April 4, 2013
A Subversive Concept: MOAR SMRT HUMANZ

[ Originally Posted: 04 Apr 2013 13:45 as a comment at Ars Technica ] 

Seraphiel wrote:
BillCole wrote:
The only reason to switch off SELinux on a web server is a lack of human capacity to define the necessary policies.
I would suggest that it’s not a reason to switch off SELinux, but instead a reason to find new humans to be responsible for that server. ;)

You’ve caught me! I am in fact a subversive sysadmin agitator roaming the net planting the logical seeds to counterpunch the trend of replacing highly skilled (and highly compensated) sysadmins with low-skill (i.e. low-cost) button-pushers. That trend is facilitated by increasingly sophisticated system management tools that guys like me have built to free up our time to hang out all day on /. and Ars, foolishly leaking their existence to Management, which responds to phrases like “it’s all automatic” and “any idiot can do it” with jolly rejoinders like “reduced human resource costs” and “human change management.” In my defense, I’m only spreading the gospel of hiring more and better sysadmins because I’m only about half done with making a living as one and would rather not abandon the profession to stay employed.

But aside from that tangent: Yes, it is increasingly important for the people in direct operational control of exposed servers to have the talents, skills, and time necessary to understand and evaluate the “work” done by the increasingly powerful “idiot-proof” tools used to manage them. Any idiot can instantiate 100 new LAMP-stack VPSs with 10 seconds of pointy-clicky and a few minutes of waiting for them to all deploy and boot, but keeping such a herd of systems safe and useful will probably always demand the ongoing support of multiple professional system administrators. Humans are devising the new modes of attack and subterfuge after a compromise, so the proliferation of effectively discrete systems demands a proliferation of similarly-skilled humans working on defense and detection.

January 26, 2013
I’m a terrible father

Full title for youngest spawn: 

Kyle the Deranger and Dementor, Prince of Darkness

I can justify every part of that, and he likes it. 

January 20, 2013
Jacktron 9000: Prescott Pharmaceuticals Side Effects - Full List

brentbuford:

Took some digging but I found this over the weekend and made myself cry reading it out loud at lunch on Sunday.

Abdominal Migration

Abdominal Salad Shooters

ADHDEAD

An Inability to Breathe on Weekends

Ankle Bearding

Aortal Collapse

Arby’s Mouth

Argyle Pattern Baldness

Armpit Homunculus


January 18, 2013
Lessig Blog, v2: A time for silence

lessig:

A week ago today, Aaron gave up. And since I received the call late Friday night telling me that, like so many others who were close to him, I have not rested. Not slept, really. Not connected with my kids, at all. Not held my wife except to comfort her tears, or for her to comfort mine.

Instead…

January 13, 2013
Remember Aaron Swartz: Official Statement from the family and partner of Aaron Swartz

rememberaaronsw:

Our beloved brother, son, friend, and partner Aaron Swartz hanged himself on Friday in his Brooklyn apartment. We are in shock, and have not yet come to terms with his passing.

Aaron’s insatiable curiosity, creativity, and brilliance; his reflexive empathy and capacity for selfless, boundless…

January 12, 2013
Lessig Blog, v2: Prosecutor as bully

lessig:

Boston Wiki Meetup

(Some will say this is not the time. I disagree. This is the time when every mixed emotion needs to find voice.)

Since his arresting the early morning of January 11, 2011 — two years to the day before Aaron Swartz ended his life — I have known more about the events that began this…

December 17, 2012
saboma:

[Enter maniacal laughter here]

December 17, 2012
whitedork:

Cookies.

Cultural sensitivity is important

(Source: kallichaos, via saboma)

December 17, 2012
I guess it’s not the best week for a trip to Paris

(Source: gueasan)

September 5, 2012
Autism Isn’t One Thing And No One Serious Talks About Curing It All

Composed as a comment (awaiting moderation) at Seebs Exhibit 7: This is sorta freaky, and I am not at all sure what I think of it

As someone coming from a somewhat similar place (getting a little help from ADHD meds and a general recognition that I could be labelled as autistic but there’s not really any point to it) I definitely understand your concern. Having 2 kids also on the autistic spectrum adds something to that perspective. My 21yo daughter followed my path: very high functioning, quirky, ADHD diagnosis but ill-served by meds, needs no CURE because her divergence from “normal” is a very mixed bag. I’d even say it is a net positive, but I’m very biased.

Then there’s my son. Whatever genetic aspect of autism he shares with myself and his sister was compounded by being born at 23 weeks and having a significant cerebral hemorrhage in his first week. It is impossible to untangle his complex neurological issues into discrete components, but the classical defining behavioral features of autism are all there and they have been roadblocks to helping him overcome his many other challenges. Curing his autism would change “who he is” but it would also give him a better shot at having a decent life.

That’s a deep problem with the label of autism. It is biologically accurate to classify the whole spectrum of autistic features together, but that doesn’t make the people exhibiting those features all the same. Some of our brains manage to work out adaptations to a world full of people with very different perception and thinking, some can’t. Would I cure Kyle’s autism if I could? Absolutely. I’d cure his CP and epilepsy and damaged eyes and generally underdeveloped left side too. Would I give him a choice? No, because he’d definitely say no. He’d much rather spend the day slamming doors, entertaining himself by seeing how hard he can make the parents flinch at his shrieks (we’re funny…), and asking us to hunt down books (which he cites by ISBN) so that he can read the first word of every line. In a decade as a putative adult 22, he’d likely make the same choice. Would I cure Megan? Not my choice, she’s 21. I’d advise against it. Would I cure myself? Well, after a week full of people insisting on teleconferences instead of email exchanges, I might take that cure. Unfortunately, no one saved cord blood in 1965 so I couldn’t participate in this trial.

That points out important features of the specific treatment in the trial: no one involved is using the word cure, it’s really only applicable to young children, and it’s about as close to a natural treatment as you’ll find in a modern medical trial: autologous cord blood stem cell infusion. If it actually works, it is pretty hard to argue that the process is radically changing who those children are/would/could be, since they are getting cells they missed out on having at birth by the accident of a few minutes. Whatever such a treatment actually could do would be properly called “healing” or maybe “regeneration” and it would make a strong case for whatever it changes being damage.

For reference, Seebs (someone I have a deep and multi-faceted respect for) cited a tertiary source that linked to a Faux News story that provided enough info to eventually get to the actual trial description at http://clinicaltrials.gov/ct2/show/NCT01638819 which is very narrow in scope and design. Even the PR from the hospital doing the study doesn’t say anything about curing autism. 

August 10, 2012
And yet more boring advice…

If you have many email accounts (as so many of us do these days) but don’t much use some (as Mat Honan didn’t much use his me.com address), you shouldn’t be using one that you ignore as a place for any other provider to send password recovery emails.

And at a deeper level, it is careless to ignore any working email account. In the teachable moment of the week, the ignored account was an iCloud (me.com) account, to which Apple sent a notification message when they reset the password. That may seem silly, but if MH had forwarding set up on that account, or had a connected IMAP IDLE session from whatever mail client he uses, or even if he just checked the account every 10 minutes with a smartphone, he would have known of the crack in progress faster. With providers as careless as they have proven themselves to be, mail accounts get cracked. A user who doesn’t keep a trivial watch on an empty and unloved Inbox won’t see a crack when it happens. If you don’t exercise your ownership of an account, you won’t notice it being stolen.

August 9, 2012
Another Stab At The Apple & Amazon Pwning

Inspired by: Secret Security Questions Are a Joke - Slashdot

So-called “Security Questions” have been spreading in use as a mechanism for password recovery, but anyone who knows anything about computer security knows that they are not about securing anything, they are about loosening security.

That’s not altogether bad. The flipside of strong authentication is that it is easy for users to lose the ability to authenticate themselves. Passwords are forgotten, certificates are deleted, temporal PIN gadgets are lost or destroyed, etc. Having a way to reset the primary authentication mechanism helps mitigate that risk. However, the “security question” mechanisms in broad use are mostly far too loose because they draw on a common universe of research-vulnerable questions (e.g. “Mother’s maiden name”) and in many cases (as with Apple and Amazon) are mediated by humans whose jobs are mostly not focused on security, but rather on low-skill customer support for which their employers pay very little. It is not rational to expect that those workers will follow a rigorous security policy that requires them to take time and risk disappointing customers. No amount of security policy rigor can address the problem that security policy is routinely ignored.

It appears that the case of Mat Honan hinged on absurdly weak security question policy at Amazon and a failure at Apple to follow policy in regard to security questions. The best fix isn’t to tighten and try to enforce policy, it is to change the nature of the process. Authentication recovery mechanisms need to meet 2 simple criteria:

  1. The secondary authentication information must be truly secret, known only to the user and the provider.
  2. There must be no way for a special pleading to override the formal mechanism short of persuading the people who defined the mechanism that it should be bypassed.

This means that sometimes users will lose access to their accounts because they can no longer provide either the primary or secondary authentication factors. It may mean that sometimes real security professionals will have to listen critically to the sob stories of careless users. 
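To make those two criteria concrete, here is an added example (written for this page; it is not code from the original post, nor anything Apple or Amazon actually run) of a recovery mechanism built around them. The secondary factor is a set of random one-time recovery codes that only the user holds; the provider stores salted hashes, so the answer is secret even from its own support staff and database dumps. There is deliberately no “support override” function: the only way into the account without the primary password is to present an unused code, and repeated bad guesses lock the recovery path until the user re-issues codes through the primary factor. All names (`Account`, `issue_recovery_codes`, `redeem_recovery_code`, the limits) are this example’s own assumptions.

```python
"""Added example: one-time recovery codes as a genuinely secret secondary
authentication factor, with no human-override path. Names and limits are
this example's assumptions, not any provider's real design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Set

CODE_BYTES = 10          # 80 bits of entropy per code (assumed policy)
CODES_PER_ACCOUNT = 8    # assumed policy
MAX_FAILURES = 5         # bad guesses before the recovery path locks


def _hash_code(salt: bytes, code: str) -> bytes:
    # Users retype codes without dashes and in any case, so canonicalise
    # before hashing; the provider never stores the plaintext code.
    canon = code.replace("-", "").strip().lower()
    return hashlib.sha256(salt + canon.encode()).digest()


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    unused_hashes: Set[bytes] = field(default_factory=set)
    used_count: int = 0
    failed_attempts: int = 0
    locked: bool = False


def issue_recovery_codes(acct: Account) -> List[str]:
    """Generate fresh codes, keep only their salted hashes, and return the
    plaintext codes exactly once so the user can write them down.
    Calling this again (after primary authentication) replaces the old set."""
    codes = []
    for _ in range(CODES_PER_ACCOUNT):
        raw = secrets.token_hex(CODE_BYTES)              # 20 hex characters
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    acct.unused_hashes = {_hash_code(acct.salt, c) for c in codes}
    acct.failed_attempts = 0
    acct.locked = False
    return codes


def redeem_recovery_code(acct: Account, presented: str) -> bool:
    """Return True and burn the code if it is a valid unused one.
    Every stored hash is compared in constant time and the loop never
    breaks early, so timing does not leak which (if any) matched."""
    if acct.locked:
        return False
    digest = _hash_code(acct.salt, presented)
    match = None
    for stored in acct.unused_hashes:
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILURES:
            # No sob-story escape hatch: only re-issuing codes via the
            # primary factor reopens recovery.
            acct.locked = True
        return False
    acct.unused_hashes.remove(match)   # single use
    acct.used_count += 1
    acct.failed_attempts = 0
    return True


if __name__ == "__main__":
    acct = Account("mat")
    codes = issue_recovery_codes(acct)
    print("write these down, they will not be shown again:", codes)
    print(redeem_recovery_code(acct, codes[0].upper()))   # True
    print(redeem_recovery_code(acct, codes[0]))           # False: already used
```

Note that nothing in the module can grant access on the strength of a phone call: the only inputs are the primary factor (outside this snippet) and an unused code, which is exactly the second criterion expressed as an absence of code rather than as a policy document.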

For the real world where that sort of change isn’t going to happen in most cases at any point in the near future, smart users must adapt to the fact that most service providers have de facto lax security. I included some user-relevant lessons in my last post but here are a few more concrete ways to stay safe:

  • When offered a choice, pick security questions with non-researchable answers. If your spouse or sibling could answer the question, it’s a bad one. If a Facebook “friend” could answer it, it’s worthless. 
  • Answer bad security questions with memorable and unique lies. For example, you might tell Apple that your mother’s maiden name is Wozniak or that you graduated from Cupertino High School, while telling Amazon that she was born a Bezos and you went to Seattle Country Day School (dunno if that even exists…)
  • Use an email service that provides a way to invent working unique addresses on the fly so that you can give a unique email address to everyone who asks for one. This is easier than you may think, since GMail supports “+” tagging and arbitrary insertion of periods in addresses.
  • Don’t let anyone store a credit card number in their system that can be used by any other vendor. I said this in my prior post but it is worth repeating.
  • Shun providers who behave badly. For example, some time ago a provider who shall remain nameless (as they may have changed) tried to “canonicalize” addresses I gave them by doing transformations on parts that might have been tags and trying to send mail to the modified addresses. Because I use my own complex and obscure mechanism for unique addresses this only meant that they bounced a few messages off my mail server, but the result was that I deleted my account and blocked all of their mail on my mail server.
  • Avoid the temptation of making any online identity a “hub” for everything you do online. Especially avoid this with free accounts (e.g. Google, Facebook, Twitter, Yahoo, etc.) because ultimately those are provided and governed at the whim of the provider. Apple accounts are slightly better because their email accounts are associated with you being a paying customer, but they also can have such serious powers (e.g. remote wipe) that it is unwise to have them hooked to anything else (like a GMail account) that might turn out to be part of an attack surface.
  • Be as autonomous as you can be. Having your own domain name is a start, but it’s just the prerequisite for a stack of DIY online services that you may or may not be up to handling on your own. At a minimum, having your own domain can be the basis for varying degrees of control over your email addresses that you really cannot have if you stick to using addresses in domains that you do not own. 
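The unique-address advice above and the “keep a trivial watch on an empty and unloved Inbox” point from the earlier post are two halves of one defensive habit, so here is one added example serving both (it is code written for this page, not anything from the original post or from GMail). It assumes the GMail-style convention `user+tag@example.com` with a different tag handed to each provider, parses a handful of constructed messages, and returns alerts for two things worth being woken up for: an account-security notification (password reset or similar) arriving on any tag, and mail arriving on a tag that does not belong to the sender’s domain, which means that address has leaked from, or been guessed at, the provider it was given to. The local part, the tag-to-provider map, the domains and the sample messages are all constructed. `From:` is not authenticated here, so the security-notice alert is a prompt to go look, while the tag-misuse alert is the harder signal because it depends only on which address the mail reached.

```python
"""Added example: a watcher for an otherwise-ignored, plus-tagged mailbox.
Everything below (owner, tags, domains, messages) is constructed for
illustration and is not any provider's real data or code."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional

LOCAL_PART = "mat"            # mailbox owner's base local part (constructed)
TAG_OWNER = {                 # which +tag was handed to which provider (constructed)
    "apple": "apple.com",
    "amazon": "amazon.com",
    "bank": "examplebank.test",
}
# Subjects that mean "someone is touching your credentials".
SECURITY_SUBJECT = re.compile(
    r"password.{0,25}\b(reset|changed|recover)|new (sign|log)[- ]?in", re.I)


def tag_of(addr: str) -> Optional[str]:
    """Return the +tag of an address belonging to LOCAL_PART, else None."""
    local = parseaddr(addr)[1].split("@", 1)[0].lower()
    # GMail ignores dots in the local part, so normalise them away first.
    base, _, tag = local.replace(".", "").partition("+")
    if base != LOCAL_PART.replace(".", ""):
        return None
    return tag or None


def _from_owner(sender_domain: str, owner: str) -> bool:
    # Exact match or a true subdomain; a bare endswith() would accept
    # look-alikes such as "evil-apple.com".
    return sender_domain == owner or sender_domain.endswith("." + owner)


def classify(raw: bytes) -> List[str]:
    """Return zero or more alert strings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipient = str(msg["Delivered-To"] or msg["To"] or "")
    tag = tag_of(recipient)
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    subject = str(msg["Subject"] or "")
    alerts = []
    if SECURITY_SUBJECT.search(subject):
        alerts.append(f"SECURITY-NOTICE tag={tag} from={sender_domain} subject={subject!r}")
    if tag in TAG_OWNER and not _from_owner(sender_domain, TAG_OWNER[tag]):
        alerts.append(f"TAG-MISUSE tag={tag} was given to {TAG_OWNER[tag]} "
                      f"but this mail came from {sender_domain}")
    return alerts


def scan(messages) -> List[str]:
    """Classify every raw message and collect the alerts in order."""
    alerts: List[str] = []
    for raw in messages:
        alerts.extend(classify(raw))
    return alerts


# Constructed sample traffic: a genuine reset notice, a harmless shipping
# mail, a marketer using the bank's tag, and a look-alike domain phishing
# the Apple tag.
SAMPLE_MESSAGES = [
    b"Delivered-To: mat+apple@example.com\r\nFrom: Apple <noreply@apple.com>\r\n"
    b"Subject: Your Apple ID password has been reset\r\n\r\nbody\r\n",
    b"Delivered-To: mat+amazon@example.com\r\nFrom: Amazon <ship-confirm@amazon.com>\r\n"
    b"Subject: Your order has shipped\r\n\r\nbody\r\n",
    b"Delivered-To: m.at+bank@example.com\r\nFrom: Deals <promo@marketing.test>\r\n"
    b"Subject: 50% off today\r\n\r\nbody\r\n",
    b"Delivered-To: mat+apple@example.com\r\n"
    b"From: Apple Support <help@apple.com.security-check.test>\r\n"
    b"Subject: Password reset required\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    for line in scan(SAMPLE_MESSAGES):
        print(line)
```

In real use `scan()` would be fed by whatever fetches the mailbox (an IMAP IDLE client, a forwarding rule into a script, a periodic poll) and the alerts would go somewhere you actually look; the point is that the watching costs nothing once the tags are in place.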
 

August 7, 2012
The Lessons of Mat Honan’s Very Bad Weekend Are Not Really New

The story is here: How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

This is only news because it happened to a writer for Wired. The “hack” didn’t expose any previously unknown vulnerabilities, and the children doing it didn’t demonstrate any significant technical skill or use any sophisticated tools; it was essentially just a case of random vandals digging around online where they could dig easily and telling a few lies to “customer support” staff whose work can never be worth much more than the sub-median 3rd-world wages they are paid.

I’m NOT picking on Mat Honan here. It’s pretty clear that he’s a gadget guy, not a security expert, and as a journalist I’m sure he gets more and slicker pitches from hucksters who find security a nuisance than from security experts. Real computer security isn’t cool. It isn’t fun. It isn’t in any sense spiffy. If you think it is, you’re a geek. I do not say that as an insult, just to note that we are not normal. I have given up scolding normal people for not being security geeks. It’s pretty well proven that a lot of generally normal people love gadgetry but have no affinity for system security. Mat Honan wasn’t particularly careless or clueless, he just had never absorbed some clues that those of us who work in security have sadly stopped talking about much. Clues that are among the least cool, fun, or in any way spiffy lessons of computer security:

  • Any secret which you share with someone else so that they can authenticate your identity later is a password. That includes things that are not very secret (e.g. “mother’s maiden name”) that can be used to recover or reset “the” password. This means that “security question” access recovery mechanisms are de facto security-weakening tools.
  • Don’t use the same password for different accounts. This is a hard one, since it really is not practical to use a completely different password for every account without using a keyring tool, which ultimately is one password for everything. However, a secure keyring is MUCH better than using just one password everywhere or keeping all of your passwords in a plaintext note in some “cloud” service.
  • Don’t give anyone an unrestricted credit card number or bank account number to store for easy reuse. Yes, I know Amazon, PayPal, Apple, and others all really want this. They are stupid and effectively evil. Really. It’s not in a bad way; they don’t intend to be stupid or evil. That doesn’t make it much better. If you can’t resist easy one-click purchasing, get a Discover or other card that provides single-vendor numbers, so that you can’t break the previous rule with a card number. After all, a credit card number is a password to your money and Mat Honan’s example shows that even a part of a number can become part of a de facto alternative password to your account. The same card number linked to many accounts becomes a common and very weak password to them all and to your money.
  • An authentication system that has a fallback system that lets you recover from a lost or forgotten password is less secure than one which does not.
  • If it can be, human judgment almost always will be the weakest link in any security system. It takes an unusually weak assembly of mechanical security mechanisms to out-fail a person who has the power to circumvent it. If an authentication system includes the ability to call a human and beg for access, that will be the easiest way to break it.
  • Security and convenience are directly and intrinsically opposed to each other. Secure systems are cumbersome, and easy-to-use systems are insecure, not as a result of poor design but by necessity.
  • Using email addresses as unique identifiers for people is irresistible, so they become (sigh) a sort of secondary password. If you use one email address for everything, see the second clue…
  • Incumbent technical constraints are often not seen as part of security but may in fact be critical tacit assumptions for the security of systems that are perfectly functional with those constraints in place, but are made insecure with those constraints removed. Parables of this include WEP, the silly kerfuffle created by Steve Gibson over “raw socket” support in Windows, and a long parade of schemes to stop spam based on assumptions that spammers wouldn’t do things that they so far hadn’t done, which basically only demanded audacity and motivation.
  • Email isn’t secure. It can be in specific cases and could be in general with existing tools, but in the real world as it is today the main protection most people have against undetected interception of their email in transit is the fact that there’s so much email in transit all the time and so much of it is pure worthless garbage. The “needle in a haystack” analogy applies, but a better one would be “corn kernels in the sewer.”
  • Backup is a critical security component because information loss is much more common than and usually worse than information leakage.
  • There are many degrees of security and many degrees of attacker. If you allow yourself to be “low-hanging fruit” you will be vulnerable to low-effort attacks from a huge population of weakly motivated opportunists. The other side of this is that very small improvements in how you maintain your own security can raise your vulnerability above where most random vandals will bother.

These boring old truths have implications for “Cloud” services that sell themselves as hubs for a digital life enabled by frictionless sharing and synchronization and yadda yadda yadda. Mat Honan did things that those of us who are Security Geeks have given up warning against. Those warnings make people who wear ties and sign paychecks doze off and wake up grumpy. We’ve spent the past decade or so biting our tongues and taking paychecks and hoping that it would all work out, but it hasn’t. It never will, because it fundamentally can’t. Systems and applications that are most appealing when used in fundamentally insecure ways cannot be made secure. Systems and applications whose security is dependent on end users practicing good security hygiene will not be secure. Systems and applications whose provider-side security is dependent on adherence to policy rather than operation of tools will always be crackable by social engineering.

None of this is news. Back when the press made a big deal of Kevin Mitnick as a great “hacker” it was known by many people who wore that label proudly with no connotation of criminality that he was in fact just a very good con man with unremarkable technical tools and skills. We have had standards, tools, and tested best practices for online security since before most people had heard of the Internet, but still most service providers don’t bother with them. There is a geek subculture where good security hygiene is the norm and then there’s the world at large where many people use one email address and one password and let all of their accounts everywhere interact freely with each other to the extent that losing one to a random script kiddie essentially means losing them all. People who don’t understand that they have to deal with inconvenience as a price of security and that they can’t rely on providers who promote convenience to maintain security will always be the easiest prey for the largest field of predators.


 
