
NASA Captures "EPIC" Earth Image | NASA
Topic: Miscellaneous 12:05 pm EDT, Jul 22, 2015

The last time anyone took a real picture of the whole earth from space, it was 1972.

The image was taken July 6, 2015, showing North and Central America. The central turquoise areas are shallow seas around the Caribbean islands. This Earth image shows the effects of sunlight scattered by air molecules, giving the image a characteristic bluish tint. The EPIC team is working to remove this atmospheric effect from subsequent images. Once the instrument begins regular data acquisition, EPIC will provide a daily series of Earth images allowing for the first time study of daily variations over the entire globe. These images, available 12 to 36 hours after they are acquired, will be posted to a dedicated web page by September 2015.


Comments on the Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items
Topic: Miscellaneous 7:57 pm EDT, Jul 20, 2015

Submitted by:
Tom Cross
CTO – Drawbridge Networks

Thank you for opening a public comment period regarding the proposed implementation of export controls on Intrusion items. I am writing because I believe that these regulations may interfere with important work that computer security professionals do to protect the Internet from attacks. Breaches of both government and private sector computer networks are a regular item in the headlines, and they have significant impacts on our economy and our national security. The recently disclosed breach at the Office of Personnel Management, which resulted in the loss of security clearance information about millions of Americans, is a stark example of the problem that we are trying to combat.

The Bureau of Industry and Security (BIS) should exercise caution before taking steps that could make this problem worse than it already is. Export controls on computer security information can have a chilling effect on important international collaboration, even if that is not intended. Furthermore, it may be difficult to measure the security failures that are the secondary effects of that breakdown in collaboration.

I am qualified to address this topic because I have professional expertise with both US Export Controls and Computer Security Vulnerability Research. From 2003 to 2012 I worked for Internet Security Systems (ISS), which was acquired by IBM in 2006.

At ISS, I served as an engineering advisor to their export compliance program. I helped the company understand how the software we were building fit into the framework of US Export Controls. In collaboration with our attorneys, I wrote Letters of Explanation to BIS for a number of different Export Classifications and I wrote one Commodities Jurisdiction request to the State Department.

Additionally, as part of my job, I engaged in primary computer security vulnerability research and for some time I managed the organization’s vulnerability research work. I identified vulnerabilities in popular commercial software applications, disclosed those vulnerabilities to the responsible software vendors, and worked with them to fix those issues. I participated in security industry information sharing programs in which technical information about vulnerabilities, and attack tools, is privately shared between information security companies, coordination centers, and the broader software industry. I had access through those programs to more technical detail about certain security vulnerabilities than was ever disclosed to the general public. It was my responsibility to ensure that ISS’s products correctly detected attack activity targeting those vulnerabilities. Those products are used by thousands of organizations around the world to protect their computer networks from attack.

I have broken my comments into four sections:

I. Technical Information about computer security issues that i... [ Read More (1.8k in body) ]

Warrantless airport seizure of laptop “cannot be justified,” judge rules | Ars Technica
Topic: Miscellaneous 3:50 pm EDT, May 13, 2015

The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable.


Why Chafee for President actually makes sense |
Topic: Miscellaneous 11:01 am EDT, Apr 13, 2015

The Democratic presidential primary is looking pretty dull right now – just a long march to inevitable victory by Hillary Clinton. Reporters are going to be looking for other stories to cover over the next year, and a quixotic campaign by the quotable and unpredictable Chafee could be excellent copy. Plus, the press thrives on conflict, and Chafee doesn’t mind picking a fight – he could make the TV debates significantly more interesting, particularly if he’s more willing than, say, O’Malley to throw a haymaker at Hillary. (And oh look, he’s already doing just that.)


Apple and the Self-Surveillance State -
Topic: Miscellaneous 1:31 pm EDT, Apr 11, 2015

Paul Krugman in favor of the surveillance state:

First, most people probably don’t have that much to be private about; most of us don’t actually have double lives and deep secrets — at most we have minor vices, and the truth is that nobody cares. Second, lack of privacy is actually part of the experience of being rich — the chauffeur, the maids, and the doorman know all, but are paid not to tell, and the same will be true of their upper-middle-class digital versions. The rich already live in a kind of privatized surveillance state; now the opportunity to live in a gilded fishbowl is being (somewhat) democratized.

Gosh, where do I sign up!

I posted this largely because of its absurd, "let them eat cake" quality, which was also echoed in another recent Krugman column in which he wrote:

There are almost no genuine libertarians in America — and the people who like to use that name for themselves do not, in reality, love liberty.

What an incredibly arrogant thing to say! There are many people involved with libertarianism who've worked hard to preserve individual liberties, and there are many people involved with the left who have authoritarian views associated with their own, personal economic and social interests and don't give a damn about level playing fields other than as a selling point.


In NSA-intercepted data, those not targeted far outnumber the foreigners who are - The Washington Post
Topic: Miscellaneous 10:26 pm EDT, Mar 31, 2015

There have been so many useless Snowden disclosures that I didn't notice this. This is important, primarily because of the assurances that all the data is extremely difficult to access without authorization.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”

Yes, he did...


