| |
| "The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969 |
|
Wired | ISS Allegedly Hiding Cisco Bugs |
|
|
|---|
| Topic: Computer Security |
2:39 am EST, Dec 7, 2005 |
The computer security researcher who revealed a serious vulnerability in the operating system for Cisco Systems routers this year says he discovered 15 additional flaws in the software that have gone unreported until now, one of which is more serious than the bug he made public last summer. Mike Lynn, a former security researcher with Internet Security Systems, or ISS, said three of the flaws can give an attacker remote control of Cisco's routing and gateway hardware, essentially allowing an intruder to run malicious code on the hardware. The most serious of the three would affect nearly every configuration of a Cisco router, he said. "That's the one that really scares me," Lynn said, noting that the bug he revealed in July only affected routers configured in certain ways or with certain features. The new one, he said, "is in a piece of code that is so critical to the system that just about every configuration will have it. It's more part of the core code and less of a feature set," Lynn said. Lynn, who now works for Cisco competitor Juniper Networks, told Wired News that ISS has known about additional flaws in the Cisco software for months but hasn't told Cisco about them. This is serious, Lynn said, because attackers may already be developing exploits for the vulnerabilities. Cisco's source code was reportedly stolen in 2004 and, while doing research on the IOS software, Lynn found information on a Chinese-language website that indicated to him that Chinese attackers were aware of the security flaws in IOS and could be exploiting them. "Essentially there are more bugs, and they've gagged me from telling anyone the details of what they are," Lynn said. "It's pretty meticulous. There's lots of notes because it's very complicated stuff," Lynn said. "I gave the most details for the ones that are the most critical -- those are all spelled out." With regard to Allor's statement suggesting that any flaws ISS found are theoretical, Lynn said, "We're not dealing with an iffy thing when I actually have the code that I'm disassembling." "At the very least," he said, "even if ISS only suspected there were flaws, you'd think they'd want to talk to Cisco about it even if they think maybe it's not true. If I'm totally wrong, great, but I have a pretty good track record on this, and you'd think they'd want to be talking to Cisco to be sure."
This story is far from over. I continue to keep my fingers crossed that we don't see a router worm hit the net. Wired | ISS Allegedly Hiding Cisco Bugs |
|
Wired 13.03: Intelligence Blogging and Army Social Networking |
|
|
|---|
| Topic: Politics and Law |
3:01 am EST, Dec 5, 2005 |
It's an open secret that the US intelligence community has its own classified, highly secure Internet. Called Intelink, it's got portals, chat rooms, message boards, search engines, webmail, and tons of servers. It's pretty damn cool … for four years ago. It doesn't have to be that way. Instead of embarking on an expensive and decades-long process of reform - the type loved by bureaucrats on Capitol Hill - the services can fix this themselves. There's no reason our nation's spy organizations can't leap frog what the Army is already doing with Web technology and, at the same time, build upon what the public is doing with the blogosphere. Unfortunately, the intelligence community has not kept up with the Army. The 15 agencies of the community - ranging from the armed services to the National Geospatial-Intelligence Agency - maintain separate portals, separate data, and separate people. The bad guys exploit the gaps, and your safety is on the line. So if all us knuckle-draggers in the Army can use technology to make ourselves better, why can't all the big brains at Langley and Foggy Bottom do the same? The first step toward reform: Encourage blogging on Intelink. When I Google "Afghanistan blog" on the public Internet, I find 1.1 million entries and tons of useful information. But on Intelink there are no blogs. Imagine if the experts in every intelligence field were turned loose - all that's needed is some cheap software. It's not far-fetched to picture a top-secret CIA blog about al Qaeda, with postings from Navy Intelligence and the FBI, among others. Leave the bureaucratic infighting to the agency heads. Give good analysts good tools, and they'll deliver outstanding results.
Within secure networks, as we hope SIPRNET and NIPRNET are, uses of Open Souce style intelligence and media within the protected area is completely possible. They certainly seem to trust Google, so all the properitery tools necessary are available thanks to their search appliances. Wired 13.03: Intelligence Blogging and Army Social Networking |
|
More Hong Kong Democracy Protests |
|
|
|---|
| Topic: International Relations |
4:29 pm EST, Dec 4, 2005 |
Tens of thousands of people take part in a pro-democracy march in the streets of Hong Kong. An estimated 250,000 people took to the streets of Hong Kong, demanding the full democracy that was promised when Britain handed its former colony back to China eight years ago.
