Rejection Letter
By Charlie Stross

Dear Mr Stross

I’d like to apologize in advance, but after consulting with my colleagues in other departments at Reality Publishing Corporation, I’m afraid we can’t publish your book, “Zero Day: The story of MS17-010”, as things stand. However, I’d like to add that it was a gripping read, very well written, and we hope to see more from you in future!

Because the plot of your yarn is highly technical, we engaged a specialist external reader to evaluate it. And they had some unfortunate words to say on the subject of plausibility. I attach the reader’s report, in the hope that you might consider amending your manuscript accordingly.

Signed

E. S. Blofeld, Editorial Director

READER’S REPORT

Short version: while Stross can clearly write workmanlike, commercial prose, the plot of “Zero Day” does not hold up to scrutiny. In fact, it reads like a mash-up of popular conspiracy theories, alarmism, and bad Hollywood thriller cliches. Also, the characterisation is spotty: the shadowy villain remains off-screen for the entire novel (and apparently gets away with their crime), the hero who saves the day only appears in the last chapter, and the overall lack of thematic resolution at the end of the novel is painful. We suppose this is a side-effect of telling a story as a collage of blog entries and web news reports, in an update of the style pioneered by John Dos Passos: it’s innovative but ultimately unsatisfying. Also, the C++ code listings are a major obstacle for the non-technical reader.

Now, to the problems with the plot:

We start with a shadowy US government agency, the NSA, systematically analyzing the software of the biggest American computer companies in search of vulnerabilities. So far, so plausible: this is one of the jobs of an intelligence and counter-espionage agency focussed on information technology. However, instead of helping Microsoft fix them, we are supposed to believe that the NSA hoard their knowledge of weaknesses in Microsoft Windows, a vitally important piece of their own nation’s infrastructure, in case they’ll come in handy against some hypothetical future enemy. (I’m sorry, but this just won’t wash; surely the good guys would prioritize protecting their own corporate infrastructure? But this is just the first of the many logical inconsistencies which riddle the back story and plot of “Zero Day”.)

Next, the plot takes a turn towards faceless anonymous parties (lacks drama!) as someone calling themselves “the Shadow Brokers” leaks a huge trove of classified NSA documents to WikiLeaks, who in turn dump it on the internet. These documents are the crown jewels of cyberwarfare, but they’re apparently just lying around on the NSA’s internal network for anyone to grab. WikiLeaks, we are led to believe, may be a front for the Kremlin (twirls evil moustachio villainously) but if this is the case and they’re acting for the KGB why would they disclose such vital American secrets? Spies just don’t do that sort of thing. Also, who is supposed to have smuggled these secrets out of the NSA headquarters, and how? Did they use a thumb drive? Email it to themselves? This is a huge missed opportunity for tension and plot development and it’s completely absent from the manuscript as reviewed.

Anyway, this preposterous intelligence leak shows up on the internet and includes details of a vulnerability in Microsoft’s file sharing system, codenamed ETERNALBLUE. This only really affects older Windows systems and can be blocked by simply switching off legacy file sharing support, so it’s no big deal, but Microsoft diligently release security updates through March, including a fix for vulnerability MS17-010, as the NSA black ice is renamed by people who don’t get their ideas for codenames out of bad technothrillers. (ETERNALBLUE was part of a release of code that also gave us such interesting names as EDUCATEDSCHOLAR, ETERNALROMANCE, and ERRATICGOPHER. Oh to be a fly on the wall at the classified NSA committee meetings discussing the deployment of their weaponized ERRATIC GOPHER …)

Then, one day in May, all hell breaks loose.

Someone unknown—as noted, this novel is very short on identifiable people the reader can relate to—takes the code for a piece of ransomware usually distributed as an email attachment, and turns it into a payload for ETERNALBLUE, which is a worm—capable of directly infecting other machines on the same network without human intervention. And in a matter of hours, the new malware, known as Wanna Decryptor, infects the entire British National Health Service, a Spanish cellphone company, FedEx, and over a third of a million computers whose owners had lazily failed to enable automatic security updates from Microsoft.

When a piece of “ransomware” infects a computer, it starts by stealthily encrypting all the personal documents, pictures, and spreadsheets on the PC. Only when it has finished does it pop up a window to warn the PC’s owner, and issues a ransom demand. The bewildered human is instructed to go to a website and buy $300 worth of BitCoin, an electronic token called a “cryptocurrency” by some, and to pay the ransom in order to unlock all their files—if they don’t do so within three days, the ransomware will permanently delete them.

Normal ransomware spreads by attaching copies of itself to email messages and sending them to everyone in the victim’s address book. This means it won’t propagate unless someone is so foolish as to ignore their antivirus messages and click on the attachment. But Wanna Decryptor doesn’t need to do this—it uses the magic NSA code in ETERNALBLUE to scan the internet for targets. It’s a worm—a boringly old-hat idea first introduced into fiction by SF author John Brunner in his 1977 novel “The Shockwave Rider”. (To this extent, the plot of “Zero Day” isn’t even original.)

One is supposed to believe that evil genius hackers (unidentified) using code stolen from the most secretive of espionage organizations by some third party (also unidentified) and released for free on the internet, took someone else’s poor quality malware (author unidentified) and turned it into a cyber first-strike weapon that causes carnage worldwide because millions of responsible computer operators fail to apply vital software security patches for months after they’re released? This beggars plausibility.

But then it gets worse.

In the foreground, ambulance despatch systems are going down: clinical information systems are offline: hospitals are declaring major incidents and trying to revert to paper and pen: operations are cancelled except in case of life-threatening emergencies because doctors can’t review X-rays and medical records: the entire Telefonica cellphone network stops being able to handle billing and orders in Spain: FedEx’s parcel network is inaccessible: Deutsche Bahn train signaling is disrupted across half of Europe …

And a mild-mannered British computer security expert who is on his week off gets home from lunch with a friend, checks a work website (implausible! He’s on holiday!), sees something odd, and kills the world-threatening zero day exploit dead by registering a domain? And then takes a couple of hours to realize that the evil genius responsible for a global terror attack helpfully left an “off” switch that anyone could flip?

I’m sorry, this is just silly.

In fiction, we rely on the reader’s willingness to suspend their disbelief in the lies we are telling them. Willing suspension of disbelief can be abused if the story lacks plausibility, and this part is totally implausible! The WCry worm (as it is thankfully abbreviated) switches itself off if a random-seeming domain name has been registered and a web server exists to serve it. Why? The mastermind who wrote this weapon obviously knows about bitcoin, and by extension, how blockchain works; surely they could have contrived some sort of cryptographically secure way to protect their kill switch?

This is the digital equivalent of the James Bond movie where the evil mastermind’s lair from which the nuclear missiles are to be launched features a prominent red button labelled SELF-DESTRUCT, which, when pressed, does in fact cause the missile base to self-destruct. And which is not guarded, booby-trapped, or in any way concealed, so that when a Mr Bean figure walks in, slips on a banana skin, and happens to catch his fall on the wall switch, the evil plan for world domination is stopped dead in its tracks.

Come on, Mr Stross, you can’t expect us to believe that!

Summary: well-written, but short on characterization and the plot, while dense, makes essentially no sense and relies on a Deus Ex Machina ending to allow the hero (who only shows up at the eleventh hour) to triumph bloodlessly.

May 13, 2017 at 02:05PM
via Charlie’s Diary http://ift.tt/2qdWV3F

Over 128,000 fake comments against net neutrality have been sent to the FCC by bot
By Caleb Chen

The FCC is being bombarded with fake comments, over 128,000 at last count, that all say the same thing attacking net neutrality. All this after Ajit Pai admitted in an interview that the FCC has an open mind and will listen to your comments. The news was first reported and spread by redditor smith7018 on Reddit in /r/technology and /r/politics. One redditor even claims to have found a deceased family member’s name under her old address used to submit a fake anti-net neutrality comment.

The comment says:

“The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation,” the comment says. “I urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.”

Which is not that great of a comment from many angles. If you’re curious whether or not your name or the name of a relative has been used to submit a fake comment to the FCC, you can use their search function (which is currently suspiciously down).

Who is behind the fake comments supporting the FCC’s takedown of net neutrality?

We don’t know who exactly is running the bot; however, the fact that someone thought it’d be a good idea to bolster the anti net neutrality argument with blatantly fake comments should really tell you how out of touch those seeking to destroy net neutrality really are. Additionally, the fact that they name the orders and potential rules such that they can claim to be “Restoring Internet Freedom” tells you how out of touch they think the voters are.



May 10, 2017 at 08:14PM
via Privacy Online News http://ift.tt/2r0Zuno

US gov’t proposes heightened social media vetting of visa applicants
By David Kravets

(credit: Jorge Díaz)

The State Department is opening the public comment period for a proposal that seeks to inspect social media accounts and other data of visa applicants the government believes may pose a danger.

The new vetting, the State Department said, likely will only impact about 0.5 percent of visa applicants per year—roughly 65,000 people. The new vetting being proposed would apply to applicants “who have been determined to warrant additional scrutiny in connection with terrorism or other national security-related visa ineligibilities,” according to a notice in the Federal Register by the State Department.

Those deemed to warrant the heightened vetting would have to disclose all of their previous passport numbers, five years of social media handles, telephone numbers, and e-mail addresses. The plan also calls for US-bound travelers to supply 15 years of biographical data. Passwords are not required to be divulged in this proposal, though an earlier plan included requiring visa applicants to hand over their social media credentials.


May 6, 2017 at 05:31PM
via Ars Technica UK http://ift.tt/2pRRhT9

UK government seeks expansion of mass surveillance “technical capabilities” via the Investigatory Powers Act
By Caleb Chen

The UK government is seeking an expansion to their mass surveillance powers on the Internet. The plans were leaked and released by the Open Rights Group. The draft rules were only officially circulated to a short list of companies, mostly telecommunication companies and internet service providers (ISPs) according to The Register. The proposed bulk surveillance rules will force telecoms and ISPs to provide “real-time access” as well as all “secondary data” related to any named individual. Secondary data includes encrypted data, which means that (in order to comply) no UK organizations will be able to offer truly encrypted services.

The Investigatory Powers Act and its mass surveillance regime are both being expanded

These are updates to the Investigatory Powers Act, which became law in late 2016. The expansion of mass surveillance capabilities is happening under Section 253 of the Act, which can be used again and again to expand capabilities with these technical capability notices.

The details are outlined in a technical capabilities notices draft paper. The two main points will oblige telecommunication operators to certain tasks:

– To provide and maintain the capability to ensure, where practicable, the transmission of communications and secondary data in near real time to a hand-over point as agreed with the person to whom the warrant is addressed.

– To provide and maintain the capability to carry out the interception of communications or the obtaining of secondary data and disclose anything obtained under the warrant to the person to whom the warrant was addressed, or any person acting on that person’s behalf, within one working day, or such longer period as may be specified in the technical capability notice, of the telecommunications operator being informed that the warrant has been issued.

The Investigatory Powers Act already forces telecommunication service providers to store internet connection records for a whole year. It’s true that many telecoms and ISPs already do this; however, in many jurisdictions such as the United States, it is becoming expressly legal for corporations to sell that stored information for profit. Now the mass surveillance powers granted by the Investigatory Powers Act are being extended, and the government has revealed its path to doing so, which can be used again and again.

Disclosure: Private Internet Access is a sponsor of Open Rights Group


May 5, 2017 at 02:07AM
via Privacy Online News http://ift.tt/2pLHXQx

Reckon you’ve seen some stupid security things? Here, hold my beer…
By Troy Hunt



My mate Lars Klint shared this tweet the other day:

Naturally, I passed it on because let’s face it, that’s some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here’s the thing – it’s feasible. No really, I’ve seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don’t believe me? Here, hold my beer…

Remember me

Let’s say you want to build a “remember me” feature, you know, the one where you tick the box and then when you come back to the website next time, you’re already logged in. Here’s how Black and Decker did it:


Yes, that’s just a Base64 encoded version of your password in a cookie and yes, it’s being sent insecurely on every request and also yes, it’s not flagged as “secure” therefore it’s being sent in the clear.

Reckon that’s bad? Try Aussie Farmers direct who I mention in that same post:


Oh wow, it’s secure! But it’s still a password in a cookie and it’s still not HTTP only and they had reflected XSS risks on the site. And how did they respond once advised? That brings me to the next point…
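To make the two cookie problems above concrete, here is an added example (constructed for this page, not Black and Decker’s or Aussie Farmers’ code): a reproduction of the “Base64 password in a cookie with no flags” pattern, a small audit check for it, and a remember-me implementation that stores only the hash of a random token server-side and sets Secure, HttpOnly and SameSite. Cookie names, the 30-day lifetime and the sample password are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# --- The pattern the post describes, reproduced as a constructed example ----------------

def weak_remember_me_cookie(password: str) -> str:
    """Base64-encode the password and drop it into a cookie with no protective attributes."""
    return "Set-Cookie: RememberMe=" + base64.b64encode(password.encode()).decode() + "; Path=/"

def _cookie_value(set_cookie_header: str) -> str:
    """Extract the value of the first name=value pair from a Set-Cookie header."""
    first_pair = set_cookie_header.split(":", 1)[1].split(";", 1)[0].strip()
    return first_pair.split("=", 1)[1]

def cookie_is_base64_password(set_cookie_header: str, password: str) -> bool:
    """Audit check: does the cookie value decode straight back to the account password?
    If so the cookie IS the credential: plain-HTTP sniffing or an XSS that reads it yields
    the password itself, not just a session that can be revoked."""
    try:
        decoded = base64.b64decode(_cookie_value(set_cookie_header))
    except ValueError:  # not valid Base64 at all, so it cannot be the encoded password
        return False
    return hmac.compare_digest(decoded, password.encode())

def audit_set_cookie(set_cookie_header: str) -> List[str]:
    """Return the protective attributes missing from a Set-Cookie header, in a fixed order."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]

# --- A remember-me design that does not put the password anywhere near the cookie ------

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime: 30 days, then a fresh sign-in is required

class RememberMeStore:
    """Server-side record of issued remember-me tokens. Only SHA-256(token) is stored, so a
    leaked table does not hand out working cookies, and the token itself is random, so it
    carries no information about the password."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a token for user_id and return (token, Set-Cookie header to send)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; URL-safe, no ';' or '='
        self._by_hash[self._hash(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        header = (
            "Set-Cookie: remember_me=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax"
            % (token, TOKEN_TTL_SECONDS)
        )
        return token, header

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id for a presented token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        digest = self._hash(token)
        record = self._by_hash.get(digest)
        if record is None:
            return None
        user_id, expires_at = record
        if now >= expires_at:
            del self._by_hash[digest]  # expired: drop it so it cannot be replayed later
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Logout or password change: invalidate server-side; clearing the cookie alone is not enough."""
        self._by_hash.pop(self._hash(token), None)
```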

Corporate responses

I did the dutiful thing and let Aussie Farmers know about the risk all the way back in 2013. I also suggested that maybe they shouldn’t be emailing passwords around (amongst a raft of other very nasty things) to which I received the following explanation from someone with “Marketing Manager” in their title:

To date we’ve not had a single security issue stemming from new customers being emailed their password, and I know for a fact 90% of the sites I personally sign up to online also follow that same process.

That reminds me of this comment by Oil and Gas International I referenced just the other day in the post on my new HTTPS course. This is where they got cranky because Firefox is now warning users when a login form is loaded insecurely:

Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.

Their website kinda, uh, stopped working not long after that (the SQL injection risks probably didn’t help). They’re back now, although it’s unclear whether or not they’ve reset the clock on the whole “15 years” thing.

While we’re talking about nonsensical security comments, British Gas have struggled a bit in the past too:

And while we’re in that corner of the world, it’s hard to look past Tesco for an example of corporate lunacy on the Twitters:


But hey, secure password resets are hard! No really, check this out…

Password reset

It all started with this:

Now you may be thinking – “Oh, your username is your email address and Betfair would just send you an email and you’d reset the password via a unique link” – but by now you know that thinking would be too logical to make an appearance here. But amazingly, Betfair didn’t actually believe Paul, so I made a video explaining it:

And it was exactly what it sounds like – if you knew someone’s email address and birth date, you could reset their password to whatever you’d like it to be. But the pièce de résistance came with this exchange where, with what I assume was a straight face, Betfair kindly advised that Paul would be breaching their terms if he gave his email address and birth date to anyone else:

You know what they really need here? Security questions…

Security questions

I’ll just leave this one right here:

What? Too general? Try this one instead:

Because security questions are nuts! I mean those ones are extra nuts but in general the whole idea of taking either immutable pieces of data like your mother’s maiden name or enumerable questions like the make of your first car or transient ones like your favourite movie… just the idea of security questions deserves a place in this post! Let’s try something more sane…

Logon

You know what’s hard? Passwords. If only there was an easier way:

And before you go “but this is just a tweet and it may not even be real”, it was real and here’s the archive.org snapshot of it:


And before we all lose our minds going “the password must die”, nobody has yet figured out how to make that happen! There are lots of technical solutions that nobody actually wants to use; the simple fact is we’ve got more passwords than ever and they’re not going anywhere. But hey, I’ve seen worse…

Physical security

There’s not really a way to position this without it seeming any more absurd than it already is, so let me just throw it out there:


You know the thing that really gets me here? Think about your non-techie friends and relatives who are just trying to get the TV and the DVD player working together. They go into the shop, pick up two HDMI cables and flip to the back of the boxes. They’re comparing the specs – one of them has anti-virus protection and the other doesn’t – what are they gonna do?!

Now, just one more thing…

Account enumeration

I wanted to save the best until last. It’s the best because it’s still an active stupid security thing and it’s inconceivably stupid but hey, at least they’re fixing it:

Except that as of the time of writing, that was 8 months ago. And what is this stupid security thing? Well imagine this: you go to Strawberrynet and chuck some tonifying lotion or dry teasing dust or other thing I have little concept of into your cart then hit the checkout button. You’re now presented with this:


So you enter an email address – any email address with an account on the site – after which you’re presented with, well, someone else’s personal data:


Wait – what?! It’s exactly what it looks like in that they’ll hand over the personal data of anyone with an email address on the system. There’s plenty of people on there too because they’re within the top 5k largest websites in the world so you can head on over, enter a female name (they’re largely selling cosmetics) then a popular email service and there you are! And in case you’re thinking “well this is just terrible”, no, it’s actually a feature:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security.

No it’s not! And no they don’t! I wrote about website enumeration insanity back in August, which is what prompted their earlier tweet, and they appear to be completely oblivious to the problem. I even created an account myself just to check how it works:

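An added example (constructed for this page, not Strawberrynet’s or Betfair’s code) showing the checkout lookup the post describes beside a version that gives the same answer for registered and unregistered addresses and only releases saved details behind a password check. The same rule covers the Betfair reset earlier: an email address and a birth date are identifiers, not proof of control of the account. The account table, password and PBKDF2 round count are made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional

PBKDF2_ROUNDS = 50_000  # assumed; tune to your hardware in a real deployment

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _new_record(password: str, profile: Dict[str, str]) -> Dict[str, Any]:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "profile": profile}

# Constructed sample account; name, address and phone number are made up.
ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "alice@example.com": _new_record(
        "correct horse", {"name": "Alice Example", "address": "1 Sample St", "phone": "555-0100"}
    ),
}

# Dummy credential used when the address is unknown, so the failing path does the same
# PBKDF2 work as a real one and response timing does not reveal whether it is registered.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _pbkdf2(secrets.token_urlsafe(16), _DUMMY_SALT)

SESSIONS: Dict[str, str] = {}  # session token -> email

def vulnerable_checkout_lookup(email: str) -> Optional[Dict[str, str]]:
    """The behaviour the post describes: the address alone returns someone's saved details,
    and a None for unknown addresses confirms which ones have accounts."""
    record = ACCOUNTS.get(email)
    return None if record is None else record["profile"]

def hardened_checkout_lookup(email: str) -> Dict[str, str]:
    """Identical response whether or not the address is registered; nothing is released here."""
    return {"next": "sign_in_or_guest",
            "message": "Sign in to use saved details, or continue as a guest."}

def login(email: str, password: str) -> Optional[str]:
    """Return a session token only when the password proves control of the account.
    Unknown-address and wrong-password cases are indistinguishable in result and in work done."""
    record = ACCOUNTS.get(email)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if record is None or not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def get_profile(session_token: str) -> Optional[Dict[str, str]]:
    """Saved details are reachable only through an authenticated session."""
    email = SESSIONS.get(session_token)
    return None if email is None else ACCOUNTS[email]["profile"]
```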

I think I need another beer…


April 28, 2017 at 10:50AM
via Troy Hunt’s Blog http://ift.tt/2oDTJiF
