Now that Secretary of Defense Leon Panetta has warned of a possible Cyber-Pearl Harbor, it’s time to change your passwords. And guess what: a more secure password is actually easier to remember, if you follow a very simple rule.

Whether sea levels rise or fall, your amphibious house will ride the waves of climate change.

A controversial new study suggests that most of humankind’s maladies — from wars to epidemics to economic downturns — can be traced to climate fluctuations….

Climate shifts were a statistically significant cause of social disturbance, war, migration, epidemics, famine, and nutritional status, the researchers report online today in the Proceedings of the National Academy of Sciences. And climate caused famines, economic downturns, and catastrophic human events far more often than did any of the other 14 variables. The most direct way in which extreme climate shifts influence human society is through agriculture, Zhang says; a falling supply of crops will drive up the price of gold and cause inflation. Similarly, epidemics can be exacerbated by famine. And when people are miserable, they are likely to become angry with their governments and each other, resulting in war.

But golden ages rise out of these dark periods, the team argues. For instance, a 100-year cold period beginning in 1560 caused shortened crop growing seasons. The researchers found a causal linkage with a decline in average human height by nearly an inch during this period, and the century was rife with disease and conflict. But the world began to warm in 1650; when Charles II was crowned king of England in 1660, the coronation sparked the Enlightenment era in Europe.

http://feeds.wired.com/~r/wired/index/~3/3KOUud3C3M4/

Meanwhile a different study pins a mini Ice Age in Europe on Christopher Columbus.

“Science News reports on a story which blames a centuries long cooling of Europe on the discovery of the new world. Scientists contend that the native depopulation and deforestation had a chilling effect on world-wide climate. ‘Trees that filled in this territory pulled billions of tons of carbon dioxide from the atmosphere, diminishing the heat-trapping capacity of the atmosphere and cooling climate, says Richard Nevle, a geochemist at Stanford University.’”

http://news.slashdot.org/story/11/10/14/0345253/columbus-blamed-for-mini-ice-age

In this century, rising sea levels have inspired a new architectural style that might be called the ‘amphibian avant-garde.’

“Venice may soon be sharing its ‘Floating City’ moniker thanks to a research project developing ‘amphibian houses’ that are designed to float in the event of a flood. The FLOATEC project sees the primary market for the houses as the Netherlands, whose low-lying land makes it particularly susceptible to the effects of rising sea levels. Such housing technology could also allow small island-states in the Indian and Pacific Oceans that are at the risk of disappearing in the next 100 years to maintain their claim to statehood through the use of artificial, floating structures.”

http://science.slashdot.org/story/11/09/05/007211/Floating-Houses-Designed-For-Low-Lying-Countries

Yet another reason to choose a Facebook photo that’s hotter than you really are.

With Carnegie Mellon’s cloud-centric new mobile app, the process of matching a casual snapshot with a person’s online identity takes less than a minute. Tools like PittPatt and other cloud-based facial recognition services rely on finding publicly available pictures of you online, whether it’s a profile image for social networks like Facebook and Google Plus or from something more official from a company website or a college athletic portrait. In their most recent round of facial recognition studies, researchers at Carnegie Mellon were able to not only match unidentified profile photos from a dating website (where the vast majority of users operate pseudonymously) with positively identified Facebook photos, but also match pedestrians on a North American college campus with their online identities. … ‘[C]onceptually, the goal of Experiment 3 was to show that it is possible to start from an anonymous face in the street, and end up with very sensitive information about that person, in a process of data “accretion.” In the context of our experiment, it is this blending of online and offline data — made possible by the convergence of face recognition, social networks, data mining, and cloud computing — that we refer to as augmented reality.’

http://yro.slashdot.org/story/11/09/30/1422217/Cloud-Powered-Facial-Recognition-Is-Terrifying

But then again, who really pays attention to dry academic studies? The FBI, for one.

“The FBI by mid-January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told Nextgov. The federal government is embarking on a multiyear, $1 billion dollar overhaul of the FBI’s existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings.”

http://yro.slashdot.org/story/11/10/07/2342240/FBI-Plans-Nationwide-Face-Recognition-Trials-In-2012

Donkeys, solar power, and trash are the Internet Service Providers for censored Syrians, beleaguered Afghans, and others without government-sponsored Internet.

These DIY ISPs would also sidestep the privacy concerns about social networks raised in some recent NMDnet posts, and they give new meaning to the term “data mules.”

Syrians Using Donkeys Instead of DSL After Gov’t Shuts Down Internet

“Rebelling Syrians are using all possible alternate methods to pass information to the world amidst a total blackout on the internet by the Government. Believe it or not, donkeys are a part of the revolution now. From the article: ‘To get the news out, activists have been smuggling videos to Jordan through the desert and across a nearly 80-kilometer border Jordan shares with Syria. Some risk approaching the border with Jordanian cellphones to report to the outside world and send clips. It’s a dangerous task because the Syrian and Jordanian armies traditionally have the area under heavy surveillance to prevent the smuggling of drugs and weapons into the kingdom or further to the Gulf states.’”

http://tech.slashdot.org/story/11/05/15/1810215/Syrians-Using-Donkeys-Instead-of-DSL-After-Govt-Shuts-Down-Internet

The US military is taking note:

Move Over, Robots: Army Prefers Flesh-and-Blood Mules

The experimental four-legged, pack-hauling robots aren’t gonna be ready for frontline duty any time soon. So the Army is considering a big step backward in frontline logistics: more mules and donkeys, with a revived “Animal Corps” to oversee the four-legged recruits.

http://feeds.wired.com/~r/wired/index/~3/ct7GAqIUi8Y/

The Afghans are at it:

Afghans Build Open Source Internet From Trash

“Residents of Jalalabad have built the FabFi network: an open-source system that uses common building materials and off-the-shelf electronics to transmit wireless ethernet signals across distances of up to several miles.”

http://hardware.slashdot.org/story/11/06/26/0322238/Afghans-Build-Open-Source-Internet-From-Trash

And there’s more:

Look Ma, No Internet! Free Software Gives Text-Messaging New Reach

Frontline SMS, open source software that turns a laptop into an Internet-free communication hub, has been used in more than 50 countries by thousands of organizations.

http://feeds.wired.com/~r/wired/index/~3/C4bjgmQ7rT8/

Berkeley’s working on solar-powered cell phone networks.

Low-Cost DIY Cell Network Runs On Solar

Shareable writes with word of the intriguing work of a Berkeley professor who has developed a “low-cost, low-power cell base station featuring easy, off-the grid deployment with solar or wind power; local services autonomous from national carriers; and an impressive portfolio of voice & data services (not just GSM). It’s designed to connect rural areas in the developing world, but could have wider application like disaster recovery.”

http://mobile.slashdot.org/story/11/08/28/0048211/Low-Cost-DIY-Cell-Network-Runs-On-Solar

Limewire’s founder wants to distribute pedals as well as MP3s.

Peer-to-Peer Pioneer Sees New York Bicycles Pier-to-Pier

Mark Gorton founded LimeWire, but his true passion is transit — specifically, bikes — and sharply curtailing the role of cars in our cities. We sit down with him to find out why.

http://feeds.wired.com/~r/wired/index/~3/8SOZGbSiQ84/

Governments and vigilantes are using Facebook and other social media to identify and jail protesters–even if they never left their keyboards.

