Schneier on Security: Last 100 Comments

Recent Comments


January 18, 2019 3:38 AM

Cassandra on Prices for Zero-Day Exploits Are Rising:

@Clive Robinson
...I don't feel like we have mined out even a small fraction of the "low hanging fruit" vulnerabilities just yet, just those in one or three silos our existing tools cover.

I can see it's being so cheerful as keeps you going, Clive.

Needless to say, I share your sunny optimism. Even when flaws are publicly known, the problem still arises of assuring that all the Information Processing systems for which someone is responsible both have fixes, and have been updated. Exploits have a long half-life, and the problem of...

January 18, 2019 3:36 AM

Clive Robinson on Prices for Zero-Day Exploits Are Rising:

@ Phaete,

Ideally you would want to set up an international organisation who buys the zero days and then by law bills the company whose product it is.

Uh, no, that's known in some parts as the "sewerage solution".

Due to history from early Roman times the sewerage solution has been to ship the crap etc. as far out of mind as you can, and in the process everything gets mixed together. As environmental engineers will tell you this is really a bad idea: not only does it make filtration and clean up way, way harder than it should be, you are creating a...

January 18, 2019 12:24 AM

Phaete on Prices for Zero-Day Exploits Are Rising:

Ideally you would want to set up an international organisation who buys the zero days and then by law bills the company whose product it is.
Too bad the current world politics evolved as they did; no chance of the above.

January 17, 2019 8:51 PM

James on Prices for Zero-Day Exploits Are Rising:

Why is it any better for exploits to be sold to the US government than for those same exploits to be sold to other parties?

January 17, 2019 6:24 PM

Sancho_P on Prices for Zero-Day Exploits Are Rising:

@Clive Robinson re silos

As we know the driving force behind some of the silos is “nazzional security”, the NOBUS access.

January 17, 2019 6:23 PM

Sancho_P on Prices for Zero-Day Exploits Are Rising:

“… the U.S. Government could openly corner the world vulnerability market …” (Dan Geer)

Aren’t they doing that, only keeping them (the vuls) secret?

But:
“… he's right. There's no other way to solve this.” (@Bruce, my emph)

To be clear, this is a very bad idea, completely against capitalism.

January 17, 2019 5:34 PM

Clive Robinson on Prices for Zero-Day Exploits Are Rising:

I look at this,

    The steeper prices indicate not only that the demand for these exploits continues to grow, but also that reliably compromising these targets is becoming increasingly hard.

The first part, "demand" alone, could be indicative of a growing number of purchasers; thus the old "supply and demand" argument says the price goes up.

But the second part, of "reliably compromising" I think may be a little suspect as an argument without further amplification.

A compromise requires some form of vulnerability be it "Man or Machine". These days...

January 17, 2019 5:02 PM

Tony on Prices for Zero-Day Exploits Are Rising:

@twka90: "I am sure Apples and Googles of the world can figure out internal processes to distinguish genuine bugs from "I am writing me a new minivan" plants."

Really. Go look at the "goto fail" SSL bug from around five years ago. Was that deliberate? Or just an unfortunate result of some cut & paste programming?

January 17, 2019 3:27 PM

65535 on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ JustBlowSnow

“…the competition are crushed if they are crowding the market or not playing ball i.e. must be made an example of. Hence the large profile busts to "protect the public" from time to time, which I guess El Chapo falls into.” – JustBlowSnow

That could be true.

I have heard stories about the CIA’s blunt but effective means [not necessarily above board or legal means]. I can’t prove those stories or refute them. It is “National Security” and top secret. I am not in the loop so to speak.

@ Clive Robinson

“…I read, claims that the judge is...

January 17, 2019 12:58 PM

twka90 on Prices for Zero-Day Exploits Are Rising:

The problem is that gobs of money are already thrown around by bad people. If we want to improve security, we do need to buy out the vulnerabilities and fix them. But we also need to align the incentives -- make the companies pay the market rate (or more) for the bugs. I am sure Apples and Googles of the world can figure out internal processes to distinguish genuine bugs from "I am writing me a new minivan" plants.

January 17, 2019 10:58 AM

me on Prices for Zero-Day Exploits Are Rising:

Given how much they are paid, I'm sure that insiders will start to add bugs to sell them later...

If you find a bug you should report it; you might get less money but at least you can sleep well.
They don't pay you that much because you are a pro hacker but because they want you to ignore your moral compass.

