Educational CyberPlayGround ®

SECURITY

We now know that
states have superseded hackers
as the internet's apex predator!

Definition of Security -
"The Person In Charge Of Being The House Illusionist"

Walt Mossberg's common-sense writings define our era. Walt's first column, Personal Technology, began in the Wall Street Journal on October 17th, 1991. His first sentence: “Personal computers are just too hard to use, and it's not your fault.” His last column, "The Disappearing Computer," appeared in the Verge, May 25, 2015.

';--have i been pwned?
check if you have an account that has been compromised in a data breach.

Home computers connected to the internet aren't private - court ruling 7/1/2016
The usual pattern of using horrible defendants to create horrible precedents. Not only does this ruling continue to chip away at personal privacy, it seems to also establish a precedent that computer security will always be ineffectual.
A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers. The June 23 ruling came in one of the many cases resulting from the FBI's infiltration of PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation, and the subsequent prosecution of hundreds of individuals. To identify suspects, the FBI took control of PlayPen for two weeks and used what it calls a "network investigative technique," or NIT, a program that runs on a visitor's computer and identifies their Internet address.

Why a staggering number of Americans have stopped using the Internet the way they used to (WP, 2016/05/13): The insecurity of the Web is beginning to have consequences that stretch beyond the direct fallout of an individual losing personal data in a breach. The research suggests some consumers are reaching a tipping point where they feel they can no longer trust using the Internet for everyday activities.

"Like all rights and privileges, security is about power. Who gets it, who doles it out and what interests it protects. If the internet revolution can successfully liberate people from traditional power structures -- totalitarianism, bias, poverty -- like we've hoped, that'll be awesome. But at this inflection point, there are signs that surveillance, censorship and entrenched powers may successfully co-opt the internet. It's up to us." ~ Jennifer Gannick Director of civil liberties at the Stanford Center for Internet and Society
Black Hat 2015 keynote, The Lifecycle of A Revolution

The mere act of creating any backdoor to these systems weakens them enormously and catastrophically. The fact that politicians and law enforcement continue to try to bend physics, math, and computer science to their wills -- irrespective of the realities -- should come as no surprise. Any attempt to backdoor strong encryption systems will by definition make them immensely vulnerable not only to abuse by authorities, but also to outside hacking -- including by sophisticated terrorist groups! -- that would put all honest users at immense risk as ever more of our financial and other aspects of our personal lives are online. Ultimately it's mostly a game of political cover, of politicians being willing to massively weaken the security and privacy of us all to ensure themselves an excuse to spout at the press when bad things happen. ~ Lauren

Good rule: If a tech company gives you a product for free, YOU likely *are* the product.

A flaw in the design

 

“We didn't focus on how you could wreck this system intentionally,” said Vinton G. Cerf.

Yet 1988's attack by the “Morris Worm,” named for Robert T. Morris, the Cornell University graduate student who created it, was a wake-up call for the Internet's architects, who had done their original work in an era before smartphones, before cybercafes, before even the widespread adoption of the personal computer. The attack sparked both rage that a member of their community would harm the Internet and alarm that the network was so vulnerable to misdeeds by an insider. But the realization came too late. The Internet's founding generation was no longer in charge. Nobody really was.
Source: washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/

Marcus Ranum: If you are not depressed by security, you probably just don't understand it well enough.

2016 6 DDoS attack delivered by botnet of hijacked IoT devices is the total nightmare. Securing the internet of things should become a major priority now that an army of compromised devices - perhaps 1 million strong - has swamped one of the industry's top distributed denial-of-service protection services. A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources.
It seems this is just the beginning - and most people feel it is going to get worse. What will happen when another 10 billion plus IoT devices come online in the coming years, connected to gigabit connections at home? See Mutually Agreed Norms for Routing Security.

US military uses 8-inch floppy disks to coordinate nuclear force operations - Security by Obscurity
There probably aren't any bad guys left who would know how to hack into them.

 

I ACCEPTED THE RISK

It's inappropriate to call hackers "wizards" because it completely denies the hard work and study involved. To call their craft magical is to call it deeply incomprehensible, something which defies logic. This metaphor distracts people from the nuts-and-bolts reality: anyone can hack systems, including you -- all it takes is patience and an inquisitive mind. This is knowledge that people want to suppress. -- Phaedrus

2015 If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router. This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool. A highly sophisticated form of malicious software called SYNful Knock has been implanted in routers made by Cisco, the world's top supplier, and is reported to have been found in 14 routers across four different countries.

2015 The Government Accountability Office has been tracking EINSTEIN's implementation since about 2010 and will later this year issue an update on the status of the state of federal security systems, and all is not well. But those people were told all about it in 1998.

In 1998 L0pht's warnings about the Internet drew notice but little action
Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world. The making of a vulnerable Internet: This story is the third of a multi-part project on the Internet's inherent vulnerabilities and why they may never be fixed.
Part 1: The story of how the Internet became so vulnerable
Part 2: The long life of a 'quick fix'
Your computers, they told the panel of senators in May 1998, are not safe: not the software, not the hardware, not the networks that link them together. The companies that build these things don't care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it. “If you're looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.
17 years later the world is still paying the price in rampant insecurity. The testimony from L0pht, as the hacker group called itself, was among the most audacious of a rising chorus of warnings delivered in the 1990s ! ! !

