Twenty years ago, when I was writing Accidental Empires, my book about the PC industry, I included near the beginning a little rant about how good engineers were incapable of lying, because their work relied on Terminal A being positive and not negative and if they lied about such things then nothing would ever work. That was before I learned much about data security, where apparently lying is part of the game. Well, based on recent events at RSA, Lockheed Martin, and other places, I think lying should not be part of the game.
Was there a break-in? Was data stolen? Was there an unencrypted database of SecureID seeds and serial numbers? All we can say at best is that we don’t really know. And in some quarters that is supposed to make us feel more secure because it means the bad guys are equally clueless. Except they aren’t, because they broke-in, they stole data, they knew what the data was good for while we — including SecureID customers it seems — are still mainly in the dark.
A lot of this is marketing — a combination of “we are invincible” and “be afraid, be very afraid.” But a lot of it is intended also to keep us locked-in to certain technologies. To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?
Good question.
Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.
This is National Security, remember, which means ethical and common sense rules are suspended without question.
RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs. Don’t blame the companies, though: if they didn’t play along in the U.S. they would go to jail. Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you, too.
The feds are so comfortable in this ethically-challenged landscape in large part because they are also the largest single employer… on both sides. One in four U.S. hackers is an FBI informer, according to The Guardian. The FBI and Secret Service have used the threat of prison to create an army of informers among online criminals.
While security dudes tend to speak in terms of black or white hats, it seems to me that nearly all hats are in varying shades of gray.
Yet there is good news, too, because IPv6 and Open Source are beginning to close some of those security doors that have been improperly propped open. The Open Source community is building business models that may finally put some security in data security.
The U.S. government is a big supporter of IPv6, yet the National Security Agency isn’t. Cisco best practices for three-letter agencies, I’m told, include disabling IPv6 services. From the government’s perspective, their need to “manage” (their term, not mine — I would have said “control”) is greater than their need to engineer clean solutions. IPv6 is messy because it violates many existing management models.
The key winners are going to be those companies that embrace IPv6 as a competitive advantage. IPv6-ready outfits in the U.S. include Google, AT&T, and Verizon. Yahoo and Comcast still have work to do. Apple has been ready for years.
Some readers will question why I appear to be promoting the undermining of U.S. intelligence interests. Why would I promote real data security if what we have now is working so well for our spy agencies?
I’m not a spy, for one thing, but if I was a spy and trying to keep my secrets secret I wouldn’t buy any of these products. I’d roll my own, which is what I think most governments have long done. So the really deep dark secrets were probably always out of reach, meaning most low-hanging fruit is simple commercial data like the 125+ million credit card numbers stolen so far this year from Sony, alone.
If the NSA needs my credit card information let them show me why. I think they don’t need it.
We’ve created a culture of self-perpetuating paranoia in military-industrial data security by building systems that are deliberately compromised then arguing that draconian measures are required to defend these holes we’ve made ourselves. This helps the unquestioned three-letter agencies maintain political power, doing little or nothing to increase national security, while at the same time compromising personal security for all of us.
There is no excuse for bad engineering.
Bravo Bob, Bravo. Wouldn’t it be nice if we could actually have privacy and security features built into the Internet? I say lets get going and roll it out with IPv6.
With regard to the gray hats out there, the Anonymous posting of internal HBGary e-mail providing a fascinating look at one contractor building malware.
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars
If a private company build a more secure system, how would the government know unless they attempt to hack it?
Or are you flat out saying the government hacks all the systems, and if they can’t they go to the company and basically say make your system weaker?
This doesn’t add up.
-dan
He was referring to creating an encryption service, something you are marketing and selling to others. The idea is that the government will then want a back door in place to insure they can access the data (if ‘warranted’) encrypted by your service.
I am baffled by this too. I was one of the first to get an export license when the U.S. reluctantly deregulated export of strong encryption. The only pushback I got from the government was a phone call from a nice lady at the BXA who reminded me that even though I was releasing the encryption module as open source (good practice, so that the open source cryptography community can review it), if anybody else used my encryption module in a commercial product they’d need a license to export it too, so I should be careful to document that in the release package for the encryption module. I did.
There was no demand to put in a back door, no demand that I add the ability to decrypt it in the absense of a key, none of that. Much discussion in the open source cryptography community turned up a man-in-the-middle attack in the algorithm for initial key exchange (which happened once when you added a new node to the network), but one that was of no practical use on a production network. We added a shared secret (passphrase) to deal with that flaw anyhow, just because.