January 17, 2019 10:39 AM

Impossibly Stupid on Prices for Zero-Day Exploits Are Rising:

I agree that it shouldn't be the government who pays for trillion dollar companies to continue to do a poor job. Worse, the whole scheme seems to revolve around the idea that there is infinite money to pay for these exploits because a) creating an artificial market at 10x (or whatever) an arbitrary baseline will only serve to quickly and repeatedly jack up that price, and b) there is no limit on the number of exploits that will be discovered.

I remember an old Dilbert where the boss was going to start paying a bug bounty, and a software engineer said something to the effect of...

January 17, 2019 10:14 AM

twka90 on Prices for Zero-Day Exploits Are Rising:

Maybe, in addition to being the highest bidder, the US should also turn around and bill the companies for the vulnerabilities? (So that security is not an externality anymore.)

January 17, 2019 9:47 AM

Humma humma on Prices for Zero-Day Exploits Are Rising:

@bernie

Exactly. The problem with this solution is that there is no such thing as objectively safe code. All software bugs are man-made, and if someone provides an incentive to make bugs, someone will make bugs. So in the long run all code will be government funded, one way or the other.

January 17, 2019 9:07 AM

Bernie Sanders on Prices for Zero-Day Exploits Are Rising:

What you're recommending Mr. Schneier is that the United States taxpayer pick up the tab when large multinational companies like Microsoft fail to invest the necessary resources to perform the due diligence to prevent buggy code. Just as in 2008 when the banks knowingly failed to check the integrity of the loans which they handed out like candy to anyone with a pulse. And guess who bailed them out while the execs walked away with their bonuses?

Companies should be held accountable for their screw-ups, just like the banks.

It's disappointing that you would position...

January 17, 2019 9:04 AM

Awwww on Prices for Zero-Day Exploits Are Rising:

Why would I trust Zerodium for anything other than making sure my exploit is used?

E.g., why should they give me the promised amount and make sure there is no US-based trap (fine, jail, ...)?

Once they have cornered me, I am game over.

January 17, 2019 8:56 AM

required on Prices for Zero-Day Exploits Are Rising:

Do not waste your time for decrypting WhatsApp messages. Just go inside of cell phones by Telegram app, Yahoo Mail app and etc. then go inside of WhatsApp to read all messages.

January 17, 2019 8:47 AM

Bong-Smoking Primitive Monkey-Brained Spook on Prices for Zero-Day Exploits Are Rising:

Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications:

Goddammit! Now you tell me, after I put all my investments in crypto-currency crap? Geeez, I could have bought a couple of zero-days and retired!

When will they list zero-days on the stock exchange so I can keep track of it?

January 17, 2019 7:10 AM

Paul on Prices for Zero-Day Exploits Are Rising:

And wouldn't it be wonderful for the world if China were the one to do that rather than the USA? Trump's reaction would be even more amusing than usual to behold!

January 17, 2019 6:53 AM

Clive Robinson on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ JustBlowSnow,

The "War on Drugs" always was, and always will remain strictly a propaganda exercise.

Yup, because it's a very lucrative market with very, very high profit margins and no taxes or traceability of funds...

What's not to love from the capitalist viewpoint...

But as a quite famous economist put it, the current method was not working and was in effect a massive sinkhole of resources, thus unsustainable in an economic sense. He went on to point out the only two ways of dealing with it were the Chinese way or the Indian way. In...

January 17, 2019 6:42 AM

efk on El Chapo's Encryption Defeated by Turning His IT Consultant:

Do people still have the illusion that any data on electronic devices will be 'secure'? Wouldn't it be better to completely move away from devices that can be hacked at any time? How many possibilities are there for secret services to hack devices? The official story, that e.g. Apple devices are secure, is imo complete rubbish; if a service wants a device to be opened up, they can do it immediately. Maybe the FBI (officially) doesn't get access to these fancy technologies like baseband hacks, but in case of emergency they would just call the NSA, and they could do the job.

January 17, 2019 5:16 AM

Clive Robinson on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ 65535,

A different picture is beginning to emerge and it looks like a tug of war between who was paying off who.

An earlier story I read, claims that the judge is keeping a great deal out of court thus out of the public eye. Such as bribed politicians on both sides of the border. Apparently on the South side of the border all the way up to the highest circles of Government and Telecommunications and Media...

January 17, 2019 4:37 AM

JustBlowSnow on El Chapo's Encryption Defeated by Turning His IT Consultant:

@65535

US federal agencies like the DEA are falsely claiming to fight a war on drugs, since gangster sister agencies like the CIA have been trafficking since at least the mid 20th century to further their aims e.g. cash for black ops, arming paramilitaries, etc.

