whac-whac-whac that same old mole
we've been whacking that same old mole for 10 years
time to throw that game out the back and down the alley
65 posts • joined 1 Jul 2012
we've been whacking that same old mole for 10 years
time to throw that game out the back and down the alley
fixing stuff that's broken is basically a defensive effort,-- something we only do to stop loss
as there is no product liability for software there is no loss for defective work . until that issue is addressed no one will give up the glitter of the new announcement for the drudgery of fix and repair .
i see they offer the source code
i didn't think they would
i will not be receiving the update: i took my Windows/7 system off the net.
there are only 2 apps on it i still need to use and they work fine offline
everything else is on Linux now
1. before any discussion of security can begin you have to have a secure operating system. a secure O/S is one which will not allow itself to be compromised by the activity of an application program and which prevents any one application from compromising another application.
it is generally agreed we don't have such a system although it is also agreed some options are much better than others. Get LINUX.
2. with LINUX you get the Thunderbird e/mail client, ENIGMAIL and the Gnu Privacy Guard -- GmuPG -- all included. and all this stuff is free.
3. n.b. nobody is going to do this for you; nobody is going to give you security.
4. generate your key-pair and start learning.
is the above article news or propaganda? at times advertisers will attempt to use articles that look like news in an attempt to fix into the mind of consumers that x, or y, or z -- is "where it's at" -- "everybody's doing it and so if you are lagging behind you're a luddite"
it's just a marketing ploy.
cloud computing has two problems: 1 network latency and reliability, and 2 privacy
"cloud computing" -- just ain't where it's at: it's a Bad Idea at the start.
MSFT does not produce a secure o/s . their o/s is intended for other purposes and is un-acceptable in a network environment. their o/s will be phased out as soon as critical applications can be ported to secure operating environments . this is a change that has to happen .
it would be news,-- if flash went for a week without needing a patch
does anyone still seriously believe this is all due to sloppy work or just oversights? Santa will bring you everything on your Santa Letter! :)
the Corporate Intranet -- must be carefully isolated from the Public Internet. Otherwise troub;e is sure to follow.
Samsung: this is a good way to get onto the DO NOT BUY list
go back and figure out a better way.
this is another band-aid,-- and it does not address the Core Problem: an application program should not be able to affect(compromise) its host operating software.
hacking involves corrupting a program that is already running via which privilege escallation may be obtained,-- thus to corrupt the o/s itself.
this fundamental issue must be corrected if MSFT/Windows wishes to become a viable commercial OS
the it industry made two errors. both stupid, like dropping a ground ball:
1. no specification for routing ipv4 onto ipv6 was made as part of the standard.
2. mobil devices were allowed to have ipv4 addresses.
Cohen is right on each point.
it doesn't make sense for average users to foot the bill for every high-volume video enthusiast.
I would dearly love to see the national cable plant changed to fiber optics with speed in the 100GB range so that we could exchange video like we do jpegs .
but that's down the road a piece. things will all be different before we get there .
you forgot John McAffee
one of my favorite terms is "sophisticated attack". it seems to be a favorite of the media.
and when you get info on the issue they always seem to be the same old crap. after a while one would begin to think this stuff is just so much propaganda: some elements of the industry want us to think security is not possible. that would indeed be propaganda. has anything Bruce has written dispelled this concept?
articles around the net late last week and this morning report that google yanked the app control feature out of their android. yeah, go figure.
they call it 'market research'. market research is gathering information about customers so that marketing campaigns can be conducted. these are more successful when they are directed to a selected or 'target' audience.
any type of communication that you participate in can be used to facilitate this 'market research' -- Web, e/mail, social nets, phone systems, ...
an article offered by Bruce Schneier recently suggests that the NSA isn't the real villian but rather has simply started to participate in the process.
there is no need for anyone to build anything. for secure mail what you want is already available,-- for free.
start by switching to Linux,-- I recommend MINT
read and follow instructions regarding maintenance: stick to the official software store.
switch your e/mail to a commercial supplier -- not one of the free ones like Hotmail, Google, or Yahoo. I use Charter, and CoreComm services.
next switch your e/mail onto the THUNDERBIRD client -- that comes with Linux/MINT (also Ubuntu if you prefer ). spend a little time learning to use Thunderbird. it uses IMAP servers -- so you can share mail on your iphone (that isn't encrypted) .
activate the ENIGMAIL plugin on Thunderbird. this uses the GnuPG version of PGP.
use the OpenPGP dialog on Thunderbird to generate your PGP keypair. set 1 year expiration date; load your public key to the keyserver. be sure to generate and save the key revoke certificate (JIC).
locate, dowload, and read Phil Zimmerman's essay on PGP, paying particular attention to the section on protecting public keys from tampering. learn what the Trust Model is -- and how to control it.
find a pardner to begin exchanging PGP mail with
remember there are 3 main advantages to PGP (ENIGMAIL) mail
authentication allows you to ascertain with reasonable certainty that an e/mail is from the party which clains to have sent it. without this i can send you an e/mail and mark it from anyone i want -- your boss -- or Nixon or Kruschev
integrity allows you to be reasonably sure that you have a correct copy of a message; that the message has not been modified in-transit by someone using (e.g.) a "Man in the Middle" attack. This is CRITICAL for software distributions and financial transactions .
security allows you to encrypt messages so that you can be reasonbly sure only the intended recipient can read them . this is a lot better than putting a disclaimer in your signature block saying something to the effect "if you weren't supposed to get this please cover for me, thanks"
NSA can still apply a traffic analysis on you: ascertain who you are talking to and this won't ever go away on public networks -- switched circuit -- or packet switched . but to get the messages now they have to hit YOU with a subpoena. hitting your ISP won't help: Your ISPcouldn't read your traffic in any reasonable timeframe or at any reasonable cost -- no matter how much they wanted to .
remember though you are subject to the AUP you signed with you ISP. the government could tell ISPs that PGP mail traffic must not be allowed. in which case we'll come up with a new Plan .
in the first place a computer is not a printing system
disconnect the printer and take it to the recycling center. now that you have that done you can also junk the fax machine. use computer output fax for those who are still mired in paper base systems .
now: (1) install dual monitors so you don't need to print documents that you need to reference while working;
(2) get a nice tab so you can review dox while away from your desk.
i've known more that one person who felt they had to print out an e/mail in order to read it.
Word is a "pita"
fortunately msft strong-armed the ISO into adopting their ooxml standards for the new iso open document standards.
i note that LibreOffice v.4 is now better at compatibility with the hated ms/word . hopefully others e.g. Google Docs will join in breaking this nasty ms/word monopoly like a punkin after Halloween
actually the whole mess known as msft, aka ss redmond -- needs to go under. i think it's well on its way: from a security standpoint -- which is a requirement for online computing -- ms windows os is simply un-acceptable.
ladar's error is in having an alternate decryption key.
of course you would have to wonder: if he was using x.509 certificates and SSL -- rather than real PGP -- what was he thinking
evidently that was the problem: he wasn't thinking .
becomming snoop proof is a 2 step process
1. clean up the end-points.
this requires that the end-point be subjected to a software intentory and audit to insure that all and only the desired software is present. open source o/s preferred
you cannot have a meaningful discussion about encryption until you have satisfied (1) (above) .
2. use GnuPG -- again open source -- to authenticate and secure communication links. this is a task that each user will have to learn and practice . the current practice of thransmitting masses of x.509 certificates authenticated by massive "Certificate Authorities" -- has been compromised on occasion and has ben the subject of significant inquiries by good COMSEC folks.
how long havn't you know that?
you mean make it like msft/windows? FT
if you do design an improved micro kernel os you need to make use of ring 1-2 as wellas just 0,3 so that kernel related processes -- which are privileged programs -- run protected.
they now force user to use a "Single Signon" to access both their Ubuntu1 drop-box as well as the BBS
this is not regarded as a "best practice" : anything of a sensitive nature -- should have a separate password. and your drop-box may be sensitive -- depending on what you use it for
I guess we all need to learn to cuss in Finnish!!
seriously Heaven forbid we were without Linus. I personally think LINUX may be capable of correcting some of the extreemly bad thinking that has been incorporated into some software -- which now causes a LOT of Security Trouble
that's because there are no certification tools available to test for un-authorized programming. Wolfgang Stiller (Stiller Research) taught us how to do it with his Integrity Master product
you boot from a separate read-only media and make a list of all the software on the subject machine. include CRC, date, and size of modules. check this list against what is supposed to be there. if you have what you're suppose to have, not of it changed, and nothing extra you are good to go.
it will take an FTC rule to force the industry to adopt this practice. a better practice is to stop using vulnerable operating software
Thomas Jefferson, 1821: "...when all government... in little as in great things, shall be drawn to Washington as the centre of all power, it will render powerless the checks provided of one government on another and will become as venal and oppressive as the government from which we separated."
one of the Critical Questions that is missed by security systems is: WHICH PROGRAM DO YOU WANT TO USE FOR THAT?
when you LOG ONTO your system you are given access to files based on WHO you are and the Ownership of any file you want to open
you might want to review this
for example, if you are running a web page do you really want your browser to be able toaccess anything you have access to ?? remember, it's you AND the web-page running your browser...
to control this you need AppArmor,-- or RACF
if you were interested in computer security you would study the methods used by attackers. The question for the hacker is : get code execution.
code execution could be a root kit or just a macro running in a word document or java running off a web page. no matter, it's important to ask: what can that code access, exfiltrate or manipulate?
now that we have polymorphic virus programs and millions of new samples appearing each year the virus scan is less effective that it needs to be . we have to monitor and limit program behavior.
