50 posts • joined 1 Jul 2012
one of my favorite terms is "sophisticated attack". it seems to be a favorite of the media.
and when you get info on the issue they always seem to be the same old crap. after a while one would begin to think this stuff is just so much propaganda: some elements of the industry want us to think security is not possible. that would indeed be propaganda. has anything Bruce has written dispelled this concept?
articles around the net late last week and this morning report that google yanked the app control feature out of their android. yeah, go figure.
commercial at the start
they call it 'market research'. market research is gathering information about customers so that marketing campaigns can be conducted. these are more successful when they are directed to a selected or 'target' audience.
any type of communication that you participate in can be used to facilitate this 'market research' -- Web, e/mail, social nets, phone systems, ...
an article offered by Bruce Schneier recently suggests that the NSA isn't the real villian but rather has simply started to participate in the process.
no need to build - learn to use pgp
there is no need for anyone to build anything. for secure mail what you want is already available,-- for free.
start by switching to Linux,-- I recommend MINT
read and follow instructions regarding maintenance: stick to the official software store.
switch your e/mail to a commercial supplier -- not one of the free ones like Hotmail, Google, or Yahoo. I use Charter, and CoreComm services.
next switch your e/mail onto the THUNDERBIRD client -- that comes with Linux/MINT (also Ubuntu if you prefer ). spend a little time learning to use Thunderbird. it uses IMAP servers -- so you can share mail on your iphone (that isn't encrypted) .
activate the ENIGMAIL plugin on Thunderbird. this uses the GnuPG version of PGP.
use the OpenPGP dialog on Thunderbird to generate your PGP keypair. set 1 year expiration date; load your public key to the keyserver. be sure to generate and save the key revoke certificate (JIC).
locate, dowload, and read Phil Zimmerman's essay on PGP, paying particular attention to the section on protecting public keys from tampering. learn what the Trust Model is -- and how to control it.
find a pardner to begin exchanging PGP mail with
remember there are 3 main advantages to PGP (ENIGMAIL) mail
authentication allows you to ascertain with reasonable certainty that an e/mail is from the party which clains to have sent it. without this i can send you an e/mail and mark it from anyone i want -- your boss -- or Nixon or Kruschev
integrity allows you to be reasonably sure that you have a correct copy of a message; that the message has not been modified in-transit by someone using (e.g.) a "Man in the Middle" attack. This is CRITICAL for software distributions and financial transactions .
security allows you to encrypt messages so that you can be reasonbly sure only the intended recipient can read them . this is a lot better than putting a disclaimer in your signature block saying something to the effect "if you weren't supposed to get this please cover for me, thanks"
NSA can still apply a traffic analysis on you: ascertain who you are talking to and this won't ever go away on public networks -- switched circuit -- or packet switched . but to get the messages now they have to hit YOU with a subpoena. hitting your ISP won't help: Your ISPcouldn't read your traffic in any reasonable timeframe or at any reasonable cost -- no matter how much they wanted to .
remember though you are subject to the AUP you signed with you ISP. the government could tell ISPs that PGP mail traffic must not be allowed. in which case we'll come up with a new Plan .
in the first place a computer is not a printing system
disconnect the printer and take it to the recycling center. now that you have that done you can also junk the fax machine. use computer output fax for those who are still mired in paper base systems .
now: (1) install dual monitors so you don't need to print documents that you need to reference while working;
(2) get a nice tab so you can review dox while away from your desk.
i've known more that one person who felt they had to print out an e/mail in order to read it.
Word is a "pita"
fortunately msft strong-armed the ISO into adopting their ooxml standards for the new iso open document standards.
i note that LibreOffice v.4 is now better at compatibility with the hated ms/word . hopefully others e.g. Google Docs will join in breaking this nasty ms/word monopoly like a punkin after Halloween
untergang ss redmond
actually the whole mess known as msft, aka ss redmond -- needs to go under. i think it's well on its way: from a security standpoint -- which is a requirement for online computing -- ms windows os is simply un-acceptable.
alternate decryption key (ADK)
ladar's error is in having an alternate decryption key.
of course you would have to wonder: if he was using x.509 certificates and SSL -- rather than real PGP -- what was he thinking
evidently that was the problem: he wasn't thinking .
Two step process
becomming snoop proof is a 2 step process
1. clean up the end-points.
this requires that the end-point be subjected to a software intentory and audit to insure that all and only the desired software is present. open source o/s preferred
you cannot have a meaningful discussion about encryption until you have satisfied (1) (above) .
2. use GnuPG -- again open source -- to authenticate and secure communication links. this is a task that each user will have to learn and practice . the current practice of thransmitting masses of x.509 certificates authenticated by massive "Certificate Authorities" -- has been compromised on occasion and has ben the subject of significant inquiries by good COMSEC folks.
how long havn't you know that?
you mean make it like msft/windows? FT
if you do design an improved micro kernel os you need to make use of ring 1-2 as wellas just 0,3 so that kernel related processes -- which are privileged programs -- run protected.
not back to normal
they now force user to use a "Single Signon" to access both their Ubuntu1 drop-box as well as the BBS
this is not regarded as a "best practice" : anything of a sensitive nature -- should have a separate password. and your drop-box may be sensitive -- depending on what you use it for
I guess we all need to learn to cuss in Finnish!!
seriously Heaven forbid we were without Linus. I personally think LINUX may be capable of correcting some of the extreemly bad thinking that has been incorporated into some software -- which now causes a LOT of Security Trouble
that's because there are no certification tools available to test for un-authorized programming. Wolfgang Stiller (Stiller Research) taught us how to do it with his Integrity Master product
you boot from a separate read-only media and make a list of all the software on the subject machine. include CRC, date, and size of modules. check this list against what is supposed to be there. if you have what you're suppose to have, not of it changed, and nothing extra you are good to go.
it will take an FTC rule to force the industry to adopt this practice. a better practice is to stop using vulnerable operating software
Thomas Jefferson, 1821: "...when all government... in little as in great things, shall be drawn to Washington as the centre of all power, it will render powerless the checks provided of one government on another and will become as venal and oppressive as the government from which we separated."
one of the Critical Questions that is missed by security systems is: WHICH PROGRAM DO YOU WANT TO USE FOR THAT?
when you LOG ONTO your system you are given access to files based on WHO you are and the Ownership of any file you want to open
you might want to review this
for example, if you are running a web page do you really want your browser to be able toaccess anything you have access to ?? remember, it's you AND the web-page running your browser...
to control this you need AppArmor,-- or RACF
if you were interested in computer security you would study the methods used by attackers. The question for the hacker is : get code execution.
code execution could be a root kit or just a macro running in a word document or java running off a web page. no matter, it's important to ask: what can that code access, exfiltrate or manipulate?
now that we have polymorphic virus programs and millions of new samples appearing each year the virus scan is less effective that it needs to be . we have to monitor and limit program behavior.
I'm running Linux now, with my browser confined using AppArmor. It's a good package. Sadly, it's not for everyone.
you circulate the chilled water to heat exchangers inside the buiding
unless you want to take a bath
steele better check and see where mcaffee is hiding out these days
this is an effort to get rid of anoniminity
not everyone on ehte internet is a Good Guy so it is important to maintain you anonimity when you are online
there is nothing wrong with passwords -- when properly implemented
and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants
looking deeper, if the smart-phone user interface is un-acceptable then it's possible the PC ain't dead after all
we face a nasty backlog of badly written software that only runs on a specific version of an o/s which is making it difficult to dump XP . and Win8 ain't gonna help none .
in a very real sense an o/s IS a "hardware abstraction layer" . the o/s honors the system calls that an app needs in order to "do its thing"
i think Linux has made usable progress on this issue in Torvalds First Rule of kernel coding: don't break the system calls.
hopefully much of the obsoleted software can be ported to Linux.
