August 21st, 2013
Novelist and former MP Louise Mensch, demonstrating her deep understanding of how digital technology works:
She probably thinks the Guardian no longer has access to the files on that laptop too.
Actually, cancel that. I'm sure she's perfectly well aware that digital data can be – and in this case, was – backed up. To my mind, she's just doing her bit to help the government to deflect the focus of the discussion away from the Guardian's story and the doings of the surveillance state and on to the government's preferred law-and-order/keeping-us-safe-from-terrorists/nothing-to-hide, nothing-to-fear agenda.
[Via Charlie's Diary]
August 3rd, 2013
A classmate was caught using his phone in maths. The teacher took his phone and set a passcode. He gave him this back with his phone and said good luck unlocking it.
My first thought upon seeing the above-linked image was 'I hope nobody forwards this link to Michael Gove.'
My second thought was that unless someone comes up with a better solution than passwords for logging in to web sites, one day CAPTCHAs will evolve into something like this and I'll have to give up using the web.
[Via Flowing Data]
July 24th, 2013
The word 'ironic' comes to mind:
The NSA is a "supercomputing powerhouse" with machines so powerful their speed is measured in thousands of trillions of operations per second. The agency turns its giant machine brains to the task of sifting through unimaginably large troves of data its surveillance programs capture.
But ask the NSA, as part of a freedom of information request, to do a seemingly simple search of its own employees' email? The agency says it doesn't have the technology.
"There's no central method to search an email at this time with the way our records are set up, unfortunately," NSA Freedom of Information Act officer Cindy Blacker told me last week.
The system is "a little antiquated and archaic," she added. [...]
How suspiciously convenient for them.
[Via Memex 1.1]
August 7th, 2012
Getting beyond the particulars of how hackers used social engineering to get Mat Honan's passwords reset and his iOS and Mac devices remotely wiped, for my money here's the key lesson of the whole sorry saga:
I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can't put a price on.
This isn't just about Apple – it's about all the corporations expanding from their original niches into as many corners of our online life as possible. Having a single sign-on is scary, and only gets more so as the uses of that ID expand over time.
I'd like to think that scares like this would motivate Apple, Amazon, Google, Microsoft and the rest to get this stuff right lest the public be discouraged from signing up for all the different services they offer, but I fear that convenience wins out all too often.
May 14th, 2012
OAuth is your future. What a cheerful thought.
April 27th, 2012
Good news and bad news for Mac users.
I wondered what software update/new release was finally going to prod me into updating to Lion; I think this might just be it.
[Via Ars Technica]
March 28th, 2012
Paul Vixie has posted details of his work in dismantling a network of DNS servers being used to redirect internet traffic from computers infected with the DNS Changer malware. The problem is, even after all that work there are still hundreds of thousands of internet users with infected computers and/or routers, just waiting for someone to pick up where DNS Changer left off:
Internet users are endlessly bombarded with warnings about their security and with offers of services and software (some of it apparently "free") offering to make their computers healthier. The victims of DNS Changer are by this time jaded or overwhelmed or both. The Internet seems to be a very dangerous place, and most Internet users probably feel that they could spend more than half their waking hours just installing patches and responding to warnings – unless they just put their heads down, ignore all that noise, and try instead to get their work (or play) done. I am sympathetic to this mindset. The problem is, the Internet really is that dangerous, and people really do need to pay more attention to the dangers of unpatched or infected computers.
Short of jumping into a TARDIS and going back to 1982 to give various heads of computer companies a stern talking-to about the need to make designing secure systems a top priority, I don't see a good way out of this problem beyond passing it to ISPs and having them cut off internet access for customers still using infected systems until they clean them up. Which isn't going to happen any time soon, and is a terrible idea anyway.
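The one check a DNS Changer victim can actually run for themselves is whether the resolvers their machine (or their router, via DHCP) hands out fall inside the rogue ranges that the takedown replaced. Here is that check as an added example, not Paul Vixie's or the DNS Changer Working Group's code. The six ranges are the ones the FBI and the Working Group published for the rogue resolvers; they are reproduced here rather than taken from this page, so verify them against the official notice before relying on them. The resolv.conf text is constructed from documentation addresses plus one address inside a rogue range.

```python
"""Check resolver settings against the DNS Changer rogue-server ranges.

Added example, not Paul Vixie's or the DNS Changer Working Group's code.
The six ranges are the ones the FBI / DNS Changer Working Group published
for the rogue resolvers, reproduced from that notice; check them against
the official list before relying on them. The resolv.conf text below is
constructed (documentation addresses plus one address inside a rogue range).
"""
import ipaddress

# Published rogue resolver ranges as CIDR blocks (the comment gives the
# first-to-last form the notice used).
ROGUE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",  # 85.255.112.0 - 85.255.127.255
        "67.210.0.0/20",    # 67.210.0.0   - 67.210.15.255
        "93.188.160.0/21",  # 93.188.160.0 - 93.188.167.255
        "77.67.83.0/24",    # 77.67.83.0   - 77.67.83.255
        "213.109.64.0/20",  # 213.109.64.0 - 213.109.79.255
        "64.28.176.0/20",   # 64.28.176.0  - 64.28.191.255
    )
]

# Constructed resolver configuration in resolv.conf syntax.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real machine's configuration
search example.com
nameserver 192.0.2.53          # documentation range, not rogue
nameserver 85.255.112.36       # inside the first rogue range (constructed)
nameserver 2001:db8::53        # IPv6 documentation range, not rogue
nameserver not-an-address      # malformed token, never matches
"""


def parse_nameservers(text: str) -> list[str]:
    """Return the address token of every 'nameserver' line, in file order.
    Both resolv.conf comment styles ('#' and ';') are stripped first."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_rogue(address: str) -> bool:
    """True if the address falls in one of the published rogue ranges.
    Unparseable tokens and IPv6 addresses never match (the ranges are v4)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_RANGES)


def rogue_resolvers(resolv_conf_text: str) -> list[str]:
    """Nameserver addresses in the given configuration that are rogue."""
    return [ns for ns in parse_nameservers(resolv_conf_text) if is_rogue(ns)]


if __name__ == "__main__":
    hits = rogue_resolvers(SAMPLE_RESOLV_CONF)
    if hits:
        print("resolver(s) in DNS Changer rogue ranges:", ", ".join(hits))
    else:
        print("no rogue resolvers configured")
```

On a real machine you would feed `rogue_resolvers()` the contents of `/etc/resolv.conf`, or the DNS servers reported by the router's status page, since an infected router poisons every client behind it even when the clients themselves are clean.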
March 5th, 2012
This anti-theft briefcase is a lawsuit waiting to happen.
[Via Bruce Schneier]
November 14th, 2011
"In theory" is one of the scariest phrases in the world of computing. Take this story about vulnerabilities in the computer systems used to run some federal prisons in the USA:
While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.
[Via Bruce Schneier]
November 4th, 2011
From the Department of What Could Go Wrong:
Police in Montgomery County, Texas reportedly plan to deploy drones capable of carrying "less lethal" weapons:
[Michael Buscher, CEO of Vanguard Defense Industries said that their drones ...] are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems," he said, including Tazers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a "stun baton."
From the Department of Cargo Cults:
Nicholas Negroponte appears to have decided that the way to revive the One Laptop Per Child project is to resort to desperate measures:
The One Laptop Per Child (OLPC) project has devised a bizarre plan for deploying its new XO-3 tablet. The organization plans to drop the touchscreen computers from helicopters near remote villages in developing countries. The devices will then be abandoned and left for the villagers to find, distribute, support, and use on their own.
OLPC founder Nicholas Negroponte is optimistic that the portable devices – which will be stocked with electronic books – will empower children to learn to read without any external support or instruction.
[Drone story via Bruce Schneier, OLPC story via MetaFilter]
October 8th, 2011
File under 'Famous last words': Computer Virus Hits U.S. Drone Fleet:
A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.
The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. [...]
"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." [...]
Retaliation for Stuxnet, or someone too high up the chain of command to be told what to do getting a bit careless with their USB drive and bringing in some malware they picked up on their home PC?
August 15th, 2011
Prompted by xkcd's take on creating passwords, Troy Hunt reminds us that the problem isn't coming up with a good password, it's remembering it – and the three dozen or more passwords for other accounts that you created using the same method – afterwards:
The issue is simply this: you can't apply [the xkcd-endorsed approach of stringing together four random common words together to make a password] consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. In fact you're really back at the conclusion in the first part of the strip with the character substitution password where Randall concludes "Difficulty to remember: hard".
Sadly, in the absence of a widely supported, secure portable online authentication and identification system, we're pretty much stuck with having to remember dozens of passwords.
[Via The Tao of Mac]
August 4th, 2011
Possibly the Stupidest Bank in the World?
Essentially, my bank is asking me to install a keylogger. Just so they can warn me not to use the same password on suntrust.com and playboy.com.
[Via The Tao of Mac]
June 16th, 2011
Cinemas are getting into the habit of projecting 2D films using lenses designed for 3D films, even though this can render the onscreen image unacceptably dim. Part of the reason for this is that projectionists may not have the technical skills required to swap out a 3D lens. Partly, it's that cinemas imagine that not running the bulb at full power will prolong the bulb's operating life. And partly it's because of security measures built into many modern projectors that require passwords and logins and can shut the projector down if you screw up. Wendy M Grossman sees two threat models colliding:
Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. So they don't, and the long-term consequence will be the alienation of customers and loss of revenues.
[Via Bruce Schneier]
June 13th, 2011
The largest data breaches of all time, compared.
I feel quite fortunate that as far as I can tell not a single one of those incidents would have involved my personal details. I shouldn't get too complacent: I have a horrible feeling that if you extended the chart to cover the next 20 or 30 incidents then I'd see a familiar name or two.
Between the effects of governmental incompetence, corporate laxity and plain old malware, I wonder how many of us don't have our personal details up for sale, on a list alongside 99,999 other poor saps, on some dodgy bulletin board somewhere.
June 7th, 2011
Troy Hunt undertook a brief Sony password analysis, using the email addresses and passwords of some 37,000 registered users of Sony Pictures, which are now freely available to download thanks to the efforts of LulzSec. His most interesting findings relate to password re-use:
- 92% of users with multiple accounts recorded in various Sony databases across their different services and locations used the same password for more than one account.
- Comparing the Sony data with the account details released during the Gawker data loss last year, 67% of users who had registered with Sony and Gawker using the same email address also used the same password for both accounts.
There are lots of other fascinating scary statistics in Hunt's post. I'd love to write more about this, but I have to go and update some account details on some web sites. Now!
[Via Waxy.org Links]
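Both of the reuse figures above come from joining dumps on email address and comparing the passwords on either side. As an added example (this is not Troy Hunt's code, and every account below is invented), here is that analysis in Python over constructed dumps. It covers the within-company case (several services, one email) and the cross-breach case, and for the latter it assumes the second site's dump holds salted hashes rather than plaintext, so the known plaintext has to be hashed with that record's salt before comparing. The salted-SHA-256 scheme is chosen for the example and is not any real site's.

```python
"""Cross-breach password-reuse analysis over constructed sample dumps.

Added example for this page; it is not Troy Hunt's code and the three
"dumps" below are invented (no real accounts). The third site's dump is
stored as salted SHA-256 hashes, a scheme constructed for the example, so
it also shows how to test for reuse when only one side is plaintext.
"""
import hashlib
from collections import defaultdict


def norm_email(email: str) -> str:
    """Join on a normalised form: mailbox case differs between sites."""
    return email.strip().lower()


def salted_sha256(salt: str, password: str) -> str:
    """Constructed hash scheme for the hashed dump: hex(SHA-256(salt || pw))."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed plaintext dump for "service A" (the Sony Pictures role).
SERVICE_A = {
    "alice@example.com": "alice2011",
    "Bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
    "dave@example.com": "password1",
    "erin@example.com": "Erin!2010",
}

# Constructed plaintext dump for a second service run by the same company.
SERVICE_B = {
    "alice@example.com": "alice2011",      # same password as service A
    "bob@example.com": "hunter2",          # same password, email case differs
    "carol@example.com": "carol-unique",   # different password
    "frank@example.com": "qwerty",         # only present here
}

# Constructed hashed dump for an unrelated site (the Gawker role):
# email -> (salt, hex digest). Built from plaintext here so the example is
# self-contained; a real dump would give you only the salt and digest.
_THIRD_SITE_PLAINTEXT = {
    "alice@example.com": ("k1", "alice2011"),   # reused across breaches
    "bob@example.com": ("k2", "hunter3"),       # different password
    "dave@example.com": ("k3", "password1"),    # reused across breaches
    "grace@example.com": ("k4", "letmein"),     # not in service A at all
}
THIRD_SITE = {
    email: (salt, salted_sha256(salt, pw))
    for email, (salt, pw) in _THIRD_SITE_PLAINTEXT.items()
}


def multi_account_reuse(services):
    """Within one company's dumps: of users holding more than one account,
    how many used the same password for at least two of them?
    Returns (users_with_multiple_accounts, users_reusing)."""
    passwords_by_user = defaultdict(list)
    for table in services:
        for email, pw in table.items():
            passwords_by_user[norm_email(email)].append(pw)
    multi = {e: pws for e, pws in passwords_by_user.items() if len(pws) > 1}
    reusing = sum(1 for pws in multi.values() if len(set(pws)) < len(pws))
    return len(multi), reusing


def cross_breach_reuse(plaintext_dump, hashed_dump):
    """Across two breaches: of emails present in both, how many used the same
    password? The hashed side is tested by hashing the known plaintext with
    that record's salt. Returns (shared_emails, same_password)."""
    hashed = {norm_email(e): v for e, v in hashed_dump.items()}
    shared = same = 0
    for email, pw in plaintext_dump.items():
        record = hashed.get(norm_email(email))
        if record is None:
            continue
        shared += 1
        salt, digest = record
        if salted_sha256(salt, pw) == digest:
            same += 1
    return shared, same


def as_percent(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to compare."""
    return 0.0 if whole == 0 else round(100.0 * part / whole, 1)


if __name__ == "__main__":
    multi, reusing = multi_account_reuse([SERVICE_A, SERVICE_B])
    print(f"multi-account users: {multi}, reusing a password: {reusing} "
          f"({as_percent(reusing, multi)}%)")
    shared, same = cross_breach_reuse(SERVICE_A, THIRD_SITE)
    print(f"emails in both breaches: {shared}, same password: {same} "
          f"({as_percent(same, shared)}%)")
```

The hashed-side comparison is what makes this work against a dump that was stored properly: you never recover the other site's passwords, you only learn whether the password you already hold from the plaintext breach would have unlocked the same person's account there. That is also exactly the check an attacker runs, which is why reuse across unrelated sites is the figure to worry about.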
May 30th, 2011
Quote of the day: Charlie Stross, quoting a character from his forthcoming novel, Rule 34…
"The twenty-first century so far has been a really fucking awful couple of decades for paranoid schizophrenics".
April 21st, 2011
John Naughton has posted a good summary of the varying reactions to the 'spyPhone' story as it has developed over the last day or so:
Firstly, lots of people began posting maps of where their iPhones had been, which is a clear demonstration of the First Law of Technology – which says that if something can be done then it will be done, irrespective of whether it makes sense or not.
To my mind, this story is much like the Dropbox insecurity stories that broke over the last week.
Geeks who are motivated enough to pay attention will mostly understand that:
- Mobile phone carriers have always been able to plot the approximate location of your phone over time according to which cell towers it connects to. Which means that the truly interesting element of this story is that iOS 4 seems to keep an unencrypted version of that data on your smartphone and in your phone's backups, meaning that anyone who can access your phone or an unencrypted backup of your phone on your computer could – in principle – access this data.
- At least some of Dropbox's system administrators are bound to have a way to access the contents of users' dropbox folders, if only in order to comply with legally-binding requests for information from the appropriate authorities. The big questions here are how widespread and carefully monitored access to unencrypted copies of users' data is among Dropbox staff, and the extent to which the company's marketing claims actively misled users about how secure data held in their Dropbox is.
Never mind the geeks: the big question in both cases is whether ordinary users (and/or their employers) get so freaked out about these security issues that they look for an alternative with a better balance of convenience and security. I'm guessing that they won't, unless either company completely mishandles their response to these stories or there are new, scary developments suggesting that these vulnerabilities are being actively exploited.