Uncomfortable Truths Or Personal Consequences

Topic: Computer Security
11:31 am EST, Feb 17, 2013
Michael Schmidt and Nicole Perlroth: Hackers are increasingly exploiting the lack of security to gain access to the nation's most critical infrastructure.
Jon Kalish: The kids in Hacker Scouts are not breaking into computer networks. They make things with their hands.
Susan Landau: What are the personal consequences for employees who allow data breaches to happen? Until people lose their jobs, nothing is going to change.
Nicole Perlroth and Nick Bilton: A common saying among security experts is that there are now only two types of American companies: Those that have been hacked and those that don't know they've been hacked.

A Global Market in Friendly Conversation

Topic: Computer Security
8:19 am EST, Feb 15, 2013
Ellen Nakashima: Cyber-espionage, which was once viewed as a concern mainly by U.S. intelligence and the military, is increasingly seen as a direct threat to the nation's economic interests.
Christopher Soghoian: On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices.
David Chavern, Chief Operating Officer at the US Chamber of Commerce: It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It's the new normal.
George Chidi: I'm consistently surprised by what can be learned from a friendly conversation with the right person. The only thing more surprising has been what I've learned without talking to a soul.

The Identity Ecosystem Is Voluntary | A Noteworthy Year

Topic: Computer Security
12:12 pm EST, Dec 29, 2011
Brian Stelter: Not too long ago, theorists fretted that the Internet was a place where anonymity thrived. Now, it seems, it is the place where anonymity dies.
Howard Schmidt: I don't have to get a credential if I don't want to.
Robin Wauters: You never know who's sniffing.
Sandy Pentland: Phones can know.
Evgeny Morozov: Finding a way to articulate a critical stance ... before technology giants like Facebook usurp public imagination with their talk of "frictionless sharing" should be top priority for anyone concerned with the future of democracy.
Occupy Google Reader: If I wanted Facebook I'd use it.
Theodor Holm Nelson: We are in a world nobody designed or expected, driving full tilt toward -- a wall? a cliff? a new dawn? We must choose wisely, as if we could.
John Gruber: There's still never been a better time to not have a Facebook account.
Nik Cubrilovic: Even if you are logged out, Facebook still knows and can track every page you visit.
Nick Bilton: The Internet never forgets.
Howard Schmidt: With our partners around the world, we will work to create a future for cyberspace that builds prosperity, enhances security, and safeguards openness in our networked world. This is the future we seek, and we invite all nations, and peoples, to join us in that effort.
NIST: The identity ecosystem is voluntary.

The Experienced Ones Take Their Time | A Noteworthy Year

Topic: Computer Security
9:54 am EST, Dec 28, 2011
Erin Nealy Cox, a former U.S. federal computer crimes prosecutor: It's not a matter of if, it's a matter of when.
Art Coviello: Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).
A Secret Service analyst: The experienced ones take their time and slowly bleed the data out.
David Sanger and John Markoff: The International Monetary Fund was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown.
David Chavern, Chief Operating Officer at the US Chamber of Commerce: It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in.
Christopher Drew and John Markoff: Lockheed sells cybersecurity services to military and intelligence agencies, and some experts said its failure to take greater precautions with its own systems could be embarrassing.
Ashar Aziz: The world is in this state of persistent insecurity.
Bruce Sterling: This is gonna get worse before it gets better, and it's gonna get worse for a long time.
Bryan Sartin: If you think financially motivated breaches are huge now, just wait another year.

The New Normal

Topic: Computer Security
8:47 pm EST, Dec 23, 2011
Eric Schmidt: If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.
Undersecretary of Commerce Mark Foulon: It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.
David Chavern, Chief Operating Officer at the US Chamber of Commerce: It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again.
Robert Reich: Fully two-thirds of Americans recently polled by the Wall Street Journal say they aren't confident life for their children's generation will be better than it's been for them. The last time our hopes for a better life were dashed so profoundly was during the Great Depression.

CCC | Chaos Computer Club analyzes government malware

Topic: Computer Security
12:14 pm EDT, Oct 10, 2011
Susan Landau: How can we get communications security right?
Steve Bellovin et al.: Architecture matters a lot, and in subtle ways.
Cory Doctorow: I am enough of a techno-pessimist to believe that baking surveillance, control and censorship into the very fabric of our networks, devices and laws is the absolute road to dictatorial hell.
Andy Greenberg: The exploitation of lawful intercept is more than theoretical.
Eric Schmidt: If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.
Decius: What you tell Google you've told the government.
Chaos Computer Club: The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.
Julia Angwin: Anecdotal data suggest that digital searches are becoming common.
Noam Cohen's friend: Privacy is serious. It is serious the moment the data gets collected, not the moment it is released.

Secure In-Band Wireless Pairing

Topic: Computer Security
11:11 pm EDT, Sep 21, 2011
Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi: This paper presents the first wireless pairing protocol that works in-band, with no pre-shared keys, and protects against MITM attacks. The main innovation is a new key exchange message constructed in a manner that ensures an adversary can neither hide the fact that a message was transmitted, nor alter its payload without being detected. Thus, any attempt by an adversary to interfere with the key exchange translates into the pairing devices detecting either invalid pairing messages or an unacceptable increase in the number of such messages. We analytically prove that our design is secure against MITM attacks, and show that our protocol is practical by implementing a prototype using off-the-shelf 802.11 cards. An evaluation of our protocol on two busy wireless networks (MIT's campus network and a reproduction of the SIGCOMM 2010 network using traces) shows that it can effectively implement key exchange in a real-world environment.
Recently: Tom Cross, Manager IBM X-Force Threat Intelligence and Strategy, talks through the challenges of using open wifi and his proposal for secure open wireless networking.
Also: I sat down last night and recorded a 70 minute long presentation on Secure Open Wireless Access. You can download the recording as a 37 Meg Quicktime Movie here. Don't forget to download our code.

Regions of Space In Which A Cooler Climate Prevails

Topic: Computer Security
8:03 am EDT, Jun 14, 2011
Art Coviello: We recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance.
Steve Grand: Clouds aren't really things -- instead, it makes more sense to think of them as regions of space in which a cooler climate prevails. You are like a cloud: Something that persists over long periods, while simultaneously being in flux. Matter flows from place to place and momentarily comes together to be you. Whatever you are, therefore, you are not the stuff of which you are made.
Roger Highfield: The reality is that, despite fears that our children are "pumped full of chemicals", everything is made of chemicals.
An exchange: Ernie: Is there anything fluffier than a cloud? Big Tom: If there is, I don't want to know about it.
Bryan Sartin: If you think financially motivated breaches are huge now, just wait another year.
Ed Tom Bell: You can say it's my job to fight it but I don't know what it is anymore. More than that, I don't want to know. A man would have to put his soul at hazard. He would have to say, okay, I'll be part of this world.
Cordelia Dean: There are those who suggest humanity should collectively decide to turn away from some new technologies as inherently dangerous.
Mark Foulon: It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.
Decius: I said I'd do something about this, and I am.
Fear not: We're going to be okay, aren't we Papa? Yes. We are. And nothing bad is going to happen to us. That's right. Because we're carrying the fire. Yes. Because we're carrying the fire.

International Political Dynamite on the Loose

Topic: Computer Security
8:21 pm EDT, Jun 12, 2011
David Sanger and John Markoff: The International Monetary Fund was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown. The concern about the attack was so significant that the World Bank, an international agency focused on economic development, whose headquarters is across the street from the IMF in downtown Washington, cut the computer link that allows the two institutions to share information.
Undersecretary of Commerce Mark Foulon: It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.
Rebecca Brock: People say to me, "Whatever it takes." I tell them, It's going to take everything.
Sanger and Markoff: The fund's database includes communications with national leaders as they negotiate, often behind the scenes, on the terms of international bailouts. Those agreements are, in the words of one fund official, "political dynamite in many countries."
Eric Schmidt: If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.
Cory Doctorow: The real reason to wear the mask is to spare others the discomfort of seeing your facial expression ... To make it possible to see without seeing.

SecurID Breach Suggested in Hacking Attempt at Lockheed

Topic: Computer Security
12:42 pm EDT, May 30, 2011
The Horror, The Horror: Owner: Take this object, but beware it carries a terrible curse! Homer: [worried] Ooooh, that's bad. Owner: But it comes with a free Frogurt! Homer: [relieved] That's good. Owner: The Frogurt is also cursed.
Christopher Drew and John Markoff: Lockheed Martin, the nation's largest military contractor, has battled disruptions in its computer networks this week that might be tied to a hacking attack on a vendor that supplies coded security tokens to millions of users, security officials said on Friday. Lockheed sells cybersecurity services to military and intelligence agencies, and some experts said its failure to take greater precautions with its own systems could be embarrassing.
Art Coviello, in March: Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).
From the Loose Tokens Boil Oceans department: What in the world is going on? Oh, it's a hacker causing all of this chaos.
Undersecretary of Commerce Mark Foulon: It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.
Samantha Power: There are great benefits to connectedness, but we haven't wrapped our minds around the costs.
Jack Kerouac: "You boys going to get somewhere, or just going?" We didn't understand his question, and it was a damned good question.