Second Deadbolt on the Front Door
two factor authentication is like adding a second deadbolt to the Front Door while the Back Door is left flapping in the breeze. "Two Factor" -- is solving the wrong problem: hackers don't generally attack that way:
they are using infecged apps, or application program faults -- to install malware into their victimes. this has NOTHING to do with uder id's and passwords.
sa called "two factor" identification will have no effect on hacking: hackers use the owners keys to install malware into the owners computer
for mobil devices this is often via an infected "app"
after the malware is into the owners computer then the owner is "pwned" and his\her computer does whatever the attacker wants it to do
using the owner's credentials
"sophisticated" ? lol
every hack report i see claims the attack was "sophisticated" . and then I find out it was via some crappy old bug the hackers use all the time .
replace streaming with buffering
it's time to eliminate the streaming protocol and replace it with buffering . all this means if you want to look at a long running stream you wait while the first 20% or so buffers to you rlocal device . with the speeds we have now this shouldn't matter mich and theres no reason video fanbois should expect to pig the net .
Glossing over a Critical Security Requirement
as I have noted in the past: the fundamental error here is that HTTPS bypasses the requirement for users to authenticate keys
this requirement is carefully detailed by Phil Zimmerman in his original PGP documentation in the section "Protecting keys from tampering"
HTTPS did not follow his requiremnts and got what they deserved
anyone using PGP ( or by extension x.509 certificates ) should generate their own keypair and sign any certificate that is used in a critical system. it should be noted that MSFT already does this for critical security bulletins .
the IT industry again is guilty of glossing over a critical requirement in favor of convenience
getting hacked ain't gonna be convenient
remember what Geo Orwell taught us:
"The Greate Enemy of Clear Language is INSINCERITY
lookup the International Covenant on Civil and Political Rights
Freedom of expression is subject to the following restrictions:
these shall only be such as are provided by law and are necessary:
1. For respect of the rights or reputations of others;
2. For the protection of national security or of public order (ordre public), or of public health or morals
it is obviously easy for a tyrant to bend the meaning of the above
as far as MSFT v Linus goes MSFT is its own enemy while Linus has an unlimited pool of allies generating Open Source Software.
The result: MSFT attempting to cram their style onto us (and make us pay for their stuff); Linus offering Freedom as the alternative at n/c
how will this play?
I think MSFT is retreating to the mobil and gaming area, leaving the desk workstations to Linus -- which various versions of Linux have already won the field for servers
as MSFT pushes into the mobil/gaming field they will face Google and Android on their other flank though...
"Half a league, Half a League, Half a League, onward ...
the thing Android needs is AppArmor for every App.
put an end to apps messing around where they should not be messing.
she faces the Fundamental Internet Battle head on: Privacy v Advertising and Market Research
Google and Amazon have good models. social is a bad model and will soon be generally disdained
Fragments: Entertainment | Industry
IMHO ( which is free ) the industry is fragmenting,-- with the entertainment and business sectors going separate ways.
Win8 is going into the entertainment & Gaming business.
Canonical/Linux will pick up business computing.
Windows is a hacker's paradise that is beyond repair.
as a NEXTEL refugee we looked at Sprint and then switched to T-Mobil. Sprint basically bought up NEXTEL -- and then wrecked it. The NEXTEL phones were better and so was the old iDEN net.
understanding the "cloud"
=" Music and other content are easier to move, but still painful."
ah, --understanding!! the "cloud" wants to own your entertainment properties and just lease the use of them to you
cloud must be resisted at every juncture.
cloud ain't "whats happening" it is a method of control that the industry is attempting to foist upon consumers
Bad decisions trace back to the 5150
MSFT has been built on decisions that can be traced back to the IBM 5150. The 5150 was intended to compete with Atari, PDP8s, 11s, Comedores, Vic 20s. A different line of development, these machines were intended to be easy to modify. and they succeeded in that and no one can deny that that has resulted in a lot of program development
but to use such machines for sensitive applications -- which deal with money or sensitive information -- you need a machine for which you can assert exclusive control. that was not a design objective with the early toy computers. the issue wasn't addressed at MSFT until 1-15/2002 when Gates wrote his now famous letter re. security to be Job 1.
