Current Topic: Computer Security

RE: People in the Loop: Are They a Failsafe or a Liability?

Topic: Computer Security
2:50 pm EST, Feb 11, 2012

Rattle wrote: This Dan Geer piece is a great read, with much food for thought. That being said, I'm only excerpting this quote because it gives me a smug self-flagellating feeling of awesomeness...

cybersecurity is the most intellectually difficult profession on the planet

OK, this is actually brilliant - a must read or at least a must scan - we spend a lot of time trying to figure out how to build computer systems that can solve security problems when we could consider hiring actual people in the third world to make access control choices for us. At the very least it's thought provoking.

Bellovin RE: The National Strategy for Trusted Identities in Cyberspace

Topic: Computer Security
1:43 pm EDT, Jun 26, 2010

Steven Bellovin: People often suggest that adding strong identification to the Internet will solve many security problems. Strong, useful identification isn't possible and wouldn't solve the security issue; trying to have it will create privacy problems.

Agree. The problem with security in cyberspace is that exploits target bugs in software to make them do things the designers didn't intend. Authoritarians have this fantasy that if they can just design a system that requires everybody to be tracked and tagged, they'll be able to arrest those dirtbags who commit crimes on the Internet. One problem with this idea is the assumption that the identity system will be any less prone to software bugs than any other part of the infrastructure. It won't be, so it won't work. Another problem is the idea that you can actually manage an identity system for everybody in the entire world. You can't. This, much like the ill-considered efforts at "whois accuracy," will only serve to make it easier to target, arrest, or sue people who aren't intentionally out to commit crimes but for some reason run afoul of well-heeled interests. The secret is that some of the supporters of these systems know this, and that's exactly what they want. Other supporters don't care - they stand to benefit financially from these requirements regardless of how effective they are.

The National Strategy for Trusted Identities in Cyberspace

Topic: Computer Security
1:14 pm EDT, Jun 26, 2010

Howard Schmidt: Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities. No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. We seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online ...

TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

Topic: Computer Security
11:55 am EDT, Jun 11, 2010

One of my biggest gripes about the upcoming cybersecurity legislation is the threat of mandatory certification for security professionals. I didn't get a chance to thank Richard Bejtlich for his kind comments regarding my Blackhat talk, so let me take the time now to thank him for taking a stand on this issue:

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done. The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve." This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros. My opinion? This is a jobs program for security training and certification companies. Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers: Train Federal non-IT managers first. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.

Google China cyberattack part of vast espionage campaign, experts say - washingtonpost.com

Topic: Computer Security
1:09 pm EST, Jan 14, 2010

Rattle: I'm glad to see this is finally getting some attention. As bad as these articles make the extent of the ongoing Chinese espionage sound, it's actually worse...

Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit.

sigh...

"Usually it's a group using one type of malicious code per target," said Eli Jellenc, head of international cyber-intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. "In this case, they're using multiple types against multiple targets -- but all in the same attack campaign. That's a marked leap in coordination."

The division of labor is what I think stands out the most.

"This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "This is what China's leadership is after. This reflects China's national priorities."

MD5 considered harmful today

Topic: Computer Security
11:39 am EST, Dec 30, 2008

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

State of IP Spoofing

Topic: Computer Security
9:22 am EST, Dec 11, 2008

This report, provided by MIT ANA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

RE: U.S. Is Losing Global Cyberwar, Commission Says - BusinessWeek

Topic: Computer Security
2:27 pm EST, Dec 8, 2008

Report here. In particular note recommendation 17, in which the government is encouraged to enable driver's licenses or national ID cards to work online. The words "consistent with privacy and civil liberties" are thrown in there, but I think this development, and the massive civil liberties battles that will be associated with it, are inevitable. It's kind of like watching the birth of Skynet.

Chertoff: We're Closing that Boarding-Pass Loophole | Threat Level from Wired.com

Topic: Computer Security
12:32 am EST, Nov 18, 2008

DHS's Transportation Security Administration is currently testing an encrypted 2-D bar code that includes all the information from a boarding pass and is digitally signed to ensure the data hasn't been altered. In the pilot, passengers show the bar code to TSA identity checkers, who use a scanner to read the image off the passenger's smartphone, and then check the person's identification against the decrypted information. The system also works using public-key cryptography, which lets the TSA use scanners that don't need to connect to airline databases, and they don't store records of who is traveling.

Really, really cool. Smart use of crypto to solve a real security problem. I never thought I'd say these three words but: Good job TSA!

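The signed-barcode scheme described above, as an added example that is not the TSA's or any airline's code: the airline signs the boarding-pass fields, and the checkpoint scanner verifies them with nothing but the issuer's public key, so it needs no database connection and stores nothing about the traveller. Ed25519, the pipe-separated field layout and the sample pass are assumptions for illustration; the encryption half of the pilot is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// BoardingPass holds the fields a checkpoint needs to see (constructed for this example).
type BoardingPass struct {
	Name, Flight, Date, Seat string
}

// canonical serialises the fields in a fixed order with a fixed separator, so the
// airline signs exactly the bytes the scanner will later verify.
func (b BoardingPass) canonical() []byte {
	return []byte(strings.Join([]string{b.Name, b.Flight, b.Date, b.Seat}, "|"))
}

// IssuePass runs at the airline: the barcode payload is the signed fields
// followed by the base64-encoded signature.
func IssuePass(priv ed25519.PrivateKey, b BoardingPass) string {
	sig := ed25519.Sign(priv, b.canonical())
	return string(b.canonical()) + "|" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyPass runs at the checkpoint with only the airline's public key; any
// altered field (or a pass signed by some other key) fails verification.
func VerifyPass(pub ed25519.PublicKey, payload string) (BoardingPass, error) {
	parts := strings.Split(payload, "|")
	if len(parts) != 5 {
		return BoardingPass{}, errors.New("malformed barcode payload")
	}
	bp := BoardingPass{parts[0], parts[1], parts[2], parts[3]}
	sig, err := base64.StdEncoding.DecodeString(parts[4])
	if err != nil || !ed25519.Verify(pub, bp.canonical(), sig) {
		return BoardingPass{}, errors.New("bad signature: data altered or not issued by this airline")
	}
	return bp, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := IssuePass(priv, BoardingPass{"A. TRAVELER", "XY123", "2008-11-18", "12A"})
	_, err := VerifyPass(pub, payload)
	fmt.Println("genuine pass:", err)
	_, err = VerifyPass(pub, strings.Replace(payload, "12A", "1A", 1)) // forged seat change
	fmt.Println("tampered pass:", err)
}
```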
RE: Microsoft Security Bulletin Advance Notification for October 2008

Topic: Computer Security
5:40 pm EDT, Oct 23, 2008

noteworthy wrote: Things that make you go "hmmm..."

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on October 23, 2008.

If you haven't seen it, Microsoft has just recently started publishing an immense amount of technical detail about these vulnerabilities. Look here and here.
