Tag Archives: security

What really causes cyber outages?

WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of “cyberwar” against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations’ fabric have been foretold repeatedly over the past two decades, and each round has become more dire. The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US “faces imminent danger from a cyber attack.”

So far, however, the damage done by cyber attacks, both real (Stuxnet’s destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian “attack” on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels.

Source: Who’s winning the cyber war? The squirrels, of course | Ars Technica

The ultimate fuzz testers.

If you take credit cards, you don’t just sell hammers

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”

via Ex-Employees Say Home Depot Left Data Vulnerable – NYTimes.com.

This NY Times piece on Home Depot’s giant data breach pairs pretty well with the recent opening of a Planet Money episode on data security: Episode 568: Snoops, Hackers And Tin Foil Hats:

“One thing we’ve learned is the hackers always win. If what you do is have a lot of really valuable information in one place, and you try to secure it, you are going to lose.”

– Moxie Marlinspike, TextSecure

Things we sometimes forget

Last night I was reading through the CiviCRM documentation, which is actually incredibly well written for tech docs. I came across the following, which stopped me in my tracks.

Data storage jurisdiction

As mentioned before, CiviCRM can be run from the server or from the cloud. When working with issues around human rights, or if an organisation is gathering sensitive information about a country’s government or its officials, it is quite important to know where your data is stored. This is especially important when data is stored “in the cloud”, when it’s not obvious where the data is physically stored. Not getting into details, it might be good to have detailed information about where the servers are physically located, and which country’s jurisdiction is used in case of governmental requests for information.

Other security concerns

It should be remembered that many successful attempts at unauthorised access don’t have too much to do with IT systems security. It’s often social engineering, physical access to server and client machines, or using violence against people who have authorised access to data that are responsible for break-ins. Therefore, making sure that data is secure also requires extensive, ongoing training of system users and making sure that they are familiar with all the necessary precautions.

Right. This software is getting used by organizations in countries where governments are actively trying to get this data to stomp out political unrest. While I’d still have to worry about security for my deployments, I don’t have to worry about the worst of this. But for many people, in many parts of the world, this is a real and present danger.

That’s important not to forget.

You can’t fight fear with fear

A lot of people are upset about the TSA scanners, and I’m with them. It’s ridiculous how burdensome flying is becoming for no appreciable safety increase. The most dangerous part of flying is driving to the airport. We surely aren’t spending $8b to make that safer.

Unfortunately, a big part of the rallying cry is around “be afraid of the x-rays”. I was surprised how many of my tech friends got wrapped up in this one, even though the available data suggests otherwise. The FDA has a pretty thorough write-up about the process and testing for the scanners. I do get that people, in general, aren’t interested in facts, but I was hoping that in a more educated and technical audience that wouldn’t be as true. Running around saying “be afraid of x-rays” is the same kind of scaremongering the TSA is using to put all these ridiculous enhanced security measures in place.

Fighting fear with fear just generates hysteria and stampedes, and drowns out all the rational conversation, the one that shows just how ineffective and invasive these scanners are.

It’s time to rethink the TSA

I think Seth Godin gets to the heart of things around the TSA and the new scanners:

Smart marketers know how to pivot. I think it’s time to do that. Start marketing the idea that flying is safe, like driving, but it’s not perfect, like driving. If someone is crazy enough to hurt themselves or spend their life in jail, we’re not going to stop them, and even if we did, they’d just cause havoc somewhere else. So instead of spending billions of dollars a year in time and money pretending, let’s just get back to work.

The current model doesn’t scale.

The TSA scanners suck, but not because of the radiation

I’m anti-TSA backscatter scanner, but it’s not because of the radiation, which is actually quite small. Coming in at a measure of 0.005 mrem, it’s about 1/2 of what you get by eating a banana. If you live in a brick house you are getting at least 20x that radiation level every day.

I’m anti-backscatter scanner because I think it’s a 4th Amendment violation, and that it’s an incredibly expensive waste of money. That money could be better spent on kitchen safety, as kitchen appliances kill more people a year than terrorists do.

HTTPS Everywhere: interesting idea, terrible implementation

Last night I finally figured out why Amazon wouldn’t let me view inside books: it was because I still had HTTPS Everywhere enabled for Amazon. It’s a neat idea to force your web session secure for sites that support it but don’t make it easy. Good in theory… in practice not so much.

When I finally figured out that it attempted to work with Amazon, I noticed that I had disabled all the sites I actually use in the tool. Twitter is ridiculously slow under HTTPS, like 1 minute to load a page slow. Google Images aren’t searchable under HTTPS, so you don’t see it on the sidebar as an option. Some of the Facebook JavaScript wasn’t fetchable over HTTPS. Wikipedia inbound search from Google doesn’t work if it’s enabled.

It makes me wonder what part of the internet is used by the folks writing this addon, because it doesn’t seem to be the same part that I’m using.