supertechguy.com

Blog

-=Save Security Today=-
posted Mar 21, 2016, 3:37 PM by supertechguy

There is a lot of confusion regarding the Apple vs FBI case. Most simply do not understand the enormous ramifications that this action will have on the future of this country, and even the future of the world. Strong encryption is what makes the world go around. The entire world economy depends on encryption functioning exactly as it is supposed to. What seems to simply be a battle for one iPhone is not all it appears. If the FBI creates a legal precedent that it can force Apple to create a backdoor into the iPhone, it will establish a simple path to create backdoors into any technology solution available, including all the solutions that protect your identity, your money, and your privacy. The fight with Apple is the beginning. Complete Government oversight could easily be the end.

To those of you who believe that you can trust the Government to protect your data and to protect the backdoors that will be created due to this action, you should ask the 20,000 FBI employees who lost their personal data to hackers following a breach of government systems. If backdoors are created, the question is not if they will be released into the wild; the real question you should ask is when.

To those of you who believe that the Government will never go beyond the specific iPhone, or others like it, I would refer you to the extensive NSA spying operation that was uncovered by Edward Snowden. We live in a world where a little more intelligence is never quite enough. It reminds me of a book I have read, "If You Give a Mouse a Cookie".

Finally, if you really think that creating all these backdoors is going to help, I would remind you that we don't own encryption, and that any programmer can build an app with extensive encryption capabilities. Ultimately the criminals, terrorists and others who want full encryption without a backdoor will still find it. Meaning, all we did was shoot ourselves in the foot.
Unlike some people, I still believe that America is Great. I believe that protecting everyone with strong security is the right thing to do. Taking away strong security is like putting the whole country on house arrest because there is some idiot with a gun somewhere shooting others. It's an extremely aggressive move, promoted entirely by fear, and in the end will really not accomplish much more than destroying the freedom of millions of people. Let us show that America is great, that her people do care, and that we will stand up for what is right instead of succumbing to fear and hatred. #savesecurity https://savesecurity.org/

====

-=Utah HB 225 Continued=-
posted Feb 19, 2016, 1:46 PM by supertechguy

Lines 140-145 read (with amendments):

    140 (4) A person who intentionally or knowingly, and with or without authorization,
    141 interferes with or interrupts computer services to another authorized to receive the services is
    142 guilty of a class A misdemeanor.
    143 (5) A person who by means of a computer, computer network, computer property,
    144 computer system, computer program, computer data or software intentionally or knowingly
    145 interferes with or interrupts critical infrastructure is guilty of a class A misdemeanor.

There are some significant problems with the plausible interpretation of this wording. Sections 4 and 5 do not require that such an interruption be made with intent to commit a crime, to cause damage or to harm. This is the problem with the "with or without authorization" in section 4 and the blanket statement ignoring any authorization whatsoever in section 5. We know that IT employees have authorization to interrupt services for maintenance purposes, and must do so in order to maintain network equipment.
Since these two sections do not make allowances for said authorization, nor do they classify the action with the intent to commit a crime, to do damage or to harm, it removes the burden of proof from the state, and puts ordinary network engineers and administrators at risk of prosecution. I have found no previous section in the current bill or the current law that would lead me to believe otherwise. Since it's not a subsection, I have concluded that it could be interpreted this way, even though I don't believe this was the intent.

====

-=Utah House Bill 225=-
posted Feb 3, 2016, 10:05 AM by supertechguy

I have serious concerns with Utah House Bill 225. Currently, as written, the bill makes standard IT procedures punishable by law. Let me explain.

A standard security practice mentioned in security models is something called Penetration Testing, also known as Red Team Exercises. Please see the SANS Critical Security Controls number 20 (https://www.sans.org/critical-security-controls). Penetration Testing is essentially hacking into a system with authorization to prove whether or not it is vulnerable. These tests intentionally cause non-permanent damage to systems in a controlled environment. These methods are used to identify and eliminate risks. Penetration Testing is normal, and Washington County School District and other state entities use it to identify problems before outside data can be compromised by other actors. HB 225's language makes these practices punishable by law.
In the following section:

    102 (1) A person who with or without authorization gains or attempts to gain access to any
    103 computer and unlawfully alters, damages, destroys, discloses, or modifies any computer,
    104 computer network, computer property, computer system, computer program, or computer data
    105 or software, and [thereby] as a result causes economic or property damage, or both, to another
    106 person or entity, or obtains money, property, information, or a benefit for any person without
    107 legal right, is guilty of:

The "with or without authorization" is where the problem is. HB 225 addresses the use of these methods as an "affirmative defense":

    146 [(5)] (6) It is an affirmative defense to Subsections (1) and (2) that a person obtained
    147 access or attempted to obtain access in response to, and for the purpose of protecting against or
    148 investigating, a prior attempted or successful breach of security of a computer, computer
    149 network, computer property, computer system whose security the person is authorized or
    150 entitled to protect, and the access attempted or obtained was no greater than reasonably
    151 necessary for that purpose.

But as written, I would have to defend myself after every security assessment. Any other individual with knowledge of the assessment would be required to report it, as stated in the following section:

    154 Every person, except [those] a person to whom a statutory or common law privilege
    155 applies, who has reason to believe that [the provisions] any provision of Section 76-6-703 [are]
    156 is being or [have] has been violated shall report the suspected violation to:

I would have an "affirmative defense", but it would come at great cost to me and my employer. I understand that the writer is concerned with disgruntled employees who intentionally and maliciously damage systems and currently have access and authorization to use said systems.
I appreciate and applaud a law that protects organizations from disgruntled employees. But if you read the current definition of authorization, it states:

    44 (2) "Authorization" means having the express or implied consent or permission of the
    45 owner, or of the person authorized by the owner to give consent or permission to access a
    46 computer, computer system, or computer network in a manner not exceeding the consent or
    47 permission.

So exceeding authorization is equivalent to having no authorization. Since such employees have affirmatively exceeded their authorization, I don't believe this bill accomplishes anything other than creating an extremely broad piece of legislation that can easily be twisted and used to prosecute routine IT tasks.

In addition, the same "with or without authorization" language is used in the following section and also could be extremely problematic:

    140 (4) A person who intentionally or knowingly, and with or without authorization,
    141 interferes with or interrupts computer services to another authorized to receive the services is
    142 guilty of a class A misdemeanor.

The next section is even more problematic:

    143 (5) A person who by means of a computer, computer network, computer property,
    144 computer system, computer program, computer data or software intentionally or knowingly
    145 interferes with or interrupts critical infrastructure is guilty of a third degree felony.

Intentional interruption of services on a critical network is something that we do frequently under authorization. More often than not these interruptions are done by means of a computer, which would make me and many others guilty of a third degree felony. The interruptions I'm referring to are network outages.

I have tried to work with the author of this bill, and he was somewhat responsive last week. However, I am still extremely concerned that if this bill should pass as written, it would become an entrapment for myself and other network / IT security personnel.
And that's just the tip of the iceberg... The Washington Post explains more issues here: https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/02/08/utah-anti-doxxing-bill-would-outlaw-mentioning-a-persons-name-online-with-intent-to-offend/

====

-=Computing The Value of Trust=-
posted Jan 26, 2016, 8:31 PM by supertechguy

The stability of the world's economy relies on trust. This trust exists between consumer and supplier, business and partner, financial institution and investor, and many other relationships that exist within the ever-changing economy. Loss of trust between a significant number of entities and a business often results in the demise of that business. Companies live and die based on the trust that exists between them and those they provide services or products to. Trust is the key factor and the crux.

Trust extends into many other aspects of how we do business and how the financial system functions. Ultimately and generally, people trust the system. They trust the system when they order a product from an online store or log in to their bank account. They trust that the process is safe and secure, and that they are communicating directly with the company they intend to reach.

The system that makes all this work is TLS public / private key encryption. TLS encryption replaced SSL as the standard method for encrypting data on the Internet. The purpose of public / private key encryption is twofold. One, it provides private point-to-point communication. Two, it validates who you are actually communicating with. This system of communication has created trust for communication online. Because of that trust, the economy has shifted to an online-dependent environment. Even brick and mortar stores process transactions and run management systems through the Internet, and they use those same encryption protocols. Without that trust in the system, individuals and businesses would change their current processes of obtaining products and services.
This change would cause disruption and chaos, and many businesses would go out of business. Besides the obvious impact on all online stores, this would impact credit card companies and processors (which process their transactions almost exclusively via the Internet), financial institutions, investment companies, and many brick and mortar stores who use the Internet to manage their business. So in essence, public / private key encryption is a critical system in today's economy. Without encryption, communication on the Internet can be intercepted and even modified mid-stream.

That all being said, let's break TLS encryption. The first thing that will happen is that the public will lose trust. After that, roll the dice on the economy. Plan for another depression (not just a recession). Convert all your money to gold, and go live off the grid.

Washington, please compute the value of trust, and put that in your rubric when deciding if you want to break the underlying foundation of the economy.

====

-=The 70/30 Rule of Internet Filtering=-
posted Aug 18, 2015, 12:12 PM by supertechguy

Most people believe, when they purchase an enterprise grade filter that is used to protect minors from harmful content on the Internet, that it's going to do exactly what the label says. They believe that the device will protect their children from the deep dark corners of the Internet. These filters do in fact cost an enormous amount of money, not only for the device, but also for the on-going subscription. So they should work, shouldn't they? Yes, they do work, but not quite how you would think they work.

If you refer to my previous blog entry about the death of next generation firewalls, you will find that the Internet is embracing full encryption. That encryption, combined with SSL pinning (effectively breaking decryption methods), should be changing how we think about filtering. Today, SSL-secured websites and services are either black or white. There is no grey.
You can no longer filter an SSL service that utilizes SSL pinning by keywords and sub-pages. You either get it all, or you get none of it. This is the world in which K12 and other organizations must rely on the website or service to provide an acceptable content filter for their service. If they do not provide a way to filter objectionable content, then you have two choices: allow all of it, or allow none of it.

What does that mean? Well, in short, you either lock the Internet down tight like Fort Knox, making it nearly unusable, or you move on to a different way of thinking. Yes, you need to change the way you think. Filtering has never been, and never will be, a 100% technological solution. There is no possible way to completely prevent filter avoidance, and there never has been. Ask any middle or high school student; they can not only explain how to bypass the filter in the school, they can show you.

So the only answer to this problem is the same answer we used 20 years ago: supervision. 20 years ago, kids didn't look at pornography on the computer at school; they brought magazines. There was no technological solution to prevent that: no way to scan them at the door for objectionable material, no way to prevent them from bringing it with them. The only solution we had to stop it was to supervise. Contrary to popular belief, this has not changed. Supervision remains the only way to enforce acceptable use policies and the only way to effectively keep minors safe online.

So, why do we have filters at all? Well, filters do a great service. They help keep minors safe. They are an effective measure in this process. Essentially, filters should keep minors safe from unintentional access to objectionable material (most of the time). But they will in no way ever keep minors safe from intentional access to objectionable material. It is simply a technological impossibility.
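The "all or none" point can be seen from the only thing a filter actually gets to decide on when it cannot decrypt a pinned HTTPS session: the hostname in the TLS ClientHello's Server Name Indication. The following is an added example, not code from the original post: it constructs a minimal ClientHello, parses the SNI out of it the way a passive middlebox would, and applies a hostname-only allow/block policy. The blocked-host list is a constructed placeholder, and the requested page path never appears because it travels inside the encrypted application data.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed sample input for this example, not a capture from a real client."""
    host = hostname.encode()
    # server_name data: list length, then name type 0 (host_name), name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if there is none.
    This is all a filter sees of a pinned HTTPS session; the URL path is encrypted."""
    try:
        if record[0] != 0x16:                # not a TLS handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                    # not a ClientHello
            return None
        p = 4 + 2 + 32                       # handshake header, version, random
        p += 1 + hs[p]                       # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                       # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:              # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        pass                                 # truncated or malformed: nothing usable
    return None

BLOCKED_HOSTS = {"objectionable.example"}    # constructed placeholder policy list
def filter_decision(record: bytes) -> str:
    """Hostname-only policy: the whole service is allowed or blocked, nothing finer."""
    host = extract_sni(record)
    if host is None:
        return "block"                       # no hostname visible, so no basis to allow
    return "block" if host in BLOCKED_HOSTS else "allow"
```

Because the decision is made on the hostname alone, a service that hosts both acceptable and objectionable pages under one name cannot be split by the filter; it is allowed or blocked as a whole.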
Because of that, K12 schools and other organizations that protect minors should adopt the 70/30 Rule of Internet Filtering: filtering is 70% supervision and 30% technology. Filtering companies will continue to do all that is possible to build better filters, but in the end, the majority of the responsibility must rest on responsible adults to supervise online activities. Any other filtering policy is a total fallacy.