Dog Brothers Public Forum
1  DBMA Martial Arts Forum / Martial Arts Topics / Re: the titles of the teachers in the fillipino martial arts ("Kali") on: June 23, 2014, 09:03:44 PM
Some good reading in this thread!
2  DBMA Martial Arts Forum / Martial Arts Topics / 73 year old's workout on: June 14, 2014, 04:26:48 PM
Pretty freakin' impressive.

The link should take you to a video of a 73 year "old" man working out.

https://www.facebook.com/photo.php?v=456053531164394
3  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Re: Health Thread (nutrition, medical, longevity, etc) on: June 12, 2014, 10:28:41 PM
There is a video and slides at the link.

http://quantifiedself.com/2014/06/max-gotzler-testosterone-diet-experiment/

What did I do?
I explored how diet changes influenced my level of free testosterone. In addition, I observed how changes in testosterone related to my mood, sleep and energy level.

How did I do it?
Over the course of one year, I regularly checked my level of free (active) testosterone in saliva and correlated the results to other data I had collected using apps and tracking devices.

What did I learn?
I learned that eliminating carbs from my diet resulted in lower testosterone and adding carbs together with fat and protein increased testosterone. I also learned that sleep was closely tied to my level of testosterone. After good nights of sleep (usually more than 8 hours), my level was elevated the next morning.
4  DBMA Martial Arts Forum / Martial Arts Topics / Re: The Older Warrior on: June 12, 2014, 10:27:02 PM
There is a video and slides at the link.

http://quantifiedself.com/2014/06/max-gotzler-testosterone-diet-experiment/

What did I do?
I explored how diet changes influenced my level of free testosterone. In addition, I observed how changes in testosterone related to my mood, sleep and energy level.

How did I do it?
Over the course of one year, I regularly checked my level of free (active) testosterone in saliva and correlated the results to other data I had collected using apps and tracking devices.

What did I learn?
I learned that eliminating carbs from my diet resulted in lower testosterone and adding carbs together with fat and protein increased testosterone. I also learned that sleep was closely tied to my level of testosterone. After good nights of sleep (usually more than 8 hours), my level was elevated the next morning.
5  DBMA Martial Arts Forum / Martial Arts Topics / Re: The Art in its Homeland FMA Legends on: June 07, 2014, 09:45:42 PM


K. Dumb question is that in Hawaii?  I'm guessing the people in the front row from Left to Right Mike Del Mar, Braulio Pedoy, Floro Villabrille and Josephine Del Mar.   
I could be totally wrong about the location but I know for sure that is Ben Largusa and Dan Inosanto, LOL.
6  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Re: Health Thread (nutrition, medical, longevity, etc) on: June 02, 2014, 09:31:33 AM
Very interesting!


I agree Guro, but with all this data sometimes it seems like you will need help interpreting it to make it useful, some of the info is obvious and then since all this data has the ability of being stored in the cloud here come the security issues.  

Which takes us to another thread of Cyber Security.  Now that I am working for a hospital in the InfoSec field I have become more aware of things that I just never thought of.  I read a few articles where your health information is more valuable than just your credit card.  Your health records never really expire and they contain a lot of data about you including your payment methods.
7  DBMA Martial Arts Forum / Martial Arts Topics / Re: Condtioning for the stick on: June 01, 2014, 12:53:02 AM
http://www.8weeksout.com/2013/03/07/what-is-conditioning/

http://www.8weeksout.com/2008/10/06/metabolic-conditioning-one-size-does-not-fit-all/
8  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / The Future of Health Care? on: June 01, 2014, 12:43:58 AM
9  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / THREE REASONS WHY APPLE WILL BRING DIGITAL HEALTH MAINSTREAM on: June 01, 2014, 12:40:02 AM
Excerpt:

There has been much discussion on when a big player such as Apple, Facebook or Google fully commit to digital health the industry will scale rapidly. Predictions say that when this happens the sociological tipping point will create a paradigm shift in much the same way the iPhone did for apps and mobile computing or like Amazon did for publishing.

While we aren’t there yet it seems we are moving in that direction and if one large corporation is helping to steer us there more than anyone else it would be Apple. Here’s three reasons why.

http://bionicly.com/2013/03/three-reasons-why-apple-will-bring-digital-health-mainstream/
10  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Health \ Fitness related Technology on: June 01, 2014, 12:34:21 AM
Two links that could possibly fit into two different threads.

I first heard of Heart Variability Training from Joel Jamieson of www.8weeksout.com but it was pretty darn expensive.  Years later I found this article and there is a cheaper version, I doubt that it does everything the expensive version does but what the heck.
 
http://bionicly.com/2014/04/heart-rate-variability-training-and-why-you-should-be-doing-it/

This article is pretty darn cool to me.

http://bionicly.com/2014/04/forget-the-iwatch-10-examples-of-next-generation-body-sensors/
11  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Re: Health Thread (nutrition, medical, longevity, etc) on: May 31, 2014, 11:59:56 PM
Not sure if this should go into the Technology thread, it's kind of both....

I really dig the new technology health \ fitness related technology that is coming.

http://bionicly.com/2014/04/forget-the-iwatch-10-examples-of-next-generation-body-sensors/

I have stuff like the Bodymedia device and I pitched in on another device by Push Strength.
12  DBMA Martial Arts Forum / Martial Arts Topics / Re: 2014 Dog Brothers Tribal Gathering of the Pack on: May 27, 2014, 11:33:11 AM
That was some serious fun!
13  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Re: Music on: May 06, 2014, 09:56:11 AM
The Green - The Power in Words
https://www.youtube.com/watch?v=8JC-di8CjCY
14  DBMA Martial Arts Forum / Martial Arts Topics / Re: 2013 Open Gathering info on: September 11, 2013, 04:29:05 PM
Hi Lamont - love the moniker you've chosen  wink
Hee hee hee.....
Actually, Lamont, I have a great fight for you - Dog Clint, my training partner. You two would be an interesting match. He is good with any combination you care to try, including double stick or staff. I'll put you in touch that day. Trust me on this one.
Dr Dog

I'll 2nd that. I've watched Clint at the spring Tribal and it was impressive.
15  DBMA Martial Arts Forum / Martial Arts Topics / Re: Fixing the headgear on: August 13, 2013, 05:17:45 PM
We may have to look into welding or soldering.  
16  DBMA Martial Arts Forum / Martial Arts Topics / Re: Son finds wife and dad fg on his son's bed on: August 07, 2013, 03:58:52 PM

Wow, that is just beyond f'd up.  Would have to contemplate but stepping outside of myself; would have to look into the law and crimes of passion.  I mean it's not like he secretly found and then put forth a plan. It was more of a passionate reaction.  A whole lot of powerful emotions invoked in that moment.  Dang.
17  DBMA Martial Arts Forum / Martial Arts Topics / Re: Umpad Corto-Kadena on: August 05, 2013, 01:58:50 AM

Very nice.
18  Politics, Religion, Science, Culture and Humanities / Politics & Religion / NSA director heckled at Black Hat cybersecurity conference on: August 01, 2013, 06:43:27 PM
LAS VEGAS -- National Security Agency director Gen. Keith Alexander was met with cheers and heckling Wednesday at the Black Hat conference in Las Vegas, an annual meeting of hackers and cybersecurity professionals.

Alexander was asked to give the keynote address at the conference before former NSA contractor Edward Snowden leaked documents to the media about PRISM -- a government surveillance program that collected metadata over telecommunication lines. Black Hat organizers say that he could have easily backed out, but chose to attend to open a dialog with the hacking community.

The mood was one of respectful skepticism among a majority of audience members. But halfway through the address, which promised to answer tough questions in the wake of the PRISM leak, some in the audience decided they had heard enough.

Alexander was speaking about ways the controversial initiative FAA 702 has thwarted terrorism plots, when he said of the NSA: "We stand for freedom."

"Bulls***," a heckler in an audience of hundreds yelled out. After a handful of claps, he continued, "You lied to Congress. Why should we believe you're not lying to us?"

Unfazed by the comment, Alexander calmly replied, "I did not lie to Congress."

 
Alexander spent the majority of his speech explaining how the U.S. government arrived at its current cybersecurity posture and where to go next. The director pointed at some of the major terrorist attacks in the last 20 years, like the first World Trade Center bombing in 1993, the U.S.S. Cole bombing in 2000, and the September 11th attacks as examples of why the intelligence community had to step up its data gathering.

"The intelligence community failed to connect the dots," Alexander said.

Addressing the concerns that NSA analysts can access the personal data of Americans at will, Alexander said there is a misconception about how much information is being accessed, adding that the program can be completely audited.

Alexander said there are only 22 people at the NSA who can approve the surveillance of a phone number, and 35 analysts who are authorized to review the queries. Of 300 phone numbers that were approved for query, 12 were reported to the Federal Bureau of Investigation.

The director said that if a query appeared unrelated to national security, its auditing tools would detect it and the analyst would have to explain their intent. He added that an audit conducted by Congress found no incidences of abuse of the program.

Alexander shared a slide that revealed a sample of what a document with metadata looks like. A snippet of a spreadsheet reveals columns including date, time, from address, to address, length, site and source -- not the content of the communication itself. The director added that the NSA does not "collect everything."

"It's focused," Alexander said. "We don't want to collect everything."

Alexander ended his speech with a plea to the audience, saying, "help us defend the country and find a greater solution. The whole reason I came here is to ask you to make it better."

"Read the constitution," a heckler in the audience yelled out.

"I have. You should too," Alexander calmly responded. His comment was followed by cheering from the audience.
19  DBMA Martial Arts Forum / Martial Arts Topics / Re: Juror: Zimmerman got away with murder on: July 25, 2013, 06:04:51 PM

Every time I read something from the Pro-Trayvon crowd it seems their opinion on everything is based on feeling rather than facts that were presented.  
20  DBMA Martial Arts Forum / Martial Arts Topics / Re: Self-Defense and other law related to martial arts on: July 23, 2013, 05:30:54 PM
That was \ is awesome.
21  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / DOJ say NSA snooping OK on: July 23, 2013, 02:51:36 PM
 --US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights (July 19, 2013)
The US government has responded to a series of lawsuits challenging the NSA's authority to snoop on phone records, saying that the intelligence agency's activity cannot be challenged in court.

The Obama administration maintains that the actions do not violate citizens' constitutional rights and are conducted in the "public interest."
http://www.wired.com/threatlevel/2013/07/spygate-snooping-standing/

US DOJ Filing:
http://www.wired.com/images_blogs/threatlevel/2013/07/nsaacluresponse.pdf
22  Politics, Religion, Science, Culture and Humanities / Politics & Religion / In his own words: Confessions of a cyber warrior on: July 17, 2013, 05:57:11 PM
http://www.infoworld.com/print/222266

By Roger A. Grimes
Created 2013-07-09 03:00AM

Much of the world is just learning that every major industrialized nation has a state-sponsored cyber army [1] -- though many of the groups, including team USA, have been around for decades.

I've met a few cyber warriors. As you might imagine, they can't talk much about their duties. But if you work shoulder to shoulder with them long enough, certain patterns emerge. For starters, there are a lot of them. They are well armed with cyber weaponry, and they're allowed to experiment and hack in ways that, as we all now know, might be considered illegal in some circles.

I've been a longtime friend to one cyber warrior. On condition of anonymity, he agreed to be interviewed about what he does for a living and allowed me to record our conversation on a device he controlled, from which I transcribed our conversation. I was able to ask clarifying questions the next day.

We met in person in my boat off the coast of Florida, which might sound very clandestine, except that our primary goal was to catch some fish. It's interesting to note that he did not want me to contact him by email or phone during the months leading up to this interview or for a few months after, even though what he revealed does not disclose any national security secrets. The following is an edited version of our conversation. Certain inconsequential details have been altered to protect his identity.

Grimes: Describe yourself and your occupation.

Cyber warrior: Middle-aged, white male, not married. Somewhat smart. Music lover. Lifetime hacker of all things. Currently working on behalf of armed services to break into other countries' computer systems.

Grimes: What is your background? How did you learn to hack?

Cyber warrior: I got into computers fairly early in my life, though I grew up in a foreign country. My dad split when I was young, and my mom worked a lot. I got into computers by visiting one of the few Radio Shacks near my neighborhood. The sales guy hated me at first because I was always on their computers, but after I taught him a few things, we became good friends for years. I realized I had an aptitude for computers ... that most of the adults around me did not have. By the time I was 15, I had dropped out of school (it wasn't as big of a deal in the country I was in, as it is in most developed countries), and I was working a full-time job as the head IT guy at a federal hospital.

I was hacking everything. I hacked their systems, which wasn't too much of a problem because I was already the head IT guy. They had lost some of the admin passwords to the network and other computer systems, so I had to use my hacking skills to reclaim those systems. I hacked everything: door locks, Master locks, burglar alarms -- anything. For a while, I thought I was a master spy and thief, even though I never stole anything. I would spend all my earnings on buying security systems, install them in my house, then spend all my time trying to bypass them without getting caught. I got pretty good, and soon I was breaking into any building I liked at night. I never got caught, although I did have to run from security guards a few times.

Grimes: What did you like hacking the most: security systems or computer systems?

Cyber warrior: Actually, I loved hacking airwaves the most.


Grimes: You mean 802.x stuff?

Cyber warrior: How cute. How quaint. No, I liked hacking everything that lives in the sky. Computer wireless networks are such a small part of the spectrum. I bought literally dozens of antennas, of all sizes, from small handheld stuff to multi-meter-long, steel antennas. I put them all in a storage shed I rented. I put the antennas up on the roof. I don't know how I didn't get in trouble or why the storage shed people didn't tell me to remove the antennas. I had to learn about electricity, soldering, and power generation. I had dozens of stacked computers. It was my own little cloud, way back when. I would listen for all the frequencies I could. I was next to an airbase and I captured everything I could.

Back then a lot more was open on the airwaves than today. But even the encrypted stuff wasn't that hard to figure out. I would order the same manuals as the equipment they were using and learn about backdoors in their equipment. I could readily break into most of their equipment, including their high-security telephone system. It was fun and heady stuff. I was maybe 16 or 17 then. I was living and sleeping in the shed more than at my home.

One day I started to see strange cars show up: black cars and trucks, with government markings, like out of a movie. They cut the lock off my shed and came in the door. My loft was up near the rafters, so I scooted over into the next storage area, climbed down, and went out the side door at the far end of the shed area. I walked off into the desert and never went back. I must have left $100,000 worth of computers, radio equipment, and oscilloscopes. To this day, I don't know what happened or would have happened had I stayed -- probably not as much as I was worried about.

Grimes: Then what did you do?

Cyber warrior: My mom got married to my stepdad, and we moved back to the States. I was able to get a computer network admin job pretty quickly. Instead of hacking everything, I started to build operating systems. I'm a big fan of open source, and I joined one of the distros. I wrote laptop drivers for a long time and started writing defensive tools. That evolved into hacking tools, including early fuzzers.

Eventually I got hired by a few of the big penetration-testing companies [5]. I found out that I was one of the elite, even in a group of elites. Most of those I met were using tools they found on the Internet or by the companies that hired us, but all that code was so [messed up]. I started writing all my own tools. I didn't trust any of the hacking tools that most penetration testers rely on. I loved to hack and break into things, but to be honest, it was pretty boring. Everyone can break into everywhere -- so I made it a game. I would only break in using tools that I built, and I would only consider it a success if none of my probes or attacks ended up in a firewall or other log. That at least made it more challenging.

Grimes: How did you get into cyber warfare?

Cyber warrior: They called me up out of the blue one day -- well, an employment agency on behalf of the other team. They were offering a lot more money, which surprised me, because I had heard that the guys working on behalf of the feds made a lot less than we did. Not true -- it's certainly not true anymore, if you're any good.

I had to take a few tests. I had a few problems getting hired at first because I literally didn't have a background: no credit, no high school or college transcripts. Even the work I had done was not something you could easily verify. But I scored really well on the tests and I was honest on what I had done in the past. They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future coworkers. I was impressed.


Grimes: Explain.

Cyber warrior: They had thousands of people just like me. They had the best computers. They had multiple supercomputers. They had water-cooled computers running around on handtrucks like you would rent library books. The guys that interviewed me were definitely smarter than I was. I went from always being the smartest guy wherever I worked to being just one of the regular coworkers. It didn't hurt my ego. It excited me. I always want to learn more.

Grimes: What happened after you got hired?

Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.

Grimes: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

Grimes: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.

Grimes: What do you like hacking now?

Cyber warrior: Funny enough, it's a lot of wireless stuff again: public equipment that everyone uses, plus a lot of military stuff that the general public knows nothing about. It's mostly hardware and controller hacking. But even that equipment is easy to exploit.

Grimes: Does your team sometimes do illegal things?

Cyber warrior: Not that I know of. We get trained in what we can and can't do. If we do something illegal, it's not on purpose. Well, I can't speak for everyone or every team, but I can tell you the thousands of people I work with will not do anything intentionally illegal. I'm sure it happens, but if it happens, it's by mistake. For instance, I know we accidentally intercepted some government official's conversations one day, someone high-level. We had to report it to our supervisors and erase the digital recordings, plus put that track on our red filter list.

Grimes: You say you don't do anything illegal, but our federal laws distinctly say that we cannot offensively hack other nations. And we are hacking other nations [6].

Cyber warrior: They say we can't hack other nations without oversight. John Q. Public and John Q. Corporation can't hack other nations, but our units operate under laws that make what we are doing not illegal.


Grimes: I know you from many years ago, and I think the young you would revile hacking any government by any government. I think I heard you say this many times, and you were passionate about it.

Cyber warrior: I'm still passionate about it, but the older self realizes that the young self didn't have all the facts. We have to do what we do because [other nation states and other armies] are doing it. If we didn't, we would literally be dead. It's already something that I don't know if we are winning. I know we have the best tools, the best people, but our laws actually stop us from being as good as we could be.

Grimes: What about your job would surprise the average American?

Cyber warrior: Nothing.

Grimes: I really think the average American would be surprised you do what you do.

Cyber warrior: I don't agree. I think everyone knows what we have to do to keep up.

Grimes: What does your work location look like?

Cyber warrior: I work in an obscure office park in Northern Virginia. It's close to DC. There's no lettering or identifiers on the building. We park our cars in an underground garage. There are about 5,000 people on my team. I still work for the same staffing company I was hired by. My badge does not say "U.S. government" on it. We are not allowed to bring any computers, electronics, or storage USB drives into the building. They aren't even allowed in our cars, so I'm the guy at lunch without a cellphone. If people were to look around, they could spot us. Look for the group of people being loud that don't have a single cellphone out -- no one texting. Heck, they should let us carry cellphones just so we don't look so obvious.

Grimes: What do you do for a hobby?

Cyber warrior: I play in a hardcore rap/EDM band, if you can imagine that. I play lots of instruments, make beats and percussion stuff. I wish I could make more money doing music than hacking. I'm even considering now leaving my job and doing music. I don't need much money. I have enough for retirement and enough to support my lifestyle.

Grimes: What do you wish we, as in America, could do better hacking-wise?

Cyber warrior: I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinated teams trying to exploit stuff. But we don't have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.

Grimes: What do you think of Snowden [7]?

Cyber warrior: I don't know him.

Grimes: Let me clarify, what do you think of Snowden for revealing secrets [8]?

Cyber warrior: It doesn't bother me one way or the other.

Grimes: What if it could lead to your program shutting down? You'd be without a job.

Cyber warrior: There's no way what we do will be shut down. First, I don't intentionally do anything that involves spying on domestic communications. I don't think anyone in my company does that, although I don't know for sure. Second, it would be very dangerous to stop what we do. We are the new army. You may not like what the army does, but you still want an army.

If I was out of a job I'd just get better at playing my instruments. I like to hack them, too.

This story, "In his own words: Confessions of a cyber warrior [9]," was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes' Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].

--------------------------------------------------------------------------------

Source URL (retrieved on 2013-07-17 03:40PM): http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266
Links:
[1] http://www.infoworld.com/t/data-security/us-china-please-stop-hacking-our-companies-if-you-dont-mind-214322
[2] http://www.infoworld.com/d/security/its-over-all-private-data-public-220901?source=fssr
[3] http://www.infoworld.com/browser-security-deep-dive?idglg=?ifwelg_fssr
[4] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[5] http://www.infoworld.com/d/security/penetration-testing-the-cheap-and-not-so-cheap-050
[6] http://www.infoworld.com/d/security-central/stuxnet-marks-the-start-the-next-security-arms-race-282
[7] http://www.infoworld.com/t/cringely/snowden-has-answers-nsa-still-holds-the-questions-220881
[8] http://www.infoworld.com/t/government/nsa-leaker-snowden-leaves-hong-kong-reportedly-russia-221306
[9] http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266?source=footer
[10] http://www.infoworld.com/?source=footer
[11] http://www.infoworld.com/d/security?source=footer
[12] http://www.infoworld.com/blogs/roger-a.-grimes?source=footer
[13] http://twitter.com/infoworld

23  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: Cyberwar and American Freedom on: July 15, 2013, 03:56:54 PM
I thought it might be of use for people who are curious of how some attacks work.  I always like to look at \ read new stuff.

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Dubious HTTP II - Unusual HTTP Content-Encodings:
http://noxxi.de/research/unusual-http-content-encoding.html

Another year, another rogue. Not what the doctor ordered:
http://blogs.technet.com/b/mmpc/archive/2013/06/27/another-year-another-rogue-not-what-the-doctor-ordered.aspx

Skype for Android lockscreen bypass:
http://seclists.org/fulldisclosure/2013/Jul/6

Cybercriminals experiment with Tor-based C&C, ring-3 rootkit empowered, SPDY form-grabbing bot:
http://blog.webroot.com/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-spdy-form-grabbing-malware-bot/

Securing Microsoft Windows 8: AppContainers:
http://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/

A penetration tester's guide to IPMI and BMCs:
https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Analysis of CVE-2013-0809:
http://axtaxt.wordpress.com/2013/07/06/analysis-of-cve-2013-0809/

Postpwnium writeup:
http://rpw.io/blog/2013/06/11/postpwnium_writeup/

24  Politics, Religion, Science, Culture and Humanities / Politics & Religion / DEF CON Feds Ban Polarizes Hacker Community on: July 15, 2013, 03:36:07 PM
http://www.google.com/search?hl=en&source=hp&q=Technical+Tactical+Procedures+&gbv=2&oq=Technical+Tactical+Procedures+&gs_l=heirloom-hp.13..0i22i30.641.641.0.2953.1.1.0.0.0.0.281.281.2-1.1.0...0.0...1ac.1.15.heirloom-hp.KIZwIFt223U


Michael Mimoso    July 12, 2013 , 2:25 pm
For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

—Jeff Moss

Those are the 105 words that have polarized the hacker community.

DEF CON founder Jeff Moss turned the annual hacker conference on its ear Wednesday night when he asked federal government employees to stay away from this year’s show, which starts Aug. 1 in Las Vegas. Strained by the revelations of surveillance by the National Security Agency and accusations of unwarranted access to Americans’ online activities, Moss decided to ask for a timeout.

The reaction since has been mixed, if not predictable. Some think events such as DEF CON should be open and collaborative, and that includes with the feds, while others find it counterintuitive to include the feds at an event that fosters technology and thinking that leads to secure and private communication and enterprise.

Moss, who is currently ICANN’s chief security officer, told Reuters that it was a tough call for him to make.

“The community is digesting things that the Feds have had a decade to understand and come to terms with,” Moss told the news agency. “A little bit of time and distance can be a healthy thing, especially when emotions are running high.”

Moss told Threatpost that he is in Durban, South Africa for the ICANN 45 meetings and was not available for comment at the time of publication.

The fallout has begun already, however, with two researchers pulling out of DEF CON after Moss’ decision. Kevin Johnson and James Jardine of Secure Ideas were scheduled to deliver a talk on SharePoint security, but instead decided against giving the talk at the show. Johnson saw the post on Wednesday night from Moss and slept on it a night before meeting with Jardine and other colleagues and making their final decision.

“It sat wrong with me,” Johnson said. “My immediate reaction was that I don’t want to be part of this.”

“I had the same reaction,” Jardine said. “I said I don’t want to be part of something disallowing or not bringing certain groups invited in.”

Jardine and Johnson explained their position in a blog post, stating that DEF CON is a neutral ground that encourages open communication regardless of industry.

“We believe the exclusion of the “feds” this year does the exact opposite at a critical time. James and I do not feel that this should be about anti/pro government, but rather a continuation of openness that this event has always encouraged,” Johnson wrote. “We both have much respect for DEF CON and the entire organization and security community. It is with this respect that we are pulling our talk from the DEF CON 21 lineup. We understand that this may cause unfortunate change of plans for some, but feel we have to support our beliefs of cooperative collaboration to improve the state of information security technology.”

Robert Graham, CEO of Errata Security, steered the discussion away from politics and said Moss and DEF CON are simply heading off conflict.

“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate. From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict,” Graham, a past DEF CON presenter, wrote on his company’s blog. “The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”

Nick Selby, another security professional and frequent speaker at industry events, said Moss’ decision is self-defeating. He points out that most hackers understand full well the depths of surveillance by the signals intelligence community.

“The relationship between hackers and feds is symbiotic,” Selby wrote. “To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, ‘Our community operates in the spirit of openness, verified trust, and mutual respect.’”

Black Hat, which precedes DEF CON, features NSA director Gen. Keith B. Alexander as its keynote speaker and several sessions given by employees of government agencies. Black Hat general manager Trey Ford said he would not consider a similar decision to the one made by Moss.

“Black Hat strives to cultivate interaction, innovation, and partnership within the security ecosystem—offense and defense, public and private,” Ford said via email, adding that he hopes Black Hat will move the conversation forward regarding the revelations of NSA surveillance of Americans.

“I think the Prism announcement got more attention than prior leaks to the general population, but we in InfoSec have no excuse for acting like we didn’t know this was possible or happening. (it is done inside companies every day),” Ford said. “Privacy is a very real concern for both the security and intelligence communities and we look forward to encouraging conversations about this very topic onsite. Everyone that comes to Black Hat is serious about security, has a professional level of interest, and is here to engage and improve that conversation.”

Alexander, meanwhile, is still scheduled to deliver his keynote and Ford would not comment on a contingency plan should he pull out, nor did he have specifics on what the general will be speaking about.

“General Alexander faces hard decisions about where privacy and security cross, a way of thinking that the security community is also very familiar with,” Ford said. “I am hoping we get a glimpse into his world and thinking.”

Meanwhile, Johnson said he and Jardine did not make their decision to pull out of DEF CON lightly and their intention is not to have others follow suit.

“[Moss’] decision seems really opposite of what DEF CON stands for. From the reaction of some people, I find it hypocritical where some are saying that [the hacker community’s] idea of openness doesn’t involve the feds. I think that’s naïve,” Johnson said. “Openness has to involve everybody. People have been overwhelmed by political issues and the outing of spying and surveillance. They’re letting their feelings toward that overshadow what the DEF CON message has always been which is to get together, break stuff and learn together.”

Johnson and Jardine said they will still release a paper on their talk which covers an overarching plan for assessing SharePoint installations, including a tool they will release as open source, and guidelines for SharePoint assessments for pen-testers and internal teams to help them understand risks associated with the Microsoft collaboration platform.

*DEF CON image via leduardo‘s Flickr photostream, Creative Commons


25  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: Cyberwar and American Freedom on: July 15, 2013, 03:32:09 PM

Just taking a wild guess but I would assume Tactics, Techniques & Procedures (TTP), Standard Operating Procedures (SOP) and many other internal documents about how things are done / carried out.

Probably Network Diagrams and more too.

Not going to look at anything Snowden related while at work, I think some of it's blocked anyway.
26  Politics, Religion, Science, Culture and Humanities / Politics & Religion / France, Too, Is Sweeping Up Data, Newspaper Reveals on: July 11, 2013, 06:08:24 PM


http://www.cnn.com/2013/06/30/world/europe/eu-nsa/index.html

As disconcerting as the NSA Prism program is, worth noting is that other powers do this too. 

The question must be asked:

Are we to be the only one who does not?


http://www.nytimes.com/2013/07/05/world/europe/france-too-is-collecting-data-newspaper-reveals.html?_r=0&pagewanted=print

By STEVEN ERLANGER
PARIS — Days after President François Hollande sternly told the United States to stop spying on its allies, the newspaper Le Monde disclosed on Thursday that France has its own large program of data collection, which sweeps up nearly all the data transmissions, including telephone calls, e-mails and social media activity, that come in and out of France.

Le Monde reported that the General Directorate for External Security does the same kind of data collection as the American National Security Agency and the British GCHQ, but does so without clear legal authority.

The system is run with “complete discretion, at the margins of legality and outside all serious control,” the newspaper said, describing it as “a-legal.”

Nonetheless, the French data is available to the various police and security agencies of France, the newspaper reported, and the data is stored for an indeterminate period. The main interest of the agency, the paper said, is to trace who is talking to whom, when and from where and for how long, rather than in listening in to random conversations. But the French also record data from large American networks like Google and Facebook, the newspaper said.

Le Monde’s report, which French officials would not comment on publicly, appeared to make some of the French outrage about the revelations of Edward J. Snowden, a former N.S.A. contractor, about the American data-collection program appear somewhat hollow.

But French officials did say privately on Thursday that there was a difference between data collection in the name of security and spying on allied nations and the European Union. While French officials have said that they do not spy on the American Embassy in France, American officials are skeptical of those reassurances, and have pointed out that France has an aggressive and amply financed espionage system of its own.

The French interior minister, Manuel Valls, said Thursday at the July 4 reception at the American ambassador’s residence in Paris that Mr. Hollande’s demands for clear explanations about the reports of American spying were justified because “such practices, if proven, do not have their place between allies and partners.” He said that “in the name of our friendship, we owe each other honesty.”

Separately, in a statement, Mr. Valls said that France had received an asylum request from Mr. Snowden, but that it would be rejected.

The European Parliament, meeting in Strasbourg, France, to debate the Snowden disclosures, overwhelmingly passed a resolution that “strongly condemns the spying on E.U. representations,” warned of its “potential impact on trans-Atlantic relations” and demanded “immediate clarification from the U.S. authorities on the matter.”

The legislators rejected an amendment calling for the postponement of talks scheduled for Monday on a potential European-American free-trade agreement. France and Mr. Hollande had called for the talks to be delayed, but the European Commission said that they would go ahead in parallel with talks on the American spying programs.

Many Europeans have been shocked and outraged less by the idea of American espionage than the sheer scale of the data-collection abroad. According to Mr. Snowden’s revelations, between 15 million and 60 million transmissions are collected by the Americans every day from Germany alone.

American officials had privately warned French officials to be careful about speaking with too much outrage about American espionage given that major European countries like France spy, too, and not just on their enemies.



27  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Silent War on: July 09, 2013, 02:44:55 PM
5 page article.

http://www.vanityfair.com/culture/2013/07/new-cyberwar-victims-american-business
28  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Al-Qaida said to be changing its ways after Snowden leaked info on spy programs on: June 27, 2013, 08:54:47 PM
http://www.deseretnews.com/article/765632912/Al-Qaida-said-to-be-changing-its-ways-after-leaks.html

WASHINGTON — U.S. intelligence agencies are scrambling to salvage their surveillance of al-Qaida and other terrorists who are working frantically to change how they communicate after a National Security Agency contractor leaked details of two NSA spying programs. It's an electronic game of cat-and-mouse that could have deadly consequences if a plot is missed or a terrorist operative manages to drop out of sight.

Terrorist groups had always taken care to avoid detection — from using anonymous email accounts, to multiple cellphones, to avoiding electronic communications at all, in the case of Osama bin Laden. But there were some methods of communication, like the Skype video teleconferencing software that some militants still used, thinking they were safe, according to U.S. counterterrorism officials who follow the groups. They spoke anonymously as a condition of describing their surveillance of the groups. Those militants now know to take care with Skype — one of the 9 U.S.-based Internet servers identified by former NSA contractor Edward Snowden's leaks to The Guardian and The Washington Post.

Two U.S. intelligence officials say members of virtually every terrorist group, including core al-Qaida members, are attempting to change how they communicate, based on what they are reading in the media, to hide from U.S. surveillance. It is the first time intelligence officials have described which groups are reacting to the leaks. The officials spoke anonymously because they were not authorized to speak about the intelligence matters publicly.

The officials wouldn't go into details on how they know this, whether it's terrorists switching email accounts or cellphone providers or adopting new encryption techniques, but a lawmaker briefed on the matter said al-Qaida's Yemeni offshoot, al-Qaida in the Arabian Peninsula, has been among the first to alter how it reaches out to its operatives.

The lawmaker spoke anonymously because he would not, by name, discuss the confidential briefing.

Shortly after Edward Snowden leaked documents about the secret NSA surveillance programs, chat rooms and websites used by like-minded extremists and would-be recruits advised users how to avoid NSA detection, from telling them not to use their real phone numbers to recommending specific online software programs to keep spies from tracking their computers' physical locations.

House Intelligence Committee Chairman Mike Rogers, R-Mich., said there are "changes we can already see being made by the folks who wish to do us harm, and our allies harm."

Sen. Angus King, I-Maine, said Tuesday that Snowden "has basically alerted people who are enemies of this country ... (like) al-Qaida, about what techniques we have been using to monitor their activities and foil plots, and compromised those efforts, and it's very conceivable that people will die as a result."

Privacy activists are more skeptical of the claims. "I assume my communication is being monitored," said Andrew Prasow, senior counterterrorism counsel for Human Rights Watch. She said that's why her group joined a lawsuit against the Director of National Intelligence to find out if its communications were being monitored. The case was dismissed by the U.S. Supreme Court last fall. "I would be shocked if terrorists didn't also assume that and take steps to protect against it," she said.

"The government is telling us, 'This has caused tremendous harm.' But also saying, 'Trust us we have all the information.' The US government has to do a lot more than just say it," Prasow said.

At the same time, NSA and other counterterrorist analysts have been focusing their attention on the terrorists, watching their electronic communications and logging all changes, including following which Internet sites the terrorist suspects visit, trying to determine what system they might choose to avoid future detection, according to a former senior intelligence official speaking anonymously as a condition of discussing the intelligence operations.

"It's frustrating. You have to start all over again to track the target," said M.E. "Spike" Bowman, a former intelligence officer and deputy general counsel of the FBI, now a fellow at the University of Virginia's Center for National Security Law. But the NSA will catch up eventually, he predicted, because there are only so many ways a terrorist can communicate. "I have every confidence in their ability to regain access."

Terror groups switching to encrypted communication may slow the NSA, but encryption also flags the communication as something the U.S. agency considers worth listening to, according to a new batch of secret and top-secret NSA documents published last week by The Guardian, a British newspaper. They show that the NSA considers any encrypted communication between a foreigner they are watching and a U.S.-based person as fair game to gather and keep, for as long as it takes to break the code and examine it.

Documents released last week also show measures the NSA takes to gather foreign intelligence overseas, highlighting the possible fallout of the disclosures on more traditional spying. Many foreign diplomats use email systems like Hotmail for their personal correspondence. Two foreign diplomats reached this week who use U.S. email systems that the NSA monitors overseas say they plan no changes, because both diplomats said they already assumed the U.S. was able to read that type of correspondence. They spoke on condition of anonymity because they were not authorized to discuss their methods of communication publicly.

The changing terrorist behavior is part of the fallout of the release of dozens of top-secret documents to the news media by Snowden, 30, a former systems analyst on contract to the NSA.

The Office of the Director for National Intelligence and the NSA declined to comment on the fallout, but the NSA's director, Gen. Keith Alexander, told lawmakers that the leaks have caused "irreversible and significant damage to this nation."

"I believe it will hurt us and our allies," Alexander said.

"After the leak, jihadists posted Arabic news articles about it ... and recommended fellow jihadists to be very cautious, not to give their real phone number and other such information when registering for a website," said Adam Raisman of the SITE Intelligence Group, a private analysis firm. They also gave out specific advice, recommending jihadists use privacy-protecting email systems to hide their computer's IP address, and to use encrypted links to access jihadi forums, Raisman said.

Other analysts predicted a two-track evolution away from the now-exposed methods of communication: A terrorist who was using Skype to plan an attack might stop using that immediately so as not to expose the imminent operation, said Ben Venzke of the private analysis firm IntelCenter.

But if the jihadi group uses a now-exposed system like YouTube to disseminate information and recruit more followers, they'll make a gradual switch to something else that wasn't revealed by Snowden's leaks — moving slowly in part because they'll be trying to determine whether new systems they are considering aren't also compromised, and they'll have to reach their followers and signal the change. That will take time.

"Overall, for terrorist organizations and other hostile actors, leaks of this nature serve as a wake-up call to look more closely at how they're operating and improve their security," Venzke said. "If the CIA or the FBI was to learn tomorrow that its communications are being monitored, do you think it would be business as usual or do you think they would implement a series of changes over time?"

Terrorist groups have already adapted after learning from books and media coverage of "how U.S. intelligence mines information from their cellphones found at sites that get raided in war zones," said Scott Swanson, a forensics intelligence expert with Osprey Global Solutions. "Many are increasingly switching the temporary phones or SIM cards they use and throw them away more often, making it harder to track their network."

The disclosure that intelligence agencies were listening to Osama bin Laden drove him to drop the use of all electronic communications.

"When it leaked that bin Laden was using a Thuraya cellphone, he switched to couriers," said Jane Harman, former member of the House Intelligence Committee and now director of the Woodrow Wilson International Center. "The more they know, the clearer the road map is for them."

It took more than a decade to track bin Laden down to his hiding place in Abbottabad, Pakistan, by following one of those couriers.

Follow Kimberly Dozier on Twitter at http://twitter.com/kimberlydozier

29  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: New Encryption Technology on: June 27, 2013, 07:39:43 PM
Interesting, I'll have to keep an eye out on the blogs about this subject.
30  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Bradley Manning Trial Begins on: June 05, 2013, 12:58:01 PM
Bradley Manning Trial Begins

The court-martial of Army Pfc. Bradley Manning for offenses related to the leak of classified information has begun. Manning, who has been detained since his 2010 arrest, allegedly gave more than 700,000 government and military documents to WikiLeaks. Among the 22 charges Manning faces is a count of aiding the enemy, which could bring a life sentence without the chance of parole.

http://www.washingtonpost.com/world/national-security/bradley-manning-court-martial-opens/2013/06/03/9c65ea48-cc51-11e2-8f6b-67f40e176f03_story.html

http://www.washingtonpost.com/world/national-security/bradley-manning-leak-trial-set-to-open-monday-amid-secrecy-and-controversy/2013/06/01/b2bad2fa-c93a-11e2-9f1a-1a7cdee20287_story.html
31  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: Media Issues on: June 05, 2013, 12:57:00 PM
LOL, no problem.  I appreciate the organization of the forums Guro!

Moved to:

http://dogbrothers.com/phpBB2/index.php?topic=1024.msg72813#msg72813
32  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Journalists trawling for leaks should be willing to share the risks. on: June 04, 2013, 02:31:09 AM
http://articles.washingtonpost.com/2013-05-31/opinions/39653041_1_national-security-leaks-npr-reporter-classified-information

Journalists trawling for leaks should be willing to share the risks
By Sarah Chayes, May 31, 2013
Sarah Chayes is a senior associate at the Carnegie Endowment for International Peace. She was an NPR reporter from 1997-2001 and special assistant to the chairman of the Joint Chiefs of Staff from 2010-2011.

“Are you kidding me?”

I was always stunned to hear reporters ask me — as they did half a dozen times when I worked at the Pentagon — to show them some classified document or other. They’d just pop the question blithely, unfazed, without an apparent thought for the implications. My incredulous retort would usually reap an only half-sheepish answer: “Well, I had to ask.”

Countless national security officials have had some version of this conversation – including the State Department security adviser that Fox News correspondent James Rosen allegedly plumbed for information on North Korea. Rosen wrote in an e-mail that he’d “love to see some internal State Department analyses.”

I’ve served on both sides of the line, as an NPR reporter and a Defense Department official, and it’s from that split perspective that I’ve been observing the furor over the seizure of journalists’ telephone and e-mail records in Justice Department investigations of national security leaks. Especially troubling to some reporters and pundits is a search warrant application suggesting that Rosen was “an aider and abettor and/or co-conspirator” with his source. Commentators have decried the Justice Department for criminalizing journalism itself.


The value to democracy of a courageous and unfettered press poking into back corners that agencies would rather keep hidden is incontrovertible. But I find myself wondering why journalists shouldn’t shoulder some responsibility for transgressions they often goad their sources to commit.

Every government employee who obtains a security clearance receives a briefing on the rules about accessing and using classified information, and, as part of his or her terms of employment, must sign a piece of paper acknowledging the potential consequences of violating the law. Many officials, including me, have been subjected to a polygraph exam — an exceedingly unpleasant experience for anyone with a conscience or a literal mind. National security staffers’ careers can be wrecked over how they handle documents stamped SECRET.

Reporters, on the other hand, have little to lose when trawling for leaks. No American journalist has been prosecuted for publishing classified information. And the media could gain even greater protections under a shield law or new procedures now being hammered out with the Justice Department.

I’ve heard from reporters and senior government figures alike that the Obama administration’s leak investigations are having a chilling effect on officials who normally interact with journalists. That’s unfortunate, because regular conversations about the business of government, as well as the injection of alternative perspectives by way of the questions reporters ask, or their reflections on what they hear, are critical to a healthy state.

But the stakes might be clearer if sources knew that reporters had skin in the game, too: if they understood that journalists weren’t asking questions idly — in hopes of a passing scoop, or even happy to be made use of in some messaging campaign — but because the information is so critical to the public interest that they are willing to risk repercussions for finding and airing it.


Comparatively unfettered though the press may be in the United States, its courage is frequently lacking. Washington relationships cemented by orchestrated leaks and background innuendo can verge on the sycophantic. Then again, government disingenuousness has also been on display in the current imbroglio.

Far too much information is protected by unwarranted classification. It’s hard to take a system seriously that places so many gigabytes of material that are not critical to national security under the same umbrella as the few nuggets that are. I’ve seen a New Yorker article included among prep documents for a National Security Council meeting stamped SECRET//NOFORN (meaning that only cleared U.S. citizens were allowed to read it). I’ve had a colleague contradict a sunny e-mail he sent me on the unclassified system with a SECRET snarl. Such misuse makes a mockery of rules that the leak investigations seek to enforce.

At least as troubling is the double standard that has seemed to apply in the recent investigations. The six criminal prosecutions under the Obama administration have all targeted working-level government employees. Meanwhile, senior officials leak — or authorize leaks — with impunity.

In September 2010, a flurry of coverage in major U.S. newspapers reported a supposed government decision on how corruption in Afghanistan would be handled. Perusing the articles with growing wonder, I looked down at a memo on my desk. Not only were passages quoted from it classified, the document was also watermarked DRAFT. No decision had been made yet because debate on the draft had not even reached the level of Cabinet secretaries. It was a classic Washington case of offensive leaking. For months, I was convinced that the perpetrator was the late Richard Holbrooke, then special representative to Afghanistan and Pakistan. But I kept asking reporters. Finally I traced the leak to a senior White House official, whose career has progressed untroubled.

Last year, Washington Post columnist David Ignatius was given an exclusive preview of 17 redacted documents that had been retrieved from Osama bin Laden’s compound in Abbottabad, Pakistan. Ignatius wrote that the documents had been declassified but had not yet been made available to the public. More than six weeks later, those 17 documents — and only those 17, out of some 1.5 million scooped up at Abbottabad — were released. How does such selectivity square with a coherent declassification policy?

Perhaps the most remarkable example of disclosure of classified information in plain sight was the detail offered up to the media in the wake of the raid that killed bin Laden — capped off by briefings from then-White House chief counterterrorism adviser John Brennan. The superfluous specificity left a number of officials who had helped plan the raid aghast, including a longtime Washington insider, then-Defense Secretary Robert Gates.

The law, including regulations protecting national security secrets, should be taken seriously, and decisions to break it for reasons of conscience should not be taken lightly. But by the same token, the law should not be stretched for purposes far beyond its original, legitimate intent. And most important, it should be applied equally to all who vow to uphold it.


UPDATE: Saturday, June 1, 2013. Sarah Chayes writes: Thanks to all who have contributed great comments. This is just the type of debate such a fraught issue should generate. One thing I regret in this piece is not taking my argument about over-classification beyond criticism. Could any of you -- particularly with government experience -- suggest practical recommendations for how to reduce the amount of material that gets classified, and how to change the incentives for over-classification? Who should issue what directives? What type of implementation and follow-up mechanisms would have to be designed? Let’s use the comments forum to start hammering out a solution to this long-festering problem.
33  Politics, Religion, Science, Culture and Humanities / Politics & Religion / NSA/CyberCom To Get Green Light Response to Cyber Attack on: May 29, 2013, 01:24:59 PM
--NSA/CyberCom To Get Green Light Response to Cyber Attack
(May 27, 2013)
DoD is on the verge of approving new standing rules of engagement, rules that will for the first time authorize a U.S. response to cyber attacks. It's part of a general push to move more cyber warfare into the traditional military strategy and away from the often contentious realm of National Security Council debate. The new rules will empower commanders to counter direct cyberattacks with offensive efforts of their own - without White House approval.

http://www.defensenews.com/article/20130527/DEFREG02/305270014/Slowed-by-Debate-Uncertainty-New-Rules-Green-Light-Response-Cyber-Attacks


--Iranian Hackers Are Targeting US Energy Companies' Industrial Control Systems
(May 27, 2013)

US officials say that hackers operating on behalf of the Iranian government are targeting industrial control systems at US energy companies in an attempt to damage the country's critical infrastructure. Thus far, the attacks have focused on gathering intelligence about how the systems operate. Some US officials have posited that Stuxnet, the sophisticated malware attack that targeted centrifuges at an Iranian nuclear facility in 2010 pushed Iran to develop stronger cyberattack capabilities and to retaliate.

http://www.theregister.co.uk/2013/05/27/iran_payback_stuxnet_ics_attacks/

http://www.eweek.com/security/iranian-hackers-launching-cyber-attacks-on-us-energy-firms-report/
34  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Jefferson's Cipher for Lewis on: May 22, 2013, 01:58:52 AM
This article is a 3 page article, probably better to read it at the direct link as it includes examples of how it was used.

Jefferson's Cipher for Lewis
http://lewis-clark.org/content/content-article.asp?ArticleID=2222
35  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Thomas Jefferson: Two Centuries On, a Cryptologist Cracks a Presidential Code on: May 22, 2013, 01:57:11 AM
The Jefferson Disk:

First invented by Thomas Jefferson in 1795, this cipher did not become well-known and was independently invented by Commandant Etienne Bazeries, the conqueror of the Great Cipher, a century later. The system was used by the United States Army from 1923 until 1942 as the M-94.

The Jefferson disk, or wheel cypher as Thomas Jefferson named it, also known as the Bazeries Cylinder, is a cipher system using a set of wheels or disks, each with the 26 letters of the alphabet arranged around their edge. The order of the letters is different for each disk and is usually scrambled in some random way. Each disk is marked with a unique number. A hole in the centre of the disks allows them to be stacked on an axle. The disks are removable and can be mounted on the axle in any order desired. The order of the disks is the cipher key, and both sender and receiver must arrange the disks in the same predefined order. Jefferson's device had 36 disks. [Kahn, p. 194]

http://en.wikipedia.org/wiki/Jefferson_disk


Two Centuries On, a Cryptologist Cracks a Presidential Code
Unlocking This Cipher Wasn't Self-Evident; Algorithms and Educated Guesses

http://online.wsj.com/article/SB124648494429082661.html

For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.

The cryptic message was sent to President Jefferson in December 1801 by his friend and frequent correspondent, Robert Patterson, a mathematics professor at the University of Pennsylvania. President Jefferson and Mr. Patterson were both officials at the American Philosophical Society -- a group that promoted scholarly research in the sciences and humanities -- and were enthusiasts of ciphers and other codes, regularly exchanging letters about them.

In this message, Mr. Patterson set out to show the president and primary author of the Declaration of Independence what he deemed to be a nearly flawless cipher. "The art of secret writing," or writing in cipher, has "engaged the attention both of the states-man & philosopher for many ages," Mr. Patterson wrote. But, he added, most ciphers fall "far short of perfection."

To Mr. Patterson's view, a perfect code had four properties: It should be adaptable to all languages; it should be simple to learn and memorize; it should be easy to write and to read; and most important of all, "it should be absolutely inscrutable to all unacquainted with the particular key or secret for decyphering."

Mr. Patterson then included in the letter an example of a message in his cipher, one that would be so difficult to decode that it would "defy the united ingenuity of the whole human race," he wrote.

There is no evidence that Jefferson, or anyone else for that matter, ever solved the code. But Jefferson did believe the cipher was so inscrutable that he considered having the State Department use it, and passed it on to the ambassador to France, Robert Livingston.

The cipher finally met its match in Lawren Smithline, a 36-year-old mathematician. Dr. Smithline has a Ph.D. in mathematics and now works professionally with cryptology, or code-breaking, at the Center for Communications Research in Princeton, N.J., a division of the Institute for Defense Analyses.

A couple of years ago, Dr. Smithline's neighbor, who was working on a Jefferson project at Princeton University, told Dr. Smithline of Mr. Patterson's mysterious cipher.

Dr. Smithline, intrigued, decided to take a look. "A problem like this cipher can keep me up at night," he says. After unlocking its hidden message in 2007, Dr. Smithline articulated his puzzle-solving techniques in a recent paper in the magazine American Scientist and also in a profile in Harvard Magazine, his alma mater's alumni journal.

The "Perfect" Cipher?

The code, Mr. Patterson made clear in his letter, was not a simple substitution cipher. That's when you replace one letter of the alphabet with another. The problem with substitution ciphers is that they can be cracked by using what's termed frequency analysis, or studying the number of times that a particular letter occurs in a message. For instance, the letter "e" is the most common letter in English, so if a code is sufficiently long, whatever letter appears most often is likely a substitute for "e."

Because frequency analysis was already well known in the 19th century, cryptographers of the time turned to other techniques. One was called the nomenclator: a catalog of numbers, each standing for a word, syllable, phrase or letter. Mr. Jefferson's correspondence shows that he used several code books of nomenclators. An issue with these tools, according to Mr. Patterson's criteria, is that a nomenclator is too tough to memorize.

Jefferson even wrote about his own ingenious code, a model of which is at his home, Monticello, in Charlottesville, Va. Called the wheel cipher, the device consisted of cylindrical pieces, threaded onto an iron spindle, with letters inscribed on the edge of each wheel in a random order. Users could scramble and unscramble words simply by turning the wheels.

But Mr. Patterson had a few more tricks up his sleeve. He wrote the message text vertically, in columns from left to right, using no capital letters or spaces. The writing formed a grid, in this case of about 40 lines of some 60 letters each.

Then, Mr. Patterson broke the grid into sections of up to nine lines, numbering each line in the section from one to nine. In the next step, Mr. Patterson transcribed each numbered line to form a new grid, scrambling the order of the numbered lines within each section. Every section, however, repeated the same jumbled order of lines.

The trick to solving the puzzle, as Mr. Patterson explained in his letter, meant knowing the following: the number of lines in each section, the order in which those lines were transcribed and the number of random letters added to each line.

The key to the code consisted of a series of two-digit pairs. The first digit indicated the line number within a section, while the second was the number of letters added to the beginning of that row. For instance, if the key was 58, 71, 33, that meant that Mr. Patterson moved row five to the first line of a section and added eight random letters; then moved row seven to the second line and added one letter, and then moved row three to the third line and added three random letters. Mr. Patterson estimated that the number of potential combinations to solve the puzzle was "upwards of ninety millions of millions."


After explaining this in his letter, Mr. Patterson wrote, "I presume the utter impossibility of decyphering will be readily acknowledged."

Undaunted, Dr. Smithline decided to tackle the cipher by analyzing the probability of digraphs, or pairs of letters. Certain pairs of letters, such as "dx," don't exist in English, while some letters almost always appear next to a certain other letter, such as "u" after "q".

To get a sense of language patterns of the era, Dr. Smithline studied the 80,000 letter-characters contained in Jefferson's State of the Union addresses, and counted the frequency of occurrences of "aa," "ab," "ac," through "zz."

Dr. Smithline then made a series of educated guesses, such as the number of rows per section, which two rows belong next to each other, and the number of random letters inserted into a line.

To help vet his guesses, he turned to a tool not available during the 19th century: a computer algorithm. He used what's called "dynamic programming," which solves large problems by breaking puzzles down into smaller pieces and linking together the solutions.

The overall calculations necessary to solve the puzzle were fewer than 100,000, which Dr. Smithline says would be "tedious in the 19th century, but doable."

After about a week of working on the puzzle, the numerical key to Mr. Patterson's cipher emerged -- 13, 34, 57, 65, 22, 78, 49. Using that digital key, he was able to unfurl the cipher's text:

"In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events..."

That, of course, is the beginning -- with a few liberties taken -- to the Declaration of Independence, written at least in part by Jefferson himself. "Patterson played this little joke on Thomas Jefferson," says Dr. Smithline. "And nobody knew until now."

Write to Rachel Emma Silverman at rachel.silverman@wsj.com
36  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Re: Science on: May 22, 2013, 01:54:51 AM
You got it Guro, just found another interesting article.

http://lewis-clark.org/content/content-article.asp?ArticleID=2222

This is a 3 page article, it's easier to just share the link.
37  Politics, Religion, Science, Culture and Humanities / Science, Culture, & Humanities / Two Centuries On, a Cryptologist Cracks a Presidential Code on: May 22, 2013, 01:42:06 AM
Not sure where exactly this would fit, science was the best I could think of.

While preparing for an IT certification there is a small section within the Encryption chapter that mentions the Jefferson Disk, yes it is the same person that is one of our forefathers.  


First invented by Thomas Jefferson in 1795, this cipher did not become well-known and was independently invented by Commandant Etienne Bazeries, the conqueror of the Great Cipher, a century later. The system was used by the United States Army from 1923 until 1942 as the M-94.

The Jefferson disk, or wheel cypher as Thomas Jefferson named it, also known as the Bazeries Cylinder, is a cipher system using a set of wheels or disks, each with the 26 letters of the alphabet arranged around their edge. The order of the letters is different for each disk and is usually scrambled in some random way. Each disk is marked with a unique number. A hole in the centre of the disks allows them to be stacked on an axle. The disks are removable and can be mounted on the axle in any order desired. The order of the disks is the cipher key, and both sender and receiver must arrange the disks in the same predefined order. Jefferson's device had 36 disks. [Kahn, p. 194]

http://en.wikipedia.org/wiki/Jefferson_disk


Two Centuries On, a Cryptologist Cracks a Presidential Code
Unlocking This Cipher Wasn't Self-Evident; Algorithms and Educated Guesses

http://online.wsj.com/article/SB124648494429082661.html

For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.

The cryptic message was sent to President Jefferson in December 1801 by his friend and frequent correspondent, Robert Patterson, a mathematics professor at the University of Pennsylvania. President Jefferson and Mr. Patterson were both officials at the American Philosophical Society -- a group that promoted scholarly research in the sciences and humanities -- and were enthusiasts of ciphers and other codes, regularly exchanging letters about them.

In this message, Mr. Patterson set out to show the president and primary author of the Declaration of Independence what he deemed to be a nearly flawless cipher. "The art of secret writing," or writing in cipher, has "engaged the attention both of the states-man & philosopher for many ages," Mr. Patterson wrote. But, he added, most ciphers fall "far short of perfection."

To Mr. Patterson's view, a perfect code had four properties: It should be adaptable to all languages; it should be simple to learn and memorize; it should be easy to write and to read; and most important of all, "it should be absolutely inscrutable to all unacquainted with the particular key or secret for decyphering."

Mr. Patterson then included in the letter an example of a message in his cipher, one that would be so difficult to decode that it would "defy the united ingenuity of the whole human race," he wrote.

There is no evidence that Jefferson, or anyone else for that matter, ever solved the code. But Jefferson did believe the cipher was so inscrutable that he considered having the State Department use it, and passed it on to the ambassador to France, Robert Livingston.

The cipher finally met its match in Lawren Smithline, a 36-year-old mathematician. Dr. Smithline has a Ph.D. in mathematics and now works professionally with cryptology, or code-breaking, at the Center for Communications Research in Princeton, N.J., a division of the Institute for Defense Analyses.

A couple of years ago, Dr. Smithline's neighbor, who was working on a Jefferson project at Princeton University, told Dr. Smithline of Mr. Patterson's mysterious cipher.

Dr. Smithline, intrigued, decided to take a look. "A problem like this cipher can keep me up at night," he says. After unlocking its hidden message in 2007, Dr. Smithline articulated his puzzle-solving techniques in a recent paper in the magazine American Scientist and also in a profile in Harvard Magazine, his alma mater's alumni journal.

The "Perfect" Cipher?

The code, Mr. Patterson made clear in his letter, was not a simple substitution cipher. That's when you replace one letter of the alphabet with another. The problem with substitution ciphers is that they can be cracked by using what's termed frequency analysis, or studying the number of times that a particular letter occurs in a message. For instance, the letter "e" is the most common letter in English, so if a code is sufficiently long, whatever letter appears most often is likely a substitute for "e."

Because frequency analysis was already well known in the 19th century, cryptographers of the time turned to other techniques. One was called the nomenclator: a catalog of numbers, each standing for a word, syllable, phrase or letter. Mr. Jefferson's correspondence shows that he used several code books of nomenclators. An issue with these tools, according to Mr. Patterson's criteria, is that a nomenclator is too tough to memorize.

Jefferson even wrote about his own ingenious code, a model of which is at his home, Monticello, in Charlottesville, Va. Called the wheel cipher, the device consisted of cylindrical pieces, threaded onto an iron spindle, with letters inscribed on the edge of each wheel in a random order. Users could scramble and unscramble words simply by turning the wheels.

But Mr. Patterson had a few more tricks up his sleeve. He wrote the message text vertically, in columns from left to right, using no capital letters or spaces. The writing formed a grid, in this case of about 40 lines of some 60 letters each.

Then, Mr. Patterson broke the grid into sections of up to nine lines, numbering each line in the section from one to nine. In the next step, Mr. Patterson transcribed each numbered line to form a new grid, scrambling the order of the numbered lines within each section. Every section, however, repeated the same jumbled order of lines.

The trick to solving the puzzle, as Mr. Patterson explained in his letter, meant knowing the following: the number of lines in each section, the order in which those lines were transcribed and the number of random letters added to each line.

The key to the code consisted of a series of two-digit pairs. The first digit indicated the line number within a section, while the second was the number of letters added to the beginning of that row. For instance, if the key was 58, 71, 33, that meant that Mr. Patterson moved row five to the first line of a section and added eight random letters; then moved row seven to the second line and added one letter, and then moved row three to the third line and added three random letters. Mr. Patterson estimated that the number of potential combinations to solve the puzzle was "upwards of ninety millions of millions."


After explaining this in his letter, Mr. Patterson wrote, "I presume the utter impossibility of decyphering will be readily acknowledged."

Undaunted, Dr. Smithline decided to tackle the cipher by analyzing the probability of digraphs, or pairs of letters. Certain pairs of letters, such as "dx," don't exist in English, while some letters almost always appear next to a certain other letter, such as "u" after "q".

To get a sense of language patterns of the era, Dr. Smithline studied the 80,000 letter-characters contained in Jefferson's State of the Union addresses, and counted the frequency of occurrences of "aa," "ab," "ac," through "zz."

Dr. Smithline then made a series of educated guesses, such as the number of rows per section, which two rows belong next to each other, and the number of random letters inserted into a line.

To help vet his guesses, he turned to a tool not available during the 19th century: a computer algorithm. He used what's called "dynamic programming," which solves large problems by breaking puzzles down into smaller pieces and linking together the solutions.

The overall calculations necessary to solve the puzzle were fewer than 100,000, which Dr. Smithline says would be "tedious in the 19th century, but doable."

After about a week of working on the puzzle, the numerical key to Mr. Patterson's cipher emerged -- 13, 34, 57, 65, 22, 78, 49. Using that digital key, he was able to unfurl the cipher's text:

"In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events..."

That, of course, is the beginning -- with a few liberties taken -- to the Declaration of Independence, written at least in part by Jefferson himself. "Patterson played this little joke on Thomas Jefferson," says Dr. Smithline. "And nobody knew until now."

Write to Rachel Emma Silverman at rachel.silverman@wsj.com
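
The grid-and-key procedure described in the article above, as an added Python example that is not part of the original post or of the WSJ article. The key string and the sample plaintext are the ones quoted in the article; the 10-row grid, the fixed random seed, and the way a short final section is handled are assumptions made for this illustration.

```python
import random
import string

# Key quoted in the article as the one Dr. Smithline recovered.
ARTICLE_KEY = "13, 34, 57, 65, 22, 78, 49"

# Opening of the plaintext quoted in the article; used here as sample input.
SAMPLE = ("In Congress, July Fourth, one thousand seven hundred and seventy six. "
          "A declaration by the Representatives of the United States of America "
          "in Congress assembled. When in the course of human events")


def parse_key(text):
    """'58, 71, 33' -> [(5, 8), (7, 1), (3, 3)] as (line number, letters added)."""
    pairs = []
    for tok in text.replace(",", " ").split():
        if len(tok) != 2 or not tok.isdigit() or tok[0] == "0":
            raise ValueError(f"bad key element: {tok!r}")
        pairs.append((int(tok[0]), int(tok[1])))
    return pairs


def normalize(message):
    """Lower-case letters only: no capitals, spaces or punctuation."""
    return "".join(ch for ch in message.lower() if ch in string.ascii_lowercase)


def write_columns(plain, n_rows):
    """Write the text down successive columns, left to right; return the rows."""
    return [plain[r::n_rows] for r in range(n_rows)]


def read_columns(rows):
    """Inverse of write_columns: read the grid column by column."""
    width = max(len(row) for row in rows)
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def section_plan(key, n_lines):
    """Yield (cipher line index, grid row index, letters added) for each line."""
    size = len(key)
    if sorted(line for line, _ in key) != list(range(1, size + 1)):
        raise ValueError("a full key must use each line number 1..n once")
    out = 0
    for start in range(0, n_lines, size):
        in_section = min(size, n_lines - start)
        for line, added in key:
            # Assumption: a short final section keeps the key order and
            # skips line numbers it does not contain.
            if line <= in_section:
                yield out, start + line - 1, added
                out += 1


def encrypt(message, key, n_rows, rng):
    """Return the cipher lines: reordered rows, each prefixed with random letters."""
    rows = write_columns(normalize(message), n_rows)
    cipher = [None] * n_rows
    for out, src, added in section_plan(key, n_rows):
        pad = "".join(rng.choice(string.ascii_lowercase) for _ in range(added))
        cipher[out] = pad + rows[src]
    return cipher


def decrypt(cipher_lines, key):
    """Strip the added letters, restore the row order, read down the columns."""
    rows = [None] * len(cipher_lines)
    for out, src, added in section_plan(key, len(cipher_lines)):
        rows[src] = cipher_lines[out][added:]
    return read_columns(rows)


def demo():
    """Encrypt the sample with the article's key and decrypt it again."""
    key = parse_key(ARTICLE_KEY)
    rng = random.Random(1801)  # fixed seed so the run is repeatable
    cipher = encrypt(SAMPLE, key, n_rows=10, rng=rng)
    return cipher, decrypt(cipher, key)


if __name__ == "__main__":
    lines, recovered = demo()
    for line in lines:
        print(line)
    print(recovered)
```

Because the text is written down the columns, letters that sit next to each other in the message end up in vertically adjacent rows, which is why the digraph counts the article mentions can be used to test guesses about which rows belong together.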
38  Politics, Religion, Science, Culture and Humanities / Politics & Religion / How easy is it to shut off a country’s Internet? on: May 21, 2013, 09:58:12 PM
Not picking fights or starting new arguments, but a portion of a comment intrigued me.
BTW - I'm still reading the articles listed below.

"...shut down their internet until they understand our concern." 


How easy is it to shut off a country’s Internet?
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/01/how-easy-is-it-to-shut-off-a-countrys-internet/


Could It Happen In Your Country?
http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml


How did Syria cut off the entire country from the Internet?
http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/08/how-did-syria-cut-off-the-entire-country-from-the-internet/
39  Politics, Religion, Science, Culture and Humanities / Politics & Religion / US Government is the Largest Purchaser of Hacking Tools on: May 15, 2013, 05:34:21 PM
(May 10 & 13, 2013)
According to a report from Reuters, the US government is the single largest buyer in the "gray market" of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, "If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users." Howard Schmidt, also a former White House cybersecurity advisor, said, "It's pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that's discovered it." And former NSA director Michael Hayden said that although "there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level."

Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws.

http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

http://www.zdnet.com/u-s-government-becomes-biggest-buyer-of-malware-7000015242/

[Editor's Note (Pescatore): Governments are the largest buyers of all offensive weapons and the US government (DoD/Intelligence plus national law enforcement) is usually the largest of the government buyers, so this is sort of a "drug companies are the biggest buyers of opiates" story.

(Assante): The main ramification of a thriving tools market is greater investment in vulnerability discovery and the development of more powerful tools to assemble and test exploits. 2006 is considered a turning point as the emerging underground tool market bred specialization and provided paths for money to cycle through the system. Monetization of hacking gains began to feed upstream tool developers and people willing to commit attacks became more reliant on tools that were purchased. Super buyers will certainly influence this market place, but they are only one category of participant - these markets are here to stay.]
40  Politics, Religion, Science, Culture and Humanities / Politics & Religion / --Chinese General Says Cyber Attacks Are Like Nuclear Bombs on: April 26, 2013, 01:51:48 PM

--Chinese General Says Cyber Attacks Are Like Nuclear Bombs
(April 22, 2013)
While rejecting claims that the Chinese military is behind cyberspying aimed at Western companies, the chief of staff of the People's Liberation Army likened cyber attacks to nuclear bombs, saying "If the security of the Internet cannot be guaranteed, then ... results may be as serious as a nuclear bomb."

http://online.wsj.com/article/SB10001424127887323551004578438842382520654.html

http://www.informationweek.com/security/attacks/cyber-strikes-like-nuclear-bombs-says-ch/240153442

[Editor's Note (Paller): Not so far fetched. When Gary Roughead was U.S. Chief of Naval Operations he told Tony Sager and Jim Lewis and me, "for the Navy, Cyber is more important now than nuclear." Sadly, the Navy's new leadership hasn't followed through on making the Navy a leader in cyberspace.]
41  Politics, Religion, Science, Culture and Humanities / Politics & Religion / --EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism on: April 16, 2013, 04:00:13 PM
--EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism
(April 15, 2013)
The Electronic Privacy and Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cyber crime and cyber terrorism. NIST is developing a cybersecurity platform as part of the president's executive order on cybersecurity, and asked for public comments on the development of that platform. In its comments, EPIC notes that "the overwhelming majority of cybersecurity incidents do not fall within the 'national security' designation."

http://www.gsnmagazine.com/node/28918?c=cyber_security

[Editor's Note (Pescatore): First: the horrible attacks at the Boston Marathon once again point out the schlockiness of the term "cyberterrorism."  After each bombs and blood actual terrorist attack, from Oklahoma City in 1995 through the terrorist attacks against the US in September 2011, someone says "The next terror attack will be cyber" - - no, it will not. With that out the way, EPIC is dead on here. The cyber attack public relations focus shifted from cybercrime to China because that is a great way to go after funding and government budgets. The actual volume of attacks and likelihood of damage most companies face did *not* shift.  (Murray): Well, EPIC is right to take the opportunity of the NIST RFC to raise the issue.  However, the problem is not limited to NIST.  Most of the attacks in the Internet are motivated by things other than terror (e.g., economics).  Those that are intended to terrorize represent a "national security" threat only to the extent that we react to them as the terrorists hope.  Government policy that treats them all as "war" is not efficient and, at least arguably, is not effective.  It is essential that we distinguish between existential threat and the human condition.

(McBride): This is a pivotal distinction that needs to be addressed. Having a set of predetermined criteria to judge between national security issues and non-national security issues would help the federal government provide appropriate support while maintaining civil liberties and conserving taxpayer resources. It would also encourage rather than discourage participation and innovation that comes from private sector cyber security firms. ]
42  Politics, Religion, Science, Culture and Humanities / Politics & Religion / US Creating Cybersecurity Working Groups With Japan and China on: April 16, 2013, 03:57:35 PM
US Creating Cybersecurity Working Groups With Japan and China
(April 14 & 15, 2013)
US Secretary of State John Kerry says that the US is creating working groups with Japan and China to address cybersecurity related issues. Because "some of the most serious cyber threats to businesses emanate from" the Asia Pacific Region, it is important to have countries there be part of the solution to the problem.

http://www.computerworld.com/s/article/9238385/John_Kerry_Cyberdefense_a_major_part_of_Asian_security?taxonomyId=17

http://www.zdnet.com/cn/us-china-to-form-cybersecurity-working-group-7000013976/

[Editor's Note (Pescatore): There are strong parallels between the US/USSR in the Cold War and "Mutually Assured Destruction" nuclear restraint strategies, and today's international cybersecurity issues. Having *both* diplomatic and military initiatives in the cyber area is important. 

(Murray): China wants to control the content.  (If one is running a single-party state, Facebook is more than a mere inconvenience.)  The US wants to defend its fragile infrastructure.  That said, both have an interest in an orderly Internet.  Before we turn the Internet into a battlefield, we should at least try diplomacy to find mutually agreed state behavior, short of "war," that serves  both interests.]

43  Politics, Religion, Science, Culture and Humanities / Politics & Religion / On Security Awareness Training on: March 26, 2013, 03:53:46 PM
http://www.darkreading.com/blog/240151108/on-security-awareness-training.html

On Security Awareness Training
The focus on training obscures the failures of security design
Mar 19, 2013 | 07:39 AM

By Bruce Schneier
Dark Reading


 
Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater failings in security design.

In order to understand my argument, it's useful to look at training's successes and failures. One area where it doesn't work very well is health. We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons. One basic reason is psychological: We just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now.

Similarly, computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.

Another reason health training works poorly is that it’s hard to link behaviors with benefits. We can train anyone -- even laboratory rats -- with a simple reward mechanism: Push the button, get a food pellet. But with health, the connection is more abstract. If you’re unhealthy, then what caused it? It might have been something you did or didn’t do years ago. It might have been one of the dozen things you have been doing and not doing for months. Or it might have been the genes you were born with. Computer security is a lot like this, too.

Training laypeople in pharmacology also isn't very effective. We expect people to make all sorts of medical decisions at the drugstore, and they're not very good at it. Turns out that it's hard to teach expertise. We can't expect every mother to have the knowledge of a doctor, pharmacist, or RN, and we certainly can't expect her to become an expert when most of the advice she's exposed to comes from manufacturers' advertising. In computer security, too, a lot of advice comes from companies with products and services to sell.

One area of health that is a training success is HIV prevention. HIV may be very complicated, but the rules for preventing it are pretty simple. And aside from certain sub-Saharan countries, we have taught people a new model of their health and have dramatically changed their behavior. This is important: Most lay medical expertise stems from folk models of health. Similarly, people have folk models of computer security (PDF). Maybe they're right, and maybe they're wrong, but they're how people organize their thinking. This points to a possible way that computer security training can succeed. We should stop trying to teach expertise, pick a few simple metaphors of security, and train people to make decisions using those metaphors.

On the other hand, we still have trouble teaching people to wash their hands -- even though it’s easy, fairly effective, and simple to explain. Notice the difference, though. The risks of catching HIV are huge, and the cause of the security failure is obvious. The risks of not washing your hands are low, and it’s not easy to tie the resultant disease to a particular not-washing decision. Computer security is more like hand washing than HIV.

Another area where training works is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test to be allowed to drive a car. One reason that works is because driving is a near-term, really cool, obtainable goal. Another reason is even though the technology of driving has changed dramatically over the past century, that complexity has been largely hidden behind a fairly static interface. You might have learned to drive 30 years ago, but that knowledge is still relevant today.

On the other hand, password advice from 10 years ago isn't relevant today (PDF). Can I bank from my browser? Are PDFs safe? Are untrusted networks OK? Is JavaScript good or bad? Are my photos more secure in the cloud or on my own hard drive? The “interface” we use to interact with computers and the Internet changes all the time, along with best practices for computer security. This makes training a lot harder.

Food safety is my final example. We have a bunch of simple rules -- cooking temperatures for meat, expiration dates on refrigerated goods, the three-second rule for food being dropped on the floor -- that are mostly right, but often ignored. If we can’t get people to follow these rules, then what hope do we have for computer security training?

To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behaviors to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.

Even if we could invent an effective computer security training program, there's one last problem. HIV prevention training works because affecting what the average person does is valuable. Even if only half of the population practices safe sex, those actions dramatically reduce the spread of HIV. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in. As long as we build systems that are vulnerable to the worst case, raising the average case won't make them more secure.

The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones. Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested. That's how we should be designing security interfaces. And we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.

If we security engineers do our job right, then users will get their awareness training informally and organically from their colleagues and friends. People will learn the correct folk models of security and be able to make decisions using them. Then maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off. That makes a whole lot more sense.

Bruce Schneier is chief security technology officer at BT, and the author of several security books as well as the Schneier On Security blog. Special to Dark Reading

44  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Survey Says! Employees deliberately ignore security rules on: March 26, 2013, 03:52:05 PM
A recent survey from Lieberman Software reveals that more than 80% of IT security professionals believe that corporate employees deliberately ignore security rules issued by the IT department.

The survey, which looked at the attitudes of nearly 250 IT security professionals, also discovered that more than half of those who think that workers deliberately ignore IT security directives do not believe end-users would listen more even if these mandates were issued by executive management.

These findings are despite the fact that more IT security professionals and vendors are insisting that in order to improve IT security within organizations, strategic guidance must be issued from the board level.

Commenting on the research, Philip Lieberman, CEO of Lieberman Software, said: “These figures highlight the fact that most end-users are still not taking IT security seriously and are unnecessarily putting corporate data – and potentially customer information – at risk. And these behaviors are continuing even after it has been proven that human error is the leading cause of data breaches. Organizations need to implement better cyber security training that properly instructs staff about the consequences of data breaches.

“IT groups must also look beyond conventional security products and invest in technology like privileged identity management (PIM),” continued Lieberman. “PIM products ensure that powerful privileged accounts found throughout the enterprise in large organizations are available only to authorized IT personnel with limited-time, audited access. This ensures that end-users are not able to accidentally or maliciously change configuration settings, access systems with sensitive data, or perform other actions that are not required of their jobs.”

http://www.net-security.org/secworld.php?id=14650

45  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: Cyberwar and American Freedom on: March 06, 2013, 02:06:28 PM
Robert, as best as I can tell you are the most knowledgeable of us about the tech side of this sort of thing.

What sort of solutions suggest themselves to you?

Hey Guro, haven't been ignoring the question, been kind of busy this week, will give some thoughts as soon as I can.

Aloha.
46  Politics, Religion, Science, Culture and Humanities / Politics & Religion / China is Behind more than 20 Serious Cyber Attacks against Norway on: March 05, 2013, 12:26:09 AM
Norwegian National Security Authority accuses China of computer espionage against Norwegian companies.

After TV2 revealed last week that a Chinese military hacker group connected to the Chinese government is behind cyber attacks against sensitive targets in Norway, National Security Authority deputy Eiliv Ofigsbø today said Norwegian companies have probably lost contracts because of computer espionage.

According to Ofigsbø, at least 20 of these serious cyber attacks can be traced back to China.

- The consequence of espionage cases may be losing data or losing the contract negotiations. We have seen concrete examples of Norwegian companies that probably have lost as a result of these espionage activities. Our organization works with a number of Norwegian firms, and we know a number of those who have been subjected to such attacks, says Ofigsbø to TV2.

Ofigsbø also noted that particularly high-tech firms, defense and oil and gas industries are the ones most severely affected by the attacks. Some in the energy sector have also been attacked. He says the U.S. report, designated "Unit 61398", also shows the Chinese military as responsible for an attack aimed at a larger company on Norwegian soil.

- Since 2008, the number of cases increased by 30 percent each year. The past year was particularly marked by an increase in serious cases, including espionage cases, he says.
47  Politics, Religion, Science, Culture and Humanities / Politics & Religion / The Cyber Threat Planning for the Way Ahead on: March 05, 2013, 12:24:32 AM
http://www.fbi.gov/news/stories/2013/february/the-cyber-threat-planning-for-the-way-ahead/the-cyber-threat-planning-for-the-way-ahead

Director Mueller speaks to cyber security professionals in San Francisco.

The Cyber Threat
Planning for the Way Ahead


02/28/13

Denial of service attacks, network intrusions, state-sponsored hackers bent on compromising our national security: The cyber threat is growing, and in response, said FBI Director Robert S. Mueller, the Bureau must continue to strengthen its partnerships with other government agencies and private industry—and take the fight to the criminals.


“Network intrusions pose urgent threats to our national security and to our economy,” Mueller told a group of cyber security professionals in San Francisco today. “If we are to confront these threats successfully,” he explained, “we must adopt a unified approach” that promotes partnerships and intelligence sharing—in the same way we responded to terrorism after the 9/11 attacks.




 
Focus on Hackers and Intrusions

The FBI over the past year has put in place an initiative to uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code.


The FBI learned after 9/11 that “our mission was to use our skills and resources to identify terrorist threats and to find ways of disrupting those threats,” Mueller said. “This has been the mindset at the heart of every terrorism investigation since then, and it must be true of every case in the cyber arena as well.”


Partnerships that ensure the seamless flow of intelligence are critical in the fight against cyber crime, he explained. Within government, the National Cyber Investigative Joint Task Force, which comprises 19 separate agencies, serves as a focal point for cyber threat information. But private industry—a major victim of cyber intrusions—must also be “an essential partner,” Mueller said, pointing to several successful initiatives.


The National Cyber Forensics and Training Alliance, for example, is a model for collaboration between private industry and law enforcement. The Pittsburgh-based organization includes more than 80 industry partners—from financial services, telecommunications, retail, and manufacturing, among other fields—who work with federal and international partners to provide real-time threat intelligence.


Another example is the Enduring Security Framework, a group that includes leaders from the private sector and the federal government who analyze current—and potential—threats related to denial of service attacks, malware, and emerging software and hardware vulnerabilities.


Mueller also noted the Bureau’s cyber outreach efforts to private industry. The Domestic Security Alliance Council, for instance, includes chief security officers from more than 200 companies, representing every critical infrastructure and business sector. InfraGard, an alliance between the FBI and industry, has grown from a single chapter in 1996 to 88 chapters today with nearly 55,000 members nationwide. And just last week, the FBI held the first session of the National Cyber Executive Institute, a three-day seminar to train leading industry executives on cyber threat awareness and information sharing.


“As noteworthy as these outreach programs may be, we must do more,” Mueller said. “We must build on these initiatives to expand the channels of information sharing and collaboration.”


He added, “For two decades, corporate cyber security has focused principally on reducing vulnerabilities. These are worthwhile efforts, but they cannot fully eliminate our vulnerabilities. We must identify and deter the persons behind those computer keyboards. And once we identify them—be they state actors, organized criminal groups, or 18-year-old hackers—we must devise a response that is effective, not just against that specific attack, but for all similar illegal activity.”


“We need to abandon the belief that better defenses alone will be sufficient,” Mueller said. “Instead of just building better defenses, we must build better relationships. If we do these things, and if we bring to these tasks the sense of urgency that this threat demands,” he added, “I am confident that we can and will defeat cyber threats, now and in the years to come.”


Resources:
- Read Director Mueller’s remarks
http://www.fbi.gov/news/speeches/working-together-to-defeat-cyber-threats

- Cyber Crime page
http://www.fbi.gov/about-us/investigate/cyber

- National Cyber Investigative Joint Task Force
http://www.fbi.gov/about-us/investigate/cyber/ncijtf

- National Cyber Forensics and Training Alliance
http://www.fbi.gov/news/stories/2011/september/cyber_091611

- Infragard
http://www.fbi.gov/news/stories/2010/march/infragard_030810
48  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Cyber war crucial to edge in regional arms race on: March 05, 2013, 12:20:40 AM
http://www.afr.com/p/technology/cyber_war_crucial_to_edge_in_regional_9iXE9ux1Njz4mnmLBykREM

The paper nominates cyber warfare, electronic warfare and undersea warfare systems as areas where industry will need to stay “abreast of key enabling technologies” to stay ahead of the threat. Photo: Jessica Hromas
JOHN KERIN

Australia risks losing a regional arms race unless closer links can be forged between the government and the defence industry on countering cyber attacks, the Australian Industry Group Defence Council warns.

The council’s submission to the federal government’s 2013 defence white paper warns Australia will struggle to win a regional arms race unless the Gillard government pursues policies to align defence and industry.

“Given the more rapid acquisition of advanced military capabilities in our region of primary strategic concern, maintaining a capability edge is going to become much more demanding,” it says.

It calls for a closer relationship between the Defence Science and Technology Organisation and industry in promoting faster innovation. It nominates cyber warfare, electronic warfare and undersea warfare systems as areas where industry will need to stay “abreast of key enabling technologies”. “ADF capabilities must be capable of adaptation and evolution to meet changing threats,” the paper says.

CYBER ATTACKS
A defence white paper draft leaked to The Australian Financial Review warned in January that an adversary could try to use cyber attacks on defence networks to bring down systems crucial to deploying troops to war.

It also warned that Australia’s neighbours were increasingly buying sophisticated ships, aircraft and weapons systems that would make it harder to maintain the traditional capability edge.

The submission recommends an industry-wide survey be conducted to ensure industry and defence industry research and development more closely align to defence needs.

It says the government must bring forward projects to preserve the naval shipbuilding industry as the air warfare destroyer and troop transport ship projects wind down before an ambitious new submarine project worth up to $36 billion.

The submission also says the government should consider outsourcing some capabilities within the government weapons buyer, the Defence Materiel Organisation, to industry provided conflicts of interest can be avoided.

It says an Australian defence export push should become part of formal defence ties with south-east Asian nations to try to ensure the defence sector is not so vulnerable to traditional peaks and troughs of domestic defence buying.

FISCAL CONSTRAINT
The submission urges a wider review of the priority industry capabilities scheme. This scheme nominates areas vital to national security for special assistance in light of the government focusing on challenges closer to home in Asia-Pacific as the war in Afghanistan winds down.

The AiGroup warns that the white paper comes when “confidence has collapsed” in the defence industry after the government failed to deliver on its ambitious $275 billion weapons wish list.

The government has cut or deferred almost $25 billion in defence spending since the 2009 defence white paper and imposed cuts of $5.5 billion, or 10.5 per cent, this year. “By 2012 defence spending had reduced to its lowest level since 1938 (1.6 per cent of GDP) and the planned equipment acquisition program had been scuttled,” it says.

“A number of defence industry companies have closed and more than 5000 people have lost their jobs. Confidence has collapsed and uncertainty prevails throughout defence industry . . . this has a direct effect on national security.”

49  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Re: Cyberwar and American Freedom on: February 19, 2013, 03:53:40 AM
Interesting report, but this is also from a vendor of a product as well. I'll be searching other sites to see if anything else is being mentioned about this article.

https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/?utm_source=rss

Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators
By Dan McWhorter on February 18, 2013

Today, The Mandiant® Intelligence Center™ released an unprecedented report exposing APT1’s multi-year, enterprise-scale computer espionage campaign.  APT1 is one of dozens of threat groups Mandiant tracks around the world and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen.

 

Highlights of the report include:

- Evidence linking APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).
- A timeline of APT1 economic espionage conducted since 2006 against 141 victims across multiple industries.
- APT1’s modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.
- The timeline and details of over 40 APT1 malware families.
- The timeline and details of APT1’s extensive attack infrastructure.

Mandiant is also releasing a digital appendix with more than 3,000 indicators to bolster defenses against APT1 operations. This appendix includes:

- Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.
- Thirteen (13) X.509 encryption certificates used by APT1.
- A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1’s arsenal of digital weapons.
- IOCs that can be used in conjunction with Redline™, Mandiant’s free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant’s commercial enterprise investigative tool.
 

The scale and impact of APT1′s operations compelled us to write this report.  The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one.  What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular APT group.  It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively.  The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage.  Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.  We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.

We recognize that no one entity can understand the entire complex picture that many years of intense cyber espionage by a single group creates.  We look forward to seeing the surge of data and conversations a report like this will likely generate.

You can download the report, the appendices and view the video showing APT1 attacker activity at http://www.mandiant.com/apt1.

Dan McWhorter

Managing Director, Threat Intelligence

 
50  Politics, Religion, Science, Culture and Humanities / Politics & Religion / Classified Report Says Chinese Cyberespionage is a Serious Economic Threat ... on: February 14, 2013, 04:19:05 AM
Classified Report Says Chinese Cyberespionage is a Serious Economic Threat to the US (February 10, 2013)
According to a National Intelligence Estimate, China more than any other country in the world is targeting the US in a focused cyberespionage campaign that threatens the country's economy. The classified report lists organizations in the energy, finance, aerospace, information technology and other sectors that have been the targets of these attacks. Russia, Israel, and France have also been named as engaging in similar activity, but China's alleged activity outstrips theirs by far.

http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html

[Editor's Note (Henry): Not really sure what the news is; I re-read the article twice to see what I missed. The Chinese and other nations are engaged in cyber espionage against the US...really? While this has been happening for at least 15 years, corporate executives, government agencies, and administration officials have been talking about this openly for the past two or three years. I hope the open dialogue and public recognition of the true impact of this threat move us faster and closer to truly effective mitigation actions.

(Ranum): US agencies responsible for protecting the country against cyberespionage have been doing their constituents a disservice. Instead of trading on fears, they could release and document details of the kind of thing that is happening and couple that with specific actions that should be taken by corporations and organizations that might be targeted. Today's taxpayers interpret a full-on fear sell as a request for a blank check and are understandably reluctant to write one.

(Paller): A powerful defense, discovered by another country and validated by U.S. Intelligence agencies, has emerged. Look for an upcoming report from the Center for Strategic and International Studies with evidence of the effectiveness of this defense against the most common methods of attack used in the nation-state espionage attacks. It's time to stop admiring the problem, and start fixing it. ]