I don't really like commenting here any more. I think TechDirt has gone off the deep end on a variety of topics. But it's good to see your response (as well as others) putting some actual real info out there containing research that SHOULD have been done before this article was ever published.
But you're dead on. I've been using Cisco ASA firewalls all the way back to the old PIX models as well, and this is something that I've had to deal with myself a few times over the years. SMTP fixup can be a bitch, and the moment I saw the screenshot with the telnet session, I knew what was up.
I've also seen configurations where they expect ANY TLS traffic to be submitted over 587, even though STARTTLS is just fine to use over port 25. But that doesn't seem to be what's going on here.
Where I live, my ISP forces me to use THEIR mail server for all outgoing mail. They will relay anything, from any source address, as long as it's in their IP space. If I try to connect to port 25 outside of my ISP's network, the connection is always blocked. They implemented this as an anti-spam measure a few years ago.
If you think through this to its logical conclusion; some questions beg to be answered.
Whose responsibility is it to scour the Internet, world newspapers, TV broadcasts, etc. to try and identify what "Classified" information has been leaked?
What would the process be for taking marked classified documents on an unclassified system and identifying them as the specific documents that were leaked and suddenly should now lose their classification status?
How do you teach automated systems that look for classified data on unclassified systems how to determine if a particular document is still classified or not?
For me; it seems like the same argument that you make about YouTube trying to decide if a piece of content is infringing or not. You're asking me to spend all my time trying to research any classified documents I find to determine if they've been leaked and are now unclassified? That's an INSANE undertaking that would cost considerable amounts of taxpayer dollars to achieve.
I don't agree that an entire SITE should be blocked. I think that move is a bit lazy, but I don't agree that blocking access to classified content from unclassified government systems is a bad thing. The last thing I need to be doing on a daily basis is chasing my tail trying to figure out what's been leaked and what isn't. I have more productive ways of spending my time.
There's no "make pretend" going on here. It's simply maintaining compliance until such time that classified documents are unclassified by their originators.
The credit card analogy got twisted a bit. My point is that said unencrypted card data SHOULD NOT BE ON CC PROCESSING SYSTEMS because that creates an enormous amount of work for those who have the job of keeping said data secure. The same goes for classified data on UNCLASSIFIED systems. Blocking the URL that contains the content (in this case, the entire site) PREVENTS that content from being copied to a government system; wherein the issues of data classification arise. In both cases; the issue is with the protected data being on unprotected systems.
You can hear the excuse as much as you want; and it won't make sense to you until you CHOOSE to understand why the directives exist in the first place.
I saw a video a couple weeks ago about a study in pedestrian traffic management. The study (with testing) showed that putting something like a bollard in FRONT of a doorway actually makes the traffic flow in/out of said doorway far more efficient because it reduces the bunching that occurs when multiple people try to squeeze through simultaneously. Now, if someone who didn't see this video saw a bollard in front of a doorway; they would likely jump to the conclusion that it's completely idiotic to do as it will impede foot traffic. The key they are missing is the understanding of why it was put there in the first place.
Look, I love this site and really agree and enjoy about 99% of what you write here. It's good stuff and in many all cases it's well researched and understood. But I'm not a sheep; I go do my own research and try and understand BOTH perspectives of any given issue. I think it would be beneficial if you did the same with this instance. Reach out and try and understand the details behind the WHY. Don't just fabricate your own intent (to stop the Army from reading the TRUTH) and run with it to make everyone else look like idiots.
Have you read anything in the news that says it's NOT something they are worried about? There are certainly more than 1 or 2 people working for DoD that deal with these types of concerns and issues; and it's not necessary to have 100% of your staff focused on a SINGLE problem when you can have teams of people each working on different issues and tasks.
There actually are efforts underway to move towards virtualized desktops, so moving back towards "dumb terminals" is already happening in a 2013 kind of way.
The reality is that users are still using Windows 7 desktops and applications. It's just that the imaging process, and software install processes can be largely automated and made very efficient. All the base applications used by pretty much everyone are part of the image, other specific applications might be delivered as ThinApp packages and/or directly installed for that unique user as part of the imaging process.
In terms of wiping classified data off unclassified machines; the process can vary depending on what it is, where it is, and how sensitive it is. But yes; it can be a pain and rather depressing at times. That's why there's such a focus on keeping classified data off unclassified machines, PERIOD.
Some people are just choosing to miss the point here, AC... Can't do much about that until they decide to give the ego a rest and actually absorb some new information about why these blocks occur on unclassified systems (and similar reactions all across corporate and bank networks, albeit for different types of data) you're not going to get much traction in a rational discussion.
It's kind of like trying to talk about copyright infringement at a reasonable and rational level with the MPAA.
What's more amusing is that you believe wiping a computer and reinstalling is a difficult task.
If I need to wipe a machine to remove classified data, it takes a whopping 13 minutes to go from a machine containing spillage to a completely reimaged workstation ready for the user to log back in. And it's not a one at a time deal either; we can do dozens upon dozens simultaneously with no issues.
That aside; Nicholas didn't say that the Army was going to be "wholesale wiping all their computers", you did. Just more manufactured outrage.
Well, I question some of the facts in the story already. I have received no directives to block the Guardian's web site. Maybe it just hasn't gotten here yet, but to say that all of DoD has been directed to block the Guardian's web site does not appear to be true.
Visiting these sites that contain classified information from unclassified machines isn't a security risk in the traditional sense. Making the assumption that the point of these blocks is to "stop military personnel from reading the truth" or that it somehow is done in an effort to increase logical security is where the whole thing breaks down.
If you are WILLFULLY choosing to believe that the purpose of the block is for reasons other than what they really are; there's not much point in discussion. If you take the time to understand WHY blocks like this are put into place it makes a lot more sense.
The whole thing smacks of stupid desperation: it doesn't stop the leaks from happening, it doesn't stop anyone in the army from finding out about the leaks, it just seems petty and designed to alert more people that the Guardian is the source to follow on these leaks.
It might smack of stupid desperation if the PURPOSE of the block was to;
a) stop leaks
b) stop anyone in the army from finding out about the leaks
The reality of the situation is the point of the block is to keep classified documents off unclassified government systems. This is akin to a credit card company accidentally publishing a massive list of CC #'s, discovering the leak and then just leaving the information up because "it's public anyway" or leaving those files on their servers in plain text because "the accounts were cancelled anyway". When the automated systems, internal auditors, or external auditing partners look at those systems and find the dumps of plain text CC #'s it causes compliance issues. It's unrealistic to expect the auditors in these situations to have to then go search to find out if each occurrence of unencrypted CC #'s is "legitimate" because they are invalid or had already been made public.
I know it's really easy to make an assumption as to why certain directives are made. It's easy to take it down the worst path possible if you so choose. But doing either of the above is only useful if you're trying to push an agenda and not actually a fair assessment of what's going on and why some of these decisions are made.
Z-wave native master controller with available bridges to talk to X10, Zigbee and Insteon devices if you can't find what you want in a Z-wave flavor.
I'm still running the older Vera2, but the Vera3 is out now and is cheaper than when I purchased my Vera2! I will say; it's a bit annoying seeing individual stand-alone products billed as "home automation". Sure, you can buy a thermostat that can directly be controlled with your phone, and individual LED lights that use a different app to control, but those are all just individual automated devices vs. a fully integrated system.
When I get home from work, my system detects me pulling in the driveway and unlocks the doors. Based on light sensors inside the house; it turns on accent lighting to make sure I can see my way in. It then auto adjusts the thermostats based on the areas of the house it detects as occupied. Additionally; phantom power use is all but eliminated by physically cutting the power at the outlets to those devices that don't need power if no one is home.
At the end of the day, a $1200 investment in the Vera2 system along with a bunch of modules to control everything I needed paid for itself in 11 months in terms of energy savings.
I'm certainly going to take a look at the new projects on Kickstarter to see what they offer; but on the whole I've been largely disappointed with some of the new "home automation" offerings.
If the school district were to claim copyright on all content created by the students as part of their curriculum, and the student had ANY classes that had to do with computers, the Internet, video production, acting, etc, would the district also be able to file DMCA takedowns on YouTube videos, Facebook content, or anything else that they disagreed with?
If this goes through I'm sure the above will be tested VERY quickly.
Don't get me wrong.. I am NOT in favor of the Cybersecurity Act for a variety of reasons, most of which you already mentioned. I don't want to see the thing passed either.
My concern was more the approach to many of the cyber security articles that show up here. Many of them DO seem to question if these attacks are real, or just fabricated to justify poorly written laws. At least that's how I've been reading many of them.
When I read articles like this that basically say the work I perform day in and day out is nothing more than a political conspiracy, it tends to irk me a bit.
I love TechDirt and really enjoy the articles that you write with ONE exception: Cybersecurity. This is what I do for a living, and I do happen to work for an unnamed government that you focus on quite a lot in regards to these things....
With that being said; Let me just say that the level of cyber attacks on national infrastructure is *NOT* being oversold. Most people simply couldn't comprehend the amount of attacks that are happening on a CONSTANT basis nor do most people understand the mitigation process and how it works within certain government organizations. In addition to that; there seems to be some serious misunderstanding in how data classification is approached at this level and why some controls (such as restricting government workers from accessing sites that are leaking classified data) exist.
Let's assume that YOU are responsible for a team of people that tries to protect a network. Those networks contain different classifications of data and you need to make sure that people are NOT accidentally moving classified data to unclassified systems. How would you deal with vetting every piece of classified data on an unclassified system and determining if it's actually been leaked? That process would be a nightmare.
Within government systems, the rule is that classified data is not allowed on unclassified networks. Period. That allows us to leverage data classification tools to help ensure that this data stays where it belongs. Having to make ad-hoc exceptions when something is "believed" to be leaked simply isn't practical.
These rules are not about CONTROLLING users from accessing this data on the net that's been leaked, they are in place to prevent this data from ending up on unclassified systems no matter what its source.
There's a lot more to know about this process than simply what shows up in a news article somewhere....
Similarly, he notes that merely broadcasting a TV show wasn't considered "publishing." So TV shows like the first episode of Star Trek don't have their copyright clock start until nearly a dozen years after it was first broadcast, because that's the first time it was "offered for sale" rather than just broadcast.
Does this mean that there is no effective copyright on a TV show UNLESS it's offered for sale to the public? IE: If a show airs on TV tonight but is not offered for sale, can it be copied because the copyright clock hasn't started yet?
I think the biggest flaw in Anderson's logic is he is assuming the IT costs for the ENTIRE process vs. just the necessary IT costs for the Entertainment industry.
Here's an example; Hollywood doesn't need to create huge datacenters for each movie they make to distribute it electronically, just as they don't need to directly procure and manage a fleet of trucks to deliver DVDs to customers.
Existing datacenters are there with more than enough capacity and he should only consider costs related to the production of content and server hosting/co-location costs. He doesn't need to worry about what it cost to build the facility, cool it, or anything else that's not in his own segment.
...Unless he's just trying to make a point that "It costs money to build datacenters with lots of disk drives that send and receive lots of data". That's kind of a no-brainer. But for people who produce content and need to leverage that infrastructure for distribution; it's painfully cheap.
The problem really isn't with certificates. If anything, it's the manner in which the various organizations protect their CA's and intermediates. The process is too forgiving.
Exploiting these weaknesses is a problem that should have the blame placed on the CA, not the technology.
My thoughts exactly.. Next time I'm in DC I need to make sure I eat there and "complete" my digestion cycle in the restaurant to make sure I'm not infringing on any of their IP.
On the post: Revealed: ISPs Already Violating Net Neutrality To Block Encryption And Make Everyone Less Safe Online
Re: Re: Re: Re: Re: Re:
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: It's getting old, Mike
Information is powerful.
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: Re: Re: It's getting old, Mike
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: Its necessary for them to do...
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: Re: Re: Its necessary for them to do...
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: Re: Re: Re:
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: Its necessary for them to do...
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
Re: Re: It's getting old, Mike
On the post: Defense Department Blocks All Web Access To The Guardian In Response To NSA Leaks
It's getting old, Mike
On the post: Awesome Stuff: The Future Is Finally Coming To Home Automation
It's already here!
http://www.micasaverde.com
On the post: Irony Alert: John Steele Denies Uploading Anything Ever Despite Growing IP Evidence
Re: The location of that IP adress
Try it. Go put in your own IP address and see where it thinks YOU are. It puts me about 18 miles away from where I actually live.
On the post: Campaign Launched To Stop School From Claiming Copyright On Student Work
Copyright used to stifle student criticism?
On the post: White House Conveniently Confirms 'Cyberattack' Story Just As Its Pushing Cybersecurity Exec Order
Re: Re:
On the post: White House Conveniently Confirms 'Cyberattack' Story Just As Its Pushing Cybersecurity Exec Order
Re: Re: Re:
On the post: White House Conveniently Confirms 'Cyberattack' Story Just As Its Pushing Cybersecurity Exec Order
On the post: What Public Domain? Why A Letter Written In 1755 Is Still Covered By US Copyright Law
Serious Question
On the post: FBI Denies That Hacked Apple Info Came From FBI
Re:
On the post: The Warehousing And Delivery Of Digital Goods? Nearly Free, Pretty Easy, Mostly Trivial
Mixed Vertical Markets
On the post: Flame Malware Signed By 'Rogue' Microsoft Cert, Once Again Highlights Problems With Relying On Certs
Re: Re:
On the post: Is Photographing A Meal 'Taking Intellectual Property Away' From A Chef?
Re: Re: