Slashdot Mirror


User: DarkOx

DarkOx's activity in the archive.

Stories: 0
Comments: 6,020

Comments · 6,020

  1. Re:Sony security: strong or weak? on Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't) · · Score: 2

    You do have to cut them a little slack, here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.

    This is Sony Pictures, though, terabytes probably go out the door all the time. I mean that might be less than a few hours of uncompressed video going to a contractor for post processing or something.

    No, my bigger question, having done this kind of thing for a living now for some time, is why would a basically purely IP organization not have effective controls in place to know what kind of data is going out the door and to put a hard stop to it the moment something that should not be there is spotted.

    OK, maybe you can't do that with the aforementioned video data, but you certainly can watch for byte patterns that look like addresses, SS numbers, e-mails in usually great quantity etc. on the wire.

    You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some MPEG headers on top of a big encrypted data stream? Probably, but they'd have to know to do it.

    If my entire world was IP like Sony Pictures, I'd probably take it a few steps further: make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to. Anytime more than a handful of megabytes of something I can't recognize flowed, it would alert and someone from the CERT team would pick up the phone and call whoever it was associated with that source IP. No attribution, shut it down; no explanation, shut it down.

    The hardware and software to do this is commercially available, more or less off the shelf and has been for at least five or seven years now.

       

  2. No hack would ever result in that kind of control

    Disagree.

    Let's face it, the reality is lots and lots of BIG companies use things like Active Directory. Lots of these BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. It's not uncommon for network infrastructure administrative interfaces to use an authentication gateway like, say, NPS (RADIUS for AD).

    So if you could get that Enterprise Admin access, well, it might be a house of cards from there. Given the recently published MS14-068 it might not even be that hard: https://www.trustedsec.com/dec...

    So if you can get your foot in the door, however you do it, just grabbing some tools off GitHub and a few blogs can get you near total ownage without having to do much of anything in the way of exploit development on your own. Consider this vuln was an off cycle patch put out in November; think there ~4 weeks on there are some big orgs that have lead times to get Windows patches applied to DCs longer than that? I would bet so. Think an org like Sony stands a chance against a vuln like that when it's an unpublished zero day? So get any access to the network at all, brute force one password for basically any user account, crack a hash sniffed off the wire etc., and boom, you're a member of any Windows groups you want!

    Frankly I would not be surprised given the timing if MS14-068 was involved in the breach and I would not be surprised to hear of other major compromises thru leveraging it.

  3. Re: Best pick up one of these on Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere · · Score: 1

    I did not give them a back door either. You can check the thumbprints of the certs are not changing or not trust any third party CAs if that's what YOU want to do under my scheme. For most folks that won't be practical; we will want to be able to call people and organizations we have never been in a position with to safely exchange keys, so just like on the web we will have to trust some third parties.

    By making it easy to exchange certs directly with people you do meet in person you remove the CA chain from that point on and encourage the system in a way third parties can't compromise unless the cryptography is eventually broken. Nobody, not a LEA or anyone else, then has the capability to MITM calls between your devices from that point, provided they don't hack your phone somehow and change your settings, modify your cert store etc.

    My acceptable compromise isn't really with the LEAs but more with reality. You can't very well use a third party's network without them being able to identify the end points; TOR, even if it was untraceable, and it's not, would not be practical for a wireless voice network. My proposal has the benefit of being possible to implement without replacing the existing cellular and telephone network infrastructure. You just need handsets that know how to negotiate with each other. In that sense it's plausible that it could actually get off the ground, because as we all know expecting AT&T or VZW to do anything ever without first bending over for the spooks is a non-starter.

    So AC and Mods who marked my post flamebait for some reason, let me ask you:

    [1] Do you have a better technical solution?
    [2] Does your solution work without requiring the carriers to spend billions radically altering/upgrading their infrastructure?
    [3] Can your proposal somehow conceal which endpoints calls are between?
    [4] Can your proposal somehow conceal the duration of the call, beyond padding it out for some additional period?
    [5] Can your solution easily inter-operate with existing endpoints?

  4. Re:North Korea has proved something. on Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower · · Score: 1

    Congratulations, you have just invented private IP MPLS service.

    Someone should tell ALL the major TELCOs about this, and anyone who has ever wanted to build a WAN link between more than two sides in the last 15 years, needing anything better than best effort service.

  5. Re:Screw them on Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower · · Score: 1

    Yea Sony might as well pack up and go home until this thing is resolved. There isn't a lot they can do.

    The U.S. on the other hand should recognize this for what it is. An act of war. Once the possibility of real physical violence and attacks were introduced it was no longer an attack on Sony Pictures but on society as a whole.

    It's time for Government to step up and actually do one of the very few things it's actually charged with doing, provide for the common defense! We now have a situation where a foreign actor is assaulting our citizens (putting in fear) and by extension infringing their rights of free expression.

    What concerns me is that 0bama is figuring out a "proportional response" you don't "proportionally" respond to an act of war. This situation calls for a very disproportionate response.

    We should do something like smart bomb Kim's palace. It would minimally impact the innocent citizens of the DPRK while sending the message acts of aggression will not be tolerated and will be met with swift and brutal reprisal against YOU, not your nation, not your people YOU. That is something a despot can understand and might actually fear. If we really luck he dies in the attack.

    The Chinese need to be TOLD to just sit tight, lest they be considered conspirators in this attack against us.

  6. Re:Intercepting encrypted communications! OMG! on Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere · · Score: 1

    Is that you number 6?

  7. Re:Screw them on Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower · · Score: 2

    And that isn't really an option either. Sony lost lots of HR and other PII data. If you work at Sony Pictures there is a good chance the "GOP" knows where you live.

    If Sony releases it at all and there is any attack on its own employees they might also open themselves up to lawsuits for negligence. To say nothing of the fact that they might lose their best talent due to people being afraid working there makes them a target.

  8. Re:Best pick up one of these on Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere · · Score: 2, Interesting

    The obvious solution is just have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets (or any other digital endpoint for that matter) should not feature some kind of certificate validation step between the end points followed by the exchange of uniquely per call generated symmetric key exchanged securely using the same PKI used to validate the certificate authenticity. Essentially SSL for phone calls.

    People could use third party CAs like they do for the web today for most callers. Phone software should be easily configured to ONLY accept previously installed self signed certificates for certain subjects. I.e. if a call wants to identify itself as being from cousin Bob's cellphone it will be rejected unless it is signed with the public key Bob previously gave me, even if the cert has a valid third party signature and is otherwise valid. Users could easily exchange keys in person using Bluetooth + PIN etc.

    This would allow LEAs to eavesdrop by MITMing calls between say an individual and a financial institution. With a warrant the third party CA the financial uses could be compelled to provide the LEA with a valid cert for that subject, hopefully with an expiry of only a few days. Of course techniques like cert pinning could be used to detect this by individuals. It would leave LEAs with no easy avenue to eavesdrop on calls between Bob and myself. I think this is a reasonable compromise.

    On the other hand it still does nothing to address the mass surveillance concern. It will still be easy for instance for an LEA to obtain call records from the phone company. They won't have the content and won't be able to get at it, but they absolutely can know when, how long, and how often Bob and I spoke. They can also know who else Bob and I called. We know that this information is very revealing; it's been used very effectively to identify relationships. It's less clear it violates the 4th than accessing the content. I don't like it but it might be again part of an acceptable compromise.

  9. Re:Land of the free on Reaction To the Sony Hack Is 'Beyond the Realm of Stupid' · · Score: 1

    When your entire business is intellectual property I would expect some data leak protection to be in place. As a security professional I really can't understand how a business in the IP industry does not have at least somewhat effective egress filtering.

    Sure the volume in the case of Sony Pictures might not have raised any red flags, but their gateway/firewall whatever darn well should be capable of differentiating between a huge batch of uncompressed video and their HR documents.

    Flags should have gone up.

  10. I can't believe I have to say this on Reaction To the Sony Hack Is 'Beyond the Realm of Stupid' · · Score: 2

    is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously.

    Who said anything about them having to hit 18,000 locations simultaneously? That isn't how terrorism works. The 911 guys did not have to hit thousands of targets, they only tried for three, managed only two (counting the WTC complex as a single target) and look at all the trouble they caused!

    A coordinated attack on only a handful of movie theaters the same night would be plenty to cause an economically significant portion of this country's population to spend the holiday Christmas - New Years stretch cowering in their homes rather than going out and spending money. It would almost certainly lead to all kinds of wild ill considered national security response.

    Hell look at the Batman Shooting a few years ago. It takes one suicide attacker to "hit" a theater with essentially no real resources. A few thousand in counterfeit notes (which DPRK has produced in the past) would allow would be assailants to put together the arsenal they need. It's perfectly plausible even DPRK could get three or four people into this country with limited fake credentials and no access to anything privileged enough to do even a basic background check.

    I am not saying "OMG we all going to die here" but you can't completely dismiss the threat either here. Having hit Sony they have already demonstrated some capability.

  11. Re:Dubious because facts on US Links North Korea To Sony Hacking · · Score: 2

    That was my reaction as well a week ago when the news broke. I actually heard on the NBC Nightly News first and the moment Williams said TB of data, the first thought I had was how do you ex-filtrate that much info without it being noticed by the NOC team?

    The only thing I can think of is that largish transfers are probably very common for them as they push media assets out to contractors etc. Still you wonder why are they not MITMing everything in what is essentially an all IP business and why can't their IPS/IDS system tell the difference between 2TB of raw YUV video and their HR database?

  12. Re:with what? on US Links North Korea To Sony Hacking · · Score: 0

    I don't know given our current antagonistic relations with Russia and the fact we are already imposing sanctions on them I kinda think if it had Russian finger prints they'd name names.

    If anything it would make Putin look worse and serve to counter Gorby's argument that Putin isn't a bad actor but Russia is just being bullied by expansionist NATO policy.

    I also suspect old Vlad recognizes his current situation is tenuous and complex enough without adding direct aggression against the US homeland to the mix at least not without being prepared to take credit for it. If the Russian state had anything to do with it they'd probably be out claiming it was done to hit back US economy in response to our "unjustified" sanctions or something.

    I'll admit I am just arm chairing this thing with no real info but my guess is if it was done from/in Russia its organized crime without direct ties to the Kremlin.

  13. Re:with what? on US Links North Korea To Sony Hacking · · Score: 1

    I agree, certainly if the official line turns out to be untrue then the rest of my thinking has to be tossed out along with it. I also agree they ought to release code and show the analysis.

    Trouble is if it does implicate the Chinese they have to keep it under wraps for the same reasons they won't come out and say "China" in the first place. So we don't have a good way to know if it's all a false flag to justify the surveillance state as I think you're suggesting or if they are being truthful with us. At least until I have a little greater personal stake in this than not seeing a probably terrible Seth Rogen movie, I guess I'll take their word for it. Now once someone starts proposing legislation or invading some place, etc., then I'd be very cautious of the fact that in absence of the hard facts the very real possibility they are lying, as they are known to often do, exists.

  14. Re:I don't see the big deal here. on US Links North Korea To Sony Hacking · · Score: 4, Insightful

    Right, I think that's the important difference here if there is one. In general I agree with the GP post: cyber security should be the responsibility of the network/computer operator, not the government. Costs should be borne by the victims and their insurers, or by the perps when they can be identified and brought to justice, as a general principle.

    In this case though we have a threat of violence and terror on top of the simpler criminal matter. These guys are not threatening to just empty a few bank accounts and embarrass some more celebrities. They have moved from the realm of nuisance crimes to violent crimes and the state definitely has an interest preserving public safety.

    As to how credible the threat is and should we be reacting to every threat to do violence out there, well I would say they have displayed at least enough capability to hack a major corporation that no doubt has a security team. They also have at least some financial resources backed by the DPRK. So this isn't an angsty 14 year old on Facebook. Do I think they can project themselves into the physical world the way they claim? Probably not, but it's probably not worth risking that by just ignoring them entirely either.

  15. Re:with what? on US Links North Korea To Sony Hacking · · Score: 4, Interesting

    The official line so far is "The DPRK is responsible, but the attack originated from somewhere else".

    "Responsible" most likely means hired someone to do it. Knowing the DPRK they probably paid those someones in reasonably good quality counterfeit US currency. Though that is pure speculation on my part based on past news events.

    The fact they won't tell us from where else means "China", again pure speculation on my part, but come on, it's not like DPRK has exactly normal relations with anywhere else. They would tell us if it was some other pariah regime some place, so I assume it has to be China as it's the only place I can think of that DPRK would have access and would be too politically sensitive to name.

    Keep in mind, I can't recall if it was 2k11 or 2k12 but the Obama admin did not exactly dispute the Pentagon's view that "cyber" attacks could/should be viewed as an act of war. The "terror" threats against theaters have escalated things from a criminal matter, attack on a corporation, to a state matter, attack on the public and order; therefore some kind of "response" is required. I am sure 0bama is trying to find a way to "do something" or appear to be without pissing off the Chinese.

    Which to now purely editorialize, I think pissing off the Chinese and souring trade relations would/could be the best possible outcome here for our nation but that is a different discussion.

  16. Right,

    I have said it before. I don't think this "girls only" stuff sends kids the right message at all. (Young) girls don't see this kind of thing as an opportunity (not my nieces anyway). They see this as: oh, computers must be really hard and it must be kinda "weird" for girls to do, otherwise the adults would not be so bent on pushing it on us as a career. It's kinda like "eat your vegetables": kids know if the adults thought it was going to be a pleasant experience for them, they would let them discover it on their own and not be so insistent about it.

    Honestly if we really want a post-gender/sex society where everyone is treated the same, I think we might start by trying to treat people the same. Stop emphasizing gender when we talk about people. We don't need to say "SHE is a successful researcher/mathematician/computer engineer/software architect etc". We would use her name "Jane is..."

    Rather than decide we are going to have a 40%+ female makeup of our middle school intro to comp-sci class we would just let the kids that want to take the elective enroll and do our best to help ALL of them succeed.

  17. Re:Man, am I old ... on Backblaze's 6 TB Hard Drive Face-Off · · Score: 1

    But the problem I have with this is the WHY. I am not a big picture taker; but seriously what are you really doing with 7000 pictures of anything?

    Nobody is cataloging every shot, and nobody really needs the 15 shots taken in the space of 3 seconds using sports mode / virtual motor wind etc. You need the "best" shot(s) from that group.

    Nobody is realistically going to want to sort through 1000 shots in the album "Pictures of the kids Tuesday December 16th 2014" looking for that special memory they want to revisit, especially when the same thing exists for the day before and after.

    Why not take all the pictures and at the end of the day, trip, event, maybe week, get rid of the ~90% you will never want?

    Honestly I can't understand having that quantity of pictures. The reason you take them is so you can look back on them, but with so many how can you ever find something really worth looking back at?

  18. Re:Man, am I old ... on Backblaze's 6 TB Hard Drive Face-Off · · Score: 1

    I keep a highly organized well structured system of directories. I don't know what all I got; and I delete things when I know I won't want them again. Actually it's taken me years to train myself to be a little slower on the delete key trigger; space *is* cheap and it's better to keep something you might want than regret having purged it later. No fun having to wait while your box hunts through that multi-volume tar streamed over 5 USB sticks. I keep my entire digital life, which includes things like my music library, at about 120GB. It's easy to back that all up, and I can find anything that is important quickly.

    I know lots of people with TBs of stuff, and with a few exceptions where they are working with lots of raw video etc, none of them have a clue what they have. They don't do backups because the volumes are too large, etc. Mostly their lives are worse for having it. My online storage is a RAID array of SSDs, I wait for nothing, not even writes (lots of cache). Their systems grind away sorting through a fragmented mess of junk on disk. I honestly don't get it.

    Now I know the gamers might need a few hundred more GBs than I do for content; but I agree with you it's really suspect when Joe Typical User is telling you he needs 6TB for anything. I would say chances are he is doing something not well considered.

  19. Re:Good, we're not trying to create more work on Economists Say Newest AI Technology Destroys More Jobs Than It Creates · · Score: 1

    Ugh,

    Property taxes happen to be about the worst kind of taxes imaginable. Essentially the people who really pay them are the people you want paying them the least.

    First folks with large amounts of property -- tend to be farmers. They are making productive use of the land that economically you would want to encourage not discourage. Cheap plentiful nutrition is good for a society.

    Second people who don't actually own any property -- Renters of all kinds, the cost of property taxes on the occupied property are passed on.

    The retired -- never mind retired folks that still live at home probably consume the least in terms of local public resources, they're stuck paying the taxes even without the income to support it.

    No, property taxes are pretty much bullshit. The only fair taxes are consumption based taxes. Want to participate in the economy, you pay. Don't want to participate, well that is fine.

    We should move to a system of pure sales taxes and import taxes. With a few carve outs for categories like public transportation, unprepared foods for human consumption, clothing, and education, which the lower income earners spend disproportionately on, so the system isn't overly regressive. This would also eliminate virtually all opportunities for cheating. Securities like stock should be taxed on their purchase price: buy a share for $10, you pay taxes on the $10 at purchase time; does not matter if you sell it later for $1000 or $0, there is no subsequent tax event. If you sell it the next purchaser will be paying the tax on the sale price. Lastly business must also pay sales tax on the labor they purchase from their employees, local or overseas, but there should be no other employer or payroll taxation.

  20. Re:Does the job still get done? on Economists Say Newest AI Technology Destroys More Jobs Than It Creates · · Score: 1

    Who cleans the toilets on the starship Enterprise?

    There are no toilets. Seriously, ever see one on the show? Clearly all the replicated food is entirely observable with no metabolic outputs beyond the amount of water that can be eliminated through sweat and nobody ever poops, ever.

  21. Re:computer with a phone add-on on Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor · · Score: 1

    You're right, the obvious solution is just have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets should not feature some kind of certificate validation step between the end points followed by the exchange of uniquely per call generated symmetric key exchanged securely using the same PKI used to validate the certificate authenticity. Essentially SSL for phone calls.

    People could use third party CAs like they do for the web today for most callers. Phone software should be easily configured to ONLY accept previously installed self signed certificates for certain subjects. I.e. if a call wants to identify itself as being from cousin Bob's cellphone it will be rejected unless it is signed with the public key Bob previously gave me, even if the cert has a valid third party signature and is otherwise valid. Users could easily exchange keys in person using Bluetooth + PIN etc.

    This would allow LEAs to eavesdrop by MITMing calls between say an individual and a financial institution. With a warrant the third party CA the financial uses could be compelled to provide the LEA with a valid cert for that subject, hopefully with an expiry of only a few days. Of course techniques like cert pinning could be used to detect this by individuals. It would leave LEAs with no easy avenue to eavesdrop on calls between Bob and myself. I think this is a reasonable compromise.

    On the other hand it still does nothing to address the mass surveillance concern. It will still be easy for instance for an LEA to obtain call records from the phone company. They won't have the content and won't be able to get at it, but they absolutely can know when, how long, and how often Bob and I spoke. They can also know who else Bob and I called. We know that this information is very revealing; it's been used very effectively to identify relationships. It's less clear it violates the 4th than accessing the content. I don't like it but it might be again part of an acceptable compromise.

  22. Re:Does the job still get done? on Economists Say Newest AI Technology Destroys More Jobs Than It Creates · · Score: 5, Interesting

    I don't think this is right. While some people no doubt feel this way, as a society we rarely complain that some people have tons of possessions and status having done relatively little work. Lots of people inherit fortunes and we don't say it's undeserved.

    What we do think is that people who put in a lot of effort should be compensated, and we do that with possessions and status. Which becomes a problem: if nobody wants your effort anymore and you don't have possessions and status already, how can you obtain them?

    Technology has always been in the business of reducing labor. The upshot has always been there has been more worth doing and society's wealth has increased. Once you don't have to have everyone hunting and gathering constantly it frees time up; farming produces more food with less labor resources so you start writing. Once you discover printing, writing and copying takes less time, meaning more people can start reading; and it all snowballs. Fewer people are needed to produce food, they produce other things.

    The last area where technology has not saved labor is thinking. Once humans are freed from having to do all the thinking there is very real possibility the machines will solve the automation of the last hard to automate physical tasks which exist. At that point labor will no longer have any value, in trade. Now individuals might take personal satisfaction in doing something by hand but nothing produced that way will be marketable.

    Trying to answer how society will function if it comes to pass that only capital is valuable and there is no value in labor and little in ideas is an interesting question. We are not there yet, not by a long stretch but the potential for it is looking less science fiction like all the time.

  23. Re:Move to a gated community on Waze Causing Anger Among LA Residents · · Score: 1

    I have seen that too. I used to live in a Cleveland suburb where the City avoided making any repairs to the street outside the local high school. This effectively held everyone to the 25MPH speed limit better than any deliberately introduced speed bumps ever could have.

    I take it those were the "other concerns"

  24. Re:Move to a gated community on Waze Causing Anger Among LA Residents · · Score: 1

    I agree but there is a good and a bad. I don't live in a gated community but my neighbors and I do have a "private road". I suppose when the lots were originally sold and the houses originally built people desired to not have drive ways running right up to US-11.

    On the one hand it's great. We know we can turn out of our drive ways safely. Our pets can run and there is little risk of them being hit by cars, because there are only 7 of us along our dead end road. Naturally we all use it cautiously and respectfully because we all know each other.

    On the flip side it's a couple miles of road that "we" have to maintain. Our little association has to pay to have it plowed and I suppose someday probably re-graded (it's dirt). Until the plowman gets there we are snowed in the winter. We could probably get more prompt service but that would cost even more. We also get to pay sky high rates for home owners insurance because of the (perceived) greater fire risk. The insurance adjusters insist that responses may be longer because of the private road. I kind of doubt it; the guys at the local fire department know exactly where everything is and our road is probably at least as good as most of the public roads off US-11 in the area.

    Now out in southern CA I suppose you don't have the snow concern. Still you got heat and I suspect lots of these "city folk" won't want a dirt road. Which means you're going to have some sort of pavement that will require maintaining. That might prove fairly expensive. Our association considered paving the road some years before I bought in; from what I am told it was cost prohibitive to the point nobody had any interest in reviewing the idea when I brought it up.

  25. Re:Sounds like they should ban the cabbies on French Cabbies Say They'll Block Paris Roads On Monday Over Uber · · Score: 1

    Someone's making money, many others flock to the market

    TRUE

    nobody ends up profitable market retrenchment.

    FALSE -- If the good or service has a long term marketability someone will find a way to make a profit. Some fads just play out but if there is an actual want / need for the product equilibrium will be reached.

    Cases in point:

    Remember all the x86-compatible cpu manufacturers ... most bit the dust.

    Right, the market was hot; everybody and their brother with the capital goods to make chips started producing compatibles. The two best of breed manufacturers along with a tiny handful of also-rans most of us can't name ultimately survived. The rest went bust or moved on to other things once the margins thinned out. Currently the market provides some competition; inexpensive high performance x86 parts are readily available in the market place. Society + 1

    Or the mom-and-pop computer stores?

    These are gone because they really provided zero value, not because there were too many. Most of these were run by people with limited and domain specific knowledge, and lacked the capital resources to handle large orders. As business computerized they missed the boat, because they were unable to provide the goods and services required. The individual market moved on, too. You used to shop there because there was no other way to get parts quickly. Then the Internet happened. Newegg + UPS can offer me lower prices and infinitely better selection, great customer service too. I don't miss the mom and pop computer store at all. Good riddance actually. Society - 0

    Or all the different donut franchises?

    Again no idea what your point is. Doughnuts, like most specialty food products, enjoy some cyclical popularity booms. At least here in Richmond VA, there are plenty of independent doughnut shops. Sellers who got a good location, estimate production requirements well, do just fine, as do some big chains like Dunkin and Jack Frost. The hobbyists who popped up and needed $5 doughnuts to be profitable are gone. I am sure they will be back in a few years during the next doughnut craze. In the mean time I can get a good quality doughnut anytime I want for a low price without having to travel too far to get one. Society + 1

    Or now, all the new mobile developers who aren't even breaking even and are running on a wing and a prayer?

    Have you used the "average" mobile app? It's worse than horse shit, really. At least with horse pucky you can fertilize something; with the typical mobile app you're actually worse off having it on your phone. It's probably a security vuln, is consuming space and will require at least some tiny effort to remove it. Once again the only people who lose anything when that market shakes out will be the people delivering the shovelware, who today are profiting on consumer ignorance, preying on those folks who can't differentiate between good apps and bad (which due to how the market places work is pretty much everyone unless you're buying an app in a very common category). I really look forward to the day these mobile "developers" are gone. Things will be better when equilibrium is reached and there is a smaller but competitive group of software houses putting out quality product at a reasonable price. Sure apps won't be $1 anymore, they will probably be $4 or $10, but you also won't have to try 15 of them to find something worth a $1. Society - 0