in Dutch: "tegen de schenen aan het trappen" --> "kicking against (your) shins". This, in order for you to sit up straight and pay attention so as to get better results. A bit of pain for more gain!

It's like the old joke about hitting the donkey with a 2-by-4 to "get his attention".

"Here we go again: Is it a good thing to do a little *evil* / be mischievous to do a lot of good? tommy doesn't think so. To do *evil* - even if it's a little - to do good, is against his principles although plenty of examples abound."

Which is why I don't deal in "good and evil" - only in what works and doesn't, preferably in non-coercive ways - but there are times non-coercion doesn't work or coercion can be justified by the outcome, if not the opinion of the coerced. It's a gray area precisely resistant to rigid moral codes.

"If you can't place your trust (trust flows both ways) in the individual's morality, application of logic and conscience and many people at the top or in the executive branch seem to think so, does it really come as a surprise they are trying to control the masses through - and have come to place a greater emphasis on - rules and laws and technical security systems?"

This isn't even an issue. Almost never are the actions of authority based on "trusting the masses", but to control them on first principles. The only "trust" involved is whether the masses might rise up against the obvious coercion. But the coercion came first - always.

The definition of the state is an agency which seeks to maintain a monopoly on the use of violence over a given population. The monopoly comes first. The motivation is indeed fear of the masses, which in turn generates a desire to control the masses.

But this is not related to "trust". It is central to the human condition. All humans distrust the other members of their own species. This is why statists seek to control everyone else AND also why the masses agree to be controlled. Divide and conquer is the fundamental social mechanism of humans.

"do not seem to be loyal to the masses in the first place?"

Exactly.

"Trust issue?" A fear issue, basic to human nature.

"I think a little prod in the ribs, kick on the shins and some embarrassment is a far better alternative than bombing or shooting people."

Agreed. But as someone said a while back, the US is in that awkward position where working within the system is no longer possible but it's too soon to start shooting people.

I'm sure about the first part. I'm not sure about the too soon part.

"How do you do that? How do you assess ALL of it? Is it possible? Can it be done?"

Sure. You just look at the whole picture based on first principles. Starting from the fact that no matter what decision is made, someone is going to be "harmed" somehow to some degree. Picking and choosing who shouldn't be "harmed" without taking into consideration the entire conflict and who else IS being harmed by the status quo is just blinding oneself to the real situation.

>"What interests me is that while Anonymous may believe that achieving "security" is a viable goal - unlike me who knows this is not achievable"
What Nick P said -- let's express the hope and state we can do a lot better in IT to re-address the balance feeling vs reality:
http://krebsonsecurity.com/2011/03/...

When I refer to "security" in that manner, I'm referring to absolute security. Improving security (without quotes) is a fine goal. Just don't expect it to be achievable in any absolute terms. The problem is that most people conflate those two terms. Which is how you end up with security theater.

And this is almost always inevitable because human fear knows no bounds. ANY fear is unacceptable to most humans because it leads directly to the fear of death - which is overwhelming in humans, more so even than in lower animals because humans have a conceptual awareness of it that lower animals mostly lack.

"As an afterthought, when Bill Gates wrote the famous memo asking for Trustworthy Computing, was it his intention to 1. make them "appear" more trusted so as to keep selling software (if people lose trust they will stop buying) or 2. actually make for better security?"

There's no doubt in my mind that it wasn't 2. Or if it was, that he could use it to gain even more control over the end user and thus make his lock-in even stronger. That guy never had the end user in mind for anything he did at Microsoft. It was ALWAYS about the money and control. Read any biography about him.

Vles • August 23, 2011 11:44 PM

@Keith A

Confronting a great “dilemma”: Is trust earned or given?

http://www.dynamicbusiness.com.au/blogs/confronting-a-great-dilemma-is-trust-earned-or-given-1972011.html

Other Google searches for "is trust earned or given?" lead to a myriad of articles.

