I think there is a potential market for upscale Faraday cages. I mentioned this a while ago on BoingBoing.

The more ostentatious, the better. It should be about the size and beauty of a fine humidor. Some would be gold, silver or platinum plated. But, you could also have ones that appeared to be mahogany, rosewood or teak. Market it as "The Privacy Box", or perhaps just pBox. You pitch it as a critical accessory for the upwardly mobile. When you absolutely need privacy, just put the phone in the "Pbox".

Expensive lawyers would use it to reassure clients that they took their privacy seriously. C-level executives would use it to highlight the importance of their discussions. The ritual of placing the cell phones in the "Privacy Box" would help seal the deal.

The primary attributes of this product would be:

• * It must demonstrate "Tasteful Expense" like a fine watch.
• * It must look good on an executive's desk.
• * It must block the sensors of any cell phone that is placed inside.
• * It must close with a smooth, audible click.

For extra points, you could easily design it to:

• * Restrict interaction between multiple cell phones in the same container, tho this isn't as critical as looking expensive.
• * Automatically trigger airplane mode (to limit battery drain.)
• * Recharge the phone(s).

Wish I had the capability to make something that looked expensive and tasteful. I think this would sell itself.

I tailor my note-taking device, depending on how I want to interact with others. I have found that some people are more willing to interact with me if I am taking notes with pen and paper. I have also found that the later work of transcribing paper to electronic form is not really wasted if it helps me to organize my followup.

But, sometimes, a phone is all I have. And sometimes, I just need the speed and organization of taking notes with a laptop.

It is nice to see that the exponential growth in the number of patents has finally faltered: http://www.uspto.gov/web/offic... It's a pity that the current rate of patent creation is more than sufficient to destroy almost all production and innovation.

We have been fooled into thinking that patents are innovation. But, the current rate of patent creation is anti-innovation and anti-productive.

Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. Patents don't guarantee production or innovation. They only enable lawsuits.

An occasional lawsuit might possibly spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. The current patent industry is responsible for enormous numbers of lawsuits every year. This legal deathtrap has captured marketplaces, destroyed production and stagnated innovation.

We had a similar problem. Fortunately we had a better outcome.

On of our university's IT group noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified, when we presented the problem to them.

I think the main thing that led to a better outcome was the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.

Still, it took months before the vendor deployed fixed code.

I spend a good chunk of every workday defending my institution from network attacks by the governments of China and Russia. They are not the only ones. I imagine all of them give themselves permission to attack. I expect all of them eventually make it illegal to resist their attacks. As more and more governments create these crazy laws and international agreements, my defensive actions will become more and more illegal. Thanks Five Eyes!

Part of the problem is that many believe that we can attack our way to security. They are confused about the fundamental nature of attack and defense when applied to the internet. They don't understand the combination of global connectivity and automation. They don't understand that any action of internet attack or defense has unintended consequences.

In the old days, you could attack one thing. You could defend one thing. But, that doesn't map well to the internet. Now, we all talk to each other. We all use the same methods of defense. When one actor attacks another, the attack is exposed, analyzed, and re-used. Now, when somebody attacks, they increase the cost of defense for everybody. When somebody comes up with improved defense, we all learn how to increase the cost of attack for everybody.

For over a decade, several branches of the US government have focused almost all their energy on attacking others across the internet. The result is an internet where compromise and breach are daily events. Somehow, our protectors don't see that they are crafting the tools of our demise and handing them to our enemies. If we are honest, we are more to blame for the great compromise at the OPM than our attackers. If we had spent the last decade on creating and encouraging defense, then breach would be difficult and rare.

Now, our governments are blindly following the tradition of attack. They wish to attack the protocols we use to determine identity and create security. They don't see or care that everybody else will do likewise. They don't see the great devastation that will follow.

I do IT Security for a research university. For the last 10 years, we have attempted to handle all incoming attack. Some gets missed, but we make an attempt. It is good work for the interns/trainees. We document the incident, block the attacking IP for an appropriate amount of time, and notify the remote abuse contact. We have found that handling attack provides significant benefits:

• * Our security team remains functional. Ignoring incidents creates bad habits in the security team.
• * It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
• * It greatly reduces the amount of attack. The number of attacks drop off sharply a couple weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th it's prior levels.
• * It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
• * In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.

We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.

We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.

We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.

More info is available here:

• * More background on our abuse reporting: https://it.wiki.usu.edu/SingSi...
• * Our abuse report email template: https://it.wiki.usu.edu/2013Si...
• * Our list of institutional scans: https://it.wiki.usu.edu/201302...

Actually, we got the same response when we offered to send the actual logs.

A very similar thing happened to USU. We received a summons from Homeland/ICE to produce 3 months of records (plus identifying info) for an IP that was one of our TOR exit nodes.

I eventually managed to contact the Special Agent in charge of the investigation. He turned out to be a reasonable person. I explained that the requested info was for an extremely active TOR exit node. I said that we had extracted and filtered the requested data, it was 90 4 gig files (for a total of 360 gigs of log files) or about 3.2 billion log entries. I asked him how he wanted us to send the info. He replied that all he needed to know was that it was a TOR exit node. I then asked again if he wanted the data. He said something like: "Oh God no! Somebody would have to examine it. It won't tell us anything. It would greatly increase our expenditures. Thanks anyway."

And that was the end of it.

YMMV. All Rights Reserved. Not Available In All States. It helps if your institution has it's own Police, Lawyers, and (an extremely active and effective) department of Journalism. And, it doesn't hurt if it is cheaper (and easier) for you to respond to the summons/subpoena, than it is for the Authority to issue it and deal with the result.

I think this is an issue where some are more equal than others.

If an individual runs a TOR exit node, they can be easily intimidated and hassled. There is very little cost to law enforcement for engaging in the intimidation.

At the other end of the spectrum, a large public institution is not susceptible to this kind of intimidation. And, there is a very large cost if law enforcement attempts the intimidation. For example, at the institution I support, if the local cops or low level FBI attempted this kind of intimidation, they would be met by the institution's police force, the institution's lawyers and the institution's journalists. Everything would be recorded in multiple ways. Heck, we even have a state assistant DA permanently assigned to USU. He participated in the process that created the policy and procedures approving the TOR infrastructure.

At this point, if a major university's CS group is not investigating TOR, they should probably give back the funding and become a trade tech. The issues surrounding TOR are critical to our society. A university should not turn it's back to these issues.

Given all that, a law enforcement attempt at intimidation would be ineffective. And, it would likely result in the kind of bad publicity that can cause law enforcement to lose budget.

However you have a good point, libraries are widely distributed in the gap between your unfortunate friend and USU. The smaller ones would be easily intimidated. The larger ones, not so much.

Thanks DamonHD,

We did traffic analysis using net flow information of a few days of traffic on a preliminary TOR exit node. In this situation, traffic analysis is very powerful. We did not try to determine who was talking. But, we have spent years deciphering the nature of connections using flow analysis. We are very successful in determining the nature of the various connections. Encryption does not change the underlying size, flow and pace of the connection. The TOR structure does little to obscure the ultimate timing of request and response. It does nothing to conceal the size of the requests and responses leaving the exit node. We can easily distinguish:

• * Password guessing.
• * Port scanning.
• * Automated vulnerability assessment tools.
• * Automated attack tools.
• * Human driven web browsing.

When we tallied all the traffic for browsing, almost all of it was human driven. When we tallied all the traffic destined to a SSH or RDP port, over 90% of it was abusive.

Thanks Westlake,

We had risk in there earlier. But we later changed it to cost. USU is weird. I suspect all universities are weird. USU is a top tier research university. USU is not run by accountants and MBAs. It is run by researchers and teachers. We are shielded from most legal issues. We are constrained by funding. If we can fund it, we can invest in long term experiments. This is one of them.

This is an extremely significant point. In order to understand the TOR issues and implement TOR properly, an institution has to have a significant investment in IT. Not a problem for universities, and large metropolitan libraries. But, most smaller libraries will not have the expertise to even understand the issues and how to mitigate them.

True. We may need to clarify that abuse response message to make the following points more clear:

• We have made our decision.
• Here is our rationale.
• When things change, we may change.

I expect we will change our decision to implement TOR sometime in the next 5 years for one of the following reasons:

• TOR is replaced by something better. (Quite likely.)
• TOR is infiltrated by the NSA and discredited. (Somewhat likely.)
• The majority (greater than 80%) of TOR browsing traffic becomes abusive. (Somewhat likely.)
• USU decides to get serious about privacy and implements an interior solution that uses NAT and non-logging proxies to obscure to external inspection, who is doing what. (Somewhat likely.)

When we set up TOR infrastructure at USU, we looked at the costs and benefits.

There are definite costs to running TOR infrastructure. You have to be aware of them. Some of the costs can be mitigated, but some can't. At the end, you have to be able to show that the benefits outweigh the costs.

First we examined the benefit. We made a clear statement of the benefit. It is:

USU has many researchers and students who deal in sensitive subjects such as Climate Change, Reproductive Issues, Political Systems, Animal Research, etc.. These students and researchers frequently need privacy and security to advance the goals of USU.

Then we discussed the various costs and methods of mitigating the costs. Afterwards, we decided that the costs could be made acceptable, if we were careful.

• Our cost mitigation strategy had several parts:
• 1) We arranged for the TOR infrastructure to have an academic sponsor. The USU CS department agreed to sponsor the TOR project. This gave us an existing structure for providing IT support. And, frankly, TOR is easier to support than some of the other academic projects.
• 2) Most of the direct costs of creating and administering the TOR infrastructure are born by the USU CS department. It really helps that their admin is a diligent and responsible admin. It has been a joy to work with him.
• 3) We have tried to put all the TOR infrastructure on a small CIDR. If people need to block TOR, we try to make it easy for them to block it without effecting other things. That said, if I had to do it again, I think I would continue to have the TOR entry nodes and intermediate relays on a small USU CIDR. I think I would ask USU's ISP (UEN) for a small /28 and hook it up external to USU's normal security perimeter. Then I would put the TOR exit nodes on that external CIDR. This makes it easier to set routing and firewall policy. It also enables entering the TOR switching network internal to USU.
• 4) We examined the TOR traffic and tried to minimize the abusive bits. In our case, we found that most of the TOR web browsing looked non-abusive. However, the majority of the SSH and RDP traffic looked abusive. So, we asked the TOR admin to limit those protocols.
• 5) We clearly documented our TOR setup and use. The TOR nodes have meaningful hostnames. The systems have are well defined roles and responsibilities. We have strongly discouraged the TOR admin from using those systems for anything else.
• 6) We created processes for dealing with the abuse reports.

