A recent domain seizure, that was part of a post made on Techdirt yesterday, is the seizure of the domain names used for the Coreflood botnet. They seized the domains so they could legally use the domain names themselves to send their kill command. That has it's own controversy but I am pointing this out to show that all domain name seizures aren't for the same purpose.
I see two general security issues with this type of plug-in. Let's suppose we can trust MafiaaFire. They say the code will be open source, so that makes trust easy. Even so, MafiaaFire will need to stay constantly vigilant to protect against being used for nefarious purposes not actually related to intellectual property. Mozilla checks their plug-ins to make sure they don't do bad things. I spoke today with a manager at Mozilla who thought it was likely that their General Counsel would allow this plug-in to remain. However, Mozilla is not going to be checking the domain name replacement lists. Mozilla now has less control over ensuring their browser+plug-ins is secure. Additionally, if Mozilla allows this plug-in how can they be sure that a developer who offers a similar plug-in can be trusted? It's a general mechanism that basically introduces a security vulnerability.
I wouldn't say all domain seizures are pointless. As a way of eliminating access to a web-site it is not foolproof and so cannot be the central thrust of law enforcement. ICE's lack of due process is awful. Their use of domain seizure as a shotgun approach with resulting collateral damage is also awful. Finally, there is the very large issue of a single country mucking with a central component of the worldwide internet (DNS).
I was glad to see that in MafiaaFire's response to my comment, they said they were limiting what areas the plug-in supports. The following is a list (from Wikipedia) of ICE's responsibilities within "cybercrime" and are the categories for which ICE would use domain seizure.
* Possession, manufacture and distribution of images of child abuse.
* International money laundering and illegal cyber-banking.
* Illegal arms trafficking and illegal export of strategic/controlled commodities.
* Drug trafficking (including prohibited pharmaceuticals).
* General Smuggling (including the trafficking in stolen art and antiquities; violations of the Endangered Species Act etc.)
* Intellectual property rights violations (including music and software).
* Immigration violations; identity and benefit fraud
I assume that MafiaaFire is limiting their support to sites that only involve intellectual property rights. Is this true?
I think there is generally more support for domain seizures in most of those categories. Within each one there are controversial areas, however, with IP rights violations the entire category is controversial. Playing domain seizure whack-a-mole within the other categories might actually be useful but that won't be the case for IP rights.
That was my comment, I wasn't logged in at the time:
I believe your initial comment was a reference to DMCA. Circumvention deals with bypassing a technological measure put in place by the copyright holder. The technological measure in question, blocking the original domain name from being used to access an infringing website, was put in place by ICE. Bypassing that protection doesn't even get you to a website owned by the copyright holder. That technological measure is intended to benefit the copyright holder but I believe the circumvention can only qualify for measures put into place by the copyright holders themselves.
I am not arguing that DNS is a weak security measure. I am arguing that DNS can't be considered a security measure at all. It is just a convenience for humans and a level of abstraction allowing for IP addresses to change while the domain name remains the same. Both Linux and Windows have host files that can be used to map a domain name to an IP address. This also bypasses DNS but is intentionally designed into the OS. So, in no way could adding an entry to a host file be considered illegal circumvention. Similarly, filling in the browser's address bar with an IP address or using the Mafiaafire plug-in cannot be considered circumvention.
A couple of circumvention examples:
One of the weakest possible methods of content security is to not publish direct links to web-pages but still have those web-pages with the path name portion of the URL being sequential. Bypassing that could still be considered circumvention.
Another example concerns the NY Times paywall. Deleting cookies is one method of bypassing the paywall. It could be considered circumvention, and thus illegal under DMCA, to do that. However, most browsers all a user to deleted cookies. In fact, it is generally recommended that you delete cookies periodically. Given that, you couldn't consider it illegal to delete cookies.
This is a very good point. Mafiaafire will find out that making a plug-in was the easy part, maintaining the lists will be an ongoing pain. What criteria will they use to determine which ICE domain blocks they will get around? Certainly websites that allow file sharing of music and video will be on the list. Websites that allow general file sharing should be OK, even if some files shared are clearly repugnant like child porn. Is a dedicated child porn site OK? What about a website that sells counterfeit items without telling you they are counterfeit? Maybe a website that is upfront about selling counterfeit items is OK. The problem here is that Mafiaafire have now placed themselves as an arbiter of what is good, separate from ICE. Unless, they want to be a supporter of a dedicated child porn website they will also be involved in censorship, just less censorship than ICE does.
They will also have to constantly investigate to make sure they don't include the malware installation sites or those that want to spoof a real site. How do they confirm that a request to register is from the domain's true owner?
Another problem that is introduced is how does a user decide who they can trust to download and install a plug-in?
Mozilla does check on plug-ins but if they allow Mafiaafire then why not others who look like they are legit at first. As a matter of fact my new Firefox plug-in, MalwareHelper, is much better than Mafiaafire.
Re: probably already posted but my time online is short today:
The FBI could have made an attempt to clean the system of the malware completely. That can be risky since it may include system files and Registry entries for WIndows. Killing a process or processes is fairly safe considering they were designed to serve the purposes of a botnet.
I agree with anonymous coward better the FBI does this with a critical system than letting the botnet owners maintain control.
The C&C could possibly use multicast addressing for the control of a botnet. I am not aware this has ever been done. A problem is that not all ISPs support multicast routing. There really isn't much of a problem having a single server control a large botnet using just unicast. I am sure the FBI is just using the same mechanism.
I don't know the Orrin Hatch pirate reference but one type of pirate is likely to be infected with malware and be part of a botnet. The pirate who isn't running a legal copy of Windows.
The following is what the FBI, along with ISC, needed to do:
-Allow a computer to be infected and the analyze the code via reverse engineering and by monitoring all the packets involved in communication.
-They apparently have actually seized, at least some of the C&C servers. This isn't strictly necessary. They do need to take over the domain names used by the botnet client computers to communicate with the C&C servers. The FBI seized those domain names by court order and now are using them for their own purposes here.
A lone hacker could have done the first step but not the second. Without having access to a C&C server, a lone hacker cannot even find out the IP addresses of the other botnet clients. There is a remote possibility that a vulnerability in the C&C servers will allow code injection by a botnet client. Otherwise, that teen hacker has no hope.
I don't think it is likely that the botnet program is listening for a command that would terminate itself (i.e. terminate all the running processes associated with the botnet on that computer). A software update is one of the available commands to the botnet. The likeliest scenario is that the FBI would be sending an update to the botnet program. That update would either terminate the program directly or listen for a separate termination command.
If the FBI can update the botnet program then it can write updates that can do anything that is permissible for the owner of the botnet processes. That might well be full administrative permission. This botnet program already has a keylogger component. It is not clear to me if the botnet is sending collected data along with it's beacons or there is simply a command for the C&C server to be send the collected data.
In the court filing, the FBI says they are not going to collect data from any of the infected computers other than the source IP address contained in the beacon packet.
He is a security researcher and so could have a valid reason to possess the following.
A thumb drive and cd containing a virus that infects in multiple ways; Autoplay, Autorun, containing a straightfoward executable, a self-extracting zip file containing a virus, containing a GIFAR etc. The virus could be written to identify and bypass a virtual OS and install a root kit, spread itself only to other ICE devices and erase the hard drive after a couple of days.
He could warn them before hand: "You shouldn't look at that!"
disclaimer: I am not suggesting he or anyone actually do this, I'm jus sayin.
- It looks like the design is already in place. It will take two years to fully deploy. The expertise is there, however those who have command authority may not understand computer security. The NSA, which is part of DoD, certainly understands security as well as anyone. The NSA is also tasked with protecting the federal government's computer networks. The DoD's approach to security has been lackadaisical considering they have some of the best experts on the planet. Manning's comment in the Manning/Lamo chat logs, shows the NSA was involved in monitoring SIPRNet for external attacks but looking for internal anomalies was not a priority. A Host Based Security System (HBSS) will be complete in June of this year. This was 40% in place (only in continental US) already on SIPRNet at the time of Manning's leak. This monitors transfers to removable media. The DoD will incorporate the NSA designed Audit Extraction Module (AEM) to HBSS.
The crux of the problem is that SOME computers (12%) with access to SIPRNet have to allow data transfers to removable media (Sneakernet). This is needed to allow sharing of information with coalition partners, weapons systems, and other systems out in the battlefield that don't have access to SIPRNet. Their solution is to monitor and audit these transfers.