the makers of android are facing this problem today having learned nothing from the debauch of windows...
we may well be poised upon a new doorway where we will recognize that it important to have 2 types of computers: one type for play -- another for use with commercial or sensitive information requirements. The later will not be a derivitive of the 5150/Windows line: it'sd too late to correct them.
who needs one?
theres gonna be more of us as a result of aapl having become a patent troll
new music and video model
it seems there are elements of the 'net that would love to inventory every computer attached to the 'net
particularly MUSIC and VIDEO libraries
it appears this business is in a state of flux,... it appears the New Model is: you don't own any copies. Copies are to be kept in Cloud Libraries operated by licensed vendors. when you establish an account your will be placed on the Access List and given access to those assets you have paid the access fee for...
in this model if you have any titles on YOUR computer you are ipso facto a pirate
think about it
i only noticed this recently when Amazon changed their download procedures...
Computers: a market research tool
unfortunately there are a lot of folks working with computers today that see computers as the ultimate market research and advertising tool. for this they assert their ability to run their programs on your computer.
preventing this means controlling what their programs are allowed to do -- on your computer. My suggestion is: switch to Linux. I have a Ubuntu box working now.
the interesting thing about Linux is: Security. You can create a user account just for e/mail and browsing. By default -- working from that logon -- you -- or any program you are running -- hence an intruder -- can only modify files in the home directory associated with that user.
you still need to take care however: If you share a directory out from your browser user account and then extract an html document from that shared directory -- you are pulling a copy of the intruders java with that document . You could of course open the document with LibreOffice and then save it as text -- before you remove it from the shared directory.
just depends on whether tin foil is enough or if you need a helmet
SQL Injection is an old, known attack. the defense is (1) use only stored procedures and (2) sanitize input data.
getting hacked via SQL Injection is simple negligence on the part of the system operations staff. they should incur the $$$ liability for this.
hopefully they also have a contract burning bonfire
Re: QDOS vs CP/M
="The limit came from the address pins because there were only 20 of them."
the decision to use 20 rather than 24 address lines was taken during the design phase of the chip.
Re: QDOS vs CP/M
it is important to remember that at the time of the 5150 IBM did not want the 5150 to have enough guts to threaten its regular business products. that is why CP/M was NOT authorized for the 5150. Rather the junk O/S was scrounged up from experimenters. too you'll remember the segment offset was carefully limited to 4 bits -- limiting the 5150 and derivitives to 1MB memory
Re: thank you and goodbye
Wir sehen den Beginn des Untergangs von microsoft
Re: I see what you did there!
yep, i have no interest in games
but i do have a great interest in security and Linux makes windows look like a festival of fools
Anon Computer Group
this morning I'm playing some Joan Baez music and have renamed my file for the Anon Computer Group
this is a critical move and a very good one. if we can design a mechanism that can verify the initial load of the o/s then the o/s should be able to check itself as it finishes loading.
the danger remains in the attacker possibly being able to flash the bios or somehow modify the firmware used in the initial process. attackers have always preferred to inject their un-authorized programming into the system at the lowest level
of course if the O/S is secure -- and it receives a BIOS update signed by the OEM -- then it would be expected that it would be safe to accept the update. but if the O/S were compromised, uuuugh
all of which goes back to the note that security is like a balloon: 1 pin-prick and POP! it's gone.
my i 305 did that
a patent that allows folks to isolate data such as phone numbers in emails and then call the number.
my i 305 does that and i've had it for 5 years
a patent that allows folks to isolate data such as phone numbers in emails and then call the number.
my i305 does that and I've had it for 5 years
marketing in the courts
apple is a RICO and that should come up in court
- Vid Hubble 'scope snaps 200,000-ton chunky crumble conundrum
- Bugger the jetpack, where's my 21st-century Psion?
- Windows 8.1 Update 1 spewed online a MONTH early – by Microsoft
- Something for the Weekend, Sir? Why can’t I walk past Maplin without buying stuff I don’t need?
- Review 'Mommy got me an UltraVibe Pleasure 2000 for Xmas!' South Park: Stick of Truth