http://www.washingtonpost.com/blogs/worldviews/wp/2013/10/09/oops-azerbaijan-released-election-results-before-voting-had-even-started/?hpid=z4

Azerbaijan's big presidential election, held on Wednesday, was anticipated to be neither free nor fair. President Ilham Aliyev, who took over from his father 10 years ago, has stepped up intimidation of activists and journalists. Rights groups are complaining about free speech restrictions and one-sided state media coverage. The BBC's headline for its story on the election reads "The Pre-Determined President". <http://www.bbc.co.uk/news/world-europe-24450227>

So expectations were pretty low. Even still, one expects a certain ritual in these sorts of authoritarian elections, a fealty to at least the appearance of democracy, if not democracy itself. So it was a bit awkward when Azerbaijan's election authorities released vote results—a full day before voting had even started. <http://www.eurasianet.org/node/67607?utm_source=dlvr.it&utm_medium=twitter>

The vote counts—spoiler alert: Aliyev was shown as winning by a landslide -- were pushed out on an official smartphone app run by the Central Election Commission. It showed Aliyev as "winning" with 72.76 percent of the vote. That's on track with his official vote counts in previous elections: he won ("won"?) 76.84 percent of the vote in 2003 and 87 percent in 2008. [...]

[PGN-ed. The rest of this story is interesting as well.] [Also noted by Dan Swinehart, who said, "This is a variant on the punch line to a joke that I've told for decades. Reality trumps fiction again." http://politics.slashdot.org/story/13/10/10/0043217/azerbaijan-election-results-released-before-voting-had-even-started PGN]
AP item in *The New York Times*, PGN-ed, 13 Oct 2013: People in 17 states (including NJ and CA) were unable to use their food stamp debit cards for several hours on 12 Oct 2013, because a routine test of backup systems by Xerox failed. (Yes, RISKS readers know nothing is always "routine".)
Woody Leonhard, InfoWorld, 10 Oct 2013

Another botched Black Tuesday: KB 2878890 patch brings back two-year-old KB 951847—repeatedly

Microsoft's four-month body count: 23 bad patches. It's past time for Microsoft to improve the quality of its Automatic Updates

http://www.infoworld.com/t/microsoft-windows/another-botched-black-tuesday-kb-2878890-patch-brings-back-two-year-old-kb-951847-repeatedly-228538

[It's a (Bach -> Batch -> BOTCH) FUGUE, which recapitulates the same themes repeatedly, although sometimes in a slightly different form. PGN]
Apparently, D-Link SOHO routers sold under their own and some private labels have been reported to contain a "backdoor" which can allow anyone Administrator access without the device password. This "feature" is implemented by the codebase using a pre-defined username, which does not need a password. Users are cautioned to act appropriately. When will firms learn that backdoors are generically dangerous and should not be created?

The original article is at: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Bob Gezelter, http://www.rlgsc.com
http://j.mp/GI5Ro3 (*St. Petersburg Times* via NNSquad) "Local reporters have infiltrated a covert organization that hired young people as "Internet operators" near St. Petersburg and discovered that the employees are being paid to write pro-Kremlin postings and comments on the Internet, smearing opposition leader Alexei Navalny and U.S. politics and culture."
With all due respect to the respective people involved, in my opinion you have the problem backwards. By attempting to create a trustworthy Internet, you are ignoring the fact that practically any platform carrying data over the Internet only survives by exactly NOT doing that. The nice thing about not trusting the network layer is that it then becomes irrelevant what the carrier is: a comfy "hard shell, soft centre" insider threat corporate LAN, or a shaky "I have only 1 bar and my battery is dying" EDGE connection somewhere out in the field. Well, irrelevant from a security perspective :). Only when we ensure that everything that travels over the Internet has at least a basic level of security attached can we progress, and there is much to fix. Why do websites still default to FTP uploads? Why is encrypted SMTP not the default for inter-party email exchange? You improve security by adjusting the equation effort & risk vs. reward, and use tools you control yourself: content, framing and encryption. What is out of your control is by default untrusted, and doing it right also means that it's no longer worth doing the lower level intercept. Finally, in context I appreciate the irony of sending that submission from a Google account :)
[via Dave Farber's IP distribution. PGN]

This assumes that the Internet is a layer on top of a physical infrastructure—a notion which misses the revolutionary idea of the Internet. The Internet is not the switches. It is a way we use the physical infrastructure as a resource rather than a dependency. For that matter the very wording assumes there is an Internet that is apart from everything else when many of the issues are in the practices both in the way we exchange bits and the service we create using connectivity. As long as we require that operators and service providers make a profit we force the creation of the meta data that can then be used to analyze our usage of the network. If we have a funding model that doesn't require every wire be a profit center then we wouldn't need to disclose (as much) metadata and the network operators wouldn't be obliged to monetize it. There is a risk in seeking the social and business problems in technology rather than in understanding.
> Eli Dourado, *The New York Times*, 8 Oct 2013
> Can we ever trust the Internet again?

