
Security quotes of the week

For the past several years, we've been seeing a steady increase in the weaponization, stockpiling, and the use of exploits by multiple governments, and by multiple *areas* of multiple governments. This includes weaponized exploits specifically designed to "bridge the air gap", by attacking software/hardware USB stacks, disconnected Bluetooth interfaces, disconnected Wifi interfaces, etc. Even if these exploits themselves don't leak (ha!), the fact that they are known to exist means that other parties can begin looking for them.

In this brave new world, without the benefit of anonymity to protect oneself from such targeted attacks, I don't believe it is possible to keep a software-based GPG key secure anymore, nor do I believe it is possible to keep even an offline build machine secure from malware injection anymore, especially against the types of adversaries that Tor has to contend with.

Mike Perry

For instance, did you know that it is a federal crime to be in possession of a lobster under a certain size? It doesn't matter if you bought it at a grocery store, if someone else gave it to you, if it's dead or alive, if you found it after it died of natural causes, or even if you killed it while acting in self defense. You can go to jail because of a lobster.

If the federal government had access to every email you've ever written and every phone call you've ever made, it's almost certain that they could find something you've done which violates a provision in the 27,000 pages of federal statutes or 10,000 administrative regulations. You probably do have something to hide, you just don't know it yet.

Moxie Marlinspike (Thanks to Paul Wise.)

Many of you have seen my talk about medical devices and general software safety [YouTube]. In fact, I'm up in the Boston area, having given a similar talk yesterday at the Women's Leadership Community Luncheon alongside the Red Hat Summit. Well, I seem to have gotten through, at least a little! While I was giving the talk yesterday, the FDA finally admitted that there is a big problem. In their Safety Communication, the FDA says that medical devices can be vulnerable to attack. They recommend that manufacturers assure that appropriate safeguards are in place to prevent security attacks on devices, though they do not recommend how this should be accomplished.

Karen Sandler (ICS-CERT alert.)

Security quotes of the week

Posted Jun 20, 2013 9:26 UTC (Thu) by etienne (subscriber, #25256)

> I don't believe it is possible to keep a software-based GPG key secure anymore

I want my *watch* to be able to receive a file by optical communication, offer to encrypt it using a few buttons (a few possible keys) while showing me the file size and beginning, and then send the encrypted file back optically to the PC...

Security quotes of the week

Posted Jun 20, 2013 11:33 UTC (Thu) by DavidS (subscriber, #84675)

How would that help in a world where your monitor's content can be reconstructed from the scattered light off the white wall behind you?

But, have no fear. THEY are not after you. Except, if you have business competitors with ties to the military-industrial complex, or anyone from China (or probably from anywhere else), or a run-in with some high-ranking official (see the Czech Republic) or actually any contact with someone from the police (including their janitors) or if your ex-significant other matches any of the above.

That list of course is only valid if you care about maliciousness. Think about the problems incompetence and secrecy yield. I refer you to the numerous individuals who are listed on the various no-fly lists for no good reason (Ted Kennedy?). For a different and more elaborate, albeit fictional, example see The Girl with the Dragon Tattoo.

All those technical arguments pale in comparison to the fundamental cynicism and disrespect to basic human rights that underlies all those who think that social problems can be solved with technical means. Especially these!

Prosecutors can already indict anyone they want

Posted Jun 21, 2013 9:19 UTC (Fri) by CChittleborough (subscriber, #60775)

Re the quote from Moxie, at least one lawprof says "prosecutors [can already] charge almost anyone they take a deep interest in", even without emails or phone call data. See Ham Sandwich Nation: Due Process When Everything is a Crime by Glenn Reynolds.

Prosecutors can already indict anyone they want

Posted Jun 21, 2013 14:00 UTC (Fri) by dark (subscriber, #8483)

"Give me six lines written by the most honest man, and I will find something there to make him hang." — attributed to Cardinal Richelieu.

