Archive for the ‘security’ Category

#G20 #Fail Byron Sonne innocent

Tuesday, May 15th, 2012

Byron Sonne, who spent two years fighting trumped up terrorism-related charges after he was arrested before Toronto’s G20 summit, has been found not guilty of all charges. It’s a small breath of sanity in an otherwise insane judicial process. BoingBoing has a good series of posts that cover the story going back to his arrest.

Also worth checking out are Jesse Brown’s Search Engine podcasts on the subject.

Anatomy of an Anonymous attack

Tuesday, February 28th, 2012

Anonymous have been in the news a lot recently with attacks on everything from the New York Stock Exchange to the CIA and FBI. I hadn’t heard about this one though, where they attacked the Vatican, apparently as a protest against sexual abuse of children by priests. While the attack wasn’t entirely successful, it does offer some insights into the way Anonymous works.

The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack.

Though Imperva declined to identify the target of the attack and kept any mention of the Vatican out of its report, two people briefed on the investigation confirmed that it had been the target. Imperva had a unique window into the situation because it had been hired by the Vatican’s security team as a subcontractor to block and record the assault.

“We have seen the tools and the techniques that were used in this attack used by other criminal groups on the web,” said Amichai Shulman, Imperva’s chief technology officer. “What set this attack apart from others is it had a clear timeline and evolution, starting from an announcement and recruitment phase that was very public.”

Phone scammers targeting PC users

Monday, November 14th, 2011

I got my first “Microsoft has found a virus on your PC” scam phone call last week. Actually, Nancy got the call and knew immediately that it was a scam, because I’d warned her and the other members of our family about it some time ago. I took up the call and I’m afraid I was rather short with the person on the other end. A better response probably would have been to string the person along for as long as possible, to keep them away from other less aware victims.

These calls seem to be increasing in frequency. I’m sure no one reading this blog would be taken in by one, but it might be a good idea to warn other family members, especially the less computer-savvy ones. My mother-in-law is quite aware of the scam and has already had three such calls.

Ed Bott has more details about the people behind these scams.

A caller with a thick accent tried to run this scam on my mom, who peppered the caller with questions. What’s your name? What’s your company’s name again? What’s your phone number? (She raised six kids. She’s used to social engineering attempts.)

My mom’s Caller ID said the call originated from 999-910-0132; the caller claimed to be from a company that sounded something like Alert Center, and she gave a callback number of 609-531-0750.

If you plug those numbers into a search engine, you’ll find that they lead to a group of companies using identical website templates under different names, including TechResolve, Itek Assist, and—bingo—AlertSoft. A company with the unimaginative name Custom Design Firm, at the same address in Kolkata, India, also offers custom web-design and search-optimization services at exorbitant prices.

It’s worth noting that these callers may also claim to be from your ISP – something that would reduce any Rogers’ subscriber to fits of helpless laughter.

Computing in the near future

Tuesday, August 16th, 2011

Although it’s titled “Network Security in the Medium Term, 2061-2561 AD”, SF author Charles Stross’ keynote speech at the USENIX 2011 conference covers a lot more than network security. Stross is one of the few SF writers these days who’s willing to tackle near-future SF and who has the chops to make it believable. (I’m currently reading his latest novel, Rule 34, set about 10 years into the future). Read his talk for an idea of what the world of your grandchildren might be like.

A brief aside on storage density is in order at this point. I’m throwing around fairly gigantic amounts of data in this talk – where are we going to store it all? The answer is, as Richard Feynman put it in 1959, there’s plenty of room at the bottom. Let’s hypothesize a very high density, non-volatile serial storage medium that might be manufactured using molecular nanotechnology: I call it memory diamond. It’s a diamondoid mesh, within which the state of a single data bit is encoded in each atom: because we want it to be rigid and stable, we use a carbon-12 nucleus to represent a zero, and a carbon-13 to represent a one. How we read and write these bits is left as an exercise for the student of mature molecular nanotechnology, but we can say with some certainty that we can store Avogadro’s number of bits – 6 x 10^23 – in 12.5 grams of carbon, or around 13 thousand terabytes in an ounce of memory diamond. Going by the figures in a report from UCSD last year, the average worker processed or consumed 3 terabytes per year, and there are around 3.18 billion workers; which works out at 23 tons of memory diamond needed to store everything without compression or deduplication. At a guess, once you take out cute captioned cat videos and downloads that annoy the hell out of the MPAA you can reduce that by an order of magnitude.

(So I conclude that yes, in the long term we will have more storage capacity than we necessarily know what to do with.)

Rootkit infection requires Windows re-installation

Wednesday, July 6th, 2011

There’s a nasty new Trojan out there that requires a re-installation of Windows if you’re unlucky enough to get infected by it.

A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group’s blog.

“If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,” said Feng.

The Trojan installs itself into the Master Boot Record where security software can’t detect it or remove it.

Presumably Microsoft’s own Security Essentials and third-party anti-virus products that offer real-time protection will block it before it has a chance to install itself, so keep your security software up-to-date. Or run Linux.

Now, this is a password!

Tuesday, June 7th, 2011

It used to be conventional wisdom that if your password was made up of a random string of characters and symbols and eight or ten characters long (for example, uQ4*b+Pax?), then it was secure enough that nobody but a government organization like the NSA could crack it. (A so-called strong password). Of course, the problem with that type of password is that normal human beings can’t remember it, so they write it down on a sticky note and attach it to their monitor, completely defeating the purpose of strong passwords. Or if they aren’t forced to use a strong password, they pick something simple like 123456 or their wife’s name. More sophisticated, and paranoid, users might come up with something like rAnd0m#No1se.

For most purposes, a password like the last would probably be good enough to defeat the type of hacker who’d run a dictionary attack on a hacked password database or try to access your wi-fi connection. But computers are getting faster, much faster, and new approaches are being used to crack passwords that would have been perfectly secure only a couple of years ago. One approach, described in this PC Pro article, uses a graphics card to attain an amazing rate of 3.3 billion passwords per second. (Graphics cards are ideal for this kind of work because of their highly parallel structure, which allows many simultaneous, simple computations).

So what can you do to make your password more secure? Security researcher Steve Gibson has come up with a possible solution. According to Gibson, there are two factors that matter most when creating a secure password. The first is obvious: length. Longer passwords take more time to crack than shorter passwords. The second factor is the character depth – how many characters have to be searched in the set of symbols used in the password. If your password is lowercase alphabetic there are only 26 possible characters. If you use uppercase and lowercase letters, that doubles to 52. Add numbers, and it’s 62. Add symbols and punctuation, and you’re up to almost a hundred possibilities for each character.

Although it’s not intuitively obvious, according to Gibson, what doesn’t matter is entropy. In a brute force attack, “HouseKeeping” is just as secure as “QkosrunWtsmj”.

So, what do you do to make your password more secure? Use upper and lower case letters and numbers, to be sure, but also pad the password with symbols or punctuation. For example, HouseKeeping might become .,H)0)useKeep!1!ng,.. Easy enough to remember, if you remember the algorithm. Start with ., capitalize the first letter of each word, replace o and i with 0 and 1 but preceded and followed by the shifted symbol for that number, and end with ,..

Gibson describes this technique in episode 303 of his Security Now podcast, which I highly recommend listening to. You can also read the transcript. On his website, he has a calculator that will tell you how secure your password is, based on certain assumptions about what type of system is being used to crack it. The H0useKeep1ng password is still pretty secure – the NSA could probably break it in a month or so, but the extended version would take longer than the age of the universe.
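As an added example (not from the post or from Gibson’s site), here is the length-and-depth arithmetic above in Python: it works out a password’s character depth, sums the brute-force search space over every length up to the password’s own (the way Gibson’s calculator counts it), and divides by the 3.3 billion guesses per second quoted above. It models exhaustive search only; a guess list built from dictionary words and common substitutions is a different attack and is not measured here.

```python
import string

# Single graphics card rate quoted in the post: 3.3 billion guesses per second.
GUESSES_PER_SECOND = 3.3e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes and the depth each one contributes (26 / 26 / 10 / 33).
# Gibson counts 33 symbols: the 32 ASCII punctuation characters plus space.
CHARACTER_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
]


def alphabet_size(password: str) -> int:
    """Character depth: sum of the class sizes for every class the password uses."""
    return sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Exhaustive search space: all strings of length 1..len(password) over the alphabet.

    Summing every shorter length is how Gibson's calculator counts it; the attacker
    does not know the length in advance.
    """
    depth = alphabet_size(password)
    return sum(depth ** length for length in range(1, len(password) + 1))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the given guess rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The passwords discussed in the post, weakest to strongest.
    for pw in ["123456", "uQ4*b+Pax?", "rAnd0m#No1se", "HouseKeeping",
               "H0useKeep1ng", ".,H)0)useKeep!1!ng,.."]:
        print(f"{pw:24} depth={alphabet_size(pw):3} length={len(pw):2} "
              f"years={years_to_exhaust(pw):.3g}")
```

The padding adds nine characters of depth-95 search space on top of H0useKeep1ng, which is why the extended version jumps by so many orders of magnitude while adding nothing a human has to memorize beyond the rule.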

I wouldn’t bother with this for all of my passwords, most of which are fairly secure to start with, but I’ve upgraded my banking and other passwords for accounts that might have a financial impact.