No doubt the competition are crushed if they are crowding the market or not playing ball i.e. must be made an example of. Hence the large profile busts to "protect the public" from time to time, which I guess El Chapo falls into.

Consider the CIA's virtually assured involvement in:

- moving smack in...

January 17, 2019 12:43 AM

Clive Robinson on Alex Stamos on Content Moderation and Security:

@ RealFakeNews,

Google refuses absolutely to censor results in Russia is two-fold

Whilst the second is an internal choice for Google and their owners there could be a lot more behind the first.

If you remember, back some time ago Google were trying to set up in China and ran into all sorts of problems, which included, from what leaked out, some of the locally employed staff not acting in their employer's interests... Also there was the issue with the Dalai Lama and others from Tibet having their electronic mail plundered. We now have reason to think it...

January 16, 2019 11:45 PM

65535 on El Chapo's Encryption Defeated by Turning His IT Consultant:

A different picture is beginning to emerge and it looks like a tug of war between who was paying off who. In fact, if El Chapo’s son is telling the truth it is a dirty picture.

El Chapo’s son’s lawyer[s]:

“In essence,” his lawyers wrote in a 2011 pretrial motion, “the United States government entered into a conspiracy with one of the largest drug cartels in the world.” – NYT

Other odd points:

“…federal agents plucked him [El Chapo’s son] from his jail cell in Chicago late one night in 2012. From there, he said, he was taken to an office and handed a phone. His...

January 16, 2019 11:08 PM

RealFakeNews on Alex Stamos on Content Moderation and Security:

The reason Google refuses absolutely to censor results in Russia is two-fold:

1) It assists the foreign policy goals of the USA/West in destabilization of Russia

2) It makes Google appear not to censor in the USA/Western societies, which they absolutely do at the direction of various Governments.

The problem with propaganda is realizing that you're the subject of it.

January 16, 2019 10:17 PM

Tom on El Chapo's Encryption Defeated by Turning His IT Consultant:

"he can be a paranoid micro manager one moment and an expansive friend to all at another moment. Which suggests that he might be on somebody's scale of non-neuro-typical behaviour."

Could describe a guy on drugs.

Clearly not Clive Robinson.

January 16, 2019 8:28 PM

JG4 on Friday Squid Blogging: New Giant Squid Video:


Thanks for the ever-helpful discussion. The entire situation can be derived from first principles. I prefer to work with the a priori assumption that I own myself and my effects, including my brain and its output. They prefer to work with the a priori assumption of guaranteed profits.

[www.nakedcapitalism.com]
...

Big Brother is Watching You Watch

Teachers are scanning students’ brains to check they are concentrating New Scientist (Dr....

January 16, 2019 7:47 PM

required on El Chapo's Encryption Defeated by Turning His IT Consultant:

"he can be a paranoid micro manager one moment and an expansive friend to all at another moment. Which suggests that he might be on somebody's scale of non-neuro-typical behaviour."

Are you describing him or yourself?

January 16, 2019 6:30 PM

madmike on Why Internet Security Is So Bad:

@Anon Y. Mouse

"If we have the means to do secure vehicle-to-vehicle communication, then
we could use those same means to secure the Internet. And if we can't
secure the Internet (and so far, we can't), then what makes anybody think
we can secure V2V communications in self-driving cars?"

I think networked self driving cars are a safety and liability nightmare just waiting to happen but we'll rush full steam ahead for the sake of convenience.

Sounds like an assassination vector. Just hack some dignitary's car and run it off a cliff.

January 16, 2019 6:29 PM

VinnyG on Friday Squid Blogging: New Giant Squid Video:

@Clive Robinson re: biometrics, DNA & legal compulsion - Unfortunately, at the rate at which two-legged sheep are submitting family relationship data to for-profit organisations that knit the data provided into larger swatches of fabric (e.g., ancestry.com) and sell the results to anyone with sufficient ducats, it may not matter for much longer whether or not the individual can be compelled to furnish a personal sample. In just the past week, I have read of two cases where a suspect was arrested due to correlated family data and DNA provided by (or harvested from) a relative.

January 16, 2019 6:00 PM

Jon (fD) on Using a Fake Hand to Defeat Hand-Vein Biometrics:

@ Clive Robinson

"Thus everybody else on earth must, if they are likewise standing there, have their zenith beneath your plane. Thus,

From your POV everyone is beneath you ;-)"

I've stood in my backyard and watched the ISS (International Space Station) fly over. They were not beneath me.

