Police In Japan Are Asking ISPs To Start Blocking Tor | Techdirt

The National Police Agency in Japan is apparently asking ISPs in that country to “voluntarily” block the use of Tor, the well-known and widely used system for anonymously surfing the internet.

An expert panel to the NPA, which was looking into measures to combat crimes abusing the Tor system, compiled a report on April 18 stating that blocking online communications at the discretion of site administrators will be effective in preventing such crimes. Based on the recommendation, the NPA will urge the Internet provider industry and other entities to make voluntary efforts to that effect.

This is an extreme and dangerous overreaction. Yes, some people abuse the anonymity of Tor to do illegal things. Just as some people abuse the anonymity of cash to do bad things. But we don’t then outlaw cash because of this. There are many, many reasons why people have good reason to seek out an anonymizing tool like Tor to protect their identity. What if they’re whistle blowing on organized crime or corruption (say) in the police force? As for the fear that it’s being used for criminal activity, that doesn’t mean that police cannot identify them through other means. We’ve seen time and time again people leave digital tracks in other ways when they’re committing crimes. Yes, it makes life more difficult for police, and it means they have to do actual detective work, but that’s what their job is.

via Police In Japan Are Asking ISPs To Start Blocking Tor | Techdirt.

“27 largest companies have admitted to the SEC that cyberattacks are basically meaningless” #security /ht @arashiyama

Since the beginning of the cybersecurity FUDgasm from Congress, we’ve been asking for proof of the actual problem. All we get are stories about how airplanes might fall from the sky, but not a single, actual example of any serious problem. Recently, some of the rhetoric shifted to how it wasn’t necessarily planes falling from the sky but Chinese hackers eating away at our livelihoods by hacking into computers to get our secrets and destroy our economy. Today, Congress is debating CISPA (in secret) based on this assumption. There’s just one problem: it’s still not true.

The 27 largest companies have now admitted to the SEC that cyberattacks are basically meaningless and have done little to no damage.

The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.

MetLife Inc., Coca-Cola Co. (KO), and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. (C) reported “limited losses” while the others said there was no material impact.

So what’s this all really about? It goes back to what we said from the very, very beginning. This is all FUD, engineered by defense contractors looking for a new way to charge the government tons of money, combined with a willing government who sees this as an opportunity to further take away the public’s privacy by claiming that it needs to see into corporate networks to prevent these attacks.

If this was a real problem, wouldn’t we see at least some evidence?

via As Congress Debates CISPA, Companies Admit No Real Damage From Cyberattacks | Techdirt.

Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph

Ben Hammersley, a Number 10 adviser to the Tech City project, said the draft Communications Data Bill could be turned from a force for good into something more sinister under future governments.

The main aim of the Bill is to give security services like MI5 and GCHQ the ability to monitor email traffic, without actually looking at its content.

However, it is currently being revised after a committee of MPs and peers raised privacy concerns about the bill’s intrusion into people’s lives.

Asked for his views on the new laws, Mr Hammersley said the consequences could be “disastrous” in an interview with Tank magazine.

“I don’t trust future governments,” he said. “The successors of the politicians who put this in place might not be trustworthy.

via Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph.

Thought for today: APT is a racist term – #security #apt /cc @kevinmitnick

From discussion with friends, an extract:

If the definition or example is that somehow APT is a ‘newer, better and prolonged method of attack and stealth to obtain the crown jewels’, then what was Kevin Mitnick’s attack on Sun Microsystems?

It’s because Mitnick was an American – not “a Red” – and the net was not infrastructure back then.

In short: since the threat model has moved on from “Commies” now, APT is essentially a racist/jingoistic term for “foreign hacker who is other than us”.

My friend Jon Care says that ‘cloud’ is an irregular noun:

  • I have a Private Cloud
  • You have a Botnet
  • They have a Cyberwarfare Capability / Cyberweapon

…and I am basically thinking that APT is the equivalent third term for government pentester – the second being the eternally-slightly-tarnished Hacker, of course.

ps: obligatory tip for decyber

Next time you see a plea for #cybersecurity spending on more #cyberwarriors …

…check some history:

http://en.wikipedia.org/wiki/Bomber_gap

The “bomber gap” was the unfounded belief in the Cold War-era United States that the Soviet Union had gained an advantage in deploying jet-powered strategic bombers. Widely accepted for several years, the gap was used as a political talking point in order to justify greatly increased defense spending. One result was a massive buildup of the United States Air Force bomber fleet, which peaked at over 2,500 bombers, in order to counter the perceived Soviet threat. Surveillance flights utilizing the Lockheed U-2 aircraft indicated that the bomber gap did not exist. Realizing that mere belief in the gap was an extremely effective funding source, a series of similarly nonexistent Soviet military advances were constructed in a tactic now known as “policy by press release.”

http://en.wikipedia.org/wiki/Missile_gap

The missile gap was the term used in the United States for the perceived disparity between the number and power of the weapons in the U.S.S.R. and U.S. ballistic missile arsenals during the Cold War. The gap only existed in exaggerated estimates made by the Gaither Committee in 1957 and in United States Air Force (USAF) figures. Even the CIA figures that were much lower and gave the US a clear advantage were far above the actual count. Like the bomber gap of only a few years earlier, it is believed that the gap was known to be illusionary from the start, and was being used solely as a political tool, an example of policy by press release.

http://en.wikipedia.org/wiki/Policy_by_press_release

Policy by press release refers to the act of attempting to influence public policy through press releases intended to alarm the public into demanding action from their elected officials. The practice is frowned upon, but remains effective and widely used. In modern times, the term is used to dismiss an opponent’s claims, suggesting they are lacking in substance and created to generate media attention.

Now: Compare with:

You Call This an Army? The Terrifying Shortage of U.S. Cyberwarriors.

The United States doesn’t have nearly enough people who can defend the country from digital intrusions. We know this, because cybersecurity professionals are part of a larger class of workers in science, technology, engineering, and math–and we don’t have nearly enough of them, either. We’re just two years into President Obama’s decade-long plan to develop an army of STEM teachers. We’re little more than one year from his request to Congress for money to retrain 2 million Americans for high-tech work (a request Republicans blocked). And it has been less than a month since the Pentagon said it needed to increase the U.S. Cyber Command’s workforce by 300 percent–a tall order by any measure, but one that’s grown even more urgent since the public learned of massive and sustained Chinese attempts at cyberespionage last month.

Where are Cyber Command’s new hires going to come from? Even with so many Americans out of work, it isn’t as though there’s a giant pool of cyber professionals tapping their feet, waiting to be plucked up by federal agencies and CEOs who’ve suddenly realized they’re naked in cyberspace. In fact, over the next couple of years, the manpower deficit is only going to get worse as more companies come to grips with the scale of the danger.

Demand for cyber labor is still far outstripping supply, Ron Sanders, a vice president at Booz Allen Hamilton, told National Journal in a phone interview. “With each headline we read,” he said, “the demand for skilled cyber professionals just increases.”

The number of industry employees is already growing at double-digit rates. A new report released Monday finds that the number of people working in the cyber field is going to grow worldwide by 11 percent every year for the next five years. In North and South America, according to the paper–published by the International Information System Security Certification Consortium (ISC2)–that will mean almost a million more workers in the field by 2017. Many of them will be highly qualified. But not all of them will be in the employ of U.S. entities, to say nothing about working in the United States itself.

“…doomed to repeat it.”

I am wondering if we are going to end up with people who are skilled in security getting quite literally drafted in order to quell the panic?


Epic #mustread on DDoS, re: Spamhaus/Cyberbunker and “bringing down the Internet” with DDoS

Extract from the posting:

First off I can confirm a few basic facts, namely that we really did receive a ~300 Gbps attack directed at Cloudflare, and later specifically targeted at pieces of our core infrastructure. This is definitely on the large end of the scale as far as DoS attacks go, but I wouldn’t call it “record smashing” or “game changing” in any special way. It’s just another large attack, maybe 10-15% larger than other similar ones we’ve seen in the past, and I’m certain we will continue to see even larger ones in the future as global traffic levels increase. What made this particular attack notable is where it was targeted, which greatly increased the number of people who noticed it.

In defense of the claims in other articles, there is a huge difference between “taking down the entire Internet” and “causing impact to notable portions of the Internet”. My company, most other large Internet carriers, and even the largest Internet exchange points, all deliver traffic at multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps is certainly not going to destroy the Internet, wipe anybody off the map, or even show up as more than a blip on the charts of global traffic levels. That said, there is absolutely NO network on this planet who maintains 300 Gbps of active/lit but unused capacity to every point in their network. This would be incredibly expensive and wasteful, and most of us are trying to run for-profit commercial networks, so when 300 Gbps of NEW traffic suddenly shows up and all wants to go to ONE location, someone is going to have a bad day.

But, having a bad day on the Internet is nothing new. […]

The whole thing is worth reading, all of which is a response to this Gizmodo article and apparently re: one comment on it from someone looking for primary sources.

I hope the comment’s author feels he got his money’s worth.

tl;dr – breaking the internet is still really hard via DDoS.

Cyber-security: The digital arms trade | The Economist # It’s shit like this which will hurt Full Disclosure

IT IS a type of software sometimes described as “absolute power” or “God”. Small wonder its sales are growing. Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

via Cyber-security: The digital arms trade | The Economist.

“It’s like selling guns to criminals” – where have I heard something like that before?

Oh yes, here:

[…] people can now crack a system, using “crack”, without even being decent programmers. There is no rite-of-passage for these people, they may not even realize that there are laws which could stick them in jail for years.

Someone once broke into another system which I control, I discovered it, tracked them down, and they got fired. For what? This person wasn’t even a good programmer–they didn’t even know they could be traced. I didn’t feel very good about this firing–didn’t want them to be fired–I just wanted to stop them from breaking into my system. When I discussed this case with CERT, I made it clear that I didn’t want the perpetrators arrested since they did no damage, I just wanted them to stop. However, under present US law they committed a felony. Frankly, it did waste about $500 of my time. The CERT people tried to assuage my feelings: at least they didn’t get thrown in jail, because you didn’t press charges, they said.

A publically available raw “crack” is somewhat like throwing a pile of guns into a day care center. There isn’t even a “safety” on crack.

I want to make it clear that I am not trying to impose some sort of mandate onto the developers of “crack”. They have the right to produce and distribute whatever software they choose.

Instead, I am appealing to them to produce a piece of software which errs more on the side of usefulness than destructiveness.

That was in 1992, and the discussion continues at that link; and here we are again with sploitz and vulnz and 0days, oh my…

Sigh.

Some muppet is going to get their hands on the article and convince Governments to waste money on them, just wait and see; and attempts at “regulation” will follow.

BBC News – Saudi Arabia ‘threatens Skype ban’ # TWIST: #interception breaks the #privacy of the #Hijab

Strange bedfellows…

Encrypted messaging services such as Skype, Viber and WhatsApp could be blocked in Saudi Arabia, the telecommunications regulator there is reported to have warned.

It is demanding a means to monitor such applications, but Saudis say that would seriously inhibit their communications.

Saudi newspapers are reporting that the companies behind the applications have been given a week to respond.

No explanation has been given of why the demand has been made.

Ahmed Omran, a Saudi blogger who runs the Riyadh Bureau site, says that Saudi telecom companies may be tempted to go along with the request from the regulator – even though it will upset their customers – because of the loss of revenue they suffer from the free apps, which are hugely popular in the country.

One Saudi source goes further – with an article in the local Arab News suggesting that it may even have been the telecom companies themselves that have been demanding that action be taken against the apps.

The move is similar to attempts to rein in the Blackberry messaging service several years ago.

Simple and affordable

The explosion in social media networks has had a big impact in Saudi Arabia, which has the highest take-up of Twitter in the world, reports the BBC’s Arab affairs editor Sebastian Usher.

Outside interest in the phenomenon has largely focused on how this has allowed Saudis to express themselves in a public forum on social or political issues in an unprecedented way.

Saudis see this latest threat a little differently, our correspondent says. Any move to monitor or block sites like Skype and WhatsApp would potentially deprive them of what has become an essential means of simply communicating with friends and family.

One Saudi user told the local media that she would feel uncomfortable talking to her relative on Skype without her hijab (headscarf) if she believed someone might be monitoring her.

Expatriate workers have messaged newspapers pleading with the Saudis not to stop their only affordable means of communication to their families back home.

If it did happen, though, one Saudi told the BBC that it would not take long for people to find a new way to communicate for free.

via BBC News – Saudi Arabia ‘threatens Skype ban’.

NetBSD: RNG Bug May Result in Weak Cryptographic Keys #sameold #sameold

Due to a misplaced parenthesis, if insufficient GOOD bits were available to satisfy a request, the keying/rekeying code requested either 32 or 64 ANY bits, rather than the balance of bits required to key the stream generator.

The result of this bug is that even after the minimum entropy threshold was reached, the generators for in-kernel and userspace consumers could in the worst case be keyed, or re-keyed, with as few as 32 bits (on 32 bit platforms) or 64 bits (on 64 bit platforms) of data, plus a 32-bit cycle counter value, plus the name of the generator (an LWP ID for userspace, a fixed string for kernel consumers), plus stack noise for the remainder.

Systems which never experience an “insufficient entropy” condition (for example, systems with hardware random number generators supported by NetBSD) are not impacted by this bug.

All cryptographic keys generated on NetBSD 6 or NetBSD-current (prior to 2013-01-27) systems should be regenerated, unless it is certain that the system in question cannot have suffered a low-entropy condition when the keys were generated.

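To make the advisory's failure mode concrete, here is an added, hypothetical C model (not NetBSD's code, and not reconstructed from it): a keying routine that, when the pool cannot supply enough GOOD bytes, asks for a fixed 32 bits of ANY-quality data instead of the remaining balance, so the rest of the key keeps whatever was already in the buffer, shown beside the corrected version. The pool structure, the 256-bit key size and the deterministic byte source are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 32    /* hypothetical 256-bit stream-generator key */
#define NOISE     0xAA  /* stands in for whatever was on the stack before keying */

/* Hypothetical pool: a count of entropy-accounted ("GOOD") bytes still
 * available, and a deterministic byte stream so results are reproducible.
 * "ANY" bytes are always available but carry no entropy guarantee. */
struct pool {
    size_t  good_avail;
    uint8_t next;
};

/* Copy up to n bytes into dst; with good != 0 stop when GOOD bytes run out.
 * Returns the number of bytes actually written. */
static size_t take(struct pool *p, uint8_t *dst, size_t n, int good)
{
    size_t got;
    for (got = 0; got < n; got++) {
        if (good) {
            if (p->good_avail == 0)
                break;
            p->good_avail--;
        }
        dst[got] = p->next++;
    }
    return got;
}

/* Buggy keying (modelled on the advisory's description): on a shortfall the
 * follow-up request is a fixed word size, not the balance still needed. */
size_t key_buggy(struct pool *p, uint8_t *key, size_t keylen)
{
    size_t got = take(p, key, keylen, 1);
    if (got < keylen) {
        size_t n = sizeof(uint32_t);            /* defect: should be keylen - got */
        if (n > keylen - got)
            n = keylen - got;
        got += take(p, key + got, n, 0);
    }
    return got;
}

/* Fixed keying: request exactly the remaining balance of ANY bytes. */
size_t key_fixed(struct pool *p, uint8_t *key, size_t keylen)
{
    size_t got = take(p, key, keylen, 1);
    if (got < keylen)
        got += take(p, key + got, keylen - got, 0);
    return got;
}

/* Key a generator with good_avail GOOD bytes on offer and report how many
 * of the KEY_BYTES key bytes were never overwritten by pool data. */
size_t untouched_after_keying(int use_fixed, size_t good_avail)
{
    struct pool p = { good_avail, 0 };
    uint8_t key[KEY_BYTES];
    size_t i, untouched = 0;
    memset(key, NOISE, sizeof key);
    if (use_fixed)
        key_fixed(&p, key, KEY_BYTES);
    else
        key_buggy(&p, key, KEY_BYTES);
    for (i = 0; i < KEY_BYTES; i++)
        if (key[i] == NOISE)
            untouched++;
    return untouched;
}
```

With no GOOD bytes available, the buggy routine writes only 4 of the 32 key bytes from the pool, which is the "as few as 32 bits ... plus stack noise for the remainder" outcome; the fixed routine always fills the whole key.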

AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison | Threat Level | Wired.com # But surely here in the UK we are safe? #techcity? #siliconroundabout?

Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty last November in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization after he and a colleague created a program to collect information on iPad owners that had been exposed by a security hole in AT&T’s web site.

The two essentially wrote a program to send GET requests to the web site.

The controversial case is one of a string of highly criticized prosecutions of security researchers who have been charged with serious computer crimes under the Computer Fraud and Abuse Act, prompting calls for reform of the legislation to make clear distinctions between criminal hacking and simple unauthorized access and to protect researchers whose activities are not criminal in intent.

Computer security researcher Charlie Miller tweeted Monday morning in reference to Auernheimer’s case that any security researcher could be facing the same fate.

via AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison | Threat Level | Wired.com.