Linux is unrelated to extremism

The NSA’s spying on Linux Journal readers is precisely what’s wrong with NSA spying. Why? It paints with an overly broad brush.

Eric Raymond’s views on many things are on the fringes of what’s considered mainstream, but he’s not the kind of person who blows up buildings to try to get his point across.

And here’s the other problem. Does Eric Raymond even represent the typical Linux Journal reader? Odds are a sizable percentage of Linux Journal readers are system administrators making $50,000-ish a year, or aspiring system administrators who want to make $50,000-ish a year, who see knowing Linux as a means to that end.

It’s no different from targeting Popular Mechanics readers because someone could use information it publishes in ways you don’t agree with.

Cutting through the fluff around the Target PIN breach

OK, so Target is back in the news, and it’s nowhere near as bad this time, but there’s some posturing and some fluff in the news, so I’ll take it upon myself to demystify some of it. Some of it’s PR fluff, and some of it’s highly technical, so I’ll cut through it.

I’m just glad–I guess–to be talking about this stuff outside of a job interview. Like I said, this time the news isn’t nearly as bad as it could be.

The NSA’s disaster aversion by keeping BIOSes safe for the free world

This weekend, CBS ran a story about how the NSA foiled a sinister plot to brick millions of PCs and cause a financial meltdown. At least they didn’t say MELTDOWN.

My opinion is that this is a puff piece. A source managed to scare a journalist with a threat that sounded credible enough, and make something routine sound big and threatening.

Hacker chasing, circa 1987

I’m catching up on reading. Next on my reading list is The Cuckoo’s Egg, Clifford Stoll’s memoir of chasing down a computer hacker in the late 1980s. In it, he describes a very different world, ruled by mainframes and minicomputers, where Unix was something special, IBM still made PCs, but desktop PCs and Macintoshes only received occasional mention, and academia and the military owned the Internet, almost literally. And, oh, by the way, the Cold War was still raging.

The remarkable thing about this book is that it’s an approachable spy thriller, written in 1989, that explains computer security to an audience that had never seen or heard of the Internet. You don’t have to be a security professional to appreciate it, though it’s a classic in the computer security world–many people read it in the late 1980s and early 1990s and decided to get into the field.

Why the government (and others) still deal in floppy disks

The revelation that the Federal Government still relies on floppy disks for some of its business is making it the butt of some jokes this week. And although that will serve as confirmation for some people that the government is completely backward, there are actually multiple good explanations for it.

From a security standpoint, using floppy disks isn’t a bad idea at all.

Young people aren’t interested in information security? I think it depends on your definitions.

I saw an assertion on Slashdot today that Millennials aren’t interested in information security, in spite of the average salary in the field being six figures. I’m not sure I agree with the article’s assertion that 24% of those polled being interested translates into disinterest, though. How many of them are interested in other white-collar professions, like medicine or accounting or law?

I also disagree with the article’s definition of information security. The article asserts that information security is working for “The Man,” namely, the government, and information security isn’t just for governments anymore.

Bad news about smartphones, but maybe not all bad

When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.

Via a text message you’ll never see, it’s possible to break the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others (running wimpy 56-bit DES three times with the same key leaves it exactly as wimpy as running it once). From there, an attacker can send the card a malicious Java applet that busts out of the security on the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things like listen in on phone calls and intercept text messages.

Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them.