- They shouldn't have to do background checks. It may seem counter-intuitive to lay people, but the security design should be completely open. What is meant by the pejorative phrase "security through obscurity", is that keeping the design of a security system secret is false security. It shouldn't matter if Al Qaeda or the Taliban have full access to the blueprints of security. The real security is through maintaining the secrecy of passphrases, keys, or digital certificates. Being an open design allows important feedback from security experts outside of the US military and government. This is how AES was designed. Unfortunately, a lot of military and government officials (corporate as well) still believe in security through obscurity. However, it is needed in situations where there is not, and never will be, a good technical solution. Case in point, DRM.
- I am not sure if you are just being sarcastic here but I don't see this as at all likely. It is easy to have a cynical viewpoint about security having witnessed nearly two decades of horrendous security problems in operating systems, browsers and other internet applications. Doing security correctly to eliminate all vulnerabilities is very hard, but security software doesn't usually create new holes.
- I am not at all sure having 40 levels of secrets (and also compartmentalized by need to know) is a problem. Certainly most security infrastructure is capable of handling hierarchical access. So, 40 levels is no different than 2. It can viewed as a way to allow as much access as desired as well as a way of allowing only as little access as desired.
- Total agreement! Insider leaks are the hardest to prevent. The view that something in particular shouldn't be secret is the motivation for leaking. My gripe with Bradley Manning is that he (allegedly) released far more information than he could have possibly reviewed himself. Given that, I don't fully trust his motivation
- A malware infected flash drive was used to target US military computer systems in 2008. As a result, flash drives were temporarily banned. Malware can be controlled by disabling the AutoPlay function under Windows. I find it odd that writable CDs and DVDs weren't similarly banned. Yes, do it for the 88% of SIPRNet computers that don't need Sneakernet.
Wikileaks has 261,000 State Department cables. As of today, 6693 have been released. Ones assumes that Wikileaks and the 5 newspapers that have access to the full set, are releasing the most interesting ones first. This will be going on for months if not years.
I'm a technical person, so forgive me if I do not add in a bureaucracy requirement. I would assume that if the DoD felt there was an urgency to this, red tape could have been bypassed to put, at least an initial solution, in place. Authentication algorithms and software is not a new technology. Solutions have already been designed. The DoD could have adopted either Kerberos or RADIUS as a solution to gain access, at a rough grained level, to entire servers as a first step. This is done on top of an existing infrastructure. The only change for those millions of users is to use a RADIUS client program that has been installed on their computer. They log in with a passphrase and gain access to a subset of servers. In addition to some number of authentication servers, the existing servers have to add a top layer to check for authentication. Adjustments to access can be made on the fly without further involvement from the mass of users.
The cost for this would be a drop in a very large bucket taking into account the DoD's total budget. Scaling up is not a big problem. Facebook authenticates more than 500 million. This could be implemented as a temporary solution while the red tape unwinds and the endless details are discussed.
The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability
I have to disagree. They could have a system in a couple of weeks had they gone with password/passphrase based authentication. There a several types of authentication servers available. You can scale up by having multiple servers. Multiple classification levels can be implemented with group access. The time consuming part is assigning documents to groups. However, you could start with a crude mass assignment and make adjustments without bringing the system down. As long as everyone can remember their passphrase under the stress of warfare, this should work.
The article from Firedoglake misleads by summarizing SIPRnet as being either secure or not secure. There are three, somewhat independent, aspects of security at work here; ability to bridge the air gap between SIPRnet and the rest of the universe, authentication and finer grained access, logging and auditing capability. Each one will make the system more secure.
SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don't do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it's temporary. Certainly, the vast majority of those don't deserve top secret listing.
The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRnet full access to all information stored on it. The full system won't be finished till 2013, but that doesn't mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
One of the NSA's responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.
i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”
Nobody expected a military insider would do a mass leak. That was naive.
An generic drug overview:
I think it is a good thing to have all medicinal drugs approved by the FDA. I also think it is a good thing to require a company to pass checks on it's manufacture of a particular medicinal drug (i.e. be approved by the FDA). The general public does not want drugs to be too expensive and, in particular, generic drugs should never be expensive. Once a drug is manufactured by at least two companies, the competition should keep prices low. So, what's the problem?
The cost of entering the market has to be low enough for at least two companies to be involved. I will not consider marketing because that is a variable cost determined by a company itself. Also, if your drug is, say, 1/4 of the cost of your competitor's then it will market itself. So, the main investment cost then is getting FDA approval and this has to be balanced against the total size of the market, This gives three categories.
1) Orphan drugs: No one wants to manufacture the drug so the government must supply some artificial incentive disrupting normal market forces. We've seen an existing problem concerning that with Diulatin.
2) Popular Drugs: These are all the existing generic drugs with approval given by the FDA to multiple companies.
3). Drugs with a small potential market. This category should not exist. The cost of getting approval should never be so discouraging that a second company will never attempt it. This is what I think the focus should be on.
We can assume that drug companies are greedy and are always looking to maximize profit. I cannot fault the FDA with deciding to bring all drugs under the approval process. Sure, it disrupts the market at this late date but things will equilibrate in the long term (not too long). This assumes influence of big pharma hasn't warped the process. The government should be making sure that safety is the criteria and not profit for any approval procedures. I still can't believe the ANDA procedure is all that costly.
This is really just a series of questions for the author, David Fuchs, (or someone else) to answer.
The FDA says the main problem for the unapproved quinine sulfate drugs is the labelling. It should only be used for malaria and "is known to have a very narrow margin of safety between doses that are therapeutic in the treatment of malaria and doses that are toxic".
1). Can't a drug company just make a label that is acceptable to be approved by the FDA?
2). Why would a company have to duplicate expensive clinical trials when all they should have to show is that their dosages fall into the known acceptable range and are correctly labelled?
3) How much does it cost to go through the approval process? Pharmaceutical companies have to do this to make generic drugs. How is quinine sulfate any different?
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re: Re:
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re:
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re:
I was glad to see that in MafiaaFire's response to my comment, they said they were limiting what areas the plug-in supports. The following is a list (from Wikipedia) of ICE's responsibilities within "cybercrime" and are the categories for which ICE would use domain seizure.
* Possession, manufacture and distribution of images of child abuse.
* International money laundering and illegal cyber-banking.
* Illegal arms trafficking and illegal export of strategic/controlled commodities.
* Drug trafficking (including prohibited pharmaceuticals).
* General Smuggling (including the trafficking in stolen art and antiquities; violations of the Endangered Species Act etc.)
* Intellectual property rights violations (including music and software).
* Immigration violations; identity and benefit fraud
I assume that MafiaaFire is limiting their support to sites that only involve intellectual property rights. Is this true?
I think there is generally more support for domain seizures in most of those categories. Within each one there are controversial areas, however, with IP rights violations the entire category is controversial. Playing domain seizure whack-a-mole within the other categories might actually be useful but that won't be the case for IP rights.
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re: Re: Re: Circumvention Device
I believe your initial comment was a reference to DMCA. Circumvention deals with bypassing a technological measure put in place by the copyright holder. The technological measure in question, blocking the original domain name from being used to access an infringing website, was put in place by ICE. Bypassing that protection doesn't even get you to a website owned by the copyright holder. That technological measure is intended to benefit the copyright holder but I believe the circumvention can only qualify for measures put into place by the copyright holders themselves.
I am not arguing that DNS is a weak security measure. I am arguing that DNS can't be considered a security measure at all. It is just a convenience for humans and a level of abstraction allowing for IP addresses to change while the domain name remains the same. Both Linux and Windows have host files that can be used to map a domain name to an IP address. This also bypasses DNS but is intentionally designed into the OS. So, in no way could adding an entry to a host file be considered illegal circumvention. Similarly, filling in the browser's address bar with an IP address or using the Mafiaafire plug-in cannot be considered circumvention.
A couple of circumvention examples:
One of the weakest possible methods of content security is to not publish direct links to web-pages but still have those web-pages with the path name portion of the URL being sequential. Bypassing that could still be considered circumvention.
Another example concerns the NY Times paywall. Deleting cookies is one method of bypassing the paywall. It could be considered circumvention, and thus illegal under DMCA, to do that. However, most browsers all a user to deleted cookies. In fact, it is generally recommended that you delete cookies periodically. Given that, you couldn't consider it illegal to delete cookies.