Who Cares 'I've got nothing to hide'

#Snowden's response to the 'I've got nothing to hide' #privacy argument is excellent!

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

Apple patents technology enabling police to prevent iPhones from filming police abuse
The technology exists, it will also be used by authorities who don't want police violence and abuse of power documented by members of the public.

PRIVACY

The word "privacy" is generally used as a euphemism for power. Knowing this, you can safely substitute the word "power" for "privacy" nearly everywhere it appears.

SECURITY OF PASSWORDS

ENTER PASSWORD. WRONG.
WRONG.
WRONG.
WRONG.
WRONG.
WRONG.
RESET PASSWORD.
NEW PASSWORD CAN'T BE OLD PASSWORD.
sets fire to computer

Don't encrypt passwords

 

The current state of password-based security on the Internet today, as illustrated by Chico and Groucho Marx in "Horse Feathers" (1932):

 

08/20/2015 @_IMPACT_TEAM_ "NOBODY WAS WATCHING. NO SECURITY."
Avid Life Media's CEO Noel Biderman. #AshleyMadison #Password List: 376120 passwords To open the Ashley Madison Passwords list you will need to provide the following password: cyberwarzone.com
A fun exercise for researchers! It's just a list of passwords, no user names / email addresses. Most of these are very weak passwords. Hard to believe this is the real file. According to reports there were millions of accounts stolen, but this file contains only about 376,000. There are also very few duplicates: only a few are repeated 2 or at most 3 times, all numeric. One password was actually "ashleymadison". This file is a very clear example of the lack of concern for privacy. There were 8551 passwords with "123" in the password. Other popular words: "love" (3133 times), "ass" (2620 times), "sex" (2356 times).
The Impact Team reveals that not only did the Ashley Madison portal have no security measures in place, the admins were stupid enough to use a simple pass phrase for their servers' root: "Motherboard: What was their security like? The Impact Team: Bad. [...] Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers." This allowed the hackers to gain full control over all the servers, internal and external, letting them quietly download customer data, private conversations, user photos, credit card details, financial records, the site's source code, documentation, and internal emails exchanged by Avid Life Media, the company that ran the Ashley Madison site. Ashley Madison admins used Pass1234 as their password.
Asked what their motivation for the hack was, The Impact Team explained, "We watched Ashley Madison signups growing and human trafficking on the sites." This places the group in the category of hacktivists and not blackmailers, and their future hacking plans reveal that they are interested in righting some of the society's wrongs: "Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians."

Oh so now 15,000 government emails revealed in the Ashley Madison leak, and NOW (8/24/15) a federal appeals court says the FTC has the authority to crack down on companies for having bad computer security.

When Must Lawyers Ethically Encrypt Data? Texas Answers

WHAT CAN GO WRONG?

The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair. -- Douglas Adams

THERE IS NO SUCH THING AS SECURITY
Any asset can be compromised.

RULE #1

Every big hack discovered will eventually prove to be more serious than first believed.

2015 A Hack That Undermines All Software

Stealing and corrupting legitimate certificates is particularly galling to the security community because it undermines one of the crucial means for authenticating legitimate software. Digital certificates are like passports that software makers use to sign and authenticate their code. They signal to browsers and computer operating systems that software can be trusted. But when attackers use them to sign their malware, “the whole point of digital certificates becomes moot,” says Costin Raiu, director of Kaspersky's Global Research and Analysis Team. In all three attacks (Stuxnet, Duqu 1.0 and Duqu 2.0) the attackers employed digital certificates from companies based in Taiwan. Seems attackers have a stockpile of stolen certs. They also had zero-day exploits for the Windows operating system that allowed the intruders to bypass the Windows requirement that all drivers be signed. So they didn't need to sign anything else, because they had administrative access and relied on [zero-day exploits] to load the code into kernel mode! But if any of the [zero-day] vulnerabilities get patched and all the computers are rebooted and the malware is evicted from the network, they still have the signed driver, which is almost invisible and will allow them to come back to the infected networks.

On June 23, 2009 the company Foolad Technic was the first victim. This version of Stuxnet contained 2 0days that caused it to spread globally, leading to its discovery. Stuxnet is the first ever known Cyber Weapon. It changed the world.
VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.


2015 Ooops just a little late and it's so STUPID!:
As top FBI officials are arguing that the tech industry needs to “prevent encryption,” the federal government's CIO, Tony Scott, has officially announced that all federal government websites will only be available via encrypted HTTPS connections by the end of next year. The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services.

6/12/15 Cyberbreach of federal records dramatically worse than first acknowledged.
Hackers linked to China have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances. The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies, applicants' financial histories and investment records, children's and relatives' names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant are required.

Wickr-Top Secret Messenger - Escape the Internet

There is a strange intransigence with some who reject improved security with the line: “but we're not criminals! Why do we need this?” Well, the only answer I have is that OPSEC is prophylactic, you might not need it now, but when you do, you can't activate it retroactively. As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn't work retroactively. ~ grugq

 

Humans are the weakest link in the security ecosystem and yet many corporations fail to recognize that.
Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.

 

 

This Animated MAP Shows Who's Hacking Who In Real Time
Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

8/13/14 Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously
Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat. Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted. Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s, which in theory would have shot down any incoming nuclear missiles. In the same way, MonsterMind could identify a distributed denial of service attack lobbed against US banking systems or a malicious worm sent to cripple airline and railway systems and stop (that is, defuse or kill) it before it did any harm. More than this, though, Snowden suggests MonsterMind could one day be designed to return fire (automatically, without human intervention) against the attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks.

 

Cybersecurity as Realpolitik by Dan Geer presented at Black Hat USA 2014
Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.
Surveillance "... Ever Cheaper Surveillance substantially changes the balance of power in favor of the executive and away from the legislature. Things that need no appropriation exist outside the system of checks and balances."

George Carlin said, "they're not Constitutional 'rights' they're 'privileges' that can be revoked at any time."

With a sign of the pen, official 'reality' and 'truth' are redefined. Pentagon May Put JSOC Under Secretive CIA Control in 2014: Special Ops under CIA control would be considered spies, allowing the White House to claim US troops have been withdrawn. CIA control means they become spies with no accountability and transparency, since activities and funding would become classified and journalists or other forms of oversight would not be welcomed. Joint Special Operations Command (JSOC) forces are around the world, where U.S. military interventions occur mostly in the shadows. JSOC forces “reportedly conduct highly sensitive combat and supporting operations against terrorists on a world-wide basis.” Without the knowledge of the American public. This new Pentagon power elite is waging a global war whose size and scope has never been revealed. 2012
http://news.antiwar.com/2012/03/03/pentagon-may-put-jsoc-under-secretive-cia-control-in-2014/

Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.

7/10/13 Perfect Forward Secrecy: A creepy PRISM thought, a defense against it. Episode 412 SSL Forward Secrecy

 

"It is the first responsibility of every citizen to question
authority." -- Benjamin Franklin

US 'Blackmails' EU Into Agreeing To Hand Over Passenger Data
from the You-have-no-more-fundamental-rights dept.

Reading the bit about the Reagan document: you couldn't help but think of how much of it, like some controversial religious texts, can be disavowed as "heresy" since their contents can undermine the self-perceived legitimacy and self-claimed purpose in the world. ~Rick Forno

The Purpose of National Security Policy, Declassified [Oct. 17th, 2012]
http://www.fas.org/blog/secrecy/2012/10/nsdd_238.html
The most fundamental purpose of national security policy is not to keep the nation safe from physical attack but to defend the constitutional order. At least, that is what President Reagan wrote in a Top Secret 1986 directive.
“The primary objective of U.S. foreign and security policy is to protect the integrity of our democratic institutions and promote a peaceful global environment in which they can thrive,” President Reagan wrote in National Security Decision Directive 238 on “Basic National Security Strategy,” which was partially declassified in 2005. In a list of national security objectives, the directive does note the imperative “to protect the United States… from military, paramilitary, or terrorist attack.” But that is not the primary objective, according to the Reagan directive. Defense of the Constitution evidently takes precedence.
The first purpose of national security policy is “to preserve the political identity, framework and institutions of the United States as embodied in the Declaration of Independence and the Constitution,” President Reagan wrote. This is a remarkable statement, for several reasons. First, it recognizes that the political identity and institutions of the United States are not simply a given, but that they are vulnerable to many types of threats and must be actively defended and sustained. This task is not normally assigned the urgency or the priority given to “national security.”
Second, the directive distinguishes between constitutional governance and physical security. Not every measure intended to promote security is constitutional. And not every act in defense of democratic self-governance is likely to promote public safety. (The American Revolution was not calculated to increase “homeland security.” Quite the opposite.) Sometimes a choice between the two is required. President Reagan indicated what he thought the choice should be. And third, the directive is remarkable because its rhetoric was so imperfectly realized by the Reagan Administration (and egregiously defied in the Iran-Contra Affair) and has been largely abandoned by its successors.
“Defending our Nation against its enemies is the first and fundamental commitment of the Federal Government,” wrote President George W. Bush in his 2002 National Security Strategy, skipping over President Reagan's “primary” objective. Likewise, “As President, I have often said that I have no greater responsibility than protecting the American people,” President Obama wrote in his National Strategy for Counterterrorism. The Reagan directive invites reflection on what U.S. national security policy would look like if it were truly structured above all “to protect the integrity of our democratic institutions.”
In a section of the directive that was only classified Confidential, President Reagan contrasted the U.S. with the Soviet Union, which was described as its polar opposite. “Our way of life, founded upon the dignity and worth of the individual, depends on a stable and pluralistic world order within which freedom and democratic institutions can thrive. Yet, the greatest threat to the Soviet system, in which the State controls the destiny of the individual, is the concept of freedom itself.” “The survival of the Soviet system depends to a significant extent upon the persistent and exaggerated representation of foreign threats, through which it seeks to justify both the subjugation of its own people and the expansion of Soviet military capabilities well beyond those required for self-defense,” President Reagan wrote.
Numerous Presidential directives from the Reagan Administration have been declassified in recent years and have been released by the Reagan Library, though others still remain partially or completely classified. Many of the declassified directives provide a fascinating account that enlarges and enriches the public record of events of the time. Only last year, for example, a 1985 directive (NSDD-172) on “Presenting the Strategic Defense Initiative” was finally declassified. This year, NSDD 159 on “Covert Action Policy Approval and Coordination Procedures” (1985) was declassified. NSDD 207 on “The National Program for Combatting Terrorism” (1986) was declassified in 2008. Among other things, that directive ordered the Attorney General to “Review the Freedom of Information Act (FOIA) and determine whether terrorist movements or organizations are abusing its provisions.”

