Schneier on Security
A blog covering security and security technology.
February 3, 2012
Friday Squid Blogging: Clothing that Keeps an Exercise Journal
It's called Squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on February 3, 2012 at 4:18 PM
Government security agencies pronounce Android phones safe and secure enough for Anonymous to intercept the phone calls directly.
@Daniel: Is that a pun against Android or against the feds?
A new, more sophisticated twist on the box-of-potatoes scam.
(In the original version, someone is offered a chance to buy something valuable such as a laptop, but winds up with a box which turns out to be filled with potatoes.)
Although it dates back to 2002, the paper "Risk anxiety in the classroom: teachers touching children" from the Annual Conference of the British Educational Research Association, University of Exeter, England might be of interest. The content of the paper includes the idea of a "risk society" where common sense seems unreliable, unease is not unusual, and there is an emphasis on limiting harmful byproducts from industrial society, among other things.
According to the AP news report I read, the conference call did have a password. Anonymous did not hack the conference call system. Rather, Anonymous got ahold of an FBI email announcing the conference call and giving the phone number and password. Anonymous then had all the credentials needed to join the call. A firewall or other security measures would not have helped.
If they simply dialed in, I wonder who the Anonymous member doing so identified themselves as?
Because the FBI and Scotland Yard would at least check that everyone joining a sensitive conference call gives a plausible-sounding ID, right? Um, right???
Oh! On a re-read of one of the articles about it, I see that it's believed that they didn't intercept the conference call itself, just an e-mailed recording of it.
Seems like an awfully inefficient way for whoever was e-mailing it to distribute the information, though.
Google search on same topic as Daniel:
Talks about Google being more cooperative than Apple.
"People want to play 'Angry Birds,' and we do want our people to be able to download 'Angry Birds,' " Stavrou said. But he added, "If a clock application gets your GPS and transmits something over the network, that's not something that we would want to support."
@Alan, Petrea: Perhaps conference calls that require more security should use per call-in passwords or other authentication tokens? Then, one can see "who" is connected, and if one party is connected twice (red flag of course). And of course, IP based services can provide support for more advanced authentication tokens, such as smart card credentials or certificates. Not foolproof, but a good bit better than a shared password. Hey, it would have kept Jay Leno off that CBS conference call over the Tonight show.
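The per-participant credential idea in the comment above, worked through as an added example (not code from the blog, the commenter, or any conference-call product): each invitee receives a PIN that is valid for one call only, the bridge keeps a named roster, and a credential presented a second time is refused and raised to the host as the "red flag". The class, participant names and the 8-digit PIN format are all constructed for this illustration.

```python
"""Per-participant credentials for a conference bridge.

Added illustration; not code from the blog or from any conference-call
product.  Each invitee gets a PIN valid for one call only, so the bridge
can record *who* joined and flag the same credential being presented twice.
Participant names and the 8-digit PIN format are constructed.
"""
import hmac
import secrets


class ConferenceCall:
    """One scheduled call; create a new instance (and new PINs) per call."""

    def __init__(self, call_id: str):
        self.call_id = call_id
        self._pins: dict[str, str] = {}   # participant -> issued PIN
        self.joined: list[str] = []       # roster the host can inspect
        self.alerts: list[str] = []       # events the host should see

    def invite(self, participant: str) -> str:
        """Issue a fresh random PIN to one invitee; the host sends it out of band."""
        pin = f"{secrets.randbelow(10**8):08d}"
        self._pins[participant] = pin
        return pin

    def join(self, participant: str, pin: str) -> bool:
        """Admit a caller only if the PIN matches the one issued to that name."""
        expected = self._pins.get(participant, "")
        # Constant-time comparison on bytes; an unknown name compares against "".
        if not expected or not hmac.compare_digest(expected.encode(), pin.encode()):
            self.alerts.append(f"rejected: bad credential for {participant!r}")
            return False
        if participant in self.joined:
            # Same credential used twice: the commenter's red flag.  Refuse the
            # second caller and tell the host so the first one can be challenged.
            self.alerts.append(f"red flag: {participant!r} is already on the call")
            return False
        self.joined.append(participant)
        return True


def leaked_invite_scenario() -> tuple[list[str], list[str]]:
    """Constructed scenario: the invite e-mail carrying Alice's PIN leaks, and
    an outsider dials in with it after Alice has already connected."""
    call = ConferenceCall("weekly-ops")
    alice_pin = call.invite("alice")
    call.invite("bob")
    call.join("alice", alice_pin)       # legitimate join
    call.join("alice", alice_pin)       # outsider reusing the leaked PIN
    call.join("bob", "guess123")        # wrong credential -> rejected
    return call.joined, call.alerts


if __name__ == "__main__":
    roster, alerts = leaked_invite_scenario()
    print("on the call:", roster)
    for line in alerts:
        print(line)
```

With a shared password, the bridge in the scenario above would have admitted three anonymous callers; with per-person credentials it admits one named participant and produces two host-visible alerts, which is the difference the comment is pointing at.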
@Gabriel - most of the conference call systems I have used have multiple levels of security.
These involve dialing in then a series of challenge-response tokens consisting of "John can you hear me? I can't hear Fred!" then each member of the call disconnects and tries again before we discover that somebody had their phone muted and somebody else had the speakers turned off.
If anyone actually gets straight in first try we assume they are a hacker
The more I read, the more I see the connection between a push to legalize drug use and the push to do away with patents and copyrights. They often use words like "freedom" and "rights." Last I heard, their leader lives out of his car and hasn't bathed in weeks. When they're through breaking everything in sight, then they're going to blame it all on you, and then they're going to send you the bill to clean it up.
@Jeremy (the other one):
Guilt by association?
Your association between drugs and IP is a little far fetched if you are saying there is a direct causal relationship from one to the other.
Last I heard, their leader lives out of his car and hasn't bathed in weeks.
Not quite sure who you mean by "their leader"; the last organisations explicitly mentioned in the thread prior to your post are CBS and Microsoft...
Now I don't know very much about CBS staff's personal cleanliness habits, but I do know that since Bill Gates got married his BO problem has subsided considerably. I guess the old saying about behind every successful man there is an ambitious wife does ring true sometimes.
Perhaps you would care to make your points a little more lucidly?
@Clive: I assume he's talking about Stallman, from the context. And how many even know who he is among all the Firefox users and LibreOffice users? He's not "our leader", he's "a leader", and he leads the GNU project.
You would think the reverse would have happened during economic hard times.
Of course, one of the experts quoted in the article says that there is no correlation between homicide and business cycles.
And it also noted that age-related ailments dominate the list. Accidental deaths are prominent on the list; and appear to be the top cause of death for those under the age of 45.
While the specifics of the accidental deaths weren't outlined, I suspect that most of them were transportation-related.
...Replying to my own thought about Accidental Deaths, and quoting the 2010 numbers to 3 sig-figs:
Table 2 (Page 44) in the report contains a total for Accidental Deaths of 118000.
Transportation-related accidental deaths numbered 37600.
Non-transport accidents numbered 80300. Of these, 25000 were falls and 30800 were poisoning.
Thus, the big three for accidental death were Transportation, Fall, and Poison. None of these three is a majority cause, but in sum they contribute almost 90% of accidental deaths.
However, I can't say that a majority of Accidental Deaths were Transport-related.
I note that these numbers are within 5% of the 2009 numbers, but that variance doesn't change the ranking of the Top 3 of Accidental Death.
Behind every great man stands a greater woman I once heard, but I always like to say behind every great man stands a surprised woman :o)
"You would think the reverse would have happened during economic hard times."
A lot of people, including experts, believed until recently that violent crime would always go up during economic hard times. It's also lately been puncturing some other long-held ideas about what raises crime rates.
Here's a rundown of some of the more popular ideas. But these are all hypotheses, and some (as the article notes) are already looking shaky.
The bottom line is that, at the moment, we flat-out do not know what makes crime rates go up or down on a national basis.
@ Petréa Mitchell,
The bottom line is that, at the moment, we flat-out do not know what makes crime rates go up or down on a national basis
And perhaps that is the one thing that will remain constant irrespective of the crime rate.
From the way the graph in the article is presented it could just be the effects of population increase.
I forget the exact details but the US population has effectively doubled from just under 150 million to just over 310 million currently in something like 40 years.
Now if you assume for whatever reason there is a fixed size pool of potential crime then the crimes per 100,000 would halve in that period.
So you need both the absolute numbers as well as the number per 100,000 to see what is going on on the ground.
Also in the UK we know that the figures in any area suffer from the law of small numbers.
Of what might be described as "career criminals" some are "occasional" and "intermittent" whilst some will commit many crimes every day. Part of that is due to the value of the individual crime and part due to the criminal's needs.
If as some police forces have, you concentrate on the "many a day" criminals the "crime rate" drops significantly. However the total value of crimes committed might actually go up.
Then there is "crime reporting": it is well known in the UK that Accident and Emergency figures are rising and the injuries likely to have come from some form of crime have risen significantly whilst the reported crime numbers have fallen.
Now I don't know if this occurs due to the police etc fudging the figures or the injured persons just not bothering to report the crime for any number of reasons. Either way makes the crime figures unreliable.
And this is why we are unlikely to ever know what methods, let alone which is the best method, reduce crime.
There is also another argument, crime risk -V- reward, in affluent times people have spare money to buy luxury goods "off the back of a lorry" but when times get sufficiently tough it becomes a hand to mouth exercise in existence and "good life goods" are not "food on the table".
Thus if people stop buying the traditional stolen goods the criminal will see that line of income dry up. Thus the criminal may well change their type of crime as the risk-V-reward model changes. In the UK we have seen a very significant upsurge in "scrap metal" theft from power, infrastructure and sculpture. That is cables for telephones, power delivery to trains and hospitals, manhole covers and other street furniture, and plaques from war memorials and grave furniture, as well as works of art on external public display. Worse, they have even been stealing disabled access ramps etc. from outside disabled people's homes.
I'm not sure whether it's safe to say that absolute numbers of crime has decreased or remained constant while population rose...not because of anything I know, but mainly because the explanation seems too simple. At least, I've never seen anyone bring hard numbers with that claim.
(And now I'll have to wait until I have time...somewhere I've saved all of the FBI's Uniform Crime Reports from '95 onwards, and that should contain both raw numbers and per-capita rates.)
The link that Petrea gave has some good claims for the US situation, though I doubt any single explanation will cover the entire situation.
There's a lot that can be covered by risk-vs-reward, and a good amount that can be covered by demographic changes and changes in prison terms.
Still, it's a big mystery. I think the big unexplored reason is the change in urban-vs-suburban population spread.
How do issues of reliability, support, and possibly security relate to software that is embedded into critical devices? Back in January, lawyer Karen Sandler had an interest in seeing the source code for the software on her implanted pacemaker.
@ A blog reader,
How do issues of reliability, support, and possibly security relate to software that is embedded into critical devices?
That is a difficult question to answer effectively because there are many sub-issues involved.
Firstly there is the definition of a "critical device". There are a whole variety of definitions; however, I prefer the old "Can cause harm by action or inaction, either individually or at the behest of others".
Thus as a first step a critical device must always fail safe, even with one or two actual faults and random / invalid inputs. Although this sounds a tough requirement, it is one used in the petrochemical and mining industries where there is a high likelihood of explosive or flammable atmospheres being present during operation (see "Intrinsically safe (IS) design" and the EU "Ex" specifications).
So, whilst a microcontroller in your gas oven / boiler or local petrol pump is certainly something that should be designed by IS principles, the one in your fridge is not likely to be considered critical by most, which is incorrect as it could hold the food inside at the incorrect temperature, giving rise to harm by food poisoning.
The thing is that nearly all embedded microcontrollers can be shown as capable of causing harm. For instance the apparently benign games console could flash the screen to cause epileptic fits. Something like this has actually happened with simple light dimmers that self-oscillated at a frequency sufficiently close to the mains frequency that the frequency difference was in the band that induced epileptic fits.
What about those DSP chips used to control, amongst other things, sound levels in audio systems... What effect could say an "underflow" have in causing a very, very high volume click or other noise capable of "harming hearing"?
I could go through virtually every embedded system in existence and show a way that it could cause harm without having any actual hardware faults. The two causes for this are "unit price reduction" and "design cost reduction".
Unit price reduction means removing as many components as possible and for those left using the cheapest available. Both of which have a deleterious effect on "safety components" and "failure modes".
Design cost reduction involves getting systems "to market" faster than the competition and often involves minimal component count hardware, using System on a Chip (SoC) microcontrollers and maximum functionality in software. Most SoCs and nearly all software are "re-boiled" from previous designs; in nearly all cases these hardware and software components are known to have "errata" or plain simple bugs, and in almost all cases insufficient testing.
Such are the faults of what is in effect a completely unregulated market (even in the EU with some of the toughest consumer safety legislation for the "CE" mark).
But most embedded systems are short lived consumer devices, where they can be economically scrapped after a very short period of time, which means that most of the critical faults get resolved at some point.
But what about non consumer embedded systems such as "medical" and "infrastructure"? These are expected to have quarter century plus lifetimes, and can, due to their usage, do considerable harm way beyond an individual's ability to prevent it.
Worse, there are few if any standards for the likes of communications and commands, and most medical devices have no security and many have insufficient ability to deal fully with malformed messages sent to them.
The same applies to infrastructure devices such as "smart meters", and it takes very little imagination as to what is going to happen in the not too distant future, especially in the UK where a series of laws were rushed through by the previous political incumbents, one of which forces people to pay for the meters to be installed and another to implement remote "kill switches"...
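The two design rules in the comment above, that a critical device must fail safe "even with one or two actual faults and random / invalid inputs" and that it must "deal fully with malformed messages", as an added example that is not the commenter's code nor that of any real device. The device is a hypothetical heater controller with three temperature sensors; the plausibility limits, the `SET <celsius>` command format and the sample readings are constructed. Real firmware of this kind would be written in C on the microcontroller, but the decision logic is language-independent, so Python is used here to match the other example on this page.

```python
"""Fail-safe input handling for a critical embedded controller.

Added illustration; not code from the commenter or from any real device.
Hypothetical heater controller with three temperature sensors: any
implausible reading, sensor disagreement, or malformed command drives the
output to the safe (heater OFF) state.  All limits and readings are constructed.
"""
import math
from typing import Optional

SAFE_OFF = "OFF"
HEAT = "HEAT"
MIN_C, MAX_C = -40.0, 125.0     # physically plausible sensor range (constructed)
MAX_SETPOINT_C = 90.0           # hard ceiling a command may never exceed
MAX_DISAGREE_C = 2.0            # sensors must agree this closely to be trusted


def plausible(value) -> bool:
    """Reject anything that is not a finite number inside the sensor range."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    if math.isnan(value) or math.isinf(value):
        return False
    return MIN_C <= value <= MAX_C


def vote_2oo3(readings) -> Optional[float]:
    """Two-out-of-three voting: a value is trusted only if at least two
    plausible sensors agree within MAX_DISAGREE_C; otherwise None (fault).
    One wild sensor is tolerated; two are not."""
    good = sorted(r for r in readings if plausible(r))
    if len(good) < 2:
        return None
    for a, b in zip(good, good[1:]):      # adjacent pairs after sorting
        if b - a <= MAX_DISAGREE_C:
            return (a + b) / 2.0
    return None


def parse_command(msg: bytes) -> Optional[float]:
    """Parse a 'SET <celsius>' message; any malformed input yields None
    rather than an exception or a garbage setpoint."""
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.strip().split()
    if len(parts) != 2 or parts[0] != "SET" or len(parts[1]) > 8:
        return None
    try:
        target = float(parts[1])          # also yields inf/nan for "1e400"/"nan"
    except ValueError:
        return None
    if not plausible(target) or target > MAX_SETPOINT_C:
        return None
    return target


def control(readings, setpoint: float) -> str:
    """One control cycle.  Anything doubtful -> SAFE_OFF, never HEAT."""
    temp = vote_2oo3(readings)
    if temp is None or not plausible(setpoint) or setpoint > MAX_SETPOINT_C:
        return SAFE_OFF
    return HEAT if temp < setpoint else SAFE_OFF


if __name__ == "__main__":
    print(control([59.0, 59.5, 120.0], 60.0))         # one sensor wild -> HEAT
    print(control([59.0, float("nan"), "??"], 60.0))  # two bad sensors -> OFF
    print(parse_command(b"SET 1e400"))                 # overflow -> None
```

The point of the voting function is the one the comment makes about one or two faults: a single failed sensor does not change the output, while a second fault removes the agreement needed to trust any reading and the only remaining answer is the safe state. The parser likewise never raises and never returns a setpoint outside the ceiling, which is what "dealing fully with malformed messages" means in practice.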
No squid post yet for today, so here goes ... Lady prevented from boarding flight due to lack of female TSA agents to grope her: http://consumerist.com/2012/02/...
(Really, Consumerist is a great source of info for TSA malfeasance stories ...)