'Our security forces have it back'?!?

August 21st, 2013

Novelist and former MP Louise Mensch, demonstrating her deep understanding of how digital technology works:

Louise Mensch on data security

She probably thinks the Guardian no longer has access to the files on that laptop too.

Actually, cancel that. I'm sure she's perfectly well aware that digital data can be – and in this case, was – backed up. To my mind, she's just doing her bit to help the government to deflect the focus of the discussion away from the Guardian's story and the doings of the surveillance state and on to the government's preferred law-and-order/keeping-us-safe-from-terrorists/nothing-to-hide, nothing-to-fear agenda.

[Via Charlie's Diary]


Maths problems

August 3rd, 2013

A classmate was caught using his phone in maths. The teacher took his phone and set a passcode. He gave him this back with his phone and said good luck unlocking it.

My first thought upon seeing the above-linked image was 'I hope nobody forwards this link to Michael Gove.'1

My second thought was that unless someone comes up with a better solution than passwords for logging in to web sites2 then one day CAPTCHAs will evolve into something like this and I'll have to give up using the web.

[Via Flowing Data]

  1. For non-UK readers: Michael Gove is the current Secretary of State for Education in the UK. Within a week his department would be announcing that schools would have to produce returns demonstrating that 75% of pupils could solve such problems in a below-average time.
  2. Speaking of which, in theory Tim Bray has a point. In practice, Rui Carmo has a much better one.


Life imitates The Onion

July 24th, 2013

The word 'ironic' comes to mind:

The NSA is a "supercomputing powerhouse" with machines so powerful their speed is measured in thousands of trillions of operations per second. The agency turns its giant machine brains to the task of sifting through unimaginably large troves of data its surveillance programs capture.

But ask the NSA, as part of a freedom of information request, to do a seemingly simple search of its own employees' email? The agency says it doesn't have the technology.

"There's no central method to search an email at this time with the way our records are set up, unfortunately," NSA Freedom of Information Act officer Cindy Blacker told me last week.

The system is "a little antiquated and archaic," she added. [...]

How suspiciously convenient for them.1

[Via Memex 1.1]

  1. For what it's worth, I'm quite prepared to believe that they don't have all their employee email in a single spool that can easily be searched by or on behalf of their FoIA team. The question is whether that was a desired outcome or just a happy side effect of their last email migration.


LET Eggs=N+1. LET Baskets = 1.

August 7th, 2012

Getting beyond the particulars of how hackers used social engineering to get Mat Honan's passwords reset and his iOS and MacOS devices remotely wiped, for my money here's the key lesson of the whole sorry saga:

I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can't put a price on.

This isn't just about Apple – it's about all the corporations expanding from their original niches into as many corners of our online life as possible.1 Having a single sign-on is scary, and only gets more so as the uses of that ID expand over time.2

I'd like to think that scares like this would motivate Apple, Amazon, Google, Microsoft and the rest to get this stuff right lest the public be discouraged from signing up for all the different services they offer, but I fear that convenience wins out all too often.

  1. For what it's worth, I haven't enabled iCloud on my Mac Mini or my iPod Touch. Not because I foresaw this sort of problem; it's just that I don't see the benefit of iCloud. I bought my iPod Touch as a replacement PDA, not a device for accessing the internet on the move. In any case, when I'm at work I'm not in range of an accessible WiFi service, so my iPod Touch isn't going to be accessing iCloud anyway.
  2. I dread the day when Apple finally make some feature I really want/need insist upon having access to iCloud. That might be my cue to take a close look at whatever the successor to the Nexus 7 turns out to be.


OAuth is your future

May 14th, 2012

OAuth is your future. What a cheerful thought.


Java updated

April 27th, 2012

Good news and bad news for Mac users.

I wondered what software update/new release was finally going to prod me into updating to Lion; I think this might just be it.

[Via Ars Technica]


(DNS) Changes

March 28th, 2012

Paul Vixie has posted details of his work in dismantling a network of DNS servers being used to redirect internet traffic from computers infected with the DNS Changer malware. The problem is, even after all that work there are still hundreds of thousands of internet users with infected computers and/or routers, just waiting for someone to pick up where DNS Changer left off:

Internet users are endlessly bombarded with warnings about their security and with offers of services and software (some of it apparently "free") offering to make their computers healthier. The victims of DNS Changer are by this time jaded or overwhelmed or both. The Internet seems to be a very dangerous place, and most Internet users probably feel that they could spend more than half their waking hours just installing patches and responding to warnings – unless they just put their heads down, ignore all that noise, and try instead to get their work (or play) done. I am sympathetic to this mindset. The problem is, the Internet really is that dangerous, and people really do need to pay more attention to the dangers of unpatched or infected computers.

Short of jumping into a TARDIS and going back to 1982 to give various heads of computer companies a stern talking-to about the need to make designing secure systems a top priority, I don't see a good way out of this problem beyond passing it to ISPs and having them cut off internet access for customers still using infected systems until they clean up their systems. Which isn't going to happen any time soon, and is a terrible idea anyway.

[Via rc3.org]


You'll put someone's eye out with that thing…

March 5th, 2012

This anti-theft briefcase is a lawsuit waiting to happen.

[Via Bruce Schneier]


'I guess passwords aren't the only things that change.'

February 11th, 2012

The CAPTCHA from hell.

[Via Bruce Schneier]


Open prisons

November 14th, 2011

"In theory" is one of the scariest phrases in the world of computing. Take this story about vulnerabilities in the computer systems used to run some federal prisons in the USA:

While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.

[Emphasis added]

[Via Bruce Schneier]


Watch the skies

November 4th, 2011

From the Department of What Could Go Wrong:

Police in Montgomery County, Texas reportedly plan to deploy drones capable of carrying "less lethal" weapons:

[Michael Buscher, CEO of Vanguard Defense Industries said that their drones ...] are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems," he said, including Tazers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a "stun baton."

From the Department of Cargo Cults:

Nicholas Negroponte appears to have decided that the way to revive the One Laptop Per Child project is to resort to desperate measures:

The One Laptop Per Child (OLPC) project has devised a bizarre plan for deploying its new XO-3 tablet. The organization plans to drop the touchscreen computers from helicopters near remote villages in developing countries. The devices will then be abandoned and left for the villagers to find, distribute, support, and use on their own.

OLPC founder Nicholas Negroponte is optimistic that the portable devices – which will be stocked with electronic books – will empower children to learn to read without any external support or instruction.

[Drone story via Bruce Schneier, OLPC story via MetaFilter]


Skynet? Is that you?

October 8th, 2011

File under 'Famous last words': Computer Virus Hits U.S. Drone Fleet:

A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. [...]

"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." [...]

Retaliation for Stuxnet, or someone too high up the chain of command to be told what to do getting a bit careless with their USB drive and bringing in some malware they picked up on their home PC?


The answer, of course, is '**********'

August 22nd, 2011

Worst. Security. Question. Ever!


correct horse battery staple

August 15th, 2011

Prompted by xkcd's take on creating passwords, Troy Hunt reminds us that the problem isn't coming up with a good password, it's remembering it – and the three dozen or more passwords for other accounts that you created using the same method – afterwards:

The issue is simply this: you can't apply [the xkcd-endorsed approach of stringing together four random common words together to make a password] consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. In fact you're really back at the conclusion in the first part of the strip with the character substitution password where Randall concludes "Difficulty to remember: hard".

Sadly, in the absence of a widely supported,1 secure portable online authentication and identification system, we're pretty much stuck with having to remember dozens of passwords.2

[Via The Tao of Mac]

  1. Which is to say, 'supported by everyone who does online commerce, including the banks, credit card companies, PayPal, Amazon and the iTunes Store.'
  2. I've been using SplashID on my various PalmOS devices for a few years now, and happily it also works nicely on the iPod Touch that I now use as my PDA. It's far safer than relying on my memory.


Utter Idiocy.

August 4th, 2011

Possibly the Stupidest Bank in the World?

Essentially, my bank is asking me to install a keylogger. Just so they can warn me not to use the same password on suntrust.com and playboy.com.

[Via The Tao of Mac]


Threat Model II: When Threats Collide

June 16th, 2011

Cinemas are getting into the habit of projecting 2D films using lenses designed for 3D films, even though this can render the onscreen image unacceptably dim. Part of the reason for this is that projectionists may not have the technical skills required to swap out a 3D lens. Partly, it's that cinemas imagine that not running the bulb at full power will prolong the bulb's operating life. And partly it's because of security measures built into many modern projectors that require passwords and logins and can shut the projector down if you screw up. Wendy M Grossman sees two threat models colliding:

Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. So they don't, and the long-term consequence will be the alienation of customers and loss of revenues.

[Via Bruce Schneier]


A million here, a million there – before you know it you're talking about serious numbers of users

June 13th, 2011

The largest data breaches of all time, compared.

I feel quite fortunate that as far as I can tell not a single one of those incidents would have involved my personal details.1 I shouldn't get too complacent: I have a horrible feeling that if you extended the chart to cover the next 20 or 30 incidents then I'd see a familiar name or two.

Between the effects of governmental incompetence, corporate laxity and plain old malware, I wonder how many of us don't have our personal details up for sale, on a list alongside 99,999 other poor saps, on some dodgy bulletin board somewhere.

  1. Unless one of the organisations involved was holding/processing data on behalf of a company I've had dealings with.


Sony passwords = Gawker passwords = ?

June 7th, 2011

Troy Hunt undertook a brief Sony password analysis, using email address and password information from some 37,000 registered users of Sony Pictures that is now freely available to download, thanks to the efforts of LulzSec. His most interesting findings relate to password re-use:

  • 92% of users with multiple accounts recorded in various Sony databases across their different services and locations used the same password for more than one account.
  • Comparing the Sony data with the account details released during the Gawker data loss last year, 67% of users who had registered with Sony and Gawker using the same email address also used the same password for both accounts.1

There are lots of other fascinating scary statistics in Hunt's post. I'd love to write more about this, but I have to go and update some account details on some web sites. Now!

[Via Waxy.org Links]

  1. Admittedly, there were only 88 instances of the same email address being used at Sony and Gawker, so the small sample size may mean that this isn't representative of the wider picture. In a world where passwords still end up jotted down on Post-It™ notes, it feels believable, though.
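The two measurements above (same-password re-use across one company's services, and re-use between two unrelated breach dumps joined on email address) are simple enough to reproduce. The script below is an added example written for this post; it is not Troy Hunt's code, and the records in it are constructed stand-ins, not data from the Sony or Gawker dumps. Email addresses are normalised to lower case before matching, which is an assumption about how the real analysis keyed its join.

```python
"""Password re-use analysis across breach dumps (constructed sample data).

Two questions, mirroring the two statistics quoted in the post:
  1. Of users with more than one account in one dump, how many used the
     same password for at least two of those accounts?
  2. Of email addresses present in two different dumps, how many used
     the same password in both?
"""
from collections import defaultdict

# Constructed sample records: (service, email, password). Not real breach data.
SONY_RECORDS = [
    ("sony-pictures", "alice@example.com", "Summer2011"),
    ("sony-music",    "Alice@Example.com", "Summer2011"),   # same person, case differs
    ("sony-pictures", "bob@example.com",   "hunter2"),
    ("sony-music",    "bob@example.com",   "hunter2!"),     # near-miss, counts as distinct
    ("sony-pictures", "carol@example.com", "correct horse"),
    ("sony-pictures", "dave@example.com",  "letmein"),
    ("sony-music",    "dave@example.com",  "letmein"),
    ("sony-bmg",      "dave@example.com",  "letmein"),
]

GAWKER_RECORDS = [
    ("gawker", "alice@example.com", "Summer2011"),
    ("gawker", "bob@example.com",   "hunter2"),
    ("gawker", "carol@example.com", "staple"),
    ("gawker", "erin@example.com",  "qwerty"),               # only in one dump, ignored by the join
]


def normalise_email(email):
    """Assumed join key: trimmed, lower-cased address."""
    return email.strip().lower()


def passwords_by_email(records):
    """Map normalised email -> list of passwords seen for it in this dump."""
    by_email = defaultdict(list)
    for _service, email, password in records:
        by_email[normalise_email(email)].append(password)
    return by_email


def intra_dump_reuse(records):
    """Return (users_with_multiple_accounts, users_reusing, fraction).

    A user 'reuses' when the number of distinct passwords is smaller than
    the number of accounts, i.e. at least two accounts share a password.
    """
    multi = {e: pws for e, pws in passwords_by_email(records).items() if len(pws) > 1}
    if not multi:
        return 0, 0, 0.0
    reused = sum(1 for pws in multi.values() if len(set(pws)) < len(pws))
    return len(multi), reused, reused / len(multi)


def cross_dump_reuse(records_a, records_b):
    """Return (emails_in_both, emails_with_shared_password, fraction).

    Join on normalised email; a shared password means any password for that
    email in dump A also appears for it in dump B. Exact comparison only, so
    'hunter2' vs 'hunter2!' is counted as different (an undercount of the
    real-world risk, since such variants are trivially guessable).
    """
    a, b = passwords_by_email(records_a), passwords_by_email(records_b)
    overlap = set(a) & set(b)
    if not overlap:
        return 0, 0, 0.0
    shared = sum(1 for e in overlap if set(a[e]) & set(b[e]))
    return len(overlap), shared, shared / len(overlap)


if __name__ == "__main__":
    n, r, f = intra_dump_reuse(SONY_RECORDS)
    print(f"users with >1 Sony account: {n}, reusing a password: {r} ({f:.0%})")
    n, r, f = cross_dump_reuse(SONY_RECORDS, GAWKER_RECORDS)
    print(f"emails in both dumps: {n}, same password in both: {r} ({f:.0%})")
```

On the constructed data both measures come out at two users in three. The exact-match rule is deliberate: a defender reproducing this kind of analysis should note that it undercounts, because variants like a trailing `!` would fall to a cracker within seconds, and that the real join depends heavily on how addresses are normalised.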


NewsTweaked

May 30th, 2011

Quote of the day: Charlie Stross,1 quoting a character from his forthcoming novel, Rule 34:

"The twenty-first century so far has been a really fucking awful couple of decades for paranoid schizophrenics".

  1. Prompted by a demo of NewsTweak.


SpyPhones and Unlocked Dropboxes

April 21st, 2011

John Naughton has posted a good summary of the varying reactions to the 'spyPhone' story as it has developed over the last day or so:

Firstly, lots of people began posting maps of where their iPhones had been, which is a clear demonstration of the First Law of Technology – which says that if something can be done then it will be done, irrespective of whether it makes sense or not.

To my mind, this story is much like the Dropbox insecurity stories that broke over the last week.

Geeks who are motivated enough to pay attention will mostly understand that:

  1. Mobile phone carriers have always been able to plot the approximate location of your phone over time according to which cell towers it connects to. Which means that the truly interesting element of this story is that iOS 4 seems to keep an unencrypted version of that data on your smartphone and in your phone's backups, meaning that anyone who can access your phone or an unencrypted backup of your phone on your computer could – in principle – access this data.
  2. At least some of Dropbox's system administrators are bound to have a way to access the contents of users' dropbox folders, if only in order to comply with legally-binding requests for information from the appropriate authorities.1 The big questions here are how widespread and carefully monitored access to unencrypted copies of users' data is among Dropbox staff, and the extent to which the company's marketing claims actively misled users about how secure data held in their Dropbox is.

Never mind the geeks: the big question in both cases is whether ordinary users (and/or their employers) get so freaked out about these security issues that they look for an alternative with a better balance of convenience and security. I'm guessing that they won't, unless either company completely mishandles their response to these stories or there are new, scary developments suggesting that these vulnerabilities are being actively exploited.

  1. If you really want to secure the data you share via Dropbox, create a 'secure' container for it on your computer – be it a TrueCrypt volume, a Mac OS encrypted disk image or just a password-protected .zip file – and put that in your Dropbox folder. Of course, you'll then lose the convenience of Dropbox seamlessly doing versioning of individual files and will be dependent upon all your Dropbox client devices being able to access the same type of encrypted container. Also, the more you require users to enter passphrases to delve down to the level where they can access their files via Dropbox, the less likely they are to want to bother. Dropbox users mostly value convenience over absolute security, IMHO.

