STE WILLIAMS

Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?

Four cryptography experts have backed a US Senator’s campaign to force the FBI to explain how exactly a Feds-only backdoor can be added to strong and secure encryption.

The four are: Stanford professor Martin Hellman, of Diffie-Hellman fame and who helped invent the foundations of today’s crypto systems; Columbia professor and USENET co-creator Steve Bellovin; top cryptographer Paul Kocher; and information security guru Bruce Schneier.

All four this week signed a letter [PDF] to Senator Ron Wyden (D-OR) applauding his “effort to find out with whom the bureau has been consulting and which cryptographic experts believe an exceptional access system can be built securely.”

Late last month, in response to a speech given by FBI director Chris Wray in which he argued that tech companies “should be able to design devices that both provide data security and permit lawful access with a court order,” Wyden sent a memo [PDF] to the bureau boss taking issue with his position.

Flawed

Calling the idea of introducing backdoors into software a “flawed policy that would harm American security, liberty, and our economy”, Wyden noted that “experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences.”

He asked Wray to produce a list of the eggheads the FBI was talking to about designing such a system, giving a deadline of February 23. The letter from the four cryptography experts is seemingly designed to bolster that request.

“The FBI is asking engineers to design a highly complex, yet secure, system,” the crypto-boffins noted in their missive. “Just because a non-technical person believes that such a system can be developed does not make it so. In fact, and as your letter notes, many experts have warned that security would be weakened by exceptional access mechanisms.”

Therefore, they argue, it is “extremely important” that the FBI reveal “which cryptographic experts believe an exceptional access system can be built securely.”

Vague

The letter also stresses that “instead of vague proposals that sound reasonable yet lack details, the FBI needs to present the cryptographic research community with a detailed description” of what is being proposed in order to allow it to be analyzed “in an open and transparent manner so that its advantages and disadvantages can be weighed.”

The FBI is unlikely to do so because it is a virtual certainty that cryptographers, mathematicians, and engineers will be able to find a flaw in any system that knowingly introduces a secret hole. The insistence that such a system is even possible while still remaining secure has its own term: magical thinking.

The FBI is also unlikely to release the names of those it has been consulting over fears that they would be ridiculed and come under pressure from their peers not to work on such an approach.


However, Wyden’s refusal to accept the vaguely ridiculous impasse that exists between law enforcement and technology companies is to be applauded. For several years, technology giants have argued that they are not able to securely introduce a backdoor into encryption software without also making it potentially accessible to criminals, hackers, foreign spies and other malicious actors – a flaw is, after all, a flaw.

In response, law enforcement and some politicians – in Europe and the United States – have repeated the same argument almost verbatim: that they are sure that the “brilliant brains” at tech companies can come up with a solution that will work.

As we noted last month, the reality is that those in favor of backdoors are just treading water until something happens that causes a shift in public opinion – most likely a terrorist incident – and allows governments to insist on backdoored communications and file storage.

Until that happens, the FBI, Five Eyes intelligence agencies, and the UK’s Prime Minister will keep insisting that such a solution is possible in order to prevent the issue from being settled in people’s minds. The impasse is likely to stay in place for some time, despite Wyden’s best efforts. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/cryptography_experts_fbi/

Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn’t keeping up.

It’s almost like something out of Star Trek. Imagine an alien who can see you, but whom you can’t see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you’re down for the count. How would you fight it? How could you fight it?

Those invisible aliens may not have landed on earth just yet, but invisible malware — called fileless malware or in-memory malware — is wreaking havoc and bringing intergalactic war-style destruction to IT systems the world over. Like an invisible alien, fileless malware can strike from multiple directions, without victims even being aware they were targeted, until it’s too late. Fileless malware — in which hackers call malware routines remotely and load them into memory in order to compromise or steal data — is not new, but hackers increasingly have turned to that type of attack. According to McAfee, fileless threats with PowerShell malware grew by 119% in the third quarter of 2017 alone, and they have been such a rousing success that hackers plan to greatly expand their use this year, security experts are convinced.

But fileless malware is just one of numerous threats and attacks that are now in vogue; 2018 could see more and more challenging cyberattacks, experts believe. With cryptocurrencies so popular now, hackers have begun using botnets to create the computing power needed to mine coins. AI has helped hackers develop more effective social engineering messages, “weaponizing” big data and AI to convince hapless victims to open spear-phishing messages more frequently by matching the message with the personality of the recipient. And botnets that control infected devices, commanding them to infect even more devices — a “swarm effect” — will allow hackers to grow their networks of compromised devices and systems exponentially.

Add to all that the major security risks that come in the form of the Meltdown and Spectre exploits, which affect almost every person and organization that uses a computer, smartphone, tablet, or any other device, and you have the makings of what could be the most challenging year ever for cybersecurity. Attacks are likely to come fast and furious from all directions — and there’s little doubt that these new attacks, like fileless malware, will overwhelm any existing cybersecurity protocols.

Let’s take a closer look at fileless malware. How would an IT team fight it? Fileless malware actually does come in the form of a file — but it’s an innocuous file that for all the world looks like a legitimate Word or Excel file. It has no malware features that antivirus systems could catalog and blacklist; it has no suspicious profile that a sandbox could analyze and ban for improper behavior. All it contains is a link that, once clicked, lets remote malware be loaded into memory: it enables macros that fetch the malware and install it via a PowerShell script.

The macro itself contains a link that is triggered when the macro runs, meaning that the macro pops up and asks the user to click on it. The macro fetches from this link only once it has been loaded into memory, so nothing looks like a security problem while the file itself passes through the sandbox. There is nothing for it to inspect. That, in fact, is exactly what South Korean researchers discovered in December, as they examined email messages containing documents that loaded and installed malware in this manner.

Options Are Few
There is no way the current crop of cybersecurity systems — be they antivirus systems, sandboxes, or anything else — could possibly identify those files as a malware scam. The best they can do is allow documents only from verified sources (websites, email addresses) — but even that is no sure-fire guarantee; who’s to say that the sender hasn’t been compromised without his knowledge?

What’s left? Closing off the Internet altogether? Hand-vetting each and every file, document, link, or anything else that comes into the organization? Both those ideas, obviously, are impractical. The only solution is a system that can see “inside” these files — evaluating the file and the macro inside it, and determining whether it’s safe to send the file through as is. Even better would be a system that could remove the offending macros and then pass on a clean version to users, who would be able to use the file without fear.

The bottom line is that in order to pull off an exploit, hackers have to be able to deliver their wares in some form — even in a “fileless” form. If there’s one thing that won’t be different about this year, it’s that, like last year and 10 years ago, hackers must have a hook on which to hang their exploit hats. Those exploits are getting more sophisticated by the day — and cybersecurity technology is just not keeping up. There’s only one way to confront and beat invisible aliens — using X-ray specs that let the wearer see exactly what she is up against. Where are the X-ray specs that will reveal the specialized tricks hackers are successfully using nowadays? That’s a question we need to answer — and soon.


Itay brings to Votiro more than 15 years of executive management experience in cybersecurity at global technology companies based in the U.S., Europe, and Asia. Prior to co-founding Votiro, he played a key role in managing the development of equipment for the lawful …

Article source: https://www.darkreading.com/vulnerabilities---threats/fileless-malware-not-just-a-threat-but-a-super-threat/a/d-id/1331018?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Encrypted Attacks Continue to Dog Perimeter Defenses

Attacks using SSL to obfuscate malicious traffic are finding fertile ground for growth.

Image Source: Adobe Stock (tippapatt)

Traditional perimeter defenses are having a hard enough time keeping up with the dynamic nature of cloud and mobile connections with corporate assets. Attackers are further working to diminish the efficacy of defenses like firewalls, IPS devices, and UTM appliances with their own bag of tricks.

One of the top-growing techniques today is the use of SSL encryption to hide malicious traffic in plain sight. SSL attacks aren’t new, but according to recent figures they continue on an upward trajectory of prevalence as the bad guys find them extremely useful to get around perimeter protections. 

Here’s a look at this trend.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/perimeter/encrypted-attacks-continue-to-dog-perimeter-defenses/d/d-id/1331038?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercrime Costs for Financial Sector up 40% Since 2014

A 9.6% increase just in the past year, and denial-of-service attacks are partly to blame.

Financial services companies spend more on cyber incident response, on average, than any other industry, and the amount they spend per incident has swelled by 40% over the past three years, according to a new study. 

The Cost of Cybercrime Study, released Tuesday by Accenture and the Ponemon Institute, focuses on direct costs of incident response, not long-term remediation. According to the report, the finance sector’s average per incident cost increased from $12.97 million in 2014 to $18.28 million in 2017; well above the 2017 average of all other industries at $11.7 million.

Nevertheless, the financial services industry continues to lead the way when it comes to their cybersecurity programs.

“While the cost of cybercrime for financial services companies continues to rise, our research found that these companies have considerably more balanced and appropriate spending levels on key security technologies to combat sophisticated attacks than do those in other industries,” Chris Thompson, a senior managing director at Accenture, said in a statement. “This is particularly true with regard to the use of automation, artificial intelligence and machine-learning technologies, which could be critical to future cybersecurity efforts.”

In fact, the types of attacks that caused the financial services industry the most trouble were those that are as yet difficult to solve with technology, or have recently made advances in sophistication. While malware attacks were among the least costly for financial services at $5.46 million per incident on average, malicious insiders cost $169 million, phishing/social engineering cost $196.6 million, and denial-of-service attacks $227.7 million.

For more information, see here

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/operations/cybercrime-costs-for-financial-sector-up-40--since-2014/d/d-id/1331059?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

3 Tips to Keep Cybersecurity Front & Center

In today’s environment, a focus on cybersecurity isn’t a luxury. It’s a necessity, and making sure that focus is achieved starts with the company’s culture.

For IT departments — especially in large organizations — daily operations are complex, multifaceted, and often overwhelming. With so many different demands requiring attention, cybersecurity easily gets lost in the shuffle, particularly when it’s perceived to create more work or extra steps. But in today’s risk environment, keeping cybersecurity front and center is not a luxury — it’s a critical necessity. Like a reserve parachute or a water hydrant, cybersecurity is an organizational must-have, often forgotten until needed, but imperative to survival.

Ideally, your organization’s IT department focuses on preventing fires instead of putting them out post facto. Achieving this requires keeping cybersecurity central to your organization’s decision-making. But how do you make that happen?

1. Close the Skills Gap
There was a time when it was enough for cybersecurity professionals to train in a standardized protocol or two, monitor the system, and address problems as they arose. This approach is no longer enough, and it hasn’t been for years.

Software automation and the outsourcing of certain priorities (such as cloud storage) have resulted in the traditional role of the cybersecurity specialist to appear less imperative. To add value, cybersecurity professionals need to be more than just order-takers. Today’s risk environment requires creative decision makers — experts who are comfortable synthesizing information from a number of sources and choosing the best course for addressing an organization’s cybersecurity needs.

Unfortunately, there’s a significant shortage of such experts in today’s market. While earlier cybersecurity systems may have been simple enough for one or two specialists to manage, the complexity of the modern landscape means we need more people with constantly evolving skill sets to cover emerging concerns.

To keep up, organizations must assess any skill gaps on their IT teams and fill them. If immediate hiring isn’t feasible, bridge the divide by providing supplemental training, tools, and third-party resources to your existing personnel. There are many fronts to cover, and organizations should know their own weaknesses if they hope to overcome them.

2. Involve Your Security Team
As today’s cybersecurity experts evolve into tomorrow’s creative decision makers, they should also gain more influence in the boardroom. But that won’t happen overnight — and it won’t happen without proactive measures taken by cybersecurity professionals themselves.

The security team has to make itself heard. Security touches all aspects of the business, from hiring to operations, so the experts leading that charge need to clearly communicate their perspectives to business leaders. This should not only take place in the middle of a breach or other urgent challenge, but in all discussions. An organization’s technology experts have an invaluable vantage point thanks to their intimate knowledge of organizational structure, information flow, operational process, and so much more. Leadership has every reason to value their perspective.

The C-suite may take time to better leverage this expertise — and that’s OK. It will happen. By highlighting the dangers of security breaches and the efficiencies created by good security practices, cybersecurity professionals can prove the importance of integrating security measures throughout organizational decision-making and its powerful effect on the bottom line. And that’s a language everyone understands.

3. Create a Culture around Security
While a strong security approach needs leadership buy-in, that’s by no means the end of the battle. The best cybersecurity is preventative, and one of the main risks to mitigate is human error. That means keeping security top-of-mind for every user at every endpoint. It’s a daunting task, to be sure, but by no means impossible.

This can start as early as the hiring process. Make sure that human resources understands how to properly vet potential employees by showing them how to spot characteristics and details in the background check that may leave individuals open to being compromised by blackmailers. During the interview process, try to gauge whether the candidate grasps basic security best practices, whether they can spot phishing attempts or perhaps even whether they’re someone likely to leave passwords written on a sticky note by their computer.

For all employees, don’t let security training become just another checkbox. Ensure that staff are given regular and meaningful training on the latest scams. Better yet, communicate with them as threats arise and evolve. We all need regular reminders to remain vigilant against an ever-evolving world of security risks.

It takes a lot of hard work, and even so, a completely airtight cybersecurity culture is never 100% possible. But risk mitigation, as always, is the real goal here. Preempting risk requires cultural buy-in, not to mention an organization-wide commitment to making cybersecurity front and center.


Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3’s client base within both the public and private sector, and ensuring that customers properly align …

Article source: https://www.darkreading.com/vulnerabilities---threats/3-tips-to-keep-cybersecurity-front-and-center/a/d-id/1331051?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptocurrency startup LoopX exit scams with $4.5M in ICO

LoopX, the latest cryptocurrency startup/walk-out/up-in-smoke, has pulled an exit scam, leaving town with $4.5 million of investors’ money.

LoopX was pretty barebones, judging by a cached page of its web site as of Saturday and from the description of social media commentators who’ve been keeping an eye on it.

Here’s some scammy marketing blah-blah-blah from Saturday’s cached page, about having a team formed of “high-performance professionals” (without names, photos or bios) who had tested their algorithm for over half a year, with “great profits continuously every month” from its nebulous “Loop-Algorithm,” whatever that was supposed to be:

The LoopX Team was formed in September 2016 of a core group of high performance professionals to build a new kind of trading software based on our own Loop-Algorithm. After testing our algorithm thoroughly over half a year with great profits continuously every month, we can now finally bring all this advantages of our LoopX – Trading Software to the public.

We are here to help you make money in the emerging market of cryptocurrencies which is projected to grow up to 10 times the size of now until the next year. The LoopX System gives you guaranteed profits every week thanks to the most advanced Trading Software out there to date! We do not make daily payments since we consider that the margins are smaller. For us the priority is the safety of your investment. It took us little bit over a year to bring you the final product so you can benefit from the most advanced technology too.

The lights are now out at the LoopX site, its YouTube channel, its Facebook page, its Telegram, and on its Twitter account, which now shows only a link to The Next Web’s coverage of the scam, it having been the first media outlet to report on LoopX’s disappearance.

As Redditor ghostwxrk said in a discussion about the scam, “Hate to say I told ya so…”

…but they did anyway, since back in January, the Reddit user had written a post pointing out the exchange’s problems.

The signs that LoopX would turn out to be a fraud were a lack of transparency around its purportedly proprietary trading algorithm, including holding off on proof of code until after the final in a series of five initial coin offerings (ICOs). An ICO is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies where cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup: if the company takes off, they’ll theoretically be worth something.

Nor did LoopX ever offer up details about its supposed team members or developers. And then there’s that bit about the promise of consistent financial returns, as ghostwxrk pointed out:

Though they claim to have tested their “algorithm thoroughly over half a year with great profits continuously every month”, … they offer, as far as I can tell, no proof of this whatsoever.

Having yet to reveal any concrete information about the miraculous algorithm that will allow them to master crypto trading, with very little transparency regarding their dev team, and with a relatively tiny digital footprint, they’ve allegedly sold ~8.2 mil coins valued at ~$7mil USD. My question is, does this math make sense?

Those are just some of the problems the Reddit user pointed out. But as TNW noted, not everybody got the memo.

According to the cached version of its now-darkened site, investors pledged a total of 276 Bitcoin and 2,446 Ethereum into LoopX’s ICOs, which took place last month.

By TNW’s calculations, LoopX’s vanishing act marks at least the fifth time that a cryptocurrency firm has exit-scammed (or simply deflated, losing all its coin) since the beginning of 2018. The others are BitConnect, crypto-investment platform Davor, BitGrail (which blamed hackers for its $195 million loss), and perhaps one of the most memorable, the fruit and vegetable blockchain cryptocoin startup Prodeum, which left in its wake nothing but the word “penis”.

A deflating message, that.

Who are the poor, hopeful souls who pump their hard-earned money into such outfits? All without verifying any of the people supposedly behind the project, or the technology?

As Redditor wakeupalice notes, all you have to do, at the very, very least, is to check out their names on social media. What kind of cryptocurrency whiz doesn’t have a social media presence?

Researching some names on the team (even summarily through social media) is like due diligence 101. You can do that in 5 min.

Five minutes, versus a total of $4.5m in ICO gone up in smoke. I don’t know cryptocoin algorithms, but I do recognize that five minutes – far more, realistically – is worth the investment.

Be careful out there: there be snakes in these cryptocoin waters.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wfIrBNPQa8c/

New AI technology used by UK government to fight extremist content

The UK Home Office on Monday unveiled a £600,000 artificial intelligence (AI) tool to automatically detect terrorist content.

The Home Office cited tests that show the new tool can automatically detect 94% of Daesh propaganda with 99.995% accuracy. That accuracy rate translates into only 50 out of one million randomly selected videos that would require human review. The tool can run on any platform and can integrate into the video upload process to stop most extremist content before it ever reaches the internet.

The tool was developed by the Home Office and ASI Data Science. It uses advanced machine learning to analyze audio and visuals of a video to determine whether it might be terrorist propaganda.

ASI’s Dr. Marc Warner told BuzzFeed News that the tool’s algorithm works by spotting “subtle patterns” that exist in extremist videos:

We’ve created an artificial intelligence algorithm, which is highfalutin words for a sophisticated computer program to detect extremist content online. It works by spotting subtle patterns in the extremist videos that distinguish them from normal content, from the rest of the internet.

ASI has been reticent about sharing details of how the algorithm works. They want to get the details right first, Warner told the BBC.

What we do know is that the model has been trained using over 1,000 Daesh videos and that, being platform-agnostic, it can be used to support the detection of terrorist propaganda across a range of video-streaming and download sites in real-time.

We can look to bigger platforms that are already working on their own extremism-focused machine-learning projects to make some educated guesses as to what the tell-tale “subtle patterns” might be that Dr. Warner said the algorithm picks out.

When Facebook announced its own project in June, Monika Bickert, the company’s director of global policy management, and Brian Fishman, its counterterrorism policy manager, gave some concrete examples of what the technology was already doing:

  • Image matching. Just as internet services use hash values to automatically detect known child abuse images without having to actually read message content, Facebook’s systems automatically look for known terrorism photos or videos in uploads. If Facebook has ever removed a given video, for example, this automatic hash value matching can, and sometimes does, keep content from being reuploaded.
  • Language understanding. Facebook has experimented with analyzing text it’s removed for praising or supporting terrorist organizations. As of June, it was working on an algorithm to detect similar posts based on text cues.
  • Removing terrorist clusters. When Facebook identifies Pages, groups, posts or profiles as supporting terrorism, it uses algorithms to “fan out” to try to identify related material that may also support terrorism. For example, whether an account is friends with a high number of accounts that have been disabled for terrorism, or whether an account shares the same attributes as a disabled account.
  • Recidivism. Facebook said in June that it was getting “dramatically” faster at whacking moles.

Twitter, for its part, has been ferociously attacking extremist content: its most recent Transparency Report released in March, said that between July 1 2016 and December 31 2016, a total of 376,890 accounts were suspended for violations related to promotion of terrorism. Twitter emphasized at the time that 74% of those suspensions were accounts surfaced by its internal, proprietary spam-fighting tools. Government requests to shutter accounts represented less than 2% of all suspensions.

But while the larger internet platforms have resources to put into these projects, smaller platforms are on their own. That makes them the target for the UK-funded AI tool, the Home Office said: it wants to put machine learning technology into the hands of online companies such as Vimeo, Telegra.ph and pCloud to remove terrorist content from their platforms.

The Home Office said that such smaller platforms “are increasingly targeted by Daesh and its supporters,” yet they often lack the resources to develop sophisticated technology to weed out the content.

The technology was announced a day before Home Secretary Amber Rudd was heading to Silicon Valley to meet with communication service providers on the subject of tackling terrorist content online.

This is only the latest in the UK’s ongoing battle to get technology providers to stop the spread of extremist material. Last year’s terrorist attacks in London added to what was already a years-long war between Silicon Valley and multiple governments over fighting terrorism, including battles over encryption and proposed curbs on hate speech videos on social media.

While she was in Silicon Valley on Tuesday, the home secretary told the BBC that the AI tool proves that the government’s demand for the tech giants to clamp down on extremist activity is a reasonable one:

The technology is there. There are tools out there that can do exactly what we’re asking for. For smaller companies, this could be ideal.

And as for the bigger companies, if they don’t figure out this problem on their own, Rudd said, the UK government could well force their hands:

We’re not going to rule out taking legislative action if we need to do it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/luztUcOzFtw/

Bitcoin mining to zap more energy than households in Iceland this year

As far as Bitcoin miners are concerned, Iceland is starting to look like the best place in the world to run a business.

Perched on the edge of the Arctic Circle, datacentre capacity is plentiful, renewable energy affordable, and the reliably chilly climate helps with cooling.

According to the BBC, Bitcoin mining is growing so fast here that the 840 gigawatt-hours of electricity the industry is predicted to consume in 2018 will exceed what the country’s population needs to power their own homes.

This sounds like crazy demand but a caveat is that Iceland’s population is only 340,000. Another is that individuals use only around 5% of the country’s energy with much of the rest guzzled by its large aluminium industry – Bitcoins are unlikely to drain Iceland’s energy grid.

What’s still striking about Iceland’s mining boom is the incredible speed with which demand is growing.

Compared to 2017, it has doubled, and it keeps coming. AP quotes the manager of one datacentre:

Just today, I came from a meeting with a mining company seeking to buy 18 megawatts.

And it’s not just Iceland: “coin rushes” are being reported in other parts of the world too, reminders of the controversial and power-hungry economics on which Bitcoin mining depends.

Bitcoins are made when miners compete to solve and confirm mathematically challenging problems in return for a reward. Significantly, as more miners or resources take part, the problems are made harder to solve so that the rate at which new coins are mined stays the same.

As well as consuming large amounts of electricity, this design is incredibly wasteful, because a lot of computing power ends up achieving nothing simply in order to take part.

This has long since pushed the computational power required far beyond desktop computers and into the realms of specialised ASIC chips and centralised datacentres that can house the resources needed to make a profit.
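To show why extra hashing power does not mint coins any faster, here is a toy SHA-256 proof-of-work with Bitcoin’s retargeting rule (example code written for this piece, not from the article or any real Bitcoin implementation); the target size, retarget interval and hashrates are constructed for the demo, and only the 600-second block spacing and the 4x clamp are Bitcoin’s own.

```python
import hashlib
import struct

MAX_TARGET = 2**248       # constructed: difficulty 1 needs ~256 hashes on average
RETARGET_INTERVAL = 4     # constructed (Bitcoin retargets every 2016 blocks)
BLOCK_SECONDS = 600       # Bitcoin's intended ten-minute block spacing


def target_for(difficulty: int) -> int:
    """Higher difficulty means a smaller numeric target, so more hashes are needed."""
    return MAX_TARGET // difficulty


def mine(prev_hash: bytes, difficulty: int) -> tuple[int, bytes]:
    """Brute-force nonces until sha256(prev_hash || nonce) falls below the target.
    Returns (hashes_tried, block_hash); every failed attempt is wasted work."""
    target = target_for(difficulty)
    nonce = 0
    while True:
        digest = hashlib.sha256(prev_hash + struct.pack("<Q", nonce)).digest()
        if int.from_bytes(digest, "big") < target:
            return nonce + 1, digest
        nonce += 1


def retarget(difficulty: int, actual_seconds: float) -> int:
    """Bitcoin's rule: new = old * expected_time / actual_time, clamped to 1/4x..4x."""
    expected = RETARGET_INTERVAL * BLOCK_SECONDS
    factor = max(0.25, min(4.0, expected / actual_seconds))
    return max(1, round(difficulty * factor))


def simulate(hashrates: list[float], difficulty: int = 8) -> list[tuple[int, float]]:
    """One retarget epoch per hashrate value (hashes per second), using the
    expected hash count 2**256 / target so the run is deterministic.
    Returns (difficulty, seconds_per_block) for each epoch."""
    epochs = []
    for rate in hashrates:
        seconds_per_block = (2**256 / target_for(difficulty)) / rate
        epochs.append((difficulty, seconds_per_block))
        difficulty = retarget(difficulty, RETARGET_INTERVAL * seconds_per_block)
    return epochs


if __name__ == "__main__":
    tried, block_hash = mine(b"constructed-previous-block-hash", 4)
    print(f"found block after {tried} hashes: {block_hash.hex()}")
    # Doubling the hashrate briefly halves block time, then difficulty catches up.
    for diff, secs in simulate([4.0, 8.0, 8.0]):
        print(f"difficulty {diff:3d} -> {secs:7.1f} s per block")
```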

Contrast this with the recent cryptomining craze to create a currency called Monero which, unlike Bitcoin, can still profitably (and anonymously) be mined using PC CPUs or GPUs.

It’s easy to exaggerate power usage: for example, the recent Newsweek story suggested that currency mining was growing so fast it might “consume all the world’s energy by 2020.”

This seems unlikely. Either demand would raise electricity prices, making mining unprofitable, or governments would talk down the market with threats of regulation.

In Iceland, the solution might be to tax cryptocurrency miners. Pirate Party member Smari McCarthy tweeted:

Cryptocurrency mining requires almost no staff, very little in capital investments, and mostly leaves no taxes either.

The thinking is clear: Iceland is still a great place to mine Bitcoin, but it might also end up as the country that teaches the world how to tame the miners’ insatiable demands.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6jf43KCcguA/

When crooks mine cryptocoins, but you pay [Naked Security Podcast 1]

Many of you asked – and waited very patiently, we must admit – for a Naked Security podcast.

Wait no more, because Episode One is here!

In the Naked Security Podcast, we’ll be taking recent security news stories and turning them into advice – instead of just revisiting the news angles, we’ll dig into what happened, explain how it happened, and help you learn from it.

In our first episode, we had the very good fortune to get Fraser Howard of SophosLabs in front of the microphone to teach us about cryptojacking – where crooks mine for cryptocurrency, but someone else pays the electricity bills.

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yfd78s37XRE/

South China waters are red, Brit warships are blue, HMS Sutherland’s sailing there

A British warship has set sail for the South China Sea, paving the way for aircraft carrier HMS Queen Elizabeth to do the same thing in three years’ time.

HMS Sutherland, a Type 23 frigate, will sail through the disputed region on her way home from Australia, as much to fly the flag in foreign climes as to carry out a dry run ahead of the nation’s flagship doing the same thing in 2021.

The South China Sea is one of the world’s naval choke points. Very high values of trade (the total value was estimated by the Daily Telegraph as £3.8tn) either originate in or pass through the sea. The region is under dispute chiefly because of China, which is trying to extend its territorial limits (and thus the area it can directly control) by building artificial islands to embiggen its borders.

Sutherland will be carrying out a freedom of navigation exercise, which is where a warship sails through a disputed bit of sea to send the message “you can’t stop us doing this”. The idea is to reinforce the notion that international waters, where anyone has right of free passage, can’t be unilaterally claimed by one country.

The South China Sea, as marked on Google Maps

“She’ll be sailing through the South China Sea (on the way home) and making it clear our navy has a right to do that,” Defence Secretary Gavin Williamson told The Australian newspaper.

The US Navy has been carrying out its own freedom of navigation exercises (FONOPs) in recent years as a direct challenge to China, including aircraft carrier battle groups sailing through the region.

What is less well known is that the UK has signed up to do that exact thing on new aircraft carrier HMS Queen Elizabeth’s first operational deployment in 2021. The ship, which will have finished her sea trials and flight trials, will be sent to the region along with a combined UK-US Marine Corps air wing of F-35B supersonic stealth fighter jets. It seems likely that the air wing will consist of 24 jets: two squadrons of 12, one each from the UK and the USMC.

New British aircraft carrier HMS Queen Elizabeth seen approaching Portsmouth for the first time in August 2017. Crown copyright

It seems plausible that this is effectively a thank you to the Americans for keeping British carrier operating skills alive in the ten years (as it will be by 2021) since Britain last had an operational fast jet carrier. The skills to operate these ships, ranging from flight deck operations to maintenance to fast turnarounds, are highly perishable unless practised regularly. British “Seedcorn” personnel have been embedded with the US Navy and US Marines to learn and maintain these crucial skills. The return on investment for America seems to be the chance to have an allied aircraft carrier cover for one of its own regular deployments.

Naturally, China does not appreciate FONOPs in the South China Sea. Geng Shuang, a spokesman for the nation’s foreign ministry, told The Telegraph, in response to news of Sutherland’s mission: “Currently the South China Sea is calm and tranquil. We hope other countries won’t begin stirring up trouble.”

Meanwhile, Chinese state propaganda publication the Global Times demanded that the Royal Navy should “behave modestly” while transiting the South China Sea – and said that the MoD is “trying to validate its existence and grab attention”, as translated by Channel News Asia. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/14/britain_south_china_sea_warships/