Re: Everything Is Broken

1

Come on, 50,000 machines? That's nothing.

There was a serious (like, show-stopper) bug that affected the backbone routers for the internet that was pretty well known that got fixed recently, after I think eight years. Somebody with a little bit of access could have easily used it to take down the internet. Everything is always already broken, and actually securing a computer that's connected to the internet is essentially impossible, and this has been the case since at least the beginning of the (modern) internet. I always forget that not everybody knows this.


Posted by: Sifu Tweety | 05-29-14 6:04 AM
2

1 is a pretty good summary of the linked piece ogged hasn't finished.


Posted by: fake accent | 05-29-14 6:41 AM
3

You know what else is broken on the internets? Twitter. I mean wtf was wrong with it that they had to mess it up like that? It's now very inconvenient to view conversations and they took away the feature that indicated how many new tweets there were. They actually took away useful features and added...Big ass type that fills up my computer screen (and that other people can read halfway across the room). Yes I use the web version as I don't have an account myself and probably won't get one. And I may stop following a lot of people I've enjoyed reading on account of what a pain in the ass it is.


Posted by: Barry Freed | 05-29-14 6:52 AM
4

The long-form article, I guess because of the conventions of such things, had to end on a positive note. Translated from the original, it is "If there is hope, it lies in the proles."

This is wrong. If there is hope, it lies in those drunken security experts she writes about earlier in the piece.


Posted by: DaveLMA | 05-29-14 8:24 AM
5

There is not actually hope.


Posted by: Sifu Tweety | 05-29-14 8:28 AM
6

Hope has been hacked since forever. I once accidentally gained control of 50,000 people's hopes but quickly dropped it before they noticed.


Posted by: fake accent | 05-29-14 9:17 AM
7

actually securing a computer that's connected to the internet is essentially impossible

I don't think I understand what this means.


Posted by: urple | 05-29-14 10:06 AM
8

I mean, does it mean that a smart person shouldn't use internet banking? Shouldn't buy anything online? Or just that, you know, if the NSA really wants to hack into your home computer, they can, and there's basically nothing you can do about it?


Posted by: urple | 05-29-14 10:10 AM
9

7: if you have a computer that is connected to the internet there are some number n of people who are capable of doing the following from a remote location: reading the contents of every file, the contents of memory, impersonating any user, installing a keylogger, taking screenshots, taking pictures of you with your webcam if you have a webcam, and rendering the computer temporarily or (essentially) permanently unusable. In the vast majority of cases -- but not 100% -- this can be done without any particular risk of detection. This goes not just for home computers but for any server as well. If the computer is not connected to the internet the task is much harder but not, as a general rule, impossible.


Posted by: Sifu Tweety | 05-29-14 10:11 AM
10

You have my permission to use internet banking.


Posted by: Moby Hick | 05-29-14 10:12 AM
11

8: not using internet banking certainly does not mean that your account information is not stored on insecure computer systems. Not buying anything online certainly does not mean that your credit card information is not stored on insecure computer systems (the recent Target breach was notable only in that it got publicized).


Posted by: Sifu Tweety | 05-29-14 10:13 AM
12

not using internet banking certainly does not mean that your account information is not stored on insecure computer systems. Not buying anything online certainly does not mean that your credit card information is not stored on insecure computer systems

My assumption was that it would perhaps reduce the number of insecure computer systems on which it was stored.


Posted by: | 05-29-14 10:16 AM
13

If all the kool kids have known forever that there's never any hope for any security anywhere on the internet, why are they the ones who obsess about the evil NSA?


Posted by: Cryptic ned | 05-29-14 10:17 AM
14

The fuck? That was me. And I wasn't relying on "remember personal info"--I actually typed my name. Not sure where it went.


Posted by: urple | 05-29-14 10:17 AM
15

I hope 6 is going on fake accent's dating profile. (I'm not sure when I became the dating profile police.)


Posted by: Thorn | 05-29-14 10:19 AM
16

I really hope 14 is to 13, because that would be so urple.


Posted by: essear | 05-29-14 10:20 AM
17

13: well, a lot of the Kool Kids do actually try to make things better, if not for anybody else at least for themselves. The "there's no hope" is sort of my gloss; a lot of my friends in security would say "things are actually maybe getting marginally better a little bit sometimes!"

On the other hand then you have things like the most commonly used open source encryption package unexpectedly shutting down and announcing it is not secure, under very shady circumstances.

Anyhow, there is certainly a balance of harm; it is possible to secure a computer so that it is probably the case that only an actor like the NSA could compromise it. What drives the Kool Kids nuts is that it is really impossible to counteract the NSA, one, and two that the NSA is actively working to make things worse, which really kills all hope.

As ever, the most clear-eyed picture of what risk mitigation is really possible comes from Schneier.


Posted by: Sifu Tweety | 05-29-14 10:26 AM
18

9: I think that's a bit overboard, as are all of the "doom doom doom" articles like Norton's. In principle, I suppose someone can guess your passwords and go wild. In practice, what really happens is that most people aren't very careful.

Lots of people don't have virus scanners. Yes, they all suck and they don't catch the new stuff and signature-based virus-scanning is getting past its sell-by date but so what. Polio vaccines are old and boring but you get them anyway, right?

People don't install updates. If you are lazy, just tell the machine to do it automatically and reboot if necessary. Most updates these days seem to be about security.

People use the same passwords for a lot of internet accounts. They open attachments without looking at them carefully first. They follow links without looking at them carefully first.

If you get an attachment, unless it's from someone you know, and it makes sense they'd send it to you, and (if you know how) the actual headers indicate it really came from them, don't open it. Especially don't open attachments that are ".exe" on Windows. In fact if you want to open the attachment, the safest way is to download it, then open it by explicitly invoking the program associated with the extension (Word for ".doc", etc.), not just double-clicking in the email or browser.

If an email has a link, don't follow it unless you are absolutely sure it's what it says it is. Pressing buttons in email? Ick. Don't. If it purports to be from your bank, don't follow it, in spades. If you think it might be real, type in the URL you already have for your bank and check it there. (Gmail does a pretty good job of defending against infected email these days, by the way.)

Not being sufficiently paranoid about that sort of thing is how you get the malware on your computer that lets all the bad things Sifu writes about happen.

Oh yeah, don't go to sketchy sites. You know the ones. Or if you do, wear a condom.

Sorry for the verbosity.


Posted by: DaveLMA | 05-29-14 10:31 AM
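Added example (Go, not from the thread): the header and link checks described in 18, written out as code. It parses a constructed message (not real mail), compares the Return-Path and the DKIM signing domain against the From domain, compares each link's visible text with its real target, and flags executable attachment names. Assumptions: the Authentication-Results header was added by your own mail provider (one inserted by the sender proves nothing), and every address, domain and URL in the samples is invented.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed sample messages (not real mail). The first claims to be a bank
// but its envelope sender, DKIM signer and link target belong to someone
// else; the second is what an aligned, legitimate notice looks like.
const samplePhish = `From: "First Bank Security" <alerts@firstbank.example>
Return-Path: <bounce@mailer-7.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer-7.example.net; dkim=pass header.d=mailer-7.example.net
Subject: Action required
Content-Type: text/html

<p>Please verify your account: <a href="http://firstbank.example.verify-login.example.net/x">https://www.firstbank.example/login</a></p>
`

const sampleLegit = `From: "First Bank" <alerts@firstbank.example>
Return-Path: <alerts@firstbank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=firstbank.example; dkim=pass header.d=firstbank.example
Subject: Statement ready
Content-Type: text/html

<p>Sign in at <a href="https://www.firstbank.example/login">https://www.firstbank.example/login</a></p>
`

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	dkimDRe  = regexp.MustCompile(`header\.d=([A-Za-z0-9.-]+)`)
	// Extensions Windows runs as a program on double-click.
	riskyExt = map[string]bool{".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
		".cmd": true, ".js": true, ".jse": true, ".vbs": true, ".hta": true, ".jar": true, ".msi": true}
)

// domainOf returns the lowercased domain of an RFC 5322 address field, or "".
func domainOf(field string) string {
	a, err := mail.ParseAddress(field)
	if err != nil {
		return ""
	}
	if i := strings.LastIndex(a.Address, "@"); i >= 0 {
		return strings.ToLower(a.Address[i+1:])
	}
	return ""
}

// hostOf returns the lowercased host of something that looks like a URL, or "".
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		if !strings.HasPrefix(strings.ToLower(s), "www.") {
			return ""
		}
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// RiskyAttachment flags names that execute on Windows, including
// "statement.pdf.exe", which Explorer shows as "statement.pdf" by default.
func RiskyAttachment(name string) bool {
	return riskyExt[strings.ToLower(path.Ext(strings.TrimSpace(name)))]
}

// Triage applies the checks from the post above to one raw message plus its
// attachment names and returns one finding per problem (empty means clean).
func Triage(raw string, attachments []string) []string {
	var findings []string
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return []string{"unparseable message: " + err.Error()}
	}
	fromDom := domainOf(msg.Header.Get("From"))
	// 1. The envelope sender should be the same organisation as the From header.
	if rp := domainOf(msg.Header.Get("Return-Path")); rp != "" && rp != fromDom {
		findings = append(findings, fmt.Sprintf("Return-Path domain %q differs from From domain %q", rp, fromDom))
	}
	// 2. A DKIM pass only means something if the signing domain is the From domain.
	ar := msg.Header.Get("Authentication-Results")
	switch m := dkimDRe.FindStringSubmatch(ar); {
	case !strings.Contains(ar, "dkim=pass"):
		findings = append(findings, "no passing DKIM signature")
	case m != nil && strings.ToLower(m[1]) != fromDom:
		findings = append(findings, fmt.Sprintf("DKIM signed by %q, not by From domain %q", m[1], fromDom))
	}
	// 3. Visible link text and the real target must agree, and the target must
	//    be the sender's domain, not a lookalike that merely starts with it.
	body, _ := io.ReadAll(msg.Body)
	for _, a := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		href, shown := hostOf(a[1]), hostOf(a[2])
		if shown != "" && shown != href {
			findings = append(findings, fmt.Sprintf("link text shows %q but points to %q", shown, href))
		}
		if href != "" && href != fromDom && !strings.HasSuffix(href, "."+fromDom) {
			findings = append(findings, fmt.Sprintf("link host %q is not under sender domain %q", href, fromDom))
		}
	}
	// 4. Anything executable, whatever icon the mail client draws for it.
	for _, name := range attachments {
		if RiskyAttachment(name) {
			findings = append(findings, "executable attachment: "+name)
		}
	}
	return findings
}

func main() {
	for _, f := range Triage(samplePhish, []string{"statement.pdf.exe"}) {
		fmt.Println("phish:", f)
	}
	fmt.Println("legit findings:", len(Triage(sampleLegit, nil)))
}
```

The phishing sample trips five findings; the legitimate one trips none. The lookalike check is deliberately strict: a host that ends in ".firstbank.example" is accepted, one that merely begins with "firstbank.example." is not, because anyone can register the latter.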
19

9: I think that's a bit overboard

It's the literal truth. Mostly it works out to be fine, because it'll hopefully take a bit of work for somebody to 0wn your shit up, and on the server/corporate side it's somebody else's problem who will hopefully be attentive and mitigate the damage, but it is definitely the literal truth. I... should definitely know!


Posted by: Sifu Tweety | 05-29-14 10:42 AM
20

I mean, come on, all of fucking Akamai was compromised for how long after Heartbleed was already public?


Posted by: Sifu Tweety | 05-29-14 10:45 AM
21

I'm mostly on board with 9, except with the degree of panic/despair it seems to bring with it. In many cases you can make N small enough. Somewhat like the Club for cars - you only have to make your system difficult enough to break into that most intruders won't bother and will pick some other, lower-hanging fruit. State-level actors may be able to bring more resources to bear if they feel like targeting you specifically, but if they feel like doing that they can also break into your house and physically install keyloggers, etc. As the manual for one security tool (PGPfone, back in the day) used to read, "If you're at this point, we thank you for helping to keep the government busy with you and away from us".

The bit where the NSA is trying to make everyone's systems less secure all the time is worth being riled up about, however.


Posted by: Nathan Williams | 05-29-14 11:08 AM
22

Oh, yeah. I didn't mean to induce panic/despair. It's just how it is, and probably how it will always be; the goal is harm reduction, and it's definitely the case that the same goal applies with real-world security.


Posted by: Sifu Tweety | 05-29-14 11:24 AM
23

I mean, I use online banking, buy shit online, run a server, etc. etc. Not much to be done about it, so, okay.


Posted by: Sifu Tweety | 05-29-14 11:25 AM
24

If 9 is true, the appropriate response is to punish computer related crime extraordinarily harshly when it is possible to do so, to serve as an appropriate deterrent.


Posted by: Robert Halford | 05-29-14 11:32 AM
25

24: I would expect no other response from you.


Posted by: Josh | 05-29-14 11:39 AM
26

24: The punishment ought to fit the crime. Write the laws clumsily and you'll be hanging 15 year olds who are just curious about how stuff works. There also ought to be exemptions for people who act responsibly when they find vulnerabilities. If the dude in the first link of the OP had reported his discovery to the appropriate people he ought to be given a pass even though he technically trespassed on 50,000 computers.


Posted by: togolosh | 05-29-14 11:42 AM
27

26: He very likely would have been, actually, although I appreciate that the government's decisions about who to prosecute look arbitrary enough (and in some cases are in fact pretty darn arbitrary) so that he didn't feel he could take the chance.


Posted by: widget | 05-29-14 11:49 AM
28

19: I should also know because [details redacted], so I'm sort of curious how (to take one example) my home system (Windows 7), fully updated, virus protected and behind a router, is likely to be hacked if I take the sort of precautions I mention in my screed.

(I don't run EMET or Invincea, so I'm not even at the highest level of "easy" protection.)

If you mean "someone will guess your passwords" or "you'll eventually download malware by accident," I'll say "possible," but you seem to be making a stronger claim.


Posted by: DaveLMA | 05-29-14 11:57 AM
29

Thinking about it for a moment, a formal leniency/amnesty system (protection from prosecution guaranteed if you voluntarily report a security weakness and if you haven't derived pecuniary gain from the use of the weakness, something like that) would probably be a good idea in the abstract. They could model it on the one set up for antitrust, which I think is generally regarded as a success. The problem is I suspect most of the relevant community doesn't trust the government, wouldn't believe the promises, and would figure the whole thing would just get funneled to the NSA for exploitation. And, frankly, they would have some reason for at least the last piece of that.


Posted by: widget | 05-29-14 11:57 AM
30

24: you're funny.


Posted by: Sifu Tweety | 05-29-14 11:58 AM
31

28.1: I mean, off the top of my head I don't know. I haven't really been active in that stuff for like a decade. The easiest way is probably to get you to download and run something unsigned, yes, but I suspect that your router is going to be the next best vector; once that's owned a MITM attack would presumably be doable.

But yeah, no, I don't know specifics. I just know people, and anecdotes.


Posted by: Sifu Tweety | 05-29-14 12:04 PM
32

29: nobody is actually worried about getting in trouble -- that part of the article was weird -- but why would you give that shit away when Microsoft (for example) will pay you like a hundred grand for it?


Posted by: Sifu Tweety | 05-29-14 12:05 PM
33

28: Auto-updates are a great attack vector. Find some updater that's not quite verifying its signatures, or is depending on a TLS connection but doesn't get it quite right, or exploit a CA somewhere to mint you a certificate for the vendor and MITM your next update, etc., etc.


Posted by: Nathan Williams | 05-29-14 12:09 PM
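Added example (Go, not from the thread and not any vendor's updater): why the "not quite verifying its signatures" updater in 33 is fatal even over TLS. WeakVerify has the two usual mistakes, treating a missing signature as an unsigned-but-fine release and never binding the payload it fetched to the hash in the signed manifest; StrictVerify requires the signature, binds the payload, and refuses replay of an older, validly signed manifest. The key pair, manifest layout, version scheme and payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client: a version, the
// SHA-256 of the payload to fetch, and a signature over both made with the
// vendor's long-term key. (Assumptions for this example: a single ed25519
// key and integer versions; real products add key rotation and expiry.)
type Manifest struct {
	Version       int
	PayloadSHA256 string
	Signature     []byte
}

// signedBytes is exactly what the signature covers. Anything the client acts
// on (version, payload hash) has to be in here, or it is unauthenticated.
func signedBytes(m Manifest) []byte {
	return []byte(fmt.Sprintf("update-manifest-v1\n%d\n%s\n", m.Version, m.PayloadSHA256))
}

// Sign is run offline by the vendor's release process.
func Sign(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA256: hex.EncodeToString(h[:])}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// WeakVerify is the "not quite verifying" updater. Whoever sits on the
// download path (a forged TLS certificate, an owned router) only has to
// strip the signature, or swap the payload, to run code on every update.
func WeakVerify(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if len(m.Signature) == 0 {
		return nil // BUG: fail-open on a missing signature
	}
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return errors.New("bad signature")
	}
	return nil // BUG: the fetched payload is never compared with the signed hash
}

// StrictVerify requires a signature from the pinned vendor key, binds the
// payload to the signed hash, and refuses anything not newer than what is
// installed, so a replayed old manifest cannot roll the client back to a
// vulnerable release.
func StrictVerify(pub ed25519.PublicKey, m Manifest, payload []byte, installed int) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("manifest is unsigned")
	}
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return errors.New("manifest signature does not verify")
	}
	h := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(h[:])), []byte(m.PayloadSHA256)) != 1 {
		return errors.New("payload hash does not match signed manifest")
	}
	if m.Version <= installed {
		return fmt.Errorf("refusing downgrade or replay to version %d", m.Version)
	}
	return nil
}

// Scenarios runs a genuine, a signature-stripped, a payload-swapped and a
// replayed update through both verifiers and reports which each accepts.
func Scenarios() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed update payload, version 2")
	good := Sign(priv, 2, payload)
	stripped := good
	stripped.Signature = nil
	evil := []byte("attacker-supplied payload")
	return map[string]bool{
		"weak/genuine":    WeakVerify(pub, good, payload) == nil,
		"strict/genuine":  StrictVerify(pub, good, payload, 1) == nil,
		"weak/stripped":   WeakVerify(pub, stripped, payload) == nil,
		"strict/stripped": StrictVerify(pub, stripped, payload, 1) == nil,
		"weak/swapped":    WeakVerify(pub, good, evil) == nil,
		"strict/swapped":  StrictVerify(pub, good, evil, 1) == nil,
		"strict/replay":   StrictVerify(pub, good, payload, 2) == nil,
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, accepted := range res {
		fmt.Printf("%-16s accepted=%v\n", k, accepted)
	}
}
```

The weak verifier accepts all three attacks; the strict one accepts only the genuine update. The point is that the signature is checked against a key shipped with the client, so the check does not depend on the transport being honest.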
34

32: Fair enough; I took it at face value since I actually don't know what the temperature on this subject is in the security community.

I do know DOJ has been more than a bit aggressive on its interpretation of the relevant statutes lately (e.g., here), but that's actually a separate question from whether they would prosecute for a voluntary disclosure under the circumstances in the linked article.


Posted by: widget | 05-29-14 12:34 PM
35

A job for Sifu -- even more fun than a research lab!

Red Team Penetration Tester-236242
Federal Reserve Bank of San Francisco
Job Sensitivity
Tier III - Top Secret

The Federal Reserve System's Red Team is charged with the mission to ultimately improve the System's resilience to its attackers, a list which includes hackers, terrorists, insiders, and advanced persistent threat actors, by mimicking the real-world techniques they might leverage. As a Red Team member, you will fuse technical and non-technical skills to emulate actions that might be taken by an adversary. You will understand the psychology, the systems, and the tactics employed by threat actors to proactively test the Federal Reserve System's ability to detect, react, and adapt to attacks. Techniques you might leverage include but are not limited to social engineering, exploit development, and process exploitation.

Responsibilities
· Actively collaborate with internal and external team members to effectively deliver Red Team assessments across the FRS.
· Consistently identify technical and non-technical knowledge gaps and proactively seek to close those gaps to continuously enhance your ability to operate as an effective Red Teamer.
· Consistently collaborate and share knowledge with team members via formal and informal methods.
· Lead assessments as necessary by establishing parameters, executing the Red Team assessment, and communicating the results to management.
· Perform additional incidental duties as assigned by management or job responsibilities.

Required Qualifications
· 7+ years of experience in technical security testing of multiple platforms, operating systems, software, communications, and network protocols.
· Deep architectural understanding of multiple platforms, operating systems, software, communications, and network protocols.
· Demonstrated ability to communicate security concepts to technical and non-technical audiences.
· Demonstrated ability to work on multiple projects simultaneously and to work in a highly dynamic, rapidly changing environment.
· Demonstrated ability to interface with senior executives.
· Ability to quickly adapt to a changing environment, innovate, and produce creative solutions to tough problems.
· Positive, team and mission-oriented attitude.
· Ability to obtain a Top Secret Clearance.

Additional Desired Qualifications
· Red Team experience
· Exploit development experience
· Advanced social engineering experience


Posted by: PGD | 05-29-14 1:00 PM
36

If I had any interest in working in computer security it would have happened a long time ago. My friends who do red team stuff do seem to enjoy the hell out of it.


Posted by: Sifu Tweety | 05-29-14 1:05 PM
37

36 People who go to Blackhat and Defcon seem to enjoy the hell out of that. Mostly terrifying fun, with a little work if you do the workshops.

Anecdotes about computer security always remind me of my old friend who, whenever I talk with him, gives me about four new stories about how we are All Doomed, no tinfoil hats involved either.


Posted by: DaveLMA | 05-29-14 1:41 PM
38

I, uh, I know about Defcon, yes.


Posted by: Sifu Tweety | 05-29-14 2:02 PM
39

Every "secure" university wifi network I've used has required that I accept a certificate that my browser objects to in order to connect. I always wonder if I should worry about that.


Posted by: fake accent | 05-29-14 4:18 PM
40

39 Two likely possibilities:

1. They are doing Man-in-the-Middle SSL cert forgery to "protect" you and them from https: sites they are worried about. This is actually pretty common, alas. Let's say you are trying to get to Gmail (https://mail.google.com). The way it works is that they supply a forged Gmail cert to your browser. Then, after decrypting the transaction with that forged cert, deciding whether you are (e.g.) sending documents to Wikileaks, they re-encrypt it with the real Gmail cert and send it on. Some browsers don't even warn you that this is happening (the forged certs can be detected easily by them).

2. Many (too many) organizations create their own certs that aren't recognized because they aren't from a recognized certificate authority. Among the organizations that do this is the US Government, which has its own unrecognized cert authority. /headdesk

The whole cert thing is really a mess, and worse because almost no one actually understands it at the level they see it in their browser, and browsers don't really help them understand it.


Posted by: DaveLMA | 05-30-14 5:58 AM
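Added example (Go, not from the thread): what the interception case in 40 looks like to the certificate checks involved. It builds a stand-in public CA and a campus interception CA, issues a genuine and a forged leaf for the same hostname (mail.google.com is used only as a label; every certificate and key here is generated by the example, and the real site's key is never involved, since the proxy holds the forged leaf's key and connects onward as an ordinary client), and shows that once the interception CA has been accepted the browser's chain check passes silently, while an SPKI pin still catches the substitution. The same forged leaf is how the "mint you a certificate for the vendor" case in 33 beats an updater that trusts TLS alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for name. With isCA it is a root (self-signed
// when parent is nil); otherwise it is a server leaf signed by parent. An
// interception proxy does the leaf case on the fly for every site you visit.
// Key generation failure is treated as unrecoverable in this example.
func issue(name string, serial int64, isCA bool, parent *issuer) *issuer {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{cert, key}
}

// chainsTo is the browser's check: does leaf validate for host against the
// given trust store?
func chainsTo(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value that
// certificate pinning compares. A forged leaf carries the proxy's key, so its
// pin cannot equal the genuine site's, whichever CA you have accepted.
func spkiPin(c *x509.Certificate) string {
	h := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(h[:])
}

// Scenario reports what each check says about the genuine and forged leaf.
func Scenario() map[string]bool {
	host := "mail.google.com" // label only; every certificate here is constructed
	publicCA := issue("Public CA (stand-in)", 1, true, nil)
	campusCA := issue("Campus Wi-Fi Interception CA", 2, true, nil)
	genuine := issue(host, 3, false, publicCA)
	forged := issue(host, 4, false, campusCA)
	shipped := x509.NewCertPool() // what the browser trusts out of the box
	shipped.AddCert(publicCA.cert)
	afterAccept := x509.NewCertPool() // after you clicked through the warning
	afterAccept.AddCert(publicCA.cert)
	afterAccept.AddCert(campusCA.cert)
	return map[string]bool{
		"genuine/shipped store":  chainsTo(genuine.cert, host, shipped),
		"forged/shipped store":   chainsTo(forged.cert, host, shipped),     // the warning you saw
		"forged/after accepting": chainsTo(forged.cert, host, afterAccept), // now silent
		"forged/pin matches":     spkiPin(forged.cert) == spkiPin(genuine.cert),
	}
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-24s %v\n", k, v)
	}
}
```

Accepting the certificate once is what turns the warning into silence: after that the chain check is satisfied by design, and only something that compares the server key itself (a pin, or noticing that the issuer of mail.google.com's certificate is your campus) will tell you the session is being read.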
41

Well isn't that helpful:

http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers


Posted by: Barry Freed | 05-30-14 12:42 PM
42

You know what else is broken on the internets? Twitter.

Amen. I could deal with the large print but the rest is horrible.


Posted by: teraz kurwa my | 05-30-14 1:54 PM