Archive for December, 2013

physical security, part two

Tuesday, December 31st, 2013

And again with the physical access meme:

Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.

The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.

Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.

Using commercial-off-the-shelf products to build a system makes sense from a cost-management point of view, but only if every aspect of that system's security is then considered, including what someone with a drill and a USB stick can reach.
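As an added illustration of that point (this is not code from the original post, and the article does not say which operating system the attacked ATMs ran), the following assumes a Linux-based kiosk. On Linux each USB host controller exposes `/sys/bus/usb/devices/usbN/authorized_default`; the kernel default of 1 means anything plugged in is enumerated and bound to a driver, while 0 leaves new devices unauthorised until an operator deliberately enables them. The functions take the sysfs directory as a parameter so the same logic can be exercised against a constructed directory tree as well as a live host:

```shell
# Added example, not from the original post. Assumes a Linux host where each
# USB root hub exposes /sys/bus/usb/devices/usbN/authorized_default:
#   1 (kernel default): any device plugged in is enumerated and gets a driver.
#   0: new devices stay unauthorised until an operator writes 1 to that
#      device's own "authorized" attribute; a stick pushed through a hole in
#      the fascia is simply ignored by the kernel.
# Every function takes the sysfs directory as an optional first argument so the
# logic can be run against a constructed directory tree as well as a live host.

# usb_hub_policy [DIR]: print "<hub> open" or "<hub> locked" for each root hub.
usb_hub_policy() {
    dir="${1:-/sys/bus/usb/devices}"
    for hub in "$dir"/usb*; do
        [ -r "$hub/authorized_default" ] || continue
        if [ "$(cat "$hub/authorized_default")" = "1" ]; then
            echo "$(basename "$hub") open"
        else
            echo "$(basename "$hub") locked"
        fi
    done
    return 0
}

# open_usb_hubs [DIR]: print the number of root hubs still accepting new devices.
open_usb_hubs() {
    n=0
    for hub in "${1:-/sys/bus/usb/devices}"/usb*; do
        [ -r "$hub/authorized_default" ] || continue
        [ "$(cat "$hub/authorized_default")" = "1" ] && n=$((n + 1))
    done
    echo "$n"
}

# lock_usb_hubs [DIR]: write 0 to authorized_default on every root hub (needs
# root on a real host). Devices already enumerated keep working; anything
# plugged in afterwards, a storage stick or a keyboard emulator alike, stays inert.
lock_usb_hubs() {
    for hub in "${1:-/sys/bus/usb/devices}"/usb*; do
        [ -w "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
    done
    return 0
}

# Stand-alone run: read-only audit of the host this script runs on.
usb_hub_policy
echo "root hubs accepting new devices: $(open_usb_hubs)"
```

This closes only the vector the article describes, an unattended USB port; a machine whose physical interfaces are never listed in its threat model will have others. Windows offers a comparable control through the device-installation restriction Group Policies, but the principle is the same: the ports are part of the system, so they are part of its security.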

physical security

Tuesday, December 31st, 2013

It remains true that physical access is the hardest thing to secure:

TAO has a catalog of all the commercial equipment that carries NSA backdoors. And it’s a who’s who of a list. Storage products from Western Digital, Seagate, Maxtor and Samsung have backdoors in their firmware, firewalls from Juniper Networks have been compromised, plus networking equipment from Cisco and Huawei, and even unspecified products from Dell. TAO actually intercepts online orders of these and other electronics to bug them.

it recruitment

Sunday, December 29th, 2013

Federal and state governments have already spent millions investigating ways to fill thousands of empty jobs.

However, IT workers argue that government money would be better spent hiring graduates for big projects so they can get valuable on-the-job experience.

Yes, but…

HR executives have a special term for this 6:1 market advantage when they’re trying to fill jobs today: They call it a “talent shortage.”

and…

Many businesses that struggle to find employees would state that while there are plenty of people, there are not plenty of people who can do the jobs that need to be done.

This is rubbish.

There isn’t a talent shortage, nor is there a job shortage.

There are plenty of jobs. There are also plenty of people — good people — searching. Making the two match up relies more on old-fashioned recruitment (for the employer) and job-seeking (for the candidate employee) and less on whichever HR fad is flavour of the moment.

rfc1149

Saturday, December 28th, 2013

On June 30, 2013, prompted by revelations of surveillance programs in the United States and Britain, former Union of International Associations Assistant Secretary-General Anthony Judge published a detailed proposal titled “Circumventing Invasive Internet Surveillance With Carrier Pigeons.” In it, Judge discusses the proven competence of carrier pigeons for delivering messages, their non-military and military messaging capacity, and Chinese experiments to create pigeon cyborgs. Judge acknowledges that pigeon networks have their own vulnerability (such as disease, hawks, or being lured off course by sexy decoys), but argues that others have proven pigeons are effective at transmitting digital data.

the sound of silence

Friday, December 27th, 2013

It’s because Abbott’s approach was so perfectly suited to the age. Much has been written about the 24-hour news cycle, and the culture of sound-bite politics it generates. All that is true. But the problem is much bigger than that. It’s society-wide.

Our entire mode of living is now built on speed. We communicate instantly and constantly, and we command an impressive array of gadgets to facilitate this. The very moment we receive news, we’re reacting to it, usually with virtual people whose role – either as ideological friend or foe – is pre-determined.

A political development is not as important as the immediate argument we intend to prosecute with it. We’ve arranged ourselves into teams, and we take our cues from our teammates. We’re becoming captive to a kind of digital tribalism.

This is a whole new sociology, and it brings with it a whole new politics of obstinate, snap judgment. Put simply, we commit too hard, too early. That’s why political parties take the huge step of replacing leaders so much quicker than they used to. They know we’re not really for turning any more. And that’s because, while we’re smothered with information, we simply don’t have time to digest it.

But since we all have megaphones now, it’s unthinkable to be silent; to have nothing to say. So we make noise. And, in the process, what we’re losing as a society is the capacity for reflection.

The other unfortunate result of this mentality is the “extremist” politics it encourages, from relatively moderate parties and, dangerously often these days, from organisations like the Tea Party movement and the 99% groups. When the only way to be heard is to be an extremist, everyone becomes one.

This way lies trouble.

tenacity and control

Thursday, December 26th, 2013

“Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks,” the report found, “and could readily have been obtained in a timely manner using conventional section 215 orders.”

Then there’s the tale of three captured soldiers in Iraq, invoked in 2007 to show the need for the predecessor to the FISA Amendments Act, basis for the NSA’s PRISM program. The secret Foreign Intelligence Surveillance Court had supposedly ruled that even totally foreign communications could not be intercepted without a warrant if they were picked up as they passed through the United States. As a result, claimed then-Director of National Intelligence Michael McConnell, a time-sensitive effort to wiretap the insurgents believed to be holding the soldiers was delayed for 12 hours.

Only later did it become clear that the delay was due to internal bureaucratic wrangling, not the new court ruling—which had not even taken effect yet, and in any event, would not have required the government to obtain a warrant in such an emergency situation. As James Bamford recounts in his book The Shadow Factory, it turned out that several of the subjects of that wiretap were already under surveillance, but it didn’t matter: The NSA’s primary target was quickly captured by troops in the field, and found to have been uninvolved in the kidnapping.

Perhaps most egregious is the case of Magdy Mahmoud Mostafa el-Nashar, a former acquaintance of the perpetrators of the 2005 London transit-system bombings. Though he was ultimately cleared of any wrongdoing, FBI Director Robert Mueller later told Congress that investigators had been delayed in obtaining the suspect’s education records because they were not covered by the bureau’s National Security Letter authorities—supposedly showing the need for a broader power to demand records without judicial approval. “We should’ve been able to have a document, an administrative subpoena that we took to the university and got those records immediately,” Mueller testified.

Yet it later came out that an FBI agent had quickly obtained the records under a traditional grand-jury subpoena—then, with the documents in hand, been ordered over the phone to return them and try again with an NSL, even though NSLs clearly didn’t apply to education records. The FBI had, in other words, created its own unnecessary delay, then used the story to claim it needed more power.

collateral damage

Thursday, December 26th, 2013

This is why Internet filtering is a bad idea:

but the changes have led to Internet users being denied access to a wide range of organisations including child protection charities, women’s charities and gay rights groups. Among institutions that have found themselves subject to the blocks are the British Library and the National Library of Scotland.

The opt-in filters also deny access to the Parliament and Government websites and the sites of politicians, including Claire Perry, the MP who has campaigned prominently for the introduction of filters.