
Security quotes of the week

The ECJ ruling didn't order the newspaper itself, La Vanguardia, to remove its original article, as [Mario Costeja] González had also requested. Instead, the court simply ordered Google to remove all links to the auction notice from its search engine. Ironically, the ECJ's ruling explicitly mentions González's auction notice and financial trouble. Will the court order that its own decision be made unsearchable online?

The court recognized what some European legislators call "the right to be forgotten"—the idea of giving ordinary citizens more control over their personal data, including its deletion.

Matt Ford at The Atlantic

What we found alarmed us. There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers, such as Russia. These attacks could alter votes or leave election outcomes in dispute. We have confirmed these attacks in our lab — they are real threats. We urgently recommend that Estonia discontinue use of the system.
— A report on the security of Estonia's internet voting system

The moral of the story is clear: be very cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it yourself. And there's an unpalatable (to spooks) corollary: we the public aren't going to get a crime-free secure internet unless we re-engineer it to be NSA-proof. And because of the current idiotic fad for outsourcing key competences from the public to the private sector, the security-industrial contractors who benefit from the 80% of the NSA's budget that is outsourced are good for $60-80Bn a year. That means we can expect a firehose of lobbying slush funds to be directed against attempts to make the internet NSA-proof.

Worse. Even though the pursuit of this obsession with surveillance in the name of security is rendering our critical infrastructure insecure by design, making massive denial of service attacks and infrastructure attacks possible, any such attacks will be interpreted as a rationale to double-down on the very surveillance-friendly policies that make them possible. It's a self-reinforcing failure mode, and the more it fails the worse it will get. Sort of like the war on drugs, if the war on drugs had the capability to overflow and reprogram your next car's autopilot and drive you into a bridge support, or to fry your insulin pump, or empty your bank account, or cause grid blackouts and air traffic control outages. Because that's what the internet of things means: the secret police have installed locks in everything and the criminals are now selling each other skeleton keys.

Charles Stross

But just that very admission highlights that the auditing system the NSA keeps insisting we should trust is completely broken. As we've noted, if the NSA can't tell how its own systems are being used, then it has no idea how they're being abused. Even worse, the NSA has no idea if other people with powers similar to [Edward] Snowden may have taken other documents and given them to those who actually mean to do us harm, rather than reporters looking to serve the public interest.

In admitting that the NSA has no way of knowing what Snowden did, [former NSA head Keith] Alexander is admitting that all this talk of the infallible audit system is all smoke and mirrors. And, because of that, the claims that we can trust the NSA not to abuse its systems are equally untrustworthy.

Mike Masnick


Security quotes of the week

Posted May 15, 2014 19:43 UTC (Thu) by gerdesj (subscriber, #5446) [Link] (2 responses)

Great quotes here this week. They very neatly encapsulate what is wrong with the current state of affairs.

I'll be off to see my (UK) Member of Parliament pretty soon armed with something substantive at last. I don't expect much action as a result but this is the way of democracy and it needs input from the bottom. I suspect it might have more effect than whining on /. or the Reg forums!

Thanks for putting words in my mouth.

Security quotes of the week

Posted May 16, 2014 18:53 UTC (Fri) by RogerOdle (guest, #60791) [Link] (1 responses)

I get tired of hearing about how bad the NSA is. You are surprised at what they do? You must know that there is no effective oversight of ISPs and that many of them can be and probably are compromised by organized crime. Some of these organized criminals are in government, but surely not all of them are. Much ado is made about what is an essential consequence of doing things in public. When you are on the Internet, you should always act as if you were having a conversation in a crowded room where anyone could hear you. It doesn't mean that everyone is out to get you. Sometimes, it is just you being too careless and letting your voice carry too far. This is what happens when you share too much information on Facebook and other social media. It would be nice if only people we like and could trust used the Internet but whether we like it or not, the Internet also belongs to the scoundrels. Ultimately, we are responsible for our personal information. It is our credibility and our reputations that are at stake.

One thing that we can do is develop a mechanism so that transactions can be conducted on the Internet without personal information ever being exchanged through the Internet. It can be done though it is not convenient. It would become more convenient if it were more common. I am thinking of something along the lines of escrow accounts. This is not the same as a credit account. In an escrow account, you put a specific amount of money in the bank for a specific purpose (transaction). The money is transferred only when the conditions of the transaction are satisfied. Then the money is transferred and the escrow account is closed. Even if someone later discovers the account number it doesn't matter because the account doesn't exist anymore. These accounts can be set up with your local banks and there never needs to be any personal information exposed on the Internet. (This does not mean that the bank would not put you at risk by exposing their database). This is only a skeleton of an idea.

I think that it is silly to ask the governments of the world to solve the NSA problem. That is like asking robbers to solve the crime problem. The solutions have to come from the public side. Via some grass-roots effort. We need to defuse the problem by reducing the need for exchanging personal information in the first place. A database cannot leak information it doesn't have.

Security quotes of the week

Posted May 16, 2014 19:20 UTC (Fri) by raven667 (subscriber, #5198) [Link]

> I think that it is silly to ask the governments of the world to solve the NSA problem. That is like asking robbers to solve the crime problem. The solutions have to come from the public side. Via some grass-roots effort.

The government is supposed to be a distillation of the public will, that whole "of the people, by the people, for the people" stuff. That is never perfect, there will always be some corruption where the government apparatus is directed in ways which are not of the public will or for the public interest, but if that corruption is too large then it is better to fix that problem first, which will allow you to then fix your original problem, than to make a separate grass-roots effort which will not have the force of law and will eventually devolve into street theatre, cathartic but ineffective.


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds