Schneier on Security
A blog covering security and security technology.
August 26, 2011
Friday Squid Blogging: Squid Fishing in Ulleungdo, Korea
The industry is in decline:
A generation ago, most of the island's 10,000 residents worked in the squid industry, either as sellers like Kim or as farmer-fishermen who toiled in the fields each winter and went to sea during summer.
Ulleungdo developed a reputation for large, tasty squid that were once exported to the mainland and Japan. The volcanic island, which can be circumnavigated in three hours by car, is also known for its seaside cliffs and picturesque views, which have begun to attract more tourists.
The number of mainlanders who visit here has risen from 160,000 a decade ago to 250,000 last year. Meanwhile, the total squid catch has decreased by more than a third. Nowadays only 20% of islanders work in the squid industry, with many having shifted to the tourism trade, said Park Su-dong, a manager in the island's marine and fisheries office.
As before, use the comments to this post to write about and discuss security stories that don't have their own post.
Posted on August 26, 2011 at 3:40 PM
IBM just announced a new disk drive array with enough capacity to consider a dictionary attack on some popular hashes (pre-Skein, of course).
And people wonder why I don't have a picture on Facebook...
@ Nick P,
"And people wonder why I don't have a picture on Facebook.."
I always assumed it was because you were of a kindly nature and did not wish to cause upset to children or those of a nervous disposition...
Hope you are well and your sense of humor is intact, and thus you have not gone red around the gills, it's such an unflattering look 8)
And now you know why I don't have a website etc to be revenge attacked 8)
Clive, you could tell the less aware that your site is 4chan, if they'd like revenge.
Arthur Frommer notes a newly developed tool for detecting fake hotel and restaurant reviews, and makes the obvious extrapolations.
Fake reviews are a huge problem; there's a growing suspicion that the majority of reviews on sites like TripAdvisor and Yelp are fake. More here, including Frommer's own pre-Web experience with them.
@ Clive Robinson
Haha. Oh sure, Clive. Not having been around as long as you, I've yet to become a grumpy old fart. And I'm sure this defense of yours is also why I don't have your email address yet. Not that I'd spam it... ;)
With regard to the wireless hacking of the insulin pump at Black Hat.
It appears the manufacturer of the four pumps the researcher found susceptible to the attack has tried the "old school" method of dealing with the problem: denials and lies.
Thus the researcher has further disclosed,
Any ballpark guesstimate how many people 1) view 2) post to this blog?
A bit of interesting research from MIT to help deter Man In The Middle attacks on wireless networks.
It does however have some limitations, but it is interesting nevertheless.
I'm going to try posting something in pieces because the comment form keeps rejecting the whole thing and isn't giving me a clear explanation why.
Here's the article. I don't normally recommend The Economist for science news, but there's a complete enough description of the experiment for once.
Basically, the finding is that innocent people will give false confessions even under very low-stress conditions (compared with waterboarding, anyway). They do so because they believe they will be vindicated by the evidence.
And I should add, this is consistent with findings about torture-- the focus of the person being interrogated is on ending the unpleasant experience by saying what they believe the interrogator wants to hear, rather than on telling the truth. What's surprising is that this happens at such a low level of pressure.
@ Petrea Mitchell
Thanks for the link on false confessions. The data gives us plenty of justification to take confessions less seriously and require corroborative evidence. Hopefully, it might also be used as an argument against the use of torture. It's not that I have a lot of sympathy for captured enemy combatants. I just think if we're going to do something extremely cruel there should be justification. Otherwise, we aren't acting much different than them. Worse, actually, because they believe they will accomplish something with their attacks, whereas we're just doing it for the hell of it.
Further Evidence the Root CA System is Broken.
It appears that Dutch CA DigiNotar (a Vasco company) issued a blanket (*.google.com) SSL certificate for Google on July 10th, which they finally revoked on the 29th at just before 5PM GMT.
However there is a further issue in that although the certificate has been revoked by DigiNotar, few browser users have the revocation list checking feature enabled in their browser.
This false certificate was discovered by an Iranian using Google via https, getting a certificate warning in their Chrome browser and posting a warning to the Gmail support forum ( http://www.google.com/support/forum/p/gmail/... ).
One or two other Iranian users on different ISPs noticed the same thing, which some people have jumped on and assumed is a Man In The Middle attack on Google by Iran.
It appears that because DigiNotar have not given a reason why the certificate was issued or to whom, both Mozilla and Google have decided to remove the DigiNotar root CA from their lists ( http://blog.mozilla.com/security/2011/08/29/... , http://codereview.chromium.org/7795014 ).
Now in Mozilla's case they are talking about a complete re-release of the software...
But for existing users the manual method is,
I guess DigiNotar will get around to making a formal "what went wrong" statement at some point very soon. But so far there is nothing on their announcements page ( http://www.diginotar.com/Announcements/News/... )
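An added illustration of the revocation gap described in the comment above (example code written for this page, not code from DigiNotar, Mozilla or Google): it builds a throwaway CA with Go's standard library, issues two certificates, revokes one of them via a CRL, and then shows that ordinary chain validation still accepts the revoked certificate. Only a client that actually fetches and checks the CRL sees the revocation. Every name (Example Test Root CA, good.example.test, mis-issued.example.test) and serial number is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory PKI: one throwaway root CA, one
// legitimately issued leaf, one "mis-issued" leaf, and a CRL revoking the latter.
type testPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	good   *x509.Certificate
	bad    *x509.Certificate
	crlDER []byte
}

func buildPKI() (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign needed to sign the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// issue signs a server certificate for the given hostname with the test CA.
	issue := func(serial int64, host string) (*x509.Certificate, error) {
		leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	good, err := issue(2, "good.example.test") // constructed hostname
	if err != nil {
		return nil, err
	}
	bad, err := issue(3, "mis-issued.example.test") // constructed hostname, to be revoked
	if err != nil {
		return nil, err
	}
	// The CA publishes a CRL listing the mis-issued certificate's serial number.
	// RevokedCertificates is the older field name, kept here for compatibility
	// with Go releases before 1.21.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: bad.SerialNumber, RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{caCert: caCert, caKey: caKey, good: good, bad: bad, crlDER: crlDER}, nil
}

// checkRevocation does what a CRL-checking client does: verify the CRL is
// signed by the issuing CA and still current, then look for the serial number.
func checkRevocation(ca *x509.Certificate, crlDER []byte, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by issuing CA: %w", err)
	}
	if crl.NextUpdate.Before(time.Now()) {
		return false, fmt.Errorf("CRL expired at %v; refusing to trust a stale list", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Verdict separates the two questions a browser may or may not ask.
type Verdict struct {
	ChainValid bool // path validation to the root alone accepted the certificate
	Revoked    bool // the CA's CRL lists the certificate as revoked
}

func evaluate(p *testPKI, cert *x509.Certificate) (Verdict, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	// Chain validation never consults a CRL: a revoked cert still verifies.
	_, verr := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: cert.DNSNames[0]})
	v := Verdict{ChainValid: verr == nil}
	revoked, err := checkRevocation(p.caCert, p.crlDER, cert)
	if err != nil {
		return v, err
	}
	v.Revoked = revoked
	return v, nil
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{p.good, p.bad} {
		v, err := evaluate(p, c)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s chain valid: %v  revoked per CRL: %v\n", c.Subject.CommonName, v.ChainValid, v.Revoked)
	}
}
```

Running it prints that both certificates pass chain validation while only the mis-issued one is flagged by the CRL check, which is exactly the situation a browser with revocation checking disabled is in: the revocation exists on the CA's side, but nothing in the client's path validation ever looks at it. A stale or unsigned CRL is treated as an error rather than as "not revoked", since failing open there would let an attacker who can block the CRL download suppress the revocation.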
@ Nick P
'And people wonder why I don't have a picture on Facebook...'
Are you sure?
cf. Incidental data.
Press Release from VASCO about the DigiNotar fail:
As Vasco acquired DigiNotar just 8 months ago this is probably true (from the note above):
"The incident at DigiNotar has no consequences whatsoever for VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO's strong authentication business."
"Press Release from VASCO about the DigiNotar fail"
It makes very interesting reading:
1. We detect an intrusion in July.
2. We revoke those certs we believe are false.
3. We get external consultants who tell us we've been successful.
4. We discover a month down the line that our external consultants were wrong.
So what do we do? We get more external consultants in...
That aside, the real issue is not DigiNotar or the other CAs prior to them that got cracked, it's the fact that it is possible to crack them, and no doubt a significant percentage of the other 600-odd issuing CAs.
Put simply, in order to make any profit a CA has to streamline and automate the process as much as possible. The result is there is either no security break in the system or there is no sanity checking in the process.
Either or both combined will ensure that this won't be the last time this happens.
However, getting back to Vasco, what they say about DigiNotar and their products might be true, but how do we know that in the attempt to be profitable in a very competitive market Vasco have not made similar mistakes to DigiNotar or RSA or...
The simple fact is it's the "weakest link", when identified, that is going to break all of these security company products, and the "purchase process" appears currently to be the weak link.
And as it's close to the top of the pyramid of the CA model, its effects, good or bad, flow down the rest of the process.
As Bruce and others have noted in the past, it's not the individual algorithms that need to be strong, it's the whole system, and in a business that includes "purchase fulfilment", "technical support" and a whole host of other areas (including cleaning staff), and as we know such security does not come cheap.
So as it's a "free market", the inevitable "race for the bottom" happens.
Over on Dark Reading they have a post that indicates "One third of security people do not practice what they preach".
It's a bit more general than the title suggests but basically shows there is a lot of complacency, with security staff reporting potential new problems "in the wild" upwards but then failing to take any mitigation action.
As I note, this appears apropos to my post above to M.V.
The city of San Jose is installing public security cameras not because they catch criminals but because...wait for it...the public thinks they catch criminals.
"The camera lets people know it's there and that the city cares about downtown and their safety,"
What's even more amusing is that the police chief admits that crime actually isn't a problem but "there is a perception that it is".
What I don't understand is, if the only thing the city is trying to do is combat the perception, and not the reality, why aren't they using fake cameras? Wouldn't it accomplish the same thing and be a whole hell of a lot cheaper? I suppose only until the first real crime that wasn't caught on tape, and then they'd be the laughingstock. But it just goes to show how even in this time of 'crisis' Americans still figure out how to waste money.
"120 Petabytes": you could probably work out parallel universes with that setup; don't need to worry about matter in this universe, too easy.
But then everyone is crazy and has a spare year :)
Tony Sale, rescuer of Bletchley Park, founder of "The National Museum of Computing" and rebuilder of the Colossus, has died aged 80 after a long career in electronics.
He will be missed by many.
"The city of San Jose is installing public security cameras not because they catch criminals but because...wait for it...the public thinks they catch criminals." If it weren't for the simple fact that the criminals and prospective criminals are subsets of the public I might follow Daniel's logic. But they are. Efforts to create zones where crime is less likely because of a deterrent effect seems to me to be more cost effective than incarceration.
You left out step 3a (from between the lines):
"We get external consultants who tell us we've been successful. So we don't need to notify anyone about the break-in."
According to F-Secure this was not the first break-in at DigiNotar:
For VASCO it may be the best move to just close down DigiNotar and write off the investment (it was only about 12 M$).
This may however leave the Dutch government with a problem, as DigiNotar's main business is PKI for them.
The most scary thing about the hack is that without Chrome checking the google certificate it may have been undiscovered for quite a long time.
What numbers do you have for the cost of the cameras, the likely number of crimes deterred, and the cost of the incarcerations that don't happen?
Yeah, I knew that would happen eventually. The good news is they did a full disclosure. This lets me maintain trust in them. They also did another thing I promote: use a decentralized, resilient SCM. I mainly promote Aegis for this, but Git is pretty good & is popular as well. It's better than subversion, at least. ;)
I have spent the past 2 months trying to lock down my wireless router.
During our recent DC area earthquake and hurricane scare, I realized that in an emergency, if I still have power, I should open the router up to everyone. We weathered the storm on Saturday night, and suddenly lost power at 4am Sunday morning--no router. It didn't matter that our laptops were charged, we didn't have any easy internet access to check in with loved ones in other places. And we just weren't up to doing drive-bys in search of open networks--we simply wanted to know if our parents and our kids were okay, from the safety of our quiet, dark home. I'm not sure how another's open wireless would have helped us in our area this past weekend since we were all dark for hours for quite a large radius, but the community spirit of opening the router occurred to me.
Maybe we need emergency wireless routers in all areas.
I realized that, like the Hams of my childhood, if I had power and someone else didn't, I'd put security to the side for the moment in an emergency and share my wifi. Let me know what you all think.
Oh, PS: after the earthquake here Tuesday the 23rd, there was no cell phone connection from my AT&T or my friend's Verizon service. We were unable to make any calls for over 40 minutes. TV, landline, and internet were more reliable but even our attempts to contact loved ones by landline failed during that time.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.