NSA SURVEILLANCE

 


Snooping by Big Business has a mundane objective: to sell you more stuff. Big Brother snooping is about judging you. And there's the rub. With Moore's Law Big Brother is getting better and better at judging you, your character, your ideas, your connections, your trustworthiness (esp. with Manning and Snowden). Everything about what makes you human can be measured, quantified, and judged.
There's another difference: Big Business isn't much interested in what you did, said, or wrote, a year ago, two years, ten years ago, it throws away much of that data. Big Brother keeps it all. What it can't use today, because the files are strongly encrypted, or distributed across many databases, it knows it can use tomorrow. Tomorrow's computer systems will be able to decrypt those files, tomorrow's computer systems will be able to analyze and cross-link data in a myriad of databases, they'll be able to know more about you in ways that are impractical today. Historical data grows in usefulness to Big Brother because it makes possible a more accurate digital simulacrum of you. With every doubling in computer performance, the simulation of you grows closer and closer to the real you. The computer models get better at predicting what you will or won't do. Big Brother gets better at predicting intent. The horror of George Orwell's 1984 was the government's ability to uncover and punish "thoughtcrimes." Tomorrow's Big Brother will have the means to predict thoughtcrimes before they become actual crimes. They are designed to discover intent. To be judged on the privacy of your thoughts is bad enough, to be judged on your future thoughts and the crimes that they will likely lead to, is far worse. And that's the difference between Google and the NSA: Big Business is purely interested in your wallet. Big Brother is interested in the purity of your soul. ~ Tom Foremski

 

John Gilmore, Entrepreneur and Civil Libertarian: In the U.S., the prison population is the largest of any country on earth. We also lock up a larger fraction of our population than any country on earth.

elliott.org says: Airlines are federally regulated, and these are the regulators. If you can cite the rule being violated, DOT's airline cops can ask the airline about the case, and if the carrier acted improperly, they can either penalize it or pressure it into compensating you.
Office of Aviation Enforcement and Proceedings
Aviation Consumer Protection Division
1200 New Jersey Ave, SE
Washington DC 20590
Phone: (202) 366-2220
TTY / Assistive Device Number: (202) 366-0511
8:30am-5:00pm ET, M-F


 

$1B of TSA Nude Body Scanners Made Worthless How Anyone Can Get Anything Past The Scanners

 
2012 The Supreme Court ruled by a 5-to-4 vote that officials may strip-search people arrested for any offense, however minor, before admitting them to jails even if the officials have no reason to suspect the presence of contraband.

THE 5TH AMENDMENT

Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be "compelled in any criminal case to be a witness against himself," which has become known as the right to avoid self-incrimination. "I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well. The Department of Justice is relying on the All Writs Act, which dates back to 1789. It doesn't seem intended to address this situation.
Dubois: It wasn't intended to address this. It was basically: If the judge orders someone to transfer title of property, he can also order whatever else is necessary to make that happen. It was pretty clearly necessary to allow judges to enter orders they've always been able to enter anyway. It wasn't designed to expand the judge's power or the government's power. This is the place where technology has bumbled right on ahead of the law, as it always does.
http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/

THE 4TH AMENDMENT

Beginners Eyes: Digital Birds: Nothing is what it seems. The Illusions of Security: The Known and Unknown Rules, becoming part of the borg. The Masters, The Humplings, and The Dregs but so what! You never get the truth from the company Memo ~ Timothy Leary.

 


The Tallinn Manual on International Law lays down rules for online attacks.
http://www.ccdcoe.org/249.html
Curated by NATO's Cooperative Cyber Defense Center of Excellence, it calls upon two dozen experts from around the world to help lay the groundwork for cyberwar guidelines as computer grids, networks and systems increasingly become the target of foreign agents. Michael Schmitt, a professor with the US Naval War College and the editor of the manual, told the Associated Press before publication that the guidelines come at a time when few laws formally exist governing the use of so-called cyberweapons. Just like bombs and missiles, hackers and state-sponsored parties can use malicious code to wipe out entire databases, break down machinery and otherwise render entire infrastructures useless.

Cyber protection forces -- will comprise more than 60 Cyber Teams. National mission forces will employ 13 teams focused on securing U.S. private networks powering critical infrastructure such as transportation systems and other vital industries. Gen. Keith Alexander, head of Cyber Command, said the combat mission forces will include 27 teams and would “support the combatant commands in their planning process for offensive cyber capabilities.”

The U.S. National Security Act defines "covert" as government activities aimed at influencing conditions abroad "where it is intended that the role of the United States Government will not be apparent or acknowledged publicly." USAID hires subcontractors but denies that contractors perform covert work. "All too often, the outside perception is that these USAID people are intelligence officers," said Philip Giraldi, an ex-CIA officer. "That makes it bad for USAID, it makes it bad for the CIA and for any other intelligence agency who like to fly underneath the radar." Citing security concerns, U.S. agencies have refused to provide operational details even to congressional committees overseeing the programs. The State Department, which oversees USAID which has long relied on visitors willing to carry in prohibited material, such as books and shortwave radios, U.S. officials briefed on the programs say. And USAID officials have acknowledged in congressional briefings that they have used contractors to bring in software to send encrypted messages over the Internet, according to participants in the briefings. [ see discreet sim card ]

ARE YOU Cranky, SKANKY AND INFECTED??
A map of global malware distribution in March 2012
SPYWARE REMOVAL DIRECTIONS

EMAIL VIRUS & HOAX INFO

ARTICLES
How to Find your COOKIES - FILTERING - SCHOOLS - NEWS - PLAGIARISM - The First WORM

COPYRIGHT / COPYLEFT | CHILDREN'S PRIVACY RIGHTS

Security TOOLS - secure your code

security TECHnology TRENDS

#1! - Learn about Badware so you won't download it.

