IT security – Page 5 – Maverisk / Étoiles du Nord

Having fun with voice synth

In particular, having fun the wrong way.
Remember, we wrote about how voice synth improvements, lately, will destroy non-repudiation? There’s another twist. Not only as noted, contra voice authentication for mere authentication (banks, of all, would they really have been in the lead, here, without back-up-double auth?), but in particular now that your voice has also become much more important again [after voice had dwindled in use for any sorts of comms, giving way to socmed typed even when with pixels posts of ephemeral or persistent kinds; who actually calls anyone anymore ..?], we see all sorts of Problems surfacing.

Like, mail order fraud. When hardly anyone still goes on a shopping spree through dozens of stores before buying something in store but rather orders online, of course Alexa / Home/Assistant / Siri / Echo / Cortana are all the rage. For a while; for a short while as people will find out that there was something more to shopping than getting something — but recognising the equilibrium that’ll turn out, may be in favour of on-line business, with physical delivery either at home, or at the mall.
The big ‘breakthrough’ currently being of course some half-way threshold / innovation speed bump overcome, with the home assistant gadgets that were intended to be much more butler first, (even-more-) mall destructor second. But that second … How about some fun and pranking, by catuyrig just some voice snippets from your target, even when just in line behind ’em at Wallmart, and then synthesizing just about any text? When a break-in on the backside of your home assistant (very doable; the intelligence is too complex and voluminous to sit in the front-end device anyway [Is it …!? Haven’t seen anything on this!] so at least there’s some half-way intelligent link at the back) may be feasible per principle but doing a MiM on the comms to some back-end server would be much more easy even, and much easier to obfuscate (certainly qua location, attribution), a ‘re’play of just any message is feasible.

Like, a ‘re’play of ordering substances that would still be suspicious even when for ‘medicinal purposes’. Or only embarassing, like ordering tools from the sort of fun-tools shop you wouldn’t want to see your parents order from. Of course, the joke is at delivery time [be that couriers, DEA/cops, or just non-plain packages] — oh wait we could just have the goods delivered to / picked up at, any address of our liking and have the felons/embarressed only feel that part plus non-repudiability.

This may be a C-rated-movie plot scenario, hence it will happen somewhere, a couple of times at least. Or become an epidemic. And:
[No mall, but a fun place to shop anyway; Gran Vía Madrid]

Notnews

Remember it’s a two weeks flashback already
Monday morning’s watercooler discussion: Did you hear about this WannaCry attacks all around the world? The sky is falling! And what a hypecycle the ‘solutions’ vendors piled onto it immediately and oh hey look cat pics how cute oh now it’s Friday again how time flies CU on Monday for more cat pics.

So true it’s sobering; appropriately. And:
[Will never learn. NY]

Having a Coboll

Just when you thought that some problems had come and gone to be never heard from again, it turns out that it’s not that easy but big-time help is here.
Got tipped by a peer that flagged one particular company for help. No endorsement outright, no financial or other interest whatsoever [maybe I should, for the odds are with them], just plain ol’Hey Look That’s Interesting.

Because you didn’t get it; they help converting COBOL (and other mummyfied LoC) to New stuff.

On that note, I leave you with
[Images of volcanic activity keep blubbering out of your new systems infra, too; Zuid-As Ams]

Golden Oldie Pic of the Day

Yet again …:

[Yes I, this refers to your infosec arrangements – wouldn’t deride the terms ‘management system’ or ‘practices’ by attaching them to what you do…]
[Yes II I did not include a dropcap style in his post on purpose. Thanks you noticed.]

Note to self: GDPR scrum with or without the r

Just to remind myself, and you for your contributions, that it’s seriously time to write up a post on Agile development methods [OK, okay, I mean Scrum, as the majority side of the house]; how one is supposed to integrate GDPR requirements into that.
Like, we’re approaching the stage where the Waterfall model of security implementation, will be Done for most organisations. Not Well Done, rather Rare or Pittsburg Rare, at your firm [not Firm …]. But then, we’ll have to make the wholesale change to Maintenance, short-term and long-term. And meanwhile, waterfall has been ditched for a long time already in core development work, hence we have a backlog (huh; the real kind) qua security integration (sic; the bolt-on kind doesn’t work anyway) into all these Agile Development methods of which word has it everyone and their m/br-other seems to make use these latter days.

But then, the world has managed to slip security into that. Which is praiseworthy, and needs more Spread The Word.

And then, there’s the GDPR. May we suggest to include it in ‘security’ as requirements flow into the agile development processes ..?
As said, I’ll expand on this l8r.
If only later, since we need to find a way to keep the DPOs out of this; the vast majority (sic) of them, with all due [which hence may be severely limited] respect, will not understand to a profound level they’ll try to derail your development even without the most basic capability to self-assess they do it, in ways that are excruciatingly hard to pinpoint, lay your finger on.

