
RE: at the ragged edge
Topic: Miscellaneous 12:03 pm EDT, Mar 26, 2015

noteworthy wrote:
Astro Teller, on Google Glass:

I'm amazed by how sensitively people responded to some of the privacy issues. When someone walks into a bar wearing Glass ... there are video cameras all over that bar recording everything.

They STILL don't understand what went wrong with Google Glass!? I'll try to write more about this later, but this has the appearance of a serious cultural/institutional blind spot within Google. They really believe that privacy is irrelevant and they just can't wrap their heads around evidence to the contrary. It reminds me of that Upton Sinclair quote: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

The problem is that given the amount of information Google has been entrusted with, their failure to understand this failure means that it may be repeated in other contexts where the stakes are higher.


Why I don't agree with Access on Wassenaar's scope, even though I wish I could.
Topic: Miscellaneous 1:30 pm EDT, Mar 13, 2015

Earlier this month Collin Anderson at Access published a whitepaper on the new Wassenaar controls relating to "intrusion software."

The whitepaper takes the position that the exchange of exploits and vulnerability information across borders is completely outside of the scope of what is controlled by Wassenaar. The whitepaper asserts that:

Exploitation is not concomitant with Intrusion Software nor is vulnerability research necessarily Intrusion Software development.

I'd like to think that's the case, but when I read the Wassenaar text I have trouble reaching the same conclusion. Even if Wassenaar didn't intend to cover vulnerability research, the text they wrote certainly seems to do so. I've come away with the conclusion that the Wassenaar authors may have crafted their policy under an erroneous understanding of how exploitation works.

Wassenaar defines "Intrusion Software" as follows:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Let's expand that part about defeating 'protective countermeasures', as those are also defined specifically in the Wassenaar text:

"Software" specially designed or modified to defeat techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing, of a computer or network-capable device, and performing... the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

This seems to be a perfect description of an exploit. In fact, I don't think that I could have written a clearer legal definition for "exploit" if I tried.

An exploit is software that modifies the standard execution path of a program in order to allow the execution of externally provided instructions. These days, most operating systems have countermeasures that are designed to make it difficult to write an exploit. Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are examples of exploit countermeasures. If you're going to write a successful exploit for a modern operating system in this day and age, you have to contend with and defeat those countermeasures most of the time.

So, most exploits that are being written today meet both of these criteria. They defeat a countermeasure like DEP and then modify the execution path in order to ... [ Read More (1.0k in body) ]

My comments to BIS regarding Intrusion Software
Topic: Miscellaneous 4:13 pm EDT, Mar 12, 2015


I'm writing you because my understanding is that BIS is currently in the process of considering implementation of the new Wassenaar controls related to "Intrusion Software." These controls have started to raise some concerns within the professional community associated with information security vulnerability research. I asked XXXXXXXXXXXXX who I might reach out to in order to provide some input and he suggested that I start by emailing the two of you.

I appreciate your time in reading this. I have some experience working with the EAR as a technical SME within export compliance programs at IBM and Internet Security Systems, and I have a great deal of professional experience with security vulnerability research and coordination, so I believe I have sufficient experience to provide you with an informed perspective.

Although there are a number of different concerns that have been raised regarding these new controls, I want to focus my comments specifically on the Category 4.E.1.C controls on "technology" for the "development" of "intrusion software." I don't believe that the potential unintended consequences of the technology controls in particular have received enough emphasis in the comments that I have read to date by other parties.

Computer security professionals use the word "vulnerability" to refer to a flaw in a software system which allows another program, such as an "intrusion" program, to modify "the standard execution path of a program or process in order to allow the execution of externally provided instructions." A great deal of the work that we do in information security has to do with finding and fixing these vulnerabilities, and that work involves getting information about newly discovered vulnerabilities into the hands of people who are in a position to fix them before that information falls into the hands of computer criminals. The exchange of information about these vulnerabilities is the life blood of information security, and that exchange often happens behind closed doors, across international borders, and sometimes, in exchange for money.

Unfortunately, the technical information that you would provide another person about a security vulnerability if you wanted them to fix it is the exact same information that you would provide them if you wanted to enable them to write an "intrusion program" that exploits it. In fact, one of the jobs that I personally held at IBM and Internet Security Systems was to take information about vulnerabilities that was provided to us and use that information to implement a corresponding "intrusion program" so that we could verify that the vulnerability had been fixed properly.

Therefore, an export control on "technology" for the "development" of "intrusion software" may wind up also controlling the exchange of information needed to fix the flaws that "intrusion software" takes advantage of. Any export control regime that d... [ Read More (0.5k in body) ]

Humera Khan | Washington's Top-Down Approach to Countering Violent Extremism Fails to Include Civil Society | Foreign Affairs
Topic: Miscellaneous 11:56 am EST, Feb 20, 2015

The objective of counter-extremism messaging should be to dissuade people from supporting violence, not to defend policy choices made by lawmakers and politicians. This messaging is best done by non-government actors,

This might be the single most intelligent thing I've read on counter terrorism since 9/11.

We've engaged in mountains of bullshit - preemptive wars, torture chambers, totalitarian surveillance. There is very little evidence that any of it is effective and it's all stuff we should have known wasn't going to work.

What people want is "pre-crime." But "pre-crime" is by definition not criminal and so it's something that law enforcement simply isn't equipped to deal with.

This is more like suicide counseling than law enforcement. Instead of identifying at risk individuals and throwing them in dungeons, you identify at-risk individuals and you help them make better choices.

Why has this insight been missing from the dialog for so long?


The War Nerd: Boko Haram and the Demon Consensus | PandoDaily
Topic: Miscellaneous 6:14 pm EST, Feb 5, 2015

This is why I love the War Nerd:

“Yup, in today’s inverted-neocon Left dumbery, it’s assumed you’re a *reactionary* if you care about sub-Saharan African victims of Arab/Muslim religious jihadis…It goes something like this: The US is the most powerful on the planet, and power is evil. So anything at all that is anti-American is good because it’s fighting Power; anything that distracts from that is evil; and anything that America professes to care about is even eviler, because of America’s monstrous hypocrisy.

“It makes you dumb just writing that down, but it’s Assange’s worldview and it’s pretty much the dominant Left’s as well.”

Sometimes it helps to keep in mind that most people just don't understand how to tell right from wrong, and nearly everyone is lying to them about it - but they are lies that they want to believe.


EFF Statement on President Obama's Cybersecurity Legislative Proposal | Electronic Frontier Foundation
Topic: Miscellaneous 12:35 am EST, Jan 14, 2015

Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.


R. Crumb on the Cartoon War
Topic: Miscellaneous 4:21 am EST, Jan 12, 2015

Given the stream of uninformed politically partisan claptrap coming out of all sides on the American political spectrum at the moment this link is worth sharing. R. Crumb understands Charlie Hebdo in context.


RE: with blindfold removed
Topic: Miscellaneous 9:22 am EST, Jan 11, 2015

Teju Cole:

It is necessary to understand that free speech and other expressions of liberté are already in crisis in Western societies; the crisis was not precipitated by three deranged gunmen.

We may not be able to attend to each outrage in every corner of the world, but we should at least pause to consider how it is that mainstream opinion so quickly decides that certain violent deaths are more meaningful, and more worthy of commemoration, than others.

For what it's worth, I am extremely unimpressed with this and the horde of similar pieces streaming out of the American left at the moment. Nearly every argument that is made in this essay is refutable, from the extremely ignorant mischaracterization of Charlie Hebdo as racist, to the false equivalency regarding people who violated security clearances.

It seems that people on the left just aren't comfortable with the fact that sometimes, members of the oppressed masses that they take pity on do things which are, in fact, evil, and not merely an understandable reaction to their circumstances. Evil is a thing that people are capable of regardless of their social position. It is not something that the powers that be have a monopoly on.


Don't you dare call it an intelligence failure.
Topic: Miscellaneous 12:04 am EST, Jan 11, 2015

It seems the unease I expressed earlier in the week was warranted.

We were told that we needed to record everybody's telecom metadata in order to find the needles in the haystack. It's not clear that many needles have been found that way, but regardless, we already had THESE particular needles. We didn't need the telecom metadata program to find them. And, apparently, having the needles isn't enough.

A rational question to ask is why, if these people were on watch lists, were they able to successfully carry out an attack? If it's a matter of resources, then it's reasonable to ask why we don't invest more resources in actually keeping track of known suspected terrorists? If there isn't enough money to go around, perhaps that is because we've spent too much money chasing unknown unknowns and not enough money chasing known unknowns? Even if you don't buy that, then perhaps you'd accept that you simply ought to be spending more total money on anti-terrorism if your country is being deluged with militants returning from Syria and you can't keep track of them all effectively?

Of course, we're not going to be allowed to ask those questions. You see, there is no such thing as an "intelligence failure." The intelligence community is beyond question and it is not appropriate to think critically about their strategy or focus.

The problem we have is the ancient right of habeas corpus. If you want fewer terrorist attacks, you're going to have to get rid of that.

Nice western civilization you've got there, with all your silly little historical precedents. It would be a shame if something happened to it.

RE: there's a lot of nodding
Topic: Miscellaneous 6:52 pm EST, Jan 9, 2015

James Comey:

In the wake of Mr. Snowden’s so-called revelations, there’s a wind blowing that I worry has blown what is a healthy skepticism of government power—I think everybody should be skeptical of government—to a cynicism so that people don’t want to be with us anymore. Meet us out behind the 7-Eleven late at night and I’ll talk to you as long as nobody sees me. Or wear a bag over my head to a meeting with the government. Because there is this wind blowing that there’s something bad if you’re touching the United States Government. We have to build even though there’s that wind. We’ve got to do our best to speak into that wind to try to explain how we’re using our authorities in the government.

How does healthy skepticism turn into cynicism?

Our public policy is an agreement, between the government, and the people, regarding what the government may and may not do. Those of us who are concerned about civil liberties, we often don't like where that agreement ends up.

It's important to appreciate that a lot of the people who the government wants to work with - a lot of the people in the private sector who protect the Internet - care about civil liberties. They care about civil liberties because they are engineers, and to engineers, civil liberties seem logical.

Why should we care especially about civil liberties? Why programmers, more than dentists or salesmen or landscapers?

Let me put the case in terms a government official would appreciate. Civil liberties are not just an ornament, or a quaint American tradition. Civil liberties make countries rich. If you made a graph of GNP per capita vs. civil liberties, you'd notice a definite trend. Could civil liberties really be a cause, rather than just an effect? I think so. I think a society in which people can do and say what they want will also tend to be one in which the most efficient solutions win, rather than those sponsored by the most influential people. Authoritarian countries become corrupt; corrupt countries become poor; and poor countries are weak. It seems to me there is a Laffer curve for government power, just as for tax revenues. At least, it seems likely enough that it would be stupid to try the experiment and find out. Unlike high tax rates, you can't repeal totalitarianism if it turns out to be a mistake.

This is why hackers worry. The government spying on people doesn't literally make programmers write worse code. It just leads eventually to a world in which bad ideas win. And because this is so important to hackers, they're especially sensitive to it.

So the people that you need to work with, James Comey, the people who run this cyber world that is changing everything, many of those people are people who care about civil liberties. And people who care about civil liberties often don't like where the agree... [ Read More (0.3k in body) ]
