erroneous thoughts

my contribution to that global pool of memes, otherwise known as Internet

Archive for the ‘security’ Category

Google cares about your privacy

without comments

And so is promptly demonstrated in this sharply witty satire:

Via a comment in Que Treta

Written by gauthma

August 14, 2009 at 9:41 AM

Choosing passwords

without comments

A former college professor of mine once wrote in a slide something like: “passwords are the cornerstone of computer security”. There’s a fair bit of truth in that. Email accounts, home banking, endless forums, remote logins, subversion accounts, twitter and its friends, social networks; the list seems endless. This poses the question of how to manage so many credentials. The simplest of answers (and here I mean it in the naïve sense) is to use the same password for everything. Make no mistake about it: it is an incredibly stupid idea. I mean, would you use the same password for your main email account and to subscribe to one of those forums that asks you for an email address upon subscription, and then gives you a link to go to when you have “lost your password”, and when you do that, they just email you your old password, in plain text? I doubt it.

But, never mind its stupidity. Every single time I was asked about this, and tried to explain why it is a lousy idea, I got the same retort: yeah right, but that’s never going to happen to me, it only happens to others. I’m careful, I’m not stupid, I’m not going to do something stupid. And so, the inescapable conclusion is once more yielded: I’ll keep using the same password for everything. I’m secure.

No, you’re not. And I’m going to give two real life examples: one mine, the other one from Jeff Atwood, the guy behind the Coding Horror blog.

Ok, mine first. A long time ago, I was given a subversion account for a repository we used at work. And we used a web front-end to access it, viz. trac. And, you’ve guessed it, accessing trac (authentication included) was done over plain old (unencrypted) http. Nobody cared back then because, well, back then there were fewer than a handful of people with subversion accounts. Then one day, I finished up my task, and committed the code. Moments later, one of my colleagues shouts: “Guess whose password just passed right in front of me!”. Yep, he happened to be debugging a piece of code using a network sniffer, and as the connection to the subversion server was not encrypted, he got my password. Now I, being your all time favourite paranoid, had noticed beforehand that the connection to the server wasn’t encrypted, and so I chose a password I wasn’t using for anything else. And so I dodged one more.

The one with Jeff is narrated by himself in two different posts. To make a long story short, he used an insecure password to manage a site of which he is admin (!), while also using the same password in an account for another site, which stored passwords insecurely. Somebody connected the dots, and was able to log in to the admin account.

Both of these situations would have been impossible if passwords were not shared. Don’t get me wrong: the problem here is not using weak passwords for accounts with modest security requirements. The problem is sharing the password: if it’s a strong password, you’ll end up using it some place with poor password management, compromising the other accounts. And I’m not going to take the trouble of explaining why you should not share a weak password. Get a decent password management scheme (I use a variation of this) up and running, train your memory, do whatever works for you, but don’t share passwords. After all, they’re the cornerstone of computer security.
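A per-site derivation scheme of the kind the paragraph recommends, as an added example (not the author’s own scheme, which is linked but not described here); the site names and master secret are constructed, and the reuse check is the kind of audit you would run over an existing set of credentials:

```python
# Added example, not the post author's scheme: derive a distinct password per
# site from one memorised master secret, so a plaintext leak at one site (the
# forum that emails your password back) reveals nothing usable at another.
# Site names and the master secret below are constructed for the demonstration.
import base64
import hashlib

PBKDF2_ROUNDS = 200_000  # slow the derivation down against offline guessing


def derive_site_password(master_secret: str, site: str, length: int = 20) -> str:
    """Return a site-specific password derived from the master secret.

    PBKDF2-HMAC-SHA256 with the normalised site name as salt: the same master
    secret gives a different, unrelated password for every site, and knowing
    one site's password does not help recover the master or any other site's.
    """
    salt = site.strip().lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"), salt,
                              PBKDF2_ROUNDS, dklen=30)
    # urlsafe base64 keeps the result printable for sites with charset limits
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def find_shared_passwords(credentials: dict[str, str]) -> list[list[str]]:
    """Return groups of sites that share one password.

    Compared via SHA-256 digests so plaintext passwords are not kept around
    during the check. Any group returned links the weakest site's password
    handling to every other account in that group.
    """
    by_hash: dict[str, list[str]] = {}
    for site, password in credentials.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_hash.setdefault(digest, []).append(site)
    return [sites for sites in by_hash.values() if len(sites) > 1]


def demo() -> tuple[int, int]:
    """Constructed sample: 'same password everywhere' vs. derived passwords.

    Returns (reuse groups found in the shared set, reuse groups in the derived set).
    """
    sites = ["mail.example", "bank.example", "forum.example", "svn.example"]
    reused = {s: "correct horse" for s in sites}
    derived = {s: derive_site_password("correct horse", s) for s in sites}
    return len(find_shared_passwords(reused)), len(find_shared_passwords(derived))


if __name__ == "__main__":
    print(demo())  # (1, 0): one reuse group in the shared set, none in the derived set
```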

Written by gauthma

May 9, 2009 at 5:35 PM

Posted in security

Schneier for the masses

with one comment

Slashdot has a thread on an online Q&A session by Bruce Schneier. The questions were asked by the public. They cover a wide range of issues, from security and privacy to online businesses and identity theft. There are LOTS of links provided that further detail the issues around each Q&A.

I generally agree with the author’s perspective on many issues; one notable exception is wireless network security. When he was asked about the benefits of securing home WiFi networks, here’s Schneier’s answer:

I run an open wireless network at home. There’s no password, and there’s no encryption. Honestly, I think it’s just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor’s [sic] access until I replaced it.

WoW! That was unexpected! Of course the guys who commented on the article seized upon this:

“YIKES. Speaking of not being able to utter your words lightly. The problem is not that someone is stealing your wireless access, the problem is that a malicious intruder is potentially inside your firewall.”

My philosophy is to keep the network open and secure the hosts.

— Posted by Bruce Schneier

This is Schneier’s response to a reader who complained of one of the issues that arise from giving away your connection to everyone. There are, of course, other problems, referred to by other readers in other comments, most notably the fact that you may be (even if only partially) liable for what a malicious user does using your unprotected connection. I don’t know if that’s the case in Portugal, but I do remember this project: FON. Of course, here in Portugal the same (rather stupid) ISP-imposed limitation that makes running FON nodes moot does the same thing to Schneier’s view on wireless security: ISPs here will charge you not only for the bandwidth of your connection, but also for the actual amount of traffic you’ve used. Add to this a free (as in for everybody to use) wireless connection, and you’re in for some astronomical bills…

Written by gauthma

December 5, 2007 at 3:39 PM

Posted in security

Some things are just too good…

with one comment

… to go unnoticed. And the following comment, posted in this Slashdot thread, is surely one of them:

The Bush administration has shit all over the Constitution and this country. They have committed treason.

That’s not what scares me (or any other onlooker from Europe or the rest of the world).

What scares us is that you shitheads let them get away with it. You almost impeached a president for lying about a blowjob, but you don’t take down an administration that is actively dismantling everything your ancestors fought and died for.

The thread is about an article in which this idiot says he wants 1984 in the good old US of A.

Personally, what scares me the most is that when I read this, I thought of a lecture given by Stallman, where he says something like this: “Americans have the bad habit of, instead of solving their problems, focusing more on imposing the same problems onto the rest of the world”. He said this referring to copyright laws, but it’d be naive (to put it mildly) to think they’ll stop there…

Written by gauthma

November 12, 2007 at 3:24 PM

You’ve been Scroogled, have a nice day!

with one comment

Cory Doctorow has written a piece on what would happen if Google… well, stopped not being evil. The short essay describes a hypothetical association between Google and the Department of Homeland Security, a recent US security agency. Although I’ve not finished reading it, the thing that most amazed me was how plausible the described scenario is. I’m not saying it is (or it is not) true. I’m saying that unlike some other dystopian scenarios, this one, despite being an extreme one, looks surprisingly plausible.

WHAT IF GOOGLE WERE EVIL? Cory Doctorow imagines the worst

“Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him.” —Cardinal Richelieu

“We don’t know enough about you.” —Google CEO Eric Schmidt

I might further edit this post after I finish reading the essay…

EDIT: I am now writing a couple of days after the initial post. I’ve finished reading it, and while I did not actually enjoy the end (seemed a little far fetched, reminded me of the ending of Brave New World…) the essay itself is a joy to read. I wonder what Google guys must have thought of this… I mean, I’ve never worked at Google (though I did apply once…), but from what I’ve read, it appears that most of the guys who work there enjoy their work very much. For instance, quoting Peter Norvig, here’s what he says about his own job (he is currently Director of Research at Google):

Note to recruiters: Please don’t offer me a job. I already have the best job in the world at the best company in the world. Note to engineers and researchers: see why you should apply to help.

And this “working enthusiasm”, lacking a better description, appears to be pervasive at Google. So how can an IT company with such devoted workers come so close to ending privacy worldwide? This is not an easy question, but I think that this may be similar to judging the nature of scientific developments: it depends not only on the developments per se, but also on the use that they are given. The scientific development in discussion here is a great search engine, one whose greatness is only surpassed by the enormous abuse possibilities (as so many science and technological wonders before it). I think they knew this for a while back, and that may have been one of the reasons for their world famous motto: “Don’t be evil”. But they already caved to Chinese censorship laws, and with the US becoming more of a police state as each day goes by, one can only become wary of the possibilities… Reminds me of a quote by Reagan that I previously posted:

Freedom is never more than one generation away from extinction. We didn’t pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same, or one day we will spend our sunset years telling our children and our children’s children what it was once like in the United States where men were free

A final note to say that subcontracting intelligence gathering to the private sector, something referred to in the essay, is not fiction; it is a proposed measure by the US government (will post link to it when I find it).

Written by gauthma

September 21, 2007 at 1:41 PM

A good one from slashdot

without comments

This is one of the articles in Slashdot today:

The BBC has a nice high-level overview of some technologies for surveillance developed in the US and the UK. ‘The US and UK governments are developing increasingly sophisticated gadgets to keep individuals under their surveillance. When it comes to technology, the US is determined to stay ahead of the game …

And this is one of the comments:

This reminds me of my youth in Poland.

(Score:5, Interesting)

by Anonymous Coward on Sunday September 16, @09:19PM (#20630867)

I grew up in Poland in the 1960s and 1970s. This is the sort of shit we dealt with each day.

The Communists claimed to have devices that could read minds to determine one’s intentions. Now, we didn’t know if this was true or not. But seeing as many of us wanted to live another day, or at the very least not get tortured, we assumed they did.

It seems that the citizenry of the UK and the US are now in a very similar position….

Funny how the tables can turn in such little time… makes one wary of what freedoms you can really take for granted these days…

Written by gauthma

September 17, 2007 at 12:36 PM

The goal of terrorism

without comments

The million-dollar (or euro, pound, or what have you) question. And the answer:

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics.

The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And the sad reality (from the same article):

And we’re doing exactly what the terrorists want.

That link goes to an excellent post by Bruce Schneier, one that more people should be aware of. It explains why taking away people’s freedom is not a proper response to terrorism (nor an effective one, at that). This last idea is further developed here:

One problem with securing the nation is the scope of the threat. Terrorists can attack airplanes, sports stadiums, water reservoirs, power plants, chemical storage facilities – the possibilities are endless. Securing the air transportation system isn’t much of a solution, because countermeasures that aren’t comprehensive are of limited value: If you want to defend targets, you have to defend them all. Protect half the reservoirs and the others will still be at risk. Protect all of them, and the sports stadiums are still vulnerable.

From the same post, comes the following:

The only effective way to deal with terrorists is through old-fashioned police and intelligence work – discovering plans before they’re implemented and then going after the plotters themselves. Every arrest of an al Qaeda member weakens the organization. Every country that’s unwilling to harbor such individuals interferes with its operation. Of course, we still need some perimeter defenses around airports and government buildings. But more damage was done to al Qaeda by disrupting its funding and communications than by all the guards and ID checks in the US combined.

Both posts are strongly recommended reading. As a final note, the last post starts by putting some proportion around the WTC bombings:

Terrorist attacks are very rare. So rare, in fact, that the odds of being the victim of one in an industrialized country are almost nonexistent. And most attacks affect only a few people. The events of September 11 were a statistical anomaly. Even counting the toll they took, 2,978 people in the US died from terrorism in 2001. That same year, 157,400 Americans died of lung cancer, 42,116 in road accidents, and 3,454 from malnutrition.

Makes one wonder, does it not? But then again, proportions mean what they mean. Joseph Stalin put it best:

The death of one man is a tragedy, the death of millions is a statistic

Written by gauthma

August 24, 2007 at 6:46 PM

Posted in security, terrorism

NSA does it again…

without comments

You know you’re chronically paranoid when, in the effort to achieve something, you end up taking such extreme measures that they eventually start to hinder the initial objective. And it appears this state of affairs has been reached in the US. Long story short, the NSA is so desperately trying to be able to spy on the whole world that they started pushing for automatic surveillance mechanisms in telephone switches. The problem is that this kind of mechanism makes it possible (or at least easier) for anyone with the proper resources (terrorists, Russians, … China?) to gain access to the information passing through those switches. Which ultimately backfires where U.S. security (and privacy) are concerned. Hooray for uncle Sam!

Last, I reproduce one of the first comments on that Slashdot page:

I remember a quote from Reagan: “Freedom is never more than one generation away from extinction. We didn’t pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same, or one day we will spend our sunset years telling our children and our children’s children what it was once like in the United States where men were free.”

My oh my has that come true. Sadly from the leader of his own party. Something needs to be done?

Written by gauthma

August 14, 2007 at 11:02 AM

Posted in privacy, security

The role of privacy

without comments

Technology has made it possible to spy on the masses on an unprecedented scale. After the WTC bombings, several programs (within the US) were created that did exactly that: massive surveillance, even without requiring judicial warrants. Reporting this were several reputable sources, such as The New York Times, among others. A short list is provided in page 3 (printed page 1) of the pdf document you can download here. And this is far from being limited only to the US.

In this state of things, what is the reaction of the ‘average joe’?

Well, among the people I know (and apparently also among Americans) the so called ‘nothing to hide’ argument appears to be very popular. There are several versions of this argument, but it usually reduces to something like this: “If you aren’t doing anything wrong, what do you have to hide?” Another fairly popular ‘reaction’ is to label all those who favour privacy and things like the widespread use of strong cryptography as ‘naive’ at best, or ‘terrorists’ at worst.

I have very well known and strong opinions against this, and today I stumbled upon an article by Bruce Schneier that shows he does too. I strongly recommend reading both the article and the pdf, both rather small, but above all the article. It will not sink you in tech jargon, and it exposes the point very clearly. And the point is the complete falsehood of the “premise that privacy is about hiding a wrong” (and hence, if you did nothing wrong, you’ve got nothing to hide). It is not. “Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect”. The remainder of the article explains why. Next I quote the most illustrative phrase (IMHO) of the whole article:

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.”

Happy reading :-)

Written by gauthma

July 11, 2007 at 5:48 PM

Posted in privacy, security