But as written, that’s for another time. In the meantime, I’d love to see your contributions (if/when serious) overflowing my mailbox… Plus:
[Lawyers lurking next door…; Zuid-As Ams]

Nutty cryptofails

Considering the vengeance with which cryptobackdoors, or other forms of regulation into tautological-fail limitations, are pursued over and over again (case in point: The soon luckily carved out surrender (to Monay) monkeys [case in point: anyone who has seriously tried an invasion, succeeded handsomely]), it may be worthwhile to re-consider what the current situation is. As depicted in the following:

In which D is what governments et al can’t stand. Yes, it’s that big; pushing all other categories into corners.
Where C is also small, and probably shrinking fast. And B is known; maybe not empty but through its character and the knowledge of it as cracked-all-around part, hardly used if ever, by n00bs only.
And A is what governments want for themselves, but know they can’t have or it will quickly move to B — probably without governments’ knowing of this shift…

And all, vulnerable to the XKCD ‘hack’:

Against which no backdoor-for-governments-only policy will help.
I’ll rest.

What you said, doesn’t matter anymore

Yet another proof class busted: Voice being (allegedly) so pretty perfectly synthesizable, that it loses its value as proof (of identity). Because beyond reasonable doubt isn’t beyond anymore, and anyone venturing to bring voice-based evidence, will not be able to prove (beyond…) that the sound heard, isn’t tampered with i.e. generated. Under the precept of “whoever posits, proofs”, the mere remark that no madam Judge we honestly did not doctor this evidence, is insufficient and there can be no requirement for positive disproof for dismissal from the defense as that side is not the one doing the positing. What about entrapment, et al.?

So, technological progress brings us closer to chaos. “Things don’t move so fast”-believers must be disbarred for their demonstrated gross incapacity — things have moved fast and will do so, ever faster. Or what ..?

Well, or Privacy. Must the above ‘innovator’ be sanctioned severely for violation of privacy of original-content-sound producers ..? Their (end) product(s) is sold/leased to generate false identity or doctored proof, either for or against the subject at hand, <whatever> party would profit thereof. Like an equipment maker whose products are targeted at burglars, or worse e.g., guns. Wouldn’t these be seriously curfewed, handcuffed ..?

[Edited to add, after drafting this five days ago: Already, Bruce is onto this, too. Thanks. (Not my perspective, but still)]

Oh, or:
[Apparently so secure(d), ‘stormed’ and taken practically overnight (read the story of); Casa Loma, Toronto]

Mixing up the constitution

When your state secretary is mixing up all sorts of things. When at the official site, at last email (and other ‘telecomm’) is listed to be included as protected on the same footing as snail mail has always been, qua privacy protection.

Which raises the question: Does that include the right to use (uncrackable) encryption, because that is what is equivalent to a sealed envelope ..? When the same government wanted to ban that, or allow simply-crackable [i.e., with bumblinggovernment means – the most simpleton kind or ‘too hard’] encryption only?
Why would this have to be included so explicitly in the constitution no less, when just about every other tech development isn’t anywhere there, and in the past it has always been sufficient to interpret/read the constitution to automatically translate to the most modern tech without needing textual adaptation ..? [As has been the case in every civilised country, and maybe even in the US too.]
And where would GDPR impinge on this; is the rush necessitated by GDPR (with all its law-enforcement exemptions, pre-arranging the ab-use of those powers GDPR will give), or is this an attempt to pre-empt protection against Skynet overlords (pre-pre-empting GDPR protection for citizens), – recognising that anything so rushed will never be in favour of those citizens – or what?

One wonders. And:
[So many “unidentified” office buildings in NY, NY …]

Pitting the Good against the Others

When the recent rumours were, are valid that some patches were retracted — and this was because they accidentallt disables other exploits not yet outed in the stash, this would bring a new (?) tension to the surface or rather, possibly explains some deviant comms of the past:
Where some infosec researchers had been blocked from presenting their 0-day vulns / exploit-PoCs, this may not have been for protection of the general public or so, but to keep useful vulnerabilities available for the TLAs of a (variety of?) country(-ies).
Pitting the Ethical researchers against the bad and the ugly…

No “Oh-oh don’t give the bad guys valuable info and allow even more time to the s/w vendors to plug the holes” but “Dammit there go our secret backdoors!”
Makes much more sense, to see the pres blocking in this light. And makes huge bug bounties by these TLAs towards soon to be a bit less ethical researchers, more possible and probable. Not as yet better known, though. Thoughts?
[Takes off tinfoil movie-plot security scenario hat]

Oh, and:
[All looks happy, but is looked upon from above …; Riga]

Collateral (un)patching; 0+1-day

Is this a new trend? Revealing that there had been a couple of exploitables, backdoors in your s/w when you patch some other ones and then have to roll back because you p.’d off the wrong ones since you accidentally also patched or disabled some hitherto secret ones.
At least, this is what it seems like when reading this; M$ stealthily (apparently not secretly enough) patching some stuff in negative time i.e., before-zero day. When later there’s rumours about this patch(ing, possibly parts of) is retracted.

For this, there appear (again) to be two possible reasons:
a. You flunked the patch and it kills some Important peoples’ system(s);
b. You ‘flunked’ the patch and you did right, but the patch effectively killed some still-not-revealed (in the stash) backdoors that the Important peoples (TLAs) still had some use for and were double-secretly requested to put back in place.

I’m in a Movie Plot mood (come to think of it, for no reason; ed.) and go for the second option. Because reasons (contradictory; ed.). Your 2¢ please.

Oh, and:
[So crowded and you’re still much less than a stone’s throw from a Da Vinci Code (was it?) big secret — I may have the pic elsewhere on my blog…; Barça]