Later On

A blog written for those whose interests more or less match mine.

Archive for August 7th, 2012

More on computer security: Some things you can do


First, Lifehacker has an excellent post on how to audit and update your passwords. Read and follow.

Second, James Fallows has some good tips as well.

Read the above—as it turns out, there are some things you can do.

Written by Leisureguy

7 August 2012 at 7:39 pm

Posted in Daily life, Technology

Wow! “Computer security” is now an oxymoron


Read this chilling account by Brian Chen in the NY Times “Bits” column:

The break-in of a journalist’s Apple iCloud account serves as a cautionary tale about how vulnerable people can be to malicious hackers, no matter how digitally sophisticated they are. Mat Honan, a seasoned technology writer, was spectacularly hacked over the weekend.

On Friday evening, the password for Mr. Honan’s iCloud account was reset. Later the bad guys broke into his Gmail account, and eventually they erased the data on his iPhone, iPad and MacBook Air using Apple’s remote-wipe feature — a self-destruct mechanism of sorts designed for use when a device has entered the wrong hands. To make matters worse, they also gained access to his personal Twitter account, as well as the account belonging to the tech blog Gizmodo, where he used to work.

Mr. Honan published a detailed account of the story on Wired. He says the hackers gained entry by phoning Apple’s tech support and using some clever “social engineering” to let them bypass security questions. That may point to a weakness in Apple’s identity verification process. But the root of the issue was brought to light when Evelyn M. Rusli and I reported on iTunes account hacks back in March: Apple encourages customers to use the same Apple ID and password for just about everything. That’s a concern because iTunes is no longer just a music store; it’s also a place to buy e-books, apps and TV shows. And the same credentials are used to log in to iCloud, Apple’s cloud service, where confidential documents could be retrieved or a remote wipe done, as in Mr. Honan’s case.

A security expert pointed out back in March that this would be a problem:

“Apple wants to pretend that everything is magic,” said Alex Stamos, co-founder of iSEC Partners, a security firm. “They need to admit that their products can be used by bad people to do bad things.”

One problem, Mr. Stamos said, is that iTunes customers use a single account and password for access to all Apple services. For example, the same login can be used to download a $1 game or buy a $2,000 laptop through the Apple Store app. He said that Apple could adopt a two-step verification method like Google’s. For example, if a user wanted to log in to the iTunes store on a new device, Apple could send a message to his iPhone containing a code, which he would enter to verify his identity.

To be fair, iTunes is successful largely because it was one of the first friction-free ways to purchase digital content. But perhaps iTunes has grown too big and too powerful to be so simple.

In a statement issued late Monday, Apple said that it had made a mistake when resetting Mr. Honan’s Apple ID password because it had not completely followed protocol. . .

Continue reading. So Apple made a mistake—cold comfort to Mr. Honan.

And that’s nothing: Chinese hackers have hacked everything. Read this report by Michael Riley and Dune Lawrence in Bloomberg BusinessWeek. (WARNING: a video begins talking when you click the link—you can stop it, but note that you get sound at the page.)

When Greece was falling apart last summer, European Union leaders rushed to prepare another round of capital injections for Athens. Someone with advance knowledge of just where those hundred billion-plus euros were going and when they’d be deployed could have made a fortune. Someone like the hackers who had infiltrated the EU Council’s computers.

Over 10 days last July, the hackers returned to the Council’s computers four times, accessing the e-mails of 11 top economic, security, and foreign affairs officials. On July 18, they accessed the e-mails of EU Council President Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the Greek bailout, in just 14 minutes.

The EU breach, first reported by Bloomberg News on July 27, was a particularly audacious act of cyber-espionage by the team long known to U.S. intelligence as Byzantine Candor. Arguably China’s preeminent hacker collective, it also has government ties, according to a 2008 U.S. State Department cable published by WikiLeaks. The collective’s tactic, hacking computers using hidden HTML code known as comments, earned it another name in private security circles: the Comment Group.

In secret, some 30 U.S.-based private-security researchers managed to monitor the group for nearly two months last summer. None of the researchers contacted by Bloomberg News wished to be named because of the sensitivity of the data. The researchers exploited a vulnerability in the hackers’ own security and created a digital diary that logged their every move as they crept into the networks of at least 20 victims, shut off antivirus systems, camouflaged themselves as system administrators, and then tried to cover their tracks.

The researchers’ computer logs offer an unprecedented minute-by-minute look at the Comment Group’s highly organized operations, believed to be at the cutting edge of China’s hacking capabilities. “They aren’t doing this for fun. They are doing it in this case because this is tradable information,” says Richard Falkenrath, formerly deputy assistant to the President and deputy homeland security adviser under George W. Bush. “We may not be able to get information that anyone either shorted or went long on EU sovereign debt on this, but that’s the obvious market.”

China’s foreign ministry in Beijing dismisses allegations of state-sponsored hacking as baseless and says the government will crack down given adequate proof. U.S. National Security Council spokesman Tommy Vietor declined to discuss the Comment Group specifically, referring reporters to a May 4 statement by Secretary of State Hillary Clinton in which she said the U.S. and China would work to “develop a shared understanding of acceptable norms of behavior” around commercial data and intellectual property online.

Beyond the Comment Group, what started as attacks on the U.S. military and defense contractors by Chinese hacker groups has widened into a campaign from which no corporate entity is safe. Attacks on Google (GOOG), Morgan Stanley (MS), and ExxonMobil (XOM) are among the few that have become public. “What the general public hears about—stolen credit card numbers, somebody hacked LinkedIn (LNKD)—that’s the tip of the iceberg, the unclassified stuff,” says Shawn Henry, former executive assistant director at the FBI’s cyber division, who left the agency in April. “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.”

The Comment Group researchers say the sheer volume and breadth of the hacker collective’s attacks shocked them. Victims ranged from corporate giants to top lawyers, from defense contractor Halliburton (HAL) to Washington law firm Wiley Rein to a Canadian magistrate. Earlier targets included the 2008 presidential campaigns of Barack Obama and John McCain and a U.S. nuclear power plant sited next to a fault line. Alex Lanstein, a senior researcher for the security company FireEye, estimates the group has hacked more than 1,000 organizations since 2010.

Comment Group’s attacks have been so successful that a cyber-security unit within the Air Force Office of Special Investigations in San Antonio is dedicated to tracking them, according to a person familiar with the unit who could not speak on the record due to national security concerns. . .

Continue reading.

So what can be done? Nothing much, I suspect. But BusinessWeek has a collection of articles on the topic, including this discussion by five experts on how they would fix cybersecurity.
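The Bits column above describes the fix Alex Stamos proposes: when a login arrives from a new device, send the account holder a short code and require it in addition to the password, so a support-desk password reset alone no longer unlocks everything. The following is an added example, not code from this post, the Times, Apple or iSEC Partners. Instead of the SMS delivery the column mentions it uses the standardized one-time-code algorithms (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238), which is what Google’s authenticator app uses, and checks the codes the way a defender’s verifier should: constant-time comparison, a small clock-skew window, and rejection of any code that has already been accepted once. The secret, timestamps and the `login_new_device` flow are constructed for illustration; the secret `12345678901234567890` is the RFC test-vector key, so the expected codes are the published ones.

```python
"""Second-factor verification for a "new device" login (added example, RFC 4226/6238)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), SHA-1 as the RFC specifies."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second time step."""
    return hotp(secret, at_unix_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of the code a user types after their password.

    A code is accepted only if it matches one time step within +/- `window`
    steps of the server clock AND that step has not been consumed before,
    so a code captured in transit cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_used_step = -1    # highest time step already redeemed

    def verify(self, submitted_code: str, now_unix_time: int) -> bool:
        current = now_unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_used_step:
                continue            # already consumed: treat as replay
            expected = hotp(self.secret, candidate_step, self.digits)
            # compare_digest avoids leaking how many leading digits matched
            if hmac.compare_digest(expected, submitted_code):
                self.last_used_step = candidate_step
                return True
        return False


def login_new_device(password_ok: bool, verifier: SecondFactorVerifier,
                     submitted_code: str, now_unix_time: int) -> str:
    """Constructed login flow: a password reset obtained by social engineering
    gets the attacker only as far as the second step."""
    if not password_ok:
        return "denied: bad password"
    if not verifier.verify(submitted_code, now_unix_time):
        return "denied: second factor missing or reused"
    return "granted"


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
    key = b"12345678901234567890"
    t = 59                                  # RFC 6238 sample timestamp -> step 1
    print("code the phone would display:", totp(key, t))       # 287082
    v = SecondFactorVerifier(key)
    print(login_new_device(True, v, totp(key, t), t))          # granted
    print(login_new_device(True, v, totp(key, t), t))          # denied (replay)
    print(login_new_device(True, v, "000000", t))              # denied (wrong code)
```

The replay check is the part most often omitted in home-grown implementations: without `last_used_step`, a code phished or shoulder-surfed from the user remains valid for the rest of its 30-second step plus the skew window.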

Written by Leisureguy

7 August 2012 at 3:44 pm

Joseph Stiglitz on why the rise of inequality in the US


Thanks to Bob Slaughter for pointing out this NY Times review by Thomas Edsall of Joseph Stiglitz’s new book The Price of Inequality:

Joseph E. Stiglitz’s new book, “The Price of Inequality,” is the single most comprehensive counterargument to both Democratic neoliberalism and Republican laissez-faire theories. While credible economists running the gamut from center right to center left describe our bleak present as the result of seemingly unstoppable developments — globalization and automation, a self-replicating establishment built on “meritocratic” competition, the debt-driven collapse of 2008 — Stiglitz stands apart in his defiant rejection of such notions of inevitability. He seeks to shift the terms of the debate.

It is not uncontrollable technological and social change that has produced a two-tier society, Stiglitz argues, but the exercise of political power by moneyed interests over legislative and regulatory processes. “While there may be underlying economic forces at play,” he writes, “politics have shaped the market, and shaped it in ways that advantage the top at the expense of the rest.” But politics, he insists, is subject to change.

Stiglitz is a Nobel laureate and a professor of economics at Columbia (where I too teach, but we are not personally acquainted). He holds a commanding position in an intellectual insurgency challenging the dominant economic orthodoxy. Among his allies are Jacob S. Hacker and Paul Pierson (the authors of “Winner-Take-All Politics: How Washington Made the Rich Richer — and Turned Its Back on the Middle Class”); Lawrence Lessig (“Republic, Lost: How Money Corrupts Congress — and a Plan to Stop It”); Timothy Noah (“The Great Divergence: America’s Growing Inequality Crisis and What We Can Do About It”) and Paul Krugman (“End This Depression Now!”). The collective argument of these dissidents is not only that inequality violates moral values, but that it also interacts with a money-driven political system to grant excessive power to the most affluent. In short, those with power use it to insulate themselves from competitive forces by winning favorable tax treatment, government-protected market share and other forms of what economists call “rent seeking.”

Conservative advocates of pure free markets, in this view, fail to acknowledge how concentrated economic power converts into political power. The right, for example, has hailed the evisceration of the estate tax and the lifting of restrictions on campaign contributions, despite evidence that such policies work to restrict competition — by further concentrating wealth in the case of the estate tax, and by further empowering corporate America to control political decisions in the case of campaign finance.

Stiglitz and his allies argue that a free and competitive market is highly beneficial to society at large, but that it needs government regulation and oversight to remain functional. Without constraint, dominant interests use their leverage to make gains at the expense of the majority. Concentration of power in private hands, Stiglitz believes, can be just as damaging to the functioning of markets as excessive regulation and political control. . .

Continue reading. Read the whole thing, and then look around. Stiglitz is right.

Written by Leisureguy

7 August 2012 at 9:00 am

On avoiding airport X-ray machines


Still a lot of doubts about the safety of the machines. I’m going to avoid them on my upcoming trip. Roni Rabin reports in the NY Times:

Even before she was pregnant, Yolanda Marin-Czachor tried to avoid the full-body X-ray scanners that security officers use to screen airport passengers. Now she’s adamant about it: She’ll take a radiation-free pat-down instead any day.

“I had two miscarriages before this pregnancy,” Ms. Marin-Czachor, a 34-year-old mother and teacher from Green Bay, Wis., recalled, “and one of the first things my doctor said was: ‘Do not go through one of those machines. There have not been any long-term studies. I would prefer you stay away from it.’ ”

There are 244 full-body “backscatter” X-ray scanners in use at 36 airports in the United States. They operate almost nonstop, according to the Transportation Security Administration. Other airports use millimeter wave scanners, which look like glass telephone booths and do not use radiation, or metal detectors.

Most experts agree that as long as the X-ray backscatter machines are functioning properly, they expose passengers to only extremely low doses of ionizing radiation.

But some experts are less sanguine, and questions persist about the safety of using X-ray machines on such a large scale. A recent study reported that radiation from the machines can reach organs through the skin. In another report, researchers estimated that one billion X-ray backscatter scans per year would lead to perhaps 100 radiation-induced cancers in the future. The European Union has banned body scanners that use radiation; it is against the law in several European countries to X-ray people without a medical reason.

The machines move a narrowly focused beam of high-intensity radiation very quickly across the body, and David Brenner, director of the Center for Radiological Research at Columbia University Medical Center, says he worries about mechanical malfunctions that could cause the beam to stop in one place for even a few seconds, resulting in greater radiation exposure.

For security reasons, much about how the machines work has been kept secret. The T.S.A. says the full-body scanners have been assessed by the Food and Drug Administration, the United States Army Public Health Command and the Johns Hopkins University Applied Physics Laboratory.

But researchers at these institutions have not always had direct access to the scanners in use, and some of the published reports about them have been heavily redacted, with the authors’ names removed. Independent scientists say limited access has hampered their ability to evaluate the systems. . .

Continue reading. To a great extent, this becomes a question of how much trust one has in the government agencies involved. Unfortunately, the level of trust has been seriously eroded by various problems, scandals, and increasing secrecy. “Heavily redacted” reports do not provide confidence. Given the way the government now works, one suspects that the heavy use of these machines in the US (and note that Europe does not use them at all) is due in part to lobbyists from manufacturers influencing the right people through the usual means: money.

Written by Leisureguy

7 August 2012 at 8:53 am

The Army’s suspicious conduct toward a Medal of Honor nomination


The Army, despite its frequent exhortations of “honor,” seems increasingly removed from it. This report by Jonathan Landay in McClatchy is astounding—and equally astounding is that the Army seems totally uninterested in finding out what happened or in fixing the problem.

Like other U.S. trainers with the Afghan force that day, former Army Capt. William Swenson had expected light resistance. Instead, the contingent walked into a furious six-hour gunfight with Taliban ambushers in which Swenson repeatedly charged through intense fire to retrieve wounded and dead.

The 2009 battle of Ganjgal is perhaps the most remarkable of the Afghan war for its extraordinary heroism and deadly incompetence. It produced dozens of casualties, career-killing reprimands and a slew of commendations for valor. They included two Medal of Honor nominations, one for Swenson.

Yet months after the first living Army officer in some 40 years was put in for the nation’s highest military award for gallantry, his nomination vanished into a bureaucratic black hole. The U.S. military in Afghanistan said an investigation had found that it was “lost” in the approval process, something that several experts dismissed as improbable, saying that hasn’t happened since the awards system was computerized in the mid-1970s.

In fact, the investigation uncovered evidence that suggests a far more troubling explanation. It showed that as former Marine Cpl. Dakota Meyer’s Medal of Honor nomination from the same battle sailed toward approval despite questions about the accuracy of the account of his deeds, there may have been an effort to kill Swenson’s nomination.

Swenson’s original nomination was downgraded to a lesser award, in violation of Army and Defense Department regulations, evidence uncovered by the investigation showed.

Moreover, Swenson’s Medal of Honor nomination “packet,” a digitized file that contains dozens of documents attesting to his “heroism . . . above and beyond the call of duty,” disappeared from the computer system dedicated to processing awards, a circumstance for which the military said it has “no explanation.”

The unpublished findings, which McClatchy has reviewed, threaten to taint a military awards process that’s designed to leave no margin of doubt or possibility of error about the heroism and sacrifices of U.S. service personnel. They also could bolster charges by some officers, lawmakers, veterans’ groups and experts that the process is vulnerable to improper interference and manipulation, embarrassing the military services and the Obama administration.

“The whole awards system is just totally jacked up,” said Doug Sterner, a military historian who’s made a career of verifying the authenticity of commendations.

The Pentagon and the military services deny that the system is flawed, and the U.S. command in Afghanistan denied that there was any attempt to downgrade Swenson’s Medal of Honor nomination.

Yet despite the possibility of malfeasance or worse, no further effort was made to determine what happened. The “discrepancies” posed by the evidence of a downgrade to a Distinguished Service Cross “could not be resolved,” the investigators said.

Swenson’s nomination was resubmitted last year. President Barack Obama must approve it before Sept. 8, the third anniversary of the battle, or it expires and can only be revived by an act of Congress.

It couldn’t be determined whether there was an effort to kill Swenson’s Medal of Honor nomination, but there are several possible motives for doing so. . .

Continue reading. The possible motives are revealing of the state of the Army.

Written by Leisureguy

7 August 2012 at 7:17 am

Posted in Army, Military

Super shave


Extremely good shave today. The Omega silvertip brush has a lopsided look because when I put it in the brush rack to dry, it was pressed against a brush on one side. Once wet this morning and filled with lather, it regained its symmetrical shape—and it makes a wonderful lather. I’m quite fond of the Omega silvertips, though you don’t read much about them.

QED’s Special 218 is a wonderful dark woodsy fragrance and makes a fine lather. I continue to prize the Gillette Super Adjustable, here in the short-handled model, and with a Swedish Gillette blade it provided a terrific shave.

A splash of Musgo Real, and I’m ready to pack.

Written by Leisureguy

7 August 2012 at 7:07 am

Posted in Shaving
