The Daily Parker

Politics, Weather, Photography, and the Dog

Meetings all day

All of these articles look interesting, and I hope I get to read them:

Oh, fun! Another meeting!

Security expert: Don't blame the user

Bruce Schneier points out that we software developers have more responsibility to protect users than they have to follow all of our instructions:

The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."

I'm sometimes guilty of it, too. Though, I also feel that users can do really stupid things that ought not to be our responsibility. After hearing countless stories about fraud, why do some users give credit card numbers to complete strangers, for example?

Later, when I'm done with all this coding...

Some articles to read:

That's all for now. More conference calls...

NSA has a very bad week

Via Bruce Schneier, the NSA lost control of a crap-ton of hacking tools sometime before 2013, and managed to stop the bleeding only after discovering Edward Snowden's leak:

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I've found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic. And it does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

From an operational standpoint, this is not a catastrophic leak. Nothing here reveals some special "NSA magic." Instead, this is evidence of good craftsmanship in a widely modular framework designed for ease of use. The immediate consequence is probably a lot of hours of work down the drain.

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps—which are easy to modify—the most likely date of acquisition was June 11, 2013 (see Update, however). That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks, as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

So, yeah. The NSA had a bigger problem than Edward Snowden until he broadcast his leak and sent their plumbers into overdrive. And even then, they didn't properly secure the data.

Link round-up

We had nearly-perfect weather this past weekend, so I'm just dumping a bunch of links right now while I catch up with work:

Back to the mines.

Later this afternoon, I'll have time to read...

What I'm reading (later today)

All for now.

Want shorter lines at the airport? Think through security

Pilot Patrick Smith outlines, one more time, a number of sensible ways to shorten airport security lines while providing better security overall:

As I’ve argued for years, there are two fundamental flaws in our approach. First is the idea that every single person who flies, from infant children to elderly folks in wheelchairs, is seen as a potential terrorist of equal threat. Second, and and even more maddening, is the immense amount of time we spend rifling through people’s bags in the hunt for harmless liquids, pointy objects, and other perceived “weapons.” In a system that processes more than two million passengers every day of the week, neither of these tactics is effective or sustainable. Our approach is so flawed, and so bogged down in ridiculous, wasteful nonsense, that it can hardly move under its own weight. Yet all we hear about is how to add yet more layers of fat to the system.

Does anybody remember the comedy of errors that allowed the so-called “Underwear Bomber” to make his way onto a Detroit-bound flight out of Amsterdam? Here was a Nigerian citizen who’d spent time in Yemen, traveling on a one-way ticket, and whose own father had tried to warn American authorities about him. And here we are confiscating plastic squirt-guns and rubber swords from four year-old kids at regional airports in Utah.

The trouble isn’t that we have “too much security” per se. It’s that we have too much security in the wrong places. The solution isn’t pouring more and more money into a defective strategy. It’s changing that strategy.

Amen. Again. Because Smith isn't advocating anything new; he's been saying all this for years, as have Schneier, former TSA directors, other pilots, and on and on. What's it going to take to change our ridiculous policies?

My stack is stacking up

Too many things to read before lunchtime:

Now, back to work.

Things in my Inbox

Some articles:

Today's other tasks include cleaning my house and writing code for about four hours.