Dr Andy Farnell at The Cyber Show writes about the effects of the "splinternet" and division in standards in general on overall computing security. He sees the Internet, as it was less than ten years ago, as an ideal, but one which has been intentionally divided and made captive. While governments talk out of one side of their mouth about cybersecurity they are rushing breathlessly to actually make systems and services less secure or outright insecure.
What I fear we are now seeing is a fault line between informed, professional computer users with access to knowledge and secure computer software - a breed educated in the 1970s who are slowly dying out - and a separate low-grade "consumer" group for whom digital mastery, security, privacy and autonomy have been completely surrendered.
The latter have no expectation of security or correctness. They've grown up in a world where the high ideals of computing that my generation held, ideas that launched the Voyager probe to go into deep space using 1970s technology, are gone.
They will be used as farm animals, as products by companies like Apple, Google and Microsoft. For them, warm feelings, conformance and assurances of safety and correctness, albeit false but comforting, are the only real offering, and there will be apparently "no alternatives".
These victims are becoming ever-less aware of how their cybersecurity is being taken from them, as data theft, manipulation, lock-in, price fixing, lost opportunity and so on. If security were a currency, we're amidst the greatest invisible transfer of wealth to the powerful in human history.
In lieu of actual security, several whole industries have sprung up around ensuring and maintaining computer insecurity. On the technical side of things it's maybe time for more of us to (re-)read the late Ross Anderson's Security Engineering, third edition. However, as Dr Farnell reminds us, most of these problems have non-technical origins and thus non-technical solutions.
Previously:
(2024) Windows Co-Pilot "Recall" Feature Privacy Nightmare
(2024) Reasons for Manual Image Editing over Generative AI
(2019) Chapters of Security Engineering, Third Edition, Begin to Arrive Online for Review
Related Stories
Ross Anderson, a British professor who was recently denied entrance to the US, well-known for his extensive background in cryptography and computer security research, is in the process of writing a new edition of his book on computer security engineering. So far, the preface and two chapters of Security Engineering, 3rd edition are available online for review. Other chapters will follow online as well. The first and second editions will remain available too.
Today I put online a chapter on Who is the Opponent, which draws together what we learned from Snowden and others about the capabilities of state actors, together with what we've learned about cybercrime actors as a result of running the Cambridge Cybercrime Centre. Isn't it odd that almost six years after Snowden, nobody's tried to pull together what we learned into a coherent summary?
There's also a chapter on Surveillance or Privacy which looks at policy. What's the privacy landscape now, and what might we expect from the tussles over data retention, government backdoors and censorship more generally?
Earlier on SN:
Sustainable Security for Durable Goods (2018)
Daniel Stenberg, Author of cURL and libcurl, Denied US Visit Again (2018)
Dr Andy Farnell at The Cyber Show writes about motivations behind dropping use of generative AI for graphics and moving back to manual design and editing of images. The show had been using generative AI to produce images since its first episode, but now finds that it is time to rethink that policy. As the guard rails for generative AI are set up and the boundaries restricted, it gets more racist, more gendered, and less able to output edgy ideas critical of its corporate owners, and its potential as an equalizing force seems dead already. So, while the show could set up its own AI instance to generate the images they desire, there is the matter of association, and the decision to stop using it has been made.
Doubts emerged late last year after Helen battled with many of the generative platforms to get less racist and gendered cultural assumptions. We even had some ideas for an episode about baked bias, but other podcasters picked up on that and did a fine job of investigating and explicating.
Though, maybe more is still to be said. With time I've noticed the "guardrails" are starting to close in like a pack of dogs. The tools seem ever less willing to output edgy ideas critical of corporate gangsters. That feels like a direct impingement on visual art culture. Much like most of the now enshittified internet there seems to be a built-in aversion to humour, and for that matter to hope, love or faith in the future of humanity. The "five giant websites filled with screenshots of text from the other four" are devoid of anything human.
Like the companies that make them, commercial AI tools seem to have blind-spots around irony, juxtaposition and irreverence. They have no chutzpah. Perhaps we are just bumping into the limits of machine creativity in its current iteration. Or maybe there's a "directing mind", biasing output toward tepid, mediocre "acceptability". That's not us!
As Schneier writes:
"The increasingly centralized control of AI is an ominous sign. When tech billionaires and corporations steer AI, we get AI that tends to reflect the interests of tech billionaires and corporations, instead of the public."
Of course we have the technical chops to put a few high end graphics cards in a rack and run our own uncensored models. But is that a road we want to go down? Do we want to adopt the technology of the enemy when it might turn out to be their greatest weakness, and our humanity our greatest strength?
The Cyber Show is a long-form, English language podcast based in the UK which does deep dives into information communication technology, how it affects society, and various aspects of those effects.
As reported by https://www.msn.com/en-us/news/technology/windows-recall-sounds-like-a-privacy-nightmare-heres-why-im-worried/ar-BB1mNGFI , Microsoft is introducing a new "feature" in Windows 11:
If you haven't read about it yet, Recall is an AI feature coming to Windows 11 Copilot+ PCs. It's designed to let you go back in time on your computer by "taking images of your active screen every few seconds" and analyzing them with AI, according to Microsoft's Recall FAQs. If anyone other than you gets access to that Recall data, it could be disastrous.
...
On the surface, this sounds like a cool feature, but that paranoid privacy purist in the back of my mind is burying his face in a pillow and screaming. Imagine if almost everything you had done for the past three months was recorded for anyone with access to your computer to see. Well, if you use Recall, you won't have to imagine.
That might seem like an overreaction, but let me explain: Recall is taking screenshots every few seconds and storing them on your device. Adding encryption into the mix, that's an enormous amount of bloaty visual data that will show almost everything you've been doing on your computer during that period.
...
But that's just the tip of the iceberg. Microsoft openly admits that Recall will be taking screenshots of your passwords and private data:
"Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry."
...
Arguably, the worst part about this is that it will be on by default once you activate your device. Microsoft states:
On by default
A user going by the name of "Alex von Kitchen" summarised the issues quite well: https://aus.social/@Dangerous_beans/112477798730314983
(Score: 4, Interesting) by RamiK on Monday June 24, @10:38AM (8 children)
I get people wanting to make a stand against the surveillance economy and authoritarianism, but it's wrong to say there are no technical solutions to these problems. e.g.
1. https://en.wikipedia.org/wiki/National_digital_identity_systems [wikipedia.org] solves many if not most of the problems with data theft and money laundering without requiring businesses to build (insecure) databases of their clients with copies of their identification papers that can be turned and used to falsify their identities.
2. Requiring open source and safer languages in civic infrastructure will force contractors to step up their security practices beyond relying on obscurity which will reduce the surface area to something the likes of big corporations can afford getting fined on when failing to secure.
Essentially, the bipartisan issue with the surveillance economy we need to be transparent about is that it's a parasitic cost that disadvantages the western economy, since foreign brands use them to target our markets while we don't have similar access to data on their markets. That is, in effect, we're left paying more to target our own markets as well as our foreign competitors while we're failing to target them, with the costs of putting together and securing the systems behind this failure coming out of our own consumers and tax payers.
So, we just need to be transparent about how, like tobacco and petrol, Google and Microsoft are bad faith actors on these issues since they benefit from what hurts the nation. Otherwise, we'll just end up with making the issue a minor partisan quibble that will always be traded off for more voter-friendly tickets.
compiling...
(Score: 3, Interesting) by JoeMerchant on Monday June 24, @08:16PM (7 children)
Far more than Google or even Microsoft, every Harry Dick Tom with an app out there is looking to get in your private parts for whatever value they can grab. Apps on your phone, IoT devices in your home (which require apps on your phone), social media websites (which either run as apps on your phone, or load up virtual apps into your browser).
I installed a garage door opener 8 years ago, it came with an app - luckily, they still sold them with the traditional RF remotes as well, so I've got those in the cars, but I'm not always in a car when I want to open/close the garage door, so the app is damned handy. Of course, over those 8 years that app has transformed from a simple open/close button to multiple layers of advertising attempting to convince their "device owners" to grant access to Amazon to deliver packages into the garage, integrate with their doorbell cameras, post their door status automatically on X-Twitter, integrate with Alexa and Google Home and have geo-fencing automatically open/close the door as the AI deems appropriate, etc. etc. etc.
The day may come when I finally have enough and change my WiFi password, locking the door opener out of our guest WiFi network (no, I don't trust it enough to let it in to the network our phones, computers, file servers, etc. connect to.) But, for now, being able to send the door up and down and check its current position from my "Handy" (as I understand it that's German slang for smart phone / porn access screen), is just a bit more valuable than the creep factor of having the overhead door opener company's marketing team constantly scheming new ways to worm their way into a monthly draft from our bank account or other income stream based on our "value" as a consumer.
Then there are the WiFi connected outlet relays, the IP cameras, etc. etc. all with business models based on playing as fast and loose with as much of your personal information as possible. And none of these global organizations ever give an employee access to your data without brain-wiping them should they change jobs, right? They ALL have banned the use of USB memory sticks, phones on-site (nuclear power plants actually have...), internet connected terminals inside the company offices where customer data is stored, etc. etc. etc. Until that actually happens, you are exposed - if you think about it: far more deeply exposed than anyone would have willingly signed up for in 1980. Unless they were offered the chance to be a Nielsen family... influencing TV programming was SO worth the invasion of privacy back then.
🌻🌻 [google.com]
(Score: 3, Interesting) by RamiK on Monday June 24, @08:56PM (6 children)
FYI there's a good chance you'd be able to reverse the app with jadx into a fairly readable state. I've even had luck recompiling a few things after making adjustments here and there so there's even a good chance you can just strip the crap without really putting too much effort into things...
Anyhow, most apps and websites don't collect data for themselves. Instead, they include javascript and google libraries that communicate with Google's servers directly. It's why it's easy to block trackers in both javascript and android: It's usually a standalone .js / .class you can just rip out. In fact, in the vast majority of apps I hacked on, there was a global that disabled tracker calls since the dev uses that for themselves when developing and the compiler isn't smart enough to optimize the control flow away.
So, Harry Dick Tom are really just collaborators in most cases.
compiling...
(Score: 2) by JoeMerchant on Monday June 24, @09:15PM (5 children)
>Harry Dick Tom are really just collaborators in most cases.
Agreed, but I would characterize them more as lazy customers rather than collaborators. If they ever get serious (like with State backing), they can certainly implement far more nefarious tech that is far more difficult to spot, much less counteract.
And, the first "State backed" malware that comes to mind at the moment was installed in centrifuges used for Uranium refinement...
🌻🌻 [google.com]
(Score: 2) by RamiK on Tuesday June 25, @10:57AM (4 children)
If they're getting paid for placing ads they're not the customers.
compiling...
(Score: 2) by JoeMerchant on Tuesday June 25, @12:05PM (3 children)
Customer of the advertising service. Like radio and television advertisers, yes they approve the message, but the media company more often does the content production and always does the delivery...
Viewers / listeners / readers are the product, and instead of viruses, back in the day it was subliminal messages and other psychological games... All the way back to fear and outrage in the yellow press in the 1800s still being pushed by Fox News and forum sock puppets on social media.
🌻🌻 [google.com]
(Score: 2) by RamiK on Tuesday June 25, @02:02PM (2 children)
That would be the businesses hiring marketing agencies. i.e. the business placing the ad is paying the money to agencies, google and website/app developers.
Google's product is a service for targeted advertising spots.
Look, I get the "if you're not the customer, you're the product" line. But it's just metaphoric. Product sales are taxed. Businesses placing ads report it as expenses while agencies report it as income. The definition of customer is a strict legal one that involves consumer protections, liabilities and standing in courts.
It all ties back to my "don't confuse privacy and security" post: There's just too much poetic freedom being taken on these issues, to the point it undermines any attempt to form policy since half the people involved don't even understand what the hell they're talking about. It's gotten so bad it's becoming hard to tell what differentiates left and right wing political lines, which is probably why everything is turning tribal.
Seriously, it needs to stop at least at the STEM issues. We really can't afford any more medical professionals and engineers prioritizing the party's agenda over facts if we hope to get any semblance of political sanity in the coming years.
compiling...
(Score: 2) by JoeMerchant on Tuesday June 25, @03:44PM (1 child)
> We really can't afford any more medical professionals and engineers prioritizing the party's agenda over facts if we hope to get any semblance of political sanity in the coming years.
Take comfort in the fact that politics has been a shitshow since the first cavemen took sides about sticks vs stones... it got us to where we are today, which looks like it's pretty good as compared with centuries gone by.
I have had a few conversations with a few national level Congress critters over the years. I don't think I was a fan of any of their politics, most of their posturing for the media was intentionally stupid looking as if they were deeply emotionally driven. Off-stage, in small group conversation, none of them were idiots - they all clearly took in the available information, understood it impressively quickly at impressive depth, and made considered statements in response, often deferring until they could bring their team to bear on the problems and return with good answers. And to succeed in reaching and retaining public office, they need to put that tribal crap out there for the voters to identify with.
Every communication channel carries risks of "corruption" of the security of the receivers. Whoever is paying for content to be delivered via those channels (advertisers, malware authors, etc.) is putting out that effort and expense in the hopes of influencing the receivers, or sometimes just for yucks - but that's kinda rare in the big picture.
The world definitely can benefit from a "dialing down" of energy expended on political rhetoric, posturing, etc. It would be great to make politics and religion "unprofessional" topics again.
🌻🌻 [google.com]
(Score: 2) by RamiK on Wednesday June 26, @12:50PM
Politicians making asses out of themselves by parroting dumbed down party lines is an unavoidable game element. This is a 5000-word essay. I expect more.
compiling...
(Score: 4, Insightful) by looorg on Monday June 24, @11:33AM
All users are created equal, some are just more equal than others. From George Orwell's new masterpiece, the Server Farm.
That said I don't think we should have high hopes for any of these security and privacy issues being resolved anytime soon, or ever. There is no incentive in that, for the companies. Just blame someone else for the problems and issue vague weak apologies. That said I don't offer a solution either, perhaps all the current operating systems should just be put to bed and a new OS created that doesn't inherit all these legacy flaws. But I have no hopes of it just not containing a lot of privacy violating code to track the users and all they do for commercial reasons and all those other buzzword bullshit techs nobody needed in the cloud and AI or AR or whatever that is popular when it would get finished. Gotta sell them ads and generate those clicks or the free world stops working!
(Score: 2) by looorg on Monday June 24, @11:38AM
That came as a bit of a surprise. Apparently he died in the beginning of April of this year. I quite liked his books. It's a been a while since I read any of them. But I enjoyed reading them.
(Score: 5, Interesting) by anubi on Monday June 24, @11:47AM (4 children)
One of the first things I got after I got my new AST Premium 286/AT was the Pakistani Brain Virus, which from the best of my knowledge, I got from a shareware rack of "dollar disks" at a local electronics retailer.
Needless to say for a newbie computer guy who had only assembler skills on a homemade IMSAI kit, and Commodore BASIC and 6502 assembler, I had no idea what I had just got myself into, but I had just spent several thousand dollars of my own money building a replica of the corporate system I had at work, so I could take the time to code and verify my on the job design, as on the job, I find myself limited by charge numbers and I really hate to deliver half-baked work. I don't want the reputation of one who doesn't deliver or delivering junk. It doesn't do much good to complain...the management is also under the same pressure to meet time and cost.
So I now have a flakey machine that I can't trust and I have to figure out just what happened and how to fix it. I was very fortunate to have befriended the sysop of a local BBS who had lots of connections to other computer aficionados, and introduced me to disk sector editors and information on how this virus works. No-one around has internet yet, and the sysop is working on how to implement ftp and email on his BBS, as he was several years ahead of most of us. The communications company he worked for was not near so tight on charge numbers and compartmentalizing their employees as we were.
When we were bought out, we had new executives, the new guys had far more experience dealing with money, leadership, psychology, and marketing than building the kind of products we made. Upon layoff of a few critical old engineers, I knew our show was over, I saw no way we would ever be able to make anything like we used to make. Both our knowledge base and lots of test jigs had to go.
Ok, I finally found out how this boot sector thing worked and how the virus would screw it up, and was very relieved to discover it's authors did not code any malicious content...only a scare, but they could have made something really nasty if they had a mind to. I got a whole new outlook on running any unvetted executable code in my machine.
Ok..fast forward a bit. Macro Viruses. I got the "concept" virus from a Microsoft Excel file. Upon researching that, I lost trust in Microsoft products.
Then my first internet connection. Couldn't they even code a way to do simple displays?!!?! It soon became known not to open email. JavaScript soon rose to the top of my "I can't believe anyone would actually do this" list.
And then, upon leaving my then 486 to a pentium, I discover that no one puts the BIOS code in UV-EPROMS anymore. I can now flash new BIOS by software without as much as a mandatory jumper plug to inhibit this?!?!
I remembered my boot sector virus all too well. Now pranksters can modify my BIOS code too by covertly executing code using a participating installed agent such as a browser or office program? Or maybe covertly uploaded by an advertisement?
I knew I had lost the war. I had tried for years to warn of what I had been through, but I lacked the rank, or authority to come across to the decision makers as a credible source. I only have my personal experience, understanding, and fear of what I believe is very probable. I found myself like today's people who don't agree with the promoted narrative. Who am I to witness against those in high corporate positions, that have never experienced what I have? These are men of high privilege and rank, and haven't experienced anyone that would take them down just for shits and giggles.
I'm only going to drive myself nuts fighting this, as I see these modern systems, planes, appliances, cars, designed by politicians and marketing folks, not engineers. Emphasis on presentation, not on substance. We take natural resources, energy and make junk which rapidly becomes useless by enforced obsolescence by expiry of subscription models. All protected by patent and copyright.
We have given birth to the beast. The beast that will enslave most all of us. It's not the machine, per se, but the little men behind the curtain who control the machine's back doors.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Interesting) by looorg on Monday June 24, @11:57AM (2 children)
I think the first virus I got, that had a visual indicator, was the SCA bootblock virus on the Amiga. Sort of gave itself away with the graphical display every 10 boots or whatever it was; "Something wonderful has happened ...". Then there was that one that turned the mouse pointer into a penis. The first one that was really bad in some regard was probably the Lamer Exterminator as it wrote the word LAMER at random (I think it was random, so long ago since I looked into it) blocks on the disk. But it taught the paranoia. I don't think I had many issues with virii and such on the PC. Too paranoid and not stupid enough to fall for the low hanging fruit of macro-viruses.
(Score: 2) by HiThere on Monday June 24, @01:32PM
The first "virus" I saw was the cookie monster. I forget how we fixed it.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2, Interesting) by anubi on Tuesday June 25, @12:00AM
You nailed it. Paranoia. Stemming from ignorance.
I remember the sysop telling me about that Excel concept virus...imagine coding one that just lies low, occasionally opens a [random].xls file, over 67Kb in length, looks for strings of digits, randomly changes a few digits here and there, quietly puts it back, and goes back to sleep, to awaken when the spreadsheet is again opened and the sum of the digits in time_t mod 37 = 7 and it hasn't run today yet.
Once on the executive machine, this thing would demonstrate to the executive class what is so risky about using closed source software in the language an executive would understand.
But that will only annoy the executive. It's far more profitable to scrape the executive machine and telemeter the goodies back home. This could go on for years, undetected, as very few know just what is in the secret sauce.
I guess Microsoft fixed whatever it was, as I don't hear much about office viruses much anymore...it seems these days, it's JavaScript, popping up from time to time. So far, all of mine has just been scare ware to convince me to do something they need done in order to penetrate.
I've had that "long paranoia" ever since I was exposed to that brain virus. It changed my life forever. It's why I have lost so much respect for those leadership types who enforce ignorance on their underlings by means of charge numbers and compartmentalization, yet think planned efforts will be fruitful. There exists a well known old-school aircraft company, taken over by new leadership, who are doing a pretty good job of demonstrating the fallacies of inexperience on the design and implementation teams. I feel for the teams as this is just like the things I did when I was under pressure to do things I had not done before, use unfamiliar tools, deliver on schedule, parse redacted documents, compete with co-workers also under leadership evaluation, where the "Tragedy of the Commons" paradigms were kicking in and we each had to decide to preserve the pond, or take all the fish.
Would I help a co-worker knowing his success would place me lower in the ranking? Would any help me? The answers became negative. The charge number and compartmentalization issue was new to me as I had previously worked in smaller companies who simply did not have the financial excess to hire and empower those who put policies like this in place. We were too busy trying to please our customer, rather than asskiss the privileged rank. It took all of us to do this, and we all knew it. We all knew our customer and had frequent visits. We were making this for him. It was going to be exactly what he wanted. We were all artisans, and had many ways of getting things done. We didn't have time or inclination to dicker about who ranked what. Yeh, the owner made a lot of money. He spent a lot of money too. Looked to me like an expensive and risky wash. But he hobnobbed with the right people. People who had money and knew what they wanted. I was just very appreciative to work where I could run fullbore. It takes a helluva lot out of me to asskiss. I'm not good at it, and it really takes the wind out of my sails to have to do it.
I've seen that mindset take down huge companies. Their stuff becomes poorly considered and not resilient to condition variations. Design expertise takes decades of experience to master. And lots of collaboration with others. Often leadership types fail to make the distinction between fear and respect. Both externally appear identical. Both get saluted and sir'd. Internally, one is constructive, the other quite destructive. One works as a team to meet the need of the customer, the other sacrifices itself to entertain the King.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Insightful) by JoeMerchant on Monday June 24, @08:27PM
I knew lots of people who got the "Stoned" floppy spread, HDD resident, virus back in the 1990 timeframe, I never got that myself... my first was "Happy 99" which I received as an e-mail attachment from a friend who I was expecting to send me a photo of his new 1999 car... I clicked on it without reading the .exe extension... oops.
>We have given birth to the beast. The beast that will enslave most all of us.
"You're all f-ing peasants, as far as I can see." - John Lennon, Working Class Hero. Put yourself in Lennon's shoes, do we not all look like peasants from that vantage point? Is there really much difference between outright slaves, and wage slave peasants who may freely choose to quit and move at any time, but will be stuck right back in the same pigeonhole or a worse one if they choose to not starve to death?
> the little men behind the curtain who control the machine's back doors.
Those little men behind the curtain work for much bigger men who reap the profits extracted through the back doors. https://en.wikipedia.org/wiki/The_Laundromat_(2019_film) [wikipedia.org]
🌻🌻 [google.com]
(Score: 5, Insightful) by Ingar on Monday June 24, @01:14PM (13 children)
Those who understand computers and those who don't.
It was like this in the seventies, the eighties, the nineties, the nillies, in whatever the decade after that is called, and it still is today.
It just got worse.
Understanding is a three-edged sword: your side, their side, and the truth.
(Score: 2) by PiMuNu on Monday June 24, @02:13PM (12 children)
> It just got worse.
Any evidence that it is getting worse?
(Score: 3, Touché) by Ingar on Monday June 24, @02:40PM
Any evidence that it is getting worse?
Ask a random programmer about pointers.
Understanding is a three-edged sword: your side, their side, and the truth.
(Score: 2) by Freeman on Monday June 24, @03:39PM
Any evidence that it's not?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2, Touché) by anubi on Monday June 24, @08:15PM (9 children)
"Any evidence that it is getting worse?"
Wireshark.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Informative) by JoeMerchant on Monday June 24, @08:35PM (8 children)
That is my first line security check: what shows on Wireshark?
If you are communicating a secret "in the clear" on any interface that is accessible without opening the chassis of the device, you are doing it wrong.
If an attacker can "sniff" something from Wireshark, then replay it with simple modifications to permanently alter the functioning of your device, you are doing it wrong.
Really, we should all be running SSL/TCP/IP instead of straight TCP/IP or UDP/IP for virtually all communications, but that would break too many existing toys...
I give Google significant credit for at least pushing https: as a ubiquitous standard nearly obsoleting http.
🌻🌻 [google.com]
(Score: 2, Insightful) by Anonymous Coward on Monday June 24, @11:15PM (5 children)
And f*cking up internal applications with that f*cking HSTS flag blocking HTTP in subdomains. Fan-f*cking-tastic: now I need certs on every f*cking little app around the place whether it needs encryption or not.
And then the f*cking certs expire every 2 f*cking minutes (thankyou again f*cking Google), so there goes more of my f*cking time doing f*cking unwanted and f*cking unnecessary f*cking admin.
Yeah, I give f*cking Google significant credit too, for being too f*cking influential.
(Score: 2) by JoeMerchant on Tuesday June 25, @02:17AM (4 children)
So, don't use Chrome.
Better still, fork Chromium and do that one simple trick...
🌻🌻 [google.com]
(Score: 2) by gawdonblue on Tuesday June 25, @10:24PM (3 children)
You think Firefox doesn't follow the HSTS rules? Or Edge?
The problem is that some random external developer on the public website includes the "includeSubdomains" HSTS HTTP header and then that infects any employees' browsers who visit it for any internal sub-domains later visited.
E.g. header supplied by https://sample.com [sample.com] will prevent http://infoonly.internal.sample.com [sample.com] from ever working again.
A nice little landmine for internal devs who then spend a stupid amount of time trying to work out why their internal information-only website starts complaining about certificates.
(Not sure that the language was necessary in the previous post, but the frustration about this "HTTPS everywhere even when unnecessary" nonsense is very understandable.)
(Score: 2) by JoeMerchant on Tuesday June 25, @10:29PM (2 children)
There was a time that Chrome did and Firefox didn't, but I haven't checked Firefox lately.
I see how that can be frustrating for internal site devs, but isn't there a workaround header for that?
🌻🌻 [google.com]
(Score: 3, Interesting) by gawdonblue on Saturday June 29, @02:23AM (1 child)
The workaround is to get the user to clear out their browser cache.
This has two problems:
1. It teaches users that "security" is something that gets in the way and to work around it, and
2. Makes experienced devs wonder how well thought out this setting is. It looks like someone at Google had a "good idea" that pretends to do security but doesn't really do that while breaking existing systems.
On the 2nd point, it might make sense if the setting applied only to results returned on the current request to prevent anything non-encrypted in that instance. But it's not; instead it's being retained and being applied to totally unrelated sites. Or perhaps it could be applied at the domain level, say via DNS, so that it is a conscious decision of the administrators of each domain / sub-domain, rather than an uninformed decision of some random external developer who works on the public website.
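The behaviour gawdonblue describes (a header from the public site breaking plain-http internal subdomains later) and the retention point in the post above, as an added example that is not code from the thread or from any browser: a small model of the HSTS known-host cache as RFC 6797 specifies it. The host names are the thread's; the class and method names are my own.

```python
"""Model of a browser's HSTS known-host cache (RFC 6797).

Added example, not code from the thread or any browser.  Shows why one
Strict-Transport-Security header with includeSubDomains, received once from
the public site, later forces https on unrelated internal subdomains.
"""
import time
from urllib.parse import urlsplit


class HstsCache:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so expiry can be tested
        self.hosts = {}           # host -> (expiry timestamp, include_subdomains)

    def observe(self, url, header):
        """Record an STS header as received in a response from `url`."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return                # RFC 6797 8.1: the header is ignored over plain http
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":   # directive names are case-insensitive
                include_sub = True
        if max_age is None:
            return                # max-age is mandatory; without it the header is invalid
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 deletes the policy for this host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def must_use_https(self, url):
        """True if the host, or a superdomain with includeSubDomains, is known."""
        labels = urlsplit(url).hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue          # no policy for this label set, or it has expired
            if i == 0 or entry[1]:
                return True       # exact match, or superdomain with includeSubDomains
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// when policy requires it (port 80->443 mapping elided)."""
        if url.startswith("http://") and self.must_use_https(url):
            return "https://" + url[len("http://"):]
        return url
```

Clearing the browser's HSTS state, or the site sending `max-age=0`, is what removes the entry; nothing about the internal host itself is consulted.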
(Score: 2) by JoeMerchant on Saturday June 29, @02:36PM
>it's being retained and being applied to totally unrelated sites.
The blue Muppet named cookie monster comes to mind...
>it could be applied at the domain level, say via DNS, so that it is a conscious decision of the administrators of each domain / sub-domain, rather than an uninformed decision of some random external developer who works on the public website.
Must admit, I don't care enough to find out how it works, but my site I set up in 1997 is still functioning under Chrome as http://
🌻🌻 [google.com]
(Score: 4, Insightful) by NotSanguine on Tuesday June 25, @12:19AM (1 child)
I wholeheartedly disagree! SSL (these days, TLS) was (and is) a kludge and a pox.
Rather, we should all be using IPSec [wikipedia.org] to encrypt/sign all network traffic. Especially with IPv6, as ESP/AH were built in, rather than bolted on as with IPv4.
To clarify, I wholeheartedly agree with your sentiment, just not your preferred implementation.
More detail here: https://datatracker.ietf.org/wg/ipsecme/documents/ [ietf.org]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by JoeMerchant on Tuesday June 25, @02:20AM
I defer to those more versed in the tech for "the ideal way." As you say it's the sentiment that counts. Implementation of that sentiment is always going to be an exercise in compromise.
🌻🌻 [google.com]
(Score: 3, Interesting) by hendrikboom on Tuesday June 25, @12:53AM (2 children)
I've had two security incidents.
The first was in the mid 1990's. I suspect someone used a flaw in the Twiki software to break into my system. The attacker seems to have done nothing more than delete my email file, which had about a month's messages in it. I suspected Twiki because the email log showed that Twiki had sent a message somewhere shortly before the mail file disappeared.
I took a fresh backup, reinstalled Linux from pristine media, and then gradually restored files from the backup -- but only nonexecutable files.
I did not reinstall Twiki.
The second is ongoing. I've encountered IP number blocking, which some anti-malware organisations have imposed because attacks appear to be coming from my IP number. Something on my home network has been sending frequent ssh login requests to try to break into computers elsewhere. I've checked the regular computers at home, but their ssh logs are clean. Of course, I don't trust malware to create proper log entries; that means little. And something might be running on my tablet, chromecast, or phone. As a stopgap, I have reconfigured my ISP-provided VDSL modem to block all outgoing ssh requests, and some of the IP blockades have been disappearing since.
(My ISP has technically competent telephone support, and they seem to recognise technically competent customers.)
But I don't have a solution yet. Someday I might need to use a legitimate outgoing ssh connection.
The VDSL modem will block those connections, but it will not log them. If it did, I might be able to identify the machine that's causing the trouble from its IP number or MAC address. I've thought of sticking some intermediate computer between my network and the VDSL modem and having it filter and log, but that requires hardware I don't have.
Still, being successfully attacked only twice in almost three decades isn't terrible. Though it of course shouldn't have happened even once.
-- hendrik
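The "filter and log" step hendrikboom describes, as an added example that is not from the thread: it assumes an intermediate box between the LAN and the modem logs new outbound tcp/22 connections with a netfilter LOG rule carrying the prefix "SSH-OUT", and attributes the attempts to a LAN host by IP and MAC address. The log lines are constructed to match that format; the function names are my own.

```python
"""Attribute outbound ssh attempts to a LAN host from netfilter LOG lines.

Added example, not from the thread.  Assumed rule on the filtering box:
  iptables -I FORWARD -p tcp --dport 22 --syn -j LOG --log-prefix "SSH-OUT "
The sample lines below are constructed (RFC 1918 / RFC 5737 addresses).
"""
import re

SAMPLE_LOG = """\
Jun 28 01:02:03 gw kernel: SSH-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 28 01:02:04 gw kernel: SSH-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 28 01:02:09 gw kernel: SSH-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:07:08:00 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 28 01:02:10 gw kernel: SSH-OUT IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Jun 28 01:02:11 gw kernel: OTHER IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.8 LEN=60 PROTO=TCP SPT=51237 DPT=443 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line, prefix="SSH-OUT"):
    """Return (src_ip, src_mac, dst_ip) for a matching tcp/22 LOG line, else None."""
    if f"kernel: {prefix} " not in line:
        return None
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP" or f.get("DPT") != "22":
        return None
    # LOG prints MAC=<dst 6 octets>:<src 6 octets>:<ethertype 2 octets>;
    # octets 7-12 are the hardware address of the LAN host that sent the packet.
    mac = f.get("MAC", "").split(":")
    src_mac = ":".join(mac[6:12]) if len(mac) == 14 else "unknown"
    return f["SRC"], src_mac, f["DST"]


def attribute_ssh_sources(log_text, prefix="SSH-OUT"):
    """Map (src_ip, src_mac) -> set of ssh servers that host tried to reach."""
    targets = {}
    for line in log_text.splitlines():
        rec = parse_line(line, prefix)
        if rec is not None:
            src_ip, src_mac, dst = rec
            targets.setdefault((src_ip, src_mac), set()).add(dst)
    return targets


def suspects(targets, min_distinct_targets=3):
    """Hosts that contacted at least min_distinct_targets ssh servers, noisiest first.
    Fan-out to many servers looks like scanning; one admin session to one server does not."""
    ranked = [(len(d), k) for k, d in targets.items() if len(d) >= min_distinct_targets]
    return sorted(ranked, reverse=True)
```

The MAC address is what survives when the offending device gets a new DHCP lease, so it is the better key for matching against the tablet, Chromecast or phone.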
(Score: 0) by Anonymous Coward on Friday June 28, @01:33PM (1 child)
Given that you didn't notice the ssh stuff till others did and seem to have difficulty truly resolving it, you might not have noticed other stuff.
(Score: 2) by hendrikboom on Tuesday July 02, @12:36AM
True. And I still need to track it down. Or reinstall a lot of stuff from scratch, like what I did back in the 1990's. But it's not as easy now that I have multiple machines and a *lot* more data.