
RE: the more fraught question
Topic: Miscellaneous 10:47 am EDT, Jun 23, 2015

Sam Biddle:

The brightest and buzziest apps aren't about connecting me to you, but rather about never forcing us to acknowledge that anyone else exists in real life as anything but the help.

What makes the pervading mythologies so frustrating is the smug certainty of Silicon Valley that its contributions to society are more important than every other industry's. It's not that we can't deal with assholes in our national midst (there's no innovating our way out of that); it's that no prior cohort of rich pricks have fooled themselves, and the rest of us, so thoroughly.

I agree with the synopsis that Silicon Valley ought to have its critics, but it seems to have become popular as of late among the left to ground that criticism in the oversimplified dogma of their identity politics. This article is noteworthy, both for its accurate description of the views of tech workers and its sneering judgement of the same.

There aren't enough women in engineering, and that isn't a problem that Silicon Valley can solve.

Certainly, there are good things that Silicon Valley can do. They can invest some of their riches in building programs that encourage young girls to have confidence in their ability to create things with technology and they can work to ensure that their work environments are positive ones for all of their employees, but both of those things are happening, and neither will solve the problem.

It will take multiple generations of concerted effort to change a culture that does not encourage girls to make things, and the effort to change that culture needs to be focused on the experience of children - the toys we make for them, the things we teach them in school, and the encouragement that they get from the adults around them. Silicon Valley is not in charge of raising the nation's children, and no matter how much you yell at Silicon Valley, it won't change how children are raised.

Therefore, the people who make money writing outrage columns have found themselves a bottomless well. For the foreseeable future, there will not be enough women in engineering, and that will always be because the tech industry is a terrible place full of "rich pricks," rather than because of how we raise our children.

That's why I think the article about Randroids is prescient. What happens when someone keeps yelling at you, over and over again, about a problem you can't solve? You do everything you can to help but it's not enough, and they keep yelling at you and blaming you. Eventually, you have to remove that person from your life.

As the left continues to make a sport of hating the tech industry, the tech industry, all its votes and all its money, is going to leave the left. People like Rand Paul will be the beneficiaries of this, and over time you'll see them soften their rhetoric in order to appeal to this constituency.


Warrantless airport seizure of laptop “cannot be justified,” judge rules | Ars Technica
Topic: Miscellaneous 3:50 pm EDT, May 13, 2015

The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable.


Why Chafee for President actually makes sense |
Topic: Miscellaneous 11:01 am EDT, Apr 13, 2015

The Democratic presidential primary is looking pretty dull right now – just a long march to inevitable victory by Hillary Clinton. Reporters are going to be looking for other stories to cover over the next year, and a quixotic campaign by the quotable and unpredictable Chafee could be excellent copy. Plus, the press thrives on conflict, and Chafee doesn’t mind picking a fight – he could make the TV debates significantly more interesting, particularly if he’s more willing than, say, O’Malley to throw a haymaker at Hillary. (And oh look, he’s already doing just that.)


Apple and the Self-Surveillance State -
Topic: Miscellaneous 1:31 pm EDT, Apr 11, 2015

Paul Krugman in favor of the surveillance state:

First, most people probably don’t have that much to be private about; most of us don’t actually have double lives and deep secrets — at most we have minor vices, and the truth is that nobody cares. Second, lack of privacy is actually part of the experience of being rich — the chauffeur, the maids, and the doorman know all, but are paid not to tell, and the same will be be true of their upper-middle-class digital versions. The rich already live in a kind of privatized surveillance state; now the opportunity to live in a gilded fishbowl is being (somewhat) democratized.

Gosh, where do I sign up!

I posted this largely because of its absurd, "let them eat cake" quality, which was also echoed in another recent Krugman column in which he wrote:

There are almost no genuine libertarians in America — and the people who like to use that name for themselves do not, in reality, love liberty.

What an incredibly arrogant thing to say! There are many people involved with libertarianism who've worked hard to preserve individual liberties, and there are many people involved with the left who have authoritarian views associated with their own, personal economic and social interests and don't give a damn about level playing fields other than as a selling point.


In NSA-intercepted data, those not targeted far outnumber the foreigners who are - The Washington Post
Topic: Miscellaneous 10:26 pm EDT, Mar 31, 2015

There have been so many useless Snowden disclosures that I didn't notice this. This is important, primarily because of the assurances that all the data is extremely difficult to access without authorization.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”

Yes, he did...


Wikimedia v. NSA: Standing and the Fight for Free Speech and Privacy | Just Security
Topic: Miscellaneous 9:32 pm EDT, Mar 31, 2015

When I first saw this suit I ignored it, but it may have more merit than I originally thought.

the government itself has now acknowledged and confirmed many of the key facts about the NSA’s upstream surveillance, including the fact that it conducts suspicionless searches of the contents of communications for information “about” its targets. These facts fundamentally change the standing equation: now we know that the NSA isn’t surveilling only its targets, but it’s instead surveilling everyone, looking for information about those targets. Finally, the volume of the plaintiffs’ international communications is so incredibly large that there is simply no way the government could conduct upstream surveillance without sweeping up a substantial number of those communications. In short, the plaintiffs in Wikimedia v. NSA have standing because the NSA is copying and searching substantially all international text-based communications, including theirs.

If it's content, it's not metadata, so all the rationalizations about metadata go out the window. We're talking about US-to-foreign traffic. Although the border search exemption is extremely broad, allowing for this would undermine all the rationalizations from the courts over the years that there is some limit to it. What's that leave?

1. Richard Posner's fucked up argument that the 4th Amendment doesn't prohibit robots from watching you because they don't have emotions.

2. The idea that there is a general "intelligence collection" exception to the fourth amendment.

3. The idea that the Constitution requires the exact minimization procedures that happen to be in place. How prescient of them.

Either way, it'll be fun to watch.


A Response to Mike Schmitt's Clarion Call
Topic: Miscellaneous 5:43 pm EDT, Mar 27, 2015

On Monday, JustSecurity published an article by Mike Schmitt titled Preparing for Cyber War: A Clarion Call. It's a great article that highlights a bunch of the thorny issues in international law that remain unresolved and that we ought to take the time to sort out before a conflict arises that demands immediate answers. The biggest of these, in my mind, is the question of whether or not, or when, destruction of data meets the criteria of an armed attack. I think Schmitt is absolutely right here: real world events are going to demonstrate that destruction of data can be significant enough to alter the strategic course of nation states.

One thing that struck me about the narrative of the article is how quickly the possibility of defending a nation against attacks is dismissed:

In kinetic warfare, it is usually possible to eventually develop a counter-measure that deprives a weapon of its effectiveness, at least until development of a counter-countermeasure. For instance, Israel’s Iron Dome has achieved a very high success rate against rockets fired at urban areas. In cyber space, however, such a “fix” with respect to protecting the civilian population is less likely for three reasons. First, malware is very diverse and one size fits all countermeasures are usually unattainable. Second, the general population does not patch and update systems with sufficient frequency and care to reliably protect them from attack. Finally, technical attribution can be very difficult in cyber space, thereby making shooting back problematic.

The article then proceeds to dig into the third point - looking at different ways in which strike back is complicated by attributional factors and the potential for collateral damage. Although those concerns raise a number of great legal questions, which is really the focus of the article, from a practical standpoint in terms of preparedness, I think the first two points demand greater scrutiny as well.

I've spent years designing Intrusion Detection technology, and I don't think the countermeasure situation is necessarily all that different from the kinetic example Schmitt references. A variety of aspects of an attacker's TTPs can be embedded into network signatures, including the vulnerabilities targeted, the malware, and the command and control points and protocols. Part of the trouble is the amount of time it takes to get that information embedded into network defenses (Schmitt's second point). However, that response time could be reduced by building better operational processes that allow threat information shared by the government to be put into production by network operators and managed security service providers in an automated fashion. The more integrated these systems are, the better equipped the government will be to rapidly respond when it's necessary. We need to tighten the OODA loop here. ... [ Read More (0.3k in body) ]
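As an added illustration of the automation point in the post above (this is example code written for this page, not the post's own or any vendor's or government feed format), the script below takes a constructed, hand-written list of the kinds of indicators the post names (a targeted vulnerability expressed as an HTTP request pattern, a malware file hash, and command-and-control endpoints), validates each entry, renders the network-matchable ones as Suricata-style rules with sids allocated from a fixed range, diverts file hashes to a hash list as Suricata's filesha256 keyword expects, and then replays the same indicators over a few constructed connection-log lines, the kind of pre-deployment check an operator wants before generated rules go into production. It goes slightly beyond the post by handling several indicator types in one pipeline. The indicator record shape, the hostnames and addresses (documentation ranges), the reference labels, and the one-JSON-object-per-line log format are all assumptions made for the example.

```python
import ipaddress
import json
import re

# Constructed sample of shared indicators. The record shape is an assumption for
# this example, not any real government or vendor sharing format.
SHARED_INDICATORS = [
    {"type": "c2-domain", "value": "update.example-c2.test", "ref": "report-A"},
    {"type": "c2-ip", "value": "203.0.113.45", "ref": "report-A"},
    {"type": "http-uri", "value": "/cgi-bin/status.cgi?cmd=", "ref": "advisory-1"},
    {"type": "file-sha256", "value": "a" * 64, "ref": "report-B"},
    {"type": "c2-ip", "value": "not-an-ip", "ref": "broken-entry"},  # deliberately bad
]

# Constructed connection log, one JSON object per line (an invented minimal format).
SAMPLE_LOG = """\
{"ts": "2015-03-27T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45"}
{"ts": "2015-03-27T10:00:02Z", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "dns_query": "UPDATE.EXAMPLE-C2.TEST"}
{"ts": "2015-03-27T10:00:03Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.20", "http_uri": "/cgi-bin/status.cgi?cmd=id"}
{"ts": "2015-03-27T10:00:04Z", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.20", "http_uri": "/index.html"}
"""

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def is_valid(ind):
    """Reject malformed indicators so a bad feed entry cannot become a bad rule."""
    t, v = ind.get("type"), ind.get("value", "")
    if t == "c2-domain":
        return bool(_DOMAIN_RE.match(v))
    if t == "c2-ip":
        try:
            ipaddress.ip_address(v)
            return True
        except ValueError:
            return False
    if t == "http-uri":
        return v.startswith("/") and len(v) > 1
    if t == "file-sha256":
        return bool(_SHA256_RE.match(v))
    return False


def _content(s):
    # Suricata content strings must escape ; \ " and |
    return re.sub(r'([;\\"|])', r"\\\1", s)


def to_suricata_rule(ind, sid):
    """Render one network indicator as a Suricata rule (hashes are handled separately)."""
    v, ref = ind["value"], _content(ind["ref"])
    if ind["type"] == "c2-domain":
        return (f'alert dns any any -> any any (msg:"C2 domain {_content(v)} ({ref})"; '
                f'dns.query; content:"{_content(v)}"; nocase; sid:{sid}; rev:1;)')
    if ind["type"] == "c2-ip":
        return f'alert ip any any -> {v} any (msg:"C2 address {v} ({ref})"; sid:{sid}; rev:1;)'
    if ind["type"] == "http-uri":
        return (f'alert http any any -> any any (msg:"Exploit attempt ({ref})"; '
                f'flow:established,to_server; http.uri; content:"{_content(v)}"; sid:{sid}; rev:1;)')
    return None


def generate_rules(indicators, base_sid=1000000):
    """Turn a shared indicator list into deployable artefacts, reporting rejected entries."""
    rules, hash_list, rejected = [], [], []
    sid = base_sid
    for ind in indicators:
        if not is_valid(ind):
            rejected.append(ind.get("ref", "?"))
            continue
        if ind["type"] == "file-sha256":
            hash_list.append(ind["value"].lower())  # feeds a filesha256 list file
            continue
        rules.append((sid, to_suricata_rule(ind, sid)))
        sid += 1
    return {"rules": rules, "hash_list": hash_list, "rejected": rejected}


def match_log(log_text, indicators):
    """Replay valid indicators over log lines; returns (ts, type, ref) per hit."""
    valid = [i for i in indicators if is_valid(i)]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        query = (rec.get("dns_query") or "").lower()
        for ind in valid:
            t, v = ind["type"], ind["value"]
            hit = ((t == "c2-ip" and rec.get("dst_ip") == v)
                   or (t == "c2-domain" and (query == v.lower() or query.endswith("." + v.lower())))
                   or (t == "http-uri" and v in (rec.get("http_uri") or ""))
                   or (t == "file-sha256" and (rec.get("file_sha256") or "").lower() == v.lower()))
            if hit:
                hits.append((rec["ts"], t, ind["ref"]))
    return hits


if __name__ == "__main__":
    out = generate_rules(SHARED_INDICATORS)
    for _, rule in out["rules"]:
        print(rule)
    print("hash list:", out["hash_list"], "rejected:", out["rejected"])
    for hit in match_log(SAMPLE_LOG, SHARED_INDICATORS):
        print("HIT", *hit)
```

The validation step is the part that matters operationally: once rule generation is automated, a malformed or malicious feed entry can take a sensor down or flood it with alerts, so anything that fails validation is reported rather than silently deployed, and sids come from a reserved range so generated rules never collide with a hand-maintained ruleset.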

RE: at the ragged edge
Topic: Miscellaneous 12:03 pm EDT, Mar 26, 2015

noteworthy wrote:
Astro Teller, on Google Glass:

I'm amazed by how sensitively people responded to some of the privacy issues. When someone walks into a bar wearing Glass ... there are video cameras all over that bar recording everything.

They STILL don't understand what went wrong with Google Glass!? I'll try to write more about this later, but this has the appearances of a serious cultural/institutional blindspot within Google. They really believe that privacy is irrelevant and they just can't wrap their heads around evidence to the contrary. It reminds me of that Upton Sinclair quote: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The problem is that given the amount of information Google has been entrusted with, their failure to understand this failure means that it may be repeated in other contexts where the stakes are higher.


Why I don't agree with Access on Wassenaar's scope, even though I wish I could.
Topic: Miscellaneous 1:30 pm EDT, Mar 13, 2015

Earlier this month Collin Anderson at Access published a whitepaper on the new Wassenaar controls relating to "intrusion software."

The whitepaper takes the position that the exchange of exploits and vulnerability information across borders is completely outside of the scope of what is controlled by Wassenaar. The whitepaper asserts that:

Exploitation is not concomitant with Intrusion Software nor is vulnerability research necessarily Intrusion Software development.

I'd like to think that's the case, but when I read the Wassenaar text I have trouble reaching the same conclusion. Even if Wassenaar didn't intend to cover vulnerability research, the text they wrote certainly seems to do so. I've come away with the conclusion that the Wassenaar authors may have crafted their policy under an erroneous understanding of how exploitation works.

Wassenaar defines "Intrusion Software" as follows:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Let's expand the part about defeating 'protective countermeasures', as those are also defined specifically in the Wassenaar text:

"Software" specially designed or modified to defeat techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing, of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

This seems to be a perfect description of an exploit. In fact, I don't think that I could have written a clearer legal definition for "exploit" if I tried.

An exploit is software that modifies the standard execution path of a program in order to allow the execution of externally provided instructions. These days, most operating systems have countermeasures that are designed to make it difficult to write an exploit. Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are examples of exploit countermeasures. If you're going to write a successful exploit for a modern operating system in this day and age, you have to contend with and defeat those countermeasures most of the time.

So, most exploits that are being written today meet both of these criteria. They defeat a countermeasure like DEP and then modify the execution path in order to ... [ Read More (1.0k in body) ]

My comments to BIS regarding Intrusion Software
Topic: Miscellaneous 4:13 pm EDT, Mar 12, 2015


I'm writing you because my understanding is that BIS is currently in the process of considering implementation of the new Wassenaar controls related to "Intrusion Software." These controls have started to raise some concerns within the professional community associated with information security vulnerability research. I asked XXXXXXXXXXXXX who I might reach out to in order to provide some input and he suggested that I start by emailing the two of you.

I appreciate your time in reading this. I have some experience working with the EAR as a technical SME within export compliance programs at IBM and Internet Security Systems, and I have a great deal of professional experience with security vulnerability research and coordination, so I believe I have sufficient experience to provide you with an informed perspective.

Although there are a number of different concerns that have been raised regarding these new controls, I want to focus my comments specifically on the Category 4.E.1.C controls on "technology" for the "development" of "intrusion software." I don't believe that the potential unintended consequences of the technology controls in particular have received enough emphasis in the comments that I have read to date by other parties.

Computer security professionals use the word "vulnerability" to refer to a flaw in a software system which allows another program, such as an "intrusion" program, to modify "the standard execution path of a program or process in order to allow the execution of externally provided instructions." A great deal of the work that we do in information security has to do with finding and fixing these vulnerabilities, and that work involves getting information about newly discovered vulnerabilities into the hands of people who are in a position to fix them before that information falls into the hands of computer criminals. The exchange of information about these vulnerabilities is the life blood of information security, and that exchange often happens behind closed doors, across international borders, and sometimes, in exchange for money.

Unfortunately, the technical information that you would provide another person about a security vulnerability if you wanted them to fix it is the exact same information that you would provide them if you wanted to enable them to write an "intrusion program" that exploits it. In fact, one of the jobs that I personally held at IBM and Internet Security Systems was to take information about vulnerabilities that was provided to us and use that information to implement a corresponding "intrusion program" so that we could verify that the vulnerability had been fixed properly.

Therefore, an export control on "technology" for the "development" of "intrusion software" may wind up also controlling the exchange of information needed to fix the flaws that "intrusion software" takes advantage of. Any export control regime that d... [ Read More (0.5k in body) ]