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re: Win
They will also have to constantly investigate to make sure they don't include the malware installation sites or those that want to spoof a real site. How do they confirm that a request to register is from the domain's true owner?
Another problem that is introduced is how does a user decide who they can trust to download and install a plug-in?
Mozilla does check on plug-ins but if they allow Mafiaafire then why not others who look like they are legit at first. As a matter of fact my new Firefox plug-in, MalwareHelper, is much better than Mafiaafire.
On the post: FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
Re: probably already posted but my time online is short today:
I agree with anonymous coward better the FBI does this with a critical system than letting the botnet owners maintain control.
On the post: FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
Re: FUD storm
On the post: FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
Re: Re: Orrin Hatch
On the post: FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
Re: Is This A 'More Friendly' Problem
-Allow a computer to be infected and the analyze the code via reverse engineering and by monitoring all the packets involved in communication.
-They apparently have actually seized, at least some of the C&C servers. This isn't strictly necessary. They do need to take over the domain names used by the botnet client computers to communicate with the C&C servers. The FBI seized those domain names by court order and now are using them for their own purposes here.
A lone hacker could have done the first step but not the second. Without having access to a C&C server, a lone hacker cannot even find out the IP addresses of the other botnet clients. There is a remote possibility that a vulnerability in the C&C servers will allow code injection by a botnet client. Otherwise, that teen hacker has no hope.
On the post: FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers
Re: Re: All I can say is Holy Crap!!!
If the FBI can update the botnet program then it can write updates that can do anything that is permissible for the owner of the botnet processes. That might well be full administrative permission. This botnet program already has a keylogger component. It is not clear to me if the botnet is sending collected data along with it's beacons or there is simply a command for the C&C server to be send the collected data.
In the court filing, the FBI says they are not going to collect data from any of the infected computers other than the source IP address contained in the beacon packet.
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
Re: Re: Re: Re:
On the post: ICE Redefines Detainment For Wikileaks Helper: You're Not Being Detained, You Just Can't Leave
Re: don't feed the animals
A thumb drive and cd containing a virus that infects in multiple ways; Autoplay, Autorun, containing a straightfoward executable, a self-extracting zip file containing a virus, containing a GIFAR etc. The virus could be written to identify and bypass a virtual OS and install a root kit, spread itself only to other ICE devices and erase the hard drive after a couple of days.
He could warn them before hand: "You shouldn't look at that!"
disclaimer: I am not suggesting he or anyone actually do this, I'm jus sayin.
On the post: Lionsgate Claims That Reviewing A Fake Script Is Copyright Infringement
retreiving original post
1) Search on Google for:
http://www.foreveryoungadult.com/
2) click on:
more results for: http://www.foreveryoungadult.com/
3) click on cached for:
Forever Young Adult Presents: A Highly Intellectual Discussion of ...
This includes the comment from Lions Gate
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
Re:
- lol, I hadn't heard that Palin bumper sticker
- It looks like the design is already in place. It will take two years to fully deploy. The expertise is there, however those who have command authority may not understand computer security. The NSA, which is part of DoD, certainly understands security as well as anyone. The NSA is also tasked with protecting the federal government's computer networks. The DoD's approach to security has been lackadaisical considering they have some of the best experts on the planet. Manning's comment in the Manning/Lamo chat logs, shows the NSA was involved in monitoring SIPRNet for external attacks but looking for internal anomalies was not a priority. A Host Based Security System (HBSS) will be complete in June of this year. This was 40% in place (only in continental US) already on SIPRNet at the time of Manning's leak. This monitors transfers to removable media. The DoD will incorporate the NSA designed Audit Extraction Module (AEM) to HBSS.
The crux of the problem is that SOME computers (12%) with access to SIPRNet have to allow data transfers to removable media (Sneakernet). This is needed to allow sharing of information with coalition partners, weapons systems, and other systems out in the battlefield that don't have access to SIPRNet. Their solution is to monitor and audit these transfers.
- They shouldn't have to do background checks. It may seem counter-intuitive to lay people, but the security design should be completely open. What is meant by the pejorative phrase "security through obscurity", is that keeping the design of a security system secret is false security. It shouldn't matter if Al Qaeda or the Taliban have full access to the blueprints of security. The real security is through maintaining the secrecy of passphrases, keys, or digital certificates. Being an open design allows important feedback from security experts outside of the US military and government. This is how AES was designed. Unfortunately, a lot of military and government officials (corporate as well) still believe in security through obscurity. However, it is needed in situations where there is not, and never will be, a good technical solution. Case in point, DRM.
