"I don't think the report is true, but these crises work for those who want to make fights between people." Kulam Dastagir, 28, a bird seller in Afghanistan
More Homes Return to Positive Equity | The Big Picture
8:36 am EDT, Mar 20, 2013
This heat map shows areas with significant negative equity. Many areas have improved. Atlanta ranks alongside Detroit, Las Vegas, Phoenix, most of Florida and the central California valley as one of the last places to recover.
Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com
2:51 pm EDT, Mar 18, 2013
Today Weev was sentenced to 3.5 years in prison for collecting AT&T iPad Customer Data:
A friend of mine wrote:
Weev's sentence is steep, but remember, a) he didn't disclose to att, b) he talked about making a profit & causing att stock to drop.
I read the IRC thread (link below). There is really nothing wrong about talking about AT&T's stock dropping. If you found that AT&T was polluting a river, and you called the press, you might talk about how the coverage would impact their stock price. There is nothing criminal about that at all. If some friend of yours joked about trading on the information before it was disclosed, you might tell them to keep you out of it. That seems to be exactly what happened here. It seems clear from the thread that he was seeking a legal way to benefit off of the discovery, but he seems to be trying to avoid doing something illegal and seems to be trying to avoid having his friends involve him in doing something illegal.
I would have disclosed the vulnerability to AT&T, but I'm not sure that I can fault him for failing to do that. History is full of examples of organizations that reacted to vulnerability disclosures by shooting the messenger and refusing to fix the underlying problem. Does the fact that the disclosure was public and uncoordinated MAKE this a crime? That conclusion requires deciding that ALL vulnerability disclosure must be coordinated to be legitimate, and I'm uncomfortable with that conclusion.
I think we have to allow for the possibility that people will find vulnerabilities in public facing infrastructure like this, we have to allow for the fact that the only way to validate that a vulnerability like this exists is to actually try it, we have to allow for the fact that a disclosure of such a vulnerability might not be coordinated. Basically, I think that this ought to be legal.
If he was trying to fence the data that would be a problem. If he dumped a bunch of people's personal info publicly that would be a problem, but he clearly decided against doing so.
He found a vulnerability, he verified his finding, and he publicly disclosed the issue so that it would be fixed. I think we have to allow for that.
I think they threw someone in prison for 3.5 years for something that needs to be legal if we're going to run public infrastructure with computers the way we are.
Arguably there is a legal grey area between allowing for the fact that someone might stumble upon a rather obvious vulnerability and disclose it without taking advantage of it criminally, which is what occurred in this case, and allowing people to aggressively pen test public systems without permission. It might be difficult to have the latter be illegal while allowing for the former case. This is where the discretion of prosecutors comes into play. An example like this shouldn't have been prosecuted. We don't need to put people in prison for disclosing vulnerabilities to the press.
AT&T Hacker 'Weev' Sentenced to 3.5 Years in Prison | Threat Level | Wired.com
2:02 pm EDT, Mar 18, 2013
A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release.
Federal Judge Finds National Security Letters Unconstitutional, Bans Them | Threat Level | Wired.com
7:55 am EDT, Mar 18, 2013
Ultra-secret national security letters that come with a gag order on the recipient are an unconstitutional impingement on free speech, a federal judge in California ruled in a decision released Friday.
The Biggest Failure of Open Data in Government | Open Knowledge Foundation Blog
11:16 am EDT, Mar 15, 2013
Unfortunately, somewhere in this new wave of open data we forgot some of the most fundamental information about our government, the basic “who”, “what”, “when”, and “where”.
Do you know all the different government bodies and districts that you’re a part of? Do you know who all your elected officials are? Do you know where and when to vote or when the next public meeting is? Now perhaps you’re thinking that this information is easy enough to find, so what does this have to do with open data?
Lawfare › Drones, Domestic Detention, and the Costs of Libertarian Hijacking
11:15 am EDT, Mar 15, 2013
It seems to me that both of these episodes represent examples of what might be called “libertarian hijacking”–wherein libertarians form a short-term coalition with progressive Democrats on national security issues, only to pack up and basically go home once they have extracted concessions that don’t actually resolve the real issues.
Groening also did other artwork for Apple. Before his brochure, he created a poster titled, 'Networking in Hell,' which was also based around his Life in Hell characters. The poster is rather amusing, and the headline reads, “Looking for advanced communications between your Macintosh and that ‘Big Blue’ mainframe? Then bring your floppies down to Akbar ‘n’ Jeff’s Communications Hut.” Jeff Miller, an engineer at Apple during that time, recalls that Groening did the poster in exchange for a LaserWriter, which retailed for many thousands of dollars back in the 80s.
I wrote up the following response to Rob Graham's cyberwar blog post. I'm posting here because it is too large for his comment system:
I think the problem here is that the question of whether or not cyberwar is real is being conflated with the question of what the right response ought to be.
There is no question that the powers that be are over hyping this issue in an attempt to grab power. Our new Secretary of State John Kerry referred to "cyber weapons" as "the modern day, 21st century nuclear weapons equivalent." That's just silly.
I think that a lot of people in the computer security "scene" have responded to that overhyping by swinging the pendulum too far in the other direction. Are they taking that position because there really is no problem, or are they taking that position because they don't like the solutions that men like John Kerry have on offer?
The computer security "scene," such as it is, is incredibly guilty of claiming to be, as Dan Holden says, "holier than thou." A lot of these people are primarily motivated by a desire to feel smarter than the establishment. It's a good feeling, but sometimes it is a self-delusion.
Take Advanced Persistent Threat. It's a real problem and it's very difficult to manage. But you get this constant counterpoint being offered by people in the "scene."
Here you argue that spear phishing isn't an "Advanced" technique. These people are not trying to get a talk accepted at Blackhat. They are trying to break into computer networks. They will use whatever technique is effective, no matter whether or not people in the "scene" think it deserves to be called "Advanced." They have the capability to do things that are very sophisticated. They use that capability when they need to. Often, they don't.
Computer based espionage is real. It's a hard problem. Comparing it to "basic teenager attacks" comes dangerously close to confirming all the BS marketing out of the vendors at RSA this year. "Just buy my product and it will block all the APTs at your perimeter." If it were easy, those claims would have merit. Just press the "easy" button, problem solved!
Denial of Service attacks are real. Computer based sabotage of physical infrastructure is real. Yes, it fits into a greater geopolitical context. No, I don't have lots of information about the kind of stuff the NSA has cooked up in the lab, but I can imagine, and I'll bet they've shown John Kerry some pretty wicked software in a classified briefing somewhere.
The question is, what do we do about it?
Overregulation presents a risk of tying people down and preventing them from effectively defending themselves. For example, the original draft of the big cybersecurity bill required people who defend critical infrastructure networks to carry professional certifications with a variety of rigid requirements that have no relationship at all to whether or not someone is knowledgeable and effective a...