Although you may have a point that the astronauts were not 'on earth' at the time.

J.

January 16, 2019 4:35 PM

chris on El Chapo's Encryption Defeated by Turning His IT Consultant:

@An:

The "IT Guy" was caught in a sting operation by the FBI in 2010 and flipped. Apparently, he feared US federal prison more than El Chapo which seems misplaced. One thing I'll be sure to do if I'm ever a crime kingpin is to pay my IT staff enough to keep them exclusive to my organization -- the FBI ensnared this guy in a sting operation by posing as Russian mobsters looking for a similar system.

January 16, 2019 4:32 PM

65535 on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ An

“…I get the feeling there's a lot more to this story than we've been told?”-An

I agree.

Chris’ post on the Friday squid thread includes an NYT paragraph indicating his main IT guy felt that his life was in danger and would naturally seek protection from the DEA or FBI.

“…All this came crashing down in 2012 when Mr. [Cristian or Christian] Rodriguez intercepted a phone call between two of Jorge Cifuentes’s siblings in which he heard them saying they had figured out that El Chapo’s tech guy was working with the Americans. After fleeing to the United...

January 16, 2019 4:05 PM

RGL on Friday Squid Blogging: New Giant Squid Video:

Summary:
Walgreens Pharmacy welcomes business partners Microsoft and Google to knock down HIPAA medical privacy walls and rules. The key concept is that big-data health care business partners are no longer classified as third-party advertisers.

Business Insider
Walgreens pharmacy has partnered with health plans like UnitedHealth Group and Humana, the laboratory testing company LabCorp, the grocery store Kroger. Walgreens reached another such deal with Microsoft. In December, it partnered with Alphabet's life-sciences arm, Verily.

A Tall Tale
Walgreens new...

January 16, 2019 3:50 PM

Gerard van Vooren on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ Clive Robinson,

About that Dutch wiretap. They have a history and it originates back to the friendly state of Israel. Well, a part of it. But I have to say that "today" they are in a shady business.

January 16, 2019 3:21 PM

Clive Robinson on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ Chris,

How do you know El Chapo was even aware that his servers had been moved?

I didn't, but other stories about him tend to suggest he can be a paranoid micro manager one moment and an expansive friend to all at another moment. Which suggests that he might be on somebody's scale of non-neuro-typical behaviour.

Thus I would assume that anything out of place would switch him from expansive to paranoid, unless he had been forewarned of changes.

But it also raises another issue. The likes of the FBI have legal powers that in effect can...

January 16, 2019 2:31 PM

Keith Moore on Congressional Report on the 2017 Equifax Data Breach:

Just skimmed this and I do like how it covers chronology, root cause(s), and technical remediation. However I am really left wondering what legislative value it has. I see no evidence of significant legislative action nor is there anything represented in the recommendations that seems to embolden government representatives to protect consumers, restrict or limit exposure (or better yet, increase the COST risk for these CRAs). The references to the FCRA and GLBA are mostly in retrospect and do not seem to deliver any significant legislative action to enforce the existing acts or protect...

January 16, 2019 2:28 PM

Iggy on Alex Stamos on Content Moderation and Security:

@MikeA, I heard about the study, out of the NYT - a bastion of scrupulous accuracy (remember this? [www.nytimes.com]), complete dedication to being fraud-free (Jayson Blair) and a leader in championing the defeat of racism (oh wait, but not against whites: Sarah Jeong). You'll forgive me if I pass on that study.

But for argument's sake, let's say it's true, that over-60-year-olds are more likely to forward/RT fake news than...

January 16, 2019 2:08 PM

chris on El Chapo's Encryption Defeated by Turning His IT Consultant:

@Clive Robinson: How do you know El Chapo was even aware that his servers had been moved? The "routine upgrade" cover story could have simply been an excuse for the outage caused by the move. Still, it just strengthens your point not to rely on one person for your IT/Comms security.

January 16, 2019 1:34 PM

Clive Robinson on El Chapo's Encryption Defeated by Turning His IT Consultant:

@ Gerard van Vooren,

If you need any translation, just ask.

How about the Dutch wiretap law that is allegedly very, very friendly to LEOs...

El Chapo should have realised there was something up by moving from North America to Europe.

I guess it pays to check with various people about your comms security, not just one guy... When you are an internationally wanted man such as a terrorist, drugs cartel leader or just a whistleblower...

January 16, 2019 1:27 PM

required on El Chapo's Encryption Defeated by Turning His IT Consultant:

Haha, IT guy moved servers to the Netherlands to let the FBI better listen to encrypted messages!
This means that Canada is helping bad guys in Canada?

