
A Response to Mike Schmitt's Clarion Call
Topic: Miscellaneous 5:43 pm EDT, Mar 27, 2015

On Monday, JustSecurity published an article by Mike Schmitt titled Preparing for Cyber War: A Clarion Call. It's a great article that highlights a bunch of the thorny issues in International law that remain unresolved, which we ought to take the time to sort out before a conflict arises that demands immediate answers. The biggest of these, in my mind, is the question of whether, or when, destruction of data meets the criteria of an armed attack. I think Schmitt is absolutely right here - real world events are going to demonstrate that destruction of data can be significant enough to alter the strategic course of nation states.

One thing that struck me about the narrative of the article is how quickly the possibility of defending a nation against attacks is dismissed:

In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one size fits all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.

The article then proceeds to dig into the third point - looking at different ways in which strike back is complicated by attributional factors and the potential for collateral damage. Although those concerns raise a number of great legal questions, which is really the focus of the article, from a practical standpoint in terms of preparedness, I think the first two points demand greater scrutiny as well.

I've spent years designing Intrusion Detection technology, and I don't think the countermeasure situation is necessarily all that different from the kinetic example Schmitt references. A variety of aspects of an attacker's TTPs can be embedded into network signatures, including the vulnerabilities targeted, the malware, and the command and control points and protocols. Part of the trouble is the amount of time it takes to get that information embedded into network defenses (Schmitt's second point). However, that response time could be reduced by building better operational processes that allow threat information shared by the government to be put into production by network operators and managed security service providers in an automated fashion. The more integrated these systems are, the better equipped the government will be to rapidly respond when it's necessary. We need to tighten the OODA loop here. ... [ Read More (0.3k in body) ]
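As an added example (not from the original post, and not modelled on any real government feed), here is a small Python pipeline of the kind the paragraph describes: it takes a shared indicator feed, validates and de-duplicates it, and renders Suricata rules with deterministic SIDs so that re-importing a feed updates rules instead of duplicating them. The feed contents, the rule messages and the SID range are constructed assumptions.

```python
import ipaddress
import json
import re
import zlib

# Constructed sample of a shared indicator feed (not a real feed); the last two entries are bad input.
SHARED_FEED = json.dumps([
    {"type": "domain", "value": "c2.example.invalid", "ref": "advisory-001"},
    {"type": "ipv4", "value": "203.0.113.7", "ref": "advisory-001"},
    {"type": "ipv4", "value": "999.1.1.1", "ref": "advisory-003"},           # malformed, must be rejected
    {"type": "domain", "value": "C2.example.invalid", "ref": "advisory-004"},  # duplicate, must be dropped
])

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SID_BASE = 9_000_000  # assumed local rule range, free on the sensors

def sid_for(kind, value):
    """Deterministic SID: the same indicator always maps to the same rule id, so re-imports update in place."""
    return SID_BASE + (zlib.crc32(f"{kind}:{value}".encode()) % 1_000_000)

def render(entry):
    """Turn one indicator into a Suricata rule string, or None if it fails validation."""
    kind, value, ref = entry["type"], entry["value"].strip().lower(), entry["ref"]
    if kind == "domain" and DOMAIN_RE.match(value):   # regex also keeps quotes/semicolons out of the rule
        return (f'alert dns any any -> any any (msg:"C2 domain {value} ({ref})"; '
                f'dns.query; content:"{value}"; nocase; sid:{sid_for(kind, value)}; rev:1;)')
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return None
        return (f'alert ip $HOME_NET any -> {value} any (msg:"C2 address {value} ({ref})"; '
                f'sid:{sid_for(kind, value)}; rev:1;)')
    return None  # unknown indicator type or malformed domain

def feed_to_rules(feed_json):
    """Validate, de-duplicate and render a feed; returns (rules, rejected_entries)."""
    rules, rejected, seen = [], [], set()
    for entry in json.loads(feed_json):
        key = (entry["type"], entry["value"].strip().lower())
        if key in seen:
            continue
        seen.add(key)
        rule = render(entry)
        if rule is None:
            rejected.append(entry)
        else:
            rules.append(rule)
    return rules, rejected
```

The rejected list is the part worth wiring into the process: a malformed or duplicated entry in a shared feed should be reported back, not pushed to production sensors where it would either fail to load or generate noise.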

RE: at the ragged edge
Topic: Miscellaneous 12:03 pm EDT, Mar 26, 2015

noteworthy wrote:
Astro Teller, on Google Glass:

I'm amazed by how sensitively people responded to some of the privacy issues. When someone walks into a bar wearing Glass ... there are video cameras all over that bar recording everything.

They STILL don't understand what went wrong with Google Glass!? I'll try to write more about this later, but this has the appearances of a serious cultural/institutional blindspot within Google. They really believe that privacy is irrelevant and they just can't wrap their heads around evidence to the contrary. It reminds me of that Upton Sinclair quote: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The problem is that given the amount of information Google has been entrusted with, their failure to understand this failure means that it may be repeated in other contexts where the stakes are higher.

Why I don't agree with Access on Wassenaar's scope, even though I wish I could.
Topic: Miscellaneous 1:30 pm EDT, Mar 13, 2015

Earlier this month Collin Anderson at Access published a whitepaper on the new Wassenaar controls relating to "intrusion software."

The whitepaper takes the position that the exchange of exploits and vulnerability information across borders is completely outside of the scope of what is controlled by Wassenaar. The whitepaper asserts that:

Exploitation is not concomitant with Intrusion Software nor is vulnerability research necessarily Intrusion Software development.

I'd like to think that's the case, but when I read the Wassenaar text I have trouble reaching the same conclusion. Even if Wassenaar didn't intend to cover vulnerability research, the text they wrote certainly seems to do so. I've come away with the conclusion that the Wassenaar authors may have crafted their policy under an erroneous understanding of how exploitation works.

Wassenaar defines "Intrusion Software" as follows:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Let's expand that part about defeating 'protective countermeasures', as those are also defined specifically in the Wassenaar text:

"Software" specially designed or modified to defeat techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing, of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

This seems to be a perfect description of an exploit. In fact, I don't think that I could have written a clearer legal definition for "exploit" if I tried.

An exploit is software that modifies the standard execution path of a program in order to allow the execution of externally provided instructions. These days, most operating systems have countermeasures that are designed to make it difficult to write an exploit. Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are examples of exploit countermeasures. If you're going to write a successful exploit for a modern operating system in this day and age, you have to contend with and defeat those countermeasures most of the time.

So, most exploits that are being written today meet both of these criteria. They defeat a countermeasure like DEP and then modify the execution path in order to ... [ Read More (1.0k in body) ]
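As an added illustration (not part of the original post), here is a Python checker that reads a 64-bit Linux ELF image's headers and reports whether it was built to benefit from the two countermeasures the definition names: ASLR (a position-independent executable, ELF type ET_DYN) and a non-executable stack (NX, the Linux form of DEP, recorded in the PT_GNU_STACK program header). The images it is exercised on are constructed by make_elf and are not real binaries.

```python
import struct

# ELF constants from the ELF64 specification and the Linux ABI.
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def check_mitigations(elf):
    """Return {"pie": bool, "nx_stack": bool} for a 64-bit little-endian ELF image.
    A missing PT_GNU_STACK header is reported as an executable stack, which is how the
    Linux loader treats it, so a binary that omits the header does not get a free pass."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx = False  # assume executable stack until a PT_GNU_STACK entry says otherwise
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx}

def make_elf(e_type, stack_flags=None):
    """Build a minimal, non-runnable ELF64 image (constructed test input, not a real binary).
    stack_flags=None omits PT_GNU_STACK entirely; otherwise one such header is emitted."""
    phdrs = b"" if stack_flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)              # e_ident: ELFCLASS64, LSB, v1
            + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                          64, 56, 1 if phdrs else 0, 64, 0, 0))       # x86-64, phdrs right after ehdr
    return ehdr + phdrs
```

ET_DYN also covers shared libraries, and a PIE only gets its addresses randomised if the kernel's ASLR is switched on, so read the result as a build-time check rather than proof of the runtime state.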

My comments to BIS regarding Intrusion Software
Topic: Miscellaneous 4:13 pm EDT, Mar 12, 2015


I'm writing you because my understanding is that BIS is currently in the process of considering implementation of the new Wassenaar controls related to "Intrusion Software." These controls have started to raise some concerns within the professional community associated with information security vulnerability research. I asked XXXXXXXXXXXXX who I might reach out to in order to provide some input and he suggested that I start by emailing the two of you.

I appreciate your time in reading this. I have some experience working with the EAR as a technical SME within export compliance programs at IBM and Internet Security Systems, and I have a great deal of professional experience with security vulnerability research and coordination, so I believe I have sufficient experience to provide you with an informed perspective.

Although there are a number of different concerns that have been raised regarding these new controls, I want to focus my comments specifically on the Category 4.E.1.C controls on "technology" for the "development" of "intrusion software." I don't believe that the potential unintended consequences of the technology controls in particular have received enough emphasis in the comments that I have read to date by other parties.

Computer security professionals use the word "vulnerability" to refer to a flaw in a software system which allows another program, such as an "intrusion" program, to modify "the standard execution path of a program or process in order to allow the execution of externally provided instructions." A great deal of the work that we do in information security has to do with finding and fixing these vulnerabilities, and that work involves getting information about newly discovered vulnerabilities into the hands of people who are in a position to fix them before that information falls into the hands of computer criminals. The exchange of information about these vulnerabilities is the life blood of information security, and that exchange often happens behind closed doors, across international borders, and sometimes, in exchange for money.

Unfortunately, the technical information that you would provide another person about a security vulnerability if you wanted them to fix it is the exact same information that you would provide them if you wanted to enable them to write an "intrusion program" that exploits it. In fact, one of the jobs that I personally held at IBM and Internet Security Systems was to take information about vulnerabilities that was provided to us and use that information to implement a corresponding "intrusion program" so that we could verify that the vulnerability had been fixed properly.

Therefore, an export control on "technology" for the "development" of "intrusion software" may wind up also controlling the exchange of information needed to fix the flaws that "intrusion software" takes advantage of. Any export control regime that d... [ Read More (0.5k in body) ]

Humera Khan | Washington's Top-Down Approach to Countering Violent Extremism Fails to Include Civil Society | Foreign Affairs
Topic: Miscellaneous 11:56 am EST, Feb 20, 2015

The objective of counter-extremism messaging should be to dissuade people from supporting violence, not to defend policy choices made by lawmakers and politicians. This messaging is best done by non-government actors,

This might be the single most intelligent thing I've read on counter terrorism since 9/11.

We've engaged in mountains of bullshit - preemptive wars, torture chambers, totalitarian surveillance. There is very little evidence that any of it is effective and it's all stuff we should have known wasn't going to work.

What people want is "pre-crime." But "pre-crime" is by definition not criminal and so it's something that law enforcement simply isn't equipped to deal with.

This is more like suicide counseling than law enforcement. Instead of identifying at-risk individuals and throwing them in dungeons, you identify at-risk individuals and you help them make better choices.

Why has this insight been missing from the dialog for so long?

The War Nerd: Boko Haram and the Demon Consensus | PandoDaily
Topic: Miscellaneous 6:14 pm EST, Feb 5, 2015

This is why I love the War Nerd:

“Yup, in today’s inverted-neocon Left dumbery, it’s assumed you’re a *reactionary* if you care about sub-Saharan African victims of Arab/Muslim religious jihadis…It goes something like this: The US is the most powerful on the planet, and power is evil. So anything at all that is anti-American is good because it’s fighting Power; anything that distracts from that is evil; and anything that America professes to care about is even eviler, because of America’s monstrous hypocrisy.

“It makes you dumb just writing that down, but it’s Assange’s worldview and it’s pretty much the dominant Left’s as well.”

Sometimes it helps to keep in mind that most people just don't understand how to tell right from wrong, and nearly everyone is lying to them about it - but they are lies that they want to believe.

EFF Statement on President Obama's Cybersecurity Legislative Proposal | Electronic Frontier Foundation
Topic: Miscellaneous 12:35 am EST, Jan 14, 2015

Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.

R. Crumb on the Cartoon War
Topic: Miscellaneous 4:21 am EST, Jan 12, 2015

Given the stream of uninformed politically partisan claptrap coming out of all sides on the American political spectrum at the moment this link is worth sharing. R. Crumb understands Charlie Hebdo in context.

RE: with blindfold removed
Topic: Miscellaneous 9:22 am EST, Jan 11, 2015

Teju Cole:

It is necessary to understand that free speech and other expressions of liberté are already in crisis in Western societies; the crisis was not precipitated by three deranged gunmen.

We may not be able to attend to each outrage in every corner of the world, but we should at least pause to consider how it is that mainstream opinion so quickly decides that certain violent deaths are more meaningful, and more worthy of commemoration, than others.

For what it's worth, I am extremely unimpressed with this and the horde of similar pieces streaming out of the American left at the moment. Nearly every argument that is made in this essay is refutable, from the extremely ignorant mischaracterization of Charlie Hebdo as racist, to the false equivalency regarding people who violated security clearances.

It seems that people on the left just aren't comfortable with the fact that sometimes, members of the oppressed masses that they take pity on do things which are, in fact, evil, and not merely an understandable reaction to their circumstances. Evil is a thing that people are capable of regardless of their social position. It is not something that the powers that be have a monopoly on.

Don't you dare call it an intelligence failure.
Topic: Miscellaneous 12:04 am EST, Jan 11, 2015

It seems the unease I expressed earlier in the week was warranted.

We were told that we needed to record everybody's telecom metadata in order to find the needles in the haystack. It's not clear that many needles have been found that way, but regardless, we already had THESE particular needles. We didn't need the telecom metadata program to find them. And, apparently, having the needles isn't enough.

A rational question to ask is why, if these people were on watch lists, were they able to successfully carry out an attack? If it's a matter of resources, then it's reasonable to ask why we don't invest more resources in actually keeping track of known suspected terrorists. If there isn't enough money to go around, perhaps that is because we've spent too much money chasing unknown unknowns and not enough money chasing known unknowns? Even if you don't buy that, then perhaps you'd accept that you simply ought to be spending more total money on anti-terrorism if your country is being deluged with militants returning from Syria and you can't keep track of them all effectively?

Of course, we're not going to be allowed to ask those questions. You see, there is no such thing as an "intelligence failure." The intelligence community is beyond question and it is not appropriate to think critically about their strategy or focus.

The problem we have is the ancient right of habeas corpus. If you want fewer terrorist attacks, you're going to have to get rid of that.

Nice western civilization you've got there, with all your silly little historical precedents. It would be a shame if something happened to it.