SECURITY
We now know that
states have superseded hackers
as the internet's apex predator!
Definition of Security -
"The Person In Charge Of Being The House Illusionist"
Walt Mossberg's common-sense writings define our era. Walt's first column, Personal Technology, began in the Wall Street Journal on October 17, 1991. His first sentence: “Personal computers are just too hard to use, and it's not your fault.” His last column, “The Disappearing Computer”, appeared in The Verge on May 25, 2017.
';--have i been pwned?
Check whether you have an account that has been compromised in a data breach.
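The service above also exposes its password corpus through a range query that never sends the password or its full hash to the server. The following is an added example of that k-anonymity lookup, not HIBP's own client code: the password is hashed with SHA-1, only the first five hex characters go to the server, and the 35-character remainder is matched locally against the returned list. Here the "server" is a constructed stand-in with a made-up three-entry corpus so the example runs offline; a live client would fetch RANGE_URL + prefix instead.

```python
"""Pwned Passwords range query (k-anonymity), run offline.

The Have I Been Pwned password API never sees the password or its full
hash: the client takes the uppercase SHA-1 hex digest, sends only the
first five characters, and gets back every suffix in that range with a
breach count. Matching the 35-character remainder happens locally.
Added example, not HIBP's own client; fake_fetch_range and its corpus
are constructed stand-ins for the live service.
"""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines as returned by GET /range/{prefix}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 = not
    seen). fetch_range(prefix) returns the response body; the caller decides
    whether that is a live HTTPS request or, as below, a local stand-in."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed corpus standing in for the breached-password index. The counts
# are made up for the demonstration; the index is keyed by full SHA-1 so the
# stand-in server can answer any prefix the way the real one does.
_FAKE_CORPUS = {"Pass1234": 2873, "ashleymadison": 41, "123456": 23547453}
_FAKE_INDEX = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): n
    for pw, n in _FAKE_CORPUS.items()
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET RANGE_URL + prefix. Returns only suffixes in the
    requested range, so the server learns nothing beyond the 5-char prefix
    and the client learns nothing about hashes outside that range. A live
    client would do urllib.request.urlopen(RANGE_URL + prefix).read().decode()."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(
        f"{h[5:]}:{n}" for h, n in _FAKE_INDEX.items() if h.startswith(prefix)
    )


if __name__ == "__main__":
    for pw in ("Pass1234", "correct horse battery staple 2016"):
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times")
```

The live service returns CRLF-terminated lines, which splitlines() handles, and it accepts an `Add-Padding: true` request header that pads each range with zero-count decoy suffixes so response size does not leak which range was asked for; the parser above treats those decoys as "not seen", which is the right answer.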
Home computers connected to the internet aren't private - court ruling (7/1/2016)
The usual pattern of using horrible defendants to create horrible precedents. Not only does this ruling continue to chip away at personal privacy, it also seems to establish a precedent that computer security will always be ineffectual.
A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers. The June 23 ruling came in one of the many cases resulting from the FBI's infiltration of PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation, and the subsequent prosecution of hundreds of individuals. To identify suspects, the FBI took control of PlayPen for two weeks and used what it calls a "network investigative technique," or NIT: a program that runs on a visitor's computer and identifies their Internet address.
Why a staggering number of Americans have stopped using the Internet the way they used to (WP, 2016/05/13): the insecurity of the Web is beginning to have consequences that stretch beyond the direct fall-out of an individual losing personal data in a breach. The research suggests some consumers are reaching a tipping point where they feel they can no longer trust using the Internet for everyday activities.
"Like all rights and privileges, security is about power. Who gets it, who doles it out and what interests it protects. If the internet revolution can successfully liberate people from traditional power structures -- totalitarianism, bias, poverty -- like we've hoped, that'll be awesome. But at this inflection point, there are signs that surveillance, censorship and entrenched powers may successfully co-opt the internet. It's up to us." ~
The mere act of creating any backdoor to these systems weakens them enormously and catastrophically. The fact that politicians and law enforcement continue to try to bend physics, math, and computer science to their wills -- irrespective of the realities -- should come as no surprise. Any attempt to backdoor strong encryption systems will by definition make them immensely vulnerable not only to abuse by authorities, but also to outside hacking -- including by sophisticated terrorist groups! -- that would put all honest users at immense risk as ever more of our financial and other aspects of our personal lives are online. Ultimately it's mostly a game of political cover, of politicians being willing to massively weaken the security and privacy of us all to ensure themselves an excuse to spout at the press when bad things happen. ~ Lauren
Good rule: If a tech company gives you a product for free, YOU likely *are* the product.
A flaw in the design
“We didn't focus on how you could wreck this system intentionally,” said Vinton G. Cerf.
Yet the 1988 attack by the “Morris Worm” — named for Robert T. Morris, the Cornell University graduate student who created it — was a wake-up call for the Internet's architects, who had done their original work in an era before smartphones, before cybercafes, before even the widespread adoption of the personal computer. The attack sparked both rage that a member of their community would harm the Internet and alarm that the network was so vulnerable to misdeeds by an insider. But the realization came too late. The Internet's founding generation was no longer in charge. Nobody really was. washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/
Marcus Ranum: If you are not depressed by security, you probably just don't understand it well enough.
September 2016: A DDoS attack delivered by a botnet of hijacked IoT devices is the total nightmare. Securing the internet of things should become a major priority now that an army of compromised devices - perhaps 1 million strong - has swamped one of the industry's top distributed denial-of-service protection services. A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats launched the largest DDoS attack seen up to then against a top security blogger, an attack so big that Akamai had to drop his account because defending it ate up too many resources.
It seems this is just the beginning, and most people feel it is going to get worse. What will happen when another 10 billion plus IoT devices come online in the coming years, connected to gigabit connections at home? See Mutually Agreed Norms for Routing Security (MANRS).
There probably aren't any bad guys left who would know how to hack into them.
I ACCEPTED THE RISK
It's inappropriate to call hackers "wizards" because it completely denies the hard work and study involved. To call their craft magical is to call it deeply incomprehensible, something which defies logic. This metaphor distracts people from the nuts-and-bolts reality: anyone can hack systems, including you -- all it takes is patience and an inquisitive mind. This is knowledge that people want to suppress. -- Phaedrus
2015: If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router. This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool. A highly sophisticated malicious implant called SYNful Knock has been found in routers made by Cisco, the world's top supplier, and is reported to have been found in 14 routers across four different countries.
2015: The Government Accountability Office has been tracking EINSTEIN's implementation since about 2010 and will issue an update later this year on the state of federal security systems; all is not well. But those people were told all about it in 1998.
In 1998, L0pht's warnings about the Internet drew notice but little action.
Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.
The making of a vulnerable Internet: this story is the third of a multi-part project on the Internet's inherent vulnerabilities and why they may never be fixed. Part 1: The story of how the Internet became so vulnerable. Part 2: The long life of a 'quick fix'.
Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don't care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it. “If you're looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.
17 years later the world is still paying the price in rampant insecurity. The testimony from L0pht, as the hacker group called itself, was among the most audacious of a rising chorus of warnings delivered in the 1990s.
Who cares? 'I've got nothing to hide'
#Snowden's response to the 'I've got nothing to hide' #privacy argument is excellent!
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
Apple patents technology enabling police to prevent iPhones from filming police abuse. Once the technology exists, it will also be used by authorities who don't want police violence and abuse of power documented by members of the public.
PRIVACY
The word "privacy" is generally used as a euphemism for power. Knowing this, you can safely substitute the word "power" for "privacy" nearly everywhere it appears.
SECURITY OF PASSWORDS
ENTER PASSWORD. WRONG.
WRONG.
WRONG.
WRONG.
WRONG.
WRONG.
RESET PASSWORD.
NEW PASSWORD CAN'T BE OLD PASSWORD.
sets fire to computer
Don't encrypt passwords
The current state of password-based security on the Internet today, as illustrated by Chico and Groucho Marx in "Horse Feathers" (1932):
08/20/2015 @_IMPACT_TEAM_: "NOBODY WAS WATCHING. NO SECURITY." - Avid Life Media's CEO Noel Biderman. #AshleyMadison #Password List: 376,120 passwords. To open the Ashley Madison Passwords list you will need to provide the following password: cyberwarzone.com
Researchers' fun exercise! It's just a list of passwords, no user names / email addresses. Most of these are very weak passwords. Hard to believe this is the real file. According to reports there were millions of accounts stolen; this file contains only about 376,000. There are also very few duplicates: only a few are repeated 2 or at most 3 times, all numeric. One password was actually "ashleymadison". This file is a very clear example of the lack of concern for privacy. There were 8,551 passwords with "123" in the password. Other popular words: "love" (3,133 times), "ass" (2,620 times), "sex" (2,356 times).
The Impact Team reveals that not only did the Ashley Madison portal have no security measures in place, the admins were stupid enough to use a simple passphrase for root on their servers. Motherboard: "What was their security like?" The Impact Team: "Bad. [...] Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers." This allowed the hackers to gain full control over all the servers, internal and external, letting them quietly download customer data, private conversations, user photos, credit card details, financial records, the site's source code, documentation, and internal emails exchanged by Avid Life Media, the company that ran the Ashley Madison site.
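The "Don't encrypt passwords" point above and the Ashley Madison list analysis come down to the same two controls: store only a slow, salted one-way hash (so a stolen table cannot be reversed with a key the way an encrypted one can), and refuse the obviously weak choices before they are ever hashed. The following is an added example of both, using scrypt from the Python standard library; it is not Avid Life Media's code, the record format is this example's own, and the screening substrings are taken from the counts reported above rather than from a production blocklist.

```python
"""Salted, memory-hard password hashing with verification and a weak-
password screen. Added example; not Avid Life Media's code.

"Don't encrypt passwords": encryption is reversible by design, so whoever
takes the database and the key takes every password. A password store
should hold only a slow, salted one-way hash, so a leaked table costs the
attacker one expensive guess per candidate per account. The record format
and the screening rules here are this example's own conventions.
"""
import hashlib
import hmac
import secrets

# scrypt cost parameters: N=2**14, r=8, p=1 uses about 16 MiB per hash, a
# reasonable interactive-login setting; raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Substrings drawn from the Ashley Madison list analysis above. A real
# deployment would screen against a large breach-derived blocklist instead.
WEAK_SUBSTRINGS = ("123", "password", "love", "sex")


def screen_password(password: str, site_name: str = "") -> list:
    """Return the reasons a candidate password is rejected; [] means OK."""
    reasons = []
    lowered = password.lower()
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.isdigit():
        reasons.append("all numeric")
    banned = WEAK_SUBSTRINGS + ((site_name.lower(),) if site_name else ())
    for bad in banned:
        if bad in lowered:
            reasons.append(f"contains {bad!r}")
    return reasons


def hash_password(password: str) -> str:
    """Produce a self-describing record: algorithm, parameters, salt, hash.
    A fresh 16-byte random salt means identical passwords hash differently,
    defeating precomputed tables and cross-account matching."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print(screen_password("Pass1234", site_name="ashleymadison"))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Pass1234", record))
```

Storing the parameters inside each record is what lets you raise the cost later: old records keep verifying with their own N, and get rehashed at the next successful login. None of this helps when the root credential itself is Pass1234 on a VPN reachable from the internet, which is the other half of the story above.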
Asked what their motivation for the hack was, The Impact Team explained, "We watched Ashley Madison signups growing and human trafficking on the sites." This places the group in the category of hacktivists and not blackmailers, and their future hacking plans reveal that they are interested in righting some of society's wrongs: "Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians."
Oh, so now 15,000 government email addresses are revealed in the Ashley Madison leak, and NOW (8/24/15) a federal appeals court says the FTC has the authority to crack down on companies for having bad computer security.
When Must Lawyers Ethically Encrypt Data? Texas Answers
WHAT CAN GO WRONG?
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair. -- Douglas Adams
THERE IS NO SUCH THING AS SECURITY
Any asset can be compromised.
RULE #1
Every big hack discovered will eventually prove to be more serious than first believed.
2015 A Hack That Undermines All Software
Stealing and corrupting legitimate certificates is particularly galling to the security community because it undermines one of the crucial means for authenticating legitimate software. Digital certificates are like passports that software makers use to sign and authenticate their code. They signal to browsers and computer operating systems that software can be trusted. But when attackers use them to sign their malware “the whole point of digital certificates becomes moot,” says Costin Raiu, director of Kaspersky's Global Research and Analysis Team. In all three attacks (Stuxnet, Duqu 1.0 and Duqu 2.0) the attackers employed digital certificates from companies based in Taiwan; it seems the attackers have a stockpile of stolen certs. They also had zero-day exploits for the Windows operating system that allowed the intruders to bypass the Windows requirement that all drivers be signed, so they didn't need to sign anything else: they had administrative access and relied on [zero-day exploits] to load the code into kernel mode. But if any of the [zero-day] vulnerabilities get patched and all the computers are rebooted and the malware is evicted from the network, they still have the signed driver, which is almost invisible and will allow them to come back to the infected networks.
On June 23, 2009 the company Foolad Technic was the first victim. This version of Stuxnet contained two zero-days that caused it to spread globally, leading to its discovery. Stuxnet is the first ever known cyber weapon. It changed the world.
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
2015: Oops, just a little late, and it's so STUPID: as top FBI officials are arguing that the tech industry needs to “prevent encryption,” the federal government's CIO, Tony Scott, has officially announced that all federal government websites will only be available via encrypted HTTPS connections by the end of next year. The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services.
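"HTTPS only" is checkable from the outside with two probes per host: the plaintext http:// request must redirect to https:// rather than serve content, and the https:// response must carry a Strict-Transport-Security header so returning browsers never send plaintext again (browsers ignore HSTS on a plaintext response, so only the https one counts). The following is an added example of that evaluation, not the government's own scanner; the probe records are constructed stand-ins for real responses, the example.gov hostnames are made up, and the one-year max-age floor is this example's threshold.

```python
"""Evaluate an HTTPS-only deployment from probe results. Added example,
not any agency's scanning tool.

"HTTPS only" means two things: a plaintext http:// request must never
serve content, only redirect to https://; and the https:// response must
carry a Strict-Transport-Security (HSTS) header so returning browsers stop
sending plaintext at all. The Probe records below are constructed stand-ins
for real responses; the one-year max-age floor is this example's threshold.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ONE_YEAR = 31536000


@dataclass
class Probe:
    url: str                                      # what was requested
    status: int                                   # HTTP status code
    headers: dict = field(default_factory=dict)   # lowercase header names


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict;
    numeric directives become ints, bare ones become True."""
    policy = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name:
            policy[name.lower()] = int(val) if val.isdigit() else True
    return policy


def evaluate(http: Probe, https: Probe, min_max_age: int = ONE_YEAR) -> list:
    """Return findings for the http and https probes of one host; an empty
    list means the host passes."""
    findings = []
    # 1. Plaintext must redirect to https, not serve content itself.
    if 300 <= http.status < 400:
        target = http.headers.get("location", "")
        if urlsplit(target).scheme != "https":
            findings.append(f"http redirects to non-https target {target!r}")
    else:
        findings.append(f"http serves content directly (status {http.status})")
    # 2. The https response must set HSTS with a long enough max-age.
    hsts = https.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on https response")
    else:
        max_age = parse_hsts(hsts).get("max-age", 0)
        if max_age is True:      # directive present but without a number
            max_age = 0
        if max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} below {min_max_age}")
    return findings


# Constructed probe results (example.gov hosts, not real measurements).
COMPLIANT = (
    Probe("http://agency.example.gov/", 301,
          {"location": "https://agency.example.gov/"}),
    Probe("https://agency.example.gov/", 200,
          {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
)
LEGACY = (
    Probe("http://legacy.example.gov/", 200, {"content-type": "text/html"}),
    Probe("https://legacy.example.gov/", 200, {}),
)
HALFWAY = (
    # redirects, but to a plaintext host, and HSTS is too short to matter
    Probe("http://old.example.gov/", 302, {"location": "http://www.old.example.gov/"}),
    Probe("https://old.example.gov/", 200, {"strict-transport-security": "max-age=300"}),
)

if __name__ == "__main__":
    for name, probes in (("compliant", COMPLIANT), ("legacy", LEGACY), ("halfway", HALFWAY)):
        print(name, evaluate(*probes) or "PASS")
```

The "halfway" case is the one that bites in practice: a redirect that lands on a plaintext host, or an HSTS max-age of a few minutes, looks like progress in a spreadsheet but leaves first visits and every visit after the policy expires open to the interception the passage describes.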
6/12/15: Cyberbreach of federal records dramatically worse than first acknowledged. Hackers linked to China have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances. The forms authorities believe may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies, applicants' financial histories and investment records, children's and relatives' names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant are required.
Wickr-Top Secret Messenger - Escape the Internet
There is a strange intransigence with some who reject improved security with the line: “but we're not criminals! Why do we need this?” Well, the only answer I have is that OPSEC is prophylactic, you might not need it now, but when you do, you can't activate it retroactively. As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn't work retroactively. ~
Humans are the weakest link in the security ecosystem, and yet many corporations fail to recognize that. Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.
This Animated Map Shows Who's Hacking Who In Real Time
Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).
8/13/14 Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously. Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat. Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted. Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s, which in theory would have shot down any incoming nuclear missiles. In the same way, MonsterMind could identify a distributed denial of service attack lobbed against US banking systems or a malicious worm sent to cripple airline and railway systems and stop (that is, defuse or kill) it before it did any harm. More than this, though, Snowden suggests MonsterMind could one day be designed to return fire, automatically and without human intervention, against the attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks.
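The MonsterMind description and the IoT-botnet DDoS item earlier on this page describe the same metadata signal: an abnormal number of distinct sources converging on one destination in a short window. The following is an added example of that detection over constructed flow records, not Norse's, Akamai's or the NSA's code; the addresses, traffic mix and thresholds are made up for the demonstration, and a real deployment would derive its thresholds from a per-destination baseline rather than constants.

```python
"""Volumetric DDoS detection from flow metadata, run over constructed
records. Added example; not Norse's, Akamai's or the NSA's code.

The detector sees only metadata (timestamp, source, destination, port),
buckets flows into fixed windows, and alerts when a destination's
distinct-source count and flow count both cross thresholds. The traffic,
addresses and thresholds below are made up for the demo.
"""
from collections import defaultdict
import random

WINDOW_SECONDS = 10          # bucket width
MIN_DISTINCT_SOURCES = 500   # far above what one web host sees per 10 s here
MIN_FLOWS = 5000             # and far above its normal request volume


def detect_floods(flows, window=WINDOW_SECONDS,
                  min_sources=MIN_DISTINCT_SOURCES, min_flows=MIN_FLOWS):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns alerts as (window_start, dst_ip, dst_port, distinct_sources,
    flow_count), one per (window, destination, port) that crosses both bars."""
    buckets = defaultdict(lambda: [set(), 0])   # key -> [sources seen, flow count]
    for ts, src, dst, dport in flows:
        bucket = buckets[(int(ts) // window * window, dst, dport)]
        bucket[0].add(src)
        bucket[1] += 1
    alerts = []
    for (start, dst, dport), (sources_seen, count) in sorted(buckets.items()):
        if len(sources_seen) >= min_sources and count >= min_flows:
            alerts.append((start, dst, dport, len(sources_seen), count))
    return alerts


def constructed_flows(seed=1):
    """Synthetic traffic: 30 s of background load against four servers from
    under 200 client addresses, plus a 10 s burst from 2,000 distinct
    addresses (the 'hijacked devices') at one web server. Constructed data;
    the address ranges are documentation/shared-address space, not real hosts."""
    rng = random.Random(seed)
    flows = []
    for second in range(30):
        for _ in range(50):
            flows.append((second + rng.random(),
                          f"203.0.113.{rng.randrange(1, 200)}",
                          f"198.51.100.{rng.randrange(1, 5)}",
                          rng.choice((25, 80, 443))))
    botnet = [f"100.64.{i // 256}.{i % 256}" for i in range(2000)]
    for second in range(10, 20):
        for bot in botnet:
            flows.append((second + rng.random(), bot, "198.51.100.1", 80))
    return flows


if __name__ == "__main__":
    for start, dst, dport, nsrc, nflows in detect_floods(constructed_flows()):
        print(f"t={start}s {dst}:{dport} {nsrc} sources, {nflows} flows")
```

Note what the alert does and does not tell you: it identifies the victim and a set of source addresses, which in the IoT case are other people's hijacked cameras and routers, and in a spoofed flood are not the attacker at all. That is why the defensible automatic response is to drop or scrub traffic toward the destination, and why "returning fire" at the sources, as the passage speculates, would mostly hit bystanders.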
Cybersecurity as Realpolitik by Dan Geer
presented at Black Hat USA 2014
Power exists to be used. Some wish for cyber safety, which they will
not get. Others wish for cyber order, which they will not get. Some
have the eye to discern cyber policies that are "the least worst
thing;" may they fill the vacuum of wishful thinking.
Surveillance
"... Ever Cheaper Surveillance substantially changes the balance of
power in favor of the executive and away from the legislature.
Things that need no appropriation exist outside the system of checks
and balances."
George Carlin said, "they're not Constitutional 'rights' they're 'privileges' that can be revoked at any time."
With a stroke of the pen, official 'reality' and 'truth' are redefined. Pentagon May Put JSOC Under Secretive CIA Control in 2014 (2012): Special Ops under CIA control would be considered spies, allowing the White House to claim US troops have been withdrawn. CIA control means they become spies with no accountability and transparency, since activities and funding would become classified and journalists or other forms of oversight would not be welcomed. Joint Special Operations Command (JSOC) forces are around the world, where U.S. military interventions occur mostly in the shadows. JSOC forces “reportedly conduct highly sensitive combat and supporting operations against terrorists on a world-wide basis,” without the knowledge of the American public. This new Pentagon power elite is waging a global war whose size and scope has never been revealed.
http://news.antiwar.com/2012/03/03/pentagon-may-put-jsoc-under-secretive-cia-control-in-2014/
Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of SpinRite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.
7/10/13 Perfect Forward Secrecy: A creepy PRISM thought, a defense against it. Episode 412 SSL Forward Secrecy
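The "creepy PRISM thought" behind that episode is passive recording: traffic captured today can be decrypted later by anyone who later obtains the server's long-term key, if the session key was transported under that key. Forward secrecy removes the dependency by deriving each session key from ephemeral Diffie-Hellman exponents that are thrown away after the handshake. The following is an added example of that exchange, not from the episode or from any TLS library: it uses the 2048-bit MODP group from RFC 3526 (group 14), transcribed here (verify it against the RFC before reusing it), a toy list standing in for the wiretap, and SHA-256 of the shared value as the session key; real TLS additionally signs the exchange with the long-term key to stop an active man in the middle.

```python
"""Forward secrecy with ephemeral Diffie-Hellman. Added example, not from
the podcast episode above and not a TLS implementation.

With RSA key transport, the session key travels encrypted under the
server's long-term key: record the traffic today, obtain the key tomorrow,
decrypt everything. With ephemeral DH, both sides derive each session key
from fresh one-shot exponents that are discarded after the handshake; the
long-term key only authenticates the exchange and cannot unlock old
recordings. Group: the 2048-bit MODP prime from RFC 3526 (group 14),
transcribed here; the recorder is a toy stand-in for a passive wiretap.
"""
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # P is a safe prime, so G generates a subgroup of order Q


def valid_public(y: int) -> bool:
    """Reject 0, 1, P-1 and anything outside the order-Q subgroup; a peer
    sending a small-subgroup element could otherwise learn bits of our x."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def ephemeral_keypair():
    """Fresh private exponent (256 bits is ample for a 2048-bit group) and
    the public value g^x mod p. Never written to disk, never reused."""
    x = secrets.randbits(256) or 1
    return x, pow(G, x, P)


def shared_secret(my_private: int, their_public: int) -> bytes:
    """Derive the 32-byte session key as SHA-256 of the DH shared value."""
    if not valid_public(their_public):
        raise ValueError("invalid DH public value")
    z = pow(their_public, my_private, P)
    return hashlib.sha256(z.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def session(recorder: list) -> bytes:
    """One handshake. The recorder captures what a wiretap sees: both public
    values, which is all that crosses the wire. Recovering the session key
    from (A, B) alone is the Diffie-Hellman problem in this group."""
    a, A = ephemeral_keypair()
    b, B = ephemeral_keypair()
    recorder.append((A, B))
    k_client = shared_secret(a, B)
    k_server = shared_secret(b, A)
    if k_client != k_server:
        raise RuntimeError("handshake mismatch")
    return k_client   # a and b go out of scope here: nothing to seize later


if __name__ == "__main__":
    wiretap = []
    k1, k2 = session(wiretap), session(wiretap)
    print("session 1 key:", k1.hex())
    print("session 2 key:", k2.hex())
    print("wiretap holds", len(wiretap), "public pairs and no session keys")
```

Two things to check in a real deployment follow directly from the code: the public-value validation (a server that skips it is exposed to small-subgroup attacks), and that the ephemeral exponent is actually ephemeral, since some servers cache "ephemeral" DH keys for hours, which quietly reintroduces the recording problem for that window.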
"It is the first responsibility of every citizen to question
authority." -- Benjamin Franklin
US 'Blackmails' EU Into Agreeing To Hand Over Passenger Data
from the You-have-no-more-fundamental-rights dept.
Reading the bit about the Reagan document, you couldn't help but think of how much of it, like some controversial religious texts, can be disavowed as "heresy," since its contents can undermine the self-perceived legitimacy and self-claimed purpose in the world.
The Purpose of National Security Policy, Declassified [Oct. 17th,
2012]
http://www.fas.org/blog/secrecy/2012/10/nsdd_238.html
The most fundamental purpose of national security policy is not to
keep the nation safe from physical attack but to defend the
constitutional order. At least, that is what President Reagan
wrote in a Top Secret 1986 directive.
“The primary objective of U.S. foreign and security policy is to
protect the integrity of our democratic institutions and promote a
peaceful global environment in which they can thrive,” President
Reagan wrote in National Security Decision Directive 238 on “Basic
National Security Strategy,” which was partially declassified in
2005. In a list of national security objectives, the directive
does note the imperative “to protect the United States… from
military, paramilitary, or terrorist attack.” But that is not the
primary objective, according to the Reagan directive. Defense of
the Constitution evidently takes precedence.
The first purpose of national security policy is “to preserve the
political identity, framework and institutions of the United
States as embodied in the Declaration of Independence and the
Constitution,” President Reagan wrote. This is a remarkable
statement, for several reasons. First, it recognizes that the
political identity and institutions of the United States are not
simply a given, but that they are vulnerable to many types of
threats and must be actively defended and sustained. This task is
not normally assigned the urgency or the priority given to
“national security.”
Second, the directive distinguishes between constitutional
governance and physical security. Not every measure intended to
promote security is constitutional. And not every act in defense
of democratic self-governance is likely to promote public safety.
(The American Revolution was not calculated to increase “homeland
security.” Quite the opposite.) Sometimes a choice between the two
is required. President Reagan indicated what he thought the choice
should be. And third, the directive is remarkable because its
rhetoric was so imperfectly realized by the Reagan Administration
(and egregiously defied in the Iran-Contra Affair) and has been
largely abandoned by its successors.
“Defending our Nation against its enemies is the first and
fundamental commitment of the Federal Government,” wrote President
George W. Bush in his 2002 National Security Strategy, skipping
over President Reagan's “primary” objective. Likewise, “As
President, I have often said that I have no greater responsibility
than protecting the American people,” President Obama wrote in his
National Strategy for Counterterrorism. The Reagan directive
invites reflection on what U.S. national security policy would
look like if it were truly structured above all “to protect the
integrity of our democratic institutions.”
In a section of the directive that was only classified
Confidential, President Reagan contrasted the U.S. with the Soviet
Union, which was described as its polar opposite. “Our way of
life, founded upon the dignity and worth of the individual,
depends on a stable and pluralistic world order within which
freedom and democratic institutions can thrive. Yet, the greatest
threat to the Soviet system, in which the State controls the
destiny of the individual, is the concept of freedom itself.” “The
survival of the Soviet system depends to a significant extent upon
the persistent and exaggerated representation of foreign threats,
through which it seeks to justify both the subjugation of its own
people and the expansion of Soviet military capabilities well
beyond those required for self-defense,” President Reagan wrote.
Numerous Presidential directives from the Reagan Administration
have been declassified in recent years and have been released by the
Reagan Library, though others still remain partially or completely
classified. Many of the declassified directives provide a
fascinating account that enlarges and enriches the public record
of events of the time. Only last year, for example, a 1985
directive (NSDD-172) on “Presenting the Strategic Defense
Initiative” was finally declassified. This year, NSDD 159 on
“Covert Action Policy Approval and Coordination Procedures” (1985)
was declassified. NSDD 207 on “The National Program for Combatting
Terrorism” (1986) was declassified in 2008. Among other things,
that directive ordered the Attorney General to “Review the Freedom
of Information Act (FOIA) and determine whether terrorist
movements or organizations are abusing its provisions.”
Snooping by Big Business has a mundane objective: to sell you more
stuff. Big Brother snooping is about judging you. And there's the
rub. With Moore's Law Big Brother is getting better and better at
judging you, your character, your ideas, your connections, your
trustworthiness (esp. with Manning and Snowden). Everything about
what makes you human can be measured, quantified, and judged.
There's another difference: Big Business isn't much interested in
what you did, said, or wrote, a year ago, two years, ten years
ago, it throws away much of that data. Big Brother keeps it all.
What it can't use today, because the files are strongly encrypted,
or distributed across many databases, it knows it can use
tomorrow. Tomorrow's computer systems will be able to decrypt
those files, tomorrow's computer systems will be able to analyze
and cross-link data in a myriad of databases, they'll be able to
know more about you in ways that are impractical today. Historical
data grows in usefulness to Big Brother because it makes possible
a more accurate digital simulacrum of you. With every doubling in
computer performance, the simulation of you grows closer and
closer to the real you. The computer models get better at
predicting what you will or won't do. Big Brother gets better at
predicting intent. The horror of George Orwell's 1984 was the
government's ability to uncover and punish "thoughtcrimes."
Tomorrow's Big Brother will have the means to predict
thoughtcrimes before they become actual crimes. They are designed
to discover intent. To be judged on the privacy of your thoughts
is bad enough, to be judged on your future thoughts and the crimes
that they will likely lead to, is far worse. And that's the
difference between Google and the NSA: Big Business is purely
interested in your wallet. Big Brother is interested in the purity
of your soul. ~ Tom Foremski
John Gilmore, Entrepreneur and Civil Libertarian In the U.S., the prison population is the largest of any country on earth. We also lock up a larger fraction of our population than any country on earth.
elliott.org says: Airlines are federally regulated, and these are the regulators. If you can cite the rule being violated, DOT's airline cops can ask the airline about the case, and if the carrier acted improperly, they can either penalize it or pressure it into compensating you.
Office of Aviation Enforcement and Proceedings
Aviation Consumer Protection Division
1200 New Jersey Ave, SE
Washington DC 20590
Phone: (202) 366-2220
TTY / Assistive Device Number: (202) 366-0511
8:30am-5:00pm ET, M-F
Most Popular Services
File an Aviation Consumer Complaint
Air Travel Consumer Reports
Aviation Enforcement Orders
Guidance on Aviation Rules and Statute
Travel Tips and Publications
$1B of TSA Nude Body Scanners Made Worthless How Anyone Can Get Anything Past The Scanners
THE 5TH AMENDMENT
Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be "compelled in any criminal case to be a witness against himself," which has become known as the right to avoid self-incrimination. "I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.
Q: The Department of Justice is relying on the All Writs Act, which dates back to 1789. It doesn't seem intended to address this situation.
Dubois: It wasn't intended to address this. It was basically: if the judge orders someone to transfer title of property, he can also order whatever else is necessary to make that happen. It was pretty clearly necessary to allow judges to enter orders they've always been able to enter anyway. It wasn't designed to expand the judge's power or the government's power. This is the place where technology has bumbled right on ahead of the law, as it always does.
http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/
THE 4TH AMENDMENT
Beginners Eyes: Digital Birds: Nothing is what it seems. The Illusions of Security: The Known and Unknown Rules, becoming part of the borg. The Masters, The Humplings, and The Dregs but so what! You never get the truth from the company Memo
The Tallinn Manual on International Law lays down rules for online attacks.
http://www.ccdcoe.org/249.html
Curated by NATO's Cooperative Cyber Defense Center of Excellence, it calls upon two dozen experts from around the world to help lay the groundwork for cyberwar guidelines as computer grids, networks and systems increasingly become the target of foreign agents. Michael Schmitt, a professor with the US Naval War College and the editor of the manual, told the Associated Press before publication that the guidelines come at a time when few laws formally exist governing the use of so-called cyberweapons. Just like bombs and missiles, hackers and state-sponsored parties can use malicious code to wipe out entire databases, break down machinery and otherwise render entire infrastructures useless.
Cyber protection forces -- will comprise more than 60 Cyber Teams. National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries. Gen. Keith Alexander, head of Cyber Command, said the combat mission forces will include 27 teams and would “support the combatant commands in their planning process for offensive cyber capabilities.”
The U.S. National Security Act defines "covert" as government activities aimed at influencing conditions abroad "where it is intended that the role of the United States Government will not be apparent or acknowledged publicly." USAID hires subcontractors but denies that contractors perform covert work. "All too often, the outside perception is that these USAID people are intelligence officers," said Philip Giraldi, an ex-CIA officer. "That makes it bad for USAID, it makes it bad for the CIA and for any other intelligence agency who like to fly underneath the radar." Citing security concerns, U.S. agencies have refused to provide operational details even to congressional committees overseeing the programs.
USAID, which the State Department oversees, has long relied on visitors willing to carry in prohibited material, such as books and shortwave radios, U.S. officials briefed on the programs say. And USAID officials have acknowledged in congressional briefings that they have used contractors to bring in software to send encrypted messages over the Internet, according to participants in the briefings. [see discreet sim card]
Hurricanes - How prepared are people and systems for severe weather? What historians have too rarely emphasized is how interconnected all of our systems have become. We called it the "supersystem." The "teachable moment" has become a ubiquitous cliche, like holding a teach-in / discussion in a classroom, but in the middle of a disaster zone it's useful. What is the role of cost-benefit analysis in engineering? How much money should we spend to ensure that the New York subway will not be flooded again? We will have to rethink our infrastructure. Sea water may have corroded the electrical substation, but if we are to replace those parts, we will need to use other systems, like roadways or rail lines, which were down for some time after the storm. In New York, where fuel is running short because of Hurricane Sandy, there is a refinery full of gasoline, but it requires electricity to pump it out. The mind boggles. Hold on, you have fuel right there, and it didn't occur to you that you should perhaps build a generator on site? Interdependency, not fail-safe redundancy, is the norm.
It was a map produced by Google that stood out as the most comprehensive display of the data available about the storm and its recovery. The maps were built by Google's Crisis Response Team, a project of Google's philanthropic arm. The map is embeddable; Google wants news organizations to use it.
How to Delete Yourself from the Internet
Espionage: Nearly every secret worth stealing sits on a computer server. U.S. intelligence agencies fear that Chinese spies have already siphoned terabytes of data from thousands of Western companies.
ENCRYPT EVERYTHING
Operation Encrypt Everything (OpE^2) was started in 2012 by members of the Pirate Party of Canada to counteract the increasing threat of total communications surveillance by governments and private industry. It is intended to bring together information about protecting your data and privacy online, and making easily-understood instructions available to our digital comrades.
Dead Drops Uncloud your files in cement.
mailvelope.com Application that provides [Open]PGP for Webmail
IN A DISASTER
Command and Control Communications always break down;
"Hello? Hello, Dimitri? Listen, I can't hear too well, do you
suppose you could turn the music down just a little? Oh, that's
much better. Yes. Fine, I can hear you now, Dimitri. Clear and
plain and coming through fine. I'm coming through fine too, eh?
Good, then. Well then as you say we're both coming through fine."
~ Dr. Strangelove
The real goal of Cyber War is the theft of national secrets,
intellectual property from corporate R&D labs, corporate M&A deal
documents, government policy, plans, negotiating terms, and the
ultimate concession of our nation's competitiveness to other
countries. The year 2011 will be remembered as the year that the
fundamental underpinnings of Internet security fell.
Military Networks 'Not Defensible,' Says General Who Defends Them.
It is cyber espionage and theft akin to the spy vs. spy efforts of
the Cold War, but on a massive and pervasive scale. Easily
forgotten are spectacular breaches across every major industrial
sector this year, including "Operation Shady RAT", which was
disclosed by McAfee in August. This disclosure identified over 70
companies in 6 different sectors targeted in a single campaign.
Similarly, the "Nitro" campaign, disclosed by Symantec, targeted
chemical companies and industrial manufacturing concerns. Secure
Sockets Layer (SSL), Certificate Authorities, and two-factor
authentication were all compromised. SSL, long considered the
bastion of online secure protocols, was broken by a couple of
researchers with a prototype called BEAST. The SSL protocol is
today the most widely used Web-based protocol for securing online
transactions, including banking and e-commerce. Certificate
Authorities (CAs) have been the subject of repeated compromise
this year, mainly for the purpose of forging legitimate
certificates subsequently used in attacks on both SSL sessions and
also software authentication.
http://www.forbes.com/sites/ciocentral/2011/11/18/cyber-spies-are-winning-time-to-reinvent-online-security/
Depending on the Breaks
One of the best scenes in movie/comedy history. Peter Sellers
plays 2 roles in this scene and George C. Scott is brilliant as
Buck Turgidson. The back and forth dialogue is true genius. Dr.
Strangelove or How I Learned to Stop Worrying and Love the Bomb
(c) Stanley Kubrick
Turgidson: Ahh, am I to understand the Russian Ambassador is to be
admitted entrance to the War Room?
Muffley: That is correct. He is here on my orders.
Turgidson: I... I don't know exactly how to put this, sir, but are
you aware of what a serious breach of security that would be? I
mean... [begins closing his notebooks] he'll see everything. He'll
See The Big Board!
Muffley: That is precisely the idea, General. Stains, get Premier
Kissov on the Hotline.
- US hypocrisy in China cyberwar, says Mr Ranum, chief security officer of Tenable Network Security Expert.
- Defcon's Jeff Moss on cybersecurity, government's role
by Elinor Mills
As a hacker and organizer of Defcon, an event at which computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June. But his background and lack of government experience bring a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.
- 2012 Study Confirms The Government Produces The Buggiest Software
- Hacking the Human Brain: The Next Domain of Warfare 12.11.12
It's been fashionable in military circles to talk about cyberspace as a “fifth domain” for warfare, along with land, space, air and sea. But there's a sixth and arguably more important warfighting domain emerging: the human brain. This new battlespace is not just about influencing hearts and minds with people seeking information. It's about involuntarily penetrating, shaping, and coercing the mind in the ultimate realization of Clausewitz's definition of war: compelling an adversary to submit to one's will. And the most powerful tool in this war is brain-computer interface (BCI) technologies, which connect the human brain to devices. Chloe Diggins and Clint Arizmendi are research & analysis officers at the Australian army's Land Warfare Studies Centre. The views expressed are their own and do not reflect those of the Australian Department of Defence or the Australian Government.
wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain
2015 Pentagon Moves More Communications Gear into Cheyenne Mountain Largely abandoned a decade ago, the iconic Cold War bunker is getting an upgrade. Since 2013, the Pentagon has awarded contracts worth more than $850 million for work related to Cheyenne Mountain. The Colorado complex is the embodiment of the Cold War, an era when bunkers were built far and wide to protect people and infrastructure. Cheyenne Mountain was the mother of these fallout shelters, a command center buried deep to withstand a Soviet nuclear bombardment. The complex was locked down during the Sept. 11, 2001, attacks on New York and Washington.
2015
A New Material Promises NSA-Proof Wallpaper
A Utah company has a new nickel-carbon material that could help
the Pentagon fight off some of its most haunting threats. A small
company called Conductive Composites (435.654.3683, 357 West 910
South, Heber City, UT 84032) has developed a flexible material —
thin and tough enough for wallpaper or woven fabric — that can
keep electronic emissions in and electromagnetic pulses out.
2013
Shodan: The scariest search engine on the Internet. Shodan
navigates the Internet's back channels. It's a kind of "dark"
Google, looking for the servers, webcams, printers, routers and
all the other stuff that is connected to and makes up the
Internet. Shodan runs 24/7 and collects information on about 500
million connected devices and services each month. It's stunning
what can be found with a simple search on Shodan. Countless
traffic lights, security cameras, home automation devices and
heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a
gas station, a hotel wine cooler and a crematorium. Cybersecurity
researchers have even located command and control systems for
nuclear power plants and a particle-accelerating cyclotron by
using Shodan. What's really noteworthy about Shodan's ability to
find all of this -- and what makes Shodan so scary -- is that very
few of those devices have any kind of security built into them.
http://money.cnn.com/2013/04/08/technology/security/shodan/
2013 "Annualcreditreport.com" - A website that provides U.S. consumers with a free annual credit report appears to have been the source used by hackers to download credit reports including SSNs, phone numbers, addresses, everything.
Secure Computers Are Not Secure. The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab's Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them. Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.” Clouds: by spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they'd identified the target site's servers, they could use cache monitoring to try to steal secrets. Any information at all about a computer's internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”
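The timing leak the MIT researchers describe, in a small added example that is not from their work or from the page: a comparison that stops at the first wrong byte does an amount of work that depends on how much of the guess is right, so anyone who can time the check learns the secret a byte at a time. The byte counter returned next to the result stands in for the elapsed time; the secret and the guesses are constructed values.

```python
# Added illustration (not from the page or the MIT CIS group's work):
# why an early-exit comparison leaks through timing, and the fix.
import hmac
from typing import Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Compare byte by byte and stop at the first mismatch.

    Returns (equal, bytes_examined). bytes_examined stands in for the
    elapsed time an attacker would measure: it grows by one for every
    leading byte of the guess that is correct, so the secret can be
    recovered one byte at a time instead of by brute force.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Touch every byte regardless of where the first mismatch is.

    The OR-accumulated XOR makes the work independent of the guess, so
    bytes_examined (and the timing it models) is always len(secret).
    The length check still reveals the length; keep secrets fixed-size.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0, len(secret)


def verify_token(secret: bytes, guess: bytes) -> bool:
    """What production code should use: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    # Constructed secret and guesses for the demonstration.
    secret = b"s3cret-token-42"
    for guess in (b"x3cret-token-42", b"s3cret-tokxn-42", b"s3cret-token-42"):
        print(guess, naive_compare(secret, guess), constant_time_compare(secret, guess))
```

The first guess is rejected after one byte and the second after eleven; that difference is exactly what a remote timing measurement recovers. In real code call hmac.compare_digest (or the equivalent in your language) and never a hand-written loop, since compilers and interpreters can reintroduce an early exit.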
The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit
The Smart Card Detective: a hand-held EMV interceptor, by Omar
Choudary
Abstract: Several vulnerabilities have been found in the EMV
system (also known as Chip and PIN). Saar Drimer and Steven
Murdoch have successfully implemented a relay attack against EMV
using a fake terminal. Recently the same authors have found a
method to successfully complete PIN transactions without actually
entering the correct PIN.
"Whenever you have a secret, you have a vulnerability." ~ Whitfield Diffie
"We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect Us."
"Mrs. Robinson: We'd like to know a little bit about you for our files, we'd like to help you learn to help yourself"
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
"Security is mostly a superstition. It does not exist in nature."
"There are no secrets in the world. The only hard part is finding the right person to ask." "If you have a phone, you can find out anything you want in under 60 minutes. With the Internet, it's even faster."
No Such Thing as Nuclear Secrecy ~ KE
http://nuclearsecrecy.com/nukemap/ run by Alex Wellerstein, an historian of science at the American Institute of Physics.
"Why do hackers use social engineering? It's easier than exploiting a technology vulnerability. You can't go and download a Windows update for stupidity... or gullibility."
PRIVACY
Freedom Box gets off the ground
While providing "safe social networking" is one of the aims of the
Freedom Box
, it is only part of the picture. The project wants to protect
users' data as well as their communications, including internet
traffic, email, and voice. Beyond that, Freedom Box is
specifically targeted at routing around ISPs' restrictions on the
types of traffic they will carry, as well as attempts by
governments to do similar traffic restrictions. In short, the
goals of the Freedom Box live up to Moglen's original vision, as
spelled out in his February 2010 talk at the New York branch of
the Internet Society, as well as those outlined in a more recent
talk at FOSDEM 2011: it is geared towards restoring users'
freedoms.
Those freedoms are best guarded by keeping our data safe within
the walls of our homes, because there are typically more legal
protections there than there are when storing data on some
company's servers. We have already seen that companies will often
bow to governmental pressure in ways that would be more difficult
to orchestrate when the data is spread out across the net. To that
end, Freedom Box also plans to provide ways to securely back up
encrypted data on friends' and neighbors' servers. In addition, it
will provide ways for those under repressive regimes to
anonymously publish information
, such that those regimes will find it difficult to stop or track
down the publishers. If the FreedomBox is going to handle all of
these kinds of things, obviously the security of the device itself
is paramount, but it is also targeted at protecting other systems
in the home that live "behind" the Freedom Box. Eben strongly
recommended reading the
Top Secret America
articles published by the Washington Post. It is eye-opening to
see just how many Google-like operations there are, all under the
control of the government.
Privacy of Consumer Information and Devices in the Electric
Power Industry Executive Overview PDF
October 2009
The Energy Independence and Security Act of 2007 mandated that
NIST report to Congress on cyber security for the electricity
grid. NIST established a Smart Grid Cyber Security Coordination
Task Group and is issuing position papers. Privacy is an important
adjunct to security and uses some of the same data tools. However,
privacy goes beyond data tools and confidentiality. How personal
information is collected, used, shared, stored, retained, and
disposed of all impact privacy. Stringent and effective security
can be in place and still result in egregious privacy breaches
that fall outside of security controls. The Smart Grid Cyber
Security Coordination Task Group sought input about home-to-grid
issues from Home-to-Grid Domain Expert Working Group members and
was consulted in the development of this paper on privacy.
Trusting cell phones to work in many emergency situations can be dangerous or fatal.
Social Engineering
People are trusting of other people, especially if there is a
request for help. One of the biggest things that worked was asking
"Can you please help me with this?" Asking people for help, the
human vulnerability, has not changed. There is an inherent desire
for people to help other people. There are trends of a positive
nature, but they still get exploited.
Now people use social media to such an extent that their whole
lives are on the Web. Take a site like Blippy, which people can
tie into their Twitter and Facebook accounts: in essence it tweets
every time you use a credit card or bank account, along with what
you've purchased and the amount. So you can go to these sites,
find someone on Twitter, link them to a Blippy account and to
Facebook, and now you have their pictures, what they like to buy,
what restaurants they go to, when they leave the house, when they
work. Within an hour you can have a very detailed profile of a
company or an individual based on the amount of social media they
use.
Q. How many security engineers would it take to design a system
for ATM security today?
A. I don't think it could be done.
We would be debating biometric-enabled smartcards, assurance,
protection profiles, denial of service, non-repudiation, viruses
and buffer-overflow attacks till we were blue in the face. There
is no way that such a system with "good enough" security could be
designed and built today on the basis of conventional security
wisdom. ~
In 1985, the federal government
published the first set of computer security criteria that
computer professionals could understand and integrate into
systems.
"A trusted computer system must provide authorized personnel with
the ability to audit any action that can potentially cause access
to, generation of, or effect the release of classified or
sensitive information. The audit data will be selectively acquired
based on the auditing needs of a particular installation and/or
application. However, there must be sufficient granularity in the
audit data to support tracing the auditable events to a specific
individual (or process) who has taken the actions or on whose
behalf the actions were taken."
WAIT! I thought YOU were in charge of security!!!
The General Services Administration is the federal agency
responsible for procuring equipment and services, including
computer security technology, making the lapse all the more
striking.
The General Services Administration has shut a Web site for
government contractors after a computer industry consultant
reported that he was able to view and modify corporate and
financial information submitted by vendors.
"The system relies, rather stupidly, on making it difficult to get
in in the first place, by forcing you to get a client certificate
for your browser," a mechanism for establishing the user's
identity, said Mark Seiden, a security consultant who performs
tests for corporations....
In filing an electronic application to become a government
contractor, Mr. Greenspan was forced to repeat the process several
times. After doing so, he noticed that the file's identifying
number had been changed to a number one digit higher.
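An added example (not the GSA portal's code, which the story does not show) of the flaw described above: the site authenticated the caller with a client certificate and then let any logged-in vendor fetch or change a record by its sequential identifier. VendorPortal, the vendor names and the payloads are constructed for the illustration. fetch_secure and update_secure add the missing ownership check; the random-id option shows the defence-in-depth of unguessable identifiers, which is never a substitute for that check.

```python
# Added illustration (not the GSA portal's code): an object-level
# authorization check on sequential record identifiers.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Submission:
    record_id: str
    owner: str        # vendor account that filed the record
    financials: str   # constructed stand-in for the submitted data


class VendorPortal:
    """Constructed model of a contractor-registration site."""

    def __init__(self, guessable_ids: bool = True) -> None:
        self._records: Dict[str, Submission] = {}
        self._next_seq = 1000
        self._guessable_ids = guessable_ids

    def file_submission(self, owner: str, financials: str) -> str:
        if self._guessable_ids:
            record_id = str(self._next_seq)          # 1000, 1001, 1002, ...
            self._next_seq += 1
        else:
            record_id = secrets.token_urlsafe(16)    # unguessable; defence in depth only
        self._records[record_id] = Submission(record_id, owner, financials)
        return record_id

    def fetch_insecure(self, caller: str, record_id: str) -> Optional[Submission]:
        # Authentication (the client certificate) was the only gate:
        # any logged-in vendor can read any record by trying the next number.
        return self._records.get(record_id)

    def fetch_secure(self, caller: str, record_id: str) -> Optional[Submission]:
        # Authorization: the record must belong to the caller. A denial is
        # returned as "not found" so the check does not confirm which ids exist;
        # real code would also log the attempt.
        rec = self._records.get(record_id)
        if rec is None or rec.owner != caller:
            return None
        return rec

    def update_secure(self, caller: str, record_id: str, financials: str) -> bool:
        # The same ownership check guards writes; the report mentioned
        # modification as well as viewing.
        rec = self.fetch_secure(caller, record_id)
        if rec is None:
            return False
        rec.financials = financials
        return True


if __name__ == "__main__":
    portal = VendorPortal()
    mine = portal.file_submission("acme", "ACME revenue (constructed)")
    theirs = portal.file_submission("globex", "Globex revenue (constructed)")
    print("insecure cross-vendor read:", portal.fetch_insecure("acme", theirs))
    print("secure cross-vendor read:  ", portal.fetch_secure("acme", theirs))
```

The point of the model is that the vulnerable and fixed handlers differ by one line: the comparison of the record's owner to the authenticated caller. Switching to random identifiers only makes the enumeration Mr. Greenspan stumbled on harder; it does not make a missing authorization check acceptable.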
1/2006 QUOTE
"Good-Enough Security: Toward a Pragmatic Business-Driven
Discipline", Ravi Sandhu, IEEE Internet Computing, Vol. 5, No. 3
(January/February 2003), p. 66. The author offers three design
principles for good-enough security:
1. Good enough is good enough.
2. Good enough always beats perfect.
3. The really hard part is determining what is good enough.
The Dark Side Of Crime Fighting, Security and Professional Intelligence
Speaker: Andrew Gavin, Consultant, Verizon Business. DEFCON 19:
Stealing Sensitive Data from Thousands of Systems Simultaneously
with OpenDLP http://www.youtube.com/watch?v=Xv8kbjziCds
Got domain admin to a couple of thousand Windows systems? Got an
hour to spare? Steal sensitive data from all of these systems
simultaneously in under an hour with OpenDLP. OpenDLP is an open
source, agent-based, massively distributable, centrally managed
data discovery program that runs as a service on Windows systems
and is controlled from a centralized web application. The agent is
written in C, has no .NET requirements, uses PCREs for pattern
matching, reads inside ZIPs like Office 2007 and OpenOffice files,
runs as a low priority service so users do not see or feel it, and
securely transmits results to the centralized web application on a
regular basis. The web application distributes, installs, and
uninstalls agents over SMB; allows you to create reusable
profiles, view results in realtime, and mark false positives; and
exports results as XML.
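An added example, not OpenDLP's own code, of the data-discovery step such an agent performs: regular-expression candidates for card-number and SSN-shaped strings, a Luhn check to drop most false positives, and reading inside a ZIP container the way Office 2007 and OpenOffice files are read. The ZIP and every number in it are constructed (4111 1111 1111 1111 is a conventional test card number), and findings are masked so the scan report does not itself become a copy of the sensitive data.

```python
# Added illustration (not OpenDLP's code): a data-discovery pass that
# finds card numbers and SSN-shaped strings, including inside ZIP
# containers such as .docx/.xlsx. All sample data is constructed.
import io
import re
import zipfile
from typing import List, Tuple

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# U.S. Social Security number shape; a shape check only, not validation.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

Hit = Tuple[str, str, str]   # (kind, location, masked value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str, location: str) -> List[Hit]:
    """Run the patterns over one text blob; report only masked values."""
    hits: List[Hit] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", location, "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", location, "***-**-" + m.group()[-4:]))
    return hits


def scan_zip_bytes(blob: bytes, source: str) -> List[Hit]:
    """Look inside a ZIP container (Office 2007 / OpenOffice files are ZIPs)."""
    hits: List[Hit] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue   # directory entry, nothing to read
            text = zf.read(name).decode("utf-8", errors="ignore")
            hits.extend(scan_text(text, f"{source}:{name}"))
    return hits


def build_sample_docx_like() -> bytes:
    """Constructed ZIP standing in for a .docx; the numbers are test values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "word/document.xml",
            "<w:t>Card on file 4111 1111 1111 1111 (test number), "
            "typo 4111 1111 1111 1112, SSN 123-45-6789, "
            "call 555-867-5309</w:t>",
        )
        zf.writestr("word/styles.xml", "<w:styles/>")
    return buf.getvalue()


def scan_sample() -> List[Hit]:
    return scan_zip_bytes(build_sample_docx_like(), "sample.docx")


if __name__ == "__main__":
    for kind, where, masked in scan_sample():
        print(f"{kind:5} {where} {masked}")
```

Of the four digit strings in the constructed document only two are reported: the mistyped card number fails the Luhn check and the phone number matches neither shape. That is the false-positive handling the DEFCON talk's "mark false positives" feature exists for, done before a human ever sees the result. A real agent would also bound the size of what it decompresses, since a hostile ZIP can expand far beyond its on-disk size.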
SECURING THE INTERNET
"A lot of the security stuff is designed by crypto geeks [and] because of a lack of usability, people can't apply them correctly," Peter Gutmann said, adding usability is just as important as "having a bunch of crypto and let people figure it out from there". Gutmann said "the protocols were designed without usability and even if a user-friendly GUI could be put over it, it is unlikely the original developers would accept it. They would rather have 100 percent perfect software that's unusable than 99 percent perfect software that is usable. It will take 20 to 30 years to educate people about computer security, you wouldn't give your house key to someone, so why do the same with your password." [ 1 ]
A fragment from the archives, to remind us of how much we owe to
people like Mina Rees, who stood up for Science in times when
Security was being misused...
John von Neumann to J. Robert Oppenheimer, June 15, 1950:
I had a telephone call from Dr. Mina Rees, Chief of the
Mathematical Sciences Section of ONR. She informed me of the
following facts:
Dick Feynman and the mathematician, J. McShane, had been invited
by the Institute for Numerical Analysis, which is a joint
enterprise of the Bureau of Standards and the University of
California at Los Angeles, to spend the summer months there, that
is, at UCLA. The Department of Commerce, which apparently
exercises a direct supervision over the Bureau of Standards'
activities in such matters, did not approve of these appointments
for security or loyalty reasons (I understand, however, that the
appointments are purely scientific and do not involve classified
matters).
After Mina Rees learned this, she caused ONR to inquire from the
FBI about the causes for withholding Feynman's and McShane's
clearance. The FBI did not make the relevant files available, and
Mina Rees thinks that they are still in the hands of the Commerce
Department. After this, she turned to Condon, who inquired of Mr.
Gladier, Assistant Secretary of Commerce in charge of
Administration, who informed him that the immediately available
evidence on McShane and Feynman provided no basis for their
clearance, so that a full investigation would have to be effected in
order to appoint them. I have heard from other sources that a full
investigation is undesirable, firstly, because it is very
expensive, and secondly, because it may take too much time. In
view of all this, Mina Rees suggested that Feynman and McShane be
appointed to the ONR mathematical contract at the IAS and sent to
UCLA.
Cyberspace covers almost everything electrical or
electromechanical, from the simplest direct-current applications
to the slickest, fastest space-age GPS gadgets off to things that
haven't been invented. The scale of invention and development over
the decades "means the further ... you go on the electromagnetic
spectrum ... the energy moves faster and it's greater. ... the
higher the scale of effects you can deliver."
Lani Kass
The history of modern warfare has been one of adding domains in
which people can fight and lose, be the controllers or the
controlled, she said. For decades, the traditional domains were
land and sea. In the 20th century, air and space were added, along
with the recognition that if you control air and space, you can
dictate to a great degree the control of land and sea.
But it has only been in the past few years that cyberspace, the
realm that links the four war domains, has been recognized as an
area of combat and control in its own right, she said. "We have
been using the electromagnetic spectrum longer than we have been
using air and space," she said, noting that the telegraph, one of
the most bedrock aspects of cyberspace, was developed around the
time of the Civil War.
What makes cyber different from the other realms, she said, is
that it doesn't take a lot to fight in it. You don't have to build
or buy expensive ships, airplanes, tanks or spacecraft. All you
need is a laptop or a link to the Internet. "For the first time,
perhaps ever, we are dealing with a domain where the level of
investment is disproportionate to the kind of effects you can
deliver," she said. [source]
BANNED BOOKS ONLINE openculture.com free banned books for banned books week
PODCASTING
Journalists vs. Blogger War
Podcast Information and How To AudioBlog by Phone, and RSS
Instructions.
DARPA
8/1/14 DARPA Tried to Build Skynet in the 1980s Matt Novak From 1983 to 1993 DARPA spent over $1 billion on a program called the Strategic Computing Initiative. The agency's goal was to push the boundaries of computers, artificial intelligence, and robotics to build something that, in hindsight, looks strikingly similar to the dystopian future of the Terminator movies. They wanted to build Skynet. Much like Ronald Reagan's Star Wars program, the idea behind Strategic Computing proved too futuristic for its time. But with the stunning advancements we're witnessing today in military AI and autonomous robots, it's worth revisiting this nearly forgotten program, and asking ourselves if we're ready for a world of hyperconnected killing machines. And perhaps a more futile question: Even if we wanted to stop it, is it too late? < big snip >
Defense Advanced Research Projects Agency (DARPA) to develop computational techniques and software tools for processing and analyzing the vast amount of mission-oriented information for Defense activities.
DARPA Seeking to Develop a "Cognitive Fingerprint"
The Pentagon's Defense Advanced Research Projects Agency, or Darpa security articles Darpa does for the national defense and what N.I.H. does for health.
The NSA told DARPA
that any attempt to introduce security mechanisms into TCP/IP's
architecture would be viewed very negatively.
The DARPA Information Awareness Office (IAO)
will imagine, develop, apply, integrate, demonstrate and
transition information technologies, components and prototype,
closed-loop, information systems that will counter asymmetric
threats by achieving total information awareness useful for
preemption; national security warning; and national security
decision making. Is the IAO datamining Facebook?
Electronic Frontier Foundation
EFF is a respected voice for the rights of users of online
technologies. We feel that the best way to protect your rights on
the Net is to be fully informed and to make your opinions heard.
JOHN PERRY BARLOW
is cofounder of the Electronic Frontier Foundation, a former
lyricist for the Grateful Dead, and a former Wyoming cattle
rancher.
Read More
FBI - Freedom of Information Act
Blue Ribbon Campaign
The campaign for online freedom of expression
2005
The Department of Homeland Security is monitoring inter-library
loans. Agents look for books on a "watch list". President Bush has
authorized the National Security Agency to spy on as many as 500
people at any given time since 2002 in this country. The
eavesdropping was apparently done without warrants. [1]
President Bush acknowledged on Saturday that he had ordered the
National Security Agency to conduct an electronic eavesdropping
program in the United States without first obtaining warrants, and
said he would continue the highly classified program because it
was "a vital tool in our war against the terrorists." [2]
Keep your K12 Schools Safe. Security at Schools.
"640K ought to be enough for anybody." - Idiot Bill Gates in 1981
IT'S SO SECURE I CAN'T LOG IN !