Wikimedia v. NSA: Standing and the Fight for Free Speech and Privacy | Just Security
Topic: Miscellaneous 9:32 pm EDT, Mar 31, 2015

When I first saw this suit I ignored it, but it may have more merit than I originally thought.

the government itself has now acknowledged and confirmed many of the key facts about the NSA’s upstream surveillance, including the fact that it conducts suspicionless searches of the contents of communications for information “about” its targets. These facts fundamentally change the standing equation: now we know that the NSA isn’t surveilling only its targets, but it’s instead surveilling everyone, looking for information about those targets. Finally, the volume of the plaintiffs’ international communications is so incredibly large that there is simply no way the government could conduct upstream surveillance without sweeping up a substantial number of those communications. In short, the plaintiffs in Wikimedia v. NSA have standing because the NSA is copying and searching substantially all international text-based communications, including theirs.

If it's content, it's not metadata, so all the rationalizations about metadata go out the window. We're talking about US to foreign traffic. Although the border search exemption is extremely broad, allowing for this would undermine all the rationalizations from the courts over the years that there is some limit to it. What's that leave?

1. Richard Posner's fucked up argument that the 4th Amendment doesn't prohibit robots from watching you because they don't have emotions.

2. The idea that there is a general "intelligence collection" exception to the fourth amendment.

3. The idea that the Constitution requires the exact minimization procedures that happen to be in place. How prescient of them.

Either way, it'll be fun to watch.


A Response to Mike Schmitt's Clarion Call
Topic: Miscellaneous 5:43 pm EDT, Mar 27, 2015

On Monday, JustSecurity published an article by Mike Schmitt titled Preparing for Cyber War: A Clarion Call. It's a great article that highlights several thorny, unresolved issues in international law that we ought to take the time to sort out before a conflict arises that demands immediate answers. The biggest of these, in my mind, is the question of whether, or when, destruction of data meets the criteria of an armed attack. I think Schmitt is absolutely right here - real world events are going to demonstrate that destruction of data can be significant enough to alter the strategic course of nation states.

One thing that struck me about the narrative of the article is how quickly the possibility of defending a nation against attacks is dismissed:

In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one size fits all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.

The article then proceeds to dig into the third point - looking at different ways in which striking back is complicated by attribution and the potential for collateral damage. Although those concerns raise a number of great legal questions, which is really the focus of the article, from a practical standpoint in terms of preparedness I think the first two points demand greater scrutiny as well.

I've spent years designing Intrusion Detection technology, and I don't think the countermeasure situation is necessarily all that different from the kinetic example Schmitt references. A variety of aspects of an attacker's TTPs can be embedded into network signatures, including the vulnerabilities targeted, the malware, and the command and control points and protocols. Part of the trouble is the amount of time it takes to get that information embedded into network defenses (Schmitt's second point). However, that response time could be reduced by building better operational processes that allow threat information shared by the government to be put into production by network operators and managed security service providers in an automated fashion. The more integrated these systems are, the better equipped the government will be to respond rapidly when it's necessary. We need to tighten the OODA loop here. ... [ Read More (0.3k in body) ]

RE: at the ragged edge
Topic: Miscellaneous 12:03 pm EDT, Mar 26, 2015

noteworthy wrote:
Astro Teller, on Google Glass:

I'm amazed by how sensitively people responded to some of the privacy issues. When someone walks into a bar wearing Glass ... there are video cameras all over that bar recording everything.

They STILL don't understand what went wrong with Google Glass!? I'll try to write more about this later, but this has the appearance of a serious cultural/institutional blind spot within Google. They really believe that privacy is irrelevant and they just can't wrap their heads around evidence to the contrary. It reminds me of that Upton Sinclair quote: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The problem is that given the amount of information Google has been entrusted with, their failure to understand this failure means that it may be repeated in other contexts where the stakes are higher.


Why I don't agree with Access on Wassenaar's scope, even though I wish I could.
Topic: Miscellaneous 1:30 pm EDT, Mar 13, 2015

Earlier this month Collin Anderson at Access published a whitepaper on the new Wassenaar controls relating to "intrusion software."

The whitepaper takes the position that the exchange of exploits and vulnerability information across borders is completely outside the scope of what is controlled by Wassenaar. The whitepaper asserts that:

Exploitation is not concomitant with Intrusion Software nor is vulnerability research necessarily Intrusion Software development.

I'd like to think that's the case, but when I read the Wassenaar text I have trouble reaching the same conclusion. Even if Wassenaar didn't intend to cover vulnerability research, the text they wrote certainly seems to do so. I've come away with the conclusion that the Wassenaar authors may have crafted their policy under an erroneous understanding of how exploitation works.

Wassenaar defines "Intrusion Software" as follows:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Let's expand the part about defeating 'protective countermeasures', as those are also defined specifically in the Wassenaar text:

"Software" specially designed or modified to defeat techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing, of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

This seems to be a perfect description of an exploit. In fact, I don't think that I could have written a clearer legal definition for "exploit" if I tried.

An exploit is software that modifies the standard execution path of a program in order to allow the execution of externally provided instructions. These days, most operating systems have countermeasures that are designed to make it difficult to write an exploit. Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are examples of exploit countermeasures. If you're going to write a successful exploit for a modern operating system in this day and age, you have to contend with and defeat those countermeasures most of the time.

So, most exploits that are being written today meet both of these criteria. They defeat a countermeasure like DEP and then modify the execution path in order to ... [ Read More (1.0k in body) ]