As usual, the press gets it wrong soup to nuts. Starting with the premise that the Internet was ever worthy of trust in the first place, which leads to the question - trust for what? If you trusted the Internet for integrity, confidentiality, availability, use control, or accountability, you were making a mistake, and this is nothing new. I refer you to the series of articles I wrote in the mid-1990s called Internet Holes and the continuation of that series through the present day (http://all.net/Analyst/index.html). Not that the problems began then...

> In the wake of the disclosures about the National Security Agency's
> surveillance programs, considerable attention has been focused on the
> agency's collaboration with companies like Microsoft, Apple and Google,
> which according to leaked documents appear to have programmed "back door"
> encryption weaknesses into popular consumer products and services like
> Hotmail, iPhones and Android phones.

The difference being that they used legal process or money to get willing cooperation? Does anybody really believe that this wasn't being done earlier by planted insiders? And why worry about the NSA when they are only one of more than 100 countries likely undertaking the same sort of thing (many known to be doing so) since the beginning of the Internet.

> But while such vulnerabilities are worrisome, equally important - and
> because of their technical nature, far less widely understood - are the
> weaknesses that the N.S.A. seems to have built into the very
> infrastructure of the Internet.

We didn't need them to build weaknesses in. The commercial companies are perfectly capable of doing it intentionally and by accident. Weaknesses were always there.

In terms of understanding, while I believe the press widely ignored these issues for much of the last 30+ years, the information protection field has been pointing them out since the technology was put into use.

> The concern is that even if consumer software companies like Microsoft and
> telecommunications companies like AT&T and Verizon stop cooperating with
> the N.S.A., your online security will remain compromised as long as the
> agency can still take advantage of weaknesses in the Internet itself.

As they always have and always likely will.

> Fortunately, there is something we can do: encourage the development of an
> "open hardware" movement - an extension of the open-source movement that
> has led to software products like the Mozilla browser and the Linux
> operating system.

Open software has nothing on closed software in terms of protection. In fact, arguably, closed source has produced fewer vulnerabilities per line of code over time than open source. I say "arguably" because, as a field, we have few and poorly collected metrics of such things. But those metrics seem to indicate that open source is not more secure as a rule.

> The open-source movement champions an approach to product development in
> which there is universal access to a blueprint, as well as universal ability
> to modify and redistribute the blueprint. Wikipedia is perhaps the
> best-known example of a product inspired by the movement. Open-source
> advocates typically emphasize two kinds of freedom that their products
> afford: they are available free of charge, and they can be used and
> manipulated free of restrictions.

Open source is not the same as free, not the same as anybody can (legally) modify it, or any such thing. It just means you can see the "blueprint".

> But there is a third kind of freedom inherent in open-source systems: the
> freedom to audit. With open-source software, independent security experts
> can scrutinize the code for vulnerabilities - whether accidentally or
> intentionally introduced. The more auditing by the programming masses, the
> better the security. As the open-source software advocate Eric S. Raymond
> has put it, "given enough eyeballs, all bugs are shallow."

This is a fallacy. It is simply not true that more eyes makes better security or that "all bugs are shallow" as a side effect. Experiments have historically shown that even if we point out the location of an intentional Trojan horse to within a few hundred lines of code, experts don't find it. And automated software doesn't even look for the sorts of intentional subversion that is used in many Trojan horses.

> Perhaps the greatest open-source success story is the Internet itself - at
> least its "soft" parts. The Internet's communications protocols and the
> software that implements them are collaboratively engineered by loose
> networks of programmers working outside the control of any single person,
> company or government. The Internet Engineering Task Force, which develops
> core Internet protocols, does not even have formal membership and seeks
> contributions from developers all over the world.

And the Internet is full of holes. It is the best example of how open source does not provide protection. And its success is largely because it (the process) doesn't seek to provide protection. The Internet is designed for functionality - widespread, general, rapidly deployed, easily developed, flexible, changeable, etc. functionality. As such, it is designed to support rapid change, not stability. It is designed to be redundant, recoverable, etc. NOT private, unalterable, etc. "Security" is afforded by this approach, but not secrecy, integrity, use control, or accountability. Availability is somewhat questionable. The security provided is the ability to change, learn, adapt, create, do your own thing, etc.

> But the problem is that the physical layer of the Internet's infrastructure
> - the hardware that transmits, directs and relays traffic online, as well as
> its closely knit software (or "firmware") - is not open-source. It is made
> by commercial computing companies like Cisco, Hewlett-Packard and Juniper
> Networks according to proprietary designs, and then sold to governments,
> universities, private companies and anyone else who wants to set up a
> network.

Making it "open source" will not help the situation. It will likely reveal far more vulnerabilities, but not fix them, and not reveal the tricky ones. But it will certainly cause these companies financial problems as their technical advantages over competitors will collapse, and their investment in new technology be reduced, thus reducing innovation and rate of progress.

