Entries Tagged "file sharing"

Page 1 of 2

HP Shared ArcSight Source Code with Russians

Reuters is reporting that HP Enterprise gave the Russians a copy of the ArcSight source code.

The article highlights that ArcSight is used by the Pentagon to protect classified networks, but the security risks are much broader. Any weaknesses the Russians discover could be used against any ArcSight customer.

What is HP Enterprise thinking? Near as I can tell, they only gave it away because the Russians asked nicely.

Supply chain security is very difficult. The article says that Russia demands source code because it’s worried about supply chain security: “One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software.” That’s a reasonable thing to worry about, considering what we know about NSA’s interdiction of commercial hardware and software products. But how can Group A convince Group B of the integrity and security of hardware/software without putting itself at risk from Group B?

This is one of the areas where open-source software has a security edge. If everyone has access to the source code — and security doesn’t depend on its secrecy — then there’s no advantage in getting a copy. As long as companies rely on obscurity for their security, these sorts of attacks are possible and profitable.

I wonder what sorts of assurances HP Enterprise gave its customers that it would secure its source code, and if any of those customers have negligence options against HP Enterprise.

News articles.

EDITED TO ADD (10/5): Commentary.

Posted on October 4, 2017 at 8:08 AMView Comments

Canada Spies on Internet Downloads

Another story from the Snowden documents:

According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)

[…]

CSE finds some 350 “interesting” downloads each month, the presentation notes, a number that amounts to less than 0.0001 per cent of the total collected data.

The agency stores details about downloads and uploads to and from 102 different popular file-sharing websites, according to the 2012 document, which describes the collected records as “free file upload,” or FFU, “events.”

EDITED TO ADD (1/30): News article.

EDITED TO ADD (2/1): More news articles.

Posted on January 29, 2015 at 6:26 AMView Comments

Apple Copies Your Files Without Your Knowledge or Consent

The latest version of Apple’s OS automatically syncs your files to iCloud Drive, even files you choose to store locally. Apple encrypts your data, both in transit and in iCloud, with a key it knows. Apple, of course, complies with all government requests: FBI warrants, subpoenas, and National Security Letters — as well as NSA PRISM and whatever-else-they-have demands.

EDITED TO ADD (10/28): See comments. This seems to be way overstated. I will look at this again when I have time, probably tomorrow.

EDITED TO ADD (10/28): This is a more nuanced discussion of this issue. At this point, it seems clear that there is a lot less here than described in the blog post below.

EDITED TO ADD (10/29): There is something here. It only affects unsaved documents, and not all applications. But the OS’s main text editor is one of them. Yes, this feature has been in the OS for a while, but that’s not a defense. It’s both dangerous and poorly documented.

Posted on October 28, 2014 at 6:21 AMView Comments

Laissez-Faire Access Control

Recently I wrote about the difficulty of making role-based access control work, and how reasearch at Dartmouth showed that it was better to let people take the access control they need to do their jobs, and audit the results. This interesting paper, “Laissez-Faire File Sharing,” tries to formalize the sort of access control.

Abstract: When organizations deploy file systems with access control mechanisms that prevent users from reliably sharing files with others, these users will inevitably find alternative means to share. Alas, these alternatives rarely provide the same level of confidentiality, integrity, or auditability provided by the prescribed file systems. Thus, the imposition of restrictive mechanisms and policies by system designers and administrators may actually reduce the system’s security.

We observe that the failure modes of file systems that enforce centrally-imposed access control policies are similar to the failure modes of centrally-planned economies: individuals either learn to circumvent these restrictions as matters of necessity or desert the system entirely, subverting the goals behind the central policy.

We formalize requirements for laissez-faire sharing, which parallel the requirements of free market economies, to better address the file sharing needs of information workers. Because individuals are less likely to feel compelled to circumvent systems that meet these laissez-faire requirements, such systems have the potential to increase both productivity and security.