I'm running Linux now, with my browser confined using AppArmor. It's a good package. Sadly, it's not for everyone.
you circulate the chilled water to heat exchangers inside the buiding
unless you want to take a bath
steele better check and see where mcaffee is hiding out these days
this is an effort to get rid of anoniminity
not everyone on ehte internet is a Good Guy so it is important to maintain you anonimity when you are online
there is nothing wrong with passwords -- when properly implemented
and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants
looking deeper, if the smart-phone user interface is un-acceptable then it's possible the PC ain't dead after all
we face a nasty backlog of badly written software that only runs on a specific version of an o/s which is making it difficult to dump XP . and Win8 ain't gonna help none .
in a very real sense an o/s IS a "hardware abstraction layer" . the o/s honors the system calls that an app needs in order to "do its thing"
i think Linux has made usable progress on this issue in Torvalds First Rule of kernel coding: don't break the system calls.
hopefully much of the obsoleted software can be ported to Linux.
two factor authentication is like adding a second deadbolt to the Front Door while the Back Door is left flapping in the breeze. "Two Factor" -- is solving the wrong problem: hackers don't generally attack that way:
they are using infecged apps, or application program faults -- to install malware into their victimes. this has NOTHING to do with uder id's and passwords.
sa called "two factor" identification will have no effect on hacking: hackers use the owners keys to install malware into the owners computer
for mobil devices this is often via an infected "app"
after the malware is into the owners computer then the owner is "pwned" and his\her computer does whatever the attacker wants it to do
using the owner's credentials
every hack report i see claims the attack was "sophisticated" . and then I find out it was via some crappy old bug the hackers use all the time .
it's time to eliminate the streaming protocol and replace it with buffering . all this means if you want to look at a long running stream you wait while the first 20% or so buffers to you rlocal device . with the speeds we have now this shouldn't matter mich and theres no reason video fanbois should expect to pig the net .
as I have noted in the past: the fundamental error here is that HTTPS bypasses the requirement for users to authenticate keys
this requirement is carefully detailed by Phil Zimmerman in his original PGP documentation in the section "Protecting keys from tampering"
HTTPS did not follow his requiremnts and got what they deserved
anyone using PGP ( or by extension x.509 certificates ) should generate their own keypair and sign any certificate that is used in a critical system. it should be noted that MSFT already does this for critical security bulletins .
the IT industry again is guilty of glossing over a critical requirement in favor of convenience
getting hacked ain't gonna be convenient
remember what Geo Orwell taught us:
"The Greate Enemy of Clear Language is INSINCERITY
lookup the International Covenant on Civil and Political Rights
Freedom of expression is subject to the following restrictions:
these shall only be such as are provided by law and are necessary:
1. For respect of the rights or reputations of others;
2. For the protection of national security or of public order (ordre public), or of public health or morals
it is obviously easy for a tyrant to bend the meaning of the above
as far as MSFT v Linus goes MSFT is its own enemy while Linus has an unlimited pool of allies generating Open Source Software.
The result: MSFT attempting to cram their style onto us (and make us pay for their stuff); Linus offering Freedom as the alternative at n/c
how will this play?
I think MSFT is retreating to the mobil and gaming area, leaving the desk workstations to Linus -- which various versions of Linux have already won the field for servers
as MSFT pushes into the mobil/gaming field they will face Google and Android on their other flank though...
"Half a league, Half a League, Half a League, onward ...
the thing Android needs is AppArmor for every App.
put an end to apps messing around where they should not be messing.
she faces the Fundamental Internet Battle head on: Privacy v Advertising and Market Research
Google and Amazon have good models. social is a bad model and will soon be generally disdained
IMHO ( which is free ) the industry is fragmenting,-- with the entertainment and business sectors going separate ways.
Win8 is going into the entertainment & Gaming business.
Canonical/Linux will pick up business computing.
Windows is a hacker's paradise that is beyond repair.
as a NEXTEL refugee we looked at Sprint and then switched to T-Mobil. Sprint basically bought up NEXTEL -- and then wrecked it. The NEXTEL phones were better and so was the old iDEN net.
=" Music and other content are easier to move, but still painful."
ah, --understanding!! the "cloud" wants to own your entertainment properties and just lease the use of them to you
cloud must be resisted at every juncture.
cloud ain't "whats happening" it is a method of control that the industry is attempting to foist upon consumers
MSFT has been built on decisions that can be traced back to the IBM 5150. The 5150 was intended to compete with Atari, PDP8s, 11s, Comedores, Vic 20s. A different line of development, these machines were intended to be easy to modify. and they succeeded in that and no one can deny that that has resulted in a lot of program development
but to use such machines for sensitive applications -- which deal with money or sensitive information -- you need a machine for which you can assert exclusive control. that was not a design objective with the early toy computers. the issue wasn't addressed at MSFT until 1-15/2002 when Gates wrote his now famous letter re. security to be Job 1.
the makers of android are facing this problem today having learned nothing from the debauch of windows...
we may well be poised upon a new doorway where we will recognize that it important to have 2 types of computers: one type for play -- another for use with commercial or sensitive information requirements. The later will not be a derivitive of the 5150/Windows line: it'sd too late to correct them.
who needs one?