June 22nd, 2017
posted by [syndicated profile] bruce_schneier_feed at 10:52am on 22/06/2017

Posted by Bruce Schneier

According to a recently declassified report obtained under FOIA, the NSA's attempts to protect itself against insider attacks aren't going very well:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016.

[...]

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of "privileged" users, who have greater power to access the N.S.A.'s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

In all, the report concluded, while the post-Snowden initiative -- called "Secure the Net" by the N.S.A. -- had some successes, it "did not fully meet the intent of decreasing the risk of insider threats to N.S.A. operations and the ability of insiders to exfiltrate data."

Marcy Wheeler comments:

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

Read the whole thing. Securing against insiders, especially those with technical access, is difficult, but I had assumed the NSA did more post-Snowden.

June 21st, 2017

Posted by Bruce Schneier

Last week, Microsoft issued a security patch for Windows XP, a 16-year-old operating system that Microsoft officially no longer supports. Last month, Microsoft issued a Windows XP patch for the vulnerability used in WannaCry.

Is this a good idea? This 2014 essay argues that it's not:

The zero-day flaw and its exploitation is unfortunate, and Microsoft is likely smarting from government calls for people to stop using Internet Explorer. The company had three ways it could respond. It could have done nothing -- stuck to its guns, maintained that the end of support means the end of support, and encouraged people to move to a different platform. It could also have relented entirely, extended Windows XP's support life cycle for another few years and waited for attrition to shrink Windows XP's userbase to irrelevant levels. Or it could have claimed that this case is somehow "special," releasing a patch while still claiming that Windows XP isn't supported.

None of these options is perfect. A hard-line approach to the end-of-life means that there are people being exploited that Microsoft refuses to help. A complete about-turn means that Windows XP will take even longer to flush out of the market, making it a continued headache for developers and administrators alike.

But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system and undermines Microsoft's assertion that Windows XP isn't supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security. It's hard to say how that was possibly worth it.

This is a hard trade-off, and it's going to get much worse with the Internet of Things. Here's me:

The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never. Already the banking industry is dealing with the security problems of Windows 95 embedded in ATMs. This same problem is going to occur all over the Internet of Things.

At least Microsoft has security engineers on staff that can write a patch for Windows XP. There will be no one able to write patches for your 16-year-old thermostat and refrigerator, even assuming those devices can accept security patches.

posted by [syndicated profile] xkcd_feed at 04:00am on 21/06/2017



Hovertext:
Wow, I've penetrated your fortress as if it were made of pillows!

New comic!
Today's News:

Thanks geeks :)

posted by [syndicated profile] bruce_schneier_feed at 11:12am on 21/06/2017

Posted by Bruce Schneier

Last week, the Department of Justice released 18 new FISC opinions related to Section 702 as part of an EFF FOIA lawsuit. (Of course, they don't mention EFF or the lawsuit. They make it sound as if it was their idea.)

There's probably a lot in these opinions. In one Kafkaesque ruling, a defendant was denied access to the previous court rulings that were used by the court to decide against it:

...in 2014, the Foreign Intelligence Surveillance Court (FISC) rejected a service provider's request to obtain other FISC opinions that government attorneys had cited and relied on in court filings seeking to compel the provider's cooperation.

[...]

The provider's request came up amid legal briefing by both it and the DOJ concerning its challenge to a 702 order. After the DOJ cited two earlier FISC opinions that were not public at the time -- one from 2014 and another from 2008 -- the provider asked the court for access to those rulings.

The provider argued that without being able to review the previous FISC rulings, it could not fully understand the court's earlier decisions, much less effectively respond to DOJ's argument. The provider also argued that because attorneys with Top Secret security clearances represented it, they could review the rulings without posing a risk to national security.

The court disagreed in several respects. It found that the court's rules and Section 702 prohibited the documents' release. It also rejected the provider's claim that the Constitution's Due Process Clause entitled it to the documents.

This kind of government secrecy is toxic to democracy. National security is important, but we will not survive if we become a country of secret court orders based on secret interpretations of secret law.

posted by [syndicated profile] savagelove_feed at 04:00am on 21/06/2017

Posted by Dan Savage

Woman's "perfect" guy charmed her before admitting he's already in a poly relationship by Dan Savage

I am a 34-year-old straight woman. I'm monogamous and have an avoidant attachment style. I've been seeing a guy I really like. He's just my type, the kind of person I've been looking for my whole life. Thing is, he's in an open relationship with someone he's been with for most of his adult life. He was sneaky—he didn't reveal he was in an open relationship until the second date, but by then I was infatuated and felt like I wasn't in control of my actions. So what I've learned is that poly couples often seek out others to create NRE or "new relationship energy," which may help save their relationship in the long run. I was deeply hurt to learn about NRE. What about the people who are dragged into a situation by some charmer in an attempt to breathe new life into a stale relationship? I feel like no one cares about the people on the side, the ones who might be perceived to be cheating with someone's partner, as some sort of competitor, a hussy. How can I reconcile the fact that I've fallen for someone who sees me as a tool to be discarded once the excitement wears off? I know we all have a choice, but we also know what it's like to be infatuated with someone who seems perfect. I feel like such a loser.

Sobbing Here And Making Errors

"One of life's hardest lessons is this: Two people can be absolutely crazy in love with each other and still not be good partners," said Franklin Veaux, coauthor of More Than Two: A Practical Guide to Ethical Polyamory (morethantwo.com). "If you're monogamous and you meet someone you're completely smitten with who isn't, the best thing to do is acknowledge that you're incompatible and go your separate ways. It hurts and it sucks, but there it is."

This perfect, sneaky guy who makes you feel like a loser and a hussy? He told you he was in an open relationship on your second date. You knew he wasn't "your type" or "perfect" for you the second time you laid eyes on him, SHAME, and you needed to go your separate ways at that point. And I'm not buying your excuse ("I was too infatuated!"). What if he had revealed that he was a recreational bed wetter? Or a serial killer? Or Jeffrey Lord? Or all of the above? Surely you would've dumped him then.

Veaux advocates ethical polyamory—it's right there in the title of his book—and he thinks this guy did you wrong by not disclosing his partner's existence right away. "Making a nonmonogamous relationship work requires a commitment to communication, honesty, and transparency," said Veaux. "Concealing the fact that you're in a relationship is a big violation of all three, and no good will come of it."

I have a slightly different take. Straight women in open relationships have an easier time finding men willing to fuck and/or date them; their straight male counterparts have a much more difficult time. Stigma and double standards are at work here—she's sexually adventurous; he's a cheating bastard—and waiting to disclose the fact that you're poly (or kinky or HIV-positive or a cammer) is a reaction to/work-around for that. It's also a violation of poly best practices, like Veaux says, but the stigma is a violation, too. Waiting to disclose your partner, kink, HIV status, etc., can prompt the other person to weigh their assumptions and prejudices about poly/kinky/poz people against the living, breathing person they've come to know. Still, disclosure needs to come early—within a date or two, certainly before anyone gets fucked—so the other person can bail if poly/kinky/poz is a deal breaker.

As for that new relationship energy stuff...

"There are, in truth, polyamorous people who are NRE junkies," said Veaux. "Men and women who chase new relationships in pursuit of that emotional fix. They're not very common, but they do exist, and alas they tend to leave a lot of destruction in their wake."

But your assumptions about how NRE works are wrong, SHAME. Seeing your partner in the throes of NRE doesn't bring the primary couple closer together; it often places a strain on the relationship. Opening up a relationship can certainly save it (if openness is a better fit for both partners), but NRE isn't a log the primary couple tosses on the emotional/erotic fire. It's something a poly person experiences with a new partner, not something a poly person enjoys with an established one.

And there are lots of examples of long-term poly relationships out there—established triads, quads, quints—so your assumption about being discarded once NRE wears off is also off, SHAME. There are no guarantees, however. If this guy were single and looking for a monogamous relationship, you could nevertheless discover you're not right for each other and wind up being discarded or doing the discarding yourself.

I'm going to give the final word to our guest expert...

"Having an avoidant attachment style complicates things, because one of the things that can go along with avoidant attachment is idealizing partners who are inaccessible or unavailable," said Veaux. "That can make it harder to let go. But if you're radically incompatible with the person you love, letting go is likely your only healthy choice. Good luck!"


I'm gay and married. My husband regularly messes around with this one guy who treats me like I'm a cuckold. He will send me a pic of my husband sucking his cock, for example, and a text message meant to degrade me. But I'm not a cuckold and I don't find these messages sexy. My husband wants me to play along because it gets this guy off. Advice?

Can't Understand Cuckold Kink

It depends, CUCK. If you're upset by these messages—if they hurt your feelings, are damaging your sexual connection to your husband, are traumatizing—don't play along. But if you find them silly—if they just make you roll your eyes—then play along. Respond positively/abjectly/insincerely, then delete. Not to please the guy sending the messages (who you don't owe anything), but to please your husband (who'll wind up owing you).


I am a straight male grad student in my mid-20s. My girlfriend wants to have sex with another girl in our class. Neither of us have had a threesome before, but both of us are game. Unfortunately, I am not attracted to this girl. When we started dating, my girlfriend told me that she is sexually attracted to women. We agreed to be monogamous except that she could have sex with other women as part of a threesome with me. She is not hell-bent on having sex with our classmate, but she would like to and says it's up to me. I don't want her to suppress her same-sex tendencies, but I am jealous at the thought of her having sex with someone else while I am not participating. What should I do?

Feeling Out Moments Orgasmic

You should take yes for an answer, FOMO—or take your girlfriend's willingness to say no to this opportunity for an answer. She's into this woman but willing to pass on her because you aren't. There are billions of other women on the planet—some in your immediate vicinity—so you two have lots of other options. Unless you find a reason to object to every woman your girlfriend finds attractive, you aren't guilty of suppressing her same-sex tendencies.


On the Lovecast, Michael Hobbes on gay, middle-aged dating: savagelovecast.com.

mail@savagelove.net

@fakedansavage

ITMFA.org


June 20th, 2017



Hovertext:
I wonder how badly robots will damage our ability to be basically decent with our humans.

New comic!
Today's News:



Hovertext:
It's nice to know app developers want us to be so productive.

New comic!
Today's News:

Stay tuned for two more updates...

Posted by Bruce Schneier

I have no comment on the politics of this stabbing attack, and only note that the attacker used a ceramic knife -- that will go through metal detectors.

I have used a ceramic knife in the kitchen. It's sharp.

EDITED TO ADD (6/22): It looks like the knife had nothing to do with the attack discussed in the article.

June 19th, 2017
posted by [personal profile] solarbird at 03:24pm on 19/06/2017
Finally put up the pride flag, only halfway through the month XD

Mood: pleased

Remember that novella I’ve been writing, On Overcoming the Fear of Spiders? It’s finished. 32 chapters, a bit under 35,000 words (there is a canon digression linked at the appropriate time, but not contained within the primary volume, that boosts the word count), and I’m rather pleased to hear from a couple of readers who do not know anything about the Overwatch world that it makes sense even to them. They know there are emotional beats they’re missing, but it still works as a story.

I wasn’t specifically trying to do that, but I’m really quite pleased that it happened.

If you don’t know the lore at all, but are interested, here’s the original animated short introducing the world of the game, and here is the animated short “Alive” that featured Widowmaker. You’ll see the latter story in short form in Chapter 10, but in the cinematic, the chemistry between Amélie and Lena is absolutely smokin’, which spawned a lot of ships.

(If you really find yourself getting into the lore, here’s the official site, including the comic that confirmed Tracer – the literal face of the game, she’s on the cover of the box – is a lesbian.)

Also, you should know that in canon, in-universe, we ‘know’ that Amélie Lacroix was kidnapped by Talon and recovered apparently well but in actuality neurally reconditioned to assassinate her husband, the head of anti-Talon operations at Overwatch. After that, she went on to become a supposedly-emotionless assassin who feels only satisfaction at the success of her kills.

We are also given a lot of clues in both lore and game that this is at least in some parts a pile of lies, and that we are supposed to figure that out.

Anyway, this has been an experience like few others for me – it is literally more fiction than I’ve written, combined, before, in my life, and I actually tried writing fiction for real in college. I even got published once, in a little Ontario small-press magazine for a token $20 payment. But it was always like pulling teeth, whereas this was more like just trying to stay afloat on top of the tsunami as it carried me forward. I’ve had that feeling for individual songs before, but never for fiction.

I really liked it. I hope it happens again.

Mirrored from Crime and the Blog of Evil. Come check out our music at:
Bandcamp (full album streaming) | Videos | iTunes | Amazon | CD Baby




Hovertext:
Bonus points to anyone who makes a Feynman diagram.

New comic!
Today's News:

We're launching a new thing tomorrow morning! Stay tuned, geeks!

posted by [syndicated profile] xkcd_feed at 04:00am on 19/06/2017

Posted by Bruce Schneier

Access Now has documented the Doubleswitch account-hijacking attack being used against a Twitter user, but it also works against other social media accounts:

With the Doubleswitch attack, a hijacker takes control of a victim's account through one of several attack vectors. People who have not enabled an app-based form of multifactor authentication for their accounts are especially vulnerable. For instance, an attacker could trick you into revealing your password through phishing. If you don't have multifactor authentication, you lack a secondary line of defense. Once in control, the hijacker can then send messages and also subtly change your account information, including your username. The original username for your account is now available, allowing the hijacker to register for an account using that original username, while providing different login credentials.
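One mitigation for the final step described above (the freed username being re-registered by the hijacker) is for the platform to hold a released handle for its previous owner for a fixed window, so that nobody else can claim it immediately and the legitimate owner can take it back once they recover the account. The following is an added example written for this page; it is not code from Access Now, Twitter or any other platform. The service, the account names, the hold length and the audit record are all assumptions made for the illustration.

```python
"""Username-hold mitigation for the Doubleswitch pattern (constructed example).

Policy modelled here (an assumption, not any platform's documented behaviour):
when an account's username changes, the released handle is reserved for that
same account for HOLD_DAYS. Nobody else may register it in that window, the
original account may reclaim it at any time during the hold, and every change
is appended to an audit list so a detection rule can alert on it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD_DAYS = 30  # assumed policy window


@dataclass
class Account:
    account_id: int
    username: str


class UsernameTakenError(Exception):
    """Raised when a handle is in use or still held for another account."""


class AccountService:
    def __init__(self, now: datetime):
        self.now = now                      # injected clock, so scenarios are deterministic
        self.accounts: dict[int, Account] = {}
        self.by_username: dict[str, int] = {}
        # released handle -> (owning account id, time the hold expires)
        self.held: dict[str, tuple[int, datetime]] = {}
        self.audit: list[dict] = []         # username-change events for detection

    @staticmethod
    def _normalise(username: str) -> str:
        # Case-insensitive handles close the "Alice" vs "alice" loophole.
        return username.strip().lower()

    def _check_available(self, username: str, for_account: Optional[int]) -> None:
        if username in self.by_username:
            raise UsernameTakenError(f"{username!r} is in use")
        hold = self.held.get(username)
        if hold is not None:
            owner, expires = hold
            # Inside the window only the previous owner may take the handle back.
            if self.now < expires and owner != for_account:
                raise UsernameTakenError(f"{username!r} is held until {expires.isoformat()}")

    def register(self, account_id: int, username: str) -> Account:
        username = self._normalise(username)
        self._check_available(username, for_account=None)
        self.held.pop(username, None)       # any hold that let us through has expired
        acct = Account(account_id, username)
        self.accounts[account_id] = acct
        self.by_username[username] = account_id
        return acct

    def change_username(self, account_id: int, new_username: str) -> Account:
        acct = self.accounts[account_id]
        new_username = self._normalise(new_username)
        if new_username == acct.username:
            return acct
        self._check_available(new_username, for_account=account_id)
        old = acct.username
        del self.by_username[old]
        self.held.pop(new_username, None)   # reclaiming one's own held handle
        self.held[old] = (account_id, self.now + timedelta(days=HOLD_DAYS))
        acct.username = new_username
        self.by_username[new_username] = account_id
        # A rename shortly after a login from a new device is exactly the kind of
        # event a detection rule would want to see; record old and new handle.
        self.audit.append({"account_id": account_id, "old": old, "new": new_username, "at": self.now})
        return acct


def simulate_hijack_then_reregister() -> dict:
    """Constructed scenario: account 1 ("alice") is hijacked and renamed, then a
    second account tries to register the freed handle, first immediately and then
    after the hold window has passed."""
    t0 = datetime(2017, 6, 19, 12, 0)
    svc = AccountService(now=t0)
    svc.register(1, "alice")
    svc.change_username(1, "alice_real")    # hijacker renames the victim account
    blocked_immediately = False
    try:
        svc.register(2, "alice")            # re-registration attempt during the hold
    except UsernameTakenError:
        blocked_immediately = True
    svc.now = t0 + timedelta(days=HOLD_DAYS + 1)
    svc.register(2, "alice")                # permitted once the hold has lapsed
    return {"blocked_immediately": blocked_immediately,
            "change_events": len(svc.audit),
            "owner_after_hold": svc.by_username["alice"]}


def simulate_victim_reclaim() -> int:
    """Constructed scenario: the original owner recovers the account and takes
    the old handle back inside the hold window, in a different letter case."""
    t0 = datetime(2017, 6, 19, 12, 0)
    svc = AccountService(now=t0)
    svc.register(1, "alice")
    svc.change_username(1, "alice_real")
    svc.now = t0 + timedelta(days=2)
    svc.change_username(1, "Alice")
    return svc.by_username["alice"]


if __name__ == "__main__":
    print(simulate_hijack_then_reregister())
    print("reclaimed by account", simulate_victim_reclaim())
```

The hold alone does not stop the takeover itself; it removes the incentive to hijack an account merely to harvest its handle, and the audit entries give the platform something concrete to alert on. App-based multifactor authentication, as the excerpt notes, is what blocks the first step.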

Three news stories.

June 18th, 2017
posted by [personal profile] solarbird at 03:22pm on 18/06/2017
I saw some nice enemy Junkrat play last night, while I was playing Pharah on Ilios.

So the first round, we'd lost badly, because I didn't get Pharah, and whoever did wasn't good with environment kills (at the Lighthouse, even, which makes me sad) and we got scrubbed. We win in the Ruins, though, because I can D.va the shit out of the Ruins.

So at the beginning of the third round, our Pharah changes to somebody else (becoming more effective, I might add) and I grab Pharah. And we're crushing them. It's the well, they can't even really get onto the point.

And I'm flying 'round the back of the well's lighthouse, to bombard the entry to the point from over the sea, which is what I should be doing if I can. And I see Hanzo and Junks on a second-floor balcony facing the ocean.

So of course, I boop 'em, because environmental kills are my dearest love as Pharah. The archer flies directly into the ocean, and so does Junks - at first. Then he spins round, throws his mine directly in front of himself, detonates it...

...and gets blown ALL THE WAY BACK TO THE LOWER LEVEL OF THE LIGHTHOUSE, making it safely to land.

I was all like "Oh, well done. I almost hate to kill you."

Of course, we promptly three-on-oned him and he died, because he had no team behind him. But I just gotta say: enemy Junkrat from last night? That was some damned fine junking. Quick thinking and well done, whoever you were.
Mood: impressed



Hovertext:
All pain is massage now!

New comic!
Today's News:

Hey Houstonians! We need your proposals for BAHFest. Come be part of the show with Jorge Cham, and astronaut Nicole Stott!
