×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

Ask Slashdot: Best Anti-Virus Software In 2015? Free Or Paid?

dweller_below Depends on your attacker. (467 comments)

My experience may not be applicable to you. I do IT Security for a university. We encounter a wide variety of attackers from script-kiddy to aggressive hostile government.

When our attackers desire to remain hidden, we usually can not detect and remove them using any common tool. The techniques for remaining in hidden control of systems are straightforward, effective and available to any attacker. We can detect all kinds of stuff by carefully inspecting network activity, but learning to do it takes years. And, analyzing 1 machine's traffic is slower than real-time.

For example, a while ago one of my coworkers managed to crack the C&C for a major fake-antivirus group. For 2 months we grabbed the rootkits as they went by. Code on compromised machines was updated daily. VirusTotal pronounced it all clean. Usually, the victims had no clue. None of the virus or malware detectors/removers would regain control of a compromised system. Sometimes the utilities would claim to have done something. It was never complete or successful. On the other hand, if we isolated a compromised machine from the C&C for 3 weeks, some of the utilities would start to be effective. At 6 weeks, almost all of them were effective. Of course, this fake antivirus group was indiscriminate and had a huge footprint.

We still use Microsoft Security Essentials or EndPoint Protection. It almost never prevents compromise, but in some circumstances it will let us know that that we have been had. Some attackers get what they want immediately and don't try to hide. Others break discipline after a few days or weeks. Then there are the ones that get what they want and sell you to less capable attackers. Finally, if the user/machine is vulnerable to attack then the machine eventually gets infested with multiple attackers. Once multiple attackers start interfering with each other, something always gets dropped.

We always recommend a "change passwords/backup/wipe/rebuild/restore" when we discover compromise. Even then, sometimes an attacker regains control by hiding hostile code in user files.

The preventative measures that seem to be most effective for us are:

  1. 1) Some form of Addblock. The primary attack vector for most of our people is hostile browser adds.
  2. 2) Limiting the execution of unwanted browser code. We recommend Chrome/Click-To-Run for most users. Motivated users can get better protection with Firefox/NoScript.
  3. 3) Working with our users to improve our defenses. See: https://www.youtube.com/playli...

about a week ago
top

What Isn't There an App For?

dweller_below Inexplicable gaps in Crypto products. (421 comments)

In my completely uninformed opinion, there seem to be inexplicable and congenital faults in IT's use of cryptography.

A few crypto products need efficiency and performance. But, many don't. Many existing products are optimized for efficiency and performance, even when these goals are contrary to the stated goals of the product. Frequently, crypto solutions unnecessarily limit the size of keys. They extend the lifetime of keys. They limit the number of available keys. In many cases, all three of these latter goals are false savings.

We rarely use symmetric crypto, even though it is frequently simpler and more robust. Public Key is almost always preferred, even when it is easy to distribute keys.

Reliable, trustworthy sources of truly random numbers seem to be very useful, inexpensive, and straightforward to create. See: http://en.wikipedia.org/wiki/C...

If we are interested in secure communications, it should be normal and expected that we would pick up several hardware random number generators. We should have multiple simple, robust, trustworthy tools to generate symmetric keys. We should have multiple tools to utilize simple, robust, trustworthy symmetric crypto.

Instead, we seem to focus on always using a single complex public key solution even when it is not appropriate.

In my ignorance, I have been trying to map out a simple, robust tool for system administration, that makes use of symmetric crypto. See: https://it.wiki.usu.edu/201501...

I would really like to learn that I have been wasting my time.

about three weeks ago
top

Snowden Documents Show How Well NSA Codebreakers Can Pry

dweller_below Re:Anyone can intercept SSH some of the time (278 comments)

This guide doesn't recommend disabling passwords. That's a huge omission.

Thanks. I figured that was obvious enough to not need explanation. So I decided it was out of scope. But, I am wrong all the time.

I am assuming you feel that we should teach our admins to test all their SSH passwords against standard attack dictionaries and disable/notify any that fail. This is a good idea. I will try to add it tomorrow.