As for IPv6, it is security fail. The first line of defense for my network is my NAT firewall, which gives my IPv4 network its own private address space that it simply is impossible to directly reach from outside my network. Even if my firewall rules miss a possible attack due to one hole too many punched into the firewall, IPv4 NAT provides an additional layer of defense to keep out attackers. IPv6 NAT basically doesn’t exist in a usable form at the moment. You want me to put my entire network onto the Internet for hackers to exploit? Are you insane?!
Most companies PURCHASE their security tools from other firms. Those firms are required to limit the capability of the products they sell. If company xyz decided to add a better layer of encryption to their data communications, the USA government may not notice or care.
Now consider the problem this causes on Internet based commerce. To get encrypted communications (like SSL) you need a trusted third party (like Verisign). The best you can get is 128 bits. If Verisign offered a 1028 bit service they would probably get a visit from the USA government.
Ok, let’s say this is all true.
If the government already has a back door, why would they care if Verisign made a 1028 bit service?
It would be more secure for the public but the government spooks can still get in.
But this all hinges on the premise that anyone who starts up an encryption service company will by default get that visit to either play or be leaned on heavily.
Still doesn’t add up.
You don’t understand how SSL works. Once Verisign sold the certificate the person/company who bought it would implement the security and encryption. Open source projects would be able to support higher strength keys if people could only buy them. And once people could buy them it would be almost impossible for the government to control or get back door access because the number of implementations would be in the millions.
Law to the contrary, NSA vacuums everywhere. You can look it up.
Actually, a presidential order by Carter in the late 70s allowed for electronic discovery in the name of national security. It was codified with laws in the 80s and then 90s under Clinton for further intrusion allowance (read up on the Zimmerman PGP case), culminating in the Patriot Act in the early 2000s which gives government agencies official authority to look anywhere at any time while using an ambiguous “terrorism” justification, supposedly presented to a tribunal of secret judges but rarely in practice.
All encryption products built or housed in the US are required by those laws to provide backdoors on demand. Which is why all high quality encryption development shifted overseas at the end of the 90s, beyond the reach of US agencies.
Correction: Encryption products used to be classified as munitions and therefore subject to export controls which required shorter key lengths depending on algorithm and none other. No such limitations (or any other) was placed on product meant for domestic consumption historically and no law at any time including the present requires back doors.
That said, attempts have been made from time to time regarding the introduction of such laws in the U.S., none successful. In the realm of international commerce however, certain E.U. members have requested such features under threat of market denial and “color of law” — see: Microsoft Bitlocker — although not known (and certainly subject to change) codified into law specifically.
The Zimmerman case was a matter where the program Pretty Good Privacy (PGP) clearly violated ITAR export restrictions when compiled from source although the case determined that source code in and of itself was not subject to restrictions. An important distinction. Not only was Zimmerman off the hook so to speak but the entire issue of peer review-able and compilable source code was brought into sharp focus as a matter of insurance against the threat of compromising code inclusion.
A distinction not to be forgotten when entrusting security products cast in hardware or for which no compilable source exists. An example of this would be IBM’s self encrypting Solid State Hard Drives (SSD’s) where it is publicly known the passcode being divorced from the encryption keys thus opening the door of suspicion these drives being untrustworthy. A matter that will stand until such time the firmware can be interrogated and verified in its entirety and in all regards to stated purpose and none other. Good luck with that.
We are likewise reminded the absence of law precluding “back doors” and that security product might be compromised to curry favor with government organs and client states given profit motives. Depending on perspective, lawlessness maximizes freedom to operate within markets corruptible by and for those in quest of greater rewards. Consumers are exploitable feed stock when viewed from the top down on one hand, while intelligence desires justifies itself with feckless ease on the other.
In short, U.S. laws demanding backdoors past or present is a misnomer and currently there is no need as contemptible market forces have given rise to a flourishing insecurity industry.
See also: cloud computing.
Bob,
I’m glad you cleared up the misleading title of this blog. It isn’t engineers doing the lying; it is management and the government!
Engineers, and some scientists, are part of the few elements of society who primarily deal with reality, as opposed to mere beliefs. Thank heavens for them.
I hate to rain on the US Governments parade, but…. There are now (cloud-like) software tools that allow many computers work as one. Bob wrote about one such firm several years ago. (For national security reasons I am not providing a link.) With this software anyone can build a super computer. With enough math and programming skills, anyone can go into business breaking encrypted data.
