Archive for the 'Risk' Category

Oct 17 2013

What’s a micromort?

Published by under Family,Humor,Risk

One of the cool things we’ve found on TV since moving to the UK is QI XL.  It’s a BBC show hosted by Stephen Fry where they take a rather comedic romp through a bunch of facts that may or may not have anything to do with one another.  Last night’s show was about Killers and a term that was completely new to me came up, a unit of measure called the ‘micromort’.  It’s basically a measurement equal to a one in a million chance of dying because of a specific event.  Really, it’s a scientifically valid measurement of risk.  And yes, our family has a strange idea of ‘cool’.

Why is the micromort important and relevant to security?  Because humans, and security professionals are included in that category, have a horrible sense of the risks involved in any action.  For example, you are 11 times more likely to die from a 1 mile bike ride, .22 micromorts, than from a shark attack, .02 micromorts.  Yet the same people who fear sharks greatly are willing to go on a bike ride on a daily basis.  And many of those people smoke, which is a single micromort for each 1.4 cigarettes smoked.  People suck at risk analysis.

So could we come up with a similar unit of measurement for the risk in a million of a single action leading to a breach?  Someone needs to find a better name for it, but for the sake of argument, let’s call it a microbreach.  Every day you go without patching a system inside your perimeter is worth a microbreach.  Deploying a SQL server directly into the DMZ is 1000 microbreaches.  And deploying any Windows system directly onto the Internet is 10 million microbreaches, because you know that it’ll be scanned and found by randomly scanning botnets within minutes, if not seconds.

The problem is that the actuarial tables the micromort measurements are drawn from are built on millions of daily events.  People die every day, it’s an inevitability, and we have a very black and white way of measuring when a person is dead.  We can’t even really agree on what constitutes a breach in security at this point in time; we don’t have millions of events to draw our data from (I hope), and even if we do, we’re not reporting them in a way that could be used to create statistical data about the cause of these events.

Some day we might be able to define a microbreach and the cost of any action in scientific terms.  There are small sections of the security community that argue endlessly about the term ‘risk’ and I have to believe they’re inching slowly towards a more accurate way to measure said risks.  I don’t expect those arguments to be settled any time soon, and perhaps not even in my lifetime.  So instead I’ll leave you with an entertaining video on the micromort to watch.  Thanks to David Szpunar (@dszp on twitter) for pointing me to it.


Oct 15 2013

Don’t ask for my password or PIN, United!

I’ve been a United Airlines customer for years.  I’ve been very loyal to United and the Star Alliance.  I’ve flown over 300k miles with them, and I’ll have flown over 100k miles this year alone as of my next trip.  I’m in the top tier of their frequent flyer program and they generally treat me very well, with the kinds of exceptions that plague every airline, like maintenance and weather delays.  But they do one thing that really, really bugs me and they need to change it: when I call in to use my mileage or alter a ticket, their customer service representative asks for my PIN!

When you log into the United site, you have two choices: you can use your password or a four digit PIN to log in.  The same PIN or password can be used to log in to the mobile application as well.  This login allows access to all aspects of the account’s capabilities, allowing the user to change flights, get updates and spend frequent flyer miles.  In other words, total control of the account.  And the customer service reps need this PIN in order to make changes to my account.

This is why I’m extremely annoyed by the way United treats my PIN.  In effect, every time I call in to United, I have to give up total control of my account to a complete stranger.  I have to either trust that they are well vetted by the airline, something I’m not entirely sure is true, or go through the hoops of changing my PIN every time I call in to United’s customer care services.  Alternatively, I can ignore both of those options and simply hope that nothing happens when I give up my password.  I’ve done all three at various times, but it still makes me angry that I have to choose one of these options.

I’ve complained to United several times when calling in.  I’ve talked to the agent on the phone, I’ve asked to speak to a manager, but as recently as last week they show no sign of understanding that this is a problem or making any changes.  The requirement to give up my password seemed to coincide with the merger of United and Continental and the adoption of the Continental computer systems.  The impression I’ve received from sources inside of United and out is that the Continental system was developed in the mid-70s and has been largely unchanged since then.  Yes, they slapped some lipstick on the pig in the form of a web interface, but the back end is still a mainframe of some sort with a security model that hasn’t changed since its inception.

I have to appeal to United’s security teams:  Please, please, please find some way of changing your system so that I don’t get asked for a sensitive piece of information like my password or PIN every time I need to talk to your agents for a change to my flight!  I realize there is no credit card data directly available from my account, but my flight information is, and that opens up the ability to change my flights or spend my mileage.  This really is something that shouldn’t be allowed in the modern age, from a multi-national corporation that really should know something about security and securing customer data.  Between moving to the UK and your poor security, I’m seriously thinking it’s time for a different airline.


Oct 14 2013

Your email won’t be any safer over here

I’m not sure why anyone has the illusion that their data would be safer in Europe than it might be in the US.  While some of the countries in Europe seem to have better laws for protecting email, it’s not a clear cut thing and there are always trade-offs.  While they might have better protections for data at rest, while in transit it might be fair game, or vice versa.  Plus, if you’re an American, you’re the foreigner to those nations, so many of the protections you might think you’re getting are null and void for you.

Rather than simply speculate, as many of us do, Cyrus Farivar at Ars Technica has written an article, Europe Won’t Save You: Why Email is Probably Safer in the US.  If you examine the laws closely, you’ll find that while countries like Germany appear to have stronger privacy laws, some of the caveats and edge cases make a lie of that appearance.  In this particular example, German law puts a gag order in place by default that prevents your service provider from notifying you in case they’re served with a subpoena or similar device.  Think on that for a moment: if your service provider is served, you’ll never hear about it by default, rather than only when the large intelligence agencies take an interest in you.

Since I moved to the UK I’ve been hip deep in similar arguments with regards to cloud service providers.  Many folks in and around Europe seem to think that their own laws will somehow protect them from the threat of having their data raided by the NSA or some other, even more shadowy US organization.  But the reality is that in many countries they have less protection from their own governments than they do from the US.  And that barely scratches the surface: the core internet routers in many, if not all, countries are compromised by multiple governments, which are getting feeds of every packet that flows across their infrastructure.

The other concern that I hear quite often is about US businesses and information leaving the European Union.  I find this concern interesting, and believe it is likely to be a much more legitimate issue.  In the EU, the data protection laws appear to be much stronger than they are in the US, especially the Safe Harbor Principles.  But the reality is that businesses see the value of having as much personal information as they can get their hands on, so Safe Harbor is given lip service, while the businesses find ways to get around these requirements.  Or in many cases, ask users to opt out of some of the protections to get additional functionality out of a site.

Don’t think that hosting your email or other service in a particular jurisdiction is going to protect you if a government wants to get its digital fingers into your email.  As Farivar points out, the closest thing you’ll have to privacy is if you store your email on your own devices and encrypt it with your own encryption keys.  Storing it anywhere else leaves you open to all sorts of questionable privacy laws between you and your hosting provider.  You can’t just consider the jurisdiction you’re in, you have to consider every route your data might take between point A and point Z.  Being the Internet, you’ll never know exactly what route that is going to be.

Personally, I’m not pulling the plug on my Gmail account any time soon.  No government is worse than Google when it comes to intrusive monitoring of your email, let’s be honest.


Oct 13 2013

Time to change DNS methods

I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now.  The difference between the two is mostly academic, since the effect of having your site hacked due to a weakness in the code and having all your traffic redirected to a site that the bad guys own is immaterial.  Either way, your company is effectively serving up something other than the page you intended, which is what really matters.

There have been a number of high profile sites that have recently been attacked through their DNS registrar.  Registrars are the companies who are responsible for keeping track of who owns which domains and providing the base DNS information for where to find the systems associated with a domain.  In theory, they’re supposed to be among the most heavily defended types of enterprise on the Internet.  But the practice is different from theory, and even registrars have their weaknesses.  In the case of, this appears to be social engineering attacks.

The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp.  What’s almost funny about the latest attack is that the attackers had to send a fax in as part of the change request to make the changes.  To think that a technology that had its heyday in the 80s would be the method used to attack companies in the second decade of the 21st century is amusing.  Hopefully has already begun reviewing their processes to prevent a similar event from happening again in the future.  And, again hopefully, other registrars are learning from the mistakes of and reevaluating their own processes.

There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar.  Also, not all registrars support locking, so this isn’t always an available option.  If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar.  That last part usually gets their attention.
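Whether a registrar lock is actually in place on your domains is something you can verify from the outside, because the lock is expressed as EPP status codes in the domain’s WHOIS or RDAP record.  The following Python check is an added example, not code from this post: it reads an RDAP-style domain object and reports whether the three client lock statuses are present.  The sample records are constructed, the script makes no network lookups, and the spelling normalisation is an assumption to cope with both RDAP and WHOIS renderings of the same codes.

```python
"""Check whether a domain record shows a registrar lock.

Added example (not from the original post). It inspects the "status"
array of an RDAP domain object for the EPP lock statuses that a
registrar lock sets, and reports what is missing. Sample records
below are constructed, not real lookups.
"""
import json

# EPP status codes a registrar lock normally sets on a domain.
# RDAP spells them as lowercase words with spaces, WHOIS output spells
# them in camelCase; normalise() folds both into one form.
CLIENT_LOCKS = {
    "clienttransferprohibited",
    "clientupdateprohibited",
    "clientdeleteprohibited",
}

# The stronger "registry lock" sets the server-side equivalents, which the
# registrar itself cannot remove. Reported as a bonus, not required here.
SERVER_LOCKS = {
    "servertransferprohibited",
    "serverupdateprohibited",
    "serverdeleteprohibited",
}


def normalise(status: str) -> str:
    """Map 'client transfer prohibited' / 'clientTransferProhibited' to one spelling."""
    return status.replace(" ", "").lower()


def check_domain_locks(rdap_json: str) -> dict:
    """Return the lock state of one RDAP domain object.

    locked is True only when all three client locks are present;
    missing_client_locks lists (normalised) codes that are absent.
    """
    obj = json.loads(rdap_json)
    statuses = {normalise(s) for s in obj.get("status", [])}
    missing = sorted(CLIENT_LOCKS - statuses)
    return {
        "domain": obj.get("ldhName", "<unknown>"),
        "locked": not missing,
        "missing_client_locks": missing,
        "has_registry_lock": SERVER_LOCKS <= statuses,
    }


def report(rdap_json: str) -> str:
    """One-line summary suitable for an admin checklist or a cron job."""
    r = check_domain_locks(rdap_json)
    if r["locked"]:
        extra = " (plus registry lock)" if r["has_registry_lock"] else ""
        return f"{r['domain']}: registrar lock present{extra}"
    return (f"{r['domain']}: NOT locked, missing "
            + ", ".join(r["missing_client_locks"]))


# Constructed sample records in RDAP shape (not real lookups).
LOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "locked.example",
    "status": ["client transfer prohibited",
               "client update prohibited",
               "client delete prohibited"],
})

UNLOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "open.example",
    "status": ["active"],
})

PARTIAL_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "partial.example",
    "status": ["clientTransferProhibited"],   # WHOIS-style spelling, only one lock
})


if __name__ == "__main__":
    for record in (LOCKED_DOMAIN, UNLOCKED_DOMAIN, PARTIAL_DOMAIN):
        print(report(record))
```

A transfer lock alone (the partial record above) still leaves name server changes possible, which is exactly the change the attacks in this post relied on, so the check insists on all three client locks.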

I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS.  It’s not an enviable position to be in.  Which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there.  But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.

Update: Add two more to the compromised list, Bitdefender and ESET.  And again is the common point of weakness.


Oct 06 2013

Invasive monitoring at next Winter Olympics

If you have plans to go to the next Winter Olympics, in Sochi, Russia, prepare to have any and all of your electronic communications monitored.  The Guardian has found paperwork, including procurement documents and tenders, looking for the technology needed to monitor all communications to and from the Olympic venue.  We have to assume that this means all phone calls, all wifi access and is very likely to include ways to break into other, supposedly encrypted, channels such as Skype and the TOR network.

It’s really nothing new to think of governments monitoring the communications going on at the Olympics, but the sheer size and depth to which the Russian government will be monitoring is more than a bit daunting.  Given the current environment and the fact that citizens from every walk of life are more sensitive than ever to being spied upon, it’s very likely that this will receive more attention than if it had happened at the London Olympics.  And because it’s Russia that’s doing the monitoring, rather than a western power, it makes it more suspect in many people’s eyes.

One of the scary aspects the Guardian story hints at is that monitoring won’t be aimed simply at the security and safety of attendees of the Olympics; it will also be aimed at political dissidents and ‘illegal’ activities, such as gay rights activism.  Adding to that the probability that all data captured during the Olympics is going to be stored indefinitely and analyzed in depth, anyone who holds views that are unpopular with the Russian government should be very, very nervous.  I won’t be surprised to see a number of Russian citizens who attend the Olympics arrested three to six months later as the government gets around to analyzing their communications.  Or to have these communications surfacing years later to embarrass dissidents.

Yes, I’m paranoid.  But if I have an opportunity to attend the Olympics in Sochi, I’ll have to think twice before accepting it.  I’ll take a number of precautions similar to what I’d take if I was attending a big event in China: burner phone with a local SIM, laptop that will be retired after the event, email address that only gets used during the Olympics, just for starters.  I’d also be very cognizant of the fact that I’m being monitored every moment, with my movements being analyzed by computer algorithms as well as human agents.  Most importantly, I would avoid any reading that would raise my paranoia level higher than it already was before or during the trip.

Most people will be oblivious to the monitoring at the Olympic games.  And for most people, that’s a price they’re willing to pay in order to see one of the biggest events in the world.  Which could be the right decision for the average Joe.  But if you’re not the average Joe, if you have opinions or tendencies that are unpopular with the Russian government, think seriously about taking some precautions before you head to the Olympics in 2014.

Last of all, remember, the monitoring of electronic communications will be just part of the equation.  There will be mics and cameras everywhere as well.  Probably even the bathrooms.


Oct 03 2013

Not so anonymous

Published by under Government,Privacy,Risk

Maintaining anonymity on the Internet is hard.  And it’s only getting harder as governments get savvy about how to track down people who are doing “bad things”.  All it takes is one little mistake and your cover is completely blown.  This applies to criminals as much as it does to political activists, something to keep in mind as you wander the web and express your opinions: OPSEC (Operations Security) is hard.

We have two recent examples of this.  The Dread Pirate Roberts, mastermind of Silk Road, an online drug trafficking site that has been around for years, was arrested this week, and in part it appears that all it took was a few simple mistakes.  One mistake was accessing the servers controlling Silk Road from an internet cafe near the hotel he was staying in at the time.  Another was using a Gmail address that had additional contact information, at least if you have a subpoena forcing Google to disclose that information.  Apparently the final straw was when “Dread Pirate Roberts” tried to get fake IDs sent to his real address.  Connecting your digital and physical identities like this is generally a bad idea.

The other story is that thirteen members of Anonymous have now been indicted on charges related to attacks against the MPAA, RIAA and several financial institutions.  When Anonymous started attacking as a form of protest, they thought that the use of tools like LOIC and HOIC would keep them from being caught, because they’d be part of a crowd and hard to track down.  That was a laughable assertion, primarily because the tools make no effort to hide the source of their traffic and so make tracking it back fairly simple.  It’s more an issue of having the time and will to hunt down a nuisance than of technical difficulty.  But if you add hacking of web sites and other federal crimes to the list, you might find that the FBI suddenly has the will needed to find you.  Funny, that.

The difficulty of maintaining anonymity on the Internet is much higher than most people understand.  All it takes is logging in from the wrong location once or using an address that’s linked to your real world identity and you’re toast.  Which makes it all the more amazing that th3J35t3r has managed to maintain some anonymity for a number of years now.  Makes you think maybe he has people helping him maintain that anonymity in all sorts of places.

It’s only going to get harder to retain any sort of secrecy associated with identity as time goes by.  Due, in part, to American spying, Brazil is considering creating their own ‘Internet’.  The ITU is seriously considering taking control of the Internet away from American companies and allowing various countries to implement their own controls at their borders.  Many of the proposed changes would require end users to explicitly tie their identity to their browsing and Internet activity.  The idea of a balkanized or country specific Internet with borders was once thought of as a laughable idea, but now might be a very real possibility.

If you’re planning on doing ‘bad things’ on the Internet, remember that keeping your identity a secret is hard now and it’s only going to get more difficult as time goes by.  Both of the examples I used are clearly criminal actions, but it’s our governments who get to decide what ‘bad things’ are; the opinion that you felt free to express today might be added to that classification at any time.  Since everything you’re doing online is now being kept in databases for future reference, keep in mind that what you’ve already said could some day be considered ‘bad’.  May you live in interesting times.


Jul 13 2013

Catching up on Snowden

Published by under Government,Privacy,Risk

Between a two week stint in Bangkok, Thailand and making preparations for a huge move, I’ve barely had time to keep up with the stories coming out about Edward Snowden and governmental spying around the world, let alone blog about them. The travel situation isn’t getting any better, with a huge trip to Las Vegas coming up.  And the moving component of my life will get much worse before it gets better.  Probably some time near the end of August.  So forgive me for pre-coffee

It seems that nearly every government is getting outed on charges similar to what the NSA and US government face, if people look hard enough.  I find it interesting to see people’s reactions as they confront the new reality of government surveillance.  If we, as an international community, have a conversation about the powers the government has claimed and what legal limitations there should be around them, maybe we can come up with something more sane than we currently have.  In the meantime, the press is having fun playing “Where’s Snowden now?”

Here are a few of the stories I have had time to grab and read.

Now off to more packing and a garage sale.


Jun 15 2013

Rage against the Machine III

I am out of time for blogging and heading out for a long trip across an ocean and a continent, so I’m just going to post a number of links here without commentary.  I’m hopeful the change we’ve seen in a number of lawmakers and the general attitude of the public continues to grow and that we see real, long term change.  I may be overly optimistic, but it’s better than succumbing to the malaise.

That’s enough righteous indignation for now.  I’m sure there’ll be a whole new set of information and stories that come out while I’m traveling, so expect to see more when I get back home.


Jun 08 2013

Rage against the machine!

Published by under Government,Privacy,Risk

If you follow me on Twitter (@mckeay) you’ll already know this:  I’m pissed!  We long suspected intellectually that the US government had stepped over the line in their monitoring, but between learning that Verizon was willingly giving the NSA ‘metadata’ about every phone call on their network and about the PRISM program, where all the major Internet companies are likely sending the Feds information on every packet we send, it is reasonable to think that we have moved beyond the pale.  What I once thought were paranoid delusions may have been demonstrated to be more innocent than the reality that’s being laid out before us.  Is it really getting that bad in the United States?  But I’ll save my ranting for Twitter and simply use this post to add stories about governmental spying, one after another.  I’ll also be putting up stories about why this affects us as security professionals and why I believe things are going to get much worse before they get better.

  • Edward Snowden:  The whistleblower behind the NSA surveillance revelations – (Added 15:45, 9 June 13)  You need to watch this video and understand the nature of the person who turned over information about NSA spying on the American people. Many will call him a traitor, but I think he’s the hero America needed right now.
  • The Global Cyber Game – Recently published by the Defence Academy of the United Kingdom, this is the most thought provoking paper I’ve read in a long time.  It’s long, it’s complex, but it may change the way you view ‘cyber’ and the current situation.  Make sure you get to the sections talking about ‘N-Dystopia’, because I think that’s where we’re headed.
  • The DNI’s Non-Denial of Mass Surveillance of Security – If you don’t know who Jennifer Granick is, get out of security.  She was one of the major lawyers at the EFF for years and has done more than most of us will ever know to defend our rights.  This article breaks down the legal basis for the current spying scandal.
  • Demand Progress – I’m not sure how much this will really help, but there has to be a way to push on our Congress critters and make them stop this spying.  This might not be the answer, but it’s one way to apply pressure.
  • What We Don’t Know About Spying on Citizens:  Scarier Than What We Know – Love him or hate him, Bruce Schneier is one of the most publicly visible members of the security community in the world.  And he’s a smart guy.  His point is that it’s what the government is still hiding that’s even more important than what we’ve learned so far.  He also calls for more whistleblowers, more people to expose the programs within the government that are like cancerous sores eating away at our liberties (my words, not his.)
  • Cowards – Michael Arrington is one of my least favorite people in Silicon Valley, and that’s from personal experience, not merely reading about him.  But I have to agree with him in calling the CEOs of all the companies accused of being part of PRISM cowards.  He’s absolutely right, they are weak and cowardly in not standing up to the federal government.  If even one of these CEOs would come clean, we might be able to have an honest conversation about what’s wrong with wholesale spying and what might be an acceptable alternative.
  • Ex-Microsoft Engineer:  PRISM is Highly Improbable for these Four Reasons – I offer this up as a counterpoint to the other articles about spying.  But I also want you to read between the lines and try to see what this engineer isn’t denying and why this denial is full of logical fallacies.
  • What if China Hacks the NSA’s Massive Data Trove – (Added 9:55, 8 June 13) Think about that for a little while.  When you gather massive amounts of data, they become massive targets for some of the best hackers in the world, both state sponsored and otherwise.  Even if you trust our own government with this data, do you really think they can keep it safe forever?
  • The spy who came in for your soul – (Added 10:31, 8 June 13) A good OpEd piece about why we need whistle-blowers and why journalists should be pushing so hard on the issues of governmental spying.
  • NSA’s Verizon surveillance: How the White House tramples our Constitution – (Added 04:10, 9 June 13) Ron Paul points out that President Obama is doing many things that Senator Obama would never have stood for.  What was the tipping point for Obama?  I hope that pressure from the American people helps pass his bills propping up a 4th Amendment that is currently on its deathbed.
  • US surveillance revelations deepen European fears – (Added 04:15, 9 June 13) Part of my job is explaining how and why the government can’t surveil the traffic of EU citizens.  It’s going to take some real thinking and soul searching before I can have that conversation again.  The German data commissioner is right to call this monitoring ‘monstrous’.  We’ve spent so much time condemning the exact same practices in other states, how can we accept them in our own?
  • Spy Agency seeks criminal probe into leaks – (Added 04:35, 9 June 13) The current administration has done more to find and punish whistle-blowers than any in modern history.  Explaining why it’s appropriate to monitor all communications is secondary to the administration when compared to finding out where the leak came from.
  • The Difference Between Wiretapping from Bush and Obama – (Added 06:00, 9 June 13) I disagree, rather vocally, with Daniel’s portrayal of the issues around the wiretapping, starting with the fact that he makes this a Bush vs. Obama issue and not a civil liberties issue.  Daniel and I have gone a couple of rounds about this on Twitter and hopefully we’ll find some time to get together for beer and talk it over.  I think he’s dead wrong on almost every issue and he thinks I’m overly emotional and relying too much on the media.  We probably both have some valid points.
  • U.S., company officials: Internet surveillance does not indiscriminately mine data – (Added 06:00, 9 June 13) Pay special attention to the details about how the NSA mines the data.  Basically, they send a request to the FBI, who mines the data for them.  Why aren’t we talking about the access the FBI has more?
  • June 6, 2013:  The Day America Found Big Brother in Big Data – (Added 08:45, 9 June 13) This will be a day that goes down in history, one way or the other.  I have to back Judy Westby in calling for an Independent Council, though I’m not sure even that would be enough at this point in time.
  • “This Week” Transcript:  Sen. Dianne Feinstein and Rep. Mike Rogers – (Added 08:45, 9 June 13) I guess it’s not much better for me to be screaming at my monitors than at my TV.  Sen. Feinstein has known what’s been going on since the beginning and she’s okay with it.  By itself, that’s a red flag to me.
  • Congress on the FISA Order and Data Mining Stories – (Added 08:45, 9 June 13) This is a great post for keeping up on what individual representatives have had to say on the NSA spying story.  Look for your own Congress-people on the list.
  • Government Says Secret Court Opinion on Law Underlying PRISM Needs to Stay Secret – (Added 04:55, 10 June 13) I have a hard time understanding (or at least agreeing) that any program that is already known to the general public has to be so secret you can’t even discuss the laws that let you put them in place.  This sounds like the excuse of a totalitarian government, not something that should be happening in a free, open, democratic society.
  • What’s the Matter with Metadata? – (Added 05:05, 10 June 13) It’s important to understand the danger of “just the metadata”.  It’s a bit hyperbolic to say that you can learn more from the metadata than you can from actually listening to the phone call, but only a little.
  • NSA is wrong, not evil – (Added 05:15, 10 June 13) On more than one occasion, Robert and I have had to ask each other “Are you mad at me?”.  We have very different views on reality, but we’re both willing to argue and change those views when provided with enough evidence.  In this case, Robert has something that most of us have never had and hopefully never will – direct experience with the NSA.  I agree with Robert that the majority of the people in the NSA are not evil, but they may be misguided.  However, I think there are some people who actually are evil inside the NSA, and those are the ones we need to guard against.
  • Code name ‘Verax’: Snowden, in exchanges with Post reporter, made clear he knew the risks – (Added 05:30, 10 June 13) He knew exactly what he was doing and what the price will be.  He’ll be living a life in exile from the US forever and looking over his shoulder as long as he lives.
  • 29-Year Old NSA Whistleblower Makes Mindblowing Claims About What Kind of Power He Had – (Added 05:30, 10 June 13) If you’ve ever been a system administrator on a poorly constructed network or system, you shouldn’t be at all surprised by Snowden’s claims of access.  It’s not unusual to have access to everything in a modern enterprise, so why should the NSA be that much different?
  • Government Secrets and the Need for Whistleblowers – (Added 05:40, 10 June 13) He’s Bruce Schneier, so just go read.
  • Edward Snowden:  saving us from the United Stasi of America – (Added 13:50, 10 June 13) I’m not sure if I agree with Daniel Ellsberg’s evaluation that this is the most important leak in American history, but it’s definitely the most important in my adult life.  Yes, the things Bradley Manning exposed were horrendous, but they didn’t affect the entire population of the United States.  I do like the hyperbole of comparing the NSA to the German Secret Police.
  • NSA’s PRISM:  Balancing Security, Privacy – (Added 14:00, 10 June 13)  While this article gives a decent amount of background to the NSA spying story, it really fails to build up anything on the balance between security and privacy.  If you’re going to have a headline like that, at least try to explore your main topics.
  • This is, hands down, the scariest part of the NSA revelations – (Added 14:10, 10 June 13) Shane Harris is talking about the phone record metadata, which he finds much scarier than PRISM.  And I think that’s correct; the metadata has none of the controls and protections around it that PRISM does, as minimal as those might be.  I can almost tell more about you from the metadata about your calls than if I listened to a few of them directly.
  • Privacy isn’t about having something to hide – (Added 14:10, 10 June 13) No one’s a saint.  They don’t exist in the modern age, where everything you do can be tracked and there’s no hiding even the smallest detail.  It doesn’t mean you’re a sinner, but we’ve all made mistakes.
  • NSA’s phone snooping is a different kind of creepy – (Added 14:30, 10 June 13) The point of this article is that we carry miniature tracking devices in our pockets called ‘smart phones’.  Every moment of every day, we’re leaving a digital trail and it’s only going to get worse as time goes by.  He’s right, but we have a choice to change the laws on how that data is used, if we have the will.
  • Edward Snowden is no hero – (Added 15:00, 10 June 13) I’m including this for more counterpoint.  If you trust your government and believe that the checks and balances that are in place are sufficient, then you’ll agree with this article.  I don’t though.  Calling the FISA court a check on the power is false, it’s more of a rubber stamp than anything.  And simply because something is legal, it’s not necessarily right.
  • Facts and fiction, secrets and sci-fi: Breaking down the NSA – (Added 15:05, 10 June 13) Cringely gives a decent summation of many of the issues around the spying in a fairly even handed way.  But he doesn’t add too much to the discussion.
  • where “nothing to hide” fails as logic – (Added 06:15, 11 June 13) This post does a pretty good job of explaining that everyone does things on a daily basis that can be accidentally or purposefully misinterpreted to paint a person as guilty or evil.  If you’ve ever had an audit, you understand the “guilty until proven innocent” mentality that many people in positions of power employ to find people they think are ‘bad’.
  • State Dept. dismisses allegation of “endemic” misconduct – (Added 06:20, 11 June 13) I include this story not because it’s directly linked to the NSA spying story, but because it highlights why allowing the NSA to have so much power over the American people is a really bad idea.  There are people who will abuse power in ways big and small in every organization, and the more power exists, the greater the temptation to use it will be.  We’ve seen too many governmental agencies give in to this temptation in recent years, from the Secret Service to the IRS to the State Department.  No organization is immune to temptation.
  • Connecting the PRISM Dots: My new theory – (Added 06:40, 11 June 13) This is one of the better efforts to tie together everything about PRISM and NSA metadata collection that I’ve seen.  Arrington is a lawyer by trade himself, so he’s more than familiar with the weasel words that lawyers use and how to read between the lines.
  • Why the NSA PRISM Program Could Kill U.S. Tech Companies – (Added 06:50, 11 June 13) This is a very specific concern for me; how do I explain to companies in Europe that their data is safe with us despite the fact the NSA could produce a National Security Letter at any time?  The next year is going to be very interesting, as I move to London.
  • 86 Civil Liberties Groups and Internet Companies Demand an End to NSA Spying – (Added 07:00, 11 June 13) I’m a long time supporter of the EFF and I have never been as thankful for them as I am right now.  I hope they are successful in waking up Congress and the Judicial branch, but I have to assume they’ll be stonewalled in the same way they have been for years.

There will be more to come, some I’ll add to this page, some I’ll post separately.  I don’t want people to blindly follow my ranting any more than I want them to blindly believe the government’s lies about the spying going on.  Use your own judgement and learn everything you can.  And if you’re someone who’s brave enough to be a whistle-blower, I have nothing but the utmost respect for you.  We need more.


Feb 19 2013

This week’s ‘must read’: Mandiant APT report

Published by under Government,Hacking,Malware,Risk

If you haven’t already read it, your homework for this week is the Mandiant APT1 Report.  Don’t read someone else’s interpretation until you’ve read the report yourself.  Don’t read the analysis of reporters and consider it good.  Read the entire report yourself and draw your own conclusions, then read what other people have to say.  But in any case, read it.
