Let’s Be Careful Out There

I ended my my blog post Secure? You better believe it about the discovery of microprocessor security vulnerabilities with this:

I wonder what Bruce Schneier will say?

The question has been answered. Here are some notable points:

“Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

In short, we are all stuck in a hole not of our making.

Later on, there is some practical advice about what you should do:

This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

As they used to say on Hill Street Blues, let’s be careful out there.


Secure? You better believe it

Earlier this week, the Register reported the bombshell news that Intel chips have a major security flaw.

Since Intel chips are the most widely used, and dominate the PC, Apple, and big server market, and fixes seem likely to impact performance, to say that this was a shocker is something of an understatement.

Intel leapt into defense mode and issued a statement about how it’s no big deal, it’s going to be fixed, and we are not the only ones with a problem. I thoroughly recommend you read the Register‘s takedown of that statement here.

It’s from that analysis, I offer the following snippet as something to muse over:

“One step below security by obscurity, there’s security by belief. Demand more.”

Secure? You better believe it!

I wonder what Bruce Schneier will say?


More IoT security stories

In Smart toys may be a dumb purchase, I highlighted a Register article about woeful security in Internet of Thing (IoT) items. Here are a couple of links to more stories along the same lines. However, in these cases, it looks as if the companies were aware of the risks – well aware of the risks, having in one instance received repeated, knowledgeable warnings – but ignored them. Shocking behavior.

Will the marketplace sort these companies out, or will there be legislation? The latter course is rarely successful with technology, but some may argue there has to be some kind of specific backstop to prevent companies behaving in such an apparently reckless fashion.


Smart toys may be a dumb purchase

The Internet of Things, with connectivity and data transfer operating in non computer household items – like fridges, cars, and toys, for example – means that issues of security, confidentiality, and so on, need to be addressed by whole swathes of industry that are rather inexperienced in these areas. I have heard several stories of producers who include a security review as one of the last things on the production timeline, whereas most experts seem to highlight the need for security to be built in to products from the very beginning.

The Register has an interesting item about two toys that seem to have been produced with security flaws, leaving users – OK, the child users – and their families as targets for data theft, surveillance, and who knows what other misfortune.

One flaw found in a toy watch:

“…created a possible means for hackers to add their account to a family’s user group, enabling them to see the child’s location, history, profile details and even to message them.

It highlights how insidious and potentially dangerous the Internet of Things (IoT) is. Expect more stories like this, as the IoT is only going to become more extensive, and it’s unlikely security performance by producers will improve. At least in the cases referred to, the companies involved were praised:

“…for a prompt reaction and response to the reported problems. Other IoT toy vendors should take lessons from the incident and endeavor to bake in basic security controls into products…”

Manufacturers of the world, you have been warned!


The Paris attacks and the exploitation of fear

Bruce Schneier has an excellent blog piece entitled Policy Repercussions of the Paris Terrorist Attacks (which I have only just come across) that is the usual breath of fresh air about terrorism, security, and surveillance.

For example:

The politics of surveillance are the politics of fear. As long as the people are afraid of terrorism — regardless of how realistic their fears are — they will demand that the government keep them safe. And if the government can convince them that it needs this or that power in order to keep the people safe, the people will willingly grant them those powers.

In short, governments use fear as a justification to acquire more intrusive powers.

It doesn’t matter that mass surveillance isn’t an effective anti-terrorist tool: a scared populace wants to be reassured.

That point is worth emphasizing, too. For example, there already was surveillance operating before the Paris terror attacks. Increasing it wouldn’t have increased the chances of preventing the attacks. Mass surveillance does not work in this arena. It does work in terms of keeping tabs on your political opponents…

So far as the opportunities and politicians are concerned, Schenier writes:

And politicians want to reassure. It’s smart politics to exaggerate the threat. It’s smart politics to do something, even if that something isn’t effective at mitigating the threat. The surveillance apparatus has the ear of the politicians, and the primary tool in its box is more surveillance. There’s minimal political will to push back on those ideas, especially when people are scared…

…Terrorism is singularly designed to push our fear buttons in ways completely out of proportion to the actual threat. And as long as people are scared of terrorism, they’ll give their governments all sorts of new powers of surveillance, arrest, detention, and so on, regardless of whether those powers actually combat the threat. This means that those who want those powers need a steady stream of terrorist attacks to enact their agenda. It’s not that these people are actively rooting for the terrorists, but they know a good opportunity when they see it.

So, even though it does not work, the politicians are going to keep trying to secure more surveillance and other intrusive powers.

Do read the whole post (which includes some excellent links to other material on the same issues) here.



All I’m going to say is that the next time you hear a (so-called) pro Palestinian bleating about checkpoints, security, and inconvenience, you can tell them from me, to go forth and procreate.


Assurances, or empty promises?

The next time somebody criticizes Israel for being difficult about its own security – and not just accepting the assurances from Obama, the USA, and others – ask them how much good those types of assurances look to have benefited Ukraine.

Arutz Sheva has this:

The lesson for Israel from Ukraine’s current plight, according to ex-MK Aryeh Eldad, is that Western guarantees of Israel’s security must never be trusted.

“The Russian parliament has given Putin approval to use the military in the Ukraine,” wrote Eldad on Facebook Sunday.

“The Jews have no special fondness for the Ukrainians,” noted Eldad, adding that this did not begin with Bohdan Khmelnitzky, the 17th century Cossak leader under whom tens of thousands of Jews were murdered – nor did it end with the SS guards who murdered Jews in the Nazi death camps.

And yet, he said, Israel should not be indifferent to the fact that Russia is gearing up to invade the Ukraine.

After the Soviet Union broke up, the world suddenly realized that the Ukraine had become a nuclear power, he explained. “Hundreds of nuclear warheads were stored on its territory, ready for use.”

“In a quick diplomatic move, the US and Britain signed an agreement with Ukraine for the disarming of all its nuclear weapons, in exchange for a signed contract that said that the two powers would guarantee Ukraine’s intactness and and security, and are committed to intervening if and when its intactness is threatened.

It’s not difficult to imagine a parallel situation in a future Israel/Palestinian peace agreement.

“Today, Russia is threatening. It would seem that the US and Britain should send armies to the Ukraine, to prevent a Russian invasion or repulse it. It is clear that Britain and the US have no intention of doing so. Russia knows this well, and that is why it is clear that the western powers will ignore the security guarantees it gave Ukraine, and allow Russia to run the crumbling Ukrainian state from outside or from within.

“What do we care? You remember that ‘security guarantees’ will, of course, be an inseparable part of any ‘peace agreement’ that the US intends to force upon us and the Palestinians. These guarantees are not worth a cent, of course,” Eldad added.

“This is just meant to refresh the memory of all those who support the establishment of ‘a demilitarized Palestinian state with US guarantees’ or a retreat from the Jordan Valley, from the mountains of Judea and Samaria, from half of Jerusalem. This is the true worth of international guarantees,” he concluded.

He’s got a point.


Hey princess, what’s in the bag?

Checkpoints. Either Israel needs them for its security, or Israel needs them to inflict hardship on the Palestinians. Somehow, nobody – and I mean nobody – who rants and raves about the unfairness of the security fence and checkpoints, seems able to concede there might be a genuine security issue. These people seem incapable – or unwilling – to accept the possibility of a terrorist threat. It appears they would prefer Israel and its people were left unprotected. Now why might that be?

Meantime, back on the front line, one of these pesky checkpoints resulted in the discovery of a weapon in a kid’s backpack. From the IDF blog:

Late Tuesday evening, a battalion from the IDF’s Kfir Brigade discovered an improvised firearm and ammunition inside of a Palestinian vehicle during a routine inspection in the Jordan Valley. The weapon was found inside of a child’s bookbag at a checkpoint not far from the driver’s home. “The driver aroused suspicion after a preliminary search,” said Captain Sefi Mor, an IDF company commander involved in the inspection. “He seemed anxious, so we decided to perform a comprehensive search of the vehicle.”


Just another day trying to keep the people of Israel safe. Just another day proving that those who want to remove the security fence and the checkpoints are either dangerously deluded, or thirsty for blood.


State of fear

The latest Crypto-gram from Bruce Schneier has a piece about the massacre in Aurora which should be mandatory reading; young, old, employed, unemployed, lawyers, legislators, politicians, policemen, soldiers, sailors, teachers, technicians, programmers, plumbers, civil rights activists, sportsmen, butchers, bakers and candlestick makers to name a few. Everyone should read it! Continue reading


Fear not

From chapter three:

Such dread was a large part of the post-9/11 decade.  A culture of
fear had created a culture of spending to control it, which, in
turn, had led to a belief that the government had to be able to
stop every single plot before it took place, regardless of whether
it involved one network of twenty terrorists or one single
deranged person.  This expectation propelled more spending and
even more zero-defect expectations.  There were tens of thousands
of unsolved murders in the United States by 2010, but few
newspapers ever blared this across their front pages or even tried
to investigate how their police departments had to failed to solve
them all over the years. But when it came to terrorism, newspaper and other media outlets amplified each mistake, which amplified the threat, which amplified the fear, which prompted more spending, and on and on and on.

Top Secret America by Dana Priest and William M Arkin, published by Back Bay. There’s a web site with more material here.

Looks to be interesting material about a debate that is badly overdue. And not just in the USA. There are elements of the UK security approach which have mimicked that of the USA, without stopping to question their relevance and suitability. Even in Israel, a discussion about these issues would be beneficial, though it is way down the list of pressing needs.

Thanks to Bruce Schneier.

Query for the publishers: why is this not available on the Kindle?