658 posts • joined 16 Jan 2011
Re: Are you talking to me?
From the us-cert.gov posting it is obvious that the vulnerable POSs all run some variant of Windows. However, that probably is merely a reflection of the target environment, and the root fault appears (from the article) to be deployment failures: remote access (strike 1), weak credentials (strike 2), and credential reuse (strike 3).
Someone (individuals in the case of debit cards and largely banks in the case of credit cards) is eating the cost of these depressingly repetitive events and the civil courts would seem a reasonable agent for reassigning them to the responsible parties.
We in the US have seen how well specialized courts work out, in the form of the Court of Appeals for the Federal District (specializing in patent issues).
Is the SSH version 1 protocol still allowed anywhere? My recollection is that it has been deprecated for ten or more years, and when I left the US DoD several years ago their systems had been required for at least five years to be configured to use only protocol 2.
The article appears to address mainly sloppy administration practices that tools like SSH make easier. Monkeying with SSH will not cure that, and it is not clear that some of the matters complained of are properly the job of SSH at all.
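As an added illustration of the "protocol 1 should be long gone" point and of the administration failures the poster distinguishes from SSH itself (remote access, weak credentials), here is a small sshd_config audit. It is example code written for this page, not from the original post or from OpenSSH; the configuration text is constructed, and the checks encode two facts about sshd_config that matter when auditing: keywords are case-insensitive, and the first value obtained for a keyword wins, so a later `Protocol 2` line does not undo an earlier `Protocol 1`. The audit deliberately stops at the first `Match` block because settings inside it are conditional, not global.

```python
import re

# Constructed sample config for this example (not a real host's file).
# The second Protocol line is the trap: sshd keeps the FIRST value it sees.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed for this example)
Protocol 1
Protocol 2                  # ignored by sshd: the first Protocol line wins
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no   # inside a Match block: not a global setting
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword_lowercase: value}.

    Mirrors two sshd_config rules: keywords are case-insensitive and the
    first occurrence of a keyword is the one that takes effect.  Lines after
    the first Match are conditional and are left out of the global view.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                    # everything below is conditional
        settings.setdefault(key, value)              # first value wins, later ones ignored
    return settings


def audit_sshd_config(text):
    """Return (keyword, value, why) findings for the legacy protocol and the
    credential-related settings.  Only explicit values are judged, except
    PasswordAuthentication, whose sshd default is 'yes'."""
    cfg = parse_sshd_config(text)
    findings = []

    protocol = cfg.get("protocol")
    if protocol and "1" in [p.strip() for p in protocol.split(",")]:
        findings.append(("protocol", protocol,
                         "SSH protocol 1 enabled; deprecated and removed from modern OpenSSH"))

    if cfg.get("permitrootlogin", "").lower() == "yes":
        findings.append(("permitrootlogin", cfg["permitrootlogin"],
                         "interactive root login over SSH permitted"))

    pw = cfg.get("passwordauthentication", "yes").lower()   # sshd default is yes
    if pw != "no":
        findings.append(("passwordauthentication", pw,
                         "password logins allowed: guessable and reusable credentials"))

    if cfg.get("permitemptypasswords", "").lower() == "yes":
        findings.append(("permitemptypasswords", "yes", "empty passwords accepted"))

    return findings


if __name__ == "__main__":
    for keyword, value, why in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{keyword:25} = {value:6} -> {why}")
```

Run against the sample, the audit reports the protocol 1 line (despite the later `Protocol 2`), root login and password authentication; the `PasswordAuthentication no` inside the `Match` block correctly does not count as a global fix. On a real host, `sshd -T` prints the effective configuration and is the better input, since it resolves defaults and Match blocks for you.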
If your prospective employer pays any attention whatever to your teenage error, would you want to work for him? Is a 20 year old bankruptcy likely to have any effect on your multi-million pound company? It seems more like a recommendation than something to worry about (unless your company is paying dividends from the capital put in by new investors, in which case the earlier bankruptcy might be quite relevant).
Should Yahoogle be the judge? I do not think so. It would be better if each removal were reviewed and based on a judgment by a competent court.
Re: James 51
Need to find a replacement word for sh..le.
I wonder ...
... how many people/websites actually need or benefit from the kind of security being discussed here. The articles on the Register or similar sites are fairly public information that I do not think is likely to implicate me in anything interesting to spy agencies. Comments I post are meant to be read by anyone who cares to and I try to edit them accordingly, mainly to attempt clarity and avoid being offensive. I expect that is true for most of those who read and post on this site. I never have changed comments to avoid the interest of any government agency, although I do not name the one that employed me and avoid describing in detail their information assurance procedures, but anyone seriously interested probably could find out with moderate difficulty at most.
Account creation over HTTP is a bit offputting, but I knew that going in and provided a password that I do not use for anything associated with data I wish to keep private. I sort of hope it is salted and hashed, and that TheRegister takes reasonable precautions to secure it and the associated account data, but there isn't any correct information there that I care much about keeping private.
HTTPS certainly is warranted for more important things like online purchasing or bank access. For the most important ones I really would prefer that the identification and authentication in both directions be based on something like hand-to-hand direct exchange of public keys rather than on automated acceptance of certificates signed by one of dozens of CAs about which I know, in most cases, next to nothing.
Re: SSL is a good thing
"Browsers pop up really alarming warnings" might not be an entirely bad thing. In that case I have an explicit choice whether to accept the risk of connecting rather than the implicit and sometimes incorrect acceptance that goes with trusting the certs distributed with the browser. I still have some security from the encrypted link, and can't see that the risk associated with accepting a private cert differs much from that of trusting the browser and the largely unknown CAs that signed certs for anyone who paid them money.
Assuming that SpiderOak is what it claims, it seems doubtful that they are likely to be bothered by many warrants, national security letters, or subpoenas unless the cryptography they use is broken. Their customers, however, will be subject to pretty much the same range of intrusions as they are now.
Re: "Mega Corp" proves command and control can work!
For many years, General Motors operated an internal market economy, and were highly successful and very profitable. Different divisions competed with each other as well as the likes of Ford and Chrysler, and individual plants were competitors with other plants within their division to supply designs and components. Those less successful in winning bids for supply contracts made lower profits (or losses) and might need to shrink, while the more successful ones were more profitable and would grow. This might have declined or been abandoned in the '70s or beyond, as the major divisions came, for efficiency, to rely on more uniformity and common designs and parts, Detroit management laid a heavier hand on overall control, and the different brands became largely indistinguishable except by ornamentation and finish details. That may have contributed to the decline and near extinction of the corporation.
I declare, as a former civil servant, that the performance incentives in a government run organization differ from those in a private sector profit oriented one. This is true primarily at the top of the organization where strategic goals are set and in the parts of the organization that face its external world, but to a degree works its way into the interior and more bureaucratic parts as well. The working of an objective measure - profit - of success is critical to a profit oriented organization and largely lacking in many (most, nearly all) government agencies. The result is that in government agencies goals are more likely to be qualitative, diffuse, and ill defined, and productivity measures that exist are quite vague and disconnected from any external reality.
This is not to say that a profit motive ensures meaningful incentives in an organization; the number of failed startups strongly suggests otherwise. But the startups that don't generate profits may well fail, whereas government entities (and their private sector counterparts, charities), like "temporary" tax levies, tend to lumber on endlessly.
Re: Who trusts a third party with their authentication?
KeePassX with the database on a USB key. I trust myself more than I trust the unknown provider of a remote service.
Re: El Reg is Pro-Amazon sympathiser?
The full Orwell quote:
"The Penguin Books are splendid value for sixpence, so splendid that if the other publishers had any sense they would combine against them and suppress them. It is, of course, a great mistake to imagine that cheap books are good for the book trade. Actually it is just the other way around. If you have, for instance, five shillings to spend and the normal price of a book is half-a-crown, you are quite likely to spend your whole five shillings on two books. But if books are sixpence each you are not going to buy ten of them, because you don’t want as many as ten; your saturation-point will have been reached long before that. Probably you will buy three sixpenny books and spend the rest of your five shillings on seats at the ‘movies’. Hence the cheaper the books become, the less money is spent on books. This is an advantage from the reader’s point of view and doesn’t hurt trade as a whole, but for the publisher, the compositor, the author and the bookseller it is a disaster."
It is clear that many digital books are worth less than paper ones in that instead of purchasing an object outright, with an unrestricted right to use and transfer it, you are buying a sometimes seriously restricted license. They should be priced lower. With that limitation, Amazon's proposal clearly would benefit book purchasers.
Amazon claims empirical evidence that their proposal is likely to increase the revenue to publishers and authors, but they might be wrong or warping the truth for their benefit. If they are correct, though, it also could benefit publishers and authors as well.
The publishers' argument has the appearance of an attempt to justify and continue a possibly obsolescent business model, where in the future "books" may be produced by web-mediated groups of independent authors, editors, compositors, and printers; and publishers, as coordinators of the overall process (and skimmers of some of the revenue) are consigned a much less central (and profitable) role than they now have.
As another poster noted, nothing major stands in the way of Hachette or other publishers engaging in online sales of books on their lists in competition with Amazon, although start up costs could be significant and Amazon's market position would be a challenge. Those who did so likely would accrue a larger part of the total revenue and would be able to use part of it to improve the lot of the authors. If they so chose.
Is the proposed service demonstrably superior to PGP (with the actual subject embedded in the message body) in either security or usability? Do any points of superiority matter a great deal?
Does the apparently greater complexity (e. g., to PGP) enlarge the attack surface and possibly lead to additional vulnerabilities?
Is it safe from local system compromises by hardware or software implants?
Can it be used to transmit malware?
As much as I respect Phil Zimmermann, I think he is largely mistaken. For quite a few years I have urged nearly everyone I know who is even marginally computer literate to use PGP or OpenPGP to secure email, with exactly one success, who already was set for, and using, one of these products.
Although this sample is not at all random and the results of analysis unsuitable for making long term projections, it nonetheless suggests that people are not very interested. Whatever the reason, it appears likely that a great many people are comfortable with the same degree of privacy they would get by sending a post card through the mail. I do not really expect encryption of voice mail to have enough uptake to limit the signals intelligence agencies. Those who have reasons to use encryption, or a desire for the privacy that encryption can provide probably are using it already, and I rather doubt that preaching to the faithful at Black Hat will change that much.
Re: Dunno what you can say except...
in other words, someone else's privacy is fair game as long as you agree with the purpose for violating it, as stated by a trustworthy data custodian like Microsoft or Google. Presumably the NSA and GCHQ then would be OK if they simply looked for and reported those who exchange kiddie porn, keeping mindful that to do that they would have to scan everything they could get their hands on and decrypt what they could.
Re: Prediction for the next step
Re: There are three-quarters of a million terrierists in the US?!?
There may be other and more shocking documents yet to come, but the one so far shown on the Firstlook web site is pretty much a bore.
A quick scan of the Intercept article suggests that a majority of the nearly 700K TIDE listees are not US people. The one document referenced in that article suggests the number of US citizens or residents probably is in the order of 10,000, or roughly 3/1000 of one per cent of the population. I made no effort to add up the numbers, which probably would not be meaningful anyhow, as the referenced document is a typically turgid bureaucratic self congratulation such as all federal agencies prepare near the end of the fiscal year. This is done so that their bosses, who receive the report, can attach it to their annual list of accomplishments. I saw, and was required to provide "input" to more than a few such documents in 40 years of federal employment.
It is indeed inexcusable that so many sites fail to sanitize their input, but it would be of interest to know how many of the claimed 420,000 from which data was pilfered failed to salt and hash the passwords. Their developers warrant far harsher treatment than those who only were sloppy about input editing.
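To make concrete why the poster singles out unsalted storage, here is an added example (written for this page, not part of the original comment) that contrasts a bare SHA-256 of the password with a salted, iterated PBKDF2-HMAC-SHA256 hash, and then runs the same three-word dictionary against both. The user table, the wordlist and the iteration count are constructed assumptions for the demonstration; the format `pbkdf2_sha256$iterations$salt$hash` is likewise just this example's own encoding.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption chosen for this example

# Constructed data: two accounts share a weak password, one has a stronger one.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "correct horse"}
WORDLIST = ["123456", "Password1", "letmein"]          # constructed attacker wordlist


def hash_unsalted(password):
    """What a sloppy site stores: one SHA-256 of the password.  Equal passwords
    give equal digests, so a single precomputed table covers every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash.  A fresh 16-byte random salt per account means
    equal passwords no longer share a digest, and the iteration count makes
    each guess cost ITERATIONS HMAC evaluations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_unsalted(hashes):
    """One hash per wordlist entry, computed once, cracks every matching account.
    Returns ({user: password}, number of hash computations performed)."""
    table = {hash_unsalted(w): w for w in WORDLIST}       # precomputed once for all users
    return {u: table[h] for u, h in hashes.items() if h in table}, len(table)


def crack_salted(records):
    """With per-account salts nothing can be precomputed: every guess is
    re-derived for every account, each costing ITERATIONS iterations.
    Returns ({user: password}, number of PBKDF2 derivations performed)."""
    cracked, work = {}, 0
    for user, stored in records.items():
        for w in WORDLIST:
            work += 1
            if verify_password(w, stored):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted:", crack_unsalted(unsalted))   # both weak accounts fall from one 3-entry table
    print("salted:  ", crack_salted(salted))       # same accounts fall, but 7 separate slow derivations
```

The weak password still falls in both cases; what salting removes is the amortisation (alice's and bob's records no longer share a digest, so no table covers both), and what the iterated KDF adds is a per-guess cost the attacker pays for every account separately. For a real deployment the guidance is the same shape with a memory-hard function (scrypt, Argon2) and a work factor tuned to the server, but the stdlib PBKDF2 shown here is already a large step up from a bare hash.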
Re: "a tool Microsoft uses to hide its source code from being copied"
The relevant question is whether THIS database can be replaced by text files, and the answer is "yes it can."
Re: Maximum speeds only
I had a similar experience (Amazon Prime, Comcast) a few days ago. At the same time, my local link showed low latency and about 50 megabits/second down, 10+ up. I suspect there might be issues related to Amazon's willingness to purchase enough capacity at their end or Comcast's connection to whatever their connection is to Amazon's servers. The other alternative is poor performance on my wlan due to the large number of neighborhood systems, some as strong as mine.
That said, competition is a Good Thing and we look forward with eagerness to the possibility that Google will bring it to us in Salt Lake City (suburbs - Xmission already provides gigabit service in some parts of the metropolitan area, I think).
Re: To be fair to Microsoft...
Google, Amazon, Apple, and others may not (at present) have had a similar warrant delivered to them and would be without standing in a court. It is not impossible that one or more of them has filed an Amicus brief, however; the article did not say one way or the other.
Re: US Tech Companies
The Internet was not designed for (or against) security. Accordingly, it is incumbent on those with a great interest in privacy of the communications they pass on the Internet to provide their own. For most of us, most of the time, the imitation privacy that goes with "not of interest to any but the communicating individuals" together with "mixed in with a great bunch of other trash" is sufficient, at least judging by the widespread failure to incur the additional cost of bothering with encryption. Using commercial services leaves one exposed to the risks that someone will snatch the messages in transmission (possibly assisted by broken SSL - including compromised certificates) or from the servers (possibly by breaking any storage encryption or compelling production using legal process). The closest thing to a guarantee of privacy is end-to-end encryption using the likes of (Open)PGP. Even that, of course, is subject to the risk that the originating or destination computer is compromised, possibly by a government agency but more likely by a criminal organisation.
Re: Damned if they do and damned if they don't!
Microsoft (Azure) T&Cs allow users to limit storage by geographical area (e. g., European, Asian, American), with some exceptions; and like all or nearly all companies, their privacy rules have a law enforcement exception. Within an area, or within the world if the customer fails to limit to a geographical area, Microsoft can move the data around as it sees fit.
I've never been a fan of "the cloud", but can't see there is a good reason not to store arbitrary data there, provided you encrypt on your premises and before transmission any data you would not want to post on a publicly accessible web page. Processing in the cloud is a different matter, as it involves outsourcing your security, accepting the associated risk, which may be either greater or less than the risk of doing it on your own.
There seems to be quite a bit of conflation in this thread about legal process and espionage, the latter being generally illegal in the target country while possibly legal in the one doing the spying. A foreign government official, including a head of state (like Ms. Merkel) could be an espionage target for various reasons, but it is unlikely that a US judge would issue a warrant to compel production of their communications. I do not think it is impossible, though, and there might be circumstances in which a warrant for communications would result in production of government officials' communications even when the target is not an official.
Re: Doom for US tech companies
"So what is stopping us?"
Near terminal laziness, starting with use of webmail, for which decent end to end encryption still is somewhere between nonexistent and seriously deficient.
"How bad does it have to get?"
For nearly all people, it will have to appear to be a lot worse than it does now, even in the mild state of moral panic in which we now find ourselves. And those who actually need end to end encryption probably are using it already, which explains the intelligence agencies' interest in communication metadata.
Re: Doom for US tech companies
For the reasons Mr. Pott cites, there will be no US law requiring that a company with a US presence must make its data available to the US government. On the other hand, the recently enacted UK DRIP Act appears to go a few steps in that direction without triggering mass flight of businesses from there.
This case is not about an unrestricted requirement for US businesses to give up data held in foreign data centers on request of nosy government officials, or without a warrant. That would be a matter for the NSA, if anyone. It is, instead, about a warrant issued, in a criminal inquiry, by a federal judge with a passing knowledge, at least, of legal procedures and the fourth amendment. The decision, as the article pointed out, does not appear to set a precedent. The process of obtaining a warrant may present a low bar, as some of the FISA orders indicate, but it still interposes some procedural requirements and judicial review.
Re: Doom for US tech companies
A bit over the top on both sides. The US government won't do that (it would piss off too many Americans) and the US economy would not collapse if all non-US Microsoft/Google/Amazon etc. customers abandoned them (assuming they all could find alternatives that met their requirements).
And we are, after all, apparently talking about execution of a warrant in a criminal investigation.
Re: Doom for US tech companies
~90% won't care enough to do anything
~9% will care and actually do something, but won't carry it through
~1% actually will do something effective
~0.01% actually will benefit in a measurable way
US Tech companies won't suffer a lot.
Re: I already have an NFC iPhone
Or, with the iThingy you can lose it (alone) and not be able to report the loss. Not much of an operational difference that I can see.
Re: Wonder why..
Jonathan Pollard: still in jail (parole eligible in November 2015).
Re: Helpful link
Another example of the internet healing itself, along with the probably (by the sequesters) unintended consequence of putting all the undesired links-to-be-forgotten in an easy-to-find and convenient place.
By all means, tie up Google and bring it down to the mediocre level of Yahoo! and Bing. That way all can suffer equally poor search results rather than being compelled to choose a provider. The obvious solution is to compel all DNS providers (at least in Europe) to randomly return an IP address for yahoo, bing, or google when the target is "google".
Re: Showing off your saucy selfies
We need not, however, depend on the NSA (or perhaps GCHQ) for politician selfies - see Wikipedia for Anthony Weiner, former US Congressman.
And why should we wish to use TrueCrypt, given the statement "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" on the truecrypt web site, along with the accompanying statement that development and maintenance have been discontinued?
Encryption is a useful tool, but using unmaintained products from anonymous producers (therefore of unknown trustworthiness) would not be my first choice.
The Constitution of 1787 provided in Article I Section IX, that "importation of such Persons as any of the States now existing shall think proper to admit, shall not be prohibited by the Congress prior to the Year one thousand eight hundred and eight" and allowed the Congress to impose an import tax of up to $10 for each such person.
That does not quite constitute abolishing slave importation in the Constitution, however much it may be a signal that the tide had begun to turn against the slave owners.
Re: I would laugh at this if it weren't so sad @ King of Foo
In addition to the British ending their part of the slave trade, in 1807, importation of slaves was banned in the US in 1808, the earliest possible time under the set of compromises that allowed acceptance of the Constitution. The fact of the compromises indicates that slavery was recognized, by many in America, as the abomination that it was a generation earlier.
Although it's a bit late for finger pointing, the English did, beginning in 1652, participate with some degree of enthusiasm in the transatlantic slave trade.
Re: Why am I not surprised by this?
"Posted anonymously because they 'know' and you probably work for them with an astroturfer's comment like what you posted."
Anonymous is pointless in this, as it probably is in all other forums. You are linked in the Reg database to your anonymous posts, as you will see if you review your past posts. And, as everyone knows, GCHQ has it if they want.
Posted with identity because they know anyhow and it makes me think before submitting.
Upvoted for offering a rational comment to a well-known and widespread problem.
"[B]roader cryptographic community are really just amateur wannabes" once was substantially correct. That is no longer the case. There are increasing numbers of competent cryptographers in academia and the private sector, although intelligence agencies like NSA and GCHQ almost certainly are among the best if not the best sources of cryptographic expertise.
Re: You can't have democracy...
Actually, it would make little or no difference, for at least two reasons.
First, the accuracy of any poll in which respondents select themselves is quite low to begin with, and any intervention by the various agencies is very unlikely to affect meaningful opinion measurements, as such polls usually do not produce any.
Second, polls - well-done or not - mostly reflect opinion. Evidence that the announced results drive opinion is somewhere between nonexistent and weak. There probably is a small effect at the margins, but not enough to matter much.
The most productive use for poll-fiddling might be to bend them toward results that show (a) a need for more agency funding and (b) that most of the people are not all that uncomfortable with agency activities. My guess, notwithstanding all the furor, is that (b) is not far from the truth anyhow.
Re: Why 128 bit AES not 256 bit?
I wonder if decrypting 256 bit AES would be faster than I can read the decrypted output; and also whether the time taken to encrypt really matters as long as it happens in less than minutes. And I wonder what the answers would be if the computer were restricted to an 8086.
Re: Yet more unconstitutional remedies to unconstitutional treatment
A fuller statement of the relevant part of the Fourteenth Amendment is this:
"No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."
The amendment appears to constrain State, but not federal, laws. It is silent about whether federal law such as that proposed may apply differently to citizens and non-citizens. That does not mean CISA is a good idea; it is not. The Constitution permits a great many things that are not very bright.
Re: No cloud is still the best option
This post is, perhaps, correct in some sense but there are a few questions worth considering.
First, is there a reason to care whether an NSA (or CSEC, GCHQ, ASD, GCSB or, indeed, any other signals intelligence agency) would care about your business or would be in position to harm you or a business you operate? While that might seem too much like "if you have nothing to hide you have nothing to fear", it is part of the task of evaluating risk. In the US, illegally obtained evidence is likely to be excluded by a judge, and that would, possibly with additional legal arguments, probably extend to information obtained using warrants issued based on illegally obtained communication intelligence. The other Five Eyes nations, and most others we generally think of as democratic, probably are similar.
Second, is data you hold a target for criminals wishing to exploit it (Target, for instance), or competitors? For both questions, what is the probable cost in recovery efforts or lost business? Are there other risks to evaluate?
Third, will changing to a different provider or doing the work in house reduce exposure overall, and at what cost? What are the appropriate mitigations, such as link or disk encryption?
The answers will vary, depending on numerous details, but for most people, and most businesses, most of the time, action by one's own government is unlikely to be the most important risk. My own preference is to store all of my data on my equipment, on my premises, under my direct control; and except for google backup of my cell phone, which contains no data I think important, I do that. But I do it more to try to protect the personal credit and other personal financial information than to guard against the government (in my case, the FBI or NSA).
Re: If someone invented a device to extract kilowatts of electricity from the vacuum...
It is not entirely clear how the activity described is beneficial to the public. Public benefit would be maximized by fully disclosing the patent to everyone for immediate free use by anyone. Issue of the patent, as was recognized by the authors of the US Constitution, is a way of rewarding the clever inventor by allowing part of the public benefit to be converted to private benefit. The temporary monopolies that patents grant were thought to be undesirable, but offset by the public benefit of public disclosure that allowed others to extend and improve technology. That may be so in the case where the alternative is keeping trade secrets. In the case of enterprises whose sole or primary business is extracting monopoly rents using purchased patents (or even patents on its own inventions) it is very unlikely to be true.
No. "Work to rule" would be to deny every request and force the requester to go through the courts. Given that many of these requests would involve competing legal and other interests, that would be correct.
Re: Whither the mission creep?
Well, the NSA and its predecessor agencies have been doing pretty much what they are doing now, and sometimes more intrusively*, for about 75 years. Its Five Eyes associates, and signals intelligence agencies of other democratic nations such as France, Germany, Sweden, Israel, and others probably have been doing much the same for about the same period. Mission creep, if there were any, should be apparent by now.
* SHAMROCK and MINARET, for example.
Re: Re: they're a spy agency
"You want to spy, you spy legally."
You cannot mean this to be taken seriously. Depending on the point of view, NSA's activities are either legal (under US law, and subject to future determinations about legality and about the constitutionality of the enabling laws) or illegal (under the laws of the countries in which the targets are located). That is equally true, with obvious adjustments, for the comparable spying done by intelligence agencies of other nations.
Edward Snowden is not a traitor by the definition that counts: Article III, Section III of the Constitution. He broke rules, and may be honorable or not depending on one's opinion, but a traitor he is not.
Stupid grading scheme
You get a B for upvoting the Sensenbrenner-Massie-Lofgren amendment, which is a sop and won't inconvenience the NSA in any significant way.
One upvote for veti as well.
Re: Old Mainframe is "New" again?
While mainframe security is baked into the Authorized Program Facility for privileged programs, the primary factor in overall security is in the System Authorization Facility exit to the add-ons that provide Mandatory Access Control. The MAC products are optional, and may be either from IBM (RACF) or others (Top Secret, ACF-2 being the primary ones), and are analogous to SELinux or, I think, Grsecurity or AppArmor. Linux with SELinux probably is on a par with a z12 and RACF for security purposes.
On the contrary ...
"This strange doctrine" now is supported by both statute and Supreme Court decision. The remaining part of the quote - "Neither individuals nor corporations have any right to come into court and ask that the clock of history be stopped, or turned back" - is morally correct but has been overridden by the legislature and the courts.