In a recent blog post, Security Economics of the Internet of Things on Schneier on Security, security expert and cryptologist Bruce Schneier describes the economics of securing IoT devices.  The post was written in response to unprecedented DDoS attacks against investigative security journalist Brian Krebs and his website krebsonsecurity.com.


CNBC: Execs We’re Not Responsible for Cybersecurity, “…executives like CEOs and CIOs, and even board members — didn’t feel personally responsible for cybersecurity or protecting the customer data…” (Twitter: @ArigatoDamato)

Video: Execs We’re Not Responsible for Cybersecurity

Laws and regulations have not kept pace with the growth of Internet technologies.  Policy makers have communicated no clear expectations to the software industry or to users of these services.  Executives have responsibility for protecting customer data, but enforcement remains selective.  In the most egregious incidents, top C-level execs have been terminated for poor cybersecurity (e.g., Target).

I saw a recent article on Wassenaar, and it included a link to Adam Back’s website, www.cypherspace.org.

Photo 1: Front

Adam developed a Perl script that was at one time considered a munition under ITAR.  Of course, handling a 3-line Perl script like a bomb is ridiculous, especially since the encryption algorithms were widely known, even at the time.  To bring public attention to ITAR, the script was printed on a t-shirt, making the shirt itself a non-exportable munition.  The t-shirt was featured by media publishers like Wired Magazine.

Adam is no longer printing these t-shirts but provides the graphics to the public if you want to print your own.  Designs for the t-shirt are available if you’re interested in printing one yourself.  I have used CustomInk to print custom t-shirts in the past with good results.  I appreciate clever and thought-provoking t-shirts.  I may have to make one of these classics for myself.  Wearing an export-controlled munition around the office is extremely cool.

Photo 2: Back

Images and Perl Munitions T-Shirt: Adam Back, www.cypherspace.org

Apple responds to the court’s order on two primary fronts.

First Amendment Violation
Compelled software code and code signing is “…compelled speech…in violation of the First Amendment”.

Fifth Amendment Violation
“…conscripting a private party…to do the government’s bidding…” violates Fifth Amendment rights.

An article on Motherboard includes a copy of Apple’s Motion to Vacate filing with the court.  I’m not a lawyer, but two points I find interesting: 1) software code and the signing of software code are argued to be protected speech under the Constitution; 2) major corporations have constitutional rights just as US citizens do (I didn’t realize this).

You may be hearing about the EU-US Safe Harbor discussion in the news.  At risk is multinational companies’ ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.

On October 6, 2015, the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.

“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” [4] Court of Justice of the European Union

The ECJ recommended, where protections cannot be guaranteed, “suspending the contested transfer of data” [4].  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU.  Neither option is very tenable for US multinationals or for citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers, it’s not clear EU data would be safe from US government overreach.  In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  I have been covering developments in this area over the last couple of years [1][2] for interested readers.

[1] Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accelerates
[2] Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

An Ars Technica article, “Feds warn first responders of dangerous hacking tool: Google Search” (sent via @wh1t3Rabbit), describes individuals who use advanced Google search commands, known as Google Hacking or Dorking, as acting like “malicious cyber actor[s]”.

Treating all Google dorkers as malicious is very disturbing, since advanced search commands have many legitimate uses, which is the reason Google makes them available to the public.  In fact, the article I wrote about Johnny Long’s (Twitter, @ihackstuff) Google Hacking, “Google Hacking — Blast from the Past”, is a popular post, and I’m guessing that is because it helps people find legitimate information they need on the Internet.  Sorry, readers: in my blast from the past post I showed you how to use Google’s filetype: command.  You are now acting like malicious cyber actors and are likely monitored by governments for your subversive activities.

Profiling individuals who use Google’s advanced search commands in the same class as malicious cyber actors is disturbing.  I think we should treat data like money.  There are a number of uncanny similarities: data provides those who manage it a living wage, it has value, it’s traded, it’s electronic, it’s easy to duplicate, etc.  At least it seems like a place to start.

Consider a bank that leaves its money on its doorstep and complains when thieves steal it.  We call that bank foolish.  Yet when site owners do the same with our most sensitive data, posting it on public web sites, we hold them blameless.

The concern with profiling those who use powerful tools is that it’s a distraction from the real problem – unsecured sensitive data on the public Internet.  Many tools can be used for either beneficial or malicious purposes: knives, guns, etc.  Even if Google removed its advanced search commands, it would amount to burying our heads in the sand and ignoring the real problem.  Attackers would only craft new tools to evade detection.
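The practical answer to the doorstep problem is to find your own exposed files before a search engine indexes them. The following script is an added example written for this post, not code from the original article or from any of the tools it mentions. It walks a directory assumed to be a site’s public document root, flags files by extensions that filetype:-style queries commonly surface, and greps small text files for marker strings that suggest the content should never have been public. The extension list, the marker patterns and the sample web root it builds are all constructed assumptions for illustration; adapt them to your own site.

```python
"""Audit a web document root for files a search engine would happily index.

Added example (not from the original post). Assumes `root` is a directory you
control that is served to the public; everything it reports is already reachable
by anyone, so the finding is "remove or restrict this", not a vulnerability in
anyone else's site.
"""
import os
import re
import tempfile

# Extensions that filetype: queries typically target.  Illustrative assumption.
SENSITIVE_EXTENSIONS = {
    ".xls", ".xlsx", ".csv", ".sql", ".bak", ".env",
    ".log", ".pem", ".key", ".conf", ".ini",
}

# Content markers that suggest a file should not be public.  Illustrative assumption.
MARKER_PATTERNS = [
    ("confidential marking", re.compile(r"(?i)\bconfidential\b")),
    ("credential assignment", re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)\s*[:=]")),
    ("private key block", re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")),
]

MAX_SNIFF_BYTES = 65536  # only inspect the head of each file


def scan_webroot(root):
    """Return {relative_path: [reasons]} for every file that looks exposed."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []

            ext = os.path.splitext(name)[1].lower()
            if ext in SENSITIVE_EXTENSIONS:
                reasons.append(f"sensitive extension {ext}")

            # Sniff the head of the file; skip anything that looks binary rather
            # than guess at its structure.
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MAX_SNIFF_BYTES)
            except OSError:
                continue
            if b"\x00" not in head:
                text = head.decode("utf-8", errors="replace")
                for label, pattern in MARKER_PATTERNS:
                    if pattern.search(text):
                        reasons.append(f"content: {label}")

            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_webroot():
    """Create a throwaway directory of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": "<html><body>Welcome</body></html>\n",
        "css/site.css": "body { margin: 0; }\n",
        # constructed: spreadsheet-like binary that should never be in the web root
        "reports/customers.xlsx": "PK\x03\x04fake-binary\x00",
        # constructed: config file left inside the document root
        "includes/db.conf": "db_host=localhost\npassword=hunter2\n",
        # constructed: memo with a confidentiality marking but a harmless extension
        "docs/memo.txt": "INTERNAL MEMO - CONFIDENTIAL\nQ3 numbers attached.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for path, why in sorted(scan_webroot(sample_root).items()):
        print(f"{path}: {'; '.join(why)}")
```

Run it against the real document root instead of the constructed sample and treat every line of output as a file to move behind authentication or delete; anything it reports is exactly what a filetype: query would return, with or without a search engine's help.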

–Milton