Security Blog 


6.22.2002

Paranoid, but cool
The Dead-Man Switch. If you don't check in, it emails notification of your demise and encrypts your files. A digital version of the old "if you don't hear from me in X days, drop this in the mail" trick.
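The check-in logic such a switch needs, as an added example that is not the tool mentioned above: the switch records the owner's last check-in, a poller (run from cron or a similar scheduler, an assumption here) compares the deadline against the current time, and the action fires exactly once. To keep the example self-contained the "action" only records a log entry rather than sending mail or encrypting anything, and the timeline in simulate() is constructed.

```python
"""Dead-man switch: fire a pre-arranged action once the owner stops checking in.

Added example, not the tool the post links to. The interval, the poll
cadence and the action are assumptions; the action only appends to a log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class DeadManSwitch:
    interval: timedelta            # how long silence is tolerated
    last_checkin: datetime         # time of the most recent accepted check-in
    fired: bool = False            # the action fires exactly once
    log: list = field(default_factory=list)

    def checkin(self, now: datetime) -> bool:
        """Owner proves liveness. A check-in older than the last one is ignored,
        so a rewound clock cannot push the deadline out."""
        if now < self.last_checkin:
            self.log.append(f"{now.isoformat()} ignored check-in earlier than last one")
            return False
        self.last_checkin = now
        return True

    def deadline(self) -> datetime:
        return self.last_checkin + self.interval

    def poll(self, now: datetime) -> bool:
        """Called periodically. Returns True on the single poll where the action fires."""
        if self.fired or now < self.deadline():
            return False
        self.fired = True
        self.log.append(
            f"{now.isoformat()} deadline {self.deadline().isoformat()} passed: "
            "notifying contacts"
        )
        return True


def simulate() -> dict:
    """Constructed timeline: check-ins on days 0, 1 and 2, one stale check-in
    that must be ignored, then silence. The poller runs every 12 hours."""
    t0 = datetime(2002, 6, 22, tzinfo=timezone.utc)
    sw = DeadManSwitch(interval=timedelta(days=3), last_checkin=t0)
    for day in (1, 2):
        sw.checkin(t0 + timedelta(days=day))
    stale_accepted = sw.checkin(t0 + timedelta(hours=36))   # clock went backwards

    fired_at = None
    polls = 0
    for half_day in range(1, 40):
        now = t0 + timedelta(hours=12 * half_day)
        polls += 1
        if sw.poll(now):
            fired_at = now
            break

    # A late check-in after firing neither re-arms the switch nor fires it again.
    sw.checkin(fired_at + timedelta(hours=1))
    refired = sw.poll(fired_at + timedelta(hours=2))

    return {
        "fired_at": fired_at.isoformat(),
        "polls_until_fire": polls,
        "stale_checkin_accepted": stale_accepted,
        "refired": refired,
        "log_entries": len(sw.log),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The switch only does its job if it runs somewhere the owner's disappearance does not also take offline, so the poller belongs on a separately administered host, and the comparison uses the poller's own clock rather than a timestamp supplied by the check-in.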



Exciting stuff
I got a chance to do some great research last night. I'd like to put together a paper summarizing it, so keep an eye out. The topic will be wireless security.



Minority Report Review
I got to see it last night - the verdict? A good, exciting movie which I recommend. I found it amusing that the "catch" in the story was actually a hack/security-exploit. I think some of the more subtle aspects of the film, not the pre-crime stuff, are the scariest. If you see it, look at how many times characters are "scanned" - either for access control or advertising purposes. Again, it's a movie worth seeing.


6.21.2002

Messages on websites
From USAToday:
U.S. officials are searching the Internet for the reappearance of a Web site that they believe has been used by al-Qaeda to deliver messages, including possible instructions for its next attacks, to its operatives around the world.

If you read the article, you'll see that authorities fear that the site won't be registered using DNS - meaning only an IP address will be used. I've been thinking about how they could "look" for something like this - just a new site appearing at random. It would be VERY difficult. So much stuff comes up every day that, unless they know where to look... It's a daunting task.



Millions and millions of...NexGen?
The Federal Reserve Board has a release describing some new currency, which will begin appearing next year. They call it NexGen, and it doesn't sound as if there will be any additional security features. Rather, it's being updated just to stay ahead of current computer/scanner/printer tech.
The purpose of the currency redesign is to stay ahead of advanced computer technologies used for some types of counterfeiting. According to the U.S. Secret Service, $47.5 million in counterfeit money entered into circulation in fiscal year 2001. Of this amount, 39 percent was computer generated, compared with only 0.5 percent in 1995.




50/50
From Slashdot, Ross Anderson has just released a paper declaring open and closed source software to be equal in terms of security. I haven't read the paper yet, but the message should be - ALL SOFTWARE IS INSECURE. I might also add that in time, open source software will become more secure, due to the legions of eyeballs poring over it.



Sentencing
3 crackers were sentenced on Wednesday for a pro-Napster defacement spree. Hilarious quote from the federal judge to one of the defendants:
"Your life is not 'Good Will Hunting,'" Van Sickle said. "You are on the verge of criminal activity."




You mean it wasn't the Russian Mafia?
A follow-up to the ASU story from earlier this week. Surprise, surprise - no mention of the Russian mob.


6.20.2002

Big Brother
The NYTimes has a special section on Digital Surveillance up. Several articles discussing the impact of technology on our privacy.



An Important Article
I wish we could make the media read this story. Naturally, that can't happen, but the points made are fundamental to building a security philosophy.
I accuse the media in the United States of treason.

That's what I call an opening line. His reasoning?
While the media have, over the past several weeks, written extensively on alleged intelligence "failures" surrounding the events of Sept. 11, I want to address the media's common-sense "failures." As a terrorism analyst, I am both appalled and confused by many of the post-9/11 articles published at home and abroad, in newspapers, news magazines and academic journals, as well as on the Internet.

And later, a crucial point from Richard Clarke:
"if you put all the unclassified information together, sometimes it adds up to something that ought to be classified."

Again - this is required reading. Refreshing to see something like this every once in a while.



The Mob
When in doubt, blame it on the mafia. When in extreme doubt, blame it on the Russian mafia. I couldn't help but chuckle at this story. It could be legit, but I bet it'll change in time to something a little less dramatic.
"We believe that they were here," Sutton said. "The word I got from the detective was it's a possible Russian mafia connection."

He's referencing an incident at Arizona State, where student passwords and credit cards were pilfered.



Interview
There are so many "cyberczars" now, I can't tell the difference. I come across a new name every day - person X heads the new division/office/group of cybersecurity for government agency Y. I wish someone would make a flow chart showing how they all relate. Here's an interview with Larry Mefford, the FBI's cybercrime director.
Sharply criticized for its lack of technical know-how, the FBI has taken a pounding after recent reports disclosed that glitches in the agency's Carnivore online surveillance technology may have hindered investigations into terrorism threats.



6.19.2002

Score one for privacy
Looks like the big, European snoop proposal got put on ice. That's the first good privacy news I've heard in a long time.



Excellent point
This is a critical issue, one that a lot of people miss. A quote from a recent cybersecurity meeting:
"This is the first national security threat the government can't handle alone," said Noonan, one of five panelists in the meeting on the national strategy to secure the online infrastructure.




Feverpitch
"Minority Report" stories all over the web. The movie is getting a ton of hype. Jeremy Lott calls it the Bush administration's "Wag the Dog".



MPAA retaliates
The MPAA is using Ranger, an Internet spider that crawls around recording illegal movie trades. If it's working now, passwords and private rooms will be used to circumvent it. But I still don't understand who wants to watch a movie recorded on someone's camcorder. Just like that Seinfeld episode, only now they use the Internet.
Ranger is burrowing through the public parts of your computer, sniffing around, turning over bits of data, trying to find out if you've stolen a movie over the Internet.




Clearance
It's a strange process, I've been through it. Here's an outline of what it takes.



ISP logs
The US government has started down a road similar to Europe. They want ISPs to log EVERYTHING. I would think that most providers will fight this, because some major restructuring and costs are involved.
The draft of the U.S. plan does not specify how much data ISPs would be forced to collect, or how long they would have to store it. The White House did not return phone calls on the strategy, which is scheduled for release in September.




One step away
According to the Secret Service, hackers are "unpatriotic". A term inching closer and closer to terrorist. I think that's a bit harsh. Is a 13-year-old cracking web pages a "terrorist"? Or just a kid screwing up and getting into trouble?
"Hackers who brag that they can break into computer systems are unpatriotic," he said. "If you're a U.S. citizen breaking into computer networks, it's not only criminal but unpatriotic."



6.18.2002

Spielberg Interview
With Ebert. Good stuff.
Spielberg: The Internet is watching us now. If they want to, they can see what sites you visit. In the future, television will be watching us, and customizing itself to what it knows about us. The thrilling thing is, that will make us feel we're part of the medium. The scary thing is, we'll lose our right to privacy. An ad will appear in the air around us, talking directly to us.

What's interesting is that this future is here now. I've got a TiVo, and they already monitor what I watch, then offer suggestions. I haven't been this pumped to see a movie in a long time.



Government InfoSec Certification?
This report baffles me. Does the government, specifically the National Institute of Standards and Technology, really need to certify InfoSec professionals? And if it's free now, why the HUGE cost increase? The chart wouldn't fit on the page, but the fees range from just under $3000 to nearly $11000.



More on Minority Report
A very detailed review of the new Spielberg film coming out in a couple of weeks. I can't wait to see it. Warning - the story lists several specifics, so if you are sensitive to spoilage, avoid it.

Filmgoers may occasionally hanker for a bit of precognition themselves to understand the plot's convolutions. But fathoming our political masters' motivations is now ingrained in the government systems controlling most of our lives today. Minority Report is a populist warning on the potential for control that the techniques of surveillance are creating while we stand by and watch civil liberties being consigned to the past.




Wiretaps galore
Great piece at Salon on diminishing privacy.
The deadline for filing an objection to the FCC order has already passed, and the only complaint filed was from a group of rural telecom carriers worried that the upgrades will cost too much. In the post-9/11 era, denying the FBI anything it says it needs is a far more daunting proposition than it was 10 months ago. What was once a bitter battle for the FBI has become an uncontested jog into the end zone. And, some observers fear, the real issues at stake aren't limited to phone calls. The big game being targeted by the FBI is communication via the Internet.

And it gets worse when you consider the Voice over IP ramifications.
If the carrier does not do the extracting and just sends the whole packet, it will be up to law enforcement not to "peek" at the text. Leaving this job to the police makes civil liberties groups nervous, and it concerns Gidari too. "People have failed to recognize the impact this has on Internet communications," he said.




Responsible bug reporting
The recent Apache bug has brought to light several questions about how it was handled. Moreover, is open source software at a disadvantage because most projects have no "headquarters"?
The distrust puts open-source projects, and the users of their software, in a quandary if companies won't give them advance notice of security vulnerabilities. While some in the industry have suggested establishing a new vulnerability coordination center and others have promoted CERT as filling just such a need, it seems unlikely that the debate will get resolved anytime soon.



6.17.2002

Encryption
Interesting piece at Wired on the future of IM and chat. They're moving toward real-time encryption, which will surely cause a problem at some point.
Though law enforcement has suggested it's possible and, indeed, inevitable, nobody has shown any proof that terrorists are fans of IM. Still, encryption has always been a touchy subject for the authorities, and Matteo said he understands that the combination of messaging plus encryption might raise some eyebrows.




What!?
Bear with me, it's Monday. I read it fast. But someone please tell me the FBI did not work with people visiting a child pornography site to catch hackers. I am going to take a deep breath, and read this again.
Twenty-one people from around the country — as far away as Sacramento, Calif. — reported the attempted extortion, Blanchard said. All the people acknowledged visiting a child pornography site on the Internet, said David Beyer, a spokesman for the FBI in Kentucky.



6.16.2002

Sunday Night
Great weekend. Perfect weather, got a lot of work done. Look for some updates tomorrow.