Although, whoever steals money in millions or billions of dollars in other countries, they go to Canada, and I have heard that Canadian agencies protect them from extradition.

January 16, 2019 12:09 PM

Al on Alex Stamos on Content Moderation and Security:

Google declines to moderate search results for Russia.
[www.theinquirer.net]
"GOOGLE HAS SHRUGGED OFF requests from Russia's Roskomnadzor to censor its search engine in accordance with local laws ... A law passed in the country last year requires search engines to be connected to the federal state information system (FGIS) that allows the Kremlin to...

January 16, 2019 10:42 AM

Impossibly Stupid on Alex Stamos on Content Moderation and Security:

@jones

Nothing corporations control is under democratic control: that's the existential threat posed by the privatization of public services. At work, you don't get to vote on who your boss is, or what the dress code is, or what your hourly rate is, etc.

Rubbish. If you don't like a work environment, you are free to simply leave, or to never take the job in the first place, or not follow the rules you think are silly. Under the control of a government, though, democratic or otherwise, those rules are called laws, and there can be pretty serious...

January 16, 2019 10:36 AM

TRX on Why Internet Security Is So Bad:

> And why are most work environments provided with wifi?

And why do even cheap USB inkjet printers have wifi enabled by default, and "strongly suggest" you let them upload every print job or scan to someone's "cloud"? And why do they need a built-in web server that can't be turned off?

Lots of people worry about malware and routers and hackers, but other than cursing at the price of cartridges, printers are never on their radar...

January 16, 2019 10:20 AM

MikeA on Alex Stamos on Content Moderation and Security:

@Iggy I'm not so sure raising the age will help. Wasn't there a recent study that found over-60s (present company excepted, of course :-) are the most likely to forward/re-tweet/upvote/whatever fake news?

Maybe it will be like driving; over some age limit and involved with more than some arbitrary count of violations, and "It's the bus for you, Gramps"

Hm, being past the probable age limit and a bit of a jerk on UseNet back in the day, I might not want TPTB to hear that...

January 16, 2019 9:36 AM

Undisclosed on Machine Learning to Detect Software Vulnerabilities:

As a developer I can talk about bugs and security. Those are the product of two things which are not related to programming.

First is that writing good quality code requires experience, hard work and knowledge to acquire. Companies want to pay as little as possible and will tend to use cheaper developers, without the required experience. You get crap as a result because you're not willing to pay the best developers properly, and they go to work for more intelligent people that will pay good money for good security (banks especially). To give you an idea, a Java dev in France is paid...

January 16, 2019 9:34 AM

Iggy on Alex Stamos on Content Moderation and Security:

Raise the minimum age limit in all the TOS from 13 to 18, the age of majority in the US, and watch a lot of the demand for moderation fall away. Of course, cheating will continue, but most parents will enforce it. Mature adults know to ignore or discount spurious and outlandish comments scrawled on the internet fence. Children are easily manipulated by ads and graffiti. Sadly, we have far too many humans with rights and responsibilities stuck in a persistent state of neoteny, and they rival sub-adults in refusing to learn and use critical thinking.

And:

Hippo Birdie Two...

January 16, 2019 5:28 AM

Trung Doan on Why Internet Security Is So Bad:

Might part of a solution be "Name & shame"? Say, an online list of makes and models with known problems. Before buying, buyers consult it.

January 16, 2019 3:34 AM

wowow on Why Internet Security Is So Bad:

Another very significant reason why Internet Security would benefit from a reduction of sociopathology and so-called "copycats" of sociopaths and psychopaths and narcissists and bullies and high-octane competitors or relentless warriors, etcetera...

[www.businessinsider.com]

Please read the previous data of that aforementioned webpage.
Sincerely,

wowow

January 16, 2019 3:11 AM

wowow on Why Internet Security Is So Bad:

“Deepfake porn,” which involves using artificial intelligence software to swap faces in pornographic videos, is quickly emerging as a troubling new method of sexual exploitation. Motherboard has reported extensively on the growth of this worrying phenomenon, by which celebrities, exes, or classmates can be made to look like they’ve participated in porn.

Notice severe hash collision: "EXEs"

still workin' on support

bonus: linguistics and phonemics of those without teeth (or any other biological part).
bonus: linguistics of those who...

January 16, 2019 1:01 AM

tiger_spots on Why Internet Security Is So Bad:

I think that readers of this blog probably have only the vaguest notion of how security illiterate many internet users are, and even very computer savvy people may not know how much even their deliberately publicised info can affect security.

