Glitches and Cybergeddon

If you read the kinds of news feeds and websites I do, you can’t help but have come away with the breathless, panicky sense that the cyber world is collapsing in on itself as the result of what has been, so far, three unrelated technical glitches involving United Airlines, the New York Stock Exchange, and the Wall Street Journal.

While it may yet prove that some or all of these were attacks and that those attacks may have somehow been linked, it’s important to remember that nearly all of the rest of the unimaginable amalgam we call the internet is still working just fine. Attempts to label the glitches that have occurred miss the point that, even with the most widespread attacks that have so far occurred, most of the internet kept right on as it always had.

That’s not to say we shouldn’t all be vigilant, because we should, or that we should accept the explanations the various victims have put out that these aren’t attacks, because half the time they don’t even know they’ve been attacked until someone else points out they have, but rather to say that attacks on the internet are more like two armies trying to play capture the flag in a dismal swamp than cyber-themed nuclear holocaust.

It may yet turn out these were attacks, and the attacks may yet get worse, but more than likely, even if they do, it won’t be the end of things, and if it turns out to be, there will be no doubt it is.

DLH

The LastPass hack and the Internet security dark war

There are those who will see the latest LastPass hack as a vindication of their view that online password managers are a disaster waiting to happen. Frankly, despite some of the hyperbolic headlines, I believe the concept is still sound.

Here’s why:

First, it’s nearly impossible for any particular user to manage his internet presence without a password manager simply because reusing usernames and passwords becomes more inevitable if you’re generating them any other way than a manager, and reuse of easily remembered passwords is a far greater vulnerability. LastPass has a good reputation for fixing its mistakes and continuing to work hard to safeguard user data, so in the rub, a service like LastPass is still the way to go.

Second, the way LastPass protects the most important asset we entrust to them–usernames and passwords to other sites–is still fundamentally sound. Even if hackers manage to break the encryption on any individual set of user data, that likely does not give them access to everyone’s data.

Third, like most reputable web services, LastPass allows for additional safeguards like multifactor authentication to help further increase security. Using LastPass at the highest security setting is still the safest bet over the same username and password over and over.

Granted, the damage could still be more severe than LastPass currently knows, but my view right now is that it is not and the service is still safe. If it proves to be otherwise, we’ll have to dig into alternatives.

DLH

Stop CISPA

While most of us were focused on the unfolding events in Boston, the House of Representatives passed a bill whose language would allow government regulators and corporations to, among other things, collect data on your internet usage and determine what kind of content you can and cannot access on the internet. The bill, as currently contrived, is a broad assault on the Bill of Rights, attacking the 4th as well as the 1st, 9th, and 10th amendments. The internet should be free because, without that freedom, the innovation, exchange of information, and entrepreneurship that have defined the last two decades will come to a halt. If you are reading this post on Facebook, you have benefited from the free internet. Contact your Senators today and demand they vote against CISPA.

https://www.eff.org/deeplinks/2013/04/us-house-representatives-shamefully-passes-cispa-internet-freedom-advocates

http://www.senate.gov/reference/common/faq/How_to_contact_senators.htm

Stop SOPA/PIPA

Tomorrow, Worldview and the rest of my active websites will be blacked out from 8 a.m. to 8 p.m. in protest against the Stop Online Piracy Act/Protect Intellectual Property Act wending their way through Congress right now. These are bad bills conceived for bad reasons intended for bad purposes and they should not have ever been put forward let alone have the chance to go into law.

These pieces of legislation also represent part of ongoing actions on the part of our government, both the executive and Congress, to encroach on the liberties of individual citizens for reasons that have nothing to do with making those citizens’ lives better. Examples include the latest iterations of the Patriot Act, the surveillance of social media by the Department of Homeland Security, a provision in the Defense Authorization Act that allows for the indefinite detention of US citizens suspected of terrorism links, and the individual mandate provisions of the health care law.