Prosecutors can already indict anyone they want

Posted Jun 24, 2013 7:53 UTC (Mon) by jezuch (subscriber, #52988)

Actually, that's not the biggest problem. When malice is involved, then yes, you can hang anyone you want by using obscure laws nobody knows exist. The biggest problem is that context is everything. If you put yourself in the wrong context, even totally by accident, that makes everything else you do (and did) suspicious just because of the context. No malice needed, just plain old paranoia, human nature, confirmation bias and good intentions from the pavement of the road to hell.

Prosecutors can already indict anyone they want

Posted Jun 24, 2013 14:25 UTC (Mon) by raven667 (subscriber, #5198)

I think you are very much right about this and I will highlight one point. You said "If you put yourself in the wrong context, even totally by accident, [...]" which shows that you don't have real agency in the process. It might even have nothing to do with anything you've actually done; I always think of Buttle/Tuttle in the movie Brazil as one of the real dangers of a highly efficient but fundamentally incompetent police state. Without sufficient oversight and supervision there is no incentive to learn from your mistakes, or even admit that they exist.

Prosecutors can already indict anyone they want

Posted Jun 25, 2013 7:03 UTC (Tue) by jezuch (subscriber, #52988)

> Buttle/Tuttle in the movie Brazil

Yes! This movie should be mandatory "reading" in schools, more so than "1984" and all :) (Kids love movies and hate books, right?)

Security quotes of the week

Posted Jun 22, 2013 17:57 UTC (Sat) by kleptog (subscriber, #1183)

The thing I find most interesting about this is that while everybody talks about 1984-like surveillance, it doesn't *feel* like it. Why?

Because in the book the monitoring was real, and you noticed it. While PRISM is collecting lots of data they're not doing anything with it that you even notice. There are no speakers in the wall telling you what to do.

Is that a risk? There are certainly nowhere near enough people at the NSA to monitor everyone. I imagine they think that with data-mining they can find terrists, but I doubt that will work. You're looking for outliers and *everyone* is an outlier in some sense.

Mind you, I find the issue about some small fact (like a lobster) being found to jail you a bit unrealistic. I don't think any judge would fall for it. There are not a lot of crimes you can commit in an email/phone call. You are not going to be convicted on the basis of emailing a friend about an undersized lobster without producing the lobster in question.

If they try to nail Assange by charging him on the basis of an email about an undersize lobster, everyone will just laugh.

Security quotes of the week

Posted Jun 22, 2013 20:27 UTC (Sat) by dlang (✭ supporter ✭, #313)

The issue isn't the example of 1984, it's the example of the J. Edgar Hoover FBI. They did enough damage with the capabilities they had at the time; imagine what they could do with what's been put in place now.

At least initially, they won't go after people like Assange with things like the undersized lobster, they will go after people they 'know' are terrorists or mobsters, but just can't prove it (people who "everybody knows" direct the people who do the violence directly, but are able to keep the direct links hidden).

The problem is that rather than "the rule of law", it's turning into "the ends justify the means": as long as the 'bad guys' get locked up, what mechanism was used to get them locked up doesn't matter.

This isn't new; locking up Al Capone for "tax evasion" is an example of this.

This quote from John Adams is the best explanation of the problem that I've found so far.

> It is more important that innocence should be protected, than it is, that guilt be punished; for guilt and crimes are so frequent in this world, that all of them cannot be punished.... when innocence itself, is brought to the bar and condemned, especially to die, the subject will exclaim, 'it is immaterial to me whether I behave well or ill, for virtue itself is no security.' And if such a sentiment as this were to take hold in the mind of the subject that would be the end of all security whatsoever

Security quotes of the week

Posted Jun 27, 2013 20:29 UTC (Thu) by thumperward (guest, #34368)

Aaron Swartz's crime, for which he was facing a period longer than his life to date in a Federal prison, was downloading freely-available papers.

Security quotes of the week

Posted Jul 4, 2013 22:19 UTC (Thu) by man_ls (guest, #15091)

Even if incarceration is a remote possibility, there is always the very real danger of being arrested and interrogated for petty crimes, just because you confessed to it in a private email -- which perhaps wouldn't even be accepted as evidence. Disruption of people's lives can be subtle but deep.

Also, with near-infinite storage data can be collected now and used many decades in the future. Just to think that a government has the power to collect and store everything that you do online should be enough to scare anyone.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds