How can they ask for something like this after doing everything in their power to ensure something like this can't be created?
This all makes perfect sense when you consider what the NSA's desired state of affairs is:
* The NSA, and only the NSA, are technically capable of spying on everybody and anybody at the drop of a hat.
* Nobody can spy on US government officials, and especially nobody can spy on the NSA.
It's worth pointing out that both of these activities are very much within the stated mission of the NSA.
While it is true that the NSA can technically spy on anyone and everyone, it's not technically or practically true that nobody can spy on US government officials.
The NSA cracks codes and spies on everyone and this device won't help so I don't understand why it's being created.
Top Secret/secure compartmentalized information is traditionally read in SCIFs--special, leak-proof rooms designed just for reading/reviewing/discussing this sort of super super double top secret stuff.
The specs for SCIFs are pretty tough. Unused communications wires have to be bonded to ground. If a voice evacuation system speaker is required in the SCIF, it has to be self-amplified, since anyone who's ever attended a K-12 school knows that a PA speaker can be flipped into a microphone.
So what happens when an NSA employee on official travel is in their non-SCIFfed hotel room reading their Super Duper Secure Smartphone?
Exactly what I was thinking. I don't understand why they haven't thought of that or why they would think this is a good idea. Using smartphones for top secret, secret, or even just sensitive information might not be a good idea. I guess if the information is just sensitive or not very secret it won't make a difference but why use the NSA phone? Why not just let the NSA create a certification standard and let commercial phones design for that standard?
Maybe you could program a stealthy mechanism to have the phone send a "help, my user is having a gun to his head" message, like entering and leaving a set of menus in a certain order?
More likely it'll be forgotten or stolen, obviously, but if it contains no information but a password-encrypted VPN or authentication key by itself and the password is of proper length it should be practically safe anyway? And the data it has access to is presumably really, really limited and segregated?
None of that would work because they could simply pick off the emissions the phone produces and get information that way. Unless of course the phone doesn't produce any but 99% of phones will and do, and also you have to worry about securing the user of the phone itself. The whole idea is technologically impossible at this time.
Anything password encrypted will be broken. Anything authenticated by fingerprint, eyes or whatever can and will be broken as well. And if the user isn't safe everything is broken.
How can they claim to be worried about situations presented in the Bradley Manning case if they want to simultaneously bring SIPRNet to your hip? Just the concept of trying to have mobility and security seems a bit naive.
Fundamentally, there is a problem with mobile access for top secret communications - you don't know who is looking over the shoulder of the authorized user. Or if someone is pointing a gun at the head of an authorized user. These problems are reduced when you make the user come in to the office.
That's just one problem and possibly the main problem. But you also don't know for sure the person reading it is the person authorized. Looking over their shoulder isn't the only problem, as most authentication schemes can be faked.
When an individual has access to classified information it's best to monitor their every move. This is why it's best if they access it from an environment where their every move is seen. This would have to be a completely secured location.
Mobile phones create insecurity because now there is no way to guarantee the location is a secure location or that the individual is the authorized individual.
It's a really bad, in fact, it's a stupid idea to try to use a mobile toy smartphone for something like this.
It's not about the encryption either. Every single component in that smartphone will have to be made by the right people and in such a way so that there isn't a hardware backdoor. Every piece of software would have to be audited. And even then I still think it's a bad idea to do this.
The encryption part is easy. It's easy to create schemes which are perfectly secure. It's difficult to defend against user error, against the phone being lost or being operated by someone other than the owner.
How would they even do authentication? If it's a password then that will be easily defeated. If it's 2 factor authentication that could still be easily defeated. I just cannot see how this is a good idea, and I'd think it would be silly to use smart phones to handle classified information.
They could do the same thing that they do with the War on Drugs. They might either liaison with other intelligence agencies in the target country, or they will just work out of the embassy like the DEA does in Colombia.
What does that mean for citizens, for human rights, civil rights, or just our rights online in general?
If you're thinking along those lines, then consider this. Sony is being used by the United States government as a puppet to go after LulzSec. They put their man, the former DHS employee, at Sony so that they have an insider on the front lines. Sony is just a casualty in the war. They have nothing to gain by actively going after LulzSec and everything to lose. On the other hand, the United States government might want to nip LulzSec in the bud.
We don't live in such a police state that they can simply go after people without cause. They would need a pawn like Sony. Sony has suffered "damages" due to LulzSec and therefore Sony can engage the Department of Justice to bring down the hammer on LulzSec.
I don't agree with that line of thinking, but if that is what was going on, it would be happening along those lines.
That's fine but who says LulzSec are Americans? What are American law enforcement types supposed to do if LulzSec is spread around the globe? My best information indicates they are mostly located in the UK, but once again what is the FBI going to do? Extraordinary rendition? And if LulzSec has any skill at all they'll be behind proxies making it even harder to track them down. Once again what is the FBI supposed to do?
But I do think your theory makes logical sense. It does seem like Sony is becoming a puppet of the US Government to go after Lulz Sec. I just wish they weren't so damn obvious about it. They couldn't pick a more hated company.
You cannot stop political actions with law enforcement. I'm not saying everything Anonymous does is political, but the core of their organization is political and cracking down on them will only gain them support.
Cellmate A: I'm in here for political crimes
Cellmate B: Really? Whaddya do?
Cellmate A: I hacked some thirteen year old camwhore's facebook account and got her expelled from school.
Cellmate B: Come and suck my dick, you little shit.
If you want to try and imply that all hackers are child pornographers, that's not going to work either.
The people who hack big corporations for political reasons, who happen to get caught, chances are it wouldn't be about hacking a Facebook account. If we are going to start treating script kiddies like mobsters then we have a problem because millions of teenagers are doing dumb stuff like that.