Some thoughts that come to mind about trust being given:
- grandmother buying a laptop for the first time
- people with fear of flying (not being able to trust bond with plane or stewards/stewardesses, can't see pilot, they have a hard time "giving trust")
- same token: stepping into a car as a passenger next to a young fella who just got his driver's license. He's rash, overconfident and drives a V8, hits the brakes too hard, accelerates faster than you feel comfortable with. How has he had time to earn your trust? You'll have to give it to him in the first place.....
- first time parents and their bub. How do you earn trust? Trust is given almost immediately both ways. (Called "bonding")

RSH - thanks for reply.
I've started to associate this song with your stance on security (refreshing):
Mark Knopfler - Cleaning my gun - http://www.youtube.com/watch?v=wkUj0aGUBeo

Will have to look up and check out Firesign Theater's "Everything You Know Is Wrong" :)

Nick P • August 24, 2011 2:06 AM

@ Vles

I appreciate the repost of my comment. I just noticed it. It was one of my more clear and to the point posts. Sorry for being late to comment. The trick is in dealing with the economic and psychological forces. The technology is mostly a done deal for the low hanging fruit (aka script kiddie & generic stuff). Just eliminating that reduces risk across the board and saves probably hundreds of millions of dollars globally.

Psychological is about convincing managers, users, etc. to use the secure stuff or use what they have correctly. That's tricky. The economic stuff is the force multiplier of the "penetrate and patch" movement. Steve Lipner, of Microsoft and experienced A1/EAL7 product development, said it best:

"Well, I think that given the choice between shipping perfectly secure software (whatever that means) that no customers will use and shipping software with continuously improved security that will actually help customers, the better ethical path is to ship. That's a controversial view in some circles, but it's the view I've reached after working in the field for the last 35 years or so."

The ethics of perfection - Microsoft's SDL
http://blogs.msdn.com/b/sdl/archive/2007/08/23/temp.aspx

The demand focuses on a steady stream of improvements to cheap, fast, highly compatible software/systems. This contrasts with what is required to engineer secure systems. So, in the real world, we must always compromise. There is no nearly perfect security because people don't want it. There are also government-related issues that cause the ROI to be so low that most companies don't want to build them even for governments. Hence, we can do it, there's no incentive to do it all the way, and we must compromise to some degree. No absolute security, but I can damn sure implement some cost-effective countermeasures if I need to! :)

Nick P • August 24, 2011 2:17 AM

@ Vles

I just realized I quoted the same guy on the same Krebs thread responding to DeborahS. She was claiming that she didn't patch her WinXP system because she worked at Microsoft and knew how poor quality the patches were. I slammed her for obvious reasons & quoted Lipner to show that Microsoft's core strategy was to ship with bugs and fix them later, making patches a logical necessity. Looking back, I especially like how I closed it: "So, for all of us, please update your system. I’m not a big fan of spam and DDOS attacks that system like yours are likely to provide." LOL

http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attack-taunted-u-s/comment-page-1/#comment-20174

Note: It's kind of strange that my comment is grayed out. I rarely visit Krebs' site. I thought that was for downvoting. Must be geared toward how old a post is. Seems unusual to see a grayed out post with votes going 13 and 0. :)

Richard Steven Hack • August 24, 2011 6:01 PM

A Legal Analysis For Why BART's Mobile Phone Shutdown Was Illegal
http://www.techdirt.com/blog/wireless/articles/20110824/02401315651/legal-analysis-why-barts-mobile-phone-shutdown-was-illegal.shtml

Court decision (from another case) quoted:

These depredations of a subscriber’s legal right to telephone service constitute a denial of due process guaranteed by the Constitution of 1901, art. 1, § 6. The gratuitous and arbitrary action of a police official is no justification for an abridgment of this right. To hold that the Telephone Company is justified in discontinuing service by “order” of a police official would require judicial recognition of a police power which does not exist. The bald assertion of an executive officer, be he the Attorney General of the United States or a constable of some remote beat, cannot be accepted as a substitute for proof in the judicial process. No presumption arises as to the sufficiency of evidence based on a law enforcement officer’s conclusions.

Nick P • August 24, 2011 11:03 PM

@ RSH

On Anonymous Leak

"If you are going to be a dick to the public, then I'm sure you dont mind showing your dick to the public…"

I almost spit out my beer.

On Court Case

Thanks for posting the quote. It's about time the courts start taking their loss of power personally & actually making decisions that reflect how the constitution laid out government operations.

Clive Robinson • August 25, 2011 4:16 AM

OFF Topic:

It appears that someone has developed an app for some versions of the Android smart phone operating system that is actually malware and is based on a "root-crack" from four months ago. It's being called Ginger-root.

In and of itself not unexpected, however as the only way to effectively get rid of it is to wipe the phone and do a factory level re-install it could be classed as quite serious.

