Comment Re:The Congressman is dangerously uninformed. (Score 2) 305

If the internet suffers an extended outage, there would be massive numbers of deaths. During the first few days, there would be thousands of deaths. During the first few weeks there would be millions of deaths. During the first few months, there would be billions of deaths.

So... two-three months without the Internet and billions will die. The hyperbole is strong in this one. ---SNIP--- I think we'd lose the modern tech that requires a civilization-level effort like computers and such, but I think Amish-level societies would be reasonably self-sufficient enough to survive.

So, to summarize, we agree that if we lose the internet, we are screwed. You feel that we can somehow return to 18th century farming practices and still sustain current population levels.

I pray that we will avoid this situation. The only thing that might take down the internet is a sustained, determined effort by a large group of crazy people. Unfortunately, it sounds like Congressman Sensenbrenner might be an example of such a group.

I don't think it is hyperbole to say the billions will die in an extended (months long) internet outage. Here are a few more depressing facts:

  • Almost all of the world's money is virtual. It exists as trust and electronic records. Its potential is only the potential to create certain types of communication. All these communications depend on the internet. Without the internet, the computers in the banks are simply odd-shaped piles of toxic waste. An internet-less credit card only has value as a bookmark. There are no financial transactions without the internet. There is only barter.
  • Most of the US cultivated farmland is degraded from 200 years ago. The soils have increased levels of minerals and salts. The soils have decreased levels of organic material. The aquifers are depleted. Most US farmland requires high-tech intervention to maintain productivity.
  • Almost all the cultivated farmland west of the Mississippi requires high-tech irrigation to produce crops.
  • There are no meaningful stocks of "heritage" seeds. The US lives off of hybrid seed that is produced in a small number of high-tech farms. Even if the current crops could be used for seed stock, most farmers no longer have the means or knowledge to preserve and treat seed.
  • Farming is HARD, specialized work. It takes decades to get good at it. 18th century farming is even harder and more specialized. It requires knowledge, skills, and culture that only exists in the Amish. The Amish are good, but they aren't going to feed more than a few thousand people.
  • There are almost no available animals to support a large return to 18th century farming. Virtually no oxen. Very limited stocks of chickens, geese, ducks, pigs, and sheep. There are only a few thousand work-horses.
  • 18th century farming requires a lot of specialized support skills that no longer exist. I would be surprised if there are 100 blacksmiths in the US that could support a farming community. I expect I could count the number of coopers that can work at that level of technology on my fingers. And that is only 2 of a couple dozen specialists that would be needed to create a viable farming community.
  • Even if somebody could figure out what people need to know to survive, there is no way to communicate that information to people without the internet. We don't have the old, low-tech printing presses anymore. If the old printing presses still existed, you couldn't get supplies for them. Even if you could somehow print the information, you couldn't distribute it before most of the people died.
  • The population of the world back in 1800 was about 1 billion people. There is a considerable state transition between our current state and that state. It may not be reversible.

So, to summarize, if we lose the internet, first the money disappears, then the food disappears, then the people disappear.

Comment The Congressman is dangerously uninformed. (Score 3, Insightful) 305

I hope somebody convinces the congressman that the internet is essential to the US economy before he causes too much damage.

Our society requires rapid, successful transportation and communication. We have almost completely transitioned to a Just In Time (JIT) economy. See: https://en.wikipedia.org/wiki/...

Thanks to JIT optimization, there are no large stores of immediately useful resources and goods in the US. All elements of our society depend on tight, reliable links between supply and demand. The stores only have a few days supplies. The stores rely on timely orders and deliveries to maintain stock and reduce overhead. The suppliers of stores only have a few days of supplies. They rely on receiving accurate and timely orders to know where to deliver. Those suppliers then must place timely and accurate orders to keep the next link in the chain moving. This continues all the way to the harvesting and transportation of raw materials. Every step is optimized to reduce overhead and unnecessary stock. Any supplier that fails to optimize is replaced by a more efficient supplier that has optimized. Every step is dependent on quick, accurate communication and transport. When this breaks down, people die.

For example, most of the deaths during the Hurricane Katrina debacle were not caused by the initial flooding. They were caused by the breakdown in transportation and communication.

ALL aspects of the US transportation and communication grids are dependent on the continued functionality of the internet. The phone systems are now interlinked with the internet. The management of the highways and the supermarkets all depend on the internet. The internet supports all orders and deliveries in the US. Without the internet, there is no food in the stores or gas in the gas stations. If the internet goes, the electrical grid quickly follows.

If the internet suffers an extended outage, there would be massive numbers of deaths. During the first few days, there would be thousands of deaths. During the first few weeks there would be millions of deaths. During the first few months, there would be billions of deaths.

On the other hand, the internet is built and maintained by hordes of capable people. We can overcome almost any obstacle. Once the dying starts, we will come up with answers. They will not be pretty, but they should be functional. Hopefully, one of the first acts will be the elimination of anybody who claims that the internet is unnecessary.

Comment Encryption lessons from CIA and NSA leaks. (Score 3, Interesting) 202

The CIA and the NSA leaks teach us several important lessons. They include:
  • The Intelligence communities are much better at creating problems than fixing them. They can easily destroy individuals, communities, governments and trust. They don't create anything of lasting value. Nor do they clean up the messes that they create.
  • Secrecy really REALLY isn't security. Secrecy creates and maintains private agendas. Secrecy creates and fosters waste. Secrecy destroys trust. Secrecy interferes with almost all aspects of security and good governance.
  • A large, complex intelligence organization can't keep secrets. They can't keep secrets from hostile governments. They can't keep secrets from organized crime.
  • Finally, we have learned that cryptanalysis can be surprisingly effective, but a full frontal assault on an encryption algorithm is the hardest way to break a crypto-system. There are many easier ways to break or bypass crypto.

There is a huge gap between crypto theory (https://www.cs.princeton.edu/~felten/encryption_primer.pdf) and expressed and implemented crypto reality. This gap provides many opportunities for anybody who wishes to favor attack over defense.

Traffic Analysis/meta data collection provides cheap, effective attack against virtually all current communication channels. Once you know who, when, where, how, and approximately what they are saying, you usually don't need to break their crypto.

The easiest way to weaken crypto implementation is to simply withdraw support for updates and improvements. Good crypto is hard. Defense is expensive. Without constant support, defenses fail. If you wish to weaken crypto defenses, it is usually sufficient to withhold support for good standards and good processes, and fail to eliminate mistakes.

The next most cost-effective ways to weaken crypto implementation are to focus on degrading or hindering:

  1. Transparency and disclosure;
  2. Purchasing standards;
  3. Vetting or approval standards;
  4. Programming environments and standards;
  5. Crypto standard processes;
  6. Crypto implementation projects;
  7. And crypto standards.

Good crypto implementations are almost indistinguishable from bad crypto implementations. The market will cheerfully purchase poor crypto if it is available, cheap, and the consequences are not immediate.

If an attacker ever needs to access info that is protected by a robust crypto implementation, it is usually faster and cheaper to subvert its surrounding environment, people, hardware or software.

Reform of the Intelligence agencies should begin by greatly reducing their budget. Currently, they are huge, bloated, unmanageable monsters. They twist government to their whim. They distort the civilian economy. They cause massive incidental damage. A slim, tightly focused agency can be more carefully controlled and managed. A small, efficient CIA or NSA would achieve almost all of OUR important goals with a tiny fraction of the collateral damage.

Comment Complex password rules are a sign of bad IT. (Score 2) 498

For years, IT has used complex password rules to make up for the failings of IT security. Specifically, we have required complex passwords because:
  • IT fails to protect our password hashes. Password hashes require almost as much protection as plain text passwords. They both must be protected from exposure. Password hashes must be continually upgraded to the strongest hashing algorithms. They must be individually salted. Their communication pathways must have the highest level of protection to prevent exposure and pass-the-hash attacks.
  • IT fails to detect and limit password guessing. Short passwords can be quite effective when there are effective limits on password guessing.
  • IT fails to implement multi-factor authentication. We have known that multi-factor authentication was necessary for decades.
  • IT fails to audit itself or transparently track the use of IT resources, including authentication.

None of this is magic. We have known that this is required of IT security since the mainframe days. Defense in depth with different security layers is not just a good idea. It is central to all effective defense planning for thousands of years. However, instead of doing good IT security, we attempted to push the burden and failings of IT onto the users via complex password rules.

Of course, there should be some password rules. They should look more like:

  • You must use some form of password management. It should be secure. It could be a piece of paper that you keep in your wallet. I personally use KeePass.
  • You must use different passwords for every different trust situation.
  • You must have an effective strategy for generating non-guessable passwords. I personally use KeePass's random password generation or the "shocking nonsense" approach to generating password phrases.
  • You must change your passwords when you have a reason to suspect that they might have been compromised. The recent Cloudbleed issue is a good reason to change many of your passwords. Fortunately, if you have a good password manager, it just takes a couple minutes to change them all.
  • You should change your passwords when there has been a significant change in the trust relationship with the remote party. This can include non-obvious things like when they go public, or when they outsource (or in-source) their IT. A good hint is when they start offering multi-factor or Single Sign On. This means that they have reviewed and updated their entire authentication system. You should change passwords to take immediate advantage of the improved system.

Comment Chocolate, Ice Cream, and Thanks all work. (Score 4, Interesting) 128

When I worked IT Security for a University, we took extra effort to thank anybody who reported a security issue. Here are some examples:
  • We had an alert clerk notice that "something was off" when 3 people tried to sweet talk their way into a storage area. She flirted with them, while her co-worker called campus security. The cops had the penetration team spread and handcuffed before they could present their "Get Out Of Jail" documentation. Even then, they kept them handcuffed, until the cops called and verified the documentation. It was the first time that the penetration team had EVER had to use their documentation. I personally called and thanked everybody. I also arranged for the clerk to get a 2-pound box of the local Blue Bird Chocolates: http://bluebirdcandy.com/
  • When we started our "Internet Skeptic" awareness campaign: https://it.usu.edu/computer-se... we would send a coupon for a free Aggie Ice Cream Cone: http://aggieicecream.usu.edu/ to the first person to report a new phish.
  • Later, we found that prompt, public thanks worked as well as ice cream. We would promptly analyse every report, and then send out 2 sets of emails. The first would be the thank-you to the reporter. It included: Personalized thanks; A description of the scam; A report of how many others at USU were warned, thanks to their alertness. The second set of email would go out to everybody who had received a copy of the phishing scam. It included: A notification that the prior message was a fraud; Instructions for how to recover, if they had fallen for the fraud; A report of how many others also received the phish; A public acknowledgement of the alert reporter.
  • This spring, we had a "Phishing Tournament" with various awards for reporting fraudulent emails. The grand prize was a tackle box full of goodies.

The small amount we spent on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.

Comment The best answer isn't more anonymity. (Score 1) 177

Well, daaang.

Last night, my computer and Slashdot combined to throw away a 4 hour description on how to maintain anonymity when under omnipresent surveillance. That was frustrating. But, after a night's sleep and some reflection, I think it was for the best. The required skills and commitment are almost superhuman. Today, US citizens can expect little privacy in their purchases, travel, interpersonal communication or internet activity. We need better answers that will help everybody. If we train ourselves to defeat the current generation of surveillance and discovery, we will be faced with even more intrusive measures. We need to change the game in fundamental ways.

The initial problem seems to be that we don't trust each other or government. The cause of that distrust seems to be that we all keep secrets from each other. But, when you look at the cause of the secrets, you find that we have created incentives for secrecy and distrust. In our current laws and culture we benefit from keeping secrets from each other and from the government. Our government benefits from keeping secrets from us. We all have created an economy of discovering and exploiting each other's secrets. Thus, we have created incentives that motivate secrecy, deceit, surveillance, and betrayal. This is not a good way to live.

It seems like we aren't valuing privacy enough. But, I think it is just the opposite. We value privacy enough to spend resources to penetrate, subvert, and deny it. The answer isn't to increase the value of anonymity. That will just increase the incentive to destroy privacy. We somehow need to regain privacy and anonymity by devaluing the secrets. We also need to increase the value of trust, while we increase the cost of betrayed trust.

I can see how to accomplish this at the local level. If I am more open, honest and involved with my friends, family and community, then we increase in trust towards each other and know each other's secrets. At that point, our secrets have no value and there is everything to lose and nothing to gain from surveillance, deceit, or betrayal.

I've got no idea how to fix my broken relationship with the highest levels of government.

Local government is small and well behaved. I know them and they know me. We have no meaningful secrets. We have years of mutual support and trust.

I have no problem with telling my next door neighbor, the city councilman, all the details of my life. We have lived next to each other for almost 4 decades. We have raised each other's children. I know several good policemen and women. I know a good FBI agent. But, somewhere at the top, it all goes sour.

The Feds seem to get great benefit from lying to me, and betraying my trust. I don't know how to make it stop. The CPI (Consumer Price Index) is a bad, blatant lie. I can't imagine why they feel they need to lie about things that are intimate knowledge to every American. It's embarrassing. And the lie damages almost every American. The published employment rates don't pass any kind of simple fact checking. We all nodded along for decades while the Feds inflated the dangers of marijuana. And, now that it is all revealed as a colossal fabrication, they refuse to admit error or correct the damage. All for no obvious reason. The Feds can't admit mistake. The Feds can't correct mistake. And, it appears that they can't tell fact from wild delusion. With that history, I can't stand the idea of giving them more power over me.

And the Feds keep trying to pass their bad habits to my state and local governments.

Comment Re:Lots of other stuff too.. (Score 1) 112

The actual inflation rate is a rather personal thing. And, it depends on some rather personal questions:
  • Has the price of the stuff that YOU buy gone up or down?
  • Why did you buy that stuff?
  • What do you actually need to buy to survive?
  • What do you need to buy to be content?

In specific, only you can answer these questions. However, there are some common general trends:

  • The measure of inflation published by the US government: http://www.usinflationcalculat... will be different from the measure of inflation that you experience. The pressures to influence the rate of inflation published by the US government are different from the pressures that influence YOUR purchasing. A couple years ago, Forbes had an interesting opinion piece that pointed out some of the pressures on the US government to manipulate the published rate of inflation: http://www.forbes.com/sites/pe...
  • It is very hard to interpret the published US rate of inflation, because they change their methodology ALL THE TIME: http://www.bls.gov/cpi/cpi_met...
  • In general, these changes in methodology tend to minimize the published rate of inflation. Older methods yield a much higher rate of inflation: http://www.shadowstats.com/alt...
  • If any of the things that YOU buy experience higher rates of inflation, then its costs will dominate your budget. This is particularly compelling when the item is a non-optional part of your expenses, such as food, housing, clothing, medical, maintenance of income, community interaction, or interaction with family.

To add an insignificant personal data point, every time I have measured the increase in the expense of food, housing, medical or maintenance of income in the last 30 years, my results have traced the US methodology used back in the early '80s instead of current methodology. For the last 35 years, I have held jobs at the same university in the leading edge of IT. Back then, my monthly salary was about $35K. If my salary increases had matched the cost of living according to the methodology used in 1982, my current monthly salary would exceed $250K. The current actual costs of food, housing, medical and maintenance of income would be about the same percentage of my budget NOW as they were then. Instead, my salary has trailed the actual published inflation rate, and my current mandatory costs are crippling me.

Comment Re:The way to do it (Score 1) 222

I think the most important key to solving the current problems with credit cards is to finally accept that a single approach will not work well for many use cases.

I am looking for something that gives ME (the owner of the account/money) a number of solutions. I need the following:

  • Options to securely manage my underlying account over the internet. I can understand why some options aren't default, but my bank doesn't seem to even know that problems exist. I would like to protect my connections with overbuilt encryption. Or choose to refuse connections unless it is the latest, strongest encryption. Or reject weak ciphers and key sizes. Or require multi-factor authentication. Or require a range of source IP addresses. Or require a single, secure, pre-distributed OS (distributed on a cheap, reliable USB stick). Currently, they don't allow me to require any of these.
  • I want my bank to enable single, on-time, cheap, secure, online transactions. It is crazy that my bank continues to pretend that it is not connected to the internet. Or that online commerce can only exist by using ancient, insecure, expensive, slow 19th century methods. Online purchasing should be more (not less) secure than "chip and pin", because we have much greater capability to confirm the identity of the participants and the nature of the transaction. It can also be much quicker and cheaper. Having Apple, Google, or Paypal add another non-transparent layer between me, my bank, my vendor and his bank just seems insane.
  • I want my bank to enable ongoing, cheap, secure, static payments to pay bills. Currently, I don't allow automatic payments of my bills because Comcast (and others) think they should be able to spontaneously increase their charges. I want to set up a "Only this much, this often, to this entity" payment. Then, if somebody wants to charge more, we re-negotiate with full knowledge of the change.
  • Chip and Pin seems to be an acceptable compromise for the current transition to payment via trusted device. I need to figure out what device method I can trust. So far, no help from my bank on that front either.

Is Paypal capable and trusted enough to be used as a bank?

Comment Potential market for upscale Faraday cages. (Score 1) 107

I think there is a potential market for upscale Faraday cages. I mentioned this a while ago on BoingBoing.

The more ostentatious, the better. It should be about the size and beauty of a fine humidor. Some would be gold, silver or platinum plated. But, you could also have ones that appeared to be mahogany, rosewood or teak. Market it as "The Privacy Box", or perhaps just pBox. You pitch it as a critical accessory for the upwardly mobile. When you absolutely need privacy, just put the phone in the "Pbox".

Expensive lawyers would use it to reassure clients that they took their privacy seriously. C-level executives would use it to highlight the importance of their discussions. The ritual of placing the cell phones in the "Privacy Box" would help seal the deal.

The primary attributes of this product would be:

  • It must demonstrate "Tasteful Expense" like a fine watch.
  • It must look good on an executive's desk.
  • It must block the sensors of any cell phone that is placed inside.
  • It must close with a smooth, audible click.

For extra points, you could easily design it to:

  • Restrict interaction between multiple cell phones in the same container, though this isn't as critical as looking expensive.
  • Automatically trigger airplane mode (to limit battery drain).
  • Recharge the phone(s).

Wish I had the capability to make something that looked expensive and tasteful. I think this would sell itself.

Comment Re:Depends (Score 1) 286

I tailor my note-taking device, depending on how I want to interact with others. I have found that some people are more willing to interact with me if I am taking notes with pen and paper. I have also found that the later work of transcribing paper to electronic form is not really wasted if it helps me to organize my followup.

But, sometimes, a phone is all I have. And sometimes, I just need the speed and organization of taking notes with a laptop.

Comment Re:Patent != Innovation (Score 1) 54

It is nice to see that the exponential growth in the number of patents has finally faltered: http://www.uspto.gov/web/offic... It's a pity that the current rate of patent creation is more than sufficient to destroy almost all production and innovation.

We have been fooled into thinking that patents are innovation. But, the current rate of patent creation is anti-innovation and anti-productive.

Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. Patents don't guarantee production or innovation. They only enable lawsuits.

An occasional lawsuit might possibly spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. The current patent industry is responsible for enormous numbers of lawsuits every year. This legal deathtrap has captured marketplaces, destroyed production and stagnated innovation.

Comment Similar problem, better outcome. (Score 3, Insightful) 172

We had a similar problem. Fortunately we had a better outcome.

One of our university's IT groups noticed that the university's police were using a packaged IT police support solution that had no security. An attacker could change arrest reports, access and change all the secret log entries, and track the real-time deployment and activity of the police. We verified that the problem existed across hundreds of police departments all over the country. The university police were horrified when we presented the problem to them.

I think the main thing that led to a better outcome was that the university IT team worked closely with the university police team to present the problem to the external vendor. During the presentation, the external vendor went through all the stages of grief: denial, anger, bargaining, depression and acceptance. When the vendor got to the anger stage, they threatened to have us arrested. We just kept asking how arresting somebody would fix the code, until they got on to the next stage.

Still, it took months before the vendor deployed fixed code.

Comment Where do I sign up for handcuffs? (Score 2) 73

I spend a good chunk of every workday defending my institution from network attacks by the governments of China and Russia. They are not the only ones. I imagine all of them give themselves permission to attack. I expect all of them eventually make it illegal to resist their attacks. As more and more governments create these crazy laws and international agreements, my defensive actions will become more and more illegal. Thanks Five Eyes!

Comment Focused on attack instead of defense. (Score 5, Insightful) 247

Part of the problem is that many believe that we can attack our way to security. They are confused about the fundamental nature of attack and defense when applied to the internet. They don't understand the combination of global connectivity and automation. They don't understand that any action of internet attack or defense has unintended consequences.

In the old days, you could attack one thing. You could defend one thing. But, that doesn't map well to the internet. Now, we all talk to each other. We all use the same methods of defense. When one actor attacks another, the attack is exposed, analyzed, and re-used. Now, when somebody attacks, they increase the cost of defense for everybody. When somebody comes up with improved defense, we all learn how to increase the cost of attack for everybody.

For over a decade, several branches of the US government have focused almost all their energy on attacking others across the internet. The result is an internet where compromise and breach are daily events. Somehow, our protectors don't see that they are crafting the tools of our demise and handing them to our enemies. If we are honest, we are more to blame for the great compromise at the OPM than our attackers. If we had spent the last decade on creating and encouraging defense, then breach would be difficult and rare.

Now, our governments are blindly following the tradition of attack. They wish to attack the protocols we use to determine identity and create security. They don't see or care that everybody else will do likewise. They don't see the great devastation that will follow.

Comment The benefits of handling attack. (Score 4, Interesting) 44

I do IT Security for a research university. For the last 10 years, we have attempted to handle all incoming attack. Some gets missed, but we make an attempt. It is good work for the interns/trainees. We document the incident, block the attacking IP for an appropriate amount of time, and notify the remote abuse contact. We have found that handling attack provides significant benefits:
  • Our security team remains functional. Ignoring incidents creates bad habits in the security team.
  • It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
  • It greatly reduces the amount of attack. The number of attacks drops off sharply a couple weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th its prior levels.
  • It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
  • In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.

We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.

We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.

We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.

More info is available here:
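The document/block/notify workflow described in the post above, as an added example that is not the poster's or any institution's code: it counts probes per source from a constructed firewall log, documents every source, blocks only those over a threshold for a fixed period, drafts the abuse notice, and refuses to block allowlisted critical external resources so that a spoofed source address cannot make the defender cut itself off from something it depends on. The log lines, addresses, threshold, block period and allowlist are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Constructed allowlist of critical external resources that must never be
# blocked (RFC 5737 documentation addresses, not real services). In practice
# this would hold resolvers, identity providers, package mirrors and the like.
CRITICAL_ALLOWLIST = {"203.0.113.53", "203.0.113.80"}

# Constructed firewall drop log in a syslog-like shape; not real traffic.
SAMPLE_LOG = """\
2017-03-01T02:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dpt=22
2017-03-01T02:00:02 DROP src=198.51.100.7 dst=192.0.2.11 dpt=22
2017-03-01T02:00:02 DROP src=198.51.100.7 dst=192.0.2.12 dpt=22
2017-03-01T02:00:03 DROP src=198.51.100.7 dst=192.0.2.13 dpt=23
2017-03-01T02:00:03 DROP src=198.51.100.7 dst=192.0.2.14 dpt=22
2017-03-01T02:00:04 DROP src=198.51.100.7 dst=192.0.2.15 dpt=22
2017-03-01T02:00:05 DROP src=198.51.100.9 dst=192.0.2.10 dpt=445
2017-03-01T02:00:06 DROP src=198.51.100.9 dst=192.0.2.11 dpt=445
this line is garbage and must be skipped
2017-03-01T02:01:00 DROP src=203.0.113.53 dst=192.0.2.10 dpt=22
2017-03-01T02:01:00 DROP src=203.0.113.53 dst=192.0.2.11 dpt=22
2017-03-01T02:01:01 DROP src=203.0.113.53 dst=192.0.2.12 dpt=22
2017-03-01T02:01:01 DROP src=203.0.113.53 dst=192.0.2.13 dpt=22
2017-03-01T02:01:02 DROP src=203.0.113.53 dst=192.0.2.14 dpt=22
2017-03-01T02:01:02 DROP src=203.0.113.53 dst=192.0.2.15 dpt=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


@dataclass
class Incident:
    """Everything we document about one remote source."""
    source: str
    first_seen: datetime
    hits: int = 0
    targets: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    blocked_until: Optional[datetime] = None
    suspected_spoof: bool = False


def triage(log_text: str, threshold: int = 5, block_days: int = 7) -> Dict[str, Incident]:
    """Document every source; block only those over the threshold and not allowlisted."""
    incidents: Dict[str, Incident] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.fromisoformat(m["ts"])
        inc = incidents.setdefault(m["src"], Incident(m["src"], ts))
        inc.hits += 1
        inc.targets.add(m["dst"])
        inc.ports.add(int(m["dpt"]))
    for inc in incidents.values():
        if inc.hits < threshold:
            continue  # documented, but too little to act on
        if inc.source in CRITICAL_ALLOWLIST:
            # Heavy "attack" from a resource we depend on is far more likely a
            # spoofed source trying to get us to block it than a real attack:
            # flag it for a human instead of blocking.
            inc.suspected_spoof = True
            continue
        inc.blocked_until = inc.first_seen + timedelta(days=block_days)
    return incidents


def abuse_report(inc: Incident) -> str:
    """Plain-text notice for the remote abuse contact: facts only, no payloads."""
    return (
        f"Source {inc.source} made {inc.hits} unsolicited connection attempts to "
        f"{len(inc.targets)} hosts on port(s) {sorted(inc.ports)} starting "
        f"{inc.first_seen.isoformat()}. It is blocked here until "
        f"{inc.blocked_until.isoformat()}. The host is probably compromised; "
        f"please investigate."
    )


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG).values():
        if inc.blocked_until:
            print(abuse_report(inc))
        elif inc.suspected_spoof:
            print(f"NOT blocking {inc.source}: allowlisted, suspected spoof; escalate")
        else:
            print(f"Documented {inc.source}: {inc.hits} hits, below threshold")
```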
