More encryption = more safety

Mozilla, Akamai, Cisco, the EFF, and Identrust are teaming up for Let’s Encrypt, an effort to make SSL encryption free and easy.

This is important, because it means mundane stuff will get encrypted. When SSL/TLS traffic is no longer flagged as special, security will increase. Read more

USB malware: What you need to know

Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!

Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet. Read more

Linux is unrelated to extremism

The NSA’s spying on Linux Journal readers is precisely what’s wrong with NSA spying. Why? It paints with an overly broad brush.

Eric Raymond’s views on many things are on the fringes of what’s considered mainstream, but he’s not the kind of person who blows up buildings to try to get his point across.

And here’s the other problem. Does Eric Raymond even represent the typical Linux Journal reader? Odds are a sizable percentage of Linux Journal readers are system administrators making $50,000-ish a year, or aspiring system administrators who want to make $50,000-ish a year, who see knowing Linux as a means to that end.

It’s no different from targeting Popular Mechanics readers because someone could use information it publishes in ways you don’t agree with. Read more

Why last week’s “news” of the NSA’s quantum computer project doesn’t bother me

Last week, another Snowden leak surfaced that stated that the NSA is working on a quantum computer capable of breaking all known current encryption, trivially.

I didn’t find this shocking. Read more

Cutting through the fluff around the Target PIN breach

OK, so Target is back in the news, and it’s nowhere near as bad this time, but there’s some posturing and some fluff in the news, so I’ll take it upon myself to demystify some of it. Some of it’s PR fluff, and some of it’s highly technical, so I’ll cut through it.

I’m just glad–I guess–to be talking about this stuff outside of a job interview. Like I said, this time the news isn’t nearly as bad as it could be. Read more

The NSA’s disaster aversion by keeping BIOSes safe for the free world

This weekend, CBS ran a story about how the NSA foiled a sinister plot to brick millions of PCs and cause a financial meltdown. At least they didn’t say MELTDOWN.

My opinion is that this is a puff piece. A source managed to scare a journalist with a threat that sounded credible enough, and make something routine sound big and threatening. Read more

Hacker chasing, circa 1987

Hacker chasing, circa 1987

I’m catching up on reading. Next on my reading list is The Cuckoo’s Egg (Amazon link), Clifford Stoll’s memoir of chasing down a computer hacker in the late 1980s. In it, he describes a very different world, ruled by mainframes and minicomputers, where Unix was something special, IBM still made PCs but desktop PCs and Macintoshes only received occasional mention, and academia and the military owned the Internet, almost literally. And, oh, by the way, the Cold War was still raging.

The remarkable thing about this book is that it’s an approachable spy thriller, written in 1989, that explains computer security to an audience that had never seen or heard of the Internet. You don’t have to be a security professional to appreciate it, though it’s a classic in the computer security world–many people read it in the late 1980s and early 1990s and decided to get into the field. Read more

Young people aren’t interested in information security? I think it depends on your definitions.

I saw an assertion on Slashdot today that Millennials aren’t interested in information security, in spite of the average salary in the field being six figures. I’m not sure I agree with the article’s assertion that 24% of those polled being interested translates into disinterest, though. How many of them are interested in other white-collar professions, like medicine or accounting or law?

I also disagree with the article’s definition of information security. The article asserts that information security is working for “The Man,” namely, the government, and information security isn’t just for governments anymore. Read more

Bad news about smartphones, but maybe not all bad

When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.

Via a text message you’ll never see, it’s possible to break the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others (repeating wimpy 56-bit crypto with the same key three times doesn’t make it any less wimpy), then send the card a malicious Java applet that busts out of the security on the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things like listen in on phone calls and intercept text messages.

Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them. Read more

Don’t be too impressed with Snowden’s “ethical hacking training”

I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.

For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.

Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.

I also know about this training that Snowden put on his resume. Read more