Here is our standard response to an abuse report against USU's TOR infrastructure:

=BEGIN ABUSE RESPONSE=
The activity that you have reported is being emitted by a TOR exit node:

------------
$ host 129.123.7.6 6.7.123.129.in-addr.arpa domain name pointer tor-exit-node.cs.usu.edu.

$ host 129.123.7.7
7.7.123.129.in-addr.arpa domain name pointer tor-exit-node-2.cs.usu.edu.
------------

This TOR node is a project of USU's CS department. USU has many researchers and students who deal in sensitive subjects such as Climate Change, Reproductive Issues, Political Systems, Animal Research, etc.. These students and researchers frequently need privacy and security to advance the goals of USU.

Almost all TOR traffic is generated by innocent people who are attempting to escape the shadow of a totalitarian government. But, unfortunately, sometimes criminals attempt to use TOR to attack others.

We are in discussion with our TOR admins to try to find ways to limit the attack activity. Of course, this rapidly becomes a sticky issue. If we start inspecting and censoring some of the TOR activity, then we have less of a defense when we get pressure to inspect and block the rest. And, even starting down this path may make us legally liable for ALL the TOR traffic. Our best action may be to keep our hands off and observe strict network neutrality.

We are still pondering our options.

Please accept our apologies in the mean time.

USU IT Security
=END ABUSE RESPONSE=

If you actually want to effectively counter the "Dinosaur Killer" scenario, the best answer is early detection and a large "Orion" ship. See: https://en.wikipedia.org/wiki/...

We could have build a large Orion propulsion ship anytime in the last 40 years. It would probably cost less than an aircraft carrier. A large Orion propulsion ship could get almost anywhere in the inner solar system in a few weeks. And the propulsion system will work just fine to redirect another large mass. Yes, there will be a bunch of fallout damage from the initial take-off, but we can decide where to place it. and the fallout damage from Orion's propulsion is tiny compared to the damage from an asteroid strike.

I have always hoped that there was a secret plan to convert our offensive arsenal into Orion propulsion if the need occurred.

As security definitions go, "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." is not bad. It is a bit obtuse. It lends itself to Venn diagrams and powerpoint. It is also weakened by it's fixation on adversaries. Adversaries are nice if you can blame them, but usually, you are your own worst enemy.

The worst security definition that I have seen is the one currently used by the US Security communities. Geer stated it as: "..the absence of unmitigatable surprise." This definition is horrible. It offers you no guidance on prioritization or limits. This definition says you are insecure until you have achieved omniscience and omnipotence.

The best definition of security that I have found is: "Security is a MEANINGFUL assurance that YOUR most important goals are being accomplished." This is easily understood by everybody and it guides you to effective action. Using this definition you are guided to create and maintain the potential for success. The other definitions ultimately force you to focus your efforts on less important objectives.

We see 3k PPS of attack and we probably have 1/8th of their address space. Remember, you need to scale by address space. Utah's state network is one of 3 early Utah experiments in municipal broadband. The other 2 are UEN and Utopia. When it was set up, IP addresses were allocated in /8, /16 and /24 chunks. They probably got a /16 (65K addresses) for each major department. In total, the Utah state government network probably has at least a million public IP addresses.

If you have a million public IPs, you catch about 3 million attacks every time somebody messes around with Z-Map or MasScan. They always try it at least 3 times. That is 1% of that scary 300 million per day total. And there are a lot of people in the world playing with Z-Map.

I do IT Security for Utah State University. We are at the North end of the state. We see about 3k PPS of attack all the time. We have 128K of public IP address space. Most days, we are at about 300K PPS at the border. 3K PPS of attack is about 1% of the total. Having 1% attack be incoming packets is normal for the last few years for us. This works out to about 1 attack packet per IP address every 30 seconds. Of course, almost all of them are rejected at the border. Most of my peers are seeing the same attack levels. But, all my peers are at universities.

However, In the last couple years the attack has shifted. Now, about 1/2 of our detected attack is sponsored or condoned by the Chinese government. The rest is evenly divided between other governments and organized crime. We assume that this shift is the inevitable consequence of the current cyberwar. The shift has also made it easier to do most attribution. Almost all attack by civil servants is easier to identify. It is predictable. It follows patterns. It has preferential quality of service. When you report abuse from a non-government attacker, it shifts methods, or stops, or moves to another target. When you report abuse to a government attacker, it increases. Sometimes it improves.

The shift in attack may be local to Utah and due to the NSA facility, but I think it is more likely that we are all screwed.