Are there other conditions that are detectable by SSH admins that require disabling passwords?

about 1 month ago
top

Snowden Documents Show How Well NSA Codebreakers Can Pry

dweller_below Re:Anyone can intercept SSH some of the time (278 comments)

You should have user honeypots. Once in a while present a fake certificate. If the user ignore the wrong fingerprint and type in the correct password, reset the account password.

That is an interesting idea. It is easy to MITM our SSH client connections. But, this control comes with a large expense. Because it is easy for our clients to see Security's actions, and it is hard for them to see the actions of attackers, they will conclude that Security is being evil for no good reason. This will greatly reduce our effectiveness by isolating Security from our community. Other controls may mitigate this problem with less expense.

For example, we are currently pushing our people to adopt widespread 2-factor authentication. Our people are ready to accept 2-factor. They understand it's value. They are familiar with it's use. We have multiple cheap 2-factor solutions. 2-factor somewhat mitigates MITM and also helps other issues.

That said, I think we really need a simpler form of SSH for trusted point-to-point communications. It should exclusively use pre-distributed one-time pads for it's authentication and encryption. We can now generate and distribute 100+ Gigabyte files of true-random data. This data can be used to authenticate. It can be used to generate secure symmetric encryption keys. We can handle millions of secure connections before we need to redistribute pads again.

Since I am not a cryptographer, this idea has many problems. But I believe that securely using these huge one-time pads could be as easy as:

