Tempes Fugit's Techdirt Comments

Latest Comments (686)

  • Hosting Companies Threaten To Leave France Over (Yet Another) Surveillance Law. But Where Could They Go?

    Tempes Fugit ( profile ), 21 Apr, 2015 @ 02:32am

    Surveillance == back doors and security holes

    Once these black boxes are in place, it can only be a matter of time before the copyright industry starts pushing to use them to detect copyright infringement.

    Bad as that is, it's not the worst part. The presence of those boxes on a provider's network means that it's already compromised AND equipped with data exfiltration capabilities. This lowers the bar for attackers considerably, since now all they have to do is compromise those boxes -- at which point they can leverage them against the provider, its customers and its users.

  • If Virginia Elections Weren't Hacked, It's Only Because No One Tried

    Tempes Fugit ( profile ), 17 Apr, 2015 @ 05:59am

    Re: Someone may want to "steal" an election?

    Bruce Schneier wrote a cost analysis of this over a decade ago. The numbers have changed, of course, but it's still just as incisive as it was when published: Stealing An Election.

  • If Virginia Elections Weren't Hacked, It's Only Because No One Tried

    Tempes Fugit ( profile ), 17 Apr, 2015 @ 05:31am

    Re: Voter IDs

    Troll quality: A, with extra credit for pulling it off so effectively so early in the day.

  • Wall Street Journal Suggests Snowden Gave China Its 'Great Cannon' Software… Based On Pure Random Speculation

    Tempes Fugit ( profile ), 17 Apr, 2015 @ 10:15am

    Once again, we must remember what Mike Royko said

"No self-respecting fish would want to be wrapped in a Murdoch paper."

    True in 1984. Still true now. Everyone with the slightest trace of intelligence and awareness knows that the WSJ functions only as Murdoch's propaganda mouthpiece: its editors and writers are his flunkies and his toadies, ready to bow down before him and lie, lie, lie on his command.

  • If Virginia Elections Weren't Hacked, It's Only Because No One Tried

    Tempes Fugit ( profile ), 17 Apr, 2015 @ 05:23am

    These are features, not bugs

    They just happen to be features designed and implemented for a certain select group of people:

    "Those who cast the votes decide nothing. Those who count the votes decide everything."

  • Netflix Moving To Encrypted Streams, As Mozilla Moves To Deprecate Unencrypted Web Pages As Insecure

    Tempes Fugit ( profile ), 16 Apr, 2015 @ 05:53am

    Re: Re: Re: Re:

    I certainly agree with everything you said here. However: there are more important things -- at the moment -- than https.

    For example (1) having functional role addresses and paying attention to them is one of the best security tactics available. After all, if the entire rest of the Internet is willing to provide you with free consulting, why would you turn it down?

    For example (2) following BCP 38.

    For example (3) setting up your web server on as secure an OS as possible with as minimal a software footprint as possible with as feature-poor a web server as possible.

Those things are easier to do and don't require understanding of https/certificates/etc. I'm not saying that they're the whole list -- of course they're not. And I'm not saying that https shouldn't be on the list: for a lot of sites, it should. But I think it's important to start with fundamentals and work up to more sophisticated measures.

  • Netflix Moving To Encrypted Streams, As Mozilla Moves To Deprecate Unencrypted Web Pages As Insecure

    Tempes Fugit ( profile ), 16 Apr, 2015 @ 05:37am

    Re: Re: Re: Development

    Pointless tinkering on the workbench or in the lab is indeed a wonderful thing.

    But when it's applied to UI design of production software and inflicted on hundreds of millions of people, it's not. Mozilla's developers have only succeeded in making the UI far less useful than it was and in penalizing competent users. Meanwhile, serious security and performance bugs remain unaddressed -- have you looked lately? (where "lately" could be any time in the past several years)

  • Netflix Moving To Encrypted Streams, As Mozilla Moves To Deprecate Unencrypted Web Pages As Insecure

    Tempes Fugit ( profile ), 16 Apr, 2015 @ 04:30am

    Re: Re: Re: Development

    No, it's not. Try again.