As a freelancer, I've occasionally taken temp jobs. One of these revealed that the company intranet for the call centre of a major international brand looked much like a "worst web design faux pas of the dialup era" just two years ago, flashing gifs and all. I can't imagine what the security was like in this third party call center, with...

January 15, 2019 8:36 PM

Lord Talksalot on Alex Stamos on Content Moderation and Security:

"Proving not only can a turd be polished, it can also polish itself when it suits..."

Kind of like your assertions about the bitcoin theft motive, what with attribution being "so very difficult" and all.

Phoning it in.

January 15, 2019 6:23 PM

jones on Alex Stamos on Content Moderation and Security:

I'm more concerned that the elimination of net neutrality will create content liability, which will lead to widespread corporate censorship and legal abuse, as with the DMCA.

Nothing corporations control is under democratic control: that's the existential threat posed by the privatization of public services. At work, you don't get to vote on who your boss is, or what the dress code is, or what your hourly rate is, etc.

Net neutrality is "common carrier" status in telecommunications. "Common carrier" status is why an individual postal worker is not personally liable if he...

January 15, 2019 4:53 PM

Clive Robinson on Friday Squid Blogging: New Giant Squid Video:

"Reasons to be cheerful"

I suspect quite a few people, not just in Britain but in Europe and other parts of the world, have a wry smile on their face.

The UK Prime Minister had a historic crushing rejection of "her Brexit deal proposals". So much so there can be little or no doubt about what Parliament thought of her two and a half years of farting about.

[www.bbc.co.uk]

The important thing to note is that the looming deadline of March 29 might not be of relevance any...

January 15, 2019 4:12 PM

Al on Alex Stamos on Content Moderation and Security:

@MikeA

(1) Whatever the site was, was the first site that showed up to make my point. Here's a site with another aspect.
[en.wikipedia.org]
" The act was passed in part in reaction to the 1995 New York state court decision Stratton Oakmont, Inc. v. Prodigy Services Co.,[3] which suggested that service providers who assumed an editorial role with regard to customer content, thus became publishers, and legally...

January 15, 2019 3:45 PM

Clive Robinson on Why Internet Security Is So Bad:

@ HJohn,

Hope life is going well for you!

Well the medical profession as normal have decided I'm a contrary person... The latest is I now have AF with an ECG pulse rate of around 150-60 when sitting normally. It then goes up to around 180 when just slow walking. There is a little formula that says max heart rate equals 210 minus your age in years. As I'm older than our host, who is 55 today, you can see I have a "hit the end stop" problem... But there is the contrary side as well, which is occasionally my heart was beating about once every five seconds...

January 15, 2019 3:41 PM

Wael on Alex Stamos on Content Moderation and Security:

@Clive Robinson,

It would be so much easier if it was the rack mount server with a birthday rather than the owner/operator.

True! Skipping this one -- too difficult and dangerous.

Explanation of the exchange between Clive Robinson and I:

He replied to my:

I'm having a mental block!

by saying:

No wonder your bowling ball feels like it's stuffed with something less useful than a bucket of wet concrete ;-)

He is saying my skull (which I called a bowling ball...

January 15, 2019 3:41 PM

Ross Snider on Alex Stamos on Content Moderation and Security:

From my perspective, this has already happened.

Facebook has politically censored content I've posted numerous times (e.g. Snowden documents). Twitter and Facebook have recently given way to Congressional requirements to turn them into perception and content management systems for the US. Facebook even worked with the US military to study how to manipulate foreign elections. That - and the promise of these platforms to advertisers (including political advertisers) is that they will be able to "drive engagement with targeted demographic subgroups". Facebook was originally _funded_...

January 15, 2019 3:29 PM

Wael on Alex Stamos on Content Moderation and Security:

@Clive Robinson,

No wonder your bowling ball feels like it's stuffed with something less useful than a bucket of wet concrete ;-)

Then lend me your brain (and walk barefooted.) lol ;)

January 15, 2019 3:03 PM

Clive Robinson on Alex Stamos on Content Moderation and Security:

@ Wael,

Start the Security related lyrics. I'm having a mental block!

It would be so much easier if it was the rack mount server with a birthday rather than the owner/operator.

You could start with a simple,

    Happy bootday 2U

The problem with the song is that, in the way it's sung in the UK, it's just two lines,

1) Happy birthday to you.
2) Happy birthday dear Xxxx

Where Xxxx is the person's preferred social name. That said, the first line is sung twice before the second, then once after. So around two thirds (52:24) is...