Unless we the people–which people the government is supposed to be of, by, and for–stand up against such abuses, we have no hope of securing our liberty for ourselves or for future generations. We must act now or lose more. You can start by speaking out against SOPA/PIPA by contacting your representatives using the form from the menu on the right. Then you can go further by carefully considering how you vote in 2012. Finally, you can realize that the next election begins the moment the last one ends and become involved in the entire political process.

Act now or lose more.

DLH

Some thoughts on the Sony hack

More than any other thing, what surprises me about the Sony hack is how unprepared anyone seemed to be for something like this to happen. To me, it seems like it was almost inevitable, yet Sony has taken down its network for days and does not seem to have any remedy for the problems that happened in the first place. Meanwhile, users whose information has been compromised seem to be as paralyzed as Sony itself.

Beneath all of this lies a simple fact: individual user data has value to criminals and, because of that value, is going to be pursued with diligence by criminals capable of exploiting it. Companies offering online services, especially ones that involve financial or private, personally identifiable information, must commit themselves to making the protection of that information their highest priority, even ahead of profit. Unless companies make security their priority, they won’t have to worry about profit.

Consumers, on the other hand, cannot simply sit back and expect companies to protect their information. Every individual who has that kind of information online must assume that it is going to be stolen and must do due diligence in protecting themselves from theft. If the consumers do not, then the damage done by such theft is as much their responsibility as it is the companies whose systems are compromised.

Finally, consumers, companies, credit providers, and banks alike must all work toward establishing more sophisticated ways of securing individual data. Simple firewall and encryption methods no longer suffice and need to be replaced with methods that more closely tie online data to its owners.

For the time being, there are simple steps anyone can take to ensure they are protecting themselves:

  • Only use credit cards or proxy money services (like PayPal) online. Never, ever use your debit card (I know this from firsthand experience), and monitor your bank accounts regularly for unfamiliar transactions.
  • Monitor credit card accounts for unfamiliar transactions and dispute such transactions through the credit card’s fraud protection service as soon as they appear.
  • Monitor your credit using the free credit report service required under federal law. Be familiar with your outstanding credit and be vigilant for new credit lines you did not open.
  • If you know your identity has been compromised, consider using a credit monitoring service and consider freezing your credit.

DLH

Once upon a time

A few years ago, I vigorously defended the power of the government to use warrantless searches as an intelligence gathering tool against foreign nationals and their collaborators living on American soil who our intelligence agencies believed were enemy agents. I defended that action based on precedent (e.g.: forms of warrantless searches for intelligence purposes have been conducted since the Lincoln administration) and the fundamental lack of better tools (e.g.: federal laws do not adequately provide for domestic intelligence gathering methods). I stand by that defense, yet I also stand by my observation that it was only necessary because there were not better tools.

These years later, our intelligence agencies still do not have the better tools they need, and the government has taken even more obtrusive steps in its efforts to secure intelligence through ever-looser definitions of the laws that govern what it can and cannot do.

At the risk of taking a black eye from my opponents in the warrantless searches debate, I must now say that the government has proven incapable of using the powers it possesses by precedent and function in keeping with the ideals of federal republicanism, the guarantees of the Bill of Rights, and fundamental individual liberty. While I still believe that the warrantless search tool was one the government had the right to use in the proper time and place, I also now believe that the time has come for the people and the government to specifically spell out the type and scope of powers the government has to use for domestic intelligence gathering and to define a meaningful process for due process and appeal against intelligence gathered on US soil.

At the heart of this–partial–reversal in thinking is the following evidence:

“The FBI is building a database with the names and certain personal information, such as employment history, of thousands of U.S. citizens and residents whom a local police officer or a fellow citizen believed to be acting suspiciously. It is accessible to an increasing number of local law enforcement and military criminal investigators, increasing concerns that it could somehow end up in the public domain.”

If suspicion is the only threshold for placing anyone, especially citizens, under surveillance, then the system is broken. Suspicion is not probable cause, nor will it ever be, even in the shadowy world of intelligence gathering. This new threshold represents a fundamental change in thinking on the part of the government, and because it has proven itself so prone to abuse, it also represents a fundamental threat to liberty.

