Off the top of my head (and I apologize to anybody that I should have remembered but didn't) these are the people that Congress should have in the room before they even dream of writing legislation that touches the Internet: Jacob Appelbaum, Steve Bellovin, Danah Boyd, Bill Cheswick, Ben Edelman, Dave Farber, Ed Felten, Richard Forno, Dan Gillmor, Alex Halderman, Dan Kaminsky, Valdis Kletnieks, Susan Landau, Chris Lewis, Peter Neumann, Marcus Ranum, Bruce Schneier, Chris Soghoian, Gene Spafford, Lauren Weinstein.
No amendment or collection of amendments can fix this, any more than any set of modifications could turn a 1974 Ford Pinto into a Formula 1 race car. The problem is that the entire philosophy behind the bill is wrong. (Okay, that's not the only problem, but it's the fundamental one.)
And the philosophy is wrong because the authors didn't bother to talk to any of us who've actually been doing this stuff for a long time. They didn't bother to learn. They didn't bother to hear about things that work and things that we're pretty sure are never going to work. They didn't talk to Ranum and Bellovin and Spafford and Cheswick and Schneier and Felten and Halderman and Weinstein and Neumann and Edelman and Crocker and Lewis and Forno and and and...
If they had, and if they'd listened, then maybe they'd realize that the entire approach they've taken is not only ill-advised and fraught with extremely serious privacy issues, but its most likely outcome is to make things much worse.
But as it stands, they're meddling in things that they don't understand, at the behest of the OMG!OMG!CYBERWAR cheerleaders and with the backing of all the ersatz security companies ready to sell horribly overpriced snake-oil. This won't end well.
Speaking of botnets: we're about a decade into that issue now. We know lots of stuff about them:
- Any estimate under 100M should be laughed out of the room. 200M is plausible. 300M is possible. (Vint Cerf posited 250M five years ago. I think his estimate was high at the time...but it's not high now.)
- They're overwhelmingly, as in well over 99%, running Windows (which we know thanks to passive OS fingerprinting). More recently: MacOS.
- They're everywhere: consumer ISPs, corporations, universities, governments, non-profits, desktops, laptops, portable devices, servers.
- Command/control mechanisms for organizing botnets are getting increasingly sophisticated. They're using various techniques to resist detection and destruction.
- Individual botnets routinely include millions of members and we know some have passed the 10-million mark. Probabilities being what they are, we probably haven't seen the largest botnet.
- They're used for everything: sending spam, DDoS attacks, harvesting email addresses, phishing/spear-phishing, hosting illegal websites, providing DNS for abuser domains...too many things to list here.
- They're for rent. (Of course they are: supply and demand.)
- Every now and then some combination of companies and governments announces that they've busted one, usually with a big press release and a lot of self-congratulation about how this represents progress. It's meaningless. All those systems are still compromised. All those systems are still vulnerable to the same issue that got them compromised. All those systems are now just waiting for the next botmaster to sweep them up...a process which likely started before the triumphant press conference did.
- Anti-virus/anti-malware/anti-whatever aren't much help. (To borrow a line from Marcus Ranum: if they were ever going to work, they would have worked by now.) This is in part because they never were very effective, and in part because botmasters can commission custom malware that will evade the anti-whatever software, and because social engineering/trojan techniques work beautifully.
- Given the sophistication of contemporary botnet operations, it's reasonable to think that we don't see all their members -- that is, that some portion is being held in reserve. It's also possible that one reason we don't see more than we do is that nobody actually needs that much CPU/memory/disk/bandwidth for anything.
This is pretty much the largest (in terms of scale) problem in contemporary security. It's not going to be fixed by legislation, CISPA or otherwise. There already is legislation that covers it, and has been since before botnets existed. I leave it as an exercise to the reader to evaluate how effective that approach has been.
Richard Clarke is one of the primary cheerleaders for the concept of "cyberwar" (which does not exist), a "digital Pearl Harbor" (which is breathless hype), and anything/everything else that will funnel money to his pals in the business of billing the government hundreds of millions of dollars for incompetently dealing with a non-existent threat. He's a shill for the greedy pigs at the trough (like Bit9) and that's all he is.
...(although I hate that term) I think I should take a moment to point out the #1 threat to just about every computing operation anywhere on the planet.
Its own users.
I've said for years that competent system/network administrators should presume that their users are (variously) stupid, lazy, careless, insane, or actively hostile -- and plan accordingly. (And if the users turn out to be none of these things? Oh happy day. Celebrate with scotch. But go back to presuming this tomorrow.)
