Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.
After the Iranian attack on Twitter someone decided to strike back, it appears...
Black Hat Technical Security Conference: DC 2010 // Briefings
Topic: Miscellaneous
7:01 pm EST, Jan 4, 2010
Exploiting Lawful Intercept to Wiretap the Internet
Many governments require telecommunications companies to provide interfaces that law enforcement can use to monitor their customers' communications. If these interfaces are poorly designed, implemented, or managed they can provide a backdoor for attackers to perform surveillance without lawful authorization. Most lawful intercept technology is proprietary and difficult to peer review. Fortunately, Cisco has published the core architecture of its lawful intercept technology in an Internet Draft and a number of public configuration guides.
This talk will review Cisco's architecture for lawful intercept from a security perspective. The talk will explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. The talk will explain what steps network operators need to take to protect this interface. The talk will also provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
RE: "System worked" comments being taken out of context.
Topic: Miscellaneous
7:27 pm EST, Dec 31, 2009
Icer wrote: By your scoring I can because the launch went as planned and since we are compartmentalizing who cares if one portion failed miserably.
You're right Dave. Her comment was self promoting - she should not be talking about what they did right in the context of a security breach - she should be talking about what they are doing to study what happened and improve their approach. I certainly hope she conveyed the latter but I haven't bothered to track down the original source interview. If she didn't perhaps there is a problem here...
I think the reason the criticism is annoying me is that it seems to come along with a presumption that there is something different we could be doing that would have prevented this, it's clear what that is, and these people are idiots for not doing it.
I certainly hope there is something different that we could be doing, but I don't think it's obvious yet. A lot of the stuff that's being thrown around is sort of knee-jerk "throw security stuff at the problem." I'm not convinced that millimeter wave scanners are going to end terrorism as we know it.
A few days ago all we knew was that they got this tip that may or may not have been credible. Since then more information has come out. One thing I do fault her for was her comment that this guy acted alone. We now know that wasn't true - she obviously didn't know either way when she said it. It's beginning to sound like there are some things that we could have known - things the NSA and the CIA might have put together.
But that raises another matter - the organizations that really have the intelligence needed to identify terrorists before they strike aren't within DHS. Perhaps she is focused on the response because that's really what DHS does. Pre-emption happens somewhere else - and perhaps there still isn't a single person accountable for it in the federal government, other than the President himself.
"System worked" comments being taken out of context.
Topic: Miscellaneous
1:16 pm EST, Dec 31, 2009
This video provides the actual context for Napolitano's "the system worked" observation. The comment was about the response to the incident after it happened and not about the preventative measures that should or should not have been in place beforehand. The outrage that is being targeted at it, and her, is intentionally misplaced.
How does dishonest political point scoring help keep this country safe? It doesn't. It contributes to confusion at a moment where clarity is needed. Those who would muddy our thinking for their own private ends are a wicked host indeed.
Voltage, Current, and Resistance - three of the most important electrical properties - are elegantly intertwined by way of the simple equation V = IR, better known as Ohm's Law.
This is the most basic concept in electronics presented for those of you who read this blog who have taken an interest in circuitry but don't happen to be operating with a degree in engineering...
The problem with over-inclusiveness is that innocent people will suffer major inconvenience and that counter-terrorism resources are wasted. But if the lists are under-inclusive, innocent people can die, and in large numbers. If asked to choose between over- and under-inclusiveness on the watch lists, the passengers of Northwest Flight 253 no doubt would have their preference.
Another article pointing the finger at "civil libertarian extremists" for the nearly successful terrorist attack a couple days ago.... The question ought to be whether Abdulmutallab was placed on the appropriate list and given the appropriate amount of scrutiny given the information that we actually had about him ahead of the incident and not based on the 20/20 hindsight that he turned out to be a terrorist in the end. If it turns out that he should have or could have received more scrutiny than he did based on what we knew, I'm all for making changes and holding people accountable. But, sometimes there are going to be situations where you just don't have enough information about someone to justify keeping them off of airplanes, and that remains a possibility here. There seem to be calls for the scope of these lists to be massively expanded as a result of this incident based on the "better be safe than sorry" rationale. I remain troubled that this is a knee-jerk reaction that will leave our security forces jumping at shadows.
We need more information about what, exactly, we knew about this person, as well as how our different watchlists are actually used, in order to make a thoughtful assessment of whether or not there is something reasonable that can be done here. I think some of the relevant information may be classified and this won't be a public debate.
To put a finer point on it - presuming we did not, in fact, have enough information about this individual to subject him to greater scrutiny, this situation bears absolutely no relationship to future questions that might arise about the inclusiveness of and procedures behind these lists. To uphold this incident as a reason to ignore the concerns of privacy advocates and civil libertarians before a direct relationship can be drawn between this case and those concerns is, frankly, dishonest political gamesmanship. It is this sort of partisan football spiking and total dismissal of the legitimacy of one's opponents that has made it so difficult to build reasonable policies in this space by polluting the discussion with distrust and strife.
Six Uncomfortable Answers from Stewart Baker about Abdulmutallab
Topic: Miscellaneous
9:05 pm EST, Dec 27, 2009
The intelligence/security agencies would like the consular officials in Nigeria to take the fall for this. The agencies seem to be telling journalists that the father's warning wasn't relayed to them with enough detail to justify putting Abdulmutallab on a no-fly or selectee list, so they just stuck him in the 550-thousand-name catchall database (known as TIDE, the Terrorist Identities Datamart Environment) rather than a more active 400-thousand-name database. But neither database would have made him an automatic "selectee" for special screening (roughly 14 thousand people are on that list), let alone no-fly status (4 thousand). And it's hard to imagine that even transmitting a full transcript of the father's warning would have boosted Abdulmutallab onto the selectee or no-fly list.
Why is it so hard to get on the selectee or no-fly lists? In part because privacy campaigners have made the lists less effective and more controversial by raising phony privacy concerns -- and getting Congress to buy into those concerns.