
February 11, 2011

Comments

For every vengeance, there is an equal and opposite revengeance.

Also, Palantir Tech? God deliver us from Tolkien geeks with advanced cyberpowers.

You know, a few years back I stumbled on Greenwald and thought, well something along the lines of "shrill." But I kept reading, 'cause he had this interesting tendency to bring a metric f*ton of backup to each post.

He's been right in his core arguments over and over and over. And that's terribly depressing.

Fiddler, I feel bad for you because this is a really well written post that looks like it might get lost in the excitement of events in Egypt. I'm sure it took a long while to put together and I appreciate it.

Turbulence, thank you. I had hoped to post it last night (missing the last few paragraphs, but I would have written a follow-up for them) but I was unwell and couldn't get it done. That's the way it goes, sometimes.

but the ones I talked with while putting this together uniformly agreed that any security company employee who was out of town for a demo and was so unlucky as to forget his password would get this reaction if he called in: tough luck.

Well, I can see trying to get something done if the situation is critical, but it should involve extraordinary measures- phone calls from trusted people who know the user, etc. If it's not worth that level of extraordinary effort, then it's not critical.
But I have seen that kind of behavior before; some high-level types think that rules only apply to underlings, that the fact that they can break any rule is evidence of their high standing. I've even seen people go out of their way to break rules to demonstrate this.

Fiddler, right now I'm only skimming; later I will read closely.

Computer security. *sigh*

You might enjoy this quote from a 1997 essay by Bruce Schneier (I had occasion recently to include it in a design document):

The good news about cryptography is that we already have the algorithms and protocols we need to secure our systems. The bad news is that that was the easy part; implementing the protocols successfully requires considerable expertise. The areas of security that interact with people--key management, human/computer interface security, access control--often defy analysis. And the disciplines of public-key infrastructure, software security, computer security, network security, and tamper-resistant hardware design are very poorly understood.

Companies often get the easy part wrong, and implement insecure algorithms and protocols. But even so, practical cryptography is rarely broken through the mathematics; other parts of systems are much easier to break. The best protocol ever invented can fall to an easy attack if no one pays attention to the more complex and subtle implementation issues. Netscape's security fell to a bug in the random-number generator. Flaws can be anywhere: the threat model, the system design, the software or hardware implementation, the system management. Security is a chain, and a single weak link can break the entire system. Fatal bugs may be far removed from the security portion of the software; a design decision that has nothing to do with security can nonetheless create a security flaw.

Why Cryptography Is Harder Than It Looks
By Bruce Schneier

Great, wonderful, terrific post. It made my day.

It makes me wonder what legal remedies may be available to Wikileaks, Mr. Greenwald, et al.

Ral, thank you for the quote and the link. And Schneier's right about the simple, sometimes stupid things often being the loophole. I know of a situation some years back where a company's phone system was hacked (somewhat ineptly) because the hacker got hold of a corporate phone directory and called every phone until he found one where the user hadn't changed the basic "1234" passcode -- then got into the system and made international phone calls for hours one weekend. Such a simple thing. The hackers were caught, but sorting some of it out with the phone company apparently took longer.

Very interesting post. The whole scenario is just weird. It has the feel of the film The Informant!, only not as funny.

I made the mistake of following the Greenwald link and reading the whole thing. Now I'm disgusted and pissed about the oligarchic, corporatist kleptocracy that our country has been turning into. I feel like a Bizarro World Tea Partier right now.

Barr seems like a particularly unwise person. His behavior is stealing-a-bear-cub-stupid.

It just shows nothing much has changed since Hackers became one of the top 5 movies I watch every time it comes on.

Oh, except it's life mimics art.

The point about people in executive positions assuming that the rules do not apply to them is well taken. But even there, I would expect something like "I'll call your cell to confirm" or "I'll call your hotel to confirm" from a sysadmin in a security firm. Anything less would be a one-way ticket to a pink slip. [Totally off topic: are "pink slips" even used, let alone pink?]

If I were Bank of America, I would be really hustling to delete any and all copies of any communications with HB Gary. Including any archives and back-ups. Because otherwise Anonymous have a huge incentive to hack BofA and produce documents proving that their denials are less than perfectly accurate.

Aaron Barr put his head into the lion's mouth. He goes to one of the most powerful hacking groups in the world, breaks into their inner circle and then publicly announces it.

This bit is wrong I think. Anonymous isn't a particularly powerful hacking group. That is, they don't have the world's best experts on staff. What they are is a loosely coordinated group of people who are skilled at applying attacks that actual security experts have come up with. That means that they're quite powerful, but in a narrow way.

I mean, their attacks against Visa/Mastercard/Amazon accomplished nothing, because those companies were not completely incompetent. Any security expert that thinks Anonymous is one of the most powerful hacking groups in the world is...not smart.

The movie Sneakers may be a better preview of the next decade or so.

Thanks for this post.

I think of Aaron Barr as Sneakers and Anonymous as Hackers. Great post.

Turbulence: You're right that Anonymous isn't a particularly powerful hacking group, but what they *are* probably makes them an even worse group to meddle with.

Anonymous is decentralized, activist, vindictive, juvenile, unaccountable, and essentially uncontrollable.

If he'd interfered with a Russian criminal hacking group, they may have threatened him with violence, they may have defrauded him, or blackmailed him. That's all bad and dangerous, but they also have the ability to stop hassling him and blackmail requires them to keep their blackmail material secret from the rest of the world.

Anonymous (probably) won't threaten him with violence, but it also doesn't have any motivation to refrain from publishing his emails and since it has no stable membership or means to punish its members, Barr's harassment will likely continue for a long time.

Anonymous won't cut his brake lines, but Barr should expect to spend the next few years cleaning Mudkipz off his website and turning away prank-pizza.

Any security expert that thinks Anonymous is one of the most powerful hacking groups in the world is...not smart.

They are, however, smarter than Aaron Barr. He's the new poster boy for "hoist by his own petard".

And yeah, jussi jaakonaho is probably looking for a new gig. He's gonna have to change his name, he's now documented in black and white as the sysop who gave up the system root password and changed his boss' password based on an email conversation.

Ouch.

It's not nice to screw with people. Sometimes they respond in kind. And the tech world is one in which just knowing how to do stuff can actually out-leverage money.

Fantastic post, and if possible, I think you should move it so that it is back up at the top of the page, especially if you add any updates. I'd like to think that my joining the collective forced Jacob to deliver this gem of a post, but that is practically the same as HB Gary's business model.

Off to read all the links. Thanks again.

Liberal, how do I do that? I'm new at working in TypePad.

Hi Fiddler, drop me a line at libjpn@gmail and I can tell you what I've figured out about the interface.

This other Ars Technica post has more details about the back and forth between Barr and Anonymous. It's 3 pages, and the exchange between Barr and one of the programmers at HBGary is worth a look.

Anonymous is decentralized, activist, vindictive, juvenile, unaccountable, and essentially uncontrollable.

The one part that most clearly underscores this is the bit where Barr tried to end the whole affair by pleading with CommanderX. Only someone who has no idea what Anonymous is or how it works could possibly think that this would have any effect. Even if he wanted to, CommanderX has no more power to call off Anonymous than a mad scientist has to tell his monster to get back in the cage.

This other Ars Technica post has more details about the back and forth between Barr and Anonymous.

My favorite quote from the article: the programmer's reply to Barr when asked to hack up some freeware code:

"I'm not compiling that shit on my box!"

Barr appears to be an arrogant jerk, as well as something of an obsessive paranoid weirdo. He's cost his company millions in direct costs and who knows how much in lost opportunities downstream.

My guess is that Barr will come out of this whole mess a rich man. From his point of view, that will be mission accomplished.

And Schneier's right about [...]
Beyond this is redundant. :-)

Really. I know not everyone was getting Crypto-Gram since '98, despite the reposts to Usenet, and I certainly know that most or none of you have known him since the Seventies or Eighties, but Bruce and Karen go a ways back in sf fandom.

It's always interesting to me to watch old friends go on to become world famous experts.

But Bruce has long been one of the top people in the fields of cryptography and security in general, and always worth reading.