January 15, 2019 2:25 PM

HJohn on Why Internet Security Is So Bad:

@Clive Robinson: Speaking of Children how are your "youngsters" I should think they must be getting on for their teens?
__________

Great memory, Clive! My identical twin daughters will be 10 in June.

Hope life is going well for you!

January 15, 2019 2:21 PM

bigmacbear on Alex Stamos on Content Moderation and Security:

@MikeA 1) LiveJournal started in Seattle, moved to San Francisco, and was then purchased by a Russian firm who were more or less competitive with VKontakte.

I left LJ when the Russian government stuck their nose in, required the servers be physically moved to Russia, and made them subject to Russian law instead of US by forcing agreement to a new TOS document.

January 15, 2019 1:38 PM

Wael on Friday Squid Blogging: New Giant Squid Video:

and the discerning reader will see the message beyond the humor cover.

Here is an example:

I was telling @Ratio where to find the thread. But I will not send it to him in clear text

You didn't think I'll give you clear text, did you?

Line-by-line explanation.

There once was a cephalopod named Alice

Talking about a squid. Probably a Squid post. There is someone named Alice in the post. Search space still too big -- need more search space reduction hints......

January 15, 2019 1:02 PM

MikeA on Alex Stamos on Content Moderation and Security:

@Al -- two things:

1) Is this the LiveJournal that is/was an early social network run by vkontakt?

2) How does "where did you copy it from" come in? Years of media sites blithely switching ad revenue from Indy bands playing their own compositions to shady "publishing companies" who claimed copyright violations should have made clear that copyright is right up there with "She's a witch!" from a neighboring landowner looking to expand. Plus there's the whole "Back date an article stolen from some news outlet, post on a newly created domain, and get the actual article taken...

January 15, 2019 12:57 PM

Weather on Friday Squid Blogging: New Giant Squid Video:

Clive
In Windows you can create a memory space and copy a DLL across, but you can also change the Tib and kernel32.DLL data strings, which will crash and pass control to the new alloc range.

You can set Gdt to segment code,stack,heap,os data in a program, doing this takes real memory address 82:7f80 to virtual address 0x00-7ff80 each virtual block can't access another without being ring 0.

You can use xmm 128 bit register to mem move,add,sub,mul,div between vblocks.

Windows made an API that ring 3 can access to do process injection; wouldn't be hard to remove, but...

January 15, 2019 12:50 PM

Wael on Friday Squid Blogging: New Giant Squid Video:

@Clive Robinson, @Thoth, @Vinny,

Right...

To which I have to ask "at what level"

Any! Specifications, Protocols, Architecture, Design, Implementation, Lifecycle management, OpSec, Hardware, Microcode, Virtualization layer, Kernel, Bootloaders, BIOS, UEFI, Firmware, Upper layer Software, Cloud, Services, APIs ... and of course the geniuses[1] that sit at layer 7 and above.

as I've pointed out before, perfect design can fail due to poor implementation, perfect implementation can fail due to a poor tool chain and...

January 15, 2019 12:45 PM

MikeA on Why Internet Security Is So Bad:

The argument in the (second) paper seems to be based on "so far, so good" and "mostly harmless", but I still see more than I'd like of "frog boiling" and "first they came for ... and there was nobody left to speak out for me".
By the time the Lizard People (or however you imagine powerful sociopaths) have gotten so cheeky that even self-described "normal people" (non-tech, 90+ percentile, or imagine themselves as such) notice, the boot will be millimeters from their own faces.

January 15, 2019 12:44 PM

Clive Robinson on Why Internet Security Is So Bad:

@ HJohn,

One problem with technology is so much of the use and decision making is being performed by people whose VCRs have been flashing "12:00" for two decades.

That's because they work silly hours, have no social life, don't have a partner, thus no kids to set the VCR for them...

Speaking of children, how are your "youngsters"? I should think they must be getting on for their teens?

January 15, 2019 12:39 PM

Clive Robinson on Why Internet Security Is So Bad:

@ Frank,

Shouldn't we see it coming already? Automated cars

The bottom line is nobody sees the car that runs them over as a threat until it's way too late to do anything to stop it...

Nearly all automobile accidents happen due to people not paying attention. Most usually the person being least observant is the one causing the accident, who is also the person who can most easily stop it progressing towards being an accident.