Data security must be security in depth. Encryption can not be the ONLY way one protects their data. Much more must be done. One also needs to monitor who and what is accessing your critical data. Lets use Sony as an example. How many financial transactions were done in a day by the Playstation Live service? How many Sony customer service transactions were done? The answer is a very finite number. If one observed 2x as many transactions being requested — that should throw up a red flag. Good security isn’t hard. It just requires one to serious think through how data is used and managed.
Shorthand: re-watch “The Phantom Menace,” ignore Jar-Jar Binks, and pay attention to the theme.
Please help us out and just tell us what the theme is. Jar-Jar is impossible to ignore and too painful to watch.
The theme is a democratic government getting pushed into war becoming a fascist dictatorship along the way. Sounds familiar?
I admit it. I was wrong.
I’ve been saying for quite some time that iPv6 was unnecessary. As in “What problem does it solve aside from how can a Cisco account manager get a better sailboat berth in Sausalito?”. I know see what problem it solves.
The other issue that should trouble security minded people: one of the initialized members of RSA who’s happy to expound on many matters great, small, and squidly has been conveniently silent on the company’s response to the original theft. If it were any other company than the one that bears his namesake, he would have roasted them in the depths of the slor in thirty blog postings by now.
RSA is Rivest, Shamir, and Adleman. I get the feeling you are, incorrectly, making a reference to Bruce Schneier.
I think the theme of this post is, overall, consistent with the kinds of things Bruce Schneier has been talking about for years. In other words, security isn’t *that* hard, but requires common sense and practicality—two things woefully lacking in politics. But the politicians are instituting the “security” measures.
I think your premise regarding data security is the same for the security *theater* we see in the airline industry. We’re straddled with intrusive, time- and money-consuming, privacy-invading measures whose effectiveness is impossible to prove (like the trinket I carry in my pocket to prevent bear attacks—I’ve never been attacked by a bear, so it must work, right?). And yet, I’m sure a truly motivated bad person, or bad people working together, could subvert these measures. I don’t doubt that these measures dissuade the low-grade, just-plain-stupid bad people, but those types should be filtered much more easily.
And really, now that the cabins are sealed, planes should no longer fly into buildings. Worst case is a mass slaughter of all passengers on a plane. Not to undermine that scenario, as it’s truly a tragedy, but it’s better than another 9/11. And while we have all this crazy, over-the-top security for flight, ground-based mass transit systems are virtually unprotected (at least in my town, Chicago). Blowing up a train would kill far more people (and more collateral damage) than an airplane slaughter. And yet, even an unsophisticated bad person could pull this off. Perhaps I’m missing something, but I call this an epic fail with regards to common sense.
I guess in the end, fear is an easy sell. People see a big data breach or a 9/11 and they’re scared. And that’s a natural, human reaction. But just like with grieving, eventually, you’re supposed to “get over it”, and move on. But if people with an agenda (politicians and the military-industrial complex) keep reminding us of those things or even causing them (if you believe the conspiracy theorists), it’s really hard to move on. It’s a great appeal to emotion, as opposed to reason. An appeal to reason says, “let’s first recognize that this was a rare event, then look at what has happened, and find and fix the biggest holes in our system.” And I think most people would be on-board with that line of thinking, until someone comes along and screams, “OMG! What about 9/11?! We need more, more, MORE security!” And the cycle continues.
I’m still afraid. If the “cabin is sealed” that just means a little more force or finesse is required to break in. And the determined bad guys will simply be prepared to do just what is needed. We should just be aware of the government’s desire to have all the security keys they can get. And the government should be aware of the people’s desire to get all the privacy they can. The people cannot trust the government to always do the right thing and the government cannot trust all people to do the right thing.
Sigh. It’s far more complex than just “politicians” doing “irrational things”. SInce its inception, the United States has never *not* been at war for a period of longer than 12 years. At some point in the early to mid 19th century, government representatives became involved in earning profits from the manufacture of arms. Since then, the autocratic class in the US has built state reason for conflict in order to generate revenue. It isn’t a rare occurrence, and it will never go away. Moreover, there are vast sections of the world that have lived through these US-generated conflicts that seek revenge daily. They will not forget nor go away. Flying airplanes into a few buildings is just one outcome. Assured, someone is busy somewhere planning a way to ship a nuclear weapon into Times Square. Or downtown Los Angeles. Or Silicon Valley.
