There are great benefits to connectedness, but we haven't wrapped our minds around the costs.
such reluctance. much democratization. wow.
11:17 pm EDT, Apr 29, 2015
American military officials have been reluctant to let go of the war, arguing that their involvement remains necessary ... the distance seems to be widening between the administration's public statements and what the military appears to be doing ...
David Maxwell, a former Special Forces colonel now at Georgetown University:
This isn't spying -- this is armed anthropology.
If it's useless, why is there such a focus on a cybersecurity strategy? Because tactics are hard.
As the computers already critical to running our infrastructure become connected, our vulnerability to cyberattack grows. I worry about a future a decade from now if these problems aren't addressed.
I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states.
C. J. Chivers:
Weapons can be steered for only so long.
The GAO cited the need to make design changes to the engines and then retrofit planes already built, along with continuing flaws in the plane's software, in a report that warned the Defense Department's "procurement plan may not be affordable."
Mark Goodwin, of Virginia Tech:
Some reports say that we have globally less than 1,000 people who are truly qualified [in cyber defense], whereas we need over 30,000 to address the problem.
I heard Jamie Dimon of JP Morgan say at a conference that his firm is doubling the amount they spend on computer security in 2015 ...
10:11 pm EDT, Apr 28, 2015
The notion that electronic devices and communications could never be unlocked or unencrypted ... is troubling.
There's no scenario in which we don't want really strong encryption.
Universal encryption is difficult and expensive, but unfortunately necessary.
About 1,500 iPhone and iPad apps contain an HTTPS-crippling vulnerability that makes it easy for attackers to intercept encrypted passwords, bank-account numbers, and other highly sensitive information.
The truth is, people will never achieve true privacy and anonymity online. Tracking is not only here to stay, it's getting more pervasive and sophisticated.
In reality, it's incredibly hard to isolate individuals responsible for cyber attacks -- especially when it comes to industrial espionage, where attacks may take place over months and years, and even harder to prove that a company has benefited from such an attack.
This isn't something the market can solve on its own ...
The continued reporting on state surveillance by the media contrasts with the public's quickly faded interest.
No one cares. [Americans] don't give a shit.
The US requires strong intelligence, forensics, and indications and warning capabilities to reduce anonymity in cyberspace and increase confidence in attribution. Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups.
Even people outside China are being weaponized to target things the Chinese government does not like ...
Today dozens of militaries are developing cyber forces, and because stability depends on avoiding miscalculation that could lead to escalation, militaries must talk to each other and understand each other's abilities. DoD must do its part to shed more light on cyber capabilities that have previously been developed in the shadows.
When nonviolence begins halfway through the war with the aggressor calling time out, it exposes itself as a ruse.
Self-deception remains the most difficult deception.
10:10 pm EDT, Apr 27, 2015
It's all one network, and it's all critical infrastructure.
We constantly find very vulnerable technology being used ... for critical infrastructure without any security testing.
Vulnerable data systems present state and non-state actors with an enticing opportunity ...
[APT30] has been able to operate with the same tools and the same infrastructure for nearly a decade. That means the governments and the organizations they're targeting have not been able to detect them. That is truly scary.
It may be time to ask: Is that a cost we, as a society, are prepared to pay?
People say to me, "Whatever it takes." I tell them, It's going to take everything.
7:32 am EDT, Apr 27, 2015
Between attendees, vendors, speakers, and other hangers-on, there were more than 30,000 people at the Moscone Center in San Francisco this week. To put that number in perspective, that's roughly 30% of the worldwide membership of (ISC)², the umbrella organization for CISSPs and related certifications.
If I were a hacker, this would have been the week to strike.
While Mr. Carter got a respectful hearing, Jeh Johnson, the secretary of Homeland Security, and a group of other government officials ran into a buzz saw of skepticism ... cryptographers say the need for encryption is greater than ever.
State and non-state actors also pay experts to search for vulnerabilities and develop exploits. This practice has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes.
We want you to make money.
A ransomware culture of "pay me or I won't tell you about your terrible security bug" does not feel very far off ... These researchers need to be working together in public, not in secret against each other.
I am concerned that we may be slowly moving toward a world where given enough money, all bugs are shallow. Money does introduce some perverse incentives for software security, and those incentives should be watched closely.
Well-designed tests also can help with specific job assignments, for example by suggesting some cyber warriors are better suited for offensive, rather than defensive, operations.
"The way the brain works for people who can find things works a little different than for the guys who build things," said Alan Paller, the SANS research director.
11:53 am EDT, Apr 26, 2015
Gregory D. Johnsen:
This is John Brennan's story, his life and his career. But it's also ours. The excesses and mistakes of more than a decade of war, what we tolerate and what we don't. What we're willing to forgive and what we won't. Politicians who don't deliver on their promises, and well-intentioned individuals who bring about great harm. It's about the man he is, and the country we've become.
DHS is out of step, out of touch, and so arrogant and ambivalent with a keynote like Johnson's that it's actually surprising at the end of the day that they can't even try to fool us into believing that cybersecurity isn't just another thing they have to pretend to understand until they retire.
We are vulnerable in this wired world. Today our reliance on the confidentiality, availability, and integrity of data stands in stark contrast to the inadequacy of our cybersecurity.
I don't think security breaches are stoppable in the current computing paradigm.
Inside the White House, the intrusion has raised a new debate about whether it is possible to protect a president's electronic presence, especially when it reaches out from behind the presumably secure firewalls of the executive branch.
Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router. Brazilian security researchers Joaquim Espinhara and Rafael Silva were able to abuse the feature and build a system to hoover up massive volumes of data.
Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication.
These days, network security has to be pushed into the end nodes ...