And I don't think tougher laws are going to stop it from happening.
>hmmmm - so if a thief breaks into my home what I should do, by your logic, is build an addition on to my house and invite him to move in and several of his loser buddies over for tea so we can chat about life and all things illegal with the goal of me becoming friendly with him, his lifestyle, his friends and the illegal counterculture he resides in. Because the real problem and the real reason he broke into my home and stole all my shit is because I'm the asshole who is breaking down society and he and his friends' lives with my aspirations of bringing products to market and having other people purchase them at a fair market price so that I can make a living and my customers can use their money to provide themselves some entertainment to hopefully escape the real world for a few hours.
If you were once a thief, and 10 or 20 years later you're in a position to help the next person so they don't have to do what you did, but instead you decide to say screw em, throw em all in jail, then you'd be like Sony and some of these corporations. Everyone started out as part of the counter culture. Whether you're talking about Steve Jobs who started out as a hippy, trying to invent the first personal computer, or Bill Gates trying to put Windows in every home, all of these people were doing the same stuff. You think people who work for Sony never used pirated software before they could afford it? Never downloaded illegal music? Never experimented with computers as a teenager? But now they want to criminalize the next generation of teenagers who probably will make the same dumbass mistakes they made as part of growing up?
I see this attitude as the attitude of hypocrites. The sort of person who smoked weed in college back when it was still somewhat legal, but they support throwing people in prison to get butt raped now that it's illegal. These sorts of people are selling out to try to impress people who either don't exist (people who never break laws or protest), or who exist but are from a completely different culture from mainstream society. What I'm saying is this attitude caters to the elite few who didn't protest Vietnam in the 60s, who didn't use pirated software in the 80s and 90s, who didn't download music in college, these people now who want to act holy and righteous but who did the same stuff or perhaps much worse when they were young, these are the sort of people who would be the former thief who wants to now put the thieves to death.
I'm saying this behavior from young people using computers to do this sort of stuff is no different than what young people do every generation. They politically protest using whatever means they have available to them. Sony is fighting a political battle with law enforcement to protect their profits. I wouldn't have a problem if Sony softened their political stance, but they feel a need to try to tell entire communities what is or isn't moral, or lecture people on ethics of copyright, while they lock down their hardware and software, using closed source schemes, hidden rootkits into our computers, they don't care about the actual impact of their policies on the future, on technology, on human rights, on liberty, they simply set their politics according to what makes them more profitable.
They are no better than oil companies who fund climate change denials. They are the exact same sort of people. Why would you defend Sony? They are like the climate change deniers, they'll destroy the environment to maintain their profits because they don't care about the internet, about community, about human rights, about anything other than profits and the worst thing about their policies, they'd make just as much profits if they switched their political stance, only their profits wouldn't be as damaging to human rights or to the communities.
Sony is choosing to be a bad corporate citizen and hide behind law enforcement. I'm sure oil companies would also like to do the same thing, and say climate change promoters are harming their profits.
It wouldn't surprise me to see them use this in cases like Anon. That way you catch the 17-year-old DDoSing MasterCard and can charge him with anything associated with the Anon collective (hacking the Arizona law enforcement for example). Do this once or twice (handing out those heavy sentences to someone hardly involved) and the cost of being one of Anon's sheep gets steep enough people stop doing it. Granted I don't know much about RICO, but the instant I read the headline, that's what popped into my head.
Yeah because it worked so well for drugs, and for everything else right? You cannot stop political actions with law enforcement. I'm not saying everything Anonymous does is political, but the core of their organization is political and cracking down on them will only gain them support.
No, it's been proven over and again that group crimes are different, and usually worse, than crimes by an individual. It's been proven for a long time that when groups attack people and our rights, the law must attack the group - not just members of the group. It's necessary.
The problem with that is hacker groups form spontaneously, often from an IRC chatroom, or on 4chan, or flashmob style such as the case with the MasterCard attack or a group like Anonymous.
U.S. law enforcement depends on its ability to search a suspect's computers to prosecute all kinds of crimes from terrorism to drug trafficking, child pornography, and fraud, Reitinger said at the conference, sponsored by the Smart Card Forum.
There's no worse feeling for a law enforcement official, Reitinger said, than finding that a confiscated computer is full of documents that have been sealed up by strong encryption.
The problem with this approach is it has a negative impact on the community itself. Its impact could mean the criminalization of the gaming community. This attitude is very similar to the war on drugs, it's a cultural disagreement with one side having and flexing political connections to strong arm the other side. What is or isn't criminal is determined by people at Sony who have no connection to the community and who don't care about the culture. Reitinger is a law enforcer, and he's good at fighting crime, but this isn't a problem which will be solved by simply arresting a bunch of people.
Just like drug dealing didn't stop after all those arrests, neither will file sharing, or hacking, or anything else. The difference here is hacking is mostly a political crime, at least the sort of hacking that affects Sony. If we remove politics from the equation then everyone can agree that the hackers are the bad guy, the problem with Sony is Sony has become the bully, and the bad guy to the customers (the community) as much as the hackers have and that's the problem I'm talking about addressing.
Sony ultimately is a technology company not a crime fighting company. If they want to become a copyright crime fighting company they can go ahead, but their political positions and take no prisoners crime fighting mentality have led to them suing file sharers, tinkerers and others who are punished merely for finding bugs in their system or their business model. And rather than change their business model or come up with a different solution, such as how Google would do or Microsoft would do, instead they sue and arrest, creating the most political environment possible and dividing the gaming, hacker, and other communities in such a way that when they do get hacked their own customers cheer the hackers. This is the essence of their problem.
If they needed a law enforcement guy, did they have to get the head of the DHS? Out of every guy they could have picked it had to be a guy coming from the DHS? I'm sure there were other guys who could have done the job but who didn't have that kind of political baggage.
You want a hacker to run security? That's just stupid. You want a manager who knows how to hire people who have the right skill set to protect a network. And the whole concept of hiring hackers is a bit naive. Hacking in to Sony is fun. Protecting Sony from hackers on a day to day business is hard work. Of course, a hacker doesn't need to hack once they have internal access...so not too brilliant there either. There are security professionals out there who are equipped with the knowledge of how to hack in to and protect systems. Hiring hackers is one of those things that sounds good to the masses...like lower taxes...but there is more to it than just that.
You need a hacker AND a manager. We've seen how well it works to just hire a manager who knows nothing about the hacker community. The manager has to set good policies, and to do that the manager has to at least understand the nature of his attackers and I doubt this manager does. Sure if Sony hires hackers and they give good advice to the manager that could help but the problem Sony has had for a long time is Sony is always slow to change, resistant to change, and slow to adapt. They simply haven't been able to get out of the 1980s walkman era thinking.
The first time your Hypothetical Hacker gets rubbed the wrong way by corporate he'll torch Sony's security from the inside out. Sony's corporate culture may be antiquated but corporations are the antithesis of the hacker mentality. Sony doesn't want to change their ways - they just don't want to be p0wn'd on a regular and continuing basis.
That's just not true at all. Not every hacker is like that. That's like saying every programmer on your development team, if you just piss the wrong one off he could write a virus and fuck the system up. Sure that's possible but that's why you don't hire just any random hacker, you hire the ones who are psychologically stable. If someone gets mad and sabotages the company that is because they are psychologically unstable, just like that guy who brought a gun to work and shot everyone up, that could happen too but that doesn't mean we should stop hiring.
If necessary, they should give a psychological exam or read the guy's history to make sure he's not the sort of person to do that. But he also should have in his history something which can connect him to the community. Maybe he was a white hat for example, or maybe he contributed to some open source projects or started one, or maybe he hosted a website. No one is advocating that you hire the irresponsible black hat into the top management position.
This guy was hired to run their security. Hiring a hacker will be helpful for understanding your attackers, but a hacker will understand the corporate culture about as much as Mr Reitinger will understand the gamer/hacker/fan community. Hire former hackers as soldiers in your security arsenal but generals need to be able to survive the corporate ranks.
Corporate culture is what is causing Sony to be targeted. Sony is the target of hackers because their culture is so messed up, so authoritarian, that most hackers find it completely unacceptable and they try to spread their culture through their products with lockins, lock downs, and all kinds of bs. It's that culture which I advocate should be changed in order to save Sony.
Because if they keep their authoritarian corporate culture, sure they can hire this guy who might understand that culture but then they run the risk of not understanding the hacker culture or wider internet culture in general which is the source of all their problems. They need to hire a sociologist or an anthropologist because they just have not been able to adapt to the internet age at all.
Chief Information Security Officer is a manager job, not a tech job; while tech skills may help, a hacker is better used at a more hands-on level.
I know what the job is. But Sony is a tech company. How are you going to be a Chief Information Security Officer at Sony and not have tech skills? I'm not saying this guy doesn't have tech skills, I'm just saying he seems to be focused on law and that's not going to help him deal with some of the type of problems which can only be solved technologically.
If he's the guy in charge, and we are using Microsoft as his gauge, once again he's associated with all the wrong companies in my view. It's nothing against the guy, he might know what he's doing.
The problem with this guy is I don't think he really gets the details. I don't know enough about him to judge him completely, but his resume seems no better than the last guy they had. I don't see how this guy is special or different. Yes it's an administrative position, but there are plenty of hackers who also have been or are in administrative positions. Look at some of the other companies out there, and you'll see that some of these companies (especially the smaller companies) are actually run by hackers.
Look at Slashdot and you see many different people giving various interviews. You see some familiar names. Look at this guy, and the only time we ever heard of him is associated with Anonymous and honestly it looked like they pushed the guy out.
Now we find out he's working for Sony? It makes Sony into big brother. In my opinion it was a terrible move. I know they needed someone with some government connections so I understand why they hired him, I just don't have any faith in Sony's decision making or hiring practices. They tend to make a lot of dumb political authoritarian type decisions which might look good on paper but never actually get anything accomplished.
But it's not about law enforcement. It's about politics and just like you can't change people politically by mass arrests, you can't threaten to arrest hackers and expect that to stop an organization like Anonymous. These organizations see Sony as an existential threat.
You cannot solve a political problem with law enforcement. Sony if they were smart would hire some of the hackers in the hacker community. Adopt a new culture which accepts and embraces the hacker community, and over time their stock will rise in the hacker community and then they could have better security by working with their hacker community ties. The problem is they are going entirely authoritarian, which is exactly the wrong direction to go politically if they want any sort of political cover or to not be seen as the most evil. I mean to hire the head of some government agency, a guy who if you look at his resume and record seems to have absolutely no experience with the hacker community, the gaming community, nothing whatsoever. He went to school for computer science and then went to Yale of all possible schools for law.
What is this man's background? What are his political beliefs? Is he just another law and order government robot type who wants to make arrests and solve crimes? If that's all he is, he's exactly the wrong sort of person. What is his technical skill level? Does he have any skill outside of the classroom? Once again the government types usually think anything can be learned in the classroom setting, and that this setting can make up for the lack of actual experience in the hacking community. I'm talking about the IRC channels, the knowledge of the various groups, but most importantly knowing who is what.