A Chat With Zavilia, a Tool For Identifying Rioters

“Social media isn’t just great for starting ‘social unrest,’ it’s proving to be quite helpful for quashing it too. Not long after the bricks began to fly in London’s latest kerfuffle, locals angry over raging mobs scrambled to assist the police in their attempt to identify street-fighters and free-for-all hooligans … Now with more than 1,000 people charged over the chaos, a few citizen groups continue to provide web-based rioter identification platforms, in hopes of being good subjects, maintaining the country’s pursuit of order, and keeping their neighborhoods safe.”

http://it.slashdot.org/story/11/08/19/0248220/A-Chat-With-Zavilia-a-Tool-For-Identifying-Rioters

In Britain, a Meeting on Limiting Social Media

Government officials and representatives of Twitter, Facebook and BlackBerry met to discuss voluntary ways to limit or restrict the use of social media to combat crime and periods of civil unrest.

http://feeds.nytimes.com/click.phdo?i=bc98f459d24fe76a1cb358676020620b

UK Men Get 4 Years For Trying to Incite Riots Via Facebook

“In addition to the 12 arrests from last week, a judge has sentenced 20-year-old Jordan Blackshaw and 22-year-old Perry Sutcliffe-Keenan to four years in prison for their failed attempts to use Facebook to incite riots in the UK. The judge said he hoped the sentences would act as a deterrent. The two men were convicted for using Facebook to encourage violent disorder in their hometowns in northwest England.”

http://yro.slashdot.org/story/11/08/18/0224214/UK-Men-Get-4-Years-For-Trying-to-Incite-Riots-Via-Facebook

nonprofiteer writes “A bunch of vigilantes are organizing a Google Group dedicated to using recently revealed facial recognition tools to identify looters in the London riots. While Vancouver discussed doing something similar after the Stanley Cup riots, the city never actually moved forward on it. Ring of Steel London, though, is far more likely to incorporate FRT into its investigative work.” A related article points out how development of face-recognition technology has been kept under wraps by some organizations, but we’re getting to the point where it’ll soon be ubiquitous.

http://yro.slashdot.org/story/11/08/10/062225/The-London-Riots-and-Facial-Recognition-Technology

When police and vigilantes fail, there’s always PayPal.

PayPal Joins London Police Effort

“PayPal has joined a music copyright association and the City of London police department’s bid to financially starve websites deemed ‘illegal.’ When presented with sufficient evidence of unlicensed downloading from a site, the United Kingdom’s PayPal branch ‘will require the retailer to submit proof of licensing for the music offered by the retailer,’ said the International Federation of the Phonographic Industry’s latest press release.”

http://yro.slashdot.org/story/11/07/22/2345217/PayPal-Joins-London-Police-Effort

Meanwhile, Egyptian activists are getting in trouble for what they post on Facebook.

Egyptian Charged For Threatening Facebook Post

“The Egyptian Military Prosecution has charged 26-year-old activist and blogger Asmaa Mahfouz for allegedly defaming the country’s ruling generals and calling for armed operations against the military and the judiciary. Mahfouz, a prominent activist, was accused of using Facebook to call for the assassinations of Supreme Council of Armed Forces (SCAF) members and certain judges.”

http://yro.slashdot.org/story/11/08/15/0156222/Egyptian-Charged-For-Threatening-Facebook-Post

US security consultants may have been conspiring in secret to bring WikiLeaks down, but Britain’s former intelligence chief links WikiLeaks with the downfall of oppressive regimes in the Middle East. And then there’s WikiLeaks’ staunchest supporter, Anonymous, which caught said security consultants with their pants down (and may have even erased their CEO’s iPad).

You’ve spent your winter break tricking out your Arduino board and now you’re planning to bring it back to school on the plane. Whoops! You forgot that your custom art installation looks just like a homemade bomb to the airport scanner.

Here’s a handy guide to getting your gizmos through security without ending up on the terror suspect watch list.

(via Bruce Sterling)

http://teachmetomake.wordpress.com/traveling-with-diy-electronics/

High-tech engineering for those who want more privacy for their privates. Will Victoria’s Secret come out with a Kevlar-lined bra in time for the holidays?

http://idle.slashdot.org/story/10/11/23/150207/Underwear-Invention-Protects-Privacy-At-Airport

Thanks to Jeff Buske you don’t have to be embarrassed while going through the full body scanners at the airport. Buske has invented radiation shielding underwear for the shy traveler. From the article: “Jeff Buske says his invention uses a powdered metal that protects people’s privacy when undergoing medical or security screenings. Buske of Las Vegas, Nev.-Rocky Flats Gear says the underwear’s inserts are thin and conform to the body’s contours, making it difficult to hide anything beneath them. The mix of tungsten and other metals do not set off metal detectors.”

Admittedly, it’s the “Steven King” in this story that caught my eye, this being a UMaine blog and all. But beyond the fake name that isn’t the same spelling as Maine’s prolific author, this is a good resource for those interested in Internet non-security.

On the off chance someone might defeat that first bastion of security, Cavion® employs another fool-proof barrier: JavaScript.

Full text at http://thedailywtf.com/Articles/Classic-WTF-Banking-So-Advanced.aspx.

*Suppose that Richard Clarke had written a somewhat speculative book about security in 1998, and he said that, at the cost of a few airplanes and two and one-fifth buildings, Arab terrorists could bog down the USA in the longest and most expensive wars the US ever had. You think people would have sized him up as an alarmist? As an ambitious defense contractor?

*This stuff Clarke says about Microsoft is obviously factual. He’s saying things everyone knows. Maybe SCADA attacks are indeed mostly mythical, but look what’s going on in the Gulf right now. Of course vulnerable infrastructure doesn’t look like a weapon. Till it is one. Civilian airplanes and flaming skyscrapers didn’t look like weapons, either.

*The guy is a security expert. If you want your infrastructure to be up to mil-spec, you can’t use commercial off-the-shelf material that was kicked out the door as fast as it would sell. It’s a fact. Mind you, I’m not saying that government oversight necessarily improves this stuff — especially when a government’s for sale to the private sector anyway. But he is telling the truth.

*If you’ve got oil wells run by oil companies for oil companies, why wouldn’t they blow up and fall over? If you’ve got finance systems run by finance systems for finance systems, why wouldn’t they blow up and fall over, too? If governments are run by governments for the sake of governance, they blow up and fall over. It’s hard to manage complex systems, especially if you’re beset with saboteurs who can’t face you on a battlefield.

If you build huge elaborate systems on single points of failure (like, say the health of Steve Jobs), why do you claim the luxury of acting all surprised when they come apart like favela tin shacks? He’s talking factually about making these systems secure. Of course the ones we have are insecure. How could they not be? Look how they were built.

*I can perfectly well understand why that happened, and how advantageous that was for the stakeholders, and the consumers like our happy selves. But it’s cynical to dismiss this guy when he’s saying something blatantly true in an area where his expertise is both deep and hard-earned.

http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-weak-link-in-national-security.ars

(…)

“Clarke takes readers through various famous cyberwar incidents, most notably the Distributed Denial of Service (DDoS) attack on Estonia back in 2007, but how bad could such events really get?

“The hypothetical answer is on page 64. There Clarke deputizes you as Assistant to the President for Homeland Security and takes you through a scenario of doom. The National Security Agency has just sent a critical alert to your BlackBerry: “Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure.”

“But by the time you get to your office, one of the DoD’s main networks has already crashed; computer system failures have caused huge refinery fires around the country; (((Oh wait, oil chernobyls, strictly far-fetched alarmism, how could that possibly, no way, drill baby drill, etc etc))) the Federal Aviation Administration’s air traffic control center in Virginia is collapsing, and the hits just keep coming.

“The Chairman of the Fed just called,” the Secretary of the Treasury tells you. “Their data centers and their backups have had some sort of major disaster. They have lost all their data.” Power blackouts are sweeping the country. Thousands of people have already died. “There is more going on,” Clarke narrates, “but the people who should be reporting to you can’t get through.” (((Maybe because somebody else bought all the Google search terms.)))

File under fiction (((Look: stop being stupid. Planning war-game scenarios isn’t “fiction.” That is no more “fiction” than the WWII plans to invade Normandy. It’s not factual, but it’s what there is. What do you want? A backhoe through your fiber-optic? More malware in your PC?)))