Think of Wikipedia as the ultimate example of this. Everybody has access to everything, but there are audit mechanisms in place to prevent abuse.

Posted on November 9, 2009 at 6:59 AMView Comments

Monitoring P2P Networks

Interesting paper: “Challenges and Directions for Monitoring P2P File Sharing Networks or Why My Printer Received a DMCA Takedown Notice“:

Abstract — We reverse engineer copyright enforcement in the popular BitTorrent file sharing network and find that a common approach for identifying infringing users is not conclusive. We describe simple techniques for implicating arbitrary network endpoints in illegal content sharing and demonstrate the effectiveness of these techniques experimentally, attracting real DMCA complaints for nonsense devices, e.g., IP printers and a wireless access point. We then step back and evaluate the challenges and possible future directions for pervasive monitoring in P2P file sharing networks.

Webpage on the research.

Posted on August 22, 2008 at 12:08 PMView Comments

Framing Computers Under the DMCA

Researchers from the University of Washington have demonstrated how lousy the MPAA/RIAA/etc. tactics are by successfully framing printers on their network. These printers, which can’t download anything, received nine takedown notices:

The researchers rigged the software agents to implicate three laserjet printers, which were then accused in takedown letters by the M.P.A.A. of downloading copies of “Iron Man” and the latest Indiana Jones film.

Research, including the paper, here.

Posted on June 9, 2008 at 6:47 AMView Comments

Law Review Article on the Problems with Copyright

Excellent article by John Tehranian: “Infringement Nation: Copyright Reform and the Law/Norm Gap“:

By the end of the day, John has infringed the copyrights of twenty emails, three legal articles, an architectural rendering, a poem, five photographs, an animated character, a musical composition, a painting, and fifty notes and drawings. All told, he has committed at least eighty-three acts of infringement and faces liability in the amount of $12.45 million (to say nothing of potential criminal charges). There is nothing particularly extraordinary about John’s activities. Yet if copyright holders were inclined to enforce their rights to the maximum extent allowed by law, he would be indisputably liable for a mind-boggling $4.544 billion in potential damages each year. And, surprisingly, he has not even committed a single act of infringement through P2P file sharing. Such an outcome flies in the face of our basic sense of justice. Indeed, one must either irrationally conclude that John is a criminal infringer — a veritable grand larcenist — or blithely surmise that copyright law must not mean what it appears to say. Something is clearly amiss. Moreover, the troublesome gap between copyright law and norms has grown only wider in recent years.

The point of the article is how, simply by acting normally, all of us are technically lawbreakers many times over every day. When laws are this far outside the social norms, it’s time to change them.

Posted on November 26, 2007 at 6:54 AMView Comments

Leaked MediaDefender E-mails

This story is poised to become a bigger deal:

Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender’s elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender’s collaboration with the New York Attorney General’s office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.

More info here.

And now, phone calls were leaked. Here’s a teaser — Ben Grodsky of Media Defender talking to the New York State General Attorney’s office:

Ben Grodsky: “Yeah it seems…I mean, from our telephone call yesterday it seems that uhm… we all pretty much came to the conclusion that probably was ehm… caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm… knew the login and the IP address and port uhm… but they weren’t able to get in because we had changed the password on our end, you know, following our normal security protocols uhm… when we are making secure transactions like these on the first login we’ll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm… intercepted.

You know just because it is,.. probably it was going through the public Internet and there wasn’t any sort of encryption key used to ehm… protect the data in that email.”

Ben Grodsky: “…if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion…”

Ben Grodsky: “OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?”

Ben Grodsky: “…that part has… has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was…was the email communications about these things.”

Ben Grodsky: “…All we can say for sure Media Defender’s mail server has not been hacked or compromised…”

[Answering to the question “What kind of IDS you guys are running?”]
Ben Grodsky: “Ehm…I don’t know. Let me look into that.”

EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.

Posted on September 18, 2007 at 12:03 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.