Tuesday, 22 October 2013

And Italy discovered PRISM

Riding the subway is interesting for several reasons: on one hand you discover people's habits and customs, how those habits change, the way they dress, the ethnographic makeup; on the other hand you get an idea of how much people read, what they read and, in the case of newspapers, you even get to see the front pages if you haven't had time to watch the press review on TV or don't feel like reading it online.

Today my eye happened to fall on the Corriere della Sera, which carried on its front page the news that Italy too has been spied on by the Americans. This borders on the ridiculous, considering that the news is old and stale: the PRISM affair filled the foreign papers and the blogosphere all summer long.

Snowden was one of its first symbols, but much more has passed under these bridges; in this arena the standouts were

  • on one side the USA and UK (what a coincidence) in defending the unbearable lightness of spying on friends, and in wanting to punish even those journalists who, doing their job, sounded the trumpets announcing the glad tidings, the Guardian first and foremost of course.
  • on the other side the spied-upon, wronged and then beaten for it: European embassies, the UN headquarters, US and foreign citizens and so on.

Shall we add those who received an NSL (National Security Letter) and, out of loyalty to their customers, decided to shut down their business, as in the striking case of Lavabit, or those who, fearing reprisals, decided to pre-emptively close their email encryption services so as not to end up under the Caudine Forks of possible government retaliation.


Faced with all this chaos, we kept busying ourselves with the media operations of Silvio Berlusconi and his acolytes, and with a government that after a year has sent us back to the starting line by way of a dark alley.

In short, despite everything, once again Italy arrives dead last, in tow; fortunately this does not surprise us in the least. The only doubt and surprise that comes to mind right now is: what, in Italy too they know how to use email, the internet and things like that? Because from dealing with public administration and companies, and looking at the usage statistics for IT tools, it wouldn't seem so; but luckily here too the OECD backs us up, explaining that we don't use them because we are a people of low culture. 🙂

I moved my blog to hosting in the USA; our law on defamation through the press scares me more than the NSA with PRISM… think about it

  • PRISM Lessons On Privacy, Cloud and US IT Companies
  • Should You Trust US Companies with Your Data? | Tom’s Guide
  • Groklaw shuts down rather than risk feds snooping through e-mail
  • Groklaw forced to close, another piece of freedom is leaving internet | The Puchi Herald
  • Is Free and investigative Journalism in danger?
  • Lavabit Threatened By Obama Admin For Shutting Down Email … | Susan Duclos
  • Snowden’s email provider may face court rap after closing service | Register
  • All change on the Internet | The Telegram
  • Lavabit.com Owner: ‘I Could Be Arrested’ For Resisting Surveillance …
  • Don’t let US government read your e-mail | CNN
  • Prism spying damaging web users’ trust, says Zuckerberg | Computing
  • IT Security Leaders from Wisegate Discuss Impacts of NSA PRISM … | The Herald | HeraldOnline.com
  • Kill U.S. web firms’ license to operate in Europe, German privacy … | GigaOM
  • Britain asked to explain detention of Snowden reporter’s partner | Los Angeles Times
  • UK ordered Guardian to destroy hard drives in effort to stop … | RT
  • US denies seeking detention of Edward Snowden journalist’s partner | The Australian
  • Partner of Edward Snowden’s interviewer Glenn Greenwald ‘halted … | Evening
  • Partner of Edward Snowden reporter held for nine hours at Heathrow | London24
  • NSA PRISM program taps in to user data of Apple, Google and others | World news | The Guardian


Friday, 11 October 2013

Wanted Dead or Alive: The Human Factor

TECHNOLOGY originally published on DaftBlogger.com

By Antonio Ieranò on September 29, 2013 at 7:45 PM

OK, I confess I am quite bored of listening to all those knowledgeable IT security experts talking about what is needed to secure a system. Everyone has his own point of view; of course they’re right when they say we need end-point security, mobile protection, anti-malware, anti-hacking, DLP, advanced threat defense and protection. We all know we need firewalls, IPS/IDS, encryption systems, SSO, 802.1x, strong authentication, anti-virus, anti-everything, application and context aware systems, but what is the point? It seems to me that beyond all the technicalities we are losing sight of a focal point: security, even within the IT sector, is a matter of human behavior.

[Image: dead or alive]

I do not dispute that a patched system is harder to hack than an unpatched one, but the point is: where was the careful planning before? We can, of course, employ DLP, SIEM, advanced threat defense systems, firewalls and so on, but how can they save us if we do not understand what we need to protect? And, even worse, how can we even think of implementing any security measure if we do not know what to protect?

From where should we start?

Probably we should start from the basics, trying to consider what we need to protect starting from the very beginning. And at the beginning there is a human being that wants to interact with another human being through a process.

[Image: men-men]

Of course we filled our systems with great security garbage all around the process box, and we also put in place all those great barriers that make it harder for the user to use the process’s own instruments.

[Image: men men men]

And by adding and adding, we realized we need a SIEM to monitor all this crap, and control systems, and dashboards, and smart whatever and…

I said it all but…

Wait a moment, are we missing something here? Here are some considerations:

  1. Who is the guy/girl that wants to “communicate” with the other guy/girl to do something that both consider “valuable” for some unknown reason?
  2. How do they want to “communicate”?
  3. What do they want to “communicate”?
  4. Why do they want to “communicate”?
  5. Why do they need to “communicate” in that specific way?

Isn’t it funny that those considerations are still the key points for any successful security project? The 3 main subjects of ANY security implementation should be: the human sender, the human receiver and the process involved. Therefore there is no such thing as a successful security implementation without digging deeper into those 3 aspects. Of course, this requires a careful interaction between the so-called security expert and all the players involved in the security process, because the human and technical aspects are strictly connected.

There cannot be security if security is not perceived as a value by the stakeholders of the process; you can put in place all the rules you want, but it will eventually fail. The worst scenario is that people will stop using the process and build a parallel one that is more suitable for their needs. This is the main cause behind security project and implementation failures; it is not a matter of technology but of not carefully evaluating the human factor. Things like planning and training are not naïve requirements in an implementation but the most valuable asset of the project.

Theory?

Funny enough, all the statistics and literature we find on the internet state that the biggest threat of all is always the user, no matter whether skilled or not. The bad guys already know it, and social engineering is not a recent invention as far as hacking is concerned. It can be done on purpose, or by mistake, or by simply looking for a way around a crazily restrictive policy. Eventually, though, a user will breach your security.

Alas, doors are slammed in our faces when we try to explain that security is only in part a question of how I encrypt a disk or how I harden a server. At the end of the day, what should a CSO worry about? Basically, that rules and processes are built to be secure, through the use of technology among other things, but not because of the technology implemented.

All we do is related to our interactions with other human beings; the rest are “tools” to implement a process. As human behavior