
Security Theater on the Wells Fargo Website

Click on the “Establishing secure connection” link at the top of this page. It’s a Wells Fargo page that displays a progress bar with a bunch of security phrases—“Establishing Secure Connection,” “Sending credentials,” “Building Secure Environment,” and so on—and closes after a few seconds. It’s complete security theater; it doesn’t actually do anything but make account holders feel better.

Posted on March 13, 2013 at 1:30 PM

"The Logic of Surveillance"

Interesting essay:

Surveillance is part of the system of control. “The more surveillance, the more control” is the majority belief amongst the ruling elites. Automated surveillance requires fewer “watchers”, and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some “crime” anyone is guilty of.

[…]

This is one of the biggest problems the current elites face: they want the smallest enforcer class possible, so as to spend surplus on other things. The enforcer class is also insular, primarily concerned with itself (see Dorner) and is paid in large part by practical immunity to many laws and a license to abuse ordinary people. Not being driven primarily by justice or a desire to serve the public and with a code of honor which appears to largely center around self-protection and fraternity within the enforcer class, the enforcers’ reliability is in question: they are blunt tools and their fear for themselves makes them remarkably inefficient.

Surveillance expands the reach of the enforcer class and thus of the elites. Every camera, drone and so on reduces the number of eyes needed on the ground. The Stasi had millions of informers; surveillance reduces that requirement and the cost of the enforcer class.

Posted on March 12, 2013 at 6:45 AM

Dead Drop from the 1870s

Hats:

De Blowitz was staying at the Kaiserhof. Each day his confederate went there for lunch and dinner. The two never acknowledged one another, but they hung their hats on neighboring pegs. At the end of the meal the confederate departed with de Blowitz’s hat, and de Blowitz innocently took the confederate’s. The communications were hidden in the hat’s lining.

Posted on March 11, 2013 at 12:58 PM

Is Software Security a Waste of Money?

I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn’t important. He said:

For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that’s probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.

I agree with that. For small companies, it’s not worth worrying much about software security. But for large software companies, it’s vital.

Posted on March 11, 2013 at 6:12 AM

How the FBI Intercepts Cell Phone Data

Good article on “Stingrays,” which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network—as opposed to computers which inherently do not trust the Internet—it’s easy to track people and collect data. There are lots of questions about whether or not it is illegal for the FBI to do this without a warrant. We know that the FBI has been doing this for almost twenty years, and that they know that they’re on shaky legal ground.

The latest release, amounting to some 300 selectively redacted pages, not only suggests that sophisticated cellphone spy gear has been widely deployed since the mid-’90s. It reveals that the FBI conducted training sessions on cell tracking techniques in 2007 and around the same time was operating an internal “secret” website with the purpose of sharing information and interactive media about “effective tools” for surveillance. There are also some previously classified emails between FBI agents that show the feds joking about using the spy gear. “Are you smart enough to turn the knobs by yourself?” one agent asks a colleague.

Of course, if a policeman actually has your phone, he can suck pretty much everything out of it—again, without a warrant.

Using a single “data extraction session” they were able to pull:

  • call activity
  • phone book directory information
  • stored voicemails and text messages
  • photos and videos
  • apps
  • eight different passwords
  • 659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

Posted on March 7, 2013 at 1:39 PM
