Posts Tagged “security”

The Equifax breach is a disaster »

Mike Masnick, Techdirt:

At some point, we need to rethink why we’ve given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can’t opt-out. They collect most of their data without us knowing and in secret. You can’t avoid them. And now we know that at least one of them doesn’t know how to secure that data.

Data is a toxic asset »

Bruce Schneier:

We can be smarter than this. We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal. We can make corporate executives personally liable so they know there’s a downside to taking chances. We can make the business models that involve massively surveilling people the less compelling ones, simply by making certain business practices illegal.

Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.

This piece by Bruce Schneier is worth revisiting in light of the Equifax breach disclosed yesterday. We’re in the middle of a fresh wave of outrage over it but, as that fades, we should remember that we can do better than this. Companies and organizations that hold and collect our personal information can do better than this.[1]

There will be more breaches and we’ll have to deal with the fallout, but we shouldn’t be apathetic about it. Any company that collects that much data about the public should be held to higher standards when storing it (or, better yet, shouldn’t store it at all). An insincere apology and a free year of some service provided by the company that failed to protect our data in the first place isn’t good enough.

  1. They might consider starting by patching publicly known vulnerabilities before they’re exploited.

EFF argues border agents need warrants to search digital devices »

“Our cell phones and laptops provide access to an unprecedented amount of detailed, private information, often going back many months or years, from emails to our coworkers to photos of our loved ones and lists of our closest contacts. This is light years beyond the minimal information generally contained in other kinds of personal items we might carry in our suitcases. It’s time for courts and the government to acknowledge that examining the contents of a digital device is highly intrusive, and Fourth Amendment protections should be strong, even at the border,” said EFF Staff Attorney Sophia Cope.

It’s ludicrous that a warrant is not currently required for these searches. If a search is truly necessary, the authorities in question should be able to obtain a warrant with ease.

Senate push for encryption legislation falters

Via Reuters:

Draft legislation that Senators Richard Burr and Dianne Feinstein, the Republican and Democratic leaders of the Intelligence Committee, had circulated weeks ago likely will not be introduced this year and, even if it were, would stand no chance of advancing, the sources said.

Fantastic news. This bill (and the push behind it) was ill-conceived at best and would have done untold damage had it passed.

DHS Boss Calls For More Fear, Less Encryption »

Techdirt:

This is wonderful stuff if you’re a fan of authoritarianism. Shut up and show your support. It’s a message that’s been sent several times by the new president. Now, it’s being echoed by his top officials.

Yet another ill-considered power grab in the name of safety.

Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.

Securing your personal devices and accounts »

Jonathan Zdziarski has a detailed write-up on personal technical security that you should read and consider implementing (particularly given recent events).

With the current US administration pondering the possibility of forcing foreign travelers to give up their social media passwords at the border, a lot of recent and justifiable concern has been raised about data privacy. The first mistake you could make is presuming that such a policy won’t affect US citizens.

The year encryption won »

Via Wired:

It’s not a firm guarantee, and who knows what a Trump administration will bring. For now, though, it’s enough to appreciate the gains encryption made in 2016, and be hopeful that 2017 will only build on them.

DOJ takes war on encryption to WhatsApp

Via The EFF:

The government’s theory, that the All Writs Act gives it the power to compel American companies to write code and design products to ensure law enforcement access to encrypted content, is virtually without limits. No devices, and indeed no encrypted messaging services, would be safe from such backdoor orders. If the government wins in San Bernardino, it could even force companies to give it access to software update systems, and send their users government surveillance software disguised as security patches.

The government is taking its war on encryption to WhatsApp’s front door. This is, perhaps, even more terrifying than its effort to force Apple to hamstring its device security. It’s one thing if the government can force its way into devices but, oftentimes, services used on secured devices have their own, additional layers of security. This is the government attempting to compromise security further by making inroads into the security provided by messaging (and other) service providers.

Chilling.

Dutch government on encryption

Via Ars Technica:

…forcing companies to add backdoors to their products and services would have “undesirable consequences for the security of communicated and stored information,” since “digital systems can become vulnerable to criminals, terrorists and foreign intelligence services.”

Exactly.

Backdoor password in Juniper's firewall code

Via Ars Technica:

On December 17, Juniper Networks issued an urgent security advisory about “unauthorized code” found within the operating system used by some of the company’s NetScreen firewalls and Secure Service Gateway (SSG) appliances. The vulnerability, which may have been in place in some firewalls as far back as 2012 and which shipped with systems to customers until late 2013, allows an attacker to gain remote administrative access to systems with telnet or ssh access enabled.

This is exactly why creating backdoors into encryption is a really bad thing. A backdoor is simply a vulnerability with an intended user; whoever else finds it gets the same access. We don’t need a ‘Manhattan-like project’ to create more security holes like this one — if you create backdoors, even for legitimate purposes, you’ll simply increase the likelihood that incidents like this keep happening.
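To make the point concrete, here is an added example written for this post; it is not Juniper’s or ScreenOS code, and the “support” password, the user store and the firmware blob are all constructed. It shows the class of flaw the advisory describes: an authentication routine with a fixed credential compiled in, the hardened version beside it, and a crude `strings`-style scan demonstrating that anyone holding the firmware image can pull that credential back out.

```python
import hashlib
import hmac
import re

# Constructed values for the demonstration; nothing here comes from ScreenOS.
BACKDOOR_PASSWORD = "svc-override-7f3a"   # hypothetical "support" credential
_DEMO_SALT = b"fixed-demo-salt"           # fixed so the example is deterministic
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Per-user credential store: username -> (salt, PBKDF2 hash). Constructed sample.
USER_DB = {"admin": (_DEMO_SALT, _hash_password("correct horse battery", _DEMO_SALT))}


def _check_user(username: str, password: str) -> bool:
    """Verify a password against the store using a constant-time comparison."""
    record = USER_DB.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        _hash_password(password, _DEMO_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authenticate_with_backdoor(username: str, password: str) -> bool:
    """Vulnerable: one literal grants admin on every device that ships this code."""
    if password == BACKDOOR_PASSWORD:
        return True
    return _check_user(username, password)


def authenticate_hardened(username: str, password: str) -> bool:
    """Hardened: the only path to access is a credential the operator set."""
    return _check_user(username, password)


# --- Why the backdoor is everyone's hole: it sits in the image in plaintext. ---

def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image (not a real ScreenOS binary)."""
    padding = bytes(0x80 + (i % 100) for i in range(512))   # no printable runs
    return (b"\x7fELF" + padding
            + b"login: %s\x00" + b"password: %s\x00"
            + BACKDOOR_PASSWORD.encode() + b"\x00"
            + padding + b"Access denied\x00" + padding)


_STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")   # printable runs of 8+ bytes, like strings(1)
_KEYWORDS = (b"password", b"passwd", b"login", b"auth")


def find_credential_candidates(image: bytes, window: int = 64) -> list:
    """Return printable strings that sit within `window` bytes of an auth-related
    keyword. A triage heuristic for a firmware dump, not a full analysis."""
    hits = []
    for m in _STRING_RE.finditer(image):
        s = m.group()
        if any(k in s.lower() for k in _KEYWORDS):
            continue   # the prompt/keyword itself, not a candidate secret
        neighbourhood = image[max(0, m.start() - window): m.end() + window].lower()
        if any(k in neighbourhood for k in _KEYWORDS):
            hits.append(s.decode())
    return hits


if __name__ == "__main__":
    print("backdoor works for anyone:", authenticate_with_backdoor("nobody", BACKDOOR_PASSWORD))
    print("hardened rejects it:      ", authenticate_hardened("nobody", BACKDOOR_PASSWORD))
    print("candidates in image:      ", find_credential_candidates(build_sample_image()))
```

The scan is deliberately simple: it only looks for printable runs near words such as `password` and `login`, which is enough to surface a literal placed beside an auth prompt and is roughly what a first pass with `strings` and `grep` over a firmware dump does. The hardened routine has no second path at all; the fix for a backdoor is removal, not a stronger backdoor password.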