  • Netflix Moving To Encrypted Streams, As Mozilla Moves To Deprecate Unencrypted Web Pages As Insecure

    Tempes Fugit ( profile ), 16 Apr, 2015 @ 02:40am

    Re: Development

    I'm strongly of the opinion that protocol layers should be independent.

    Yes. They should. That's arguably one of the reasons why the Internet's protocol layers are what they are and not something else. It is a serious architectural error to introduce dependencies between them -- or between network data transport protocols and content.

    It's also a dubious idea to push for even more reliance on the CA model when (nearly) every day new research results show that it's coming apart at the seams.

    There are far more pressing things for Mozilla to work on than this. The functionality of add-ons like AdBlock Edge, NoScript, BetterPrivacy, Disconnect, etc. all need to be in the browser -- because those address some of the most significant threats. Reliance on Adobe Flash needs to be phased out. Ports to other architectures need to be prioritized. (One of the best ways to find bugs in your code, security and otherwise, is to get it running on another CPU/operating system.)

    And geez, PLEASE stop the endless, pointless, silly tinkering with the UI - which was perfectly fine 25 revisions ago.

  • Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack

    Tempes Fugit ( profile ), 14 Apr, 2015 @ 02:47am

    Yet another reason to block/blacklist/firewall advertising

    "Some of the scripts being injected in this attack are from online ad networks"

    Of course they are, since the worthless morons running those ad networks have failed, for YEARS, to make even token efforts to ensure the security and integrity of the content they're serving. (They're much too busy spying and invading privacy.) As a result, ad networks are knives held to the throats of Internet users and should be blocked, blacklisted and firewalled whenever and wherever possible.

  • Baltimore Cops Asked Creators Of 'The Wire' To Keep Cellphone Surveillance Vulnerabilities A Secret

    Tempes Fugit ( profile ), 13 Apr, 2015 @ 01:50pm

    Probably not the first time

    But the inherent ridiculousness of asking a fictional television show to withhold dramatic elements just because they may have hewed too closely to reality can't be ignored.

    "Three Days of the Condor" examined this topic many years ago. It probably wasn't speculation then. It's certainly not speculation now.

  • Two And A Half Years Later, Verizon Finally Lets People Opt Out Of Its Stealth Zombie Cookie

    Tempes Fugit ( profile ), 06 Apr, 2015 @ 02:36pm

    The Principle of Opt-Out

    If it's opt-out, it's abusive.

    Nobody in the history of ever has needed to deceptively force people to do something that they really wanted to do; that's reserved exclusively for things that nobody wants. Whether it's telemarketing or spyware or spam or anything else doesn't matter: the principle holds.

    Prediction: in eight months, Verizon will quietly reset all the opt-out preferences to "no". Fifteen months later when that's discovered, they'll deny it. Four months after that they'll call it a "glitch". Seven months after that they'll say that the opt-out "expired". A year after that they'll make everybody do this song-and-dance again. And why not? It's not like their executives will be prosecuted and tossed in federal prison for this: if anything, they'll get bonuses.

  • Following Canada's Bad Example, Now UK Wants To Muzzle Scientists And Their Inconvenient Truths

    Tempes Fugit ( profile ), 01 Apr, 2015 @ 04:11am

    Re:

    True. It's a pity we live on a planet with inferior primates so miserably stupid and so horribly uneducated that they think creationism is real and human-driven global warming isn't. It gives me a headache just trying to think down to their level.

  • Spyware-For-Business Company Thinks Concerns About 'Medical Bills' Are Indicators Of An 'Insider Threat'

    Tempes Fugit ( profile ), 30 Mar, 2015 @ 04:54am

    Email content scanning doesn't work

    We've learned that -- painfully -- over 20+ years of trying to detect spam, phishing, and malware.

    If you haven't been working in these areas, let me summarize: the code which attempts to do this requires daily updates in order to have a decent chance of yielding results with acceptable FP (false positive) and FN (false negative) rates. And even with all that constant, meticulous attention to detail, it still fails miserably all day, every day. It really is a horrible mess.

    The reason is simple: it's an attempt to "enumerate badness", which is aptly described by Marcus Ranum in The Six Dumbest Ideas in Computer Security as Dumb Idea #2. Stroz's software isn't exempt from this problem -- but given their marketing pitch, which is geared toward naive customers who only care about FN rates and not FP, they'll probably just ignore it.

  • Officials Upset Tech Companies Reluctant To Play Along With Administration's 'Information Sharing' Charade

    Tempes Fugit ( profile ), 13 Mar, 2015 @ 01:03pm

    Security clearances are bullshit

    I could use this space to discuss the very high correlation between people holding security clearances and people caught conducting espionage, but let me skip that and instead point to an object lesson: David Petraeus.

    Here's someone who held all kinds of security clearances, including whatever ultra top double-secret useless nonsense that four-star generals and CIA directors hold.

    Here's someone who was vetted for those clearances via every form of investigation known to the USG.

    Here's someone who handed over classified documents because he wanted to get laid.

And yet the USG still has a massive bureaucracy (some of which has been outsourced to contractors with security problems of their own) devoted to this farcical charade.

    There is zero reason for anybody in the tech world to submit themselves to this stupidity. It's not like the CIA and the NSA are going to share their knowledge: this is going to be a one-way pipeline into the USG and every scrap of knowledge it acquires will be used to make the world less secure, not more, because the USG has made it quite clear that it doesn't give a damn about anybody's security except its own.

  • Verizon Latest To Balk At Weather Channel Rate Hikes For 'Weather Coverage' That's 70% Fluff And Nonsense

    Tempes Fugit ( profile ), 12 Mar, 2015 @ 10:18am

    A brief analogy

    Weather Channel:weather::MTV:music

  • Hillary Clinton Finally Answers Questions About Her Email… And It Only Raises More Questions

    Tempes Fugit ( profile ), 11 Mar, 2015 @ 06:08am

    In re running email servers securely

    Experts have already pointed to basic holes in the email server’s security based on public data, and as any systems administrator will tell you, running your own email server is never simple.

    No, it's not. But even if they'd fixed the problem with transport layer security pointed out by Mayer, there would be many more issues to deal with.

    The threat model for a mail server and a mail client used by the Secretary of State of the United States is very different than the threat model appropriate for nearly all other mail servers/clients. I've run a lot of them, but if I were tasked with this, I'd call in Ranum, Bellovin, Kaminsky, and a heck of a lot of other people for design advice before even thinking about more mundane issues like operating system, MTA, and so on.

    It also speaks volumes that the Secretary chose personal convenience (i.e., not carrying two phones) over data security. Who else in government has made the same choice?

  • Indian Film Industry To Punish Pirates Paying Customers With 3-Month Film Release Boycott

    Tempes Fugit ( profile ), 10 Mar, 2015 @ 10:24am

    Every crisis provides an opportunity

    This will provide a three-month period during which all the movies that would have been released can be replaced with copies of India's Daughter.

  • Why Online Attacks By Nations Are Problematic: Enemies Can Learn From Your Digital Weapons, Then Turn Improved Versions Against You

    Tempes Fugit ( profile ), 06 Mar, 2015 @ 02:48am

    Consider the Internet of Things

    Or as I think it's more properly called, The Internet of Bots (because nobody hyping this has even made a cursory attempt to consider the massive security and privacy implications). Deployment has already started, and any adversary worthy of the title is busy figuring out how to exploit the surveillance and sabotage capabilities it promises.

  • There Is No Way That Hillary Clinton Didn't Know She Was Supposed To Use A Government Email Account

    Tempes Fugit ( profile ), 03 Mar, 2015 @ 11:04am

    Let me see if I have this straight

    The Secretary of State of the United States of America used a personal email account for official government business for four years and during all that time, everyone in possession of that fact (which would necessarily include everyone she corresponded with) refrained from raising hell?

    Didn't any of them grasp that this necessarily meant that their messages were also traversing whichever service was hosting her account? And that they were thereby trusting that service's system and network admins? (Even if the messages were encrypted, which I doubt, the mail system logs would yield useful data for traffic analysis.)

    From an opsec standpoint (forget the records retention issue for a moment) this is insane.