  • Ask Schneier for a good, symmetric encryption algorithm :)
  • Select a key-size that is twice as long as Schneier thinks we need :) So, if Schneier thinks 512bits are fine, we use 1024 bit keys. This is only 128 bytes.
  • Generate about 128 Gigabytes of random data from a truly random noise source. Use 64Gigs of it for connection keys. That will allow about 512 million connections. This may be excessive and need to be adjusted.
  • Use the rest of the Random data 2 Gigs at a time. This gives you 32 records. The server always gets the first copy/install of the file. The server always uses the first record. Each subsequent client copy/install uses the data in it's record for install identification and session identification. This may not be enough records. It may need to be adjusted. But, it probably should not increase to hundreds. If there are too many copies, it is impossible to protect confidentiality.
  • Throw away the first key record. You can spare some. Use that space to write down the GMT time-stamp when this file was created and the number of times the file has been copied.
  • Use the next key record as the FileID for this file.
  • The server only tries to use uses 1 pad file at a time.
  • When the server starts up, it skips down the number of keys indicated by it's current key index or the number of minutes since pad creation, whichever is greater. If the server detects that GMT time is running backwards, it should terminate with a descriptive error message.
  • Every minute, it switches to the next key in the list. Don't worry, this will only use up 10 million of your possible keys in 20 years. The server should not attempt to respond to more than one connection attempt per second.
  • Whenever the server has authenticated a successful connection, it switches to the next key in the list.
  • When something pokes it's port, the server assembles a message that says something like: Number of non-padding bytes in message. Message Type 0. Server Message#1. I have received 0 of your messages. I am copy 1 of the file with the ID of #FileID. My Copy ID is (the first field in my Copy ID Record). The local time is (current time). The number of times I have incremented keys is: (CurrentKeyIndex). The number of successful connections is (ConnectionNumber). The authentication number for this connection is (use ConnectionNumber to index into the Copy ID Record and retrieve the value). Optional padding. End of Server Message #1.
  • Then the server encrypts all that info using the current encryption key and sends it out to the client. It should all fit in a standard ethernet/IP/TCP packet. All messages must be padded to the same length. A good starting message length is probably 1400 bytes.
  • The client uses the current time as a guess to a starting index into the key data. It should probably start 1 before to allow for sloppy timekeeping. It sequentially tries each key until it manages to decrypt the server's message. It should probably give up and fail with an error if tries more than 20 keys. This number may need adjusting. When it fails, the client drops the connection without saying anything.
  • If the client decodes the server message, it then checks it's own expected and calculated information against the info provided by the server. If it doesn't check out, it drops the connection and sends an urgent error message that somebody is attempting to mimic the server using a replay attack. If it checks out, it uses the key to encrypt it's response. It also updates it's CurrentKeyIndex.
  • The response of the client looks like: Number of non-padding bytes in message. Message Type 1. The latest message I have decoded from you is (LastServerMessageNumber). This is my Message #1. Nice to meet you. I am copy (whatever) of the file with the ID of #FileID. My Copy Id is (the first field in my Copy ID Record. My local time is (timestamp). I have now updated and crossed off (CurrentKeyIndex) number of keys. My number of successful connections is (ConnectionNumber). The authentication number for this connection is (use ConnectionNumber to index into the Copy ID Record and retrieve the value.) Optional padding. End of Client Message #1.
  • Then the server checks the client's supplied info for inconsistencies. If it fails, the server crosses off the key, drops the connection, and sends an urgent error message that somebody is attempting to mimic the client via a replay attack. It if checks out, the server sends an encrypted acknowledgement, and updates it status information on that copy of the file.
  • Once the client receives the acknowledgement, it updates it's info on the server. Then both sides continue the encrypted conversation. The conversation looks like a sequence of encrypted messages.
  • Most messages have the same format: Number of non-padding bytes in message. Message Type 2. Timestamp. From (Copy #) To (Copy #). Your latest message was (whatever). This is my message (whatever). [MESSAGE CONTENTS] Optional padding. End of message (whatever).
  • You will also need some utility messages. A NAK may look like: Number of non-padding bytes in message. Message Type 3. Timestamp. From (Copy #) To (Copy #) Please re-transmit everything after message (whatever). This is my message (whatever). Optional padding. End of message (whatever).
  • A FIN may look like: Number of non-padding bytes in message. Message Type 4. Timestamp. From (Copy #) To (Copy #) Your latest message was (whatever). Time to say goodbye. Optional padding. End of message (whatever).
  • A Change Key may look like: Number of non-padding bytes in message. Message Type 5. Timestamp. From (Copy #) To (Copy #) Your latest message was (whatever). I'm feeling paranoid. Lets change to the next key. Optional padding. End of message (whatever).
  • An Oh Shit may look like: Number of non-padding bytes in message. Message Type 6. Timestamp. From (Copy #) To (Copy #) Somebody just showed up with a NSL. I'm wiping my key-files/one-time pads. You should wipe this key-file/pad. Send lawyers, money, guns. So long and thanks for all the fish. Optional padding. End of message (whatever).

As you can see, this system is very simple,crude and inefficient. We are just re-implementing the old concepts of secure phones using 1-time pads. None of this is new. We can use simple logic because we don't want or need complexity. It allows for 1 server and multiple clients. You have to redo this logic to have more than one server per pad/keyfile. It only solves one problem, but it is so simple that it should eliminate almost all opportunity for logic and programming flaws. Remember, complexity is the enemy. We don't care about efficiency. We want security. The NSA has used feature creep to corrupt many forms of existing crypto.

This proposal is connection oriented, but it can run on TCP or UDP or ICMP. You probably want to use TCP to reduce spoofing, DoS opportunities and sort out some of the low level attacks. If you do, you have to remember that you can't trust TCP to eliminate spoofing or verify message delivery.

about 1 month ago
top

Snowden Documents Show How Well NSA Codebreakers Can Pry

dweller_below Re:Anyone can intercept SSH some of the time (278 comments)

Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:

https://it.wiki.usu.edu/ssh_de...

We try to use multiple overlapping security layers to protect SSH:

  • * If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
  • * Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
  • * If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.
  • * The SSH server should not allow known usernames including root. The attacker must find a username.
  • * Motivated admins should use 2-factor authentication to access their critical SSH servers.
  • * Admins are trained to create good passwords for their usernames.
  • * SSH users should verify the identity of their systems when they first connect.
  • * System admins must regularly review the activity of their SSH servers.
  • * Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
  • * We have SSH Honeypots that help us track, understand and respond to SSH attack. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when a institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers.

Much of this work can be automated. The rest is excellent training material for new security recruits and interns.

Looking back, the main change I should have made to improve our SSH protections would be to default block incoming TCP/22 at the border years ago. Then, only allow it for groups that can show they use it to provide services to a large community. Anybody using SSH for administration can change the SSH port.

about a month ago
top

Cornering the Market On Zero-Day Exploits

dweller_below Inflating the Exploit marketplace hurts us all. (118 comments)

Anything that inflates the Exploit/Vul marketplace just hurts us all. We can fight hackers. We can even fight governments. But, we can't fight economics. If economics strongly encourage the discovery and secret utilization of exploit, we are all doomed. A few may experience a short-term benefit from a booming market in exploit and vulnerability, but the consequences of that marketplace will harm all the rest of us. The only sane behavior is to do everything we can to depress the market for vulnerability and exploit. We have to change the economics.

  • 1) The government must always, immediately, publicly, disclose any purchased vulnerability or exploit. Once they are for sale, there is no point in keeping them secret. Secrecy inflates the market. Then the market creates more vulnerability and exploit.
  • 2) Any benevolent government should target the exploit marketplace. This is a sensible and reasonable target for the NSA and the FBI. The exploit market creates the uncontrollable weapons of the internet apocalypse. Any exploit or vulnerability that the FBI or NSA can seize from others should be immediately published. This will suppress the desirability of the goods in the exploit marketplace.
    • * The legal fictions of intellectual property should never be allowed to adhere to exploit information.
    • * There is no public interest in preserving exploit.
    • * There is a great deal of public harm in encouraging exploit.
  • 3) For the good of us all, we need to beat the NSA black and blue and force them to publicly disclose any of their vulnerabilities and exploits that are over a year old.
    • * This provides the NSA with tangible deliverables that they can use to justify their existence and we can use to measure their competence.
    • * This gives them a year to play with their toys.
    • * This will greatly suppress the exploit marketplace.

about 6 months ago
top

Patent Troll Ordered To Pay For the Costs of Fighting a Bad Patent

dweller_below Re:Sounds awesome except.... (191 comments)

The problem is also that the USPO granted the patent in the first place :/

I heartily agree. Improving the process of litigating patents is nice, but we really need to improve the quality of granted patents. I believe that this problem is solvable, if we can muster the courage to admit that we have made mistakes in managing the patent office. In my opinion, the most important of these mistakes are:

1) More patents are not better than fewer patents.

Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. Reform must recognize that patents are dangerous monopolies. Reform must place hard limits on the number of patents.

2) Running the US Patent Office as a cost-recovery operation is a mistake.

The US Patent Office is a very small, but critical component of the US economy. It's purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO became completely cost recovery (Omnibus Budget Reconciliation Act of 1990, Title X, Subtitle B), that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery has been to promote the collection of patent fees.

Reform is painful, but simple. Admit cost recovery is a failed experiment. Revert the funding model to the model used for the first 200 years. The USPTO must be centrally funded by the US government. Any collected fees should be returned to the US Government.

3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents.

Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the USPTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/pa... page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then.

Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents. The filing fee should be high enough to discourage spurious patent applications.

4) Scaling up the Patent Office to produce more poor quality patents is a mistake.

Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process.

Reform must tightly control and limit the number of patent examiners.

5) It is a mistake to grant all patents that meet minimum standards.

A review of the last couple decades changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. You rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.

6) Finally, please consider that it is a mistake to allow patent applicants to modify or extend their patents after submission.

This complicates the patent pipeline. It facilitates ‘submarine’ patents. It enables capturing Standards. It also enables gaming the patent system. Reform must simplify and reduce the patent process. Patents should be quickly evaluated. Most should be denied. If an applicant wishes to modify a denied patent, they should alter it, resubmit, and pay a new filing fee.

Real patent reform is possible. The pressures that currently give rise to bad patents are fairly obvious. We can mitigate those pressures and institute processes that tend to increase patent quality. If we can just summon the courage and political will to correct our mistakes.

about 8 months ago
top

Church Committee Members Say New Group Needed To Watch NSA

dweller_below How do we clean this radioactive, toxic swamp? (143 comments)

At this point, governance of the NSA is a constitutional sham. There is no just rule because there is no consent of the governed.

There appear to be 2 paths forward.

  1. 1) The path of trusted representation. If you can trust your representatives, maybe you can trust their oversight. This is the pathway that started with Frank Church and lead to Dianne Feinstein. The problem is, how do you regain trust when it has been so thoroughly abused? We now have lots of evidence that both the process and the people involved in this distribution of trust are not trustworthy. Simply resetting the process will not restore trust.
  2. 2) The path of transparency. For the last few years, our dreams of empire have tempted us to discard openness, transparency and rightful rule. But these are the very things that have created and preserved us. There is nothing new about the temptations of tyranny. The dream of power has not changed or evolved in the last few thousand years. The architects of our nation were just as familiar with these temptations are are we. We just need to turn back to open laws, open courts, and open public discourse.

about 10 months ago
top

How the NSA Plans To Infect 'Millions' of Computers With Malware

dweller_below When am I going to get rid of this tinfoil hat? (234 comments)

So, now it turns out that the NSA really was attacking me. Just because I ran the routers and a few other critical things.

20 years ago, when I first started ranting about the NSA it was mostly theoretical. I ranted because there was no proof they were not evil. The stickers on my laptop's mic and camera were a bit of a joke. People would ask about them and it would give me a chance to rant. That's all I really wanted. A chance to rant from time to time.

But, now it is clear that all my rants were too conservative.

Now I am doing IT security for a university. I spend all day attempting to hold off the attacks of foreign governments. Some of those attacks now appear to be my own government. I never really wanted to be this paranoid. And it still appears that I am not paranoid enough.

When will I ever be able to take off this stupid tinfoil hat?

Congress keeps railing against money wasted on social programs. It appears the NSA and the CIA are elaborate social programs for sociopaths. Why can't we defund them?

about a year ago
top

Schneier: Break Up the NSA

dweller_below Re:NSA Walks a Fine Line (324 comments)

But, for the last 10 years, the NSA has not walked the line at all. If the NSA could evenly balance the equities issue: https://www.schneier.com/blog/..., then there would less problems. But, now, there is no balance. The NSA takes many actions that demonstrate that their drive to Attack has suppressed their duty to Defend. They include:

  1. 1) BULLRUN - http://en.wikipedia.org/wiki/B...
  2. 2) The exploit marketplace is greatly enhanced by the activities of the NSA. This marketplace drives the creation of new exploit. It threatens us all. The NSA never publishes an exploit. Instead, they purchase exploit. Again and again. Many times, they are purchasing exploit they already own, because they don't want to reveal what they own. It is inevitable that they frequently purchase info on exploit that they create. The exploit marketplace would collapse, if the NSA, CyberCommand and their consultants would just stop buying. The exploit marketplace would vanish, if the NSA freely disclosed a fraction (say 30%) of their exploits every year.
  3. 3) Large networks of Bots can only exist at the sufferance of the NSA. Again, if the NSA wished, they could easily, trivially track the C&C of the large criminal Bots. Then they could be dismantled using the ShadowServer's infrastructure: https://www.shadowserver.org/w... Instead, it appears the NSA is maintaining the existence of the Bots for it own reasons.
  4. 4) The lack of malware Epidemiology. The NSA could publish accurate statistics on incidence of malware. Again, the NSA is in a unique position to track the dissemination and activity of malware. With those stats, we could make accurate determinations of the effectiveness of different security measures. With accurate Epidemiology, we can move defense from superstition to science. Instead, it appears the NSA doesn't want effective defense.
  5. 5) Spoofed DoS packets on the internet can only exist because the NSA tolerates them. If the NSA wished, they could easily, trivially identify all the sources of Spoofed packets. The NSA has enough listening points they can track a stream of spoofed packets back to it's source. Then those sources would be identified, fixed/shunned, and eliminated. Instead, it appears the NSA maintains those sources as cover for their own activities.

That is why Schneier is advocating the breakup of the NSA. We must remove the equities debate from their hands. One part will be driven by offense, the other by defense. And Offense will stop being able to suppress Defense.

about a year ago
top

Schneier: Break Up the NSA

dweller_below Re:since when is the FBI a spy agency? (324 comments)

Looking at the FBI Mission: http://www.fbi.gov/about-us/qu... it looks like the Priorities are based on Crazy Congressional Wishlist. There are just too many Priorities. And, they are ranked according to sensationalism, not importance to the survival of the Nation. That page lists them as:

  1. 1. Protect the United States from terrorist attack
  2. 2. Protect the United States against foreign intelligence operations and espionage
  3. 3. Protect the United States against cyber-based attacks and high-technology crimes
  4. 4. Combat public corruption at all levels
  5. 5. Protect civil rights
  6. 6. Combat transnational/national criminal organizations and enterprises
  7. 7. Combat major white-collar crime
  8. 8. Combat significant violent crime
  9. 9. Support federal, state, local and international partners
  10. 10. Upgrade technology to successfully perform the FBI’s mission

At this point, I think we can all clearly see that Terrorism only has as much importance as we create for it. If we don't regard it as important, the Terrorism threat goes almost entirely away. If you were to rank these Priorities according to what most impacts the survival of the Nation, I believe it would look more like:

  1. 1. Combat public corruption at all levels
  2. 2. Combat transnational/national criminal organizations and enterprises
  3. 3. Protect civil rights
  4. 4. Combat major white-collar crime
  5. 5. Combat significant violent crime
  6. 6. Support federal, state, local and international partners
  7. 7. Upgrade technology to successfully perform the FBI’s mission
  8. 8. Protect the United States against cyber-based attacks and high-technology crimes
  9. 9. Protect the United States against foreign intelligence operations and espionage
  10. 10. Protect the United States from terrorist attack

about a year ago
top

Physicist Unveils a 'Turing Test' For Free Will

dweller_below Freewill is Fun! (401 comments)

Freewill is fun to debate. There are so many levels:

  • 1) If It bothers you to be following somebody else's orders, then you probably have free will.
  • 2) If you can ask: "Do I have Free Will?" then you have finished level 2.
  • 3) You complete Level 3 by doing a random thing, and then saying: "I'll bet they didn't predict that!"
  • 4) Level 4 consists of unproductive analysis of the limits of comprehension and influence of an unknown Capable Mind.
  • 5) Level 5 is when you realize that you don't need to know everything, you just need to know yourself. Once you clearly understand yourself, you lose free will.
  • 6) Level 6 mostly consists of drunken babbling.

about a year ago
top

The Hail Mary Cloud and the Lessons Learned

dweller_below Some more guidance on setting up SSH (99 comments)

Here is the guide we provide to the SSH users at our University: https://it.wiki.usu.edu/ssh_description

Some of the major points:

  • We try to use multiple overlapping security layers to protect SSH:
  • * The firewall limits the vulnerable scope of SSH to a few trusted hosts.
  • * The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
  • * The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
  • * The SSH server should not allow known usernames including root. The attacker must find a username.
  • * The admin is trained to create good passwords for his usernames.
  • * SSH users are taught to verify the identity of their systems when they first connect.
  • * System admins must regularly review the activity of their SSH servers.
  • * USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
  • * USU has SSH Honeypots that help us respond to SSH attack.

about a year ago
top

Former NSA Honcho Calls Corporate IT Security "Appalling"

dweller_below Re:Security is possible, but you must focus. (174 comments)

Tell me which university do you work for

Hi Ruir,

I work for USU. We are the Land Grant university for Utah. We built the WISE satellite for NASA.

If you are interested in our approach to security, I made a couple introductory Youtube videos:

Good Luck!

about a year ago
top

Former NSA Honcho Calls Corporate IT Security "Appalling"

dweller_below Security is possible, but you must focus. (174 comments)

I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.

The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to it's goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.

But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:

Critical Control 1: Unity of Vision

Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?

  • A. How does your organization create a sense of community?
  • B. What are your Institution's Goals?
  • C. How are those goals propagated throughout the organization?
  • D. How do your security actions promote your institutional goals?
  • E. How do your security actions provide assurance to your institution?
  • F. How does your institution reward long term loyalty?

Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but loosing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Were am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:

Critical Control 3: Enable a Better Future

This control assumes that our actions affect the future. Do your actions enable a more secure future?

  • A. How do you increase the cost of attack?
  • B. Do you report attack to the remote ISP/attacker?
  • C. How do you coordinate with law enforcement?
  • D. How do you decrease the cost of defense for yourself and others?
  • E. How do you reduce the motivation for local attack?
  • F. Do you disclose vulnerabilities to others? If so, will your institution protect it’s people when others attempt to punish disclosure?
  • G. Do you facilitate others disclosing vulnerabilities to you?
  • H. Do you help your peers improve their security?

The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?

about a year ago
top

NSA Bought Exploit Service From VUPEN

dweller_below NO No no. You ATTACK enemies. You HELP friends. (81 comments)

We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to to existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." (From last weeks New York Times and Guardian articles)

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html ) They have only token interest in defending the Internet.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

about a year ago
top

The Man Who Created the Pencil Eraser and How Patents Have Changed

dweller_below Re:You know where it went.. (234 comments)

You're missing the point. A lot of this was unintentional. They made the USPTO run on fees that were charged for patents which gave the USPTO and incentive to rubber stamp patents while not receiving sufficient funding to cover the cost of having patent examiners that could do the investigation that they used to do.

I'd like to think that this mess is unintentional. But many of the recent changes to the USPTO appear to have optimized it to create lots of poor quality patents. I believe that we could reverse these changes. But, we would need to muster the political will to admit we have made mistakes. I have listed some of these obvious structural problems at: https://plus.google.com/b/101806809558932714222/101806809558932714222/about

I believe that the most serious problems with the structure of the USPTO are:

  • 1) More patents are not better than fewer patents. Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. Reform must recognize that patents are dangerous monopolies. Reform must place hard limits on the number of patents.
  • 2) Running the US Patent Office as a cost-recovery operation is a mistake. The US Patent Office is a very small, but critical component of the US economy. It's purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO started to become completely cost recovery, (See: Omnibus Budget Reconciliation Act of 1990, Title X, Subtitle B), that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery has been to promote the collection of patent fees. Reform is painful, but simple. Admit cost recovery is a failed experiment. Revert the funding model to the model used for the first 200 years. The USPTO must be centrally funded by the US government. Any collected fees should be returned to the US Government.
  • 3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents. Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the USPTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2225781 page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then. Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents. The filing fee should be high enough to discourage spurious patent applications.
  • 4) Scaling up the Patent Office to produce more poor quality patents is a mistake. Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process. Reform must tightly control and limit the number of patent examiners.
  • 5) It is a mistake to grant all patents that meet minimum standards. A review of the last couple decades changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. We rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.
  • 6) Finally, I suggest that it is a mistake to allow patent applicants to modify or extend their patents after submission. This complicates the patent pipeline. It facilitates ‘submarine’ patents. It enables capturing Standards. It also enables gaming the patent system. Reform must simplify and reduce the patent process. Patents should be quickly evaluated. Most should be denied. If an applicant wishes to modify a denied patent, they should alter it, resubmit, and pay a new filing fee.

about a year ago
top

New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption

dweller_below First the Stick, THEN the carrot. (200 comments)

Congressman Holt,

Thanks for your efforts. But please remember that you have other, more effective tools at your disposal. The NSA has shown themselves a master in creative interpretation of law. Any new law will be twisted to their purposes. Then there will be years of appeals in the courts. Before you attempt new laws, you should immediately reassert Congress's most basic and irresistible power: The power to control the purse.