The big take-away is that cleartext is just dead.
not especially confidence-inspiring
1:29 pm EDT, Apr 25, 2015
Most of what we think of as expertise, knowledge and intuition is being deconstructed and recreated as an algorithmic competency, fueled by big data.
It was natural for doctors, nurses and pharmacists to expect that, once computers entered our complex, chaotic and often dangerous world, they would make things better.
Any arrangement that promotes an adversarial relationship between doctor and patient compromises medicine.
Doctors who support policies that make them into police should ask themselves what practicing medicine will be like when all their patients lawyer up.
Nicholas Carr's angle on automated trading is concerned with what algorithms do to traders -- and not what traders and algorithms do to the rest of us. "A reliance on automation is eroding the skills and knowledge of financial professionals," he notes dryly. Only a technology critic -- with no awareness of the actual role that "financial professionals" play today -- would fail to ask a basic follow-up question: How is this not good news?
Economists from Harvard University and the University of Chicago wrote in a recent paper that every dollar a worker earns in a research field spills over to make the economy $5 better off. Every dollar a similar worker earns in finance comes with a drain, making the economy 60 cents worse off.
It's not especially confidence-inspiring to read that a guy with a spreadsheet can trick everyone into thinking that the market is crashing, and thereby cause the market to crash.
Zachary M. Becker, an assistant Franklin County prosecutor:
You had some rogue employees who took advantage of both the trust of their companies and their knowledge of the security measures ...
The massive screwup that led to the loss of funds is when the Marketing Director forwarded that [password reset] email to myself and the tech team member. He forwarded the password reset link. To the breached email account.
"The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person."
The immigration officer then recommended that the world leaders not be made aware of the breach of their personal information.
7:43 am EDT, Apr 24, 2015
What companies really need to measure is not how engaged their employees are, but rather how consistently energized they feel.
It's this ability to persist, more than intelligence or talent, that separates the people who achieve their goals from the ones who do not.
Shift your focus away from what you want (a billion dollars) and get deeply, intensely curious about what the world wants and needs.
The only way to stay fully alive is to dive down to your obsessions six fathoms deep.
Make a contribution. Feel what it's like to be a part of something that's bigger than yourself.
People on the road to character understand that no person can achieve self-mastery on his or her own.
7:43 am EDT, Apr 24, 2015
Terrorism of any type cannot succeed if the people refuse to be terrorized.
The most powerful way to represent power has always been to refuse to represent it.
Yuval Noah Harari:
Terrorists don't think like army generals; they think like theatre producers.
The fact that parts of our government wanted to kill, without a trial, a citizen who, even if convicted, will face a maximum of fifteen years in prison, illustrates the dramatic divide between the military and law enforcement models for addressing terrorism. Remote-control killing without trial away from battlefields should be disturbing regardless of the passport the victim holds.
No one cares. [Americans] don't give a shit.
As a military, we have to embrace openness.
The only thing that seems to truly terrorize the industry is the prospect of transparency and public accountability.
People don't even seem to recognize the damage these [police body] cameras will do ...
excellent copy that people find meaningful, now with fifty percent more urgency!
7:10 am EDT, Apr 23, 2015
Reporters are going to be looking for other stories to cover over the next year, and a quixotic campaign by the quotable and unpredictable Lincoln Chafee could be excellent copy.
Because policies that command the agreement of the two parties' establishments are largely ignored by the DC press in favor of the issues where they have some disagreements, the illusion is created that they agree on nothing.
David Sanger: There's a lot we miss every day. I go to work every day convinced that I've got a handle on fully 3% of what's going on, okay?
Stewart Baker: [laughing] The key is [that] you can persuade us it's the most important 3%.
David Sanger: [laughing] That's right. [laughing] That's right.
Martin Baron, executive editor of the Washington Post:
It used to be, in companies like ours, that we hired people who could learn from us. Now we aim to hire people who can teach us what we need to know.
Who can we turn to if not our news anchors?
David W. Dunlap:
Publicity surrounding the observatory's opening next month may temporarily divert public attention from the scrutiny being paid to the friendship between Gov. Chris Christie of New Jersey, who exercises a great deal of control over the Port Authority, and Jerry Jones, the owner of the Dallas Cowboys and an owner of Legends.
Max Eulenstein and Lauren Scissors:
Pages should continue to post things that people find meaningful.
New York Times:
Top Stories is now more urgent, more visual and more helpful.
Ninety-one percent of Americans feel they're living in a golden age of reasonable assistance
10:10 pm EDT, Apr 22, 2015
Now, finally, I have an ask: for your indulgence and your understanding on the subject of encryption. Our inability to access encrypted information poses public safety challenges.
Pew, via Elizabeth Dwoskin:
91% of Americans feel they've lost control over their personal data.
Just through a five-minute normal conversation we have gotten every ounce of information possible from them to commit identity theft.
We'll never be lost until we lose our tools, and then we'll be much more lost than ever before.
It is something of the paradox of technological progress that, in our efforts to become invulnerable, we usually gain new, unexpected vulnerabilities, leaving us in vaguely the same condition after all.
It is probably true that entities with useful vulnerability information are not sharing it frequently enough with the government. And when the government asks them why they don't share, they say, "because we'd like liability protection." Because what even slightly regulated corporation doesn't want liability protection?
Over the next decade, advanced weapons platforms ... will flood the arms market ...
As the Middle East descends into proxy wars, sectarian conflicts and battles against terrorist networks, countries in the region that have stockpiled American military hardware are now actually using it and wanting more. The result is a boom for American defense contractors ... but also the prospect of a dangerous new arms race ...
IBM's Open Power program is getting particular attention in China ... because it plays into local demands that foreign tech companies disclose intellectual property, open up encryption standards and submit to invasive security audits of products.
The truth is, law enforcement ... is ...