January 15, 2019 12:29 PM

Clive Robinson on Friday Squid Blogging: New Giant Squid Video:

@ VinnyG, MarkH,

I am skeptical that this ruling will hold up, but imo we should savor any privacy victories that we get in such proceedings...

Like you, I'm skeptical. My reason is that it is easy to see how this ruling could also be applied to DNA sample taking (it's just another biometric, etc.).

And that's a place both Federal and State investigators really do not want things to go...

January 15, 2019 12:21 PM

Clive Robinson on Friday Squid Blogging: New Giant Squid Video:

@ Wael, Thoth, VinnyG,

My challenge is: show me a solution that's bug-free.

To which I have to ask "at what level"; as I've pointed out before, perfect design can fail due to poor implementation, perfect implementation can fail due to a poor tool chain, and so on down.

That is, the lower the level of the bug/attack, the less a developer can do to ensure the final result is "bug-free".

But with Rowhammer and similar hardware failings, whereby the contents of one process's memory space can be changed by another process, there is nothing the...

January 15, 2019 12:12 PM

Wael on Alex Stamos on Content Moderation and Security:

@Bruce,

Happy Birthday and congratulations on being fifty five years young.

Ditto!

@Clive Robinson,

Happy birthday to you
Happy ___ dear ____

Start the Security related lyrics. I'm having a mental block!

January 15, 2019 12:10 PM

Al on Alex Stamos on Content Moderation and Security:

"Could Moderating Your Website Invalidate Your “Safe Harbor”?"
[copyright.nova.edu]
Yep.

And I don't think it's just safe harbor for copyright infringement, but could include things like libel. In a way, fake news is all right, because, where did you copy it from? 😜

I think this area is going to lead to a balkanization of the internet. Under U.S. law, government doesn't regulate speech. Other countries want to regulate speech.

In recent news, it is old people who...

January 15, 2019 12:02 PM

Clive Robinson on Alex Stamos on Content Moderation and Security:

@ Bruce,

Your interpretation of,

that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off -- which would be more profitable for them and bad for society.

Is correct as far as it goes and not difficult to reason out.

However, I feel that "Alex Stamos" is aping the behaviour of a number of Federal directors of the likes of the DHS, who play the political game all through their tenure, then on leaving turn around and recant what they have done.

It...

January 15, 2019 11:46 AM

Clive Robinson on Why Internet Security Is So Bad:

@ VinnyG,

it occurred to me that perhaps we (wide scope) should be separating practical security measures into two domains

It would be a sensible starting point.

@ Albert,

Or are we?

I remember a time when the D in BYOD, stood for either "Drink" or "Drunkard", depending on who was inviting who and to what social event.

But insanity now says it's "Device" and it's not social but work... So the Boss and his boys get to put their iPlodephones or Handroid directly onto the core systems the company are reliant...

January 15, 2019 11:34 AM

HJohn on Why Internet Security Is So Bad:

One problem with technology is so much of the use and decision making is being performed by people whose VCRs have been flashing "12:00" for two decades.

January 15, 2019 11:34 AM

Wael on Friday Squid Blogging: New Giant Squid Video:

@VinnyG,

I'm aware of attempted backdoor creations at various levels. I'm not disregarding their existence, but want to elevate the discussion a notch beyond: look, a bug, I told you it's bad.

Tell me what incremental threats TEE, TZ, SGX, Secure Enclave, etc... (and I'm not saying they don't change the security posture of the system) add. Tell me how current solutions that people find convenient can be made more secure without using the above constructs. Also, these constraints are just one piece of a complex network of protection mechanisms against criminals. If you want to...

January 15, 2019 11:17 AM

Frank on Why Internet Security Is So Bad:

Shouldn't we see it coming already? Automated cars ... already hackable and ever will be. The more we will have on the street, the more interesting it will become for hackers. By chance, accident or intention... there will be blood!!! :-(

January 15, 2019 11:03 AM

Humma humma on Alex Stamos on Content Moderation and Security:

"In ways we never intended..."

Your honor, it is true that I took an ax and clove my husband's head in two, but I never intended to kill him! That was just an unfortunate and unforeseeable consequence. You can't convict me of murder on an inference.

January 15, 2019 10:54 AM

Patrik chartrand on Why Internet Security Is So Bad:

More and more, as I encounter negatively impacting events on the job (as an IoT Design Engineer and Full Stack), I realize that widespread education is the first form of protection.

Perhaps an initiation to Cyber Security should be taught in middle school.
More and more we see programming being taught to early age kids. In my opinion, this does raise the overall risk level.

Ok I am calling my congressman...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.