Sunday, August 31, 2014

This Just In

For all you fans of cloud computing and Apple products: iCloud just got royally hacked, and the hacker is posting many, many nude photos of various celebrities whose intimate photos had been stored there. I've always been skeptical of cloud computing because of the security that users must cede to their service providers. I've also thought the alleged security of Apple devices has been grossly overstated for years. It's poor form to use an event like this to say "I told you so", but this situation is obviously awful, and should have been prevented both by the celebrities themselves, and by Apple's security folks.

Tuesday, August 19, 2014

Carriers, Amphibs, and American Naval Strength

Following up on this post (and this linked article from that post, which I'll plug one more time), James Holmes has an excellent piece at War on the Rocks. Holmes' article deconstructs War is Boring proprietor David Axe's recent article on American naval strength. Axe, who's a legitimate and accomplished journalist in his own right, nonetheless parrots two common mistakes regarding the United States Navy: the one-for-one comparison of amphibious assault ships with aircraft carriers, and the claim that America's navy is "stronger than the next [X] navies combined". It's worth the read. Late Breaking Addendum: Following up on previous posts about USNS John Glenn, it's passed final contract testing, to include LCAC interface tests. (UPI, IHS Jane's)

NIST Network Security Risk Management Framework

Most of my career has been spent supporting military customers, but my current work has me supporting a non-DoD customer. Although I've been exposed to NIST Special Publications before (and even blogged about them), I find myself getting intimately acquainted with some of these publications. In particular, I've been going through SP 800-53 with a fine-toothed comb, with additional attention to SP 800-37 and SP 800-53A. (I'll probably wind up going through SP 800-30 as well.)

To some degree, the NIST Risk Management Framework outlined in these documents mirrors the DoD's DIACAP framework, the idea being that system administrators can ensure the confidentiality, integrity, and availability of their data by implementing a set of standard security controls based upon the criticality of the network and the sensitivity of the data it's processing. The system can then be reassessed as necessary. It's a pretty standard concept, but I'm enjoying learning the ins and outs of it, to include going through the security controls with a fine-toothed comb.

Some organizations would do well to implement a system similar to the DoD's DIACAP system; for most organizations, however, the NIST Risk Management Framework is a more realistic option, particularly if a responsible cost/benefit analysis precludes said organization from investing in the infrastructure and manpower required to meticulously document and monitor every last item in excruciating detail.

Tuesday, July 15, 2014

Recent Analysis of the Snowden Leaks

A year later, Edward Snowden's leaks remain controversial. There have been two good articles in the last week that are worth reading, and they do a good job of outlining some of the intelligence challenges involved with the NSA's controversial data collection efforts. First, Mark Stout at War is Boring publishes a great piece in WOTR's (w)Archives series, with the following money quote:
Reasonable debates can be had—should be had—about how aggressively NSA and other intelligence agencies should collect and how long they should retain useless material. But we should have this debate in full knowledge that the problem of incidental collection can never be solved.
Second, another WOTR (w)Archives piece by Stout unravels the comparisons between Snowden and Pentagon Papers leaker Daniel Ellsberg, who's enjoyed a refreshed public podium in the wake of Snowden and Manning's leaks.

Finally, Benjamin Wittes at the Lawfare Blog analyzes the latest round of Snowden leaks. Wittes' money quote:
Finally, I want to say a word here about the ethics of this leak. Snowden here did not leak programmatic information about government activity. He leaked many tens of thousands of personal communications of a type that, in government hands, are rightly subject to strict controls. They are subject to strict controls precisely so that the woman in lingerie, the kid beaming before a mosque, the men showing off their physiques, and the woman whose love letters have to be collected because her boyfriend is off looking to join the Taliban don’t have to pay an unnecessarily high privacy price. Yes, the Post has kept personal identifying details from the public, and that is laudable. But Snowden did not keep personal identifying details from the Post. He basically outed thousands of people—innocent and not—and left them to the tender mercies of journalists. This is itself a huge civil liberties violation. And we should talk about it as such. I suspect, alas, that we won’t.
One of my former instructors used to refer to this as the "Vacuum Cleaner Problem": in the course of "hoovering up" all of the bits that add up to actionable intelligence, the intelligence practitioner will necessarily "hoover up" a lot of information that's incidental and irrelevant. Thus far, the NSA has done a fairly good job of protecting that data so that people who may have ancillary connections to terrorists don't find their lives disrupted. The same can't be said for Edward Snowden, whose conduct from the outset has been far less conscientious.

Saturday, July 12, 2014

Controversy with Facebook's Algorithm

Following up on this post from a few weeks ago about Buzzfeed collecting data about its users, it's been revealed that Facebook experimented on its users by altering its newsfeed algorithm. The metadata issue is a big one, and it's one about which the average user has very little control except to not use services which are necessary for everyday living. (Another corollary to this: smartphones and the services they offer. I've touched on this one before.) In many cases, the best approach may be to simply limit the amount of information you post online, while recognizing that if a major website isn't charging you for its services, it's you and/or your data that it's selling.

Saturday, June 28, 2014

Rethink Those Quizzes...

You know all of those quiz results that have been inundating your Facebook news feed lately? You know how many of them are through Buzzfeed? Regardless of where you're taking them, you ought to reconsider them - they're aggregating data about you.

Tuesday, June 3, 2014

Update

For those who may be dismayed at my lack of recent posts, I've accepted a position and am in the process of relocating. Once I'm settled, regular posting will resume.