That is why engineers are pressed into service to lie and build inadequate encryption technology. That is why doctors are forced to monitor and treat state-sponsored torture. That is why nothing you say into a phone or write into a computer is “private”. Because they are sniffing through everything. Not to protect you. To protect their revenue streams.
well said.
“The U.S. government is a big supporter of IPv6, yet the National Security Agency isn’t. Cisco best practices for three-letter agencies, I’m told, include disabling IPv6 services. ”
While Bob appears to interpret this as evidence that IPv6 is just Too Secure (the security people couldn’t snoop), it could equally be evidence that IPv6 is just Too Insecure (everyone can snoop). Which it is, we wouldn’t know just from this article.
Did you follow the link in that paragraph? All is explained.
Bob, you mean the ultimate link to the NSA MacOS-X hardening tips? All that says is “Disable IPv6 and AirPort when Not Needed”.
I couldn’t find the actual tips, only blog comments. It feels like maybe there is a broken link somewhere.
http://1.usa.gov/e2fJxe
Thanks Frank, I didn’t realize we had to download a pdf to see what Bob meant. As a pervious poster said, it only says to turn off unnecessary stuff, including IPv6. If, after everyone switches to IPv6, I’ll bet they reprint the brochure changing the “6” to a “4”, so I still don’t see how it supports the notion that 6 is more secure than 4.
Not to mention that the US DoD (and DISA) is one of the biggest supports of IPv6 and pushing it internally very heavily.
From 1998 to 2007 I worked in the security field. My experience from those days regarding IPv6 and security is that you wouldn’t want to deploy IPv6 on stuff that really needed to be secure for the plain and simple reason that all your security tools wouldn’t work (as well) as they would with ipv4.
Packet filtering, IDSs, log analyses, loads of other stuff just worked a lot better, with better and more features, using IPv4 then IPv6. Which is understandable, given the amount of time it had taken to get proper security tools for IPv4 in the first place.
In addition: you often and up with a dual stack situation. IPv4 *and* IPv6. This doubles your system/network administration headaches when something goes wrong *and* more then doubles your security worries.
My assumption is that where IPv6 doesn’t get deployed out of security concerns, it has a lot more to do with the basic fact that more complexity = less security.
It will be fascinating to see how “bitcoin” plays out. It has many technically desirable features for an internet currency. However some of those technically desirable features, namely anonymity and no central choke-point are anathema to governments. I can see boths sides – I like the idea of something as anonymous as cash (Perhaps more, after all there are marked bills – I wonder if bitcoins can somehow be “marked” similarly.) for internet use, but I can also see how it enables criminal endeavours to completely sidetrack many law enforcement tools.
It might be a little like the fsp protocol. They designed fsp to be like ftp, but low priority so that it could gently sit there using excess bandwidth to transfer files instead of prime-time bandwidth like ftp. But it became known primarily for distributing warez, and nobody legit would touch it.
Chuck Schumer has already criticized bitcoin because it is becoming a “payment of choice” method for drug runners, illegal arms dealers, etc.
This IS related to the cryptography discussion, because bitcoing if cryptography based, and is really at the exact intersection of cryptography and money.
Its not the anonymity that they fear about Bitcoin, its the idea that people and countries can repudiate the worlds financial system like Iceland did. If more people realize that you can live without monetary systems run by the world banks, they just might not get their huge bonuses this year.
There’s been a good deal of ink (real and virtual) spilled the last couple of years (including my other venue) questioning the viability of finance based economies. The US corporate profit had reached about 40% from financial trading, nearly double its previous historical average.
As “we” have pointed out, the sole value add of Banksters (by whatever name) is to marry Savers with Borrowers. The manipulations concocted over that last couple of decades serve only to siphon ever more of that fixed money flow into the Banksters pockets. One might view the financialization of the world economy as omen for collapse. I did so, back the 1970’s in my analysis of Uruguay. It’s one thing for a small South American country to de-industrialize; quite another for the USofA to do it.
meanwhile, Chittybank announces one month after the fact that a quarter million customers’ data has been on the walls of bus stop shelters for a month.
what good is tranport security if the endpoints are porous as an Arab marketplace? what the bad boys don’t get from keyloggers that piggybacked on your dirty-surfing habits, they get from social engineering or kiddie-cracking the business titans.
it’s about time for a whole new approach to online security, one in which consumers are going to have to waterboard Uncle Sam to get it implemented.
To anyone who has been a programmer and worked in IT for any appreciable amount of time, they know IT is really a successive learning process. New work is based on and is built from the experience of past work. The art of programming, the design of programming languages, the design of user interfaces are all based on a long succession of prior work.
Data security follows the same successive learning process. We know how to secure systems because of past mistakes, past intrusions, etc. Because we are dependent on prior work and experience it is very important for firms like Lockheed Martin to be honest and forthright the rest of the industry. They do not have to share the gory details about how the attack was done, that information should be (and is probably being) shared with the government and their data security technology providers (eg RSA).
To keep a major data security breach a complete public secret does a disservice to the whole industry. You KNOW the bad guys are comparing notes on what works. The good guys need to work together too.
You could use the term “successive learning process” to describe engineering in general.
Rupe
A wonderful and poignant article. Remember that the three letter acronyms from the USA also affect the world. This is a global society not limited by borders.
J.
Bob, the book “Accidental Empires” is excellent as is the movie “The Triumph of the Nerds”.
Thank you for making the effort to do both.
Finally , the evil empire (Microsoft) is forced to pay ($290m) for their theft:
https://www.guardian.co.uk/technology/2011/jun/10/microsoft-canada-i4i-patent
They had to pay for “stealing” DOS, although, IIRC, even less.
This makes me want to run out and iCloud all my personal data ASAP.
I remember attending a network world presentation 5 years ago by Bechtel on how they had converted all of their worlwide internal networks to fully registered (No NAT needed) IPV6 space. If they did this 5 years ago why haven’t the ISPs moved any faster?
I think you may have some crypto confused in your article.
– The AES symmetric algorithm uses key sized between 128 and 256 bits. 4096 bit AES that you mention is truly outrageously large and impractical. I expect you meant 4096 bit RSA.
– The RSA public key algorithm uses keys between 1024 and 4096 bits.
– The RSA SecurID tokens do NOT use the RSA public key algorithm. Some years ago RSA Data Security was bought by Security Dynamics, the original manufacturer of SecurIDs. Security Dynamics then changed its name to RSA for marketing reasons. Today RSA is owned by EMC.
Also, I have dealt with export compliance for implementations of most of this stuff to China, India, South Korea and other countries and run into few fundamental restrictions by the US government. You can export this stuff if you do it according to the rules.
I’ve argued this for teh longest time. I protect the privacy of people, and they need the truth. Not telling them the truth (and I mean that as “the truth in a way they can understand and which does not lead them to understand something else”) is endangering them.
So what control does the NSA or anyone else have over long-keys used in software-based encryption? You are free to hack Blowfish or any other block cipher to accept 4k or larger keys if you like. You just can’t sell it. PGP survived.
This guy (RIM CEO) does not look like he is under control of the NSA or anyone else:
https://www.youtube.com/watch?v=izUG8Zep02s
“I think lying should not be part of the game.” Wow! What radical ideas you come up with Bob.
Exactly which games should lying be part of then?
Poker?
Politics?
Bob makes an early assertion in his article that, for its own snooping purposes, the US government doesn’t want its citizens to have seriously secure networks.
The US government used to regard 128-bit encryption software as a weapon and shouted this loud and clear in the early 90’s when they arrested the legendary Phil Zimmerman for his free distribution of PGP. It was quite a news story at the time and I’m surprised no-one else has mentioned it yet.
Under the Clinton administration regulation of the export of crypto was moved to the commerce department and relaxed. It is no longer considered a munition.
There is still some restriction, particularly “crypto with a hole”, a communication system that facilitates easy replacement of the crypto the communication system is shipped with with some crypto that is different/stronger.
In this era of download-able “How to Build a Bomb” guides and the ability for anyone to walk out of secure facilities with CD-ROMs full of secrets, it makes sense to discourage the use of highly effective, commercially available encryption systems. This helps keep unbreakable encryption tools out of the hands of amateur terrorists and thieves, thereby helping our security agencies to better monitor these idiots — the majority of the threats we face. Businesses and customers may complain their data security is threatened, but this may be the price we pay for helping our law enforcement officials prevent future attacks. Saying that our enemies can simply “roll their own” encryption systems ignores the fact that most would-be terrorists only know how to buy over-the-counter products.
“Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.” – Benjamin Franklin
— This helps keep unbreakable encryption tools out of the hands of amateur terrorists and thieves, thereby helping our security agencies to better monitor these idiots — the majority of the threats we face.
The NRA gunnuts get all frothy about not being allowed to have an M-16 with 500 round barrel clip, as if that would have any effect against a squadron of F-16’s. But they cheerfully ignore the real threat to personal freedom. Wouldn’t want the wimins to have an abortion, or white folk marry black folk, or or or. But they’ll let government/corporations put them through a sausage grinder in the name of National Security (any zit on the body politic qualifies, of course).
The security agencies mostly monitor gossip.
https://www.amazon.com/Shadow-Factory-NSA-Eavesdropping-America/dp/0307279391
“To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered.”
Um, no. The vast majority of widely used crypto algorithms and protocols are open standards. You can find any number of specs and books that describe the details of RSA, DSA, PGP, AES, Blowfish, SHA, ECC, SSL/TLS, S/MIME, IPSEC, etc. All legitimate cryptographers and security experts agree that peer review is the only way to ensure security. The few proprietary encryption systems I’ve heard about are basically scams aimed at customers too ignorant to realize this.
It’s also not at all difficult anymore to export crypto code from the US. I understand there’s some paperwork involved if the key sizes are ‘big enough’, but I haven’t heard of companies having trouble with it lately. You may be misremembering the state of affairs back in the ’90s.
Researchers at Virginia Tech have developed a method to…and I quote from the executive summary:
“To combat the increasing threat to network security and privacy, the IT Security Lab and the Bradley Department of Electrical and Computer Engineering at Virginia Tech have developed the Moving Target IPv6 Defense (MT6D), which uses a new form of dynamic addressing in IPv6 to secure and anonymize network hosts and their communications.”
https://www.nhdf.org/library/2011_NSIC/Virginia_Tech_Exec_Summary.pdf
I shudder to think the security implications of this concept!
As long as Facebook is secure, all our personal information will be safe. /sarcasm
The implication that IPv6 is somehow more secure than IPv4 is simply false. The protocol specs say that devices supporting IPv6 must support encryption; *but* there is no requirement for it actually being used.
The only difference at present between IPv4 and IPv6 is maturity of security features in various bits of networking software and firmware, which is *less* for IPv6, not *more*. Guess why.
[…] Robert X. Cringely posted and insightful and disturbing post on the recent RSA/Secure ID hacking incident and how IPv6 and other more secure technologies run counter to the objectives of the USG’s “three-letter” agencies — When Engineers Lie. […]
“RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs.”
What evidence is there to support this assertion?
They are after me. I know it. I have to wear this tin foil hat because the military industrial complex is working with the White House and NSA to force Steve Jobs to keep the iPhone open to hacking so that they can watch me play Words With Friends and see what I am spelling.
And the bastards at LM will not tell ME what is happening so I can write snarky articles about it! They won’t tell me, me!
Wanna’ buy a roll of foil? Cheap?
When Bob lies: I don’t have a PhD., but neither does Bob.
He complains about the Japanese with their heads in the sand and red tape, but the American solution is much better, LIES, LIES, LIES
[…] Schneier on Security Patrick Gray on why we secretly love LulzSec, and Robert Cringely on why we openly hate RSA. […]
[…] Cringely » Blog Archive » When Engineers Lie – Cringely on technology https://www.cringely.com/2011/06/when-engineers-lie/ If the NSA needs my credit card information let them show me why. I think they don’t need […]
So one of the largest procurers of technology (US Govt) accepts technologies’ inherent weaknesses and the exposures that come with it in order to gain an advantage in snooping? Isn’t that a bit like saying home insurance companies really don’t like locked doors and alarm systems as it let’s them *truly* know what’s in your house? The costs vs. benefits don’t add up and are contradicted by the multitude of initiatives to better secure COTS technology and cyberspace, including efforts by the NSA (think SCAP). Methinks the gentleman is not terribly well versed in a complex mix of government imperatives but would rather spin easier to grasp conspiracy nonsense.
Bob’s point is that there are some government officials, in all countries not just the US, who want the government to have the ability to monitor all communications. In fact Steve Gibson (www.grc.com) was going to release his new patented product “Crypo Link” but put the entire thing on hold due to recent legislative attempts to require that anyone providing such a service must provide the “keys” to the government.