However despite Google developers quickly releasing a patch etc the mobile phone operators are reluctant at best to distribute it due to "user support issues"...

This is very worrying because the companies are effectively saying "we abdicate any responsibility with regards to security updates for the phones we have sold you". And thus nearly all of the phones they have sold will remain completely vulnerable to whatever malware gets cobbled together for the life of the phone, which under contract could be two years or more...

http://news.techworld.com/security/3298629/android-users-hit-by-lethal-trojan-root-hack/

Clive Robinson • August 25, 2011 6:53 AM

A couple of related articles about the US Federal Gov's use of backend servers, and the trend towards external service provision. Also the increasing trend for US Government personnel "mobile app operating" and some likely issues during expected natural events (for background reading):

Firstly it appears that the backend server for the US Air Marshals' Blackberries is in a very ropey state due to many security and other patches not applied to it.

http://www.fiercegovernmentit.com/story/federal-air-marshal-blackberries-risk-says-dhs-oig/2011-08-22

Apparently this state of affairs is not abnormal in US Government organisations for several reasons (not just lack of skills and funding but other issues such as security clearance etc).

The second article is based on putting the US Government in the clouds, but whose clouds? Simple answer: "not their own".

The likes of Amazon (yep, them with the outage or three the other day [1][2]) are planning to take over much of the US Government backend IT structure from many departments. This includes information that would come under "secret" classification (and possibly above).

http://www.nextgov.com/nextgov/ng_20110824_6977.php?oref=topstory

Also there are plans afoot to also use smart phone technology to replace many Government Desktops, with these two policies running in tandem it looks like the US Government IT usage will be outsourced at the server and desktop ends.
Which raises the question of what happens when things start to go wrong, such as the earthquake in the Washington area the other day that effectively took down the mobile phone network for many [3].

It is likely that such outages will rise as we head into a new sunspot maximum [4] and an expected cyclic upturn in hurricane activity (follows a 25-40 year cycle) [5]. However of most interest are the solar flares and ejections, which cause significant levels of solar radiation to impinge on the earth at the poles and which can and have knocked out satellite communications systems, telecommunications networks and utility networks for electricity, gas and water. In the recent past (1950s) the effects of such solar activity have been seen as far south as 40 degrees north (Rome) and thus cover a significant proportion of the USA and Europe.

In recent years utility companies have pared their networks back to maximise profits to the point where in some cases they can barely support the ordinary day to day load, as seen by various cascade failures. With the economic downturn we are currently experiencing it is considered unlikely that major infrastructure updates or preventative maintenance programs above statutory requirements will be carried out.

Thus the systems such Government policies are going to be based on are fragile at best, which means there is considerably more than the possibility that the US Gov could itself "go off line" when they are needed the most...

I suspect a number of people remember the shambolic Gov response (FEMA) to Katrina with 1800 deaths, and over a million people displaced, many of whom have not returned and the still ongoing problems from it including significant loss of Federal and State income.

[1] An article pointing to many others on Amazon's EBS five day outage,

http://www.datacenterknowledge.com/archives/2011/04/25/the-aftermath-of-amazons-cloud-outage/

[2] An article showing that an event such as a transformer failure from an overload (possibly lightning) can kill services even when they think their backup plan has it covered,

http://www.datacenterknowledge.com/archives/2011/08/07/lightning-in-dublin-knocks-amazon-microsoft-data-centers-offline/

[3] News bite article on mobile phone difficulties during the recent 5.8 earthquake in the US near NYC and Washington DC,

http://www.pcmag.com/article2/0,2817,2391635,00.asp

[4] Current sun spot/cycle information and prediction by NOAA

http://www.swpc.noaa.gov/SolarCycle/

[5] NOAA 2011 season hurricane prediction and general cycle outlook,

http://www.cpc.ncep.noaa.gov/products/outlooks/hurricane.shtml

Richard Steven Hack • August 25, 2011 4:17 PM

ChristianO: Quote from that article:

"then fire Stinger missiles at airplanes taking off from Stewart International Airport in the southern Hudson Valley."

Notice who came up with that plan, which I've cited before as a way to bypass the TSA completely: the FBI stooge. So the FBI is INJECTING ideas into the radical community! Your tax dollars at work!