> There is reason to be skeptical about the security of these networking
> products. The hardware firms that make them often compete for contracts
> with the United States military and presumably face considerable pressure
> to maintain good relations with the government. It stands to reason that
> such pressure might lead companies to collaborate with the government on
> surveillance-related requests.

And those made in China have Chinese Trojan horses.

> Because these hardware designs are closed to public scrutiny, it is
> relatively easy for surveillance at the Internet's infrastructural level
> to go undetected. To make the Internet less susceptible to mass
> surveillance, we need to recreate the physical layer of its infrastructure
> on the basis of open-source principles.

This won't work. It will just make it more expensive to run the government surveillance programs, costing the taxpayers more money and forcing the NSA back into the darker corners.

> At the moment, the open hardware movement is limited mostly to hobbyists -
> engineers who use the Internet to collaboratively build "open" devices
> like the RepRap 3D printer.

Which uses what open source processor chips? None! They all depend on proprietary chips.

> But the Internet community, through a concerted effort like the one that
> currently sustains the Internet's software architecture, could also
> develop open-source, Internet-grade hardware. Governments like Brazil's
> that have forsworn further involvement with American Internet companies
> could adopt such nonproprietary equipment designs and have them
> manufactured locally, free from any N.S.A. interference.

As if this would free them. It won't.

> The result would be Internet infrastructure, both hardware and software,
> that was 100 percent open and auditable.

Again, a fantasy. Even if realized, it would not accomplish the stated goal.

The "open source" version of the Internet would not be an improvement. It is already largely open source, and has all of the problems that the Information age portends. It is an inherent property of the information age that in order to have effective protection, we need to restrain ourselves from doing the wrong thing in high volume and an effective government has to restrain itself or be restrained by its people. But this is nothing new.

Perhaps we need well armed Internet militias. Draft of the Xth amendment: A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Internet Arms, shall not be infringed.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953
> Among IT security professionals, it has been long understood that the
> public disclosure of vulnerabilities is the only consistent way to improve
> security. That's why researchers publish information about vulnerabilities
> in computer software and operating systems, cryptographic algorithms, and
> consumer products like implantable medical devices, cars, and CCTV
> cameras.

This is a fallacy. There is no substantial science behind the asserted claim (that disclosure improves protection) and no statistics behind the actual claim (that IT security professionals have long understood that or even agree to the asserted claim). The rest of the article repeats this mistake. It asserts cause and effect without a substantial basis.

> It's folly to believe that any NSA hacking technique will remain secret
> for very long.

Really! You may rest assured that they have plenty of methods that, while published long ago in some form, remain largely a secret to anyone who is affected by them. That's because, as a community, we don't bother to review the literature before proclaiming ourselves experts. Nothing I have seen published about what the NSA is asserted to have done is a big secret in terms of the ability to do it. The secret (if there is one) is that they did do it, with whom, etc. The techniques I have heard about are hardly a secret. Bribe a company, extort a company, plant an insider, plant a Trojan, not new, not secret methods. In terms of longevity, I would bet that there are lots of things still secret from the 1950s, some of which died with those who held them.

> The NSA has two conflicting missions. Its eavesdropping mission has been
> getting all the headlines, but it also has a mission to protect US
> military and critical infrastructure communications from foreign attack.
> Historically, these two missions have not come into conflict. During the
> cold war, for example, we would defend our systems and attack Soviet
> systems.

The equities issue has always been present, and the equities have historically always favored attack over defense. The question that needs to be addressed is how this balance should be as opposed to how it has been. My personal view is that the defense should be favored far more than it is at present or has been in the past, but then I am a defender. The reason for my view? Because the US and our allies are asymmetrically dependent on information and technology. So successful attack can hurt us a lot more than it hurts them. Meanwhile, successful defense depends on knowledge, skills, effort, etc. which we presumably have more of than our enemies. So if we build strong defenses that require ongoing effort, we will win as long as we are willing to spend the effort and they are not. Of course if it takes too much effort, it will sap our strength... and somewhere in there is an equation to be produced and solved.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953
... it appears the problem isn't with the grid supplying the power, but with the electrical system on the NSA site.
The link for the first item ("Cyber Schools Fleece Taxpayers for Phantom Students and Failing Grades") is actually: http://www.prwatch.org/news/2013/10/12257/junk-bonds-junk-schools-cyber-schools-fleece-taxpayers-phantom-students-and-faili (The item's link was missing "cyber-schools-".)
> A couple thousand years ago, the way you moved from Slave or peon to
> Citizen in Imperial Rome was you raised enough money to afford a sword and
> shield ...

This is empirically false, and it's a shame to see made-up "facts" given credibility by appearing in RISKS. Without this and the several other similar assertions of "fact" in the piece I quote above, I'm not sure there is any support for its argument at all.

If you'd like to know how changes in status really took place in Imperial (or pre-Imperial) Rome, I can recommend Crook, J.A., _Law and Life Of Rome_, 90 B.C. - A.D. 212 (Ithaca: Cornell, 1967).

Thor Lancelot Simon, Public Access Networks Corp.