Users will reply to spam and download trojans. They will infiltrate malware and exfiltrate data. They will pick extremely poor passwords, re-use them elsewhere and write them down. They will give out sensitive information to the nice man on the phone who says he's from IT. They will bring in their home laptop (the one that hasn't been updated in two years and that the kids use all the time) and plug it into the corporate finance network. They will click on every shiny thing they see. They will send critical email messages to the wrong address (because, surprisingly, not all domains end in .com) and assert that their boilerplate disclaimer complete with unenforceable adhesion makes it all better. They will pass around USB sticks that have thoughtfully been preloaded with keystroke loggers. They will mistakenly send a 4,000-page document to the printer. They will leave that DVD on the airplane and lose their laptop in the hotel. They will use IE despite being furnished with Firefox, Chromium, and Opera. They will forward chain mail fake virus warnings "just in case".
And so on.
If you've been following the history of major network intrusions and serious data loss incidents for the past few decades, you know that nearly all of them have been caused by someone inside the operation involved. Sometimes it's a system or network admin: we screw up too. But if you're betting to win, bet on the users: they seriously outnumber us.
You can't just drop in a product or service like the ones that Bit9 is flogging and address this. It doesn't work that way. You have to design with this in mind, from the first cocktail napkin to the whiteboard to the formal layout. If you try to retrofit it, you guarantee failure.
Nor can you address this with legislation. Doesn't matter who writes it or what's in it, it's all worthless.
Good security doesn't come from products with colorful marketing brochures or from legislation dictated to congresscritters by whoever dropped the most cash into their coffers. Good security comes from smart, paranoid, ruthless, cynical people with an eye for detail and a grasp of The Big Picture. Oh, it's not perfect: we make mistakes all the time. But it's the best we've got.
I'd suggest listening to Lance on this one: I think it's safe to say that he has some minor expertise in this area. ;-)
This idea of storing every email and every communication is great for hackers.
I've been pointing this out for years.
There are two ways to get your hands on private data:
1. Steal it.
2. Wait for someone else to steal it, and then steal it from them.
Now, of course, governments will tell you that (2) isn't possible where they're concerned.
They are lying.
...someone stood up at one of their press conferences and asked Rogers or Ruppersberger to describe, at a basic level, a DNS cache poisoning attack.
So if I'm a hacker, all I have to do is hack 1 system to get all the information I need instead of hacking 30?
Exactly what I pointed out in the TechDirt piece here.
For that matter, you don't even necessarily have to hack a system. You could:
1. Wait for its operators to screw up and make the information visible on the public Internet.
2. Wait for them to lose it (more likely in the case of laptops, of course).
3. Wait for them to decommission it, forget to wipe its disks, and auction it off. Or toss it in a dumpster.
4. Bribe someone who has access to it.
5. Wait for someone else to do 1-4, and then either buy or steal it from them.
The problem, once again, is that the inexperienced and short-sighted people backing efforts like this mistakenly believe they're building weapons (against terrorists, for example).
They're not. They're building targets.
...and it's still not the most important or interesting component of the Internet. Not that it doesn't show great promise -- it most certainly does, and some marvelous things have been done with it already. But contrary to the perception of many newbies (who often believe that web == Internet, that it's always been there, and that it always will be) it's just another experiment in a long line of experiments. It remains to be seen whether it can establish itself as something of lasting value.
My guess is (a) that it will but (b) it won't look much like the web of today. There are massive improvements required in semantics, privacy, and security -- many of which are either in the architecture or design stages already. There's also, unfortunately, the possibility that it will be legislated and litigated into oblivion by utterly clueless politicians and rapaciously greedy patent trolls, monopolists, obsolete businesses, and "cyberwarfareomghackerssecurity" companies.
I don't agree. Closed-source software is inherently unethical, insecure and intellectually dishonest. But that's a much longer and different debate than the one over open formats.
(Let me pause to note that the entire Internet is built on open standards, open protocols, open formats, and open source. Those are key factors as to why it's the most successful computing project ever by an enormous margin.)
...then it's not YOUR data.
(By "open" I mean "free", in case that's not clear.)
I concur. And I'll add that as a 30-year Sun customer, with a long preference for their products among all the competing commercial vendors, I've concluded that I'm probably not going to buy anything from Oracle. Ever.