"During the interrogation, OSU police asked Mohamud if a search of his laptop would indicate that he'd researched date-rape drugs. He said it wouldn't and gave them permission to examine his hard drive. Police copied its entire contents and turned the data over to the FBI—which discovered, it later alleged in court documents, that Mohamud had emailed someone in northwest Pakistan talking about jihad."

That was interesting. If there's a chance you might even be accused of any crime, you might want to make sure no one even knows you OWN a computer and that it can't be found...

"So why in many of these terrorism stings are meetings not recorded? Because it's convenient for the FBI not to record."

Because the FBI are liars by profession, which is what he really means.

"he'd transitioned from indentured informant to paid snitch, earning as much as $100,000 per assignment."

I'm really in the wrong line of work... :-) We really need to pay these clowns that kind of money?

"one of his four luxury cars—a Hummer, a Mercedes, two different BMWs—made plenty of friends. But after more than a year working the local Muslim community, he had not identified a single actual target."

I see the FBI knows how to get value for their money... Uh, wait, I mean YOUR money...

The idea of "pre-empting terrorists" by CREATING them is so obviously intended to justify the FBI's budget and careers that everyone involved should be under arrest, or at least fired without pension.

There's a significant difference between infiltrating an organization known to be a threat and setting them up, and recruiting losers and giving them all the means to do something stupid. The notion that these losers would "eventually think of it themselves" is so flimsy an excuse as to be ridiculous.

Extend that approach to all criminals! Have undercover cops approach every black and Hispanic and poor white kid in lower class neighborhoods and say, "Let us make you rich in drug dealing! We'll supply you with the drugs, the money, everything!"

How would that work out?

Really, the FBI is on a par with the Gestapo - and if you read their history, they always were. True scumbags. The only good FBI agent is a dead FBI agent. Another of my memes you can take to the bank! :-)

Nick P • August 25, 2011 6:21 PM

@ Clive Robinson

Between holes in the magnetic field, a possible Carrington-sized event in the next year, and the NASA assessment that it could cause 20 Katrinas' worth of damage & possibly cause a new Dark Age... I'd say there's plenty of reason to party as much as possible this year. ;)

Carrington event
http://science.nasa.gov/science-news/science-at-nasa/2008/06may_carringtonflare/

NASA warning for 2012-2013
http://www.telegraph.co.uk/science/space/7819201/Nasa-warns-solar-flares-from-huge-space-storm-will-cause-devastation.html

(Does anyone else think the 2012 peak was an amazing coincidence? Perhaps that Mayan calendar was synced with their observations of extreme solar activity. What do you think? Coincidence or astronomical observation?)

On your prison approach

I found a paper I think you might like. Neither of our approaches is likely to happen anytime soon because they require serious investments or ditching COTS strategies. So, I'm always looking for compromises. The paper below details a PCI card that scans memory to detect modifications to the kernel, modules, critical applications and certain other things. It can also stop the system and allow updates via a trusted path device. Prototypes indicate minimal performance disruptions. Check it out.

Kernel and application integrity assurance: Ensuring freedom from rootkits and malware in a computer system 2007 Lifu Wang and Partha Dasgupta
http://cactus.eas.asu.edu/partha/Papers-PDF/2007/lifu-conf.pdf

Next paper on it. Adds Nizza-like ecommerce.
http://cactus.eas.asu.edu/partha/Papers-PDF/2008/lifu.pdf

Andrew H • August 25, 2011 11:53 PM

I first time visiting this blog, some one from bt recommended it.

A news thing I found interesting
"https://www.eff.org/deeplinks/2011/08/cybercrime-treaty-pushes-surveillance-secrecy-worldwide"
Anything's possible unless you stop it from happening

Moderator • August 26, 2011 9:02 AM

Andrew H,

I first time visiting this blog

You forgot to change your e-mail address before making this claim.

I don't know what you hoped to accomplish with that lie, and I suppose it doesn't matter much. What's more important is that most of your recent comments on this blog are completely incomprehensible. I realize that if English isn't your first language, it may be hard for you to make yourself understood. But it will help if you slow down, explain things more thoroughly, and make clear connections between thoughts rather than assume we can guess what you're talking about.

Moderator • August 26, 2011 9:21 AM

Andrew H, after finding some more of your comments, I believe you have some kind of mental disorder and it sounds like you are probably aware of that. I don't know if you can do anything differently or not. I wish you well, but it just doesn't do any good for you to comment here if nobody can make sense of what you say.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.