I will assume since this guy headed a government agency that he either would know the hacker community inside out or he should have a connection to someone who does. The problem is if the only thing he plans to do is outlaw their activities and then find ways to arrest them, this isn't going to be very popular. More lawsuits? More arrests? More busts? That is more potential talent that goes to waste sitting in prison or in jail.
Sony has a cultural problem. Sony as a corporation has an authoritarian culture. A culture where Sony must have absolute control over everything in order to make a profit. This culture has to change, and it's more important to change this culture than to simply arrest all the anti-authoritarian hackers who don't share that culture. It's also more efficient to hire some of these hackers than to just arrest. And of course the guy they choose to solve all their problems at least from his background and resume, looks to be another authoritarian type.
I can hope that he's different but given Sony's history, and given his resume, he's exactly the sort of character that Anonymous is going to gobble up. This could actually cause Sony to get attacked more frequently. Sony likely was thinking that this guy has connections to the feds, has at least some background in computer science, and has a law degree from Yale with plenty of experience working for X amount of companies. This is all well and good but if this guy were serious, and were a part of the community, he would be giving an interview with Slashdot.
Sony is picking the sort of guy who won't know what he's doing, who seems to have no ties to the hacker community, who graduated from Yale so he's going to seem like another elitist. If you look at who he has worked for, he's connected to governments and law enforcement which goes to show what Sony's priorities are.
Sony should be hiring from within the hacker community. Hiring this guy won't accomplish a damn thing, while this guy might know about the community from the big brother pro government perspective it's very unlikely he will actually understand the community from the perspective of someone who was actually a part of it.
Sony and companies in this position need to start hiring some of these hackers. Look at the situation, you have thousands of young talented hackers. As the unemployment rate rises, they'll be easily recruited or much more likely to join organizations like Anonymous. The best thing Sony could do is hire some of these people, the policy of arresting hackers is dumb. It's like arresting amateur scientists, or arresting mathematicians. The fact that they selected this guy shows me they are focused on arresting them and are going to treat it as a law enforcement problem rather than as a technical and cultural problem.
Sony's problems are technical and cultural. Technical because they design their products in a way so they can only make money with absolute control over how the products are used but then they don't even know how to maintain that control technologically, and second they typically take stances which go against the wishes of millions of people in the hacker community, the gaming community, etc. They simply don't care at all about the customer, the fan, the hacker, the people who buy their products. This lack of respect for the culture of those who buy the product is the main part of the problem.
And this new guy they hired does not seem to come from the sort of background that most gamers, hackers, or fans come from. He's a hyper connected lawyer who happens to know computer science. When they should have found someone who knows computer science and who happens to understand the law, with connections to the hacker community as well as to the government. This guy is going to be seen as an outsider, a government suit and the hackers are going to attack Sony harder.
In a way that is a good thing. It means that a repressive government has to crack down and actively attack its citizens as opposed to just quietly watching traffic flow by and the few people that are firebrands, have them disappear.
A tyrannical government has a higher chance of falling if their citizens know that this is happening as opposed to just people vanishing off the edges.
No, encryption won't stop a rubber hose, but it means that a government has to have a thug system in place, with the corresponding blowback from that.
How is that good? There is no one to protect those citizens. Just knowing it is happening doesn't mean the government has a higher chance of failing. Citizens around the world know governments hate encryption and that includes citizens within the USA who know their government tortures and kills. It's not that people don't know, it's more that people can't do anything about it because governments work together to crack codes, torture and kill individuals.
On top of that, individual citizens cannot trust corporations, as corporations are even more ruthless than governments. So I don't know what good you will have in exposing them. Extraordinary rendition is already common knowledge in the USA, and it hasn't stopped the government from doing what it does here so why would we think Pakistan would be an exception? In China I'm sure they know about the great firewall but it hasn't stopped the Chinese government from applying it.
Usually results in PGP being cracked. So just telling everyone to use PGP will only make the government rely more on wiretaps, bugging, keyloggers, hacking into your computer and waiting for you to type your passwords, and only when all that fails, physically raiding you.
the government which can't break your code will focus instead on breaking you.
Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current situation.
Resisting abusive power doesn't make it more ruthless; it reveals and exposes its ruthlessness. Call their bluff, and if it's not a bluff, then they will be voted out.
This is because you assume torture would cost a lot of money. When the government knows everything about you, it's only a matter of time before their trained psychologists learn which buttons to push. And if all else fails they can simply threaten your family and you'd give up the keys. So I don't think it really would cost very much for any government to do that to thousands of people or even millions, since the same torture tactics will probably work on thousands of people it's not like they'd have much difficulty.
If you have a family and they can't crack your shit, then they could threaten to go after your family on bullshit charges unless you give them the key to your shit. The reasoning being if they cannot crack your shit they can compel you to open your shit. This is why encryption isn't effective, especially if the government is relatively high tech like the US government or even Pakistan.
Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.
Only this isn't going to be the case 90% of the time.
Encryption isn't good enough to stop extraordinary rendition. The government essentially views anyone who uses encryption in an ubiquitous opportunistic way as a terrorist. Encryption didn't protect Bradley Manning from Adrian Lamo. Encryption will only force the governments to rely on informants, which means the government which can't break your code will focus instead on breaking you.
So if you don't give up your key prepare to be tortured until you do. That's how code breaking actually works. Also prepare to be burglarized, keylogged, surveilled around the clock, dumpster dived, and generally treated as a member of a mafia or terrorist group.
How can they ask for something like this after doing everything in their power to ensure something like this can't be created?
This all makes perfect sense when you consider what the NSA's desired state of affairs is:
* The NSA, and only the NSA, are technically capable of spying on everybody and anybody at the drop of a hat.