“Clarke’s book has gotten tons of play with this sort of stuff— check out, for example, the scary interview he did with Terry Gross on NPR’s Fresh Air. But little of it impresses his critics. (((There are political reasons why people never do what this guy says. It’s not him or his credibility. It’s all about the power and money and the free-market ideology.)))

“File under fiction,” begins Ryan Singel’s review over at Wired. “Like in real war, truth is the first casualty.” Singel warns that the tome is based on hypothetical scenarios (see above) or alarmist and inaccurate rehashings of various cyber emergencies. Plus, we note the book has no references or index. (((Unlike us WIRED bloggers, who always maintain a nifty index to go along with our chairmanship of the Counter-terrorism Security Group and our seats on the United States National Security Council. Richard Clarke was the top of the heap there. There ISN’T anybody better-informed or with more credibility. No such person exists.)))

(((I get it that there’s plenty of cybarmageddonism around that deserves a good round laugh, but the modern world has more cellphones than toilets. If you don’t think that cellphones are modern weapons of global warfare, you’re crazy.)))

Ditto, says Evgeny Morozov in the Wall Street Journal. “We do not want to sleepwalk into a cyber-Katrina,” he writes, “but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.” Clarke is one of four partners in the Good Harbor Consulting security firm. (((Yeah, Clarke is in the Beltway biz now, but jeez, Morozov is a Belarusian Soros guy who hangs out with US State Department people. He’s not some kind of stainless icon of objectivity when it comes to electronic warfare.)))

But even his detractors acknowledge that some of Clarke’s broad arguments make sense—most notably his warning that the Pentagon can’t assume that the energy and financial sectors will effectively defend themselves from cyber attacks. (((Obviously.)))

“At the beginning of the age of cyber war,” Clarke ruefully notes, “the US government is telling the population and industry to defend themselves.” (((Yes, they are. And you can sop up your own oil spills and provide your own pension and health insurance while you’re at it. Educate your college kids? Tough luck!)))

Money talks (((Yes it does, and lately money has started screaming hysterically and throwing grandma out the window while eviscerating national governments. But it’s not like we have vulnerability in our poorly regulated core infrastructural systems, or anything. Why worry about “flash crash” problems? Still got a house, right?)))

Why has the national response to this problem been so slow? Lack of consensus on what to do and fear of the “R-word”—government regulation, Clarke contends. Then there’s Reason Number Five on his list, which basically boils down to “Microsoft.” (((J’accuse.)))

“Some people like things the way they are,” Clarke obliquely observes. “Some of those people have bought access.” Microsoft, he notes, is a prominent member of OpenSecrets.org’s “Heavy Hitters” political donor list. Most of the list’s stars are trade associations. “Microsoft is one of only seven companies that make the cut.”

The software giant’s largesse has shifted from Republicans back in the Clinton antitrust days to Obama, he continues, but the agenda is always clear: “Don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.” (((That’s all true, too.)))

Clarke tries to be fair. He notes that Microsoft didn’t originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft’s original goal “was to get the product out the door and at a low cost of production,” he explains. “It did not originally see any point to investing in the kind of rigorous quality assurance and quality control process that NASA insisted on for the software used in human space-flight systems.” (((I would note in passing that NASA is so freakin’ moribund and top-heavy that they can’t deliver a manned spacecraft system.)))

But people brought in Microsoft programs for critical systems anyway. “They were, after all, much cheaper than custom-built applications.” And when the government launched its Commercial Off-the-Shelf program (COTS) to cut expenses, Microsoft software migrated to military networks. These kinds of cost-cutting reforms “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer,” Clarke writes. (((That’s very much the case. If Turing was working against Nazi Germany under today’s conditions, he woulda knocked it off with the cipher machines and just mugged a few guys in Berlin for their thumb drives.)))