September 11th
World Trade Center

SECURITY CRISIS
CURRICULUM RESOURCES

CENSORSHIP
HISTORY
BOOKS

SECURITY PEOPLE

SECURITY COMPANIES

LISTS, RESOURCES, ROBOTS, TROUBLE FINDERS
ABOUT THAT WORD "TRUSTED" CREDIT CARD FRAUD
Learn about "URIICA"
Union for Representative International Internet Cooperation and Analysis

Hurricanes - How prepared are people and systems for severe weather? What historians have too rarely emphasized is how interconnected all of our systems have become. We called it the "supersystem." The "teachable moment" has become a ubiquitous cliche, like holding a teach-in / discussion in a classroom - but in the middle of a disaster zone it's useful.
What is the role of cost-benefit analysis in engineering? How much money should we spend to ensure that the New York subway will not be flooded again? We will have to rethink our infrastructure. Sea water may have corroded the electrical substation, but if we are to replace those parts, we will need to use other systems, like roadways or rail lines, which were down for some time after the storm. In New York, where fuel is running short because of Hurricane Sandy, there is a refinery full of gasoline, but it requires electricity to pump it out. The mind boggles. Hold on, you have fuel right there, and it didn't occur to you that you should perhaps build a generator on site? Interdependency, not fail-safe redundancy, is the norm. It was a map produced by Google that stood out as the most comprehensive display of the data available about the storm and its recovery. The maps were built by Google's Crisis Response Team which is a project of , Google's philanthropic arm. The map is embeddable; Google wants news organizations to use it.


How to Delete Yourself from the Internet

Espionage: Nearly every secret worth stealing sits on a computer server. U.S. intelligence agencies fear that Chinese spies have already siphoned terabytes of data from thousands of Western companies.

ENCRYPT EVERYTHING

Operation Encrypt Everything (OpE^2) was started in 2012 by members of the Pirate Party of Canada to counteract the increasing threat of total communications surveillance by governments and private industry. It is intended to bring together information about protecting your data and privacy online, and making easily-understood instructions available to our digital comrades.

Dead Drops Uncloud your files in cement.

mailvelope.com Application that provides [Open]PGP for Webmail

 

dr. strangelove

IN A DISASTER
Command and Control Communications always breaks down;
"Hello? Hello, Dimitri?
Listen, I can't hear too well, do you suppose you could turn the music down just a little? Oh, that's much better. Yes. Fine, I can hear you now, Dimitri. Clear and plain and coming through fine. I'm coming through fine too, eh? Good, then. Well then as you say we're both coming through fine." ~ Dr. Strangelove

 

The real goal of Cyber War is the theft of national secrets, intellectual property from corporate R&D labs, corporate M&A deal documents, government policy, plans, negotiating terms and the ultimate concession of our nation's competitiveness to other countries. The year 2011 will be remembered as the year that the fundamental underpinnings of Internet security fell. Military Networks 'Not Defensible,' Says General Who Defends Them. It is cyber espionage and theft akin to the spy vs. spy efforts of the Cold War, but on a massive and pervasive scale. Easily forgotten are spectacular breaches across every major industrial sector this year, including "Operation Shady RAT", which was disclosed by McAfee in August. This disclosure identified over 70 companies in 6 different sectors targeted in a single campaign. Similarly, the “Nitro” campaign, disclosed by Symantec, targeted chemical companies and industrial manufacturing concerns. Secure Sockets Layer (SSL), Certificate Authorities, and two-factor authentication were all compromised. SSL, long considered the bastion of online secure protocols, was broken by a couple of researchers with a prototype called BEAST. The SSL protocol is today the most widely used Web-based protocol for securing online transactions, including banking and e-commerce. Certificate Authorities (CAs) have been the subject of repeated compromise this year, mainly for the purpose of forging legitimate certificates subsequently used in attacks on both SSL sessions and also software authentication.
http://www.forbes.com/sites/ciocentral/2011/11/18/cyber-spies-are-winning-time-to-reinvent-online-security/

Dr. Strangelove Video Clips

Depending on the Breaks
One of the best scenes in movie/comedy history. Peter Sellers plays 2 roles in this scene and George C. Scott is brilliant as Buck Turgidson. The back and forth dialogue is true genius. Dr. Strangelove or How I Learned to Stop Worrying and Love the Bomb (c) Stanley Kubrick


Turgidson: Ahh, am I to understand the Russian Ambassador is to be admitted entrance to the War Room?
Muffley: That is correct. He is here on my orders.
Turgidson: I... I don't know exactly how to put this, sir, but are you aware of what a serious breach of security that would be? I mean... [begins closing his notebooks] he'll see everything. He'll See The Big Board!
Muffley: That is precisely the idea, General.
Stains, get Premier Kissov on the Hotline.

  • US hypocrisy in China cyberwar says Mr Ranum, chief security officer of Tenable Network Security Expert.
  • Defcon's Jeff Moss on cybersecurity, government's role by Elinor Mills
    As a hacker and organizer of Defcon, an event at which computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June. But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.
  • 2012 Study Confirms The Government Produces The Buggiest Software
  • Hacking the Human Brain: The Next Domain of Warfare 12.11.12
    It's been fashionable in military circles to talk about cyberspace as a “fifth domain” for warfare, along with land, space, air and sea. But there's a sixth and arguably more important warfighting domain emerging: the human brain. This new battlespace is not just about influencing hearts and minds with people seeking information. It's about involuntarily penetrating, shaping, and coercing the mind in the ultimate realization of Clausewitz's definition of war: compelling an adversary to submit to one's will. And the most powerful tool in this war is brain-computer interface (BCI) technologies, which connect the human brain to devices. Chloe Diggins and Clint Arizmendi are research & analysis officers at the Australian army's Land Warfare Studies Centre. The views expressed are their own and do not reflect those of the Australian Department of Defence or the Australian Government.
    wired.com/opinion/2012/12/the-next-warfare-domain-is-your-brain

2015 Pentagon Moves More Communications Gear into Cheyenne Mountain Largely abandoned a decade ago, the iconic Cold War bunker is getting an upgrade. Since 2013, the Pentagon has awarded contracts worth more than $850 million for work related to Cheyenne Mountain. The Colorado complex is the embodiment of the Cold War, an era when bunkers were built far and wide to protect people and infrastructure. Cheyenne Mountain was the mother of these fallout shelters, a command center buried deep to withstand a Soviet nuclear bombardment. The complex was locked down during the Sept. 11, 2001, attacks on New York and Washington.

2015 A New Material Promises NSA-Proof Wallpaper A Utah company has a new nickel-carbon material that could help the Pentagon fight off some of its most haunting threats. A small company called Conductive Composites (357 West 910 South, Heber City, UT 84032; 435.654.3683) has developed a flexible material — thin and tough enough for wallpaper or woven fabric — that can keep electronic emissions in and electromagnetic pulses out.

2013 Shodan: The scariest search engine on the Internet Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. What's really noteworthy about Shodan's ability to find all of this -- and what makes Shodan so scary -- is that very few of those devices have any kind of security built into them.
http://money.cnn.com/2013/04/08/technology/security/shodan/

2013 "Annualcreditreport.com" A website that provides U.S. consumers with a free annual credit report appears to have been the source used by hackers to download credit reports, including SSNs, phone, address, everything.

Secure Computers Are Not Secure. The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab's Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them. Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.” Clouds - By spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they'd identified the target site's servers, they could use cache monitoring to try to steal secrets. Any information at all about a computer's internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”

The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit

The Smart Card Detective: a hand-held EMV interceptor by Omar Choudary
Abstract: Several vulnerabilities have been found in the EMV system (also known as Chip and PIN). Saar Drimer and Steven Murdoch have successfully implemented a relay attack against EMV using a fake terminal. Recently the same authors have found a method to successfully complete PIN transactions without actually entering the correct PIN.

Stop Bad Ware

Technology Quotes


"Whenever you have a secret, you have a vulnerability." ~ Whitfield Diffie

"We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect Us." ~ Anonymous

"Mrs. Robinson: We'd like to know a little bit about you for our files, we'd like to help you learn to help yourself" ~ Paul Simon 1968

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin 1759

"Security is mostly a superstition. It does not exist in nature."
~ Helen Keller

"There are no secrets in the world. The only hard part is finding the right person to ask," "If you have a phone, you can find out anything you want in under 60 minutes. With the Internet, it's even faster." -- Tom Clancy

No Such Thing as Nuclear Secrecy ~ KE http://nuclearsecrecy.com/nukemap/
run by Alex Wellerstein, an historian of science at the American Institute of Physics.

"Why do hackers use social engineering? It's easier than exploiting a technology vulnerability. You can't go and download a Windows update for stupidity... or gullibility." -- Kevin Mitnick

PRIVACY

Cnet Hacker Chart

Freedom Box gets off the ground
While providing "safe social networking" is one of the aims of the Freedom Box, it is only part of the picture. The project wants to protect users' data as well as their communications, including internet traffic, email, and voice. Beyond that, Freedom Box is specifically targeted at routing around ISPs' restrictions on the types of traffic they will carry, as well as attempts by governments to do similar traffic restrictions. In short, the goals of the Freedom Box live up to Moglen's original vision, as spelled out in his February 2010 talk at the New York branch of the Internet Society, as well as those outlined in a more recent talk at FOSDEM 2011: it is geared towards restoring users' freedoms.
Those freedoms are best guarded by keeping our data safe within the walls of our homes, because there are typically more legal protections there than there are when storing data on some company's servers. We have already seen that companies will often bow to governmental pressure in ways that would be more difficult to orchestrate when the data is spread out across the net. To that end, Freedom Box also plans to provide ways to securely back up encrypted data on friends' and neighbors' servers. In addition, it will provide ways for those under repressive regimes to anonymously publish information, such that those regimes will find it difficult to stop or track down the publishers. If the FreedomBox is going to handle all of these kinds of things, obviously the security of the device itself is paramount, but it is also targeted at protecting other systems in the home that live "behind" the Freedom Box. Eben strongly recommended reading the Top Secret America articles published by the Washington Post. It is eye-opening to see just how many Google-like operations there are, all under the control of the government.

Privacy of Consumer Information and Devices in the Electric Power Industry Executive Overview PDF October 2009
The Energy Independence and Security Act of 2007 mandated that NIST report to Congress on cyber security for the electricity grid. NIST established a Smart Grid Cyber Security Coordination Task Group and is issuing position papers. Privacy is an important adjunct to security and uses some of the same data tools. However, privacy goes beyond data tools and confidentiality. How personal information is collected, used, shared, stored, retained, and disposed of all impact privacy. Stringent and effective security can be in place and still result in egregious privacy breaches that fall outside of security controls. The Smart Grid Cyber Security Coordination Task Group sought input about home-to-grid issues from Home-to-Grid Domain Expert Working Group members and was consulted in the development of this paper on privacy.

Trusting cell phones to work in many emergency situations can be dangerous or fatal.

Social Engineering

People are trusting of other people, especially if there is a request for help. One of the biggest things that worked was asking "Can you please help me with this?" Asking people for help, the human vulnerability, has not changed. There is an inherent desire for people to help other people. There are trends of a positive nature, but they still get exploited.
Now people use social media to such an extent that their whole lives are on the Web. Sites like Blippy, which people can tie into their Twitter and Facebook accounts, in essence tweet every time you use a credit card or bank account, along with what you've purchased and the amount. So you can go to these sites, find someone on Twitter, link them to a Blippy account and to Facebook and now you have their pictures, what they like to buy, what restaurants they go to, when they leave the house, when they work. And within an hour you can have a very detailed profile of a company or an individual based on the amount of social media they use.

Q. How many security engineers would it take to design a system for ATM security today?
A. I don't think it could be done.
We would be debating biometric-enabled smartcards, assurance, protection profiles, denial of service, non-repudiation, viruses and buffer-overflow attacks till we were blue in the face. There is no way that such a system with "good enough" security could be designed and built today on the basis of conventional security wisdom. ~ Peter Gutmann

In 1985, the federal government published the first set of computer security criteria that computer professionals could understand and integrate into systems.
"A trusted computer system must provide authorized personnel with the ability to audit any action that can potentially cause access to, generation of, or effect the release of classified or sensitive information. The audit data will be selectively acquired based on the auditing needs of a particular installation and/or application. However, there must be sufficient granularity in the audit data to support tracing the auditable events to a specific individual (or process) who has taken the actions or on whose behalf the actions were taken."

WAIT! I thought YOU were in charge of security!!!
The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking.
The General Services Administration has shut a Web site for government contractors after a computer industry consultant reported that he was able to view and modify corporate and financial information submitted by vendors.

OK GO "The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who performs tests for corporations....
In filing an electronic application to become a government contractor, Mr. Greenspan was forced to repeat the process several times. After doing so, he noticed that the file's identifying number had been changed to a number one digit higher. 1/2006 QUOTE

"Good-Enough Security: Toward a Pragmatic Business-Driven Discipline", Ravi Sandhu, IEEE Internet Computing, Vol.5, No.3 (January/February 2003), p.66. The author offers three design principles for good-enough security:

1. Good enough is good enough.
2. Good enough always beats perfect.
3. The really hard part is determining what is good enough.

What Happened to Major Kong?

yahoooooooooo

 

The Dark Side Of Crime Fighting, Security and Professional Intelligence

 

Speaker: Andrew Gavin Consultant, Verizon Business DEFCON 19: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP http://www.youtube.com/watch?v=Xv8kbjziCds
Got domain admin to a couple of thousand Windows systems? Got an hour to spare? Steal sensitive data from all of these systems simultaneously in under an hour with OpenDLP. OpenDLP is an open source, agent-based, massively distributable, centrally managed data discovery program that runs as a service on Windows systems and is controlled from a centralized web application. The agent is written in C, has no .NET requirements, uses PCREs for pattern matching, reads inside ZIPs like Office 2007 and OpenOffice files, runs as a low priority service so users do not see or feel it, and securely transmits results to the centralized web application on a regular basis. The web application distributes, installs, and uninstalls agents over SMB; allows you to create reusable profiles, view results in realtime, and mark false positives; and exports results as XML.

 

SECURING THE INTERNET

"A lot of the security stuff is designed by crypto geeks [and] because of a lack of usability, people can't apply them correctly," Peter Gutmann said, adding usability is just as important as "having a bunch of crypto and let people figure it out from there". Gutmann said "the protocols were designed without usability and even if a user-friendly GUI could be put over it, it is unlikely the original developers would accept it. They would rather have 100 percent perfect software that's unusable than 99 percent perfect software that is usable. It will take 20 to 30 years to educate people about computer security, you wouldn't give your house key to someone, so why do the same with your password." [1]

