Would a serf, watching the lord's knights ride by, understand that they were not an adequate defense?
"In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, [Except for crying “Wolf!” (Cyber Pearl Harbor) Bob] and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'"
An anonymous reader provides a contrary opinion:

"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.

Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.

The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."
Geeky stuff that means: Passwords are only useful for avoiding “accidental” access to data in certain limited circumstances.
"A presentation at the Passwords^12 Conference in Oslo, Norway (slides), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a. epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney's system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft's LM and NTLM, obsolete. In a test, the researcher's system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM, for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform 'close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,' he wrote. Gosney's cluster cranks out more than 77 million brute force attempts per second against MD5crypt."
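What the two rates quoted above (348 billion NTLM checks per second, 77 million md5crypt attempts per second) mean for a password policy is easiest to see as arithmetic. The calculator below is an added example, not code from the article or from the conference talk; it models exhaustive search only, and the alphabet sizes (69 for LM, which uppercases its input; 95 for printable ASCII) and the use of the NTLM rate as a stand-in for LM (the article gives no separate LM figure) are assumptions of the example. The LM function also encodes the property that makes LM so weak: the 14-character input is split into two 7-byte halves that are hashed independently, so the attacker's work is two searches of 69^7, not one search of 69^14.

```python
# Added example: time-to-exhaust calculator for the guess rates quoted on the page.
# Not the article's or the talk's code; alphabet sizes and the LM-at-NTLM-rate
# assumption are the example's own.

# Guess rates the article quotes for Gosney's 25-GPU cluster (guesses per second).
NTLM_RATE = 348e9        # "348 billion NTLM password hash checks per second"
MD5CRYPT_RATE = 77e6     # "more than 77 million brute force attempts per second against MD5crypt"

# Alphabet sizes (assumptions of this example, not figures from the article).
LM_ALPHABET = 69         # LM uppercases input: 26 letters + 10 digits + 33 symbols
PRINTABLE_ASCII = 95     # full printable ASCII, which NTLM preserves (case included)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a password of this shape."""
    return alphabet_size ** length


def lm_keyspace(length: int, alphabet_size: int = LM_ALPHABET) -> int:
    """LM truncates to 14 chars, uppercases, and hashes each 7-byte half on its own.

    An attacker therefore searches the two halves separately: for a 14-character
    password that is 69^7 + 69^7 candidates, not 69^14.
    """
    length = min(length, 14)
    first, second = min(length, 7), max(0, length - 7)
    total = keyspace(alphabet_size, first)
    if second:
        total += keyspace(alphabet_size, second)
    return total


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit for a report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(label: str, space: int, rate: float) -> str:
    """One line of the comparison table: shape, keyspace, worst-case time."""
    return f"{label:<36} {space:.3e} candidates -> {human(seconds_to_exhaust(space, rate))}"


if __name__ == "__main__":
    # LM rate assumed equal to the NTLM rate, since the article quotes none for LM.
    print(report("LM, 14 chars (two 7-char halves)", lm_keyspace(14), NTLM_RATE))
    print(report("NTLM, 8 lowercase letters", keyspace(26, 8), NTLM_RATE))
    print(report("NTLM, 14 printable ASCII", keyspace(PRINTABLE_ASCII, 14), NTLM_RATE))
    print(report("md5crypt, 8 lowercase letters", keyspace(26, 8), MD5CRYPT_RATE))
    print(report("md5crypt, 14 printable ASCII", keyspace(PRINTABLE_ASCII, 14), MD5CRYPT_RATE))
    print(f"md5crypt costs this cluster {NTLM_RATE / MD5CRYPT_RATE:,.0f}x more per guess than NTLM")
```

Two things stand out when the table is printed. The 14-character LM case collapses to under a minute at the assumed rate because the halves are attacked independently, which is the structural flaw rather than the GPU count; and a slow hash buys roughly a 4,500x factor per guess against the same hardware, so an 8-lowercase-letter password that NTLM gives up in well under a second takes md5crypt most of an hour, while 14 random printable characters remain out of exhaustive reach under either hash. The calculator says nothing about wordlist or rule-based attacks, which is exactly why a password drawn from a dictionary is cracked regardless of the arithmetic; the defender's levers remain length with real randomness plus a deliberately slow, salted hash.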
An update. Don't expect the delay to last long...

California Eyeing Drone Surveillance
Plans by the first California local government to deploy a surveillance drone were postponed Tuesday amid protests by rights groups who complained that Alameda County authorities were rushing the plan without public input.

“There has to be robust public engagement whether to deploy something like this,” said Will Matthews, a spokesman for the American Civil Liberties Union.

Alameda County is moving to become one of dozens of local law enforcement agencies nationwide to deploy the unmanned crafts. Some of the agencies include the Seattle Police Department, Miami-Dade Police Department and the Texas Department of Public Safety.
Suspicion and rumor are one thing, talking to the architect is quite another...

‘Everyone in US under virtual surveillance’ – NSA whistleblower
December 5, 2012 by Dissent

The FBI records the emails of nearly all US citizens, including members of congress, according to NSA whistleblower William Binney. In an interview with RT, he warned that the government can use this information against anyone.

Binney, one of the best mathematicians and code breakers in the history of the National Security Agency, resigned in 2001. He claimed he no longer wanted to be associated with alleged violations of the Constitution, such as how the FBI engages in widespread and pervasive surveillance through powerful devices called ‘Naris.’

This year, Binney received the Callaway award, an annual prize that recognizes those who champion constitutional rights and American values at great risk to their personal or professional lives.

Watch the interview with Binney on RT.com (the transcript below it has some errors, like “My line” for “Mark Klein”).
(Related) This came up Sunday, but I didn't have a link to the research paper.

"U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnbak added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"
(Related) A hint that the majority of UN member states want the ability to spy on their citizens too?

dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere:

"One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will come as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available."
Having grown up in New Jersey, I'd like to assure everyone that I am mostly cured. I haven't murdered anyone in weeks! For my Statistics students...

"With a homicide rate historically more than three times greater than the rest of the United States, Newark, N.J., isn't a great vacation spot. But it's a great place for a murder study (abstract). Led by April Zeoli, an assistant professor of criminal justice, a group of researchers at Michigan State University tracked homicides around Newark from 1982 to 2008, using analytic software typically used by medical researchers to track the spread of diseases. They found that "homicide clusters" in Newark, as researchers called them, spread and move throughout a city much the same way diseases do. Murders, in other words, did not surface randomly—they began in the city center and moved in 'diffusion-like processes' across the city."

[Can you say, “vendetta?” Bob]
A few companion sites for http://musicnoteslib.com

After all, what use is the music without the lyrics?