CircleID: Comments
http://www.circleid.com/rss/rss_cmnts/

Latest comments posted on CircleID

RE: Hidden in Plain Sight: FCC Chairman Pai's Strategy to Consolidate the U.S. Wireless Marketplace (Rob Frieden)

2017-05-21T15:36:30-08:00

Hello Frank:

Thanks for your interest. When presented with the opportunity to avoid sleepless afternoons competing, many ventures opt for the path of least resistance. The term "consciously parallel conduct" refers to the willingness of former mavericks to avoid provocative and consumer-welfare-enhancing conduct, opting instead to follow the lead and umbrella pricing of market leaders.

Posted on May 21, 2017 3:36 PM PDT by Rob Frieden




RE: Hidden in Plain Sight: FCC Chairman Pai's Strategy to Consolidate the U.S. Wireless Marketplace (Frank Bulk)

2017-05-21T15:15:28-08:00

Dr. Frieden,

Do you see the marketplace as four strong competitive providers, or two strong ones and two weaker ones?  Or someone different?  And if Sprint and TMO combined, do you think the combined entity would be in a stronger or weaker position to compete against VZW and ATT?

Posted on May 21, 2017 3:15 PM PDT by Frank Bulk




RE: The 2-Character Answer to this GAC Advice Should be "No" (George Michaelson)

2017-05-17T22:38:31-08:00

I suspect others will disagree, but my own personal sense of the investment in thinking which led people to prefer not to permit existing TLDs to appear as 2LDs under existing TLDs was defensive: it was a reaction to the behaviour of software systems at the time, and stemmed from experiences at the time. Thus, ac.uk and the .ac domain were a known problem, in a world where uk.ac.domain existed (in those days, email domain names were reversed in the UK/JANET network and were converted on the fly by mail systems).

Many "rules" are a function of praxis. They are not always inherently logical, but stem from experience and a precautionary approach to change. I do not wish to comment on the actual substance of GAC or nation-state concerns; I just observe that in the days when systems did perform 'mangling' of names constructed as sequences, there were reasons people tried to avoid this kind of collision. Are they applicable in a modern DNS world? I don't know. I do know that we continue to have software which reflects on the number of dots seen in a label and behaves differently depending on zero, one or more, and we have other systems which infer specific meaning from strings in hand-maintained, compiled-in lists of "special" meaning.

Posted on May 17, 2017 10:38 PM PDT by George Michaelson




RE: Security Costs Money. So - Who Pays? (Charles Christopher)

2017-05-17T10:42:47-08:00

>If software companies can't pay, perhaps patching should be funded through general tax
>revenues. The cost is, as noted, society-wide; why shouldn't society pay for it?

This is not an option; it is a current fact. We are paying for it now.

Our tax dollars pay for the NSA, and they failed to notify Microsoft of the problem because they benefited from the problem. In fact, they pay developers to find and develop exploits for them. Classic conflict of interest. Does the government represent itself, or the people who pay it taxes?

Thus our tax dollars are being used to make problems worse. How can more money "reverse the current direction"? Whereas defunding, less taxes, would seem to address the issue as desired.

>Computer security costs money.

And asymmetric warfare is paying personal income taxes for the "service" of making your day job even harder ...

>In addition, while Microsoft, Google, and Apple are rich and can afford the costs, small developers
>may not be able to. For that matter, they may not still be in business, or may not be findable.

Which is why the growth of Linux continues.

An option you did not mention: developers are coming together and making choices away from that which they have no control over... But it would seem we are not quite at the point of being able to say "Nobody ever got fired for choosing Linux"; current events might get us there faster.

With the availability of Wine, I am moving there myself; not a perfect solution, but it is a start. Like others, I have too much heritage code and development tools to start over.

Posted on May 17, 2017 10:42 AM PDT by Charles Christopher




RE: Digital Identity and Branding: The Five Most Common Mistakes in Naming (Alex Tajirian)

2017-05-17T01:47:31-08:00

Are there any “black swan” mistakes, the ones that have low probability of making but very high cost?

Posted on May 17, 2017 1:47 AM PDT by Alex Tajirian




RE: IoT Devices Will Never Be Secure - Enter the Programmable Networks (Juha Holkkola)

2017-05-16T14:50:22-08:00

Thanks for the link - I hadn't seen Geoff's speech before but really liked it.

Assuming that the device manufacturers are unable to produce secure things that the public would be willing to buy, I think we have to change something else in the equation. Given the advances that have been made on the networking side, that's the direction from which I would start looking for answers.

As far as SD-WAN goes, it is mostly used for enterprise connectivity between data centres and branches. But as the technology matures, I don't think it would be outside the realm of possibility to think that CSPs would start offering cloud-based SD-WAN services that would offer dedicated virtual overlay networks at price points that made them available to pretty much everyone.

Once we move on to 5G, one possibility would be to use smart phones as vCPEs that are part of the SD-WAN. With this kind of setup, networks wouldn't necessarily be tied up to physical devices at all. Rather, one could set up a new private network segment pretty much anywhere and use that to provide a WiFi, Bluetooth or NFC connectivity for different things.

Now, assuming that our things connected to the public Internet via a private network established between the vCPE and the cloud DC, there are a lot of different services that could be used to enhance the security even further. For example various kinds of scrubbing services, unified threat management and application sensitive routing come to mind. The NFV part comes into the picture when these services are deployed (at the edge) as virtual network functions.

While I do appreciate the fact that all the technologies I've described above are still in their infancy, they are already there and could be used today to create very secure network environments. For now, this would be a cost-prohibitive approach to most use cases, but I believe that economies of scale could drive down the prices to a very reasonable level over time, much like the microprocessors that Geoff talked about.

Posted on May 16, 2017 2:50 PM PDT by Juha Holkkola




RE: IoT Devices Will Never Be Secure - Enter the Programmable Networks (Mike Burns)

2017-05-16T11:55:24-08:00

https://ripe74.ripe.net/archives/video/48/

Can the author comment more on how exactly SD-WAN and NFV will provide security for IoT devices by surrounding them inside a virtual perimeter?

Posted on May 16, 2017 11:55 AM PDT by Mike Burns




RE: Dot-Com is Still King - of Domain Name Disputes (Alex Tajirian)

2017-05-15T10:46:27-08:00

John,

My reply is only to your comment above, not what you have said elsewhere.
(1) Significant correlation does not necessarily imply causality.
(2) Suppose one finds significant correlation between new gTLDs and UDRP disputes. What are the implications? Should we not launch new gTLDs?

Posted on May 15, 2017 10:46 AM PDT by Alex Tajirian




RE: The Criminals Behind WannaCry (Charles Christopher)

2017-05-15T08:01:46-08:00

A friend works for Unisys. His group authors the code that runs on very high-end custom "PCs" that run Linux, which emulates a VAX, so their customers can continue using their heritage software. Everyone would recognize the users of these systems; most depend on them daily.

The PC is cheap, and everyone and their dog (j/k) can author reliable code for it.

That is what drives its ubiquitous use, and like the VAX, it's not going away anytime soon. Back to our tax dollars recognizing this fact of life and being used to protect it, and commerce and industries in general. With all the billions spent to watch and record our every move, there is actually no incentive for our tax dollars to be used to solve these problems. Every time I am on the highway I can see the NSA's Bluffdale facility, another reminder of the use of our tax dollars. That is the issue: if there was a will to harden general-purpose "PCs", they would be far more secure than they are. WannaCry would not be happening right now.

We need to make a choice and verbalize it:

“Those who surrender freedom for security will not have, nor do they deserve, either one.”
- Benjamin Franklin

"I prefer dangerous freedom over peaceful slavery."
- Thomas Jefferson

https://www.aclunc.org/blog/feds-refuse-release-documents-zero-day-security-exploits

March 3, 2015

"But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use."

"While zero-day exploits are no doubt useful to U.S. law enforcement and intelligence agencies, their use raises serious public policy concerns. Zero-days are also regularly used by foreign, hostile governments, criminals and hackers engaging in cyberattacks. That means our government’s choice to purchase, stockpile and use zero-day exploits instead of promptly notifying manufacturers is effectively a choice to leave both the Internet and its users less secure."

Posted on May 15, 2017 8:01 AM PDT by Charles Christopher




RE: The Criminals Behind WannaCry (The Famous Brett Watson)

2017-05-15T02:56:41-08:00

Given the risks associated with both applying updates and not applying updates in a medical environment (or similar environments where system failure has the potential to endanger lives), the problem is that they've used an operating system which is singularly unfit for purpose. Windows is the single biggest target for such attacks on the planet, has a history of ongoing vulnerability, and is frequently updated for risky non-security reasons. This kind of application needs an ultra-conservative OS with an emphasis on stability and security over novelty and generality. That OS could, in principle, be some special variant of Windows — just not the mainstream desktop-oriented one.

It's harsh to go after the systems administrators when they've had the worst of all possible worlds foisted on them by market forces outside their control. Sue the vendors if you want to apply pain where it's actually likely to have a beneficial outcome. There has to be some kind of "fitness for purpose" angle when plain old desktop Windows is embedded in critical hardware.

Posted on May 15, 2017 2:56 AM PDT by The Famous Brett Watson




RE: The Criminals Behind WannaCry (Neil Schwartzman)

2017-05-15T01:45:16-08:00

"Microsoft once or twice a year would push out an update that would trash one major system or another."

That's why we have back-ups, and try a single system before applying the patches across the board.

Posted on May 15, 2017 1:45 AM PDT by Neil Schwartzman




RE: The Criminals Behind WannaCry (Charles Christopher)

2017-05-14T21:08:52-08:00

From your link:

https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/#more-39367

We find the following comment:

"Steve C
May 14, 2017 at 6:26 pm
I read in the British press that due to underfunding, 90% of the hospitals there are to some degree still using Windows XP and Server 2003. This is why they were so heavily impacted.

Where I used to work I was responsible for managing WSUS. I normally would wait to approve Windows Updates after they had been out for a month, unless if something was super critical. This was done because Microsoft once or twice a year would push out an update that would trash one major system or another. After a week or two the bad patches would be silently fixed."

Yup, I have seen Microsoft "updates" break things, and that is one of many reasons why I turn off updates on my personal equipment.

In addition to that, the NSA, at taxpayer expense, developed the core of this attack. So why are my tax dollars being used to author exploits rather than to report bugs to authors so that we are all safer and more secure? And why should I blame administrators now dealing with the mess taxpayers funded the authorship of?

>Criminal charges should be considered: Anyone who administers a system that touches critical
>infrastructure, and whose computers under their care were made to Cry, if people suffered, or
>died, as is very much the possibility for the NHS patients in the UK, should be charged with
>negligence.

Yup, so let's start with the NSA employees...

Posted on May 14, 2017 9:08 PM PDT by Charles Christopher




RE: Patching is Hard (Neil Schwartzman)

2017-05-14T08:04:30-08:00

Please enjoy my other side of the coin, here: http://www.circleid.com/posts/20170514_the_criminals_behind_wannacry/

Posted on May 14, 2017 8:04 AM PDT by Neil Schwartzman




RE: The Criminals Behind WannaCry (Neil Schwartzman)

2017-05-14T08:03:33-08:00

I think the other side of the coin is well represented by Professor Steven Bellovin, who isn't wrong about the realities of patching. That said, given the rampant proliferation of exploits these days, people failing to do expeditious patches in a professional environment, particularly in critical infrastructure, is akin to a trucking company failing to heed recalls or do basic vehicle maintenance.

Posted on May 14, 2017 8:03 AM PDT by Neil Schwartzman




RE: Patching is Hard (Niel Harper)

2017-05-13T04:05:24-08:00

Hardened servers make it more difficult for core infrastructure to be compromised by ransomware. And because most ransomware is propagated by an endpoint visiting a compromised website that hosts rootkits, the use of virtualized desktops with non-persistent images can reduce the time and complexity associated with patch management. One of the best defenses against malware is a robust backup and recovery solution. My preferred approach is disk-to-disk-to-tape with encrypted tapes and offsite backup storage. Couple this with real-time replication for critical data sets, and this allows an organization to better protect itself from malware attacks, because recent versions of critical data are available for recovery.

Posted on May 13, 2017 4:05 AM PDT by Niel Harper