Archive

Category Archives for "Security"

Jeb Bush is a cyber-weenie

Jeb Bush, one of them many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services
Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who are.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realized he's been sucked into the Democrat framing, and that what he says is garbage.


A better example is Jeb's position Continue reading

Prez: Candidate synchronization

So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.

The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, but only that's is some sort of critical deadline that must be met, which we can only do so with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.

Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and send's out a similar email blast of their own.

Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. Continue reading

How Encryption of Network Traffic Works?

How does Internet work - We know what is networking

I recently started studying again, this time as an attempt of deep-diving into some security concepts for one of my PhD courses. It’s interesting how, as much as you try to escape from it, mathematics will sooner or later catch you somewhere and you will need to learn a bit more of it. At least that happened to me… In this process I realised that if you go beyond simple security theory and network device configuration all other stuff is pure mathematics. The reason behind my unplanned course in mathematics is explained through the rest of this text. It will

How Encryption of Network Traffic Works?

I gave $10 to every presidential candidate

What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly million names of donors they've collected?

I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly ~25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.

For most candidates, the first two pieces of information they ask of your is #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get your to turn out. But as a side effect, it means being able to extract favors from local politicians. 

Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I suspect one use of this information is when one Representative goes to another and says "If you Continue reading

Zerodium’s million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red-herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market or 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they Continue reading

Some notes on NSA’s 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, Continue reading

There are two sides to every story

In today's "clock" controversy, the clock didn't look like these:


Instead, this is the picture of the device (from the police department):



It's in a "pencil case", not a briefcase. You can compare the size to the plug on the right.

They didn't think it was a bomb, but a "hoax bomb". If they thought it might be a real bomb, they would've evacuated the school. Texas has specific laws making illegal to create a hoax bomb -- it is for breaking this "hoax bomb" law that the kid was arrested.

This changes the tenor of the discussion. It wasn't that they were too stupid they thought it was a bomb, it was that they were too fascist believing it was intentionally a hoax.

These questioned him, and arrested him because his answers were "passive aggressive". This is wrong on so many levels it's hard to know where to begin. Of course, if the kid's innocent his answers are going to be passive aggressive, because it's just a clock!!!

It was the english teacher who turn him in. Probably for using a preposition at the end of a sentence. The engineering teacher thought it was a good project.

It's actually Continue reading

Maybe with less hate

I wanted to point out President's rather great tweet in response to Ahmed Mohamed's totally-not-a-bomb:


The reason this tweet is great is that it points out the great stupidity of the teachers/police, but by bringing Ahmed up rather than bringing them down. It brings all America up. Though the school/police did something wrong, the President isn't attacking them with hate.

The teachers/police were almost certainly racist, of course, but they don't see themselves that way. Attacking them with hate is therefore unlikely to fix anything. It's not going to change their behavior, because they think they did nothing wrong -- they'll just get more defensive. It's not going change the behavior of others, because everyone (often wrongly) believes they are part of the solution and not part of the problem.

Issues like Ahmed's deserve attention, but remember that reasonable people will disagree. Some believe the bigger issue is the racism. Other's believe that the bigger issue is the post 9/11 culture of ignorance and suspicion, where Continue reading
1 162 163 164 165 166 182