So not only has Oracle quite effectively destroyed goodwill toward itself among the open source community, it's also managed to alienate (at least) one of the most loyal customers it could possibly ever hope to have.
1. It will make the Internet less secure. Much less secure.
2. It will lead directly to mass compromises of personal information.
3. The combination of 1 and 2 will enable/empower spammers, phishers, carders, stalkers, and other nasties in ways that they've hoped for in their wildest dreams.
4. It will be used as a pretense for increased governmental involvement in IT security -- never mind that governments, at all levels, are hopelessly incompetent when it comes to security. (Read any GAO report. It's so bad that it's laughable.)
5. It will be used to place the appearance of security far above the reality of security. (It already has, in fact.)
6. It will cost a fortune. (And that money won't just evaporate: it'll go into the already-bulging pockets of contractors, the pigs at the trough -- places like Stratfor, eager to take tens of millions of dollars for producing sophomoric drivel.)
Once the technology is available, many people will start creating and uploading such things, just as many already create blogs, or post high-quality pictures to Flickr. Nobody predicted any of these things would happen, because it seemed unlikely that "ordinary" people would write hundreds of articles a year, or share thousands of photos.
The folks that invented Usenet, and those of us who ran Usenet sites during its formative years, not only predicted that such things would happen, we knew they would happen and we made them happen. Both of those were going on 20 years before blogs or Flickr -- they just weren't going on in a highly-visible way, because there were a lot fewer people online. And while there have certainly been profound improvements in the underlying technology (from transport all the way up to UI), the basic principles remain the same: write, create, post, share, feedback.
I suppose it's never occurred to you that the only reason those lawsuits don't happen is that it would result in mutually assured destruction?
There is a tacit "gentleman's agreement" among them that they won't turn each others' businesses into smoking craters for just that reason. But as we've all seen, and continue to see today, there's no such agreement with independent labels, musicians, blogs, web sites, etc. -- which is why the RIAA and the major labels attempt to crush them whenever they have the chance.
The assholes at the RIAA and the major labels don't give a damn about music; they only care about the money. We KNOW this because we've watched them, for decades, peddle absolute crap not because it had any musical value, but because it was lucrative. Meanwhile, significant artists who actually had something valuable to contribute to our culture were marginalized, underpromoted, dropped, ripped off and ignored.
(Have you ever talked to someone at a major label? As in one of the executives? Their ignorance is breathtaking -- oh, they know all about contracts and waivers and profit/loss statements, of course they do -- but they couldn't recognize a fugue or explain why Blonde on Blonde matters so much or talk about the influence of bebop if their lives depended on it.)
I certainly agree with the observation that there are thematic similarities, but disagree with the statement that they aren't musically similar as well. (Granted, "Badlands" doesn't have the descending progression that "Don't Let Me Be Misunderstood" uses in the first two verses. But...did you notice that the introductory bars to "Badlands" have nearly the exact same chord progression as the verses to the Velvet Underground's "Sweet Jane", and in nearly the same rhythm?)
Every competent musician knows that the best writing and composition comes after you've studied as much of your predecessors' work as you possibly can. Springsteen listened to those bands, he listened to Dylan, he listened to Guthrie, he listened to Leadbelly -- and because he listened well and learned, he has created music worthy of standing beside theirs.
Only the assholes at the RIAA and the musically ignorant (but I repeat myself) think that this happens in a vacuum. EVERYONE that we think of as a brilliant musician, from Beethoven to Ray Charles, has borrowed and reused as much as they could get their hands on.
Match my $100, going to the Lester Chambers fund at Sweet Relief.
"This will make it possible to identify which IP address to publish a given post at a particular time," writes PST in a letter also signed by the acting chief Roger Berg.
A. No, it won't.
B. Even if it did, it won't reliably identify which computer was at that address.
C. Even if it did, it won't reliably identify which person was sitting at that computer.
D. Even if it did, it won't reliably identify who's responsible for that post.
It continues to boggle my mind (although by now it probably shouldn't) that legislators, politicians, judges, lawyers, pundits, and even some IT people are not FULLY aware of the bot/zombie epidemic, of its scope, and of the direct impact of that on issues just like this one. We're now (roughly) a decade into it; there are thousands of articles, blog posts and research papers about it; it's the single largest security problem (by size) on the Internet; and yet these idiots are either (a) blissfully unaware of it or (b) pretending it doesn't exist.
There are days that I think I should just skip the coffee and go straight to scotch.