Floating i-brick (((It’s the truth, he didn’t make it up)))

The former White House advisor cites the 1997 USS Yorktown incident as a consequence. The Ticonderoga-class ship’s whole operational network was retrofitted with Windows NT. “When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.”

In response to this “and a legion of other failures,” the government began looking into the Linux operating system. The Pentagon could “slice and dice” this open source software, pick and choose the components it needed, and more easily eliminate bugs.

Clarke says that, in response:

[Microsoft] went on the warpath against Linux to slow the adoption of it by government committees, including by Bill Gates. Nevertheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the US government promoted Linux, Microsoft would stop cooperating with the US government. While that did not faze me, it may have had an effect on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free. (((Everybody does it, so it must be great.)))

The company took a similarly hard line towards the banking and financial industry, Cyber War says, rebuffing access requests from security specialists for Microsoft code. When banks threatened to use Linux, Microsoft urged them to wait for its next operating system— Vista.

“Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks,” Clarke confides. Sure enough, when Apple and Linux began to offer serious competition, Microsoft upgraded quality in recent years. But what the company did first was to lobby against higher government security standards. (((Of course they did that. By now, though, it’s likely too late. Even the Red Chinese don’t have it together to impose “high government security standards.” They’ve sure got it together to riffle through the hard disks of the rest of us, though.)))

“Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems,” concludes Clarke’s section on the software firm. (((Yes they can. But it’s even better than that: we got online fundraising systems with more clout than a party apparatus, so even our elected representatives have a weaker grip on reality than a radio talk-show host. You think you’re gonna get a serious response on computer security from people who think Obama lacks a birth certificate? Richard Clarke is a relic from an era when American government looked and acted like a responsible superpower. But his experience doesn’t make him wrong about what he says.)))

http://www.wired.com/beyond_the_beyond/2010/06/richard-clarke-is-telling-the-truth-about-computer-security/

via Byline *Suppose that Richard Clarke had written a somewhat speculative book about security in 1998, and he said that, at the cost of a few airplanes and two and one-fifth buildings, Arab terrorists could bog down the USA in the longest and most expensive wars the US ever had. You think people would have sized him up as an alarmist? As an ambitious defense contractor?

*This stuff Clarke says about Microsoft is obviously factual. He’s saying things everyone knows. Maybe SCADA attacks are indeed mostly mythical, but look what’s going on in the Gulf right now. Of course vulnerable infrastructure doesn’t look like a weapon. Till it is one. Civilian airplanes and flaming skyscrapers didn’t look like weapons, either.

*The guy is a security expert. If you want your infrastructure to be up to mil-spec, you can’t use commercial off-the-shelf material that was kicked out the door as fast as it would sell. It’s a fact. Mind you, I’m not saying that government oversight necessarily improves this stuff — especially when a government’s for sale to the private sector anyway. But he is telling the truth.

*If you’ve got oil wells run by oil companies for oil companies, why wouldn’t they blow up and fall over? If you’ve got finance systems run by finance systems for finance systems, why wouldn’t they blow up and fall over, too? If governments are run by governments for the sake of governance, they blow up and fall over. It’s hard to manage complex systems, especially if you’re beset with saboteurs who can’t face you on a battlefield.

If you build huge elaborate systems on single points of failure (like, say the health of Steve Jobs), why do you claim the luxury of acting all surprised when they come apart like favela tin shacks? He’s talking factually about making these systems secure. Of course the ones we have are insecure. How could they not be? Look how they were built.

*I can perfectly well understand why that happened, and how advantageous that was for the stakeholders, and the consumers like our happy selves. But it’s cynical to dismiss this guy when he’s saying something blatantly true in an area where his expertise is both deep and hard-earned.

http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-weak-link-in-national-security.ars

(…)

“Clarke takes readers through various famous cyberwar incidents, most notably the Distributed Denial of Service (DDoS) attack on Estonia back in 2007, but how bad could such events really get?