If we are going to bother to call ourselves a nation, we must accept that our government needs tools to act in our national interests, and effective intelligence gathering is one of those tools. Yet, we can now see that the government cannot be trusted to use loosely defined tools responsibly, so the time has come to create limits so that the liberty of the people can be preserved from government abuse.

DLH

I sense a revolution coming, and a lot of you aren’t going to like it

As some of you may have gathered, I do a lot of reading, especially about history, politics, and current events. Over the past few months, I’ve noticed a new theme starting to grow, first in comments, then in mainstream articles wherein the writers have begun to question the salaries earned by public sector employees at the taxpayers’ expense.

I am not commenting on whether or not public sector employees make too much, not enough, or whether what they do is of benefit to the people paying for it. Instead, I am considering what may be the first casualty of the coming taxpayer revolution against bloated government: public sector pay.

Let’s face it. Most taxpayers have no idea what most public sector employees do for a living outside vague notions of the jobs people like teachers, police officers, or firefighters have. Even with jobs the taxpayers think they understand, I suspect most taxpayers think people doing those jobs get paid too much, take advantage of the system, and (perhaps worst of all) could not get jobs elsewhere.

Having been a public sector employee at one time, I can see how the taxpayers might get that impression, which is why I think it is so easy for the taxpayers, angry at the situation we find our nation in but yet unwilling to realize the solution means they will have to make sacrifices, to think that part of the solution is to pay public sector employees less.

Unfortunately, if history is any indication of future trends, the employees who will be targeted by this anger will be the ones who least deserve it. The taxpayers will target local public sector employees–teachers, police officers, firefighters, etc.–who they depend on the most while ignoring the excesses carried out by the actual guilty parties–elected officials and career bureaucrats.

I think if history does repeat itself, the problem this time will be that many public sector employees will just quit. It will be impossible for the taxpayers to demand that, say, teachers begin their careers at 22 with master’s degrees, engage in constant professional development, put up with the taxpayers’ undisciplined and incapable children, and deal with the never-ending onslaught of government regulations for laborers’ wages. Take your pick of public sector employees, and you will find similar ridiculous notions.

I am not saying that there are not public sector employees–even teachers, police officers, and fire fighters–who do not get paid more than they should, take advantage of the system, and could not get jobs elsewhere. I am saying that the tendency is for the taxpayers to pick on the public sector employees they rely on the most because they are the most visible and the most accessible.

If we look at the history of such reactions, what we discover is that the governments enduring them and the people making them often fare badly. In the worst cases, the governments collapsed or the nations thrust themselves into civil war. In the best cases, nations endured long periods of malaise.

As a nation, we need to tackle the problems before us, and I understand that even public sector pay needs to be reformed if we are going to find our way out of the mess we’re in. I also understand that making irrational decisions based on anger rarely produces positive outcomes. Consider your demands carefully, because they will have consequences if they become reality.

DLH

Julian Assange: The new kingmaker?

The rise of Julian Assange and WikiLeaks represents the rise of the non-state actor as a significant force on the world stage. While historically such actors were terrorist groups, Assange and his website represent a new entry: that of the information broker.

It seems to me that, given his albeit rather tepid success so far, it is almost inevitable that he will eventually stumble upon the kind of information he is looking for: information capable of toppling powerful people or governments.

The question that remains is “then what?”

I know there are people who think that what Assange and WikiLeaks are doing is good because it somehow holds governments accountable for their actions. I find that most people who think that way rarely consider the consequences of their actions.

The consequences of Assange’s actions have the potential to be world changing, but not in a good way. What will the consequences of power vacuums be? What will the consequences of more strained international relations be? What will the consequences of reducing the most powerful nation on the planet’s ability to act be?

More than likely, Assange and his supporters will be responsible for more hardship, violence, war, and death than the people, nations, and governments they seek to discredit. They will achieve this dubious distinction by creating an international climate of distrust, suspicion, and aggression through the selective release of information designed to have those effects. And, when they succeed, far too few people will make the connection.

We have entered a dangerous time, and non-state actors represent part of that danger. The question remains as to whether the United States and the world are capable of meeting the threat and dealing with it.

DLH