Your first act should be to slash the NSA's budget in half.

It is like working with a mule. First, you have to get their attention. As you slash their budget, explain that many of the NSA's actions have been dishonest. They have created long term problems for the rest of the country. And they have been spending their budget in ways that congress does not approve.

After you slash their budget, ask them to give the complete Congress a full accounting of how they intend to spend their remaining budget. Give them a week.

If they waffle or present an incomplete accounting, then cut their remaining budget in half.

Don't worry about the NSA. They have tens of billions of budget. You can cut their budget in half several times and they will still be able to support their best analysts. Their hardware is cheaper and more powerful than ever before. Even after the cuts, they will be as effective as any time in the past few decades. But, the cuts will remove their ability to dominate entire industries. And they will not be able to use that support to justify their illegal and unethical acts. And that is a good thing.

Above all, don't let the executive branch deter you. Controlling budget is your natural, constitutionally mandated role. Congress has been shirking their duties lately. The Black Budget has been a shameful abrogation of your responsibilities. Controlling the budget of the executive branch is your job. Don't let anybody talk you out of it.

It may take several rounds of budget cuts, but eventually they will come back in line. Then you can use law to guide them.

about a year ago
top

NSA Foils Much Internet Encryption

dweller_below The NSA must serve us, not attack us. (607 comments)

As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.

The other chilling revelation is the names of these programs:

"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."

The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.

  • * The NSA must be stripped of it's ability to create exploit.
  • * The NSA must be stripped of it's ability to purchase exploit.

If we survive as a nation of liberty, the NSA must serve us, not attack us.

about a year ago
top

UK Government Destroys Guardian's Snowden Drives

dweller_below Spooks are trying to provoke an irresponsible act. (508 comments)

So far, Poitras and Greenwald have done an incredibly good job of handling the Snowden material. They have been implementing a long term, strategic, plan that seems to have 2 goals:

  • * Restore the US Constitutional limits on the Executive branch.
  • * Make the Executive branch accountable to the Legislative and Judicial branches.

As ambitious as it seems, this level of correction has happened several times in US history. I believe that these goals can be achieved if 3 conditions are met:

  • 1) Poitras and Greenwald must succeed in maintaining public awareness of the problem.
  • 2) Poitras and Greenwald must continue to be regarded as responsible journalists.
  • 3) The Public must agree that the threat of an unbridled Executive is greater than the external threat.

So far, Poitras and Greenwald have played Obama and the US Intelligence like a hooked trout. They have skillfully countered every attempt to divert or end the discussion. It looks like they have a chance of advancing reform of the US Executive branch. They may also help bring reform to England.

But now, I think we are seeing the beginning of more strategic responses from the US Intelligence community. I suspect that they are now trying to end the discussion by re branding Poitras and Greenwald as traitorous threats. This approach worked so well with Manning and Assange. Not only did they succeed in discrediting the messenger, they also turned the messenger into an external threat. Now, they can use 'Traitors' to justify Executive excess.

I suspect that the goals of US Intelligence are now:

  • * Get Poitras and Greenwald to do an irresponsible disclosure. From the Intelligence communities viewpoint, even an immediate, complete disclosure of the Snowden material is a small price to pay in return for swift end to the discussion and discrediting the whistle-blowers.
  • * Or create an irresponsible disclosure of the Snowden material. Remember, neither Manning nor Assange/WikiLeaks did the big, irresponsible disclosure. But, they were blamed when it happened. On considering this objective, it seems to me that the primary objective of the Miranda incident may have been to acquire the secret key of the distributed file, so they could create an irresponsible disclosure.

If they can't shutdown or re-brand Poitras and Greenwald, then I expect the next step will be to create an immediate, external threat that requires an unbridled Executive.

I am praying for Poitras and Greenwald. We need their help. And their enemies are capable of doing terrible things.

about a year and a half ago

Submissions

dweller_below hasn't submitted any stories.

Journals

dweller_below has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?