
Security quotes of the week

The two [Jeremiah Grossman and Matt Johansen] discovered that even reputable ad networks do a poor job of vetting the JavaScript that is bundled with ad images. "As long as it looks pretty, they have no problem with it," Johansen said. "The folks we were dealing with (at the ad networks) didn't really have the JavaScript reading skills to know the difference anyway."
ITworld reports on a Black Hat security conference presentation

In the [Bradley] Manning case, the prosecution used Manning's use of a standard, over 15-year-old Unix program called Wget to collect information, as if it were a dark and nefarious technique. Of course, anyone who has ever called up this utility on a Unix machine, which at this point is likely millions of ordinary Americans, knows that this program is no more scary or spectacular (and far less powerful) than a simple Google search. Yet the court apparently didn't know this and seemed swayed by it.

We've seen this trick before. In a case EFF handled in 2009, Boston College police used the fact that our client worked on a Linux operating system with "a black screen with white font" as part of a basis for a search warrant. Luckily the Massachusetts Supreme Court tossed out the warrant after EFF got involved, but who knows what would have happened had we not been there.

Cindy Cohn of the Electronic Frontier Foundation (EFF)

What would a spoofing attack look like in practice? Suppose the spoofer's goal is to run the target vessel aground on a shallow underwater hazard. After taking control of the ship's GPS unit, the spoofer induces a false trajectory that slowly deviates from the ship's desired trajectory. As cross-track error accumulates, the ship's autopilot or officer of the watch maneuvers the ship back into apparent alignment with the desired trajectory. In reality, however, the ship is now off course. After several such maneuvers, the spoofer has forced the ship onto a parallel track hundreds of meters from its intended one. Now as the ship moves into shallow waters, the ECDIS display and the down-looking depth sounder may indicate plenty of clearance under the keel when in truth a dangerous shoal lies just underwater dead ahead. Maybe the officer of the watch will notice the strange offset between the radar overlay and the underlying electronic charts. Maybe, thinking quickly, he will reason that the radar data are more trustworthy than the ship's GPS-derived position icon displayed on the ECDIS. And maybe he will have the presence of mind to deduce the ship's true location from the radar data, recognize the looming danger, and swing clear of the shoal to avert disaster. Or maybe not.
Todd Humphreys on GPS spoofing as reported by ars technica
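The defensive check the quoted scenario hints at (the officer comparing the GPS-derived position icon against the radar overlay) can be made mechanical: the reason the spoof works is that each individual correction looks ordinary, so a check on the per-step change misses it, while a cumulative comparison against an independent position source does not. The following is an added example, not code from the ars technica article or from Humphreys' work; the Fix type, the cross_check function, its thresholds and the sample GPS and radar tracks are all constructed for illustration.

```python
from dataclasses import dataclass
from math import hypot
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fix:
    """A position at one instant (constructed type, not from any real ECDIS API)."""
    t: int      # seconds since the watch started
    x: float    # east offset in metres from a local chart origin
    y: float    # north offset in metres from the same origin


def offset_m(a: Fix, b: Fix) -> float:
    """Horizontal distance in metres between two fixes."""
    return hypot(a.x - b.x, a.y - b.y)


def cross_check(gps: List[Fix], ref: List[Fix],
                step_tol_m: float = 30.0,
                cumulative_alert_m: float = 100.0
                ) -> Tuple[List[float], Optional[int], Optional[int]]:
    """Compare each GPS report with an independent fix taken at the same time.

    ref would come from a source the spoofer cannot touch, e.g. a radar range
    and bearing to a charted landmark.  Returns (offsets, step_alert, cum_alert):
      offsets    -- GPS-vs-reference distance at each sample
      step_alert -- first index where the offset grew by more than step_tol_m
                    between consecutive samples (a sudden jump), or None
      cum_alert  -- first index where the offset itself exceeds
                    cumulative_alert_m (a slow, accumulated walk-off), or None
    """
    if len(gps) != len(ref):
        raise ValueError("tracks must have the same number of samples")
    offsets: List[float] = []
    step_alert: Optional[int] = None
    cum_alert: Optional[int] = None
    prev: Optional[float] = None
    for i, (g, r) in enumerate(zip(gps, ref)):
        if g.t != r.t:
            raise ValueError(f"sample {i}: timestamps differ ({g.t} vs {r.t})")
        d = offset_m(g, r)
        offsets.append(d)
        # Per-step check: only fires on an abrupt change in the disagreement.
        if prev is not None and step_alert is None and d - prev > step_tol_m:
            step_alert = i
        # Cumulative check: fires once the two sources disagree by too much,
        # however gradually that disagreement was built up.
        if cum_alert is None and d > cumulative_alert_m:
            cum_alert = i
        prev = d
    return offsets, step_alert, cum_alert


# Constructed sample: the planned track runs due north along x = 0.  The GPS
# keeps reporting the ship back on the planned line after every correction,
# while radar fixes against a charted headland place it 25 m further east each
# minute, exactly the slow parallel walk-off the quoted scenario describes.
GPS_TRACK = [Fix(t=60 * i, x=0.0, y=300.0 * i) for i in range(8)]
RADAR_TRACK = [Fix(t=60 * i, x=25.0 * i, y=300.0 * i) for i in range(8)]


if __name__ == "__main__":
    offsets, step_alert, cum_alert = cross_check(GPS_TRACK, RADAR_TRACK)
    print("offsets (m):", offsets)
    print("per-step alert at sample:", step_alert)      # None: no single jump stands out
    print("cumulative alert at sample:", cum_alert)     # 5: 125 m off after five minutes
```

With these constructed tracks no single minute's change exceeds the 30 m step tolerance, so a check that only looks at how much the picture moved since the last sample stays quiet, while the cumulative comparison raises an alert at the sixth sample, once GPS and radar disagree by 125 m. The thresholds are arbitrary; what matters is that the reference source is independent of the receiver being spoofed.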

To call Prime Minister Cameron a "clown" at all might reasonably be taken by some as an affront to clowns and jesters reaching back through history. Because Cameron's style of clowning is far more akin to the nightmarish, sneering "clowns" of "B" horror movies, not the bringers of entertainment under the big top.

Cameron, through a series of inane and grandstanding statements and pronouncements both deeply technically clueless and shamelessly politically motivated, has been channeling Napoleon by placing the clown prince crown on his own head.

Laughing at his antics would be a terrible mistake. For his wet dream of Internet censorship poses an enormous risk not only to the UK, but to other nations around the world who might seek comfort in his idiocy for their own censorship regimes (already, calls have been made in Canada to emulate Cameron's proposed model).

Lauren Weinstein

Security quotes of the week

Posted Aug 1, 2013 5:12 UTC (Thu) by mjg59 (subscriber, #23239)

…and this is why it's important for us to be able to pass an argument to the kernel to default to black text on a white background.

Security quotes of the week

Posted Aug 2, 2013 3:03 UTC (Fri) by mathstuf (subscriber, #69389)

What about popping up a warning that you've been put on a couple of lists when you make the default colors green-on-black? I mean, that's just reckless.

Security quotes of the week

Posted Aug 1, 2013 8:27 UTC (Thu) by acunningham (subscriber, #9368)

> What would a spoofing attack look like in practice?

To force the vessel into Chinese waters and so start a war, of course. Hasn't he seen the documentary?

Security quotes of the week

Posted Aug 2, 2013 7:21 UTC (Fri) by hickinbottoms (subscriber, #14798)

Or even "Tomorrow Never Dies"...

Security quotes of the week

Posted Aug 2, 2013 7:28 UTC (Fri) by dlang (✭ supporter ✭, #313)

I think that's the "Documentary" that the parent poster was referring to :-)

Security quotes of the week

Posted Aug 2, 2013 7:57 UTC (Fri) by acunningham (subscriber, #9368)

Indeed :-))

Security quotes of the week

Posted Aug 2, 2013 13:10 UTC (Fri) by smitty_one_each (subscriber, #28989)

Past all of that spin and whitewash, how does Lauren Weinstein feel about Prime Minister Cameron?

Security quotes of the week

Posted Aug 2, 2013 19:16 UTC (Fri) by filteredperception (subscriber, #5692)

What I would like to know (arguably as one of my grade-school's class clowns), is what Lauren Weinstein thinks of residential ISP server prohibition terms of service, and whether or not such can be seen under the light of censorship. To me, running your own server is the envisionment of the "citizenry affordable printing press with global reach for your free speech" wet and dry dream for the internet. If citizens can't* run their own server, they are dependent on other printing presses (servers) that likely come with chilling terms of service agreements against things that are "improper". I AM NOT FUCKING KIDDING YOU, GOOGLE FIBER'S TERMS OF SERVICE BANNED ANY "IMPROPER" USE OF THE NETWORK. WHAT KIND OF FUCKING LEGAL WEASEL WORD IS THAT???

Security quotes of the week

Posted Aug 2, 2013 19:20 UTC (Fri) by filteredperception (subscriber, #5692)

*can't

And by that I mean, forbidden by terms of service, though perhaps partially interestingly ?legally? 'promised' in an FAQ. But I see that situation as successfully chilling the market from such home services. I mean, ok, say Google allows that partial subset. If this isn't a netneutrality, censorship, or other legal issue, then we can presume each and every ISP can define their own subset. And thus there is no minimal subset guaranteed as a place of deployment for folks like myself that would like to develop open and closed source, commercial and non-commercial, software to run on people's home servers that makes them all happier (gives them utility). $0.02... sorry for screaming, but it's been a long year.

Security quotes of the week

Posted Aug 2, 2013 16:08 UTC (Fri) by apoelstra (subscriber, #75205)

This wget quote is very disturbing. It sounds as though the "new dark ages" that the Reddit crowd likes to warn about whenever articles about, e.g., creationism in schools, hit the press. The scientific and legal literacy contained in arguments along the lines of "the defendant used a dark screen like in Hackers!" is no higher than "the defendant is a witch!".

It is not good that any lawyer in the 21st century could say such a thing without being discredited or disbarred.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds