Categories
Quotations

2013.1.15

Placing sensitive data in insecure locations is never a good idea, and the loss of physical security has long been considered tantamount to a breach. Yet some early elements of the IoT incorporate this very flaw into their designs. It’s often an attempt to compensate for a lack of technological maturity where always-on network connectivity is unavailable or too expensive, or the central infrastructure does not scale to accommodate the vast number of input devices.

As the IoT crawls through its early stages, we can expect to see more such compromises; developers have to accommodate technical constraints — by either limiting functionality or compromising security. In a highly competitive tech marketplace, I think we all know which of these will be the first casualty.

And it’s not just security: it’s privacy, too. As the objects within the IoT collect seemingly inconsequential fragments of data to fulfill their service, think about what happens when that information is collated, correlated, and reviewed.

Andrew Rose, “The Internet of Things Has Arrived — And So Have Massive Security Issues”
Categories
Quotations

2013.1.10

… Chrome acts as 100 million sensors on the Internet looking for *.google.com MitM attacks. If you are a government wanting to spy on your citizens, as soon as you insert a fraudulent signing certificate into your BlueCoat monitor, one of your citizens using Google Chrome is going to notify the mother ship.

Robert Graham, “Don’t mess with the Google”
Categories
Quotations

2013.1.8

The war on terrorism should not be a war on ethics, integrity, technology and the rule of law. Stopping terrorism should not include terrorizing whistleblowers and truth tellers who raise concern when the government cuts corners to electronically surveill, torture and assassinate its own people. And it is not okay for a president to grant himself the power to play prosecutor, judge, jury and executioner of anyone on the entire fucking planet.

Jesselyn Radack, quoted in “US Whistleblowers on Being Targeted by the Secret Security State”
Categories
Links

Advice on Browsing the Web Safely

Global Voices has a series of good suggestions on how to browse the web safely. Many users may not need to take the more extreme precautions – such as browsing from an operating system booted off a USB drive – but the other pieces of advice are helpful. Well worth the (quick) read.

Categories
Links

Turning IT Into a Profit Centre

Jeffrey Carr has some amusing thoughts on transforming IT in corporate businesses from a cost to a profit centre. Just a taste of the humour:

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represents tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you’ve viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.

One can easily imagine how his article, slightly reworked, would have made an excellent April Fools’ column.

Categories
Links

How foreign firms tried to sell spy gear to Iran

Steve Stecklow is one of the few reporters who has continued to write about Iran’s acquisition of surveillance equipment over the past several years. At this point he has a good grasp of how the technology gets into the country, what’s done with it, and why and how vendors are evading sanctions. His article earlier this year provides a good look at how Huawei and ZTE alike have sold ‘lawful intercept’ equipment to the Iranian government. I’d highly recommend taking a look at what he’s written.

Categories
Quotations

2012.12.11

Life under a national security state is not a life. Living under such a state is simply living like a slave, or at best it is like living in a big prison, albeit one that has invisible bars. While invisible, these bars are, nevertheless, extremely constraining.

Maher Arar, from “What Life Looks Like Under a National Security State”
Categories
Links

Feudalism 2.0

Bruce Schneier has a clever piece discussing the contemporary model of ‘feudal security’, where users have committed themselves to differing lords of the Internet. As a taste:

Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.

These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them – or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.

Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.

Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.

And it’s this model that’s starting to permeate computer security today.

The rest of the piece is just as clever; I’d highly recommend reading the whole thing.

Categories
Quotations

2012.12.4

… sacrifices often involve the rights and liberties of minorities and dissidents, so the costs aren’t borne equally by all in society. When people say they’re willing to give up rights and liberties in the name of security, they’re often sacrificing the rights and liberties of others rather than their own.

Dan Solove, Nothing to Hide: The False Tradeoff between Privacy and Security
Categories
Links Writing

Belkin #Fails At Password Creation

WPA2-PSK is recognized as a pretty reasonable way for most consumers to secure their Wi-Fi access points. That said, the mechanism falls flat on its face when router manufacturers screw up the pre-shared key itself, and it looks like Belkin has screwed up badly: the default passphrase is derived deterministically from an identifier the router broadcasts. From a Register article we see that:

Each of the eight characters of the default passphrase is created by substituting a corresponding hex digit of the WAN MAC address using a static substitution table. Since the WAN MAC address is the WLAN MAC address + one or two (depending on the model), a wireless attacker can easily guess the WAN MAC address of the device and thus calculate the default WPA2 passphrase.

This is just a really poor mechanism for deriving the password: the WLAN MAC address is in every beacon frame the access point sends, so anyone in radio range who knows the substitution table has at most two candidate passphrases to try, and WPA2’s key strength counts for nothing. So far the manufacturer has been totally silent on the issue and unwilling to disclose how it intends to mitigate the attack; that silence at least leaves open the possibility that Belkin will fix things instead of just abandoning consumers (which seems to be, sadly, a pretty default vendor response when their errors undermine users’ privacy and security). In the meantime, anyone running one of these routers should replace the default passphrase with a long random one of their own. Here’s hoping that Belkin decides to not be like most router vendors…
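To make the weakness concrete, here is an added model of the scheme the Register describes, written for this post and not Belkin’s own code. The substitution table is invented (the article does not reproduce the real one), and it is assumed that the last eight hex digits of the WAN MAC are used, which the article does not state; neither assumption matters for the point, since any fixed table gives a deterministic mapping from a broadcast identifier to the secret. The attacker side shows the passphrase search space collapsing to two candidates, and `random_passphrase` shows what a default should look like instead.

```python
import secrets
import string

# Hypothetical substitution table, invented for illustration (NOT Belkin's real
# table). One passphrase character per hex digit of the WAN MAC.
SUBST = {
    "0": "9", "1": "4", "2": "7", "3": "0", "4": "2", "5": "5", "6": "8", "7": "1",
    "8": "3", "9": "6", "a": "c", "b": "f", "c": "a", "d": "e", "e": "d", "f": "b",
}


def mac_to_int(mac: str) -> int:
    """'00:1f:33:aa:bb:cd' -> 0x001f33aabbcd. Accepts ':' or '-' separators or none."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int, wrapping at 48 bits so WLAN MAC + 1 never overflows."""
    value &= (1 << 48) - 1
    digits = f"{value:012x}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def default_passphrase(wan_mac: str) -> str:
    """Model of the flawed vendor scheme: substitute each hex digit of the WAN MAC.

    Assumption: the last eight hex digits are used (the article does not say which).
    """
    digits = f"{mac_to_int(wan_mac):012x}"[-8:]
    return "".join(SUBST[d] for d in digits)


def candidate_passphrases(wlan_mac: str, offsets=(1, 2)) -> list[str]:
    """Attacker side. The WLAN MAC is broadcast in every beacon frame; the WAN MAC
    is WLAN MAC + 1 or + 2 depending on model, so only len(offsets) passphrases
    need to be tried instead of the full WPA2-PSK keyspace."""
    base = mac_to_int(wlan_mac)
    return [default_passphrase(int_to_mac(base + off)) for off in offsets]


def random_passphrase(length: int = 20) -> str:
    """What a default should be: drawn from a CSPRNG, independent of any identifier
    the device will ever broadcast or print on its label."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    wlan = "00:1f:33:aa:bb:cc"  # constructed sample, not a real device
    print("observed WLAN MAC :", wlan)
    print("candidate PSKs    :", candidate_passphrases(wlan))
    print("a sane default    :", random_passphrase())
```

Running the block prints the two candidate passphrases an attacker would try after sniffing a single beacon frame. The check a practitioner wants is the one `candidate_passphrases` makes explicit: if the secret can be recomputed from anything the device discloses, the key length of the protocol protecting it is irrelevant.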