Here is a good picture that shows the scale of the protests which went on into the night. I know that area well... I wish I could be there when one of these protests is going on. More Hong Kong Democracy Protests |
|
Blue Boxing Wiretapping Systems |
|
|
|---|
| Topic: Computer Security |
1:02 pm EST, Nov 30, 2005 |
In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.
John Markoff has a story on this today. Ha... They were using old school dtmf techniques to detect call status! Thats a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them. U: I just read the paper. Apparently there IS no good reason they are using inband signals. Its a good paper. Read it. Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't... U: The paper seems to allude to this suspicion as well... Blue Boxing Wiretapping Systems |
|
Fuzzy logic behind Bush's cybercrime treaty | Perspectives | CNET News.com |
|
|
|---|
| Topic: Civil Liberties |
11:52 pm EST, Nov 29, 2005 |
The Convention on Cybercrime will endanger Americans' privacy and civil liberties--and place the FBI's massive surveillance apparatus at the disposal of nations with much less respect for individual liberties. For instance, if the U.S. and Russia ratify it, President Vladimir Putin would be able to invoke the treaty's powers to unmask anonymous critics on U.S.-based Web sites and perhaps even snoop on their e-mail correspondence. There's an easy fix. The U.S. Senate could attach an amendment to the treaty saying the FBI may aid other nations only if the alleged "crime" in their country also is a crime here. The concept is called dual criminality, and the treaty lets nations choose that option. Unfortunately, neither the Bush administration nor the Senate Foreign Relations Committee has been willing to make that change, calling it too "rigid."
Fuzzy logic behind Bush's cybercrime treaty | Perspectives | CNET News.com |
|
Pentagon Expands Domestic Surveillance |
|
|
|---|
| Topic: Civil Liberties |
11:51 pm EST, Nov 29, 2005 |
Pentagon expands domestic surveillance. And Bruce Schneier weighs in as well... Not only does involving the military in domestic surveillance mean bluring the line between citizens and enemies, it also means applying the 4th amendmend to military operations. What is the FBI not doing that you need them to be doing? Pentagon Expands Domestic Surveillance |
|
|
|---|
| Topic: Politics and Law |
4:25 am EST, Nov 29, 2005 |
For some, the chunk of marble that fell from the facade of the Supreme Court yesterday was a frightening safety hazard. But this is Washington, after all, where people search for hidden meaning in anything that happens at places such as the nation's highest court. And so, some couldn't help but note that the tumbling piece chipped at a carved marble figure that represents "Authority." When one of the dentil blocks fell, chipping into "Authority" and dinging the "Equal Justice Under Law" inscription, some tourists were marveling at the grand building while others stood in line to attend the morning's oral arguments. Although "Authority" was damaged, there will be no need to restore "Order," its neighboring figure. Or "Liberty Enthroned," which also survived the accident. At the foot of the Supreme Court steps, where engineers were photographing the remains of the Vermont marble pieces and carefully loading them into crates, one onlooker nudged a friend: "Notice how it happened on the right side. Not the left. The right."
A picture of the damage went over the AP photo wire. Rattle can use the following elements to create a whitty comment, pick any two:
1) The Consipracy
2) A message from Jabalon
3) Partisan politics
4) "Booga booga!" Anyone know what's currently on the court's docket? Omen on the High Court? |
|
|
|---|
| Topic: Miscellaneous |
12:31 am EST, Nov 26, 2005 |
Thanksgiving night my girlfriend's appartment was broken into. Only two things were stolen: My Powerbook and iPod My most recent backup was 3 weeks ago. This means I have lost all of the preperation work for a number of papers I have due. I have also lost a fair amount of Industrial Memetics related materials that had been worked on recently. Also toast is my schedule and all the notes I use to keep track of things. At this point, it's not exactly clear how much of this $3k+ loss will be covered by insurance. Hopefully, all of it will be. My Powerbook was my only workstation, so the next week or so is going to be pretty tough. I have a fair amount of work to make up. Don't expect much posting from me. I also have no tunes. :( |
|