* Nobody can spy on US government officials, and especially nobody can spy on the NSA.
It's worth pointing out that both of these activities are very much within the stated mission of the NSA.
While it is true that the NSA can technically spy on anyone and everyone, it's not technically or practically true that nobody can spy on US government officials.
The NSA cracks codes and spies on everyone and this device won't help so I don't understand why it's being created.
Bingo.
Top Secret/secure compartmentalized information is traditionally read in SCIFs--special, leak-proof rooms designed just for reading/reviewing/discussing this sort of super super double top secret stuff.
The specs for SCIFs are pretty tough. Unused communications wires have to be bonded to ground. If a voice evacuation system speaker is required in the SCIF, it has to be self-amplified, since anyone who's ever attended a K-12 school knows that a PA speaker can be flipped into a microphone.
So what happens when an NSA employee on official travel is in their non-SCIFfed hotel room reading their Super Duper Secure Smartphone?
Exactly what I was thinking. I don't understand why they haven't thought of that or why they would think this is a good idea. Using smartphones for top secret, secret, or even just sensitive information might not be a good idea. I guess if the information is just sensitive or not very secret it won't make a difference but why use the NSA phone? Why not just let the NSA create a certification standard and let commercial phones design for that standard?
Maybe you could program a stealthy mechanism to have the phone send a "help, my user is having a gun to his head" message, like entering and leaving a set of menus in a certain order?
More likely it'll be forgotten or stolen, obviously, but if it contains no information but a password-encrypted VPN or authentication key by itself and the password is of proper length it should be practically safe anyway? And the data it has access to is presumably really, really limited and segregated?
None of that would work because they could simply pick off the emissions the phone produces and get information that way. Unless of course the phone doesn't produce any but 99% of phones will and do, and also you have to worry about securing the user of the phone itself. The whole idea is technologically impossible at this time.
Anything password encrypted will be broken. Anything authenticated by fingerprint, eyes or whatever can and will be broken as well. And if the user isn't safe everything is broken.
How can they claim to be worried about situations presented in the Bradley Manning case if they want to simultaneously bring SIPRNet to your hip? Just the concept of trying to have mobility and security seems a bit naive.
It's from General Dynamics:
http://www.gdc4s.com/content/detail.cfm?item=32640fd9-0213-4330-a742-55106fbaff32
Blackberry is very good, it currently holds many certifications (but not top secret):
http://us.blackberry.com/ataglance/security/certifications.jsp
Fundamentally, there is a problem with mobile access for top secret communications - you don't know who is looking over the shoulder of the authorized user. Or if someone is pointing a gun at the head of an authorized user. These problems are reduced when you make the user come in to the office.
That's just one problem and possibly the main problem. But you also don't know for sure the person reading it is the person authorized. Looking over their shoulder isn't the only problem, as most authentication schemes can be faked.
When an individual has access to classified information it's best to monitor their every move. This is why it's best if they access it from an environment where their every move is seen. This would have to be a completely secured location.
Mobile phones create insecurity because now there is no way to guarantee the location is a secure location or that the individual is the authorized individual.
It's a really bad, in fact, it's a stupid idea to try to use a mobile toy smartphone for something like this.
It's not about the encryption either. Every single component in that smartphone will have to be made by the right people and in such a way so that there isn't a hardware backdoor. Every piece of software would have to be audited. And even then I still think it's a bad idea to do this.
The encryption part is easy. It's easy to create schemes which are perfectly secure. It's difficult to defend against user error, against the phone being lost or being operated by someone other than the owner.
How would they even do authentication? If it's a password then that will be easily defeated. If it's 2 factor authentication that could still be easily defeated. I just cannot see how this is a good idea, and I'd think it would be silly to use smart phones to handle classified information.
They could do the same thing that they do with the War on Drugs. They might either liaison with other intelligence agencies in the target country, or they will just work out of the embassy like the DEA does in Colombia.
What does that mean for citizens, for human rights, civil rights, or just our rights online in general?
If you're thinking along those lines, then consider this. Sony is being used by the United States government as a puppet to go after LulzSec. They put their man, the former DHS employee, at Sony so that they have an insider on the front lines. Sony is just a casualty in the war. They have nothing to gain by actively going after LulzSec and everything to lose. On the other hand, the United States government might want to nip LulzSec in the bud.
We don't live in such a police state that they can simply go after people without cause. They would need a pawn like Sony. Sony has suffered "damages" due to LulzSec and therefore Sony can engage the Department of Justice to bring down the hammer on LulzSec.
I don't agree with that line of thinking, but if that is what was going on, it would be happening along those lines.
That's fine but who says LulzSec are Americans? What are American law enforcement types supposed to do if LulzSec is spread around the globe? My best information indicates they are mostly located in the UK, but once again what is the FBI going to do? Extraordinary rendition? And if LulzSec has any skill at all they'll be behind proxies making it even harder to track them down. Once again what is the FBI supposed to do?
But I do think your theory makes logical sense. It does seem like Sony is becoming a puppet of the US Government to go after LulzSec. I just wish they weren't so damn obvious about it. They couldn't pick a more hated company.
You cannot stop political actions with law enforcement. I'm not saying everything Anonymous does is political, but the core of their organization is political and cracking down on them will only gain them support.
Cellmate A: I'm in here for political crimes
Cellmate B: Really? Whaddya do?
Cellmate A: I hacked some thirteen year old camwhore's facebook account and got her expelled from school.
Cellmate B: Come and suck my dick, you little shit.
If you want to try and imply that all hackers are child pornographers, that's not going to work either.
The people who hack big corporations for political reasons, who happen to get caught, chances are it wouldn't be about hacking a Facebook account. If we are going to start treating script kiddies like mobsters then we have a problem because millions of teenagers are doing dumb stuff like that.
And I don't think tougher laws are going to stop it from happening.
>hmmmm - so if a thief breaks into my home what I should do, by your logic, is build an addition on to my house and invite him to move in and several of his loser buddies over for tea so we can chat about life and all things illegal with the goal of me becoming friendly with him, his lifestyle, his friends and the illegal counterculture he resides in. Because the real problem and the real reason he broke into my home and stole all my shit is because I'm the asshole who is breaking down society and he and his friends lives with my aspirations of bringing products to market and having other people purchase them at a fair market price so that I can make a living and my customers can use their money to provide themselves some entertainment to hopefully escape the real world for a few hours.
If you were once a thief, and 10 or 20 years later you're in a position to help the next person so they don't have to do what you did, but instead you decide to say screw em, throw em all in jail, then you'd be like Sony and some of these corporations. Everyone started out as part of the counter culture. Whether you're talking about Steve Jobs who started out as a hippy, trying to invent the first personal computer, or Bill Gates trying to put Windows in every home, all of these people were doing the same stuff. You think people who work for Sony never used pirated software before they could afford it? Never downloaded illegal music? Never experimented with computers as a teenager? But now they want to criminalize the next generation of teenagers who probably will make the same dumbass mistakes they made as part of growing up?
I see this attitude as the attitude of hypocrites. The sort of person who smoked weed in college back when it was still somewhat legal, but they support throwing people in prison to get butt raped now that it's illegal. These sorts of people are selling out to try to impress people who either don't exist (people who never break laws or protest), or who exist but are from a completely different culture from mainstream society. What I'm saying is this attitude caters to the elite few who didn't protest Vietnam in the 60s, who didn't use pirated software in the 80s and 90s, who didn't download music in college, these people now who want to act holy and righteous but who did the same stuff or perhaps much worse when they were young, these are the sort of people who would be the former thief who wants to now put the thieves to death.
I'm saying this behavior from young people using computers to do this sort of stuff is no different than what young people do every generation. They politically protest using whatever means they have available to them. Sony is fighting a political battle with law enforcement to protect their profits. I wouldn't have a problem if Sony softened their political stance, but they feel a need to try to tell entire communities what is or isn't moral, or lecture people on ethics of copyright, while they lock down their hardware and software, using closed source schemes, hidden rootkits into our computers, they don't care about the actual impact of their policies on the future, on technology, on human rights, on liberty, they simply set their politics according to what makes them more profitable.
They are no better than oil companies who fund climate change denials. They are the exact same sort of people. Why would you defend Sony? They are like the climate change deniers, they'll destroy the environment to maintain their profits because they don't care about the internet, about community, about human rights, about anything other than profits and the worst thing about their policies, they'd make just as much profits if they switched their political stance, only their profits wouldn't be as damaging to human rights or to the communities.
Sony is choosing to be a bad corporate citizen and hide behind law enforcement. I'm sure oil companies would also like to do the same thing, and say climate change promoters are harming their profits.
It wouldn't surprise me to see them use this in cases like Anon. That way you catch the 17 y o ddosing mastercard and can charge him with anything associated with the Anon collective (hacking the Arizona law enforcement for example). Do this once or twice (handing out those heavy sentences to someone hardly involved) and the cost of being one of Anon's sheep gets steep enough people stop doing it. Granted I don't know much about RICO, but the instant I read the headline, that's what popped into my head.
Yeah because it worked so well for drugs, and for everything else right?
You cannot stop political actions with law enforcement. I'm not saying everything Anonymous does is political, but the core of their organization is political and cracking down on them will only gain them support.
Think I'm wrong? Watch and see.
No, it's been proven over and again that group crimes are different, and usually worse, than crimes by an individual. It's been proven for a long time that when groups attack people and our rights, the law must attack the group - not just members of the group. It's necessary.
The problem with that is hacker groups form spontaneously, often from an IRC chatroom, or on 4chan, or flashmob style such as the case with the MasterCard attack or a group like Anonymous.
And here is a quote from http://www.pcworld.com/article/11067/why_the_feds_fight_encryption.html himself.
U.S. law enforcement depends on its ability to search a suspect's computers to prosecute all kinds of crimes from terrorism to drug trafficking, child pornography, and fraud, Reitinger said at the conference, sponsored by the Smart Card Forum.
There's no worse feeling for a law enforcement official, Reitinger said, than finding that a confiscated computer is full of documents that have been sealed up by strong encryption.
The problem with this approach is it has a negative impact on the community itself. Its impact could mean the criminalization of the gaming community. This attitude is very similar to the war on drugs, it's a cultural disagreement with one side having and flexing political connections to strong arm the other side. What is or isn't criminal is determined by people at Sony who have no connection to the community and who don't care about the culture. Reitinger is a law enforcer, and he's good at fighting crime, but this isn't a problem which will be solved by simply arresting a bunch of people.
Just like drug dealing didn't stop after all those arrests, neither will file sharing, or hacking, or anything else. The difference here is hacking is mostly a political crime, at least the sort of hacking that affects Sony. If we remove politics from the equation then everyone can agree that the hackers are the bad guy, the problem with Sony is Sony has become the bully, and the bad guy to the customers (the community) as much as the hackers have and that's the problem I'm talking about addressing.
Sony ultimately is a technology company not a crime fighting company. If they want to become a copyright crime fighting company they can go ahead, but their political positions and take no prisoners crime fighting mentality has led to them suing file sharers, tinkerers and others who are punished merely for finding bugs in their system or their business model. And rather than change their business model or come up with a different solution, such as how Google would do or Microsoft would do, instead they sue and arrest, creating the most political environment possible and dividing the gaming, hacker, and other communities in such a way that when they do get hacked their own customers cheer the hackers. This is the essence of their problem.
If they needed a law enforcement guy, did they have to get the head of the DHS? Out of every guy they could have picked it had to be a guy coming from the DHS? I'm sure there were other guys who could have done the job but who didn't have that kind of political baggage.
You want a hacker to run security? That's just stupid. You want a manager who knows how to hire people who have the right skill set to protect a network. And the whole concept of hiring hackers is a bit naive. Hacking in to Sony is fun. Protecting Sony from hackers on a day to day business is hard work. Of course, a hacker doesn't need to hack once they have internal access...so not too brilliant there either. There are security professionals out there who are equipped with the knowledge of how to hack in to and protect systems. Hiring hackers is one of those things that sounds good to the masses...like lower taxes...but there is more to it than just that.
You need a hacker AND a manager. We've seen how well it works to just hire a manager who knows nothing about the hacker community. The manager has to set good policies, and to do that the manager has to at least understand the nature of his attackers and I doubt this manager does. Sure if Sony hires hackers and they give good advice to the manager that could help but the problem Sony has had for a long time is Sony is always slow to change, resistant to change, and slow to adapt. They simply haven't been able to get out of the 1980s walkman era thinking.
The first time your Hypothetical Hacker gets rubbed the wrong way by corporate he'll torch Sony's security from the inside out. Sony's corporate culture may be antiquated but corporations are the antithesis of the hacker mentality. Sony doesn't want to change their ways - they just don't want to be p0wn'd on a regular and continuing basis.
That's just not true at all. Not every hacker is like that. That's like saying every programmer on your development team, if you just piss the wrong one off he could write a virus and fuck the system up. Sure that's possible but that's why you don't hire just any random hacker, you hire the ones who are psychologically stable. If someone gets mad and sabotages the company that is because they are psychologically unstable, just like that guy who brought a gun to work and shot everyone up, that could happen too but that doesn't mean we should stop hiring.
If necessary, they should give a psychological exam or read the guy's history to make sure he's not the sort of person to do that. But he also should have in his history something which can connect him to the community. Maybe he was a white hat for example, or maybe he contributed to some open source projects or started one, or maybe he hosted a website. No one is advocating that you hire the irresponsible black hat into the top management position.
This guy was hired to run their security. Hiring a hacker will be helpful for understanding your attackers, but a hacker will understand the corporate culture about as much as Mr Reitinger will understand the gamer/hacker/fan community. Hire former hackers as soldiers in your security arsenal but generals need to be able to survive the corporate ranks.
Corporate culture is what is causing Sony to be targeted. Sony is the target of hackers because their culture is so messed up, so authoritarian, that most hackers find it completely unacceptable and they try to spread their culture through their products with lockins, lock downs, and all kinds of bs. It's that culture which I advocate should be changed in order to save Sony.
Because if they keep their authoritarian corporate culture, sure they can hire this guy who might understand that culture but then they run the risk of not understanding the hacker culture or wider internet culture in general which is the source of all their problems. They need to hire a sociologist or an anthropologist because they just have not been able to adapt to the internet age at all.
Chief Information Security Officer is a manager job, not a tech job; while tech skills may help, a hacker is better used at a more hands-on level.
I know what the job is. But Sony is a tech company. How are you going to be a Chief Information Security Officer at Sony and not have tech skills? I'm not saying this guy doesn't have tech skills, I'm just saying he seems to be focused on law and that's not going to help him deal with some of the type of problems which can only be solved technologically.
If he's the guy in charge, and we are using Microsoft as his gauge, once again he's associated with all the wrong companies in my view. It's nothing against the guy, he might know what he's doing.
The problem with this guy is I don't think he really gets the details. I don't know enough about him to judge him completely, but his resume seems no better than the last guy they had. I don't see how this guy is special or different. Yes it's an administrative position, but there are plenty of hackers who also have been or are in administrative positions. Look at some of the other companies out there, and you'll see that some of these companies (especially the smaller companies) are actually run by hackers.
Look at Slashdot and you see many different people giving various interviews. You see some familiar names. Look at this guy, and the only time we ever heard of him is associated with Anonymous and honestly it looked like they pushed the guy out.
Now we find out he's working for Sony? It makes Sony into big brother. In my opinion it was a terrible move. I know they needed someone with some government connections so I understand why they hired him, I just don't have any faith in Sony's decision making or hiring practices. They tend to make a lot of dumb political authoritarian type decisions which might look good on paper but never actually get anything accomplished.
But it's not about law enforcement. It's about politics and just like you can't change people politically by mass arrests, you can't threaten to arrest hackers and expect that to stop an organization like Anonymous. These organizations see Sony as an existential threat.
You cannot solve a political problem with law enforcement. Sony if they were smart would hire some of the hackers in the hacker community. Adopt a new culture which accepts and embraces the hacker community, and over time their stock will rise in the hacker community and then they could have better security by working with their hacker community ties. The problem is they are going entirely authoritarian, which is exactly the wrong direction to go politically if they want any sort of political cover or to not be seen as the most evil. I mean to hire the head of some government agency, a guy who if you look at his resume and record seems to have absolutely no experience with the hacker community, the gaming community, nothing whatsoever. He went to school for computer science and then went to Yale of all possible schools for law.
What is this man's background? What are his political beliefs? Is he just another law and order government robot type who wants to make arrests and solve crimes? If that's all he is, he's exactly the wrong sort of person. What is his technical skill level? Does he have any skill outside of the classroom? Once again the government types usually think anything can be learned in the classroom setting, and that this setting can make up for the lack of actual experience in the hacking community. I'm talking about the IRC channels, the knowledge of the various groups, but most importantly knowing who is what.
