Disarming the citizens of the US

Ah, yes, prohibiting any discussion of or even link to possibly cracking-enabling information. Already worded in a veiled way, as in:

this would mean taking away the arms that a great many US citizens are equipped with (and prohibiting gun range training), once, against the English (Brits?) now against just any outsider and US citizens themselves? Quite a Second Amendment thing, these days…

As a European, I don’t want to meddle in US domestic affairs. But I tend to the interpretation of constitutions and amendments anywhere, all of them, as principles not absolutes. Absolutes never (sic) work in societal organisation. When quite a number of those concerned [again, I’m not] would gladly see all amendments interpreted to principle not literally except this very dangerous one.

‘nough of that. Now, onto the more recent EU moves towards banning hacker tools … (and the UK push for banning encryption tools, even). I just have questions:

  • What about free speech? Seems to be an issue for discussion as democracies need more absolute protection of that. Amazon wouldn’t be allowed to sell hacker books in selected countries. Banning books, anyone?
  • How many % of crackers would live in the applicable jurisdictions, to be under the prohibition provisions, and how many are outside those jurisdictions ..? What would happen if one would exclude the former from being armed and ready but giving the latter a, most probably, more vulnerable target?
  • The honest researchers in those countries would be jobless; never a good incentive to stay in the right side. The honest researchers elsewhere would have a bonanza as all bugfix trade must move to the outside. Either that XOR through a form of licensing one creates a humungous random hence erratic but totalitarian public/private cartel. In the Home of the Free, in the pursuit of happiness.
  • If through this, the balance is lost, will the US and/or EU start to isolate itself (its ‘Internet’ (quod non as per this)) from the rest of the world ..? If so, how any trillions of $/€ will be lost to others, whereas any related industry (that will be the future as the mature-industry-little-growth primary, secondary and tertiary industries will be what’s left for the EU/US but serious growth will be in the new industries?) will not come off the ground, hindering greatly any recovery from the intermediate term (slump) before booming, à la this.
  • Will stego boom? The Hiding in Plain Sight can bring an additional benefit of plausible deniability (with some tweaking).

Seems like the above POTUS quote might indicate that he’s not planning any censoring of the spread of direct or indirect vulnerability information but on the contrary would be stepping up efforts to bring the US back on top of the game. E.g., by not focusing solely on physical terrorists but also on outside-in and from-within (sic) cyber attacks. Or was the quote an apology for the NSA being in NK even before the (known to them!) Sony hack ..?

The picture is still murky. Too murky to take sides already, for my take. I’ll leave you with:

20140905_201502
[Bergen aan Zee, Autumn dominos]

Predictions 2014 the InfoSec edition


[DUO Groningen (couple of years ago), where a leak led to many a student’s funds were defrauded. Looks original, is just chasing outer effects]

So, some of you have seen my Predictions 2014 including the update or two, and other posts on developments in the Information world at large.
But what you desparately needed, awaited before even starting on the Christmas decorations (for those in the West), and held out any shopping for food or beverage for, I know, I know [Heh, that’s the opposite of Unk Unk’s ;-], is my completely and utterly unpretentious predictions for the Information Security arena of 2014.

Well, here we go then:

Advanced Persistent Threats will blossom like weeds (not wiet!) in 2014. APTs being the ultimate blended threats to confidentiality of information. There may be cases of government-on-government espionage, that highlight the ‘modern’ squared or cubed variant of traditional intrusion & spying (information exfiltration) work. But moreover, there will be incidents much publicised where business-on-business espionage, possibly helped by shady government agencies, is outed as more than a theoretical possibility. Of course, you all know that this is nothing new, but the general public will demand an answer from some Board members and State secretaries here and there (literally) of victims and perpetrators (denial becoming less if at all plausible). These answers will be the definition of lame. The infosec industry will rush to develop (maybe not yet fully utilise) the market; contra but hush-hush, also pro…

Certificate vulnerabilities will be shown to be a factor of import. Yesterday’s unprotected printer WiFi, will be the current certificates being stolen or manipulated. Bot victimisation of clients will be less by trojan planting and more by means of hijacking certificates (‘Certjacking’? You read it here, first! [Update to add: well, in this spelling …]) to do … sort of low-level ID / trust theft. This will not be explained nearly well enough to the general public to get them concerned, but with tech-savvy CIOs and IT managers, this will give a stir. And major sweeps through the own infra. And not much by means of future better cert management.

Crypto-failures. Cryptography, as far as actually implemented at all (some ‘implementations’ may embarassingly be found out to be done on paper only!), will show to have failures in at least two ways: procedural errors will lead to (much publicly visible) non-availability of information, e.g., when asymmetry isn’t implemented well due to lack of understanding of bureaucrat procedures writing committees mumbling and fumbling about; and by public demonstration of bad technical implementation, the coding being so shoddy that the strength of crypto will drop to n-day crackability (with 0 < n < 2 I guess).

Quantum computing, on the plus side, for crypto, will see its first practical proofs of concept. Where the PoCs are used to protect the most secret of some government’s information, but with that information having to be used by the most bumbling-about officials hence the overall end user -to- end user effectiveness being close to zero and helping any and all attackers (rogues, organised or not; state(-sponsored) organisations, etc.) to learn about tentative, among them maybe class-hack, attack vectors.

Methodological innovation in information security. As already discussed earlier, and here, and here, and with OSSTMM, and before that in quite some other posts as well. Now, also Docco joined the fray, advising SMEs from the accountancy side … Which shows this prediction for 2014 is already hatching.
On this item, we will see much improvement. E.g., combining the OSSTMM framework with SABSA. Combining the rebooted CIA with the fresh install of the (alternative to the) ‘15.5 risk’ management approach via the OSSTMM framework. And so on. Interesting! Want to contribute!

I’ll leave these here for you to follow up. When (not if) I’m right on any of the above: Yeah, see? Told you so! And if (not when) not all five are square-on: Hey, they’re only predictions! Don’t shoot the messenger that only conveyed the message of the Great Engineer Behind The Scene.
Though I would like to receive a bottle of good (I mean, really good) red Bourgogne for each prediction that shows to be somewhat right; at the good side of 50-50. Any takers?
The opposite, I can unfortunately not do as it would have way too many takers…

Maverisk / Étoiles du Nord