“The hypothetical answer is on page 64. There Clarke deputizes you as Assistant to the President for Homeland Security and takes you through a scenario of doom. The National Security Agency has just sent a critical alert to your BlackBerry: “Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure.”

“But by the time you get your office, one of the DoD’s main networks has already crashed; computer system failures have caused huge refinery fires around the country; (((Oh wait, oil chernobyls, strictly far-fetched alarmism, how could that possibly, no way, drill baby drill, etc etc))) the Federal Aviation Administration’s air traffic control center in Virginia is collapsing, and the hits just keep coming.

“The Chairman of the Fed just called,” the Secretary of the Treasury tells you. “Their data centers and their backups have had some sort of major disaster. They have lost all their data.” Power blackouts are sweeping the country. Thousands of people have already died. “There is more going on,” Clarke narrates, “but the people who should be reporting to you can’t get through.” (((Maybe because somebody else bought all the Google search terms.)))

File under fiction (((Look: stop being stupid. Planning war-game scenarios isn’t “fiction.” That is no more “fiction” than the WWII plans to invade Normandy. It’s not factual, but it’s what there is. What do you want? A backhoe through your fiber-optic? More malware in your PC?)))

“Clarke’s book has gotten tons of play with this sort of stuff— check out, for example, the scary interview he did with Terry Gross on NPR’s Fresh Air. But little of it impresses his critics. (((There are political reasons why people never do what this guy says. It’s not him or his credibility. It’s all about the power and money and the free-market ideology.)))

“File under fiction,” begins Ryan Siegel’s review over at Wired. “Like in real war, truth is the first casualty.” Siegel warns that the tome is based on hypothetical scenarios (see above) or alarmist and inaccurate rehashings of various cyber emergencies. Plus, we note the book has no references or index. (((Unlike us WIRED bloggers, who always maintain a nifty index to go along with our chairmanship of the Counter-terrorism Security Group and our seats on the United States National Security Council. Richard Clarke was the top of the heap there. There ISN’T anybody better-informed or with more credibility. No such person exists.)))

(((I get it that there’s plenty of cybarmageddonism around that deserves a good round laugh, but the modern world has more cellphones than toilets. If you don’t think that cellphones are modern weapons of global warfare, you’re crazy.)))

Ditto, says Evgeny Morozov in the Wall Street Journal. “We do not want to sleepwalk into a cyber-Katrina,” he writes, “but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.” Clarke is one of four partners in the Good Harbor Consulting security firm. (((Yeah, Clarke is in the Beltway biz now, but jeez, Morozov is a Belarusian Soros guy who hangs out with US State Department people. He’s not some kind of stainless icon of objectivity when it comes to electronic warfare.)))

But even his detractors acknowledge that some of Clarke’s broad arguments make sense—most notably his warning that the Pentagon can’t assume that the energy and financial sectors will effectively defend themselves from cyber attacks. (((Obviously.)))

“At the beginning of the age of cyber war,” Clarke ruefully notes, “the US government is telling the population and industry to defend themselves.” (((Yes, they are. And you can sop up your own oil spills and provide your own pension and health insurance while you’re at it. Educate your college kids? Tough luck!)))

Money talks (((Yes it does, and lately money has started screaming hysterically and throwing grandma out the window while eviscerating national governments. But it’s not like we have vulnerability in our poorly regulated core infrastructural systems, or anything. Why worry about “flash crash” problems? Still got a house, right?)))

Why has the national response to this problem been so slow? Lack of consensus on what to do and fear of the “R-word”—government regulation, Clarke contends. Then there’s Reason Number Five on his list, which basically boils down to “Microsoft.” (((J’accuse.)))

“Some people like things the way they are,” Clarke obliquely observes. “Some of those people have bought access.” Microsoft, he notes, is a prominent member of OpenSecrets.org’s “Heavy Hitters” political donor list. Most of the list’s stars are trade associations. “Microsoft is one of only seven companies that make the cut.”

The software giant’s largesse has shifted from Republicans back in the Clinton antitrust days to Obama, he continues, but the agenda is always clear: “Don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.” (((That’s all true, too.)))