A fragment from the archives, to remind us of how much we owe to people like Mina Rees, who stood up for Science in times when Security was being misused...
John von Neumann to J. Robert Oppenheimer, June 15, 1950:
I had a telephone call from Dr. Mina Rees, Chief of the Mathematical Sciences Section of ONR. She informed me of the following facts:
Dick Feynman and the mathematician, J. McShane, had been invited by the Institute for Numerical Analysis, which is a joint enterprise of the Bureau of Standards and the University of California at Los Angeles, to spend the summer months there, that is, at UCLA. The Department of Commerce, which apparently exercises a direct supervision over the Bureau of Standards' activities in such matters, did not approve of these appointments for security or loyalty reasons (I understand, however, that the appointments are purely scientific and do not involve classified matters).
After Mina Rees learned this, she caused ONR to inquire from the FBI about the causes for withholding Feynman's and McShane's clearance. The FBI did not make the relevant files available, and Mina Rees thinks that they are still in the hands of the Commerce Department. After this, she turned to Condon, who inquired of Mr. Gladier, Assistant Secretary of Commerce in charge of Administration, who informed him that the immediately available evidence on McShane and Feynman provided no basis for their clearance, so that a full investigation would have to be effected in order to appoint them. I have heard from other sources that a full investigation is undesirable, firstly, because it is very expensive, and secondly, because it may take too much time. In view of all this, Mina Rees suggested that Feynman and McShane be appointed to the ONR mathematical contract at the IAS and sent to UCLA.

CYBERWARFARE

Cyberspace covers almost everything electrical or electromechanical, from the simplest direct-current applications to the slickest, fastest space-age GPS gadgets off to things that haven't been invented. The scale of invention and development over the decades "means the further ... you go on the electromagnetic spectrum ... the energy moves faster and it's greater. ... the higher the scale of effects you can deliver." Lani Kass
The history of modern warfare has been one of adding domains in which people can fight and lose, be the controllers or the controlled, she said. For decades, the traditional domains were land and sea. In the 20th century, air and space were added, along with the recognition that if you control air and space, you can dictate to a great degree the control of land and sea.
But it has only been in the past few years that cyberspace, the realm that links the four war domains, has been recognized as an area of combat and control in its own right, she said. "We have been using the electromagnetic spectrum longer than we have been using air and space," she said, noting that the telegraph, one of the most bedrock aspects of cyberspace, was developed around the time of the Civil War.
What makes cyber different from the other realms, she said, is that it doesn't take a lot to fight in it. You don't have to build or buy expensive ships, airplanes, tanks or spacecraft. All you need is a laptop or a link to the Internet. "For the first time, perhaps ever, we are dealing with a domain where the level of investment is disproportionate to the kind of effects you can deliver," she said. [source]

FIGHT CENSORSHIP

P3P and Privacy on the Web FAQ applications of the Platform for Privacy Preferences (P3P), and in user interfaces and usability issues related to privacy enhancing software and secure systems

NET NEUTRALITY

BANNED BOOKS ONLINE openculture.com free banned books for banned books week

PODCASTING Journalists vs. Blogger War
Podcast Information and How To AudioBlog by Phone, and RSS Instructions.

DARPA

8/1/14 DARPA Tried to Build Skynet in the 1980s Matt Novak From 1983 to 1993 DARPA spent over $1 billion on a program called the Strategic Computing Initiative. The agency's goal was to push the boundaries of computers, artificial intelligence, and robotics to build something that, in hindsight, looks strikingly similar to the dystopian future of the Terminator movies. They wanted to build Skynet. Much like Ronald Reagan's Star Wars program, the idea behind Strategic Computing proved too futuristic for its time. But with the stunning advancements we're witnessing today in military AI and autonomous robots, it's worth revisiting this nearly forgotten program, and asking ourselves if we're ready for a world of hyperconnected killing machines. And perhaps a more futile question: Even if we wanted to stop it, is it too late? < big snip >

Defense Advanced Research Projects Agency (DARPA) to develop computational techniques and software tools for processing and analyzing the vast amount of mission-oriented information for Defense activities.

DARPA Seeking to Develop a "Cognitive Fingerprint"

The Pentagon's Defense Advanced Research Projects Agency, or Darpa: security articles. Darpa does for the national defense what N.I.H. does for health.

The NSA told DARPA that any attempt to introduce security mechanisms into TCP/IP's architecture would be viewed very negatively.

The DARPA Information Awareness Office (IAO) will imagine, develop, apply, integrate, demonstrate and transition information technologies, components and prototype, closed-loop, information systems that will counter asymmetric threats by achieving total information awareness useful for preemption; national security warning; and national security decision making. Is the IAO datamining Facebook?

Electronic Frontier Foundation
EFF is a respected voice for the rights of users of online technologies. We feel that the best way to protect your rights on the Net is to be fully informed and to make your opinions heard. JOHN PERRY BARLOW is cofounder of the Electronic Frontier Foundation, a former lyricist for the Grateful Dead, and a former Wyoming cattle rancher.

FBI - Freedom of Information Act

Blue Ribbon Campaign The campaign for online freedom of expression

2005
The Department of Homeland Security is monitoring interlibrary loans. Agents look for books on a "watch list". President Bush has authorized the National Security Agency to spy on as many as 500 people at any given time since 2002 in this country. The eavesdropping was apparently done without warrants. 1
President Bush acknowledged on Saturday that he had ordered the National Security Agency to conduct an electronic eavesdropping program in the United States without first obtaining warrants, and said he would continue the highly classified program because it was "a vital tool in our war against the terrorists." 2

Keep your K12 Schools Safe. Security at Schools.

"640K ought to be enough for anybody." - Idiot Bill Gates in 1981

IT'S SO SECURE I CAN'T LOG IN !