- I am not sure if you are just being sarcastic here but I don't see this as at all likely. It is easy to have a cynical viewpoint about security having witnessed nearly two decades of horrendous security problems in operating systems, browsers and other internet applications. Doing security correctly to eliminate all vulnerabilities is very hard, but security software doesn't usually create new holes.
- I am not at all sure having 40 levels of secrets (and also compartmentalized by need to know) is a problem. Certainly most security infrastructure is capable of handling hierarchical access. So, 40 levels is no different than 2. It can viewed as a way to allow as much access as desired as well as a way of allowing only as little access as desired.
- Total agreement! Insider leaks are the hardest to prevent. The view that something in particular shouldn't be secret is the motivation for leaking. My gripe with Bradley Manning is that he (allegedly) released far more information than he could have possibly reviewed himself. Given that, I don't fully trust his motivation
- A malware infected flash drive was used to target US military computer systems in 2008. As a result, flash drives were temporarily banned. Malware can be controlled by disabling the AutoPlay function under Windows. I find it odd that writable CDs and DVDs weren't similarly banned. Yes, do it for the 88% of SIPRNet computers that don't need Sneakernet.
I would like my 100 million as well.
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
Re:
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
Re: Re: Re:
The cost for this would be a drop in a very large bucket taking into account the DoD's total budget. Scaling up is not a big problem. Facebook authenticates more than 500 million. This could be implemented as a temporary solution while the red tape unwinds and the endless details are discussed.
The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
Re:
On the post: Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013
SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don't do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it's temporary. Certainly, the vast majority of those don't deserve top secret listing.
The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRnet full access to all information stored on it. The full system won't be finished till 2013, but that doesn't mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
One of the NSA's responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.
i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”
Nobody expected a military insider would do a mass leak. That was naive.
On the post: FDA Suddenly Bans Drugs That Have Been On The Market For Decades
Re: Re: Quinine Sulfate
I think it is a good thing to have all medicinal drugs approved by the FDA. I also think it is a good thing to require a company to pass checks on it's manufacture of a particular medicinal drug (i.e. be approved by the FDA). The general public does not want drugs to be too expensive and, in particular, generic drugs should never be expensive. Once a drug is manufactured by at least two companies, the competition should keep prices low. So, what's the problem?
The cost of entering the market has to be low enough for at least two companies to be involved. I will not consider marketing because that is a variable cost determined by a company itself. Also, if your drug is, say, 1/4 of the cost of your competitor's then it will market itself. So, the main investment cost then is getting FDA approval and this has to be balanced against the total size of the market, This gives three categories.
1) Orphan drugs: No one wants to manufacture the drug so the government must supply some artificial incentive disrupting normal market forces. We've seen an existing problem concerning that with Diulatin.
2) Popular Drugs: These are all the existing generic drugs with approval given by the FDA to multiple companies.
3). Drugs with a small potential market. This category should not exist. The cost of getting approval should never be so discouraging that a second company will never attempt it. This is what I think the focus should be on.
We can assume that drug companies are greedy and are always looking to maximize profit. I cannot fault the FDA with deciding to bring all drugs under the approval process. Sure, it disrupts the market at this late date but things will equilibrate in the long term (not too long). This assumes influence of big pharma hasn't warped the process. The government should be making sure that safety is the criteria and not profit for any approval procedures. I still can't believe the ANDA procedure is all that costly.
On the post: FDA Suddenly Bans Drugs That Have Been On The Market For Decades
Quinine Sulfate
The FDA says the main problem for the unapproved quinine sulfate drugs is the labelling. It should only be used for malaria and "is known to have a very narrow margin of safety between doses that are therapeutic in the treatment of malaria and doses that are toxic".
1). Can't a drug company just make a label that is acceptable to be approved by the FDA?
2). Why would a company have to duplicate expensive clinical trials when all they should have to show is that their dosages fall into the known acceptable range and are correctly labelled?
3) How much does it cost to go through the approval process? Pharmaceutical companies have to do this to make generic drugs. How is quinine sulfate any different?
Next >>