Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[From Dave Farber's IP list] Steve Ragan, CSO Online, 26 Sep 2013 http://www.csoonline.com/article/740456/cybersecurity-should-be-seen-as-an-occupation-not-a-profession-report-says A panel from the National Academy of Sciences, commissioned by the U.S. Department of Homeland Security, says that cybersecurity should be seen as an occupation and not a profession. After being commissioned by the U.S. Department of Homeland Security, a panel from the National Academy of Sciences reported that the cybersecurity field is too young, and the technologies, threats, and actions taken to counter them change too rapidly, for professionalization to be considered. Thus, cybersecurity is an occupation and not a profession. For some organizations, making cybersecurity a profession may provide a useful degree of quality control, the report says, but at the same time, professionalization also imposes barriers, which would prevent talented workers from entering the field at a time when "demand for cybersecurity workers exceeds supply." Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification, have their disadvantages too. ... [According to *Webster's*, an occupation is the principal business of one's life. Is the world's youngest would-be "profession" somehow in the same league as the "world's oldest profession", which might also deserve to be called an occupation—and that it has occupied such a prominent place in our civilization? One more thought: we have often noted here that software engineering is not really an engineering discipline, although millions of people are occupied with it. Does that mean that software engineering also needs to be termed an occupation rather than a profession? Furthermore, if cybersecurity is really an occupation, then we need to recognize the occupational hazards—one of which seems to be that every computer user's life is unfortunately being occupied and preoccupied with the collateral damage of the lack of professionalism among computer system developers? (Let's not blame the sys admins, who have a really thankless job under the circumstances in trying to protect systems and networks that are inherently unprotectable.) PGN]
[Via Dave Farber's IP] The press has lately been recirculating stories about the dollar damages of the Snowden disclosures. The repudiation of key cryptography standards - the ones that underly our electronic currency exchanges and clearinghouses, and are present in an overwhelming number of products - may in the end cost billions of dollars of damage. Some of the press would have us believe that all of this is Snowden's fault. Better, some feel, to focus attention on the messenger and protect the perpetrator. Or even if not better, easier. It sells more papers to focus on a "David vs. Goliath" story than to examine whether Goliath was actually a Philistine. In compromising these cryptography standards, NSA's alleged goal was to read the electronic communications of terrorists, arms dealers, and other savory characters. In a world of open cryptography standards, the only way to do that was to compromise *everybody*. That includes ordinary citizens, businesses, governments (ours and others), armed forces command and control, domestic and global financial systems, and so on. This goes beyond privacy. Cryptography sits under all of our most essential electronic communications. Focusing on Snowden has people asking "How safe are my secrets from the NSA?" when a more pertinent question might be "Is my bank still safe from the eastern block mafia and the terrorist of the month?" Banks for the most part don't operate by storing dollar bills; they operate electronically. Then there is the power delivery infrastructure, or... the list goes on. *That* is what NSA compromised. And when you understand that, it becomes clear that the damage to *us* was far worse than any cost to the terrorists. In fact, the damage is proportional to your dependence on electronic infrastructure. That's bad. Because it means that people inside our government, at the direction of government officials, sworn to protect and defend the constitution and the country, actively conspired to undermine every segment of the United States along with our key allies. While the run-of-the-mill staff may not have understood this, the more senior people at NSA knew what they were doing. They were certainly told by people on the outside often enough. Frankly, I think some of them should hang. And I mean that literally. These decisions by NSA weren't made by extremist muslims. They were made by people from Harvard, Yale, and Princeton (and elsewhere) right here in America. But there is something worse. In a certain sense, the NSA's primary mission is the discovery of secrets. Being in the secret breaking business, one of the things they know very well is that the best way to break a secret is to get someone to tell you what it is. And there is *always* someone who will tell you, either out of conviction or out of fear of compromise. There was never a question whether the fact that NSA compromised every first world and second world country would leak. The only questions were *who* would leak it and *how soon*. It happened to be Snowden, but if not for Snowden it would have been somebody else. So setting aside the technical damage, there is the fact that the U.S. Government is now known - and more importantly, believed - to have compromised ourselves and our allies. We need to ask what the consequences are of that. Here are some questions that suggest themselves: 1. Cryptography is clearly too important to entrust to the government. Who can we trust? 2. Fragmentation seems likely. Does that help or hinder us? 3. Do the issues differ for communications cryptography vs. long-term storage cryptography? Given that communications is recorded and stored forever, I suspect not. 4. Can our allies ever again trust an American-originated crypto system? Software system? Can we trust one from them? 5. Can our allies ever again afford to trust an American manufacturer of communications equipment, given that every one of the major players seems to have gotten in bed with NSA when pressured to do so by the U.S. Government? 6. What *other* compromised technologies have been promulgated through government-influenced standards and/or back room strong arm tactics? One thing seems clear: we must now choose between the credibility of American technology businesses and the continuation of export controls on cryptography and computer security technology. The controls are ineffective for their alleged purpose; there are too many ways to circumvent them. The main use of these laws has been to allow government pressure to be brought to bear on vendors who won't "play ball" with U.S. Government objectives. As long as the big players in the U.S. computing and networking industries can be be backdoored by their government (take that either way), only a fool would buy from them. If the goal is to destroy the American technology industry, this strategy is even better than software patents. As long as those laws remain on the books, the American tech sector has a credibility problem. A second thing seems clear: we need to move to openly *developed* standards for critical systems, not just open *standards*. And not just openly developed standards, but standards whose "theory of operation" is explained and critically examined by the public. No more unexplained magic tables of numbers. We need fully open public review, and public reference implementations as part of the standardization process. A third thing seems clear: fixing the cryptography doesn't solve the problem. Even with back doors, the best place to break crypto is at the insecure end points. We need to develop information management methods (e.g. "zero knowledge" methods, but also others) and software architectures that let us limit the scope of damage when it occurs. The operating systems - and consequently the applications - that we are using today simply weren't designed for this. Fortunately, the hardware environment has converged enough that we can do a lot better than we have in the past. There will never be perfect security, but we can largely eliminate the exponential advantage that is currently enjoyed by the attacker. Jonathan S. Shapiro
Nancy Jo Sales, *Vanity Fair*, 26 Sep 2013 Friends Without Benefits This year, 81 percent of Internet-using teenagers in America reported that they are active on social-networking sites, more than ever before. Facebook, Twitter, Instagram, and new dating apps like Tinder, Grindr, and Blendr have increasingly become key players in social interactions, both online and IRL (in real life). Combined with unprecedented easy access to the unreal world of Internet porn, the result is a situation that has drastically affected gender roles for young people. Speaking to a variety of teenaged boys and girls across the country, Nancy Jo Sales uncovers a world where boys are taught they have the right to expect everything from social submission to outright sex from their female peers. What is this doing to America's young women? ... http://www.vanityfair.com/culture/2013/09/social-media-internet-porn-teenage-girls
Howard Blume, *LA Times*, 25 Sep 2013 Following news that students at a Los Angeles high school had hacked district-issued iPads and were using them for personal use, district officials have halted home use of the Apple tablets until further notice. It took exactly one week for nearly 300 students at Theodore Roosevelt High School to hack through security so they could surf the Web on their new school-issued iPads, raising new concerns about a plan to distribute the devices to all students in the district. ... http://www.latimes.com/local/lanow/la-me-ln-lausd-ipad-hack-20130925,0,6974454.story
Please report problems with the web pages to the maintainer