Clarke tries to be fair. He notes that Microsoft didn’t originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft’s original goal “was to get the product out the door and at a low cost of production,” he explains. “It did not originally see any point to investing in the kind of rigorous quality assurance and quality control process that NASA insisted on for the software used in human space-flight systems.” (((I would note in passing that NASA is so freakin’ moribund and top-heavy that they can’t deliver a manned spacecraft system.)))

But people brought in Microsoft programs for critical systems anyway. “They were, after all, much cheaper than custom-built applications.” And when the government launched its Commercial Off-the-Shelf (COTS) program to cut expenses, Microsoft software migrated to military networks. These kinds of cost-cutting reforms “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer,” Clarke writes. (((That’s very much the case. If Turing was working against Nazi Germany under today’s conditions, he woulda knocked it off with the cipher machines and just mugged a few guys in Berlin for their thumb drives.)))

Floating i-brick (((It’s the truth, he didn’t make it up)))

The former White House advisor cites the 1997 USS Yorktown incident as a consequence. The Ticonderoga-class ship’s whole operational network was retrofitted with Windows NT. “When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.”

In response to this “and a legion of other failures,” the government began looking into the Linux operating system. The Pentagon could “slice and dice” this open source software, pick and choose the components it needed, and more easily eliminate bugs.

Clarke says that, in response:

[Microsoft] went on the warpath against Linux to slow the adoption of it by government committees, including by Bill Gates. Nevertheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the US government promoted Linux, Microsoft would stop cooperating with the US government. While that did not faze me, it may have had an effect on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free. (((Everybody does it, so it must be great.)))

The company took a similarly hard line towards the banking and financial industry, Cyber War says, rebuffing access requests from security specialists for Microsoft code. When banks threatened to use Linux, Microsoft urged them to wait for its next operating system— Vista.

“Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks,” Clarke confides. Sure enough, when Apple and Linux began to offer serious competition, Microsoft upgraded quality in recent years. But what the company did first was to lobby against higher government security standards. (((Of course they did that. By now, though, it’s likely too late. Even the Red Chinese don’t have it together to impose “high government security standards.” They’ve sure got it together to riffle through the hard disks of the rest of us, though.)))

“Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems,” concludes Clarke’s section on the software firm. (((Yes they can. But it’s even better than that: we got online fundraising systems with more clout than a party apparatus, so even our elected representatives have a weaker grip on reality than a radio talk-show host. You think you’re gonna get a serious response on computer security from people who think Obama lacks a birth certificate? Richard Clarke is a relic from an era when American government looked and acted like a responsible superpower. But his experience doesn’t make him wrong about what he says.)))

http://www.wired.com/beyond_the_beyond/2010/06/richard-clarke-is-telling-the-truth-about-computer-security/

The hacker tool, dubbed DECAF, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE. The latter is a suite of 150 bundled, off-the-shelf forensic tools that run from a script. Microsoft combined the programs into a portable tool that can be used by law enforcement agents in the field before they bring a computer back to their forensic lab. The script runs on a USB stick that agents plug into the machine.

The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded.

Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice to the site. The tool was also being distributed through the BitTorrent file-sharing network.

This week two unnamed hackers released DECAF, an application that monitors a computer for any signs that COFEE is operating on the machine.

According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.

The hackers say that later releases of the program will allow computer owners to remotely lock down their machine once they detect that it has fallen into law enforcement hands. The hackers, however, have not released source code for the program, which would make it easy for anyone to see if the program contains malware that might also harm a computer or allow the attackers to take control of it.

Update: The developers of DECAF have taken issue with Threat Level referring to them as hackers. “We’re just two developers who support the free flow of information and privacy,” one of them wrote Threat Level in an anonymous e-mail. “You could say we’re just average joes.”

Photo: Jim Forest/Flickr

© 2011 UMaine NMDNet Suffusion theme by Sayontan Sinha