Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 27.50
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 1 Oct 2013 14:31:11 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 1 October 2013  Volume 27 : Issue 50

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.50.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Cybersecurity should be seen as an occupation, not a profession (Steve Ragan)
Cost and Responsibility for Snowden's Breaches (Jonathan S. Shapiro)
What Facebook, Twitter, Tinder, Instagram, and Internet Porn Are Doing
  to America's Teenage Girls (Nancy Jo Sales via Monty Solomon)
LAUSD halts home use of iPads for students after devices hacked (Re: Blume,
  RISKS-27.49)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, Sep 30, 2013 at 2:50 AM
From: InfoSec News <alerts () infosecnews org>
Subject: Cybersecurity should be seen as an occupation, not a profession,
  (Steve Ragan)

  [From Dave Farber's IP list]

Steve Ragan, CSO Online, 26 Sep 2013
http://www.csoonline.com/article/740456/cybersecurity-should-be-seen-as-an-occupation-not-a-profession-report-says

A panel from the National Academy of Sciences, commissioned by the U.S.
Department of Homeland Security, says that cybersecurity should be seen as
an occupation and not a profession.  After being commissioned by the
U.S. Department of Homeland Security, a panel from the National Academy of
Sciences reported that the cybersecurity field is too young, and the
technologies, threats, and actions taken to counter them change too rapidly,
for professionalization to be considered. Thus, cybersecurity is an
occupation and not a profession.

For some organizations, making cybersecurity a profession may provide a
useful degree of quality control, the report says, but at the same time,
professionalization also imposes barriers, which would prevent talented
workers from entering the field at a time when "demand for cybersecurity
workers exceeds supply."

Sticking to the quality control aspect of the report, professionalization,
it says, has the potential to attract workers and establish long-term paths
to improving the work force overall, but measures such as standardized
education or requirements for certification, have their disadvantages
too. ...

  [According to *Webster's*, an occupation is the principal business of
  one's life.  Is the world's youngest would-be "profession" somehow in the
  same league as the "world's oldest profession", which might also deserve
  to be called an occupation -- and that it has occupied such a prominent
  place in our civilization?  One more thought: we have often noted here
  that software engineering is not really an engineering discipline,
  although millions of people are occupied with it.  Does that mean that
  software engineering also needs to be termed an occupation rather than a
  profession?  Furthermore, if cybersecurity is really an occupation, then
  we need to recognize the occupational hazards -- one of which seems to be
  that every computer user's life is unfortunately being occupied and
  preoccupied with the collateral damage of the lack of professionalism
  among computer system developers?  (Let's not blame the sys admins, who
  have a really thankless job under the circumstances in trying to protect
  systems and networks that are inherently unprotectable.)  PGN]

------------------------------

Date: October 1, 2013 9:28:07 AM PDT
From: "Jonathan S. Shapiro" <shap () eros-os org>
Subject: Cost and Responsibility for Snowden's Breaches

  [Via Dave Farber's IP]

The press has lately been recirculating stories about the dollar damages of
the Snowden disclosures. The repudiation of key cryptography standards - the
ones that underly our electronic currency exchanges and clearinghouses, and
are present in an overwhelming number of products - may in the end cost
billions of dollars of damage. Some of the press would have us believe that
all of this is Snowden's fault. Better, some feel, to focus attention on the
messenger and protect the perpetrator. Or even if not better, easier. It
sells more papers to focus on a "David vs. Goliath" story than to examine
whether Goliath was actually a Philistine.

In compromising these cryptography standards, NSA's alleged goal was to read
the electronic communications of terrorists, arms dealers, and other savory
characters. In a world of open cryptography standards, the only way to do
that was to compromise *everybody*. That includes ordinary citizens,
businesses, governments (ours and others), armed forces command and control,
domestic and global financial systems, and so on. This goes beyond
privacy. Cryptography sits under all of our most essential electronic
communications. Focusing on Snowden has people asking "How safe are my
secrets from the NSA?" when a more pertinent question might be "Is my bank
still safe from the eastern block mafia and the terrorist of the month?"
Banks for the most part don't operate by storing dollar bills; they operate
electronically. Then there is the power delivery infrastructure, or... the
list goes on. *That* is what NSA compromised. And when you understand that,
it becomes clear that the damage to *us* was far worse than any cost to the
terrorists. In fact, the damage is proportional to your dependence on
electronic infrastructure.

That's bad. Because it means that people inside our government, at the
direction of government officials, sworn to protect and defend the
constitution and the country, actively conspired to undermine every segment
of the United States along with our key allies. While the run-of-the-mill
staff may not have understood this, the more senior people at NSA knew what
they were doing. They were certainly told by people on the outside often
enough. Frankly, I think some of them should hang. And I mean that
literally. These decisions by NSA weren't made by extremist muslims. They
were made by people from Harvard, Yale, and Princeton (and elsewhere) right
here in America.

But there is something worse. In a certain sense, the NSA's primary mission
is the discovery of secrets. Being in the secret breaking business, one of
the things they know very well is that the best way to break a secret is to
get someone to tell you what it is. And there is *always* someone who will
tell you, either out of conviction or out of fear of compromise. There was
never a question whether the fact that NSA compromised every first world and
second world country would leak. The only questions were *who* would leak it
and *how soon*. It happened to be Snowden, but if not for Snowden it would
have been somebody else.

So setting aside the technical damage, there is the fact that the
U.S. Government is now known - and more importantly, believed - to have
compromised ourselves and our allies. We need to ask what the consequences
are of that. Here are some questions that suggest themselves:

1. Cryptography is clearly too important to entrust to the government. Who
   can we trust?

2. Fragmentation seems likely. Does that help or hinder us?

3. Do the issues differ for communications cryptography vs. long-term
   storage cryptography? Given that communications is recorded and stored
   forever, I suspect not.

4. Can our allies ever again trust an American-originated crypto system?
   Software system? Can we trust one from them?

5. Can our allies ever again afford to trust an American manufacturer of
   communications equipment, given that every one of the major players seems
   to have gotten in bed with NSA when pressured to do so by the
   U.S. Government?

6. What *other* compromised technologies have been promulgated through
   government-influenced standards and/or back room strong arm tactics?

One thing seems clear: we must now choose between the credibility of
American technology businesses and the continuation of export controls on
cryptography and computer security technology. The controls are ineffective
for their alleged purpose; there are too many ways to circumvent them. The
main use of these laws has been to allow government pressure to be brought
to bear on vendors who won't "play ball" with U.S. Government objectives. As
long as the big players in the U.S. computing and networking industries can
be be backdoored by their government (take that either way), only a fool
would buy from them. If the goal is to destroy the American technology
industry, this strategy is even better than software patents. As long as
those laws remain on the books, the American tech sector has a credibility
problem.

A second thing seems clear: we need to move to openly *developed* standards
for critical systems, not just open *standards*. And not just openly
developed standards, but standards whose "theory of operation" is explained
and critically examined by the public. No more unexplained magic tables of
numbers. We need fully open public review, and public reference
implementations as part of the standardization process.

A third thing seems clear: fixing the cryptography doesn't solve the
problem. Even with back doors, the best place to break crypto is at the
insecure end points. We need to develop information management methods
(e.g. "zero knowledge" methods, but also others) and software architectures
that let us limit the scope of damage when it occurs. The operating systems
- and consequently the applications - that we are using today simply weren't
designed for this. Fortunately, the hardware environment has converged
enough that we can do a lot better than we have in the past. There will
never be perfect security, but we can largely eliminate the exponential
advantage that is currently enjoyed by the attacker.

Jonathan S. Shapiro

------------------------------

Date: Mon, 30 Sep 2013 10:36:47 -0400
From: Monty Solomon <monty () roscom com>
Subject: What Facebook, Twitter, Tinder, Instagram, and Internet Porn Are
 Doing to America's Teenage Girls (Nancy Jo Sales)

Nancy Jo Sales, *Vanity Fair*, 26 Sep 2013

Friends Without Benefits

This year, 81 percent of Internet-using teenagers in America reported that
they are active on social-networking sites, more than ever before.
Facebook, Twitter, Instagram, and new dating apps like Tinder, Grindr, and
Blendr have increasingly become key players in social interactions, both
online and IRL (in real life).  Combined with unprecedented easy access to
the unreal world of Internet porn, the result is a situation that has
drastically affected gender roles for young people.  Speaking to a variety
of teenaged boys and girls across the country, Nancy Jo Sales uncovers a
world where boys are taught they have the right to expect everything from
social submission to outright sex from their female peers.  What is this
doing to America's young women? ...

http://www.vanityfair.com/culture/2013/09/social-media-internet-porn-teenage-girls

------------------------------

Date: Sun, 29 Sep 2013 13:27:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: LAUSD halts home use of iPads for students after devices hacked
  (Re: Howard Blume, RISKS-27.49)

Howard Blume, *LA Times*, 25 Sep 2013

Following news that students at a Los Angeles high school had hacked
district-issued iPads and were using them for personal use, district
officials have halted home use of the Apple tablets until further notice.

It took exactly one week for nearly 300 students at Theodore Roosevelt High
School to hack through security so they could surf the Web on their new
school-issued iPads, raising new concerns about a plan to distribute the
devices to all students in the district. ...

http://www.latimes.com/local/lanow/la-me-ln-lausd-ipad-hack-20130925,0,6974454.story

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.50
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 27.50 RISKS List Owner (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]