Notatypewriter's Blog

Umm… what?

Archive for September 2010

Cybersecurity consultants don’t really care about your security #fb

with one comment

I don’t get why privacy advocates and cybersecurity consultants are at each other throats. These two concepts are not complementary, not mutually exclusive. More secure code leads to better protection of the data being handled by that code.

No I lie. I do get why.

Cybersecurity consultants are almost never peddling methods to detect insecure code, but rather they want to enable an attribution system. After all, selling one off analysis solutions doesn’t make any money and you have to spend a lot of money to employ smart people to make better tools. However, government contracts to develop and maintain hardware and software that would be large ISPs would be mandated to purchase, now that’s the money maker.

So I wish all these “cybersecurity experts” would change their job titles to something like “Internet attribution expert”. Then they would be easier to laugh at.

Never mind that attribution is a strategy designed to enable deterrence. Then these cybersecurity guys would like you to forget that deterrence really only works against nations that have something to lose (think Cold War). Deterrence doesn’t work against criminal organizations, lone wolf hackers (increasingly rare), or terrorist groups because these groups reside among civilians or hide out in countries where they are outside the reach of American law. Will a President order a Predator strike on a known hacker in Kazakhstan who has 11 million credit card numbers? I don’t think so. Bombs don’t work well against these small groups.

Not that deterrence worked all that well during the Cold War either. Look at all the people who died in the Korean War, Vietnam War, Soviet invasion of Afghanistan, etc etc. We just avoided nuclear war but millions of people still died. That’s not the kind of deterrence I want to see.

Furthermore, attribution will only work if the attack is detected. The cybersecurity experts don’t tell you that there is no known way to tell when your system has been compromised by a well designed piece of malware. You can’t trust the output your system is returning, so you need to bring in a known good tool. (Please define known good. How do you know if your upstream is secure?) A well designed piece of malware would hide so well that the victim would not realize anything has changed. And by then, you have already lost the game. Your systems are compromised and you can never trust them again.

The ONLY thing that will help in this fight to keep your data safe is to have better engineering, code, and interfaces. This means hiring well-educated CS majors (most of whom reside in expensive first world countries) and not outsourcing crap to China and India. (I’ve seen Indian code, and it is mostly crap. Kid you not.) It means paying for classes to keep your programmers up to date with the latest in software security. It means developing and enforcing security policies. It means funding and rewarding white-hat hackers to find vulnerabilities in systems. It means funding research into automatically detecting vulnerabilities.

This is expensive and the rewards are not very visible. But it’s the only correct path forward.


Written by notatypewriter

2010 September 28 at 6:35 pm

Posted in Nerding out

Tagged with ,

Documents from the latest round of #Bitorrent lawsuits

leave a comment »

On 2010 September 3, three complaints were filed in court by three pornography studios against about 100 BitTorrent file-sharers each. These complaints alleged copyright infringement. You can see some coverage on Slashdot.

Using PACER (a shitty ass system run by the Courts that retrieves court documents) and RECAP (an awesome equivalent service), I downloaded each case’s Exhibit A, which lists the IPs and ISPs of the alleged infringers, the date on which the alleged infringement occurred, and the filename. Sadly the info-hash nor the BitTorrent tracker was listed so without lots of legwork, I can’t tell you which trackers were being targeted by these studios.

Anyways, here are the documents, via and RECAP. You want the document labeled Exhibit A:

More on PACER and RECAP after the jump. Read the rest of this entry »

Written by notatypewriter

2010 September 5 at 11:51 am

%d bloggers like this: