
Security quotes of the week

So nothing serious here. It's just casually violating your privacy.
Jakub Wilk looks at what HTTP requests Iceweasel (Firefox) makes on first startup (Thanks to Paul Wise.)

None of this really should surprise me. I’ve known for some time that there are some “security” people that have their own modifications they have no intention of sending my way. Thanks to the way that people that release 0-days are revered in this circus, there’s no incentive for people to share their modifications if it means that someone else might beat them to finding their precious bugs.
Dave Jones on contributions to the Trinity system call fuzzer

We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted “work for peace not war” on the walls of a building housing enough uranium to build thousands of nuclear weapons. They began hammering on the building with a sledgehammer, and waited half an hour to be arrested. If an 82-year-old nun with a heart condition and two confederates old enough to be AARP members could do this, imagine what a team of determined terrorists could do.
Hugh Gusterson

Forever secrets, like the formula for Coca-Cola, are few and far between. The one exception is embarrassments. If an organization had to assume that anything it did would become public in a few years, people within that organization would behave differently.

The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn't like, and Hacking Team wouldn't have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently.

Bruce Schneier


Security quotes of the week

Posted Jul 16, 2015 0:38 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

> We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted “work for peace not war” on the walls of a building housing enough uranium to build thousands of nuclear weapons.
Don't exaggerate. They breached the external perimeter (which was not that secure), and this facility certainly doesn't store weapon-grade uranium.

Security quotes of the week

Posted Jul 16, 2015 9:50 UTC (Thu) by ewan (guest, #5533) [Link] (3 responses)

Right, because if someone blows up a fertilizer bomb mixed with this uranium everyone's going to be fine with it because it's not a real nuclear explosion.

Security quotes of the week

Posted Jul 16, 2015 17:07 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Actually, yes. Mixing uranium into a bomb won't do more harm than the bomb itself. You need something much nastier for real damage.

Security quotes of the week

Posted Jul 16, 2015 17:19 UTC (Thu) by raven667 (subscriber, #5198) [Link] (1 responses)

This is well off into hyperbole land, a few decades ago we were on a hair trigger for _thousands_ of fusion bomb detonations, enough to be as damaging as the asteroid that killed the dinosaurs 65 million years ago, and today we seem to be stumbling into a significantly changed climate that will cause severe global turmoil in time, a "dirty bomb" is small potatoes in comparison to other more likely risks out there. There was a time not very long ago when a few million deaths and a permanently uninhabitable metro area would have been seen as the *good* outcome.

In this specific case no one actually got near the protected materials, they breached the outermost and softest layers (a couple of fences, whoop-de-do), to do some political vandalism, for an actual threat to the protected material you'd have to get _all_ the way in to the facility and _all_ the way back out again in one piece which is a different problem entirely.

It's hard to have any meaningful dialog about security issues when under the grips of fear, it drives the imagination to heighten the risks and deepen the consequences far beyond what actually happens in the real world.

Security quotes of the week

Posted Jul 16, 2015 21:11 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

> for an actual threat to the protected material you'd have to get _all_ the way in to the facility and _all_ the way back out again in one piece

Not only that, but you'd have to bring a meaningful amount of the material out with you. Unless it's already enriched to weapons grade, enough material for one bomb is more than it's practical for one person to carry.

Security quotes of the week

Posted Jul 16, 2015 1:07 UTC (Thu) by xtifr (guest, #143) [Link] (6 responses)

I was a little perturbed by the "casually violating your privacy" thing, so I read a little more of the thread, and here's what I found:

1. The favicon downloads are apparently because of a Debian-specific patch; Debian doesn't want to ship a set of non-free icons. Makes a certain amount of sense. (Might make even more sense to cache them, but that's extra work for already overloaded Debian folks.)

2. The safebrowsing.google thing apparently only sends a *partial* hash. Which may not be perfect, but still makes me feel a lot better. And you can reportedly disable it with:

Security > Block reported attack sites
and
Security > Block reported web forgeries

(I haven't tested this part.)

I'm still a little uncomfortable with the whole thing, but less so than I was at first.

Security quotes of the week

Posted Jul 16, 2015 4:22 UTC (Thu) by ncm (guest, #165) [Link] (1 responses)

You should be worried. One hash tells them little. A dozen hashes resolving to pages on the same site tells them everything. Are there any sites we use that we don't get a dozen URLs from?

Security quotes of the week

Posted Jul 16, 2015 15:35 UTC (Thu) by jwarnica (subscriber, #27492) [Link]

Read the thread. Apparently you send Google a hash of a trimmed URL, and then get back the whole list of results based on that. It is a necessary optimization over downloading, every hour, the entire safebrowsing database.

Your DNS server knows what host you are going to, I don't think this leaks out much more.

Security quotes of the week

Posted Jul 16, 2015 17:29 UTC (Thu) by flussence (guest, #85566) [Link]

It gets nastier after you've used the browser for a while:

Unless you take steps to completely avoid the default new tab page in Firefox (with thumbnails of frequently-visited sites), it also starts loading some of those pages in their entirety without asking, executing scripts and so on, to update those thumbnails every few times you view it.

Better yet, this action bypasses any privacy-oriented extensions you may have installed — if any of those pages have "share" buttons, Mozilla is helpfully letting Facebook/Google/etc. know you visited them often.

Non-free icons (was: Security quotes of the week)

Posted Jul 18, 2015 7:27 UTC (Sat) by debacle (subscriber, #7114) [Link] (1 responses)

Maybe someone with an artistic streak could create alternative, free icons for Debian?

Non-free icons (was: Security quotes of the week)

Posted Jul 18, 2015 7:46 UTC (Sat) by debacle (subscriber, #7114) [Link]

Don Armstrong is the one with the artistic streak:
# Needs bash (the ${var:offset:length} substring syntax is not POSIX sh)
# and ImageMagick's convert. Writes one 16x16 PNG per site, showing the
# first six letters of its name as two rows of three characters.
for icon in ebay google wikipedia bing; do
    convert -size 16x16 xc:white -pointsize 8 \
            -font 'DejaVu-Sans' -fill black \
            -stroke none \
            -draw "text 0,7 '${icon:0:3}'" \
            -draw "text 0,14 '${icon:3:3}'" \
            "${icon}.png"
done

Security quotes of the week

Posted Jul 23, 2015 16:33 UTC (Thu) by gerv (guest, #3376) [Link]

There seems to be a persistent misunderstanding that Google SafeBrowsing, by default, sends history, hashes of history or partial hashes of history to Google. This is simply not true in almost every case. See: https://support.mozilla.org/en-US/kb/how-does-phishing-an... for details.

Safe Browsing downloads databases of bad URLs and checks against those locally. The only time data is sent to Google is:

a) when you hit a URL present in the downloaded anti-phishing database; Firefox checks to make sure it's not been removed since the database was downloaded, e.g. because it was a false positive
b) when you download a non-common binary file; in that case, a hash of the file is sent to check if it's known malware.

The first of these would be pretty rare; the second perhaps a bit less rare, but Google don't get the file contents, or find out where you got it from. This feature can also be disabled without disabling the standard SafeBrowsing service.

It seems to me that the current way the feature works manages to protect users from what are serious, ongoing internet threats (phishing and malware are big, big problems) in the most privacy-preserving way possible.

Gerv
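The lookup flow that jwarnica and Gerv describe above (a local hash-prefix list, with only the prefix sent on a local hit so the server can return the matching full hashes), as an added illustration that is not Firefox's or Google's code. The URL canonicalisation and the 4-byte prefix length are simplifying assumptions; the bad-URL list, the server's full-hash set and the "false positive removed since download" case are all constructed here.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 kept in the local list (assumed length)


def canonical_expr(url: str) -> str:
    """Reduce a URL to host + path before hashing (simplified; assumed)."""
    parts = urlsplit(url)
    return (parts.hostname or "") + (parts.path or "/")


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


def build_local_list(bad_expressions):
    """Simulate the downloaded list: it holds hash prefixes, never URLs."""
    return {full_hash(e)[:PREFIX_LEN] for e in bad_expressions}


def local_check(url: str, local_prefixes):
    """Return (needs_network, payload). payload is the only thing that
    would leave the machine: a hash prefix, or None in the common case."""
    prefix = full_hash(canonical_expr(url))[:PREFIX_LEN]
    if prefix not in local_prefixes:
        return False, None          # no local hit: nothing is sent anywhere
    return True, prefix             # local hit: ask the server about this prefix


def server_full_hashes(prefix: bytes, server_set):
    """Simulated server side: every current full hash sharing the prefix."""
    return [h for h in server_set if h.startswith(prefix)]


def is_blocked(url: str, local_prefixes, server_set) -> bool:
    """Full decision: block only if the local hit is confirmed by the server,
    so an entry removed since the list download (e.g. a false positive)
    no longer blocks the page."""
    needs_network, prefix = local_check(url, local_prefixes)
    if not needs_network:
        return False
    return full_hash(canonical_expr(url)) in server_full_hashes(prefix, server_set)


# Constructed sample data: two "bad" entries, one later withdrawn server-side.
BAD = ["evil.example/phish", "malware.example/dl"]
LOCAL_PREFIXES = build_local_list(BAD)
SERVER_CURRENT = {full_hash("evil.example/phish")}   # malware.example/dl withdrawn

if __name__ == "__main__":
    for u in ("https://benign.example/page", "http://evil.example/phish",
              "http://malware.example/dl"):
        print(u, local_check(u, LOCAL_PREFIXES), is_blocked(u, LOCAL_PREFIXES, SERVER_CURRENT))
```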

Wikipedia favicon non-free?

Posted Jul 23, 2015 17:38 UTC (Thu) by davidgerard (guest, #100304) [Link]

What makes the Wikipedia favicon DFSG non-free? The file itself is marked "ineligible for copyright" (it's a simple rendering of the capital W from the font):

https://commons.wikimedia.org/wiki/File:Wikipedia-favicon...

It is, however, trademarked. Is that a universal DFSG dealbreaker?


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds