Archive for the ‘Security’ Category

Cyberwar Paradox


(FTB stderr) – Marcus Ranum:

I pointed this problem out during my “cyberwar is bullshit” talk at RSA conference in 2012: once you begin using your cyberweapons, they become subject to commercial pressures and competitive analysis.

This guarantees that cyberweapons will have (relatively) short lifespans, and they’ll have the same problem that copy-protect and other digital rights management systems have: in order to work, you have to give them to the enemy, which means they are subject to examination and dissection. The cost of innovation is borne by the designer of the system, and once the system is widely fielded, it can be completely mooted by a single attacker. …

stderr 2017/06/09 security-paradox

Torpig botnet takeover

TLA Computer Security


(FTB stderr) – Marcus Ranum:

There are many agencies that have some degree of charter for computer security – but “defense” has been a bit of a hot potato. Meanwhile, the NSA (and now we know CIA, and probably every other Three Letter Agency) used to go to security conferences like DEFCON and advertise that they were hiring hackers. Of course they were.

If you know anything about how the US empire operates, you’d predict right away that the effort in computer security has been pretty much all offense and no defense – like our Department of “Defense” – and you’d be pretty much right. …

stderr 2017/05/18 sounds-about-right

Marcus J. Ranum: The Myth of Homeland Security

Stories About Code Obfuscation


(FTB stderr) – Marcus Ranum:

Code Obfuscation is really neat stuff. Or, it can be.

Other than the rare programmer such as the one guy I encountered in a certain university’s database research group in 1988, most programmers write somewhat readable code. It has to be readable because the compiler/interpreter’s parser is almost always more strict than a human would be – programming languages have a specific syntax that strikes a balance between the computer’s ability to be sure what the programmer wants to do, and the programmer’s laziness about expressing it. There are fun philosophical debates among programming language proponents as to the degree to which the computer should try to figure things out. …

If I’ve got to give you a copy of my source code, why not turn “prompt” into “0x000010” or something less readable? Why not turn all my variables into unreadable crud? What if my variables look like: “01oI00”, “0I00Ioo” and so forth? And all my function names can be changed, and my strings can even be removed. …

stderr 2017/04/17 stories

Stunnix obfuscation
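
As an added illustration of the renaming Ranum describes (example code written for this page, not Ranum’s and not Stunnix’s), here is a two-pass obfuscator built on Python’s standard ast module: the first pass collects every name the module itself binds, the second replaces those names with identifiers made only of 0/O/o/I/l/1 and swaps each string literal for a hex decode that yields the same value at run time. SAMPLE is constructed input.

```python
"""Toy Python source obfuscator (constructed example, not Stunnix's code):
rename every name the module binds to a confusable identifier and hide
string literals behind a hex decode."""
import ast
import builtins
import itertools

CONFUSABLE = "0OoIl1"  # glyphs that look alike in most fonts


def confusable_names():
    """Yield distinct identifiers built only from CONFUSABLE characters.
    Identifiers may not start with a digit, so the first char is a letter."""
    for length in itertools.count(6):
        for head in "OoIl":
            for tail in itertools.product(CONFUSABLE, repeat=length - 1):
                yield head + "".join(tail)


class BoundNames(ast.NodeVisitor):
    """Pass 1: names the module binds (defs, parameters, assignment targets).
    Only these are safe to rename; builtins, imports and attributes are not."""

    def __init__(self):
        self.bound = set()

    def visit_FunctionDef(self, node):
        self.bound.add(node.name)
        for arg in node.args.args:
            self.bound.add(arg.arg)
        self.generic_visit(node)

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Store):
            self.bound.add(node.id)


class Obfuscator(ast.NodeTransformer):
    """Pass 2: apply the renaming and hex-encode string literals."""

    def __init__(self, bound):
        self.bound = {n for n in bound
                      if n not in dir(builtins) and not n.startswith("__")}
        self.names = confusable_names()
        self.mapping = {}  # original name -> confusable name

    def _rename(self, name):
        if name not in self.bound:
            return name
        if name not in self.mapping:
            self.mapping[name] = next(self.names)
        return self.mapping[name]

    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        for arg in node.args.args:
            arg.arg = self._rename(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        node.id = self._rename(node.id)
        return node

    def visit_keyword(self, node):
        # f(expected=...) must follow a renamed parameter (toy: assumes the
        # callee is local when the keyword matches a bound name)
        if node.arg is not None:
            node.arg = self._rename(node.arg)
        self.generic_visit(node)
        return node

    def visit_JoinedStr(self, node):
        # f-string pieces must stay str constants; only rename inside braces
        for part in node.values:
            if isinstance(part, ast.FormattedValue):
                part.value = self.visit(part.value)
        return node

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            # "ok" -> bytes.fromhex("6f6b").decode(): same value when run,
            # nothing greppable in the file
            expr = f'bytes.fromhex("{node.value.encode().hex()}").decode()'
            return ast.copy_location(ast.parse(expr, mode="eval").body, node)
        return node


def obfuscate(source):
    """Return (obfuscated_source, {original_name: new_name})."""
    tree = ast.parse(source)
    collector = BoundNames()
    collector.visit(tree)
    obf = Obfuscator(collector.bound)
    tree = obf.visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), obf.mapping


# Constructed sample input
SAMPLE = '''
def check_password(prompt, expected):
    """Compare what the user typed with the expected secret."""
    typed = prompt("password: ")
    return "ok" if typed == expected else "denied"
'''

if __name__ == "__main__":
    code, mapping = obfuscate(SAMPLE)
    print(code)
    print(mapping)
```

Note what this deliberately leaves alone: attribute names, imports and builtins, because renaming them changes what the program does. And the hex decode hides strings from grep, not from anyone who runs the code, which is the same “you have to give them to the enemy” limit the cyberwar post above describes.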

Using a Password Vault


(FTB stderr) – Marcus Ranum:

With passwords, there are two really important things to understand, which most people don’t remember in time:

  1. The biggest danger with passwords is using the same password in multiple places
  2. If you forget your password you can almost always recover it

The best way of dealing with 1) above is to not ever actually know any of your passwords. That’s the big secret benefit of using a password vault: you never know your password, so you’ve got zero chance of reusing it and if you’re not reusing it that prevents one of your accounts being broken from leading to all of your accounts being broken. …

stderr vault


Strong Encryption Makes us all Safer


(Guardian Comments) – Editorial:

There are many things the web giants could do to help combat terrorism, but weakening privacy protection is not one of them. …

theguardian 2017/mar/27 strong-encryption

Conspiracy Size


(FTB stderr) – Marcus Ranum:

I suspect that there is an optimal and a peak conspiracy size, beyond which it becomes nearly impossible to keep a secret.

That’s one of the reasons why I tend to disbelieve conspiracy theories that involve a lot of moving parts. I completely suck at math but if I recall how this is calculated, you take the probability that any individual will leak, and then the probability your secret remains secret is the combined probability that all the individuals don’t leak. The way I think of it (because I suck at math) is that you make a saving throw on your Leak Table every year and sooner or later you’re going to come up ’01’. …

stderr 2017/03/07 conspiracy

German Parties and Ministries Vulnerable To Hacking Attacks


(Spiegel) – Fabian Reinbold:

Politicians in Germany are warning about the threat of hacking attacks, but when it comes to their own data, many are too careless. Some German political parties are failing to take advice from the country’s information security authority seriously enough. …

spiegel 1137570

Signal Adds Video Calls


(Wired) – Andy Greenberg:

Signal’s creators at the non-profit Open Whisper Systems announced a beta version of the update that, in addition to video calling, adds the ability to answer calls from a locked screen, and what they promise will be better call quality. …

wired 2017/02 signal-enables

Encrypted Signal voice call in Android

Surveillance Self-Defense


(The Intercept) – Micah Lee:

Americans have handed the U.S. presidency to a racist, xenophobic, authoritarian, climate-science-denying, misogynistic, revenge-obsessed ego-maniac — and with it control over a vast and all-too-unaccountable intelligence apparatus; and in a speech less than three weeks ago, Trump promised to sue all of the women who have come forward with sexual assault accusations against him. …

Thanks to 16 years of relentless and illegal expansion of executive power under Presidents Bush and Obama, Trump is about to have more tools of surveillance at his disposal than any tyrant ever has. Those preparing for the long fight ahead must protect themselves, even if doing so can be technically complicated.

The best approach varies from situation to situation, but here are some first steps that activists and other concerned citizens should take. …

theintercept 2016/11/12 surveillance

Encrypted Signal voice call in Android

Keep Smartphones From Betraying Their Owners


(The Intercept) – Micah Lee:

In dangerous environments like war-torn Syria, smartphones become indispensable tools for journalists, human rights workers, and activists. But at the same time, they become especially potent tracking devices that can put users in mortal danger by leaking their location.

National Security Agency whistleblower Edward Snowden has been working with prominent hardware hacker Andrew “Bunnie” Huang to solve this problem. The pair are developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. They argue that a smartphone’s user interface can’t be relied on to tell you the truth about the state of its radios. …

theintercept 2016/07/21 research

iPhone 6 disassembly