I will assume since this guy headed a government agency that he either would know the hacker community inside out or he should have a connection to someone who does. The problem is if the only thing he plans to do is outlaw their activities and then find ways to arrest them, this isn't going to be very popular. More lawsuits? More arrests? More busts? That is more potential talent that goes to waste sitting in prison or in jail.
Sony has a cultural problem. Sony as a corporation has an authoritarian culture. A culture where Sony must have absolute control over everything in order to make a profit. This culture has to change, and it's more important to change this culture than to simply arrest all the anti-authoritarian hackers who don't share that culture. It's also more efficient to hire some of these hackers than to just arrest. And of course the guy they choose to solve all their problems at least from his background and resume, looks to be another authoritarian type.
I can hope that he's different but given Sony's history, and given his resume, he's exactly the sort of character that Anonymous is going to gobble up. This could actually cause Sony to get attacked more frequently. Sony likely was thinking that this guy has connections to the feds, has at least some background in computer science, and has a law degree from Yale with plenty of experience working for X amount of companies. This is all well and good but if this guy were serious, and were a part of the community, he would be giving an interview with Slashdot.
Sony is picking the sort of guy who won't know what he's doing, who seems to have no ties to the hacker community, who graduated from Yale so he's going to seem like another elitist. If you look at who he has worked for, he's connected to governments and law enforcement which goes to show what Sony's priorities are.
Sony should be hiring from within the hacker community. Hiring this guy won't accomplish a damn thing, while this guy might know about the community from the big brother pro government perspective it's very unlikely he will actually understand the community from the perspective of someone who was actually a part of it.
Sony and companies in this position need to start hiring some of these hackers. Look at the situation, you have thousands of young talented hackers. As the unemployment rate rises, they'll be easily recruited or much more likely to join organizations like Anonymous.
The best thing Sony could do is hire some of these people, the policy of arresting hackers is dumb. It's like arresting amateur scientists, or arresting mathematicians. The fact that they selected this guy shows me they are focused on arresting them and are going to treat it as a law enforcement problem rather than as a technical and cultural problem.
Sony's problems are technical and cultural. Technical because they design their products in a way so they can only make money with absolute control over how the products are used but then they don't even know how to maintain that control technologically, and second they typically take stances which go against the wishes of millions of people in the hacker community, the gaming community, etc. They simply don't care at all about the customer, the fan, the hacker, the people who buy their products. This lack of respect for the culture of those who buy the product is the main part of the problem.
And this new guy they hired does not seem to come from the sort of background that most gamers, hackers, or fans come from. He's a hyper connected lawyer who happens to know computer science. When they should have found someone who knows computer science and who happens to understand the law, with connections to the hacker community as well as to the government. This guy is going to be seen as an outsider, a government suit and the hackers are going to attack Sony harder.
In a way that is a good thing. It means that a repressive government has to crack down and actively attack its citizens as opposed to just quietly watching traffic flow by and the few people that are firebrands, have them disappear.
A tyrannical government has a higher chance of falling if their citizens know that this is happening as opposed to just people vanishing off the edges.
No, encryption won't stop a rubber hose, but it means that a government has to have a thug system in place, with the corresponding blowback from that.
How is that good? There is no one to protect those citizens. Just knowing it is happening doesn't mean the government has a higher chance of failing. Citizens around the world know governments hate encryption and that includes citizens within the USA who know their government tortures and kills. It's not that people don't know, it's more that people can't do anything about it because governments work together to crack codes, torture and kill individuals.
On top of that, individual citizens cannot trust corporations, as corporations are even more ruthless than governments. So I don't know what good you will have in exposing them. Extraordinary rendition is already common knowledge in the USA, and it hasn't stopped the government from doing what it does here so why would we think Pakistan would be an exception? In China I'm sure they know about the great firewall but it hasn't stopped the Chinese government from applying it.
Usually results in PGP being cracked. So just telling everyone to use PGP will only make the government rely more on wiretaps, bugging, keyloggers, hacking into your computer and waiting for you to type your passwords, and only when all that fails, physically raiding you.
Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current situation.
Resisting abusive power doesn't make it more ruthless; it reveals and exposes its ruthlessness. Call their bluff, and if it's not a bluff, then they will be voted out.
This is because you assume torture would cost a lot of money. When the government knows everything about you, it's only a matter of time before their trained psychologists learn which buttons to push. And if all else fails they can simply threaten your family and you'd give up the keys. So I don't think it really would cost very much for any government to do that to thousands of people or even millions, since the same torture tactics will probably work on thousands of people it's not like they'd have much difficulty.
If you have a family and they can't crack your shit, then they could threaten to go after your family on bullshit charges unless you give them the key to your shit. The reasoning being if they cannot crack your shit they can compel you to open your shit. This is why encryption isn't effective, especially if the government is relatively high tech like the US government or even Pakistan.
Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.
Only this isn't going to be the case 90% of the time.
Encryption isn't good enough to stop extraordinary rendition. The government essentially views anyone who uses encryption in a ubiquitous opportunistic way as a terrorist. Encryption didn't protect Bradley Manning from Adrian Lamo. Encryption will only force the governments to rely on informants, which means the government which can't break your code will focus instead on breaking you.
So if you don't give up your key prepare to be tortured until you do. That's how code breaking actually works. Also prepare to be burglarized, keylogged, surveillanced around the clock, dumpster dived, and generally treated as a member of a mafia or terrorist group.
If you want an idea of what it's like, here you go http://www.jbhfile.com/harm_gang.html