I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative Association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of the Zero-Knowledge talk we gave to law enforcement.
I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and Pray,” which is a new talk that I haven’t put online yet.
I’ll be attending (but not speaking at) Phreaknic in Nashville, on the 22nd and 23rd.
In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forgers, who will know not to repeat the mistakes of the CBS memos’ forger. Who knows, some amateur forgers may even figure out that if you want a document to look like it came from a 1970s Selectric typewriter, you should type it on a 1970s Selectric typewriter. The discussion, in other words, provides a kind of roadmap for would-be forgers.
On top of educating forgers, the debate, at least for those who followed it, has provided an education in document authentication. So not only are the forgers smarter, but so is the general public. That’s a very good thing.
Many security problems are built into products because the designers don’t know about a problem, or become convinced that no one else will discover it. A better educated public helps to address both these issues: Designers are more likely to know about problems, and once they know them, management is less likely to dismiss them as improbable or obscure.
Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”.
There are times I love cultural imperialism, and this is one of them. The idea that some rights are inalienable has spread around the world, and made the world a better place.
More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday.
The problems, unsurprisingly, are managerial:
The F.B.I. “has not prioritized its workload nationwide to ensure a zero backlog in the F.B.I.’s highest priority cases – counterterrorism cases and, in particular, Al Qaeda cases,” the report found.
The 9/11 Commission report found flaws with the “lead office” system that the FBI has, where the office where a case originates gets all the credit. I wonder if that plays in here?
Audio recordings that relate to Qaeda investigations are supposed to be reviewed within 12 hours of interception under F.B.I. policy. But the report found that deadline was missed in 36 percent of nearly 900 cases that the inspector general reviewed. In 50 Qaeda cases, it took at least a month for the F.B.I. to translate material.
Heads ought to be rolling at this point.
Overall, it doesn’t make much difference that the Army kicked out nine linguists for being gay. That’s less than 1% of the workforce at the FBI. But it does indicate that our national priorities remain somewhat skewed.
Maybe if we stopped insisting that security and liberty are always opposed, and started talking about how liberty and security can complement each other, we’d be doing better?
One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique is that after the largest attack on American soil since the Civil War, they fail to think big. They spend time drawing lines on org charts.
Regular readers will note that I spend a lot of time looking at airline security. The recommendations there (around page 383) are clearly weak. More ID cards will not change things. We need to consider broader changes.
For example, they could have considered the drug war. The easiest way to smuggle weapons of mass destruction into the US would be to pack them in cocaine. Perhaps changes there are in order?
I’m not the first to notice this. Elizabeth Drew wrote a long article for the New York Review of Books, and the Center for Strategic and International Studies has an analysis (PDF) worth reading. An English professor at De Anza College also caught my eye.
“Roman Catholic and Orthodox clerics have exchanged blows inside Jerusalem’s Church of the Holy Sepulchre, one of Christianity’s holiest sites,” says the BBC.
Recently, I found myself wondering why Hamlet had never gotten a proper treatment in PowerPoint. After another drink, I took it upon myself to remedy the situation.
I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.
(From Richard Bejtlich’s TaoSecurity.)
This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.
(I’m experimenting to see how MarsEdit handles extended entries.)
This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!
Firefox 1.0PR now includes code to deal with this. Here’s how it works.
Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability. Things like “Your browser will issue a warning. To use this site, click ‘please screw me.’” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.
Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.