Fuck this. I better find some way to go off the grid.
Or find a way to hack and destroy all these databases.
wengler
03.08.08 - 1:40 am

Hats off to Maine, too. They won't even apply for an extension, because that implies that they will eventually do it, and they have said that will NEVER happen.
I told my mother that this may be the last time I can go see her in AZ. I am sure the jackbooted thugs are putting in for a large supply of rubber gloves for those **enhanced** searches. "Let me see zee papers, Fraulein..."
Punkster
03.08.08 - 3:09 am

Jesse:
I see you've either read Bruce Schneier's take on this, or come to the same conclusions independently. But your use of the term "security theater" makes me think you've read Schneier. Feed
"real id" site:schneier.com inurl:/blog/
into Google and you'll probably recognize one of the Page 1 hits.
You could do a LOT worse. Schneier has his head screwed on right this time, as he almost always does. This is exactly the sort of bullshit you can expect of complete amateurs who are out of their depth, flailing around, and asking for the contents of the entire kitchen sink + the cesspool out back. Without ever for a moment considering how this will fail both (1) directly (through identity fraud, as you noted) and (2) through failure to scale.
Scaling failure has been the proximate cause for the fall of entire civilizations, so it isn't hard to imagine that it can quite easily bring down any possible positive results from RealID.
NEVER fail to consider scaling failure as a possible root cause flaw for a human systems failure. It's as common as the chickenpox virus, but much more easily overlooked. And arrogant amateurs in positions of power never, ever consider this problem for a moment.
wengler: You wrote ...
Or find a way to hack and destroy all these databases.
Have you read about last year's Pentagon espionage hack, perhaps? LOL. I'll tell you something you have probably guessed already. The Pentagon is GOING to get hacked again.
Read the last paragraph of Joel Hruska's Ars Technica piece, Pentagon attack last June stole an "amazing amount" of data. That will tell you why.
The Pentagon has stepped up its network protection since the intrusion, and added additional protection in the form of smart cards and digital signatures. Such security measures are the ultimate example of closing the barn door after the horse is gone, but should at least make further intrusions more difficult.
They are still not grasping the nettle.
If you have an Internet-visible network of Windows systems, and they have outbound access from standard Windows client software, they WILL be penetrated if the attacker feels what's on that network is valuable enough.
The more Windows systems on the internal network, the shorter the "time to penetration" will be. Because this is a numbers game: somebody is going to be late getting patched, or visits a site that has been "landmined" in the way Dancho Danchev talks about in his blog.
(1) Your content filters can work 100% of the time, and your network can be hermetically sealed from every single last pr0n site on Planet Earth, and you will still be vulnerable.
The attack vector can be malware hosted at legitimate sites. I've seen these kinds of traps for myself. Nearly two years ago. All you need do is poison the "comments" section of a blog with links to sites hosting automated attack tools.
(2) Or the attack vector can be email, as in this case.
If you are using "one-off" attack code in your crafted emails that has not yet been studied and analyzed, defending antivirus proxy servers WILL NOT detect it. Because it will have neither exact attack code signatures nor approximate attack heuristics to go on.
(3) Whatever the technical vector is, "social engineering", the manufacture of trust by the attacker, will almost certainly be a key factor. It amplifies the power of your chosen technical method enormously.
Hruska's piece cites OSD CIO: Network configuration, scanning softened cyberattack blow. The title of that piece attempts to reassure, but give the article a careful read and you WON'T feel very reassured.
To contain the attack, they had to partially shut down the network of the Office of the Secretary of Defense, which affected 1,500 users.
Read this priceless gem from Mary Mosquera's piece at Federal Computer Week. Note my italics.
The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.
First point: A Microsoft operating system on a writable device.
You DO NOT put sensitive data on Internet-visible Microsoft systems if they have standard client software which is capable of seeing outbound to the Internet.
Nearly all of the modern for-profit cybercrooks target Windows systems. Windows is the dominant OS by 10 to 1 or more, so it is a tenfold more attractive target just by virtue of hit probability.
A given amount of skull sweat is going to get you 10 or 20 times the payback if it's devoted to cracking and exploiting Windows than it will if you target Macs or Linux systems. And this assumes equally secure "typical" systems, which is NOT the case.
Second point: The attackers spoofed internal email addresses in order to manufacture trust. They had to jump through a few hoops to be able to spoof internal email addresses.
But they were willing to do that, because the information they sought was deemed worth the effort.
Third point: The "names and passwords" business was local administrative level system compromise, plain and simple.
Once the target user opens the attack email (and, presumably, unwisely opens a Word doc or a PDF or clicks on the wrong link), the attack payload is put home and compromise is achieved. When Joe User has an email on his own system, the attack it can deliver is now local, not remote.
And for every "remote" attack that can be feasibly put in across a network wire, there are five or ten that can be put in to equal or greater effect if the threat agent (or the threat agent's proxy, such as a weaponized email) is LOCAL to the system under attack.
Stormcrow
03.08.08 - 4:38 am

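Stormcrow's second point above, attackers borrowing internal staff names to manufacture trust, is the kind of thing a mail gateway can at least flag. What follows is an added example, not code from this thread or from any of the articles it cites: it parses a handful of constructed message headers and raises a finding for an internal staff display name on an outside address, for a Return-Path domain that disagrees with the From domain, and for a lookalike of the internal domain. The staff directory, the `osd.example` domain and the four sample messages are all assumptions made for illustration.

```python
"""Added example: flag inbound mail that borrows an internal staff member's
name or domain. Directory, domain and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "osd.example"           # assumed internal domain (hypothetical)
STAFF = {"alice clem", "bob rivera"}      # constructed directory, lower-cased names

# Constructed sample messages (not real mail); only the headers matter here.
SAMPLE_MESSAGES = [
    # 0: legitimate internal mail
    "From: Alice Clem <aclem@osd.example>\n"
    "Return-Path: <aclem@osd.example>\n"
    "Subject: budget\n\nbody",
    # 1: a staff display name on an outside address
    "From: Alice Clem <alice.clem@mail-relay.example.net>\n"
    "Return-Path: <x@mail-relay.example.net>\n"
    "Subject: please review attached\n\nbody",
    # 2: From claims the internal domain, but the bounce address goes elsewhere
    "From: Bob Rivera <brivera@osd.example>\n"
    "Return-Path: <bounce@evil.example>\n"
    "Subject: updated roster\n\nbody",
    # 3: lookalike of the internal domain, no Return-Path at all
    "From: Bob Rivera <brivera@osd-example.com>\n"
    "Subject: credentials needed\n\nbody",
]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, internal):
    """Crude lookalike test: strip punctuation and see whether one domain is a
    prefix of the other (osd-example.com vs osd.example). Heuristic only."""
    a = "".join(ch for ch in domain if ch.isalnum())
    b = "".join(ch for ch in internal if ch.isalnum())
    if a == b or len(a) < 4 or len(b) < 4:
        return False
    return a.startswith(b) or b.startswith(a)


def check_message(raw):
    """Return the list of findings for one RFC 822 message text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(addr)
    findings = []
    # 1. a name from the internal directory on an address outside the domain
    if name.strip().lower() in STAFF and from_dom != INTERNAL_DOMAIN:
        findings.append("display-name-spoof")
    # 2. envelope sender domain disagrees with the visible From domain
    if return_path and domain_of(return_path) != from_dom:
        findings.append("return-path-mismatch")
    # 3. From domain is a near-copy of the internal domain
    if from_dom != INTERNAL_DOMAIN and lookalike(from_dom, INTERNAL_DOMAIN):
        findings.append("lookalike-domain")
    return findings


def triage(messages):
    """Run check_message over a batch; index i of the result is message i."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for i, findings in enumerate(triage(SAMPLE_MESSAGES)):
        print(i, findings or "clean")
```

A heuristic like this catches the cheap version of the spoof. It does nothing against a message whose envelope and headers are fully consistent with an attacker-controlled domain, and it says nothing about the Word or PDF attachment the quoted FCW paragraph describes. The structural fix for mail that claims the internal domain is to publish SPF, DKIM and DMARC records for that domain and reject inbound mail that fails them at the gateway; the display-name check is only a backstop for the case where the attacker does not even try to forge the domain.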
Where are all the State's rights/gun-toting militia fanatics when it is revealed that it was their boys who they needed to be afraid of all along?
*crickets*
Same as it ever was.
US Blues
03.08.08 - 5:09 am

More like Unreal ID. More Vaterland Govt. BS! (see recent data 'losses' in the UK).
Good for Montana, Maine, etc.
Bollox Ref
03.08.08 - 6:25 am

Just another way for the government to illustrate the point that they can fuck with us anytime they want to.
The Wanderer
03.08.08 - 6:54 am

As the human operators start relying on the Real ID for identification, we will get compromised...
This type of crap makes us less safe.
moonglum
03.08.08 - 7:34 am

US Blues:
Where are all the State's rights/gun-toting militia fanatics when it is revealed that is was their boys who they needed to be afraid of all along?
In Montana! Where else?
Really, this shows how unfair people (like me) have been in calling it a state full of gun-toting fascists. Gun-toting libertarians is more like it, now showing the merits of their position.
Porlock Hussein Junior
03.08.08 - 8:28 am

Stormcrow -
Well said. Good work.
Anyone reading this thread, I strongly suggest you read Stormcrow's comment at least twice.
Well done.
Jesse Wendel
03.08.08 - 8:34 am

I'd also suggest you follow his recommendation and read Schneier. He has a monthly email newsletter.
jayackroyd
03.08.08 - 9:23 am

Everyone knows only the people born after 1964 are the real terrrrist threat anyway. It's one of those things they thought of in their kneejerkery, only when they said it out loud, it made sense to them. That's the real problem. Stupid fuckers. There are no "tamper proof" IDs.
I posted about this back in January and it's not just Montana. That's when the gov sent a letter to states to join the "rebellion".
http://blog.wired.com/27bstroke6...na-governo.html
I know how we all like maps here, so here we go:
http://www.realnightmare.org/news/105/
Thanks Jesse, this is one to watch. Loved the audio rather than just reading about it.
On the teevee this morning they were reporting some cities will have fingerprint ID to board a plane very soon. Everyone is a criminal I guess.
Myrtle June
03.08.08 - 12:57 pm

"Nothing can bring adequate signal out of the noise of trillions of transactions."
It depends. Adequate for what? You can very easily extract quite a few signals from trillions of transactions.
The number of transactions I would need to make on a new grocery club card before they could link it to my old one if I didn't change my diet is low.
With a low number of anonymous movie ratings a person who has a public profile of movie ratings can be identified, breaking anonymity.
They can't tell if terrorists will attack from this, but they can extract quite a bit of scary stuff.
TomK
03.08.08 - 1:54 pm

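TomK's two cases, relinking a new loyalty card to the old one by purchase habit and identifying a person from a few movie ratings, are the same linkage attack. The block below is an added example and not part of the thread: a weighted-overlap matcher in the style of the Narayanan and Shmatikov Netflix-Prize de-anonymisation, run over constructed public profiles and a constructed three-rating "anonymous" record. The names, titles, ratings and the 0.25 confidence margin are all assumptions; the weighting and tolerance follow the paper's idea (rare items count more, near-equal ratings still count as a match) but this is not the paper's code. The same code links purchase histories if titles are swapped for product IDs and ratings for quantities.

```python
"""Added example: link a sparse anonymous ratings record to a public profile
by weighted overlap (Narayanan-Shmatikov style). All data is constructed."""
import math

# Constructed public profiles: name -> {title: rating on a 1..5 scale}
PUBLIC = {
    "alice": {"Brazil": 5, "Alien": 5, "Titanic": 2, "Heat": 4, "Shrek": 3},
    "bob":   {"Heat": 4, "Titanic": 4, "Shrek": 4, "Cars": 3},
    "carol": {"Brazil": 4, "Alien": 4, "Titanic": 4, "Cars": 5, "Shrek": 2},
    "dave":  {"Titanic": 5, "Shrek": 5, "Cars": 4},
    "erin":  {"Brazil": 5, "Alien": 2, "Titanic": 1, "Cars": 2},
}

# Constructed "anonymised" record: three ratings, one of them off by one
# from alice's public rating, as a noisy re-rating would be.
ANON = {"Brazil": 5, "Alien": 4, "Titanic": 2}


def item_weights(profiles):
    """Rare items identify more than popular ones: weight = 1 / log(1 + raters)."""
    counts = {}
    for ratings in profiles.values():
        for title in ratings:
            counts[title] = counts.get(title, 0) + 1
    return {title: 1.0 / math.log(1 + c) for title, c in counts.items()}


def similarity(anon, profile, weights, tol=1):
    """Sum of the weights of titles both records rate within tol of each other."""
    return sum(weights[t] for t, r in anon.items()
               if t in profile and abs(profile[t] - r) <= tol)


def link(anon, profiles, tol=1, min_margin=0.25):
    """Return (name, margin). name is None unless the best candidate leads the
    runner-up by at least min_margin of its own score (assumed threshold)."""
    weights = item_weights(profiles)
    scored = sorted(((similarity(anon, p, weights, tol), n)
                     for n, p in profiles.items()), reverse=True)
    best_score, best = scored[0]
    second_score = scored[1][0] if len(scored) > 1 else 0.0
    if best_score == 0:
        return None, 0.0
    margin = (best_score - second_score) / best_score
    return (best if margin >= min_margin else None), round(margin, 3)


def records_needed(anon, profiles, **kw):
    """Smallest prefix of the anonymous record that links it, or None."""
    items = list(anon.items())
    for k in range(1, len(items) + 1):
        if link(dict(items[:k]), profiles, **kw)[0] is not None:
            return k
    return None


if __name__ == "__main__":
    print(link(ANON, PUBLIC))            # which public profile, and how clearly
    print(records_needed(ANON, PUBLIC))  # how few ratings it took
```

With this data one rating is ambiguous (three people rated Brazil 5 or 4), two are still a tie between alice and carol, and the third settles it, which is TomK's point: the number of records needed is small, and it shrinks further as the item universe gets larger and sparser, because rare items carry most of the weight. Removing names from a dataset does nothing against this; the defence is not releasing per-person records at all, or adding enough noise that the overlap score stops separating candidates.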
On the teevee this morning they were reporting some cities will have fingerprint ID to board a plane very soon. Everyone is a criminal I guess.
The new terminal at Heathrow Airport (Terminal 5) will require fingerprinting for embarkation. This 'sekurity' crap is way, way out of hand. Airline travel, or doing business in some government building has become a case of herding potential 'criminals'. Jeez, what have we come to!
Bollox Ref
03.08.08 - 2:39 pm

............ I'm to the point where I'm seriously thinking of getting a t-shirt made with something along the lines of "I'm NOT a f****** criminal!!"
Bollox Ref
03.08.08 - 2:42 pm

Bollox Ref - They would tase you for trying to board a plane with that shirt dude.
Myrtle June
03.08.08 - 2:47 pm

Myrtle June,
Yeah I know.............. but isn't that the point?.......... a loop of ever increasing negativity.
Sigh.
Bollox Ref
03.08.08 - 3:14 pm

This is mostly about money. The 17 states that have opted out of Real ID have mostly done so not out of any sort of "state's rights" principles or any concern for civil liberties but because there are no Federal dollars for implementing Real ID. Also because the Real ID legislation short circuited the commission the states had set up to come up with uniform ID standards and granted all of the implementation authority to the DHS (including who would get the all-important database contracts).
If the Feds relent and provide some money and throw the states a bone on implementation details expect most of them to cave.
Otherwise I do hope all 17 join Montana and Maine in telling the DHS to take a long walk off a short pier.
BTW in addition to requiring "Real ID" for airline travel and entry to Federal property the DHS is floating the possibility of requiring "Real ID" for buying medicine or proving eligibility for employment.
Chris Stefan
03.08.08 - 3:23 pm

Have any of the candidates addressed this issue? To ask is to answer, yes one did. The one who did will be returning to congress this fall.
CK
03.08.08 - 5:19 pm

The Dept. Of Homeland Insecurity: your taxes at work & play.
As somebody who's currently working in Security, I can tell you - without exception, ALL modes of security relying on something other than a living human being are weak. Alarms, gates, cameras, barriers, you name it. They can ALL be hacked &/or neutralized without detection.
ID may be one of the weakest of all.
I recall reading in James Bamford's "The Puzzle Palace" how an employee proved the utter uselessness of NSA's nametag ID by going through their entry checkpoint repeatedly, unchallenged - with a picture of Mickey Mouse taped over his photograph on the tag. Guards were waving people through without checking the stupid tags, knowing the staff by face. This at the central HQ of an agency considered the most sensitive & ultra-paranoid intelligence-complex on the planet.
This isn't security - it's the nuts-&-bolts of fascism.
Patriot Act III: coming soon to a Junta near you.
jim
03.08.08 - 8:52 pm

Wow. Americans with balls. The Bushies must be losing their cool like Dean Wormer in Animal House at the rank insubordination.
Gidget Commando
03.09.08 - 6:53 am

Commenting by HaloScan