[…] When Engineers Lie Robert Cringley (hat tip reader Crocodile Chuck) […]
[…] Backfires: Sweden’s Lesson for Real Sustainability Common Dreams (hat tip reader May S). Eeek.When Engineers Lie Robert Cringley (hat tip reader Crocodile Chuck)Panetta: Escalate Shadow Wars, Expand Black Ops […]
The business of intelligence services is not and never has been national security; the business of intelligence services is making a business out of intelligence services. The undending ‘War on Terror’ is nothing more than an unending conduit through which money passes to corporate command and control systems, whereas any reasonable person understands that democracy is under far more threat from the activities of the Kochs, the Coors, the Murdochs than it ever could be from Osama bin Laden or a million like him.
Illuminati – A secret group with the need to control the world by any means necessary including mass confusion and centrifuge tactics. IPV 6 is not made for security reasons. http://en.wikipedia.org/wiki/IPv6 There is nothing inherently more secure with 6 over 4. Its simply an address system. Gov does not like it simply because there would more addresses to monitor.
“IPv6 has ‘VPN’ capabilities built in ready for use and some features to get more traffic encrypted. This is great for privacy, but could challenge some network security as more traffic can’t be monitored.” (see https://www.thetechherald.com/article.php/201123/7249/Q&A-Things-to-consider-when-it-comes-to-IPv6-and-security-Part-II)
I believe the US Govt frowns on IPv6 because there are less avenues to monitor traffic flows, encrypted or not. The more privacy and security built into the protocol the less “big brother” has to work with.
-Mike D
What do you think the govt frowns on IPv6? They’ve been pushing transition for it hard and often w/o good business case other than to be “hip” and “cutting edge”. And Mich R is right, it’s just more addresses. IPv4 has ‘VPN’ capabilities too. Don’t expect VPN usage to go up w/ migration to IPv6.
Advanced IPSec security protocols, ESP (encapsulating security protocol) and AH (authentication header), which are add-ons to IPv4, are not widely used globally. IPv6 VPNs requires these protocols, which will mean that strong encryption will become much more prevalent and much easier to build and deploy in an IPv6 world.
Because the VPN support in IPv6 is built in as opposed to a separate add-on the use of VPN communications to ensure privacy will become more commonplace, IMO. Governments won’t like this as it will impede their ability to monitor communications that today are quite a bit easier to monitor.
You can’t say the US Govt supports IPv6 but the NSA doesn’t… they’re one and the same. big brother isn’t thrilled with the prospect of more challenging encryption to break. This is why there are export controls on encryption standards here in the U.S.. What do you think IPv6 does to that?
– Mike
[…] related: When Engineers Lie […]
Actually, Mr. Cringley, as anybody who has ever had even a simple conversation with a crypto guy knows, when you come up with a really good crypto systems, it’s the departments of Defense and Commerce that come after you. There’s something called the Armaments Act that pertains, or at least pertained the last time I looked under the hood.
Engineers tend to not lie; you are talking about RSA management, not the underlying engineers. It’s a company run by committees of MBAs, a trade with known ethical lapses, with the marketeers doing their front work.
What lovely spam.
[…] Patrick Gray on why we secretly love LulzSec, and Robert Cringely on why we openly hate RSA. […]
[…] Trust No One. Especially not the RSA. […]
Bob,
This is a very poor piece of work consisting of: Unsubstantiated conspiracy theories, references to SNAC config guides that say disable unnecessary services, a plug for your book that noone bought.
The real problem with IPv6 right now is that from a security perspective it is incomplete. It could be better than v4 but it isn’t… because frankly it is only halfway thought out.
The entire government is staggering toward implementing v6 because there is an executive order to do so. (which they are years late implementing because they dragged their feet the whole way)
Compound the lack of v6 superiority with the inherit vulnerabilities of running dual stacked and you can see why noone wants to be first moving to v6. but you go ahead and jump on that if you think it makes you more secure.
I know rumour mongering is your thing, but don’t bring it to a technical discussion.
thanks
-jeff
Some of the confusion comes from equating anonymity with security. Usually they go together, from an engineering standpoint, but from the point of view of government wanting to keep track of criminals, anonymity is less secure. So to the extent that IPv6 is less anonomous, it’s more secure to the government but less secure from a privacy standpoint.
In 1990’s Bush 1 stole from Canada a security system program for use in Diplomatic Emails and sold it to other nations as secure and USA made.
The point being inside information! Always good for negotiating. Deception and ambush are the best and cheapest methods to win wars! But as everyone becomes more equal it is harder to do so spying take the lead.
The farce that was HBGary Federal showed it having access to hundreds if not thousands of off the shelf vulnerabilities that are in windows.
Each time you press the “I accept” button on a program download you don’t read the legalese that says “your stupid to accept all the problems we built into the system and can’t be f$@ted fixing and for too much sucker”
Well that has become the norm in USA today so much so that Boeing is doing the same with airplanes!
Goldman Sachs does the same with CDOs.
Well the answer is in Network!
Its irresponsible governance without policing or punishment! It started with G. Ford not punishing his predecessor.
[…] we secretly love LulzSec and When Engineers Lie are about security of data in the modern […]
Lack of real security might have to do with government policy and interference. I personally think sheer lack of competence is the likelier explanation. Doing realistic, working security requires a brain, training, a certain mindset and a pretty good idea of how a lot of tech works in rather intricate detail. That is not something many people train for. Most techs learn to perform tricks, not how tech works (thank you certification programmes). Most commercial security tech sucks on details. I still remember the rather interesting security advisory about a bug in a certain commercial firewall product that on triggering that bug no longer was a packet filter but rather a packet flood-gate. That is security engineering failure.
Even where competent security staff, competent security engineers, sysadmins with security clue etc. are present, those that manage them are often stil clueless. The devil is often in the details and one does not manage on details if one manages according to modern management theories. Security details however do not easily let themselves get abstracted away. Sooner or later they will surface right through all the layers of management abstraction and cause real failures.
*That* is what makes proper security hard. If you find this hard to believe, I invite you to read up on how Diebold actually engineers its voting machines. For fun I am also quite willing to divulge some details about a similar experience in the Netherlands.
coral earrings
That was before I learned much about data security, where apparently lying is part of the game.
I Like When Engineers Lie
Developed in collaboration between legendary music producer and artist Dr. Dre, engineers from Monster Cable and renowned industrial designer Robert Brunner. The Beats by Dr. Dre Studio headphones allow you to experience music the way the artist wants you to. These high definition headphones are precision-engineered to reveal the full sound of today’s digital music including the most sonically demanding rock.
The Beats by Dr. Dre Studio headphones allow you to experience music the way the artist wants you to
This is a nice one. I´ve encountered this article several times this week searching for something alike. Now is in my news box 🙂 Keep up the good work!
We are sure that you can choose your favorite headphones here.You can easily wear these headphones beacause the they are ultra lightweight and fold inward. And unbelievably accurate sound can be delivered from the headphone.
These articles written too great,they rich contents ma le scarpe non ti donano. meglio dei sandali con stringe più sottili e caviglia libera Perfect! and data accurately.they are help to me.I expect to see your new share.
that the article is too long, speaks precisely how interesting and good contend that develops the theme.
Hi i did enjoy the blog as well as topics i am looking forward to any updates thanks!
Beats By Dr Dre Pro Red Headphones…
[…]I, Cringely » Blog Archive » When Engineers Lie – Cringely on technology[…]…
NEBOSH online training…
[…]I, Cringely » Blog Archive » When Engineers Lie – Cringely on technology[…]…
enjoyed!
Free Pogo Gems…
[…]I, Cringely » Blog Archive » When Engineers Lie » I, Cringely – Cringely on technology[…]…
From time to time, beats by dre find that even with no beats by dre studio router, they’re still picking up a wireless signal. that is the price we could accept about louis items, their wireless alerts may be broadcasting via your louis vuitton men bags space. An answer here might be ask the neighbor to show off the facility to their router before they go to mattress, to your monster beats by dre studio and theirs. the dr dre headphone features simple silver trim and closely resembles the classic handset style beats by dre solo is known for and for those who crave a little louis vuitton shoulder bags and more colour. As a common rule, limit cell cheap beats by dre phone usage, particularly lengthy calls.Driving for hours can really be boring so having some louis vuitton denim entertainment could really help to break the louis vuitton monogram handbags monotony. Think movies or music or crayons and drawing pads, even books!
cell phones…
[…]I, Cringely » Blog Archive When Engineers Lie – Cringely on technology[…]…
By wearing replica watches they could give in on their desires and yet not burn an excessive amount of money. There isn’t chance of being solaced and disappointed through the Replica watches as they’ll surely offer you more than everything you expected. This can also be one of the best selling and credit giving types of Replica watches. This suggests that as an alternative of marking each second, the other hand moves swiftly into a number of ticks very well. The exhausted versions in the Pasha will be in 18 carat craven gold, rose gold, stainless-steel, and they are bogus both in men’s and some women’s models.
CARTIER Delices de Replica Ladies Watch https://www.alexsautographs.com/teamaddresses.htm