STE WILLIAMS

Lavabit and Silent Circle form "Dark Mail Alliance" to thwart email surveillance

Two encrypted-email companies that shut down while struggling to keep metadata out of the US government’s hands have announced that they are teaming up to create a new, open-source email protocol built around security and privacy, and that they plan to help the world ditch the old one: Simple Mail Transfer Protocol (SMTP).

The collaboration, dubbed the Dark Mail Alliance, between founding companies Lavabit and Silent Circle, will be focused on maintaining and organizing the open-source code for the new email protocol.

The companies announced the alliance at Wednesday’s Inbox Love conference, held at Microsoft’s Silicon Valley campus, saying that they hope to “change the world of email completely by putting privacy and security at its core.”

The two founding companies also plan to bring other members into the alliance and to assist future recruits to implement the new protocol.

Specifically, Lavabit and Silent Circle will work jointly to help email software developers and service providers proliferate what they’re calling Email 3.0, a “private, next-generation, end-to-end encrypted alternative.”

As it is, email is now “fundamentally broken from a privacy perspective”, Lavabit said in its press release:

What we call ‘Email 3.0’ is an urgent replacement for today’s decades-old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’).

Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.

Ars Technica’s Cyrus Farivar reports that the new protocol is set for a mid-2014 release.

Silent Circle CTO Jon Callas told Ars that it’s high time to boot the antiquated SMTP out the door:

This is just another transport – what we’re getting rid of is SMTP. We like to laugh at it, but there are reasons why it was a good system. We’re replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.

The new protocol will be based on Extensible Messaging and Presence Protocol (XMPP), a set of open Extensible Markup Language (XML) technologies for real-time online communication, including instant messaging, presence, multiparty chat, voice and video calls, online collaboration, gaming, file transfer, Internet of Things applications including the smart grid, and social networking services.

As Cisco describes it, the core technology behind XMPP was refined in the Jabber open-source community in 2000 and formalized by the Internet Engineering Task Force (IETF) in 2002 and 2003.

Silent Circle’s Callas told the conference that the company’s existing Silent Circle Instant Messaging Protocol (PDF) was a rough “alpha” of the new Dark Mail protocol.

Dark Mail will be available as an add-on or an option to existing email providers, which means that companies such as Google could opt to use it with Gmail, for example.

That’s not an entirely unimaginable outcome, I would say, given how furious Google reportedly is over new documents from NSA whistleblower Edward Snowden that point to the US’s National Security Agency (NSA) having infiltrated links to Yahoo and Google data centers worldwide.

Lavabit founder Ladar Levison told Ars that he will soon launch – possibly as soon as Tuesday – a Kickstarter campaign to fundraise for the Dark Mail Alliance to open-source Lavabit’s code “with support for Dark Mail built-in.”

Farivar reports that the first 32 companies to donate $10,000 will get a pre-release 60 days before the public gets it and thus will be able to be the first companies to integrate it into their systems.

Lavabit, Snowden’s former email provider, shuttered its service in August following court orders demanding metadata about an unnamed user who many assume was Snowden.

Levison did, actually, end up giving the government Lavabit’s cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that didn’t quite fly with the government’s judge.

Shuttering Lavabit’s service meant that even though the government had the key, they didn’t have anything to open with it.

Silent Circle, for its part, in short order followed Lavabit’s example, pre-emptively shutting down its Silent Mail service in anticipation of the government getting its hands on the metadata that is, for now, inevitably associated with email.

The goal of ditching SMTP is ambitious: it’s now used for almost all email that travels on the Internet.

But as Ars reader Major General Thanatos commented, the NSA’s vigorous surveillance propensities well might have provided the world with a good reason to put its shoulder to the task and make the switch.

Would switching to XMPP stop spying once and for all? If so, how painful would such a switch be? Can you imagine the world actually doing it?

Let us know your thoughts in the comments section below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vEFFtSzgqLE/

Facebook mulls silently tracking users’ cursor movements to see which ads we like best

Facebook is testing data mining methods that would silently follow users’ mouse movements to see not only where we click but even where we pause, where we hover and for how long.

And holy mackerel, did somebody say something about there being the potential ability to track how long a user’s cursor hovers over an oh-so-tasty, revenue-generating ad?

Why yes, and that somebody was Ken Rudin, Facebook’s analytics chief.

At the Strata and Hadoop World Conference in New York on Tuesday, Rudin told the Wall Street Journal that the already data-stuffed social network would have to purchase data pants with a stretchy waistband if it does decide to gorge itself on data about users’ cursor movements.

Rudin told the WSJ that the ongoing tests are part of a broader technology testing program.

Facebook should know in the coming months whether incorporating the new data collection makes sense for a slew of uses, be it product development or more precise targeting of ads, he said.

Facebook is looking at collecting data such as “did your cursor hover over that ad … and was the newsfeed in a viewable area,” he said.

You well might question whether cursor tracking isn’t in fact already a standard part of web analytics.

Back in 2011, Microsoft researchers looked at how to use cursor movement to understand and improve search results.

They came up with an easy way to track users’ gaze direction on a website using nothing but a standard web browser and a practically imperceptible piece of JavaScript of less than 1KB that could be run invisibly on any page without slowing its load time or a browser’s performance, as MIT Review described at the time.

It turns out that where we place our mouse cursor closely correlates with eye gaze – i.e., what we look at on pages – especially when looking at search results, the researchers found.

The researchers came up with (PDF) the ultralightweight gaze-tracking tool by examining mouse cursor behavior on search engine results pages, including not only clicks but also cursor movements and hovering over different page regions.

On page 5 of the Microsoft paper, images of heat maps of click positions vs. recorded cursor positions show that cursor movements provide far richer data about how frequently a user interacts with a given page.

Two years later, is Facebook ahead of the curve in planning cursor tracking, or is it playing catchup?

It turns out that Facebook well might be in the vanguard, given that advances in cursor tracking haven’t yet replaced, to any extensive degree, simple maps such as those for Google Analytics that merely show where we’ve clicked on a page.

In fact, such click maps, typical of most website analytics, don’t actually show where a user has clicked; rather, they show only which page the user ended up on and which links lead there.

Exceptions to the web analytics status quo of simple click maps include third-party services that do, in fact, offer cursor and hover tracking.

The WSJ reported on one such service, Shutterstock, in March.

At the time, Shutterstock founder and CEO Jon Oringer said that his company – which is a marketplace for digital images – was looking at “every move a user makes,” including where site visitors place their cursors and how long they hover over an image before making a purchase.

Rudin, being Facebook’s data chief, is preparing the company’s infrastructure for the massive data binge that would come out of such cursor/hover tracking.

But as Rudin himself pointed out, the deluge of information isn’t going to help anybody unless Facebook can figure out how to make use of it:

Instead of a warehouse of data, you can end up with a junkyard of data.

He told the WSJ that he’s led a project to index the data in Facebook’s analytics warehouse, which is actually separate from its user data.

JavaScript processing has relieved the strain on the browser for this type of tracking. Now, the only problem that remains is how to store and process all the resulting data.

What do you think: if Facebook does decide to collect the new behavioral data and actually does manage to cinch its belt around its resulting bloated data belly, will users’ privacy be that much more pinched?

Or have we already been chewed up and digested to the point that it really doesn’t matter any more?

Let us know in the comments section below.

And not that we want to make you feel guilty or anything, but we think you should know that our feelings will be hurt unless you hover long and lovingly over everything posted on – where else? – Naked Security’s Facebook page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EAPLQ9SHT2w/

The "BadBIOS" virus that jumps airgaps and takes over your firmware

A number of readers have asked us, “What do you guys have to say about the BadBIOS story that’s unfolding at the moment?”

In a nutshell, it’s a story about a virus that is claimed to have some remarkable characteristics.

Sufficiently remarkable, in fact, to inspire Ars Technica’s Dan Goodin to describe it as not just “mysterious” but “omnipotent.”

What it does

Here are some of the claims that have been made about the BadBIOS virus:

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.
  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.
  • It is said to prevent infected systems being booted from CD drives.
  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.
  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.
  • It is said to infect simply by plugging in a USB key, with no other action required.
  • It is said to infect the firmware on USB sticks.
  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.
  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.
  • It is said to block access to Russian websites that deal with reflashing software.
  • It is said to render any hardware used in researching the threat useless for further testing.
  • It is said to have first been seen more than three years ago on a Macbook.

By now, you may be thinking that this sounds more like a science fiction movie than real life.

In fact, if you’re a certain age, you may well be waiting for Jeff Goldblum to burst forth with a Mac, some mysterious and omnipotent file transfer software, and a countervirus that will save the planet.

You’re probably also thinking that with as many symptoms, twists, turns and apparent tell-tales as are listed above, we ought to know a lot about it after three years.

The thing is, all the facts above come from one observer on Twitter, @dragosr, the guy who runs the CanSecWest, Eusec and PacSec security conferences.

The abovementioned details have only come out in the past short while, so we can collectively be excused for not knowing an awful lot just yet.

What we know

One BIOS sample file has been made available; SophosLabs took a brief look and largely concurred with an already-public analysis published on Reddit. (For the record, our analysts didn’t see the Reddit story until after they’d looked at the file.)

The BIOS we saw seems all but identical to an official Dell Alienware BIOS, so it would be no use on a Mac, for example.

And even if a byte-by-byte analysis of the whole BIOS were to reveal a pre-planted backdoor, that would nevertheless only be one small part of the whole story.

Furthermore, the software defined radio and speaker-to-microphone infection vectors mentioned above, as a vehicle for jumping airgaps, sound highly speculative.

Not impossible, of course – never say impossible where malware is concerned, not least since Stuxnet appeared – but certainly very unlikely.

Spreading via USB sticks, like Stuxnet did, would surely be a satisfactory explanation on its own (though the part assuming automatic code execution via USB on multiple operating systems sounds highly speculative, too).

Imagine that you could reliably get an infected system to beam out radio waves in the absence of any radio hardware, for example by relying on some serendipitously-located internal circuit parts to serve as your transmitter and antenna.

Imagine that you could somehow turn on the speaker and produce reliably-decodable but inaudible sounds.

How would you persuade the uninfected computer to receive them at all, let alone to treat them as shellcode that would ultimately let you reflash the BIOS?

What we can predict

So the short answer to the question of what we have to say about BadBIOS is, “We can’t yet say.”

Based on @dragosr’s tweets, it looks as though additional information, including access to affected USB sticks, will become available at the PacSec conference in Tokyo in just under two weeks’ time; until then, says Dragos, he’s got to knuckle down to prepare for the event.

And, talking of the event, there are various papers about firmware and BIOS level attacks at PacSec 2013, so let’s hope that one or more of them will shed some light on what’s true and false about BadBIOS.

Until then, it’s a bit like the dilemma we faced nearly five years ago when the Conficker virus came out and stood poised to do something new on 01 April 2009.

Everyone wanted to know what it would do, but all anyone could say with honesty was, “We shan’t know until 01 April.”

What to do about BadBIOS

I don’t think there is any need for alarm over the BadBIOS story.

There isn’t an obvious threat to everyone (like there was with Stuxnet, even before we knew its inner purpose); it doesn’t seem to be spreading in the wild (like Stuxnet was, despite having a specific target); and there are plenty of clear and present threats we can usefully concern ourselves with in the interim.

So that’s about that for now, I’m afraid – it’s a question of watching and waiting.

NB. It’s possible, of course, that this is an elaborate hoax, intended as a combined publicity exercise and social engineering experiment that will be wrapped up at PacSec. If so, expect it to be aimed at outing anyone who jumped to detailed conclusions without having the details to go on!

Image of funky looking chip courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kydogb48DeQ/

96% of businesses are unprepared for a cyber attack

A new survey has discovered that out of the 1,909 executives questioned, 96% believe their business is unprepared for a cyber attack.

Ernst & Young, who carried out the research, said in its report:

As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless and often politically motivated.

There are several reasons cited as to why businesses continue to feel vulnerable to attack.

The largest issue identified via the survey was financial, with 65% of respondents saying that budget constraints posed the biggest barrier to meeting security expectations.

In smaller businesses, with annual revenues under $10 million, the level of concern about budgets rose to 71%.

But with 68% of the respondents saying that their security function only partially meets the needs of the business, security professionals would seem to have much work to do in order to justify any increases in funding that they hope to acquire.

Of more concern, perhaps, was the finding that many businesses are struggling to acquire the required information security skills.

50% of those surveyed said that a lack of skilled resources was a problem within their organisation. Furthermore, 31% of businesses cited issues at executive level, saying that there was a shortage of support or awareness.

Another perennial problem, that of the growth in the number of threats, was also apparent. 59% of respondents said that their company had seen an increase in the number of external threats over the last year.

Some 31% said that the number of security incidents over that same period had increased by at least 5%.

Mark Brown, Ernst & Young’s director of information security, said,

This year’s results show that while businesses are faced with a rising number of security breaches, budget constraints and talent shortages mean that they fail to put in place those systems that match their needs.

It’s not all bad news though. The survey also highlighted the fact that 70% of organisations said that their information security policies are now handled at the “highest level” within the business, with the person in charge of security reporting directly to the CEO in 1 in 10 companies.

In 35% of the businesses, the security team reported to the board on a quarterly basis, and just over 10% reported on a monthly basis.

Despite concerns over budget constraints, almost half of the responding firms said that the funds made available to the security team were actually on the rise.

Small businesses with a turnover of less than $10m saw the biggest budget increases in percentage terms.

Ernst & Young say there is more still to be done:

Organizations are making good progress in improving how they manage the risks they already know. However, with only 17% of respondents indicating that their Information Security function fully meets the needs of the company, they still have a long way to go.

One area in which improvement could certainly take place is security awareness. I was shocked to see that only 23% of the companies in this survey placed it in their top two priorities and 32% considered it the least important part of the security mix.

As Ernst & Young say:

Organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions. These efforts need to be championed by executives at the highest level of the organization, who need to be aware that 80% of the solution is non-technical — it’s a case of good governance.

Tellingly, the report ends by saying that:

Too frequently, information security is perceived as a compliance necessity and a cost burden to the business. Executives need to view information security as an opportunity that can truly benefit the company and its customers.

Image of city skyline courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p6r5v-XrtK0/

Win XP? Your PLAGUE risk is SIX TIMES that of Win 8

UK-based Windows XP users were six times more likely to actually be infected than their counterparts who use more recent versions of Windows, according to figures from Microsoft.

The company is likely trying to highlight the infection rates of the 12-year-old OS as a way to get customers to upgrade. It says that 9.1 in 1,000 XP (SP3) boxes scanned – which is just under one per cent – had been found to be infected.


The software giant’s latest annual “Security Intelligence Report” reports that, on average, 17 per cent of computers worldwide encountered malware during the first half of 2013.

Top threats facing the UK include HTML/IframeRef – “specially formed” iFrame tags that point to remote websites containing malicious code; Sirefef – a rogue security software family called Antivirus 2010 among other names; and BlacoleRef – malicious JavaScript inserted into compromised websites that redirects browsers to the infamous Blackhole Exploit Kit.

From Microsoft’s report

The Microsoft Security Intelligence Report takes data from over one billion sources across the Windows landscape – data was drawn from Redmond real estate such as its Malicious Software Removal Tool, Exchange Online, Windows Defender and more (see page 134) – providing an overview into the threat landscape across Windows boxes around the world. The information was collected during the first six months of 2013.

The research also looks at software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software and security vulnerabilities in both Microsoft and third-party software.

“Vulnerability disclosures across the industry decreased 1.3 per cent from 2H 2012, and 10.1 per cent from 1H 2012. An increase in operating system vulnerability disclosures in 1H 2013 largely offset a corresponding decrease in application vulnerability disclosures during the same period, resulting in little overall change,” according to Microsoft.

“Overall, however, vulnerability disclosures remain significantly lower than they were prior to 2009, when totals of 3,500 disclosures or more per half-year period were not uncommon.”

Microsoft doesn’t provide a reason but El Reg’s security desk suspects that some combination of improved security practices among vendors and the growth in the exploit marketplaces (which naturally result in lower vulnerability disclosures) is behind the change.

Application vulnerability disclosures accounted for 63.5 per cent of total disclosures for the first half of 2013. Operating system vulnerabilities accounted for 22.2 per cent of total disclosures, while browser bug reports made up the remaining 14.3 per cent.

Redmond is urging laggard Win XP users to upgrade their machines before security updates for the OS end on 8 April 2014. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/31/security_intelligence_report_microsoft/

Snowden: Oh, PLEASE let me come to Germany and help Merkel with her phone

NSA squealer Edward Snowden has offered to pop over to Germany to help investigate allegations that Chancellor Angela Merkel’s phone was tapped by US spies.

German Green Party MP Hans-Christian Stroebele met Snowden in Moscow, Russia for three hours on Thursday – the lawmaker said on his website [in German].


The two men discussed the possibility of the one-time US spy agency IT contractor-turned-whistleblower assisting a German parliamentary inquiry into whether Merkel’s phone had been snooped on by stateside spooks.

Snowden offered to come to Berlin, Stroebele said, but added that certain “conditions” would need to be considered to guarantee that Snowden – who is currently enjoying temporary asylum in Russia – would be granted a safe passage to Germany if such a visit is approved by the country.

Stroebele told Reuters that Snowden “made it clear he knows a lot and that as long as the National Security Agency blocks investigations… he is prepared to come to Germany and give testimony, but the conditions must be discussed.”

Snowden, who now has an IT support job at a major, unnamed Russian website, leaked evidence of mass surveillance being carried out by operatives at the National Security Agency in the US and in Britain’s listening nerve centre – GCHQ.

He is wanted by US authorities over espionage charges.

Germany’s parliament will convene a special session on 18 November where the alleged surveillance of Merkel’s phone will be discussed. Some MPs want Snowden to give evidence at the inquiry – but it’s possible that he could do so via a video link from Moscow. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/edward_snowden_wants_to_investigate_merkel_phone_tapping_in_germany/

A post-Snowden US had better not SQUEAL about Chinese cyber-spying

RSA Europe 2013 – The US can’t complain about Chinese cyber-espionage in the wake of the ongoing revelations from Edward Snowden, according to a leading US cyber-intelligence expert.

Bill Hagestad, a US Marine Corps lieutenant colonel turned cyber conflict author and researcher, takes the view that all countries spy electronically and we should just “get over it”.


“China is becoming an economic powerhouse and its strategy of stealing intellectual property is contributing to this,” Hagestad told El Reg. “However, it was the US that first militarised cyber-space by creating a Cyber Command, so it’s no surprise that China followed with its own version – or that Russia and Iran followed afterwards.”

During the RSA Conference in Amsterdam this week, Hagestad presented a session featuring a comparative analysis of Chinese, Russian and Iranian cyber-capabilities. All three countries share the common aim of maintaining their cultural identity and protecting against so-called Western influence in cyberspace.

Hagestad’s presentation (PDF, 91 pages) took place on Wednesday, a day before US Secretary of State John Kerry admitted the US might have overreached in aspects of its dragnet surveillance programme.

Although he didn’t go into specifics, Kerry is the first to admit that aspects of the strategy were counterproductive, though he did defend electronic surveillance as being vital in the fight against terrorism. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/snowden_effect_us_china_cyberespionage/

How Dark Mail Alliance hopes to roll out virtually NSA-proof email next year

The Dark Mail Alliance has revealed more details of plans to build a secure, encrypted email system that’s surveillance-proof, provided the user’s machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, told The Register that the idea for the service came when he met up with Ladar Levison, founder of the now-defunct encrypted email service Lavabit, at a conference last month – and they started discussing the current state of government eavesdropping and what to do about it.


“It’s got to be better to start from a position of near total security and then work down as needed, rather than starting with no security and then add on code to try and make it more secure,” Callas said.

Both have the skills needed to set up such a system. Callas, and fellow Silent Circle partner Phil Zimmermann, were members of PGP, the firm that brought encryption to the masses in the early 1990s, and recently set up secure communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure that email users could encrypt their messages and store them safely, before shutting the service down rather than compromise his users’ security.

The full details on the Dark Mail Alliance system will be published in a white paper shortly, but in a nutshell the system uses SMTP and Extensible Messaging and Presence Protocol (XMPP) systems. The user generates a private key on their device and has public keys on an open server; sent emails are encrypted and stored in the cloud for pickup as needed.

‘It’s as secure as it can be, we think’

“Anyone monitoring the email would be able to see the size of the message but that’s about it,” Callas explained. “Of course, if the owner’s device has already been subverted by malware then the private key can be found, but it’s as secure as it can be, we think.”
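The architecture Callas sketches above (a private key generated on the device, public keys on an open server, encrypted messages parked in the cloud for pickup, and an observer who learns little beyond message size) as an added Go sketch. This is illustration written for this page, not Dark Mail Alliance code, and it assumes X25519, AES-256-GCM and a SHA-256 key derivation as the primitives, none of which the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models one user's machine: the private key is generated here and never
// leaves it, so (as the article notes) only a compromised device exposes it.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material a device publishes to the Directory.
func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// Directory is the "open server" holding public keys, indexed by address.
type Directory map[string][]byte

// Envelope is the blob the storage server keeps for pickup. It holds no plaintext;
// an observer sees recipient, one-time key, nonce and ciphertext length only.
type Envelope struct {
	To         string
	Ephemeral  []byte
	Nonce      []byte
	Ciphertext []byte
}

// aeadFor derives the AES-256-GCM instance both ends can reach from own private
// key and the peer's public key. SHA-256 over the shared secret and both public
// keys is an assumed simplification standing in for a real KDF such as HKDF.
func aeadFor(own *ecdh.PrivateKey, peer, ephemeral, recipient []byte) (cipher.AEAD, error) {
	peerPub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := own.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(ephemeral)
	h.Write(recipient)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a message to the recipient's published key under a fresh ephemeral
// X25519 key, binding the address as associated data so the blob can't be re-addressed.
func Encrypt(dir Directory, to string, plaintext []byte) (*Envelope, error) {
	recipient, ok := dir[to]
	if !ok {
		return nil, fmt.Errorf("no public key published for %q", to)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephemeral := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, recipient, ephemeral, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{To: to, Ephemeral: ephemeral, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(to))}, nil
}

// Decrypt runs on the recipient's device; any other device, or a tampered
// envelope, fails GCM authentication and yields no plaintext.
func (d *Device) Decrypt(env *Envelope) ([]byte, error) {
	gcm, err := aeadFor(d.priv, env.Ephemeral, env.Ephemeral, d.PublicKey())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.To))
}

func main() {
	bob, _ := NewDevice()
	env, _ := Encrypt(Directory{"bob": bob.PublicKey()}, "bob", []byte("constructed sample message"))
	got, err := bob.Decrypt(env)
	fmt.Printf("observer sees %d bytes for %s; bob reads %q (err=%v)\n", len(env.Ciphertext), env.To, got, err)
}
```

The storage server still sees the recipient address and the ciphertext length (plaintext length plus the 16-byte GCM tag), which is the residual metadata Callas describes.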

The team will open source all of the code and invite the community to poke holes in it and find weaknesses. The first version of the basic code will be out next year, Callas said, but the team also wants to build components that would allow companies and email providers to easily add the technology to their systems.

So far interest in the system has been high, Callas said, with many people in the security industry getting in touch wanting either more details or offering to help. However, no one from the government has been in contact at this time.

Services such as this are bound to bring up the accusation that the Dark Mail Alliance is aiding the four horsemen of the infocalypse: terrorists, organized crime, pedophiles, and drug dealers. Callas refuted this, pointing out that there are already many existing laws for getting access to an individual suspect’s emails that would work just fine and that the group is “not fond of bad guys.”

He pointed out that in the case of Lavabit, Levison was happy to help with law enforcement requests for assistance. But he shut down the email service because federal investigators looking into Edward Snowden’s account wanted full access to everyone’s email on the site, not just their target’s.

As for the name of the group, it has been reported that the inspiration for Dark Mail Alliance is somewhat Star Wars-based. But Callas pointed out that “dark” also means hidden or secret, as well as complex and rich, as in “a dark voice.”

“We had a discussion among ourselves about what to call Dark Mail, and one of the reasons that we decided we liked it was that it is a complex word,” he said.

“Moreover, one of the major corrosive effects of mass surveillance is that it causes people to self-edit, to fear to do things unseemly, to be safe. We didn’t want to call it ‘Shiny Happy Mail.’ Dark Mail for us reflects our dark humor as well as the dark humors that surveillance puts us in,” he said.

“I think it’s sad that there’s been a flutter over ‘dark’ because it can mean only some things to some people. That is, however, the sort of thing that isn’t unexpected. These are dark times, and it’s hard to have a dark laugh.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/dark_mail_alliance_promises_nearly_nsaproof_email_next_year/

Snowden pleads for safe passage to Germany – to help Merkel with her phone trouble

Free Regcast : Microsoft Cloud OS

NSA squealer Edward Snowden has offered to pop over to Germany to help investigate allegations that Chancellor Angela Merkel’s phone was tapped by US spies.

German Green Party MP Hans-Christian Stroebele met Snowden in Moscow, Russia for three hours on Thursday – the lawmaker said on his website [in German].


The two men discussed the possibility of the one-time US spy agency IT contractor-turned-whistleblower assisting a German parliamentary inquiry into whether Merkel’s phone had been snooped on by stateside spooks.

Snowden offered to come to Berlin, Stroebele said, but added that certain “conditions” would need to be considered to guarantee that Snowden – who is currently enjoying temporary asylum in Russia – would be granted a safe passage to Germany if such a visit is approved by the country.

Stroebele told Reuters that Snowden “made it clear he knows a lot and that as long as the National Security Agency blocks investigations… he is prepared to come to Germany and give testimony, but the conditions must be discussed.”

Snowden, who now has an IT support job at a major, unnamed Russian website, leaked evidence of mass surveillance being carried out by operatives at the National Security Agency in the US and in Britain’s listening nerve centre – GCHQ.

He is wanted by US authorities over espionage charges.

Germany’s parliament will convene a special session on 18 November where the alleged surveillance of Merkel’s phone will be discussed. Some MPs want Snowden to give evidence at the inquiry – but it’s possible that he could do so via a video link from Moscow. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/01/edward_snowden_wants_to_investigate_merkel_phone_tapping_in_germany/

Simple Security Is A Better Bet

Last week I spoke with a firm to discuss compliance strategy for data privacy protection of personally identifiable information (PII). A number of state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some specific in-house issues. Then I discussed the different technology options for each platform that were available, mentioning which threats the products addressed and the relative cost of implementation and maintenance.

Even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far too complex for them to come away with any coherent strategy or action plan. Forget running — we needed to get to a crawl. It was clear the firm did not have the time, manpower, or budget to go through the full analysis process. And even if it did, it would have ended up with a half-dozen separate and distinct projects, each with its own learning curve, each with a different product to obtain, and each with a different skill for management.

That’s where I simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all of the platforms for all of the use cases.

Why? Because it was going to address most of the issues the company had — it was not even fully aware of the issues it needed to address — and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Personally, I like to pick tools and technologies that best fit my category of need, be it compliance, security, or whatever. That said, sometimes best of breed is not possible. Selecting “the best” technical solutions app by app creates project and operational complexity that would simply never work in this case.

I’ve talked a lot on this — here and on the Securosis blog — about how complexity makes it harder to do security. Certainly guys like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I’ve witnessed firsthand, such as security settings that are difficult to check, make it more likely that people will make a mistake or skip the process entirely. If code is hard to read, then code reviews are less effective. Complexity makes things hard to understand and, in turn, results in less effective security — in this case, complexity from an implementation and management perspective. Getting 90 percent of the way home was better than outright failure.

Does this sound cliché? Sure, it does. Do companies still bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to his or her standards, often beyond IT’s capabilities. It’s a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Article source: http://www.darkreading.com/database/simple-security-is-a-better-bet/240163405