Domain: infosecurity-magazine.com
Stories and comments across the archive that link to infosecurity-magazine.com.
Comments · 21
-
Re:Not News
In 2015, OPM's dataset of security clearance data regarding nearly the entire Federal Government was stolen. This was a treasure trove for foreign intelligence, and for "regular" identity theft. There were no consequences for anyone in the government.
The lack of consequences is not the result of corporations or government, it's the result of the lack of criminal law regarding these issues. If negligence leading to data theft carried criminal consequences, the world would be very different...
-
Re:Pose?
Depends on what country you are in, Australia's recent metadata laws collect all, no warrant required to look up.
The trouble with using encryption when such sweeping items become the norm is that using encryption places you as a target. Even if you have nothing to hide simply not wanting to be passively stalked can mark you as a person of interest for further scrutiny. Which could be a less than fun position to be put in.
Even not using the internet at all would not render you immune. It is one piece of a far larger puzzle. Have a driver's license? Congratulations, your face is now in the national face recognition database.
Catch public transport recently? The scan cards used in different states can be linked to identities and profile your usage and location. While giving your name for the card is optional, even if you always pay cash to top up and regularly change cards, the CCTV footage combined with facial recognition can be enough to still get a pattern on you.
Welcome to the future, 1984 has nothing on our present. The craziest thing is not even the lack of oversight of the organizations in charge, but how quickly the public has become complacent with it all.
I suppose those that are critical of the security circus and try to bring attention to potential abuses are either dismissed as nutters or do not last if they are competent at bringing awareness to the many issues mass surveillance can bring to a society.
The night of long knives was amateurish and crude compared to what is possible with such sweeping surveillance of the populace. Anyone even partially trying to evade it becomes a potential target.
So long as the pot is boiled slowly, the frogs never jump.
-
Re:Greetings from the alternate universe!
There is nothing ridiculous there. Key signing parties are the ONLY solution to the trust problem. Everything else compromises the idea through implicit (or unintended) centralized trust, misleading obfuscation or outright snake oil. The problem itself is ridiculous, not the only real solution.
Which of my public keys is the right one? The first one you see in an unencrypted email to you or DNS-steered web page? The one that comes to you armored within SSL or S/MIME signed through a CA chain to Symantec whose subsidiary Thawte had gone a little rogue? It's that first key exchange between users that holds the greatest danger... and in the real world people suddenly feel the need for encryption only sometimes, such as a submission to WikiLeaks, I imagine that among the world's CAs the pressure to sign rogue www.wikileaks.com certs is intense. It is even illogical to assume it has never happened.
My ability to create a 'fake' WikiLeaks PGP key pair is very useful because it reveals underlying truth. You know you could do it too and therefore, the state of being vulnerable is known to both of us. To solve the problem of how key signing parties might become practical, is also to solve the people-trust problem. They are the same.
In all these years since practical RSA, there has been plenty easier this or less attackable that, but in my view there has been only ONE true lightning-strike moment. As Perfect Forward Secrecy is implemented, at least now when private server keys are compromised we will no longer have previously captured encrypted intercepts, perhaps even years of traffic, suddenly readable.
In the realm of key trust between strangers, no progress. Be wary of anyone who offers it to you. They're probably just asking you to trust them.
-
Who's the real hackers?
Perhaps while WaPo is discussing a "possible" intrusion into the US electrical grid, they should mention a confirmed penetration of the Belgian national telephone company Belgacom (now called Proximus) by the NSA and GCHQ in 2012. The code that was found on Belgacom's network had some commonality with the StuxNet virus and was introduced in order to listen in on Europe-wide GSM communication. http://www.infosecurity-magazi...
-
Re:Will that push Google to do the same?
Even Apple's argument that it "needs" to do it for security doesn't fly. They're responsible for securing their hardware and OS. If people want their apps secured, there should be multiple companies competing to provide that service. And the people can choose which of these protection services they prefer to use. Exactly like Google does - you can use their Play store and whatever screening/protection they provide, or you can use someone else's store, or you can choose to use a store which doesn't purport to offer any protection at all.
You say Apple's argument "doesn't fly", yet we can link the fact that Android accounts for 99% of malware on smartphones directly back to Google's choice not to lock-out other stores. The malware is rarely from Google Play: it's almost all from other sources.
It's pretty hard to suggest that Apple doesn't have valid security concerns, given the above. You can argue that users should have the ability to make those choices, and you'd have a valid point, but given the evidence, Apple would have no-less-valid of a point in suggesting that the best way to secure the device is to lock that ability off to begin with. And the evidence backs them up.
Mind you, I'm not suggesting Apple got it right or Google got it wrong. Not at all. I'm merely pointing out a logical incongruity in the arguments you're presenting. Apple's approach is certainly heavy-handed, but the effects are obvious. It's fine and well to talk about "an ideal world", but in practice what we see is that there's a real cost to the security of the platform if you allow untrusted apps onto your OS. Neither approach is right. Both approaches have benefits and drawbacks, and different companies weigh them differently.
-
We've seen this before...
The British and French are reported to have pushed for weak encryption in cellular phones (A5/1 and A5/3) to make snooping easier for law enforcement. http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html.
Apparently, these governments didn't want to bother with having to serve warrants to telephone companies... Which would require, you know, legal warrants. So we ended up with 54-bit encryption (A5/1) when the engineers involved were pushing for 128.
So what happened?
What virtually everyone here will already have guessed: The back doors left for convenient government snooping made it easy for *anyone* to snoop, effectively rendering the encryption worthless. (http://www.infosecurity-magazine.com/news/3g-encryption-cracked-in-less-than-two-hours/)
Modular arithmetic is not a crime. If you make it one, French law will suddenly sit in conflict with privacy laws around the world *and in France*. And will it be illegal to transmit random bits? What about SSL?
Idiots.
-
Sonatype FUDs Open Source ..
April 2013: "Sonatype's annual survey of 3,500 software developers and shows struggle in setting corporate policy on open source and enforcing it" ref
April 2013: "Control and security of corporate open source projects proves difficult | New Sonatype survey finds 80 percent of most Java applications comes from open source" ref
Nov 2014: "Software developers use a large number of open-source components, often oblivious to the security risks they introduce or the vulnerabilities that are later discovered in them." ref
April 2015: "open-source also represents a vast, unpatched quagmire of cyber-risk that’s putting public safety at grave risk. That’s the assessment of Joshua Corman, CTO at Sonatype" ref
-
Re:Enough means already...
Actually, the terrorists are known to communicate through porn. That's why bin Laden was caught with a stash of porn. It makes up something like 30% of all internet traffic, so it's perfect noise in which to hide a signal. Encrypt that signal with something like PGP, then hide it in porn via steganography, and you've got a secure, nearly invisible channel for communication.
-
Re:Misleading article.
Rather misleading article and slant there. It implies that the NSA deliberately took action to make TCP/IP insecure. However, in reality, the NSA merely didn't contribute their classified work towards the specification of TCP/IP.
Yes, Slashdot is rather sad these days.
But the NSA isn't just about withholding classified information. The NSA is about weakening encryption standards. Vint Cerf said he would have used encryption if he had the opportunity to do it over again. The Internet community had such an opportunity, IPv6 with IPsec, and the NSA bungled it up.
IPsec doesn't involve the routers, because that would kill performance. IPsec is designed to handle different algorithms, so you don't need to support the same broken algorithms indefinitely. But the IPsec spec is a horrible design that in practice has made it very little used outside of very professional environments with very full-time engineers to keep it running.
-
Re:TFA doesn't tell much...
Some more at http://www.infosecurity-magazi... is6
"He received a fake LinkedIn invite from a non-existent person in the European patent office (Quisquater holds 17 patents).
This dropped a variant of the MiniDuke malware which covertly opens a backdoor onto the infected computer."
and http://www.infosecurity-magazi...
-
Re:It's a trap!
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.
You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists and get harassed every time they enter the country even though they are citizens?
-
Re:Dichotomy
According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.
Are we sure they didn't just root the botnet around mid-August/early September?
http://www.infosecurity-magazine.com/view/34453/massive-botnet-is-behind-tor-usage-spike-/
Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?
-
Re:Pot calling kettle black
The US government is all for fundamental freedoms, providing your use of them can be logged, queried at will and used against you later.
No, I'm afraid not. Let's go down the amendments one by one and see where we come out:
First amendment: Freedom of speech and the press.
The United States has no journalistic shield law. Basically, if a whistleblower drops off some incriminating government documents, publication can land you in jail. Failing to reveal your source? That's a one-way trip to Guantanamo. Then there's the designated Free Speech Cages, surrounded by police, cameras, and barbed wire, and usually located far away from a place where your protest might be visible. Failure to protest within the cage will land you in a different cage. Don't worry -- they pre-construct them for all major events at nearby warehouses.
The right to bear arms
In New York and elsewhere... yeah, no. There are so many examples of the constant attempts to remove this or at least regulate it to the point it is effectively removed, I won't provide more examples. Go look them up yourself.
Not having soldiers quartered in your home
Yeah... a guy was recently arrested, beaten, and dragged out of his house for refusing to allow the police entry, so they could pitch a tent and enact surveillance of one of his neighbors. The story has since vanished off the internet, and very few sites still have any information on it.
Unlawful search and seizure
The Department of Homeland Security has granted itself the ability to declare arbitrary constitution-free zones, which cover approximately 80% of the US population -- as most of the population lives within 50 miles of one of the country's borders, and that's one of the areas covered.
Right not to self-incriminate
Unless of course, the FBI thinks you might have child porn. ...I could go on, but I think you get the point: They're not for all fundamental freedoms... they just want them on paper, but not in reality. Subtle difference.
-
Microsoft should just BUY Slashdot!
Why not continue this story with further 'count down' stories?
ANYTHING to push another MS related post to the FP. Every day/week. We can't live here at /. without MS stories!
Has there been a new Microsoft related post today?
Of course!
Let's all celebrate proprietary monopolies!
Let's replace the Microsoft logo, which used to be a Borg logo, with a friendly Care Bear with the Windows logo on his chest! Let's market these toys so we all have Microsoft Care Bears on us all of the time - with bluetooth! When we rub his belly a beam shoots across the room to the latest Slashdot story about another Microsoft news or not news happening!
Dell and HP should sell out to MS: Why not own the OEMs?
Finally:
Spanish Linux users launch legal challenge to Microsoft's secure boot
@ http://www.infosecurity-magazine.com/view/31499/spanish-linux-users-launch-legal-challenge-to-microsofts-secure-boot/
@@ http://www.infosecurity-magazine.com/view/24199/rsa-2012-malware-gets-the-boot-in-windows-8-notes-charney
@@ http://www.reuters.com/article/2013/03/26/us-microsoft-eu-idUSBRE92P0E120130326
@@ http://www.h-online.com/open/news/item/Secure-Boot-complaint-filed-against-Microsoft-1830714.html
@@ http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2013-000162&language=EN
@@ http://www.hispalinux.es/node/758
@@@ http://www.nbcnews.com/id/51329950/ns/business-us_business/t/exclusive-open-software-group-files-complaint-eu-against-microsoft/
@@@ http://newyork.newsday.com/business/technology/microsoft-target-of-hispalinux-open-source-software-users-in-complaint-to-eu-1.4909950
@@@ http://www.mobilenapps.com/articles/8058/20130327/linux-users-file-complaint-against-microsoft-over-secure-boot-windows.htm
@@@ http://rcpmag.com/articles/2013/04/01/spanish-complaint-windows-8-secure-boot.aspx
@@@ http://www.eitb.com/en/news/technology/detail/1297786/hispalinux-microsoft--hispalinux-files-complaint-microsoft/
Lock yourself in, boys! (At the BIOS level) We're in for a heck of a ride!
Mark me troll because you know it's true and you enjoy lying to yourself.
"LOOKS LIKE MEAT IS BACK ON THE MENU, BOYS!"
The logo for MS should be a plate of Soylent Green and a rainbow behind it.
-
Re:Be happy that their data is secure?
http://www.infosecurity-magazine.com/view/16186/hhs-levies-first-fines-under-hipaa-privacy-rule/
First "privacy violation" about 15 years after it was passed, and for not sharing when required, not for accidental exposure.
-
Re:Due Diligence
"Consider this: if they can access your data, theoretically anyone can. However, if they can access your data, you're also liable for HIPAA law violations."
If they access the data, they broke HIPAA. HIPAA doesn't require 100% security. It just requires reasonable steps. If someone familiar with your steps (a "sister" company with unlimited pen-testing access at LAN speed) were to compromise it, that's not proof you were insecure. It's just proof they illegally accessed medical records. Only the pen tester is at fault, and nobody else.
I love the people who talk about HIPAA who have obviously never read the law or worked with it. I used to keep the law printed out and on me. There was one clause (that said "this is not to be construed as to require encryption") that I quoted more than 100 times because everyone seems to think that HIPAA requires encryption, or that encryption alone somehow increases security. There hasn't been anyone fined for a computer security breach. The first fines were for failure to share information, not breaches. http://www.infosecurity-magazine.com/view/16186/hhs-levies-first-fines-under-hipaa-privacy-rule/ It took 15 years from the law to the first fine, and it was for not releasing records when legally required to do so.
-
The US President's Blackberry
If I were the US president, I wouldn't want my Blackberry to be at the mercy of a South Korean corporation. It's risky enough for a Canadian corp to be running such a sensitive device, but if it's going to be foreign (and so not entirely subject to US laws, and obviously having a national interest that sometimes competes with America's), Canadian is about the least risky. Especially after decades of integration with sensitive US operations, including the space arm on the NASA shuttles. But South Korea is not nearly as reliable, given its understandably different national interests and lower integration with US law. Not to mention the higher stakes in S. Korea with its insane nuke-armed neighbor changing kings and looking for new terms in their permanent war backed by the US.
In any case President Me would rather have an Android phone, with an OS my spooks could inspect with a fine toothed comb, than a closed OS - whether foreign made or not. I wouldn't want Steve Jobs' ghost having secret access to my top-secret iPhone messages, especially when there are so many laws and lawsuits Apple could use my help "fixing". Even just tracking my location through a commercial datacenter seems a breach of national security.
The US has such a large military, and budget to match, that I'd expect the White House to come with our own government smartphones on a secure network. There's no reason my phone couldn't use a gateway device carried by my entourage that goes over a secure military satellite network, even if the gateway is too big for me to carry myself. I don't carry the nuke football, either. But I could carry a civilian smartphone, battery out, in case I was separated from my entourage and as a last resort had to make a call on a public network.
-
Re:no wonder
Well, I do remember this...
-
Re:You know what's really sad?