Habemus plus vis computatoris quam Deus

Security researchers point out that SSL (Secure Sockets Layer) is vulnerable to what they call the compelled certificate creation attack, in which a government agency (say, the NSA) or operative thereof coerces a certificate issuer (such as Verisign) to issue a falsified SSL certificate, which the agency can then use with certificate renegotiation to perform a transparent man-in-the-middle attack against SSL.

Robert Cringely talks about gag orders from Apple, and the day AT&T learned about Moore's Law.  A short but interesting read, in several ways.  (Ever heard of the PortalPlayer iPod?  ...No, I didn't think so.)

In other news, SecurityWire reports that despite a lack of visible activity, Conficker is still quietly out there doing its thing.  The Conficker botnet is currently estimated at around 7 million machines.  Mikko Hyppönen of F-Secure Corp says that due to the botnet's size and the way it is being monitored, "it would be difficult for anyone to use it to make money or break it up and rent portions out without being detected".

"Conficker was unique in many ways and the biggest mystery around Conficker is why?" Hyppönen said.  "The most logical explanation is that Conficker got too big and too noisy.  It attracted too much attention."

Botnet monitoring organization The ShadowServer Foundation reported that "Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now", but its creators — despite suspicions — have still not been positively identified.

And while I'm at it, the Wall Street Journal reports that insurgents in Iraq and Afghanistan are using off-the-shelf software such as SkyGrabber, purchased off the Internet, to snoop unsecured communication links on US Predator drones and see what the drone's operator is seeing, enabling them to know what roads and buildings are under drone surveillance.  The Pentagon has known about the vulnerability since the Bosnia campaign in the 199s, but hadn't done anything about it until now because they didn't think any adversary would possess the know-how to exploit it.  The newer, uprated Reaper drone has the same vulnerability, despite the fact that the vulnerability was already known when General Atomics began designing the Reaper.

Personally, I'm boggled that it didn't occur to General Atomics to encrypt drone downlinks in the first place.  It seems like a no-brainer.

The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.

The Government Printing Office's decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

The profits have raised questions both inside the agency and in Congress because the law that created GPO as the federal government's official printer explicitly requires the agency to break even by charging only enough to recover its costs.

[ FACEPALM ]

"We have n00 s00p3r s3kur3 biometric RFID passports to FOIL TERRORISTS!  We're going to outsource the manufacturing to a Thai company that's already been compromised, so that we can make a bunch of money in violation of our charter!"

This isn't security theater.  It's security farce.

Bruce schneier makes some interesting comments about patterns of behavior and tactics.  In particular, the key point is the following:  If you have an attacker who has a consistent pattern of not attacking you the same way twice, it's not only ineffective to put in place massive preparations against a repeat of each new one-off attack, it's stupid, because it diverts resources from emergency preparedness measures that you could use to respond to ANY attack or disaster.

Al-Qaida terrorism is different yet again.  The goal is to terrorize.  It doesn't care about the target, but it doesn't have any pattern of tactic, either.  Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response.  And to refuse to be terrorized.

These measures are effective because they don't assume any particular tactic, and they don't assume any particular target.  We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don't stare them down).  Otherwise, general countermeasures are far more effective a defense.

There's only just so many one-off attacks that even the US can afford to put billion-dollar infrastructures in place to defend against a repeat of.  And every time we do, every time we overreact, every time Congress wets its pants and hides in the corner, every time we return an airline flight to the airport because a passenger had hand cream in her carry-on — every time we throw the baby out with the bathwater — we hand the terrorists a victory.  The way to win against terrorists is to deliver a swift and deadly beatdown whenever we're sure of the right target to respond against, and otherwise refuse to allow them to change how we live our lives.  Deny them the terror.

Aircraft hijackings are really pretty rare these days, right?  But as schneier reports, the European Commission, Airbus, Siemens and the Technical University of Munich are spending 36 million Euros to develop a system whereby in the event of an actual or suspected hijacking, controllers on the ground can remotely take control of the aircraft, fly it to the nearest airport and land it, with no intervention necessary or possible from the pilots.

I've actually been aware of this project for some time now, and schneier's reaction now is the same as mine was when I learned about it:  This is a really bad idea.  The situation in which it's intended to be used is so uncommon the benefit is probably minimal, but it opens up a whole new vulnerability -- because you KNOW that once a system like this goes into service, the protocols will sooner or later become public, the equipment specs will be leaked, the encryption protocols protecting it (pray there IS encryption) will be cracked, and once that happens, it will no longer be necessary for hijackers to get on -- or even near -- the airplane at all.  They'll be able to hijack any airliner so equipped, from the ground, and presumably fly it wherever they want by passing control to successive previously-placed ground stations.  Had this technology been in place and already cracked on 9/11, the hijackers could have gotten all four aircraft to their targets instead of just three, and none of them would even have had to die.

This is one of the most stupid and ill-thought-out flight-safety ideas I've ever heard of.  As pointed out in the comment thread in schneier's post, there is one perfectly simple way to prevent 100% of hijackings:  Physically isolate the cockpit on all airliners from the passenger cabin with an unbroken bulkhead, give the flight crew their own separate entry, their own lavatory, and their own refrigerator and microwave for their in-flight meals.

Of course, would-be hijackers could take the flight attendants and passengers hostage, and threaten to kill them if the pilots don't comply with their instructions.  But that's fixable, too, by allowing passengers with legitimate CCW permits to fly armed.  Hell, offer discounted fares for passengers willing to fly armed and intervene in the event of a hijack attempt.

There's one thing I think schneier missed, though.  Even if the system isn't cracked, this would open up a whole new ability for terrorists to DOS the entire commercial air fleet and ground all commercial travel world-wide.

You see, they don't have to actually crack the system.  All they have to do is convince the world that they probably have cracked it.  Every nation would have to order its commercial air fleets grounded until they could be certain the system had been resecured.  They would have no choice.  Can you think of the consequences for any government if a terrorist group announced that it had acquired the ability to subvert this system and take over control of any airliner from the ground, and that government alone decided that the terrorists were bluffing and did not ground its commercial fleet -- and subsequent events proved them wrong?

sierra_nevada found this Inquirer article, which claims that the popular ZoneAlarm personal firewall secretly sends data to Israeli parent company CheckPoint.

This, of course, leads me to wonder whether Checkpoint Firewall-1 has ever been audited for any malicious behavior....

There's a new eBay phishing spoof in the wild.  It's not too badly done, and quite convincing at first glance; I'm guessing they're relying on you thinking "This is bullshit!  This idiot hasn't bought anything from me!" and clicking the "Respond" link before you think to actually examine it and see if it's legit.  Social engineering.  If you do stop to examine it, there's several flaws.

• "Your registered name is included to show this message originated from eBay."  Well, actually, now that you mention it ... no, it isn't.  Not anywhere in the message.  "Oops."
• That "Respond" button doesn't go to an eBay URL.  As a matter of fact, it goes to 62.193.212.56, which is vds-381430.amen-pro.com, registered in Paris, France.
• Oh, and all the links in the right-side sidebars, and the "learn more" link?  They aren't.  Links, that is.  They're faked and don't connect to anything.  There's no anchor tag.  Mouse over them and see.
• And did you notice that the "Thank you for using eBay" URL is to ebay.com, but all the other eBay links on the page are ebay.co.uk links?  A little bit inconsistent there, neh?
• And of course, there's the minor problem that it doesn't come from an eBay address, and isn't even convincingly spoofed.  Mine came from "eBay <qezzobvasze@pisem.net>".  The X-mailer header is oddly curious, too:  "pig pen 3095 guardian angels"
• And then there's the actual, non-HTML message body:  "When over marzipan takes a coffee break, cough syrup related to parking lot starts reminiscing about lost glory.When behind ski lodge procrastinates, from movie theater gets stinking drunk.toothaches remain nearest.pocket living with graduated cylinder reads a magazine, but bubble bath from short order cook learn a hard lesson from about pine cone."  Whoa!  Lay off the glue, dude.

Here it is, in all its phishy stench:

eBay sent this message to you. Your registered name is included to show this message originated from eBay. Learn more. Question from eBay Member -- Respond Now eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).

Question from jell     I have not received any item from you, what happend, I've sent you the money, now were is my item ? If you don't Respond Now I will contact ebay and I will report you, I will also go to the police !Lett me know, I am not a fool !  Thank you ! Respond to this question in My Messages. Thank you for using eBay http://www.ebay.com/ Marketplace Safety Tip If this message is an offer to sell an item without winning it on the eBay Web site (including Second Chance Offers sent through My Messages) please do not respond to the sender. These external transactions are unsafe and not covered by eBay purchase protection programmes. Never pay for your eBay item through instant wire transfer services such as Western Union or MoneyGram. These payment methods are unsafe when paying someone you do not know. Is this email inappropriate? Does it breach eBay policy? Help protect the community by reporting it. Learn how you can protect yourself from spoof (fake) emails at: http://pages.ebay.co.uk/education/spooftutorial This eBay notice was sent to you on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your notification preferences. See our Privacy Policy and User Agreement if you have questions about eBay's communication policies. Privacy Policy: http://pages.ebay.co.uk/help/policies/privacy-policy.html User Agreement: http://pages.ebay.co.uk/help/policies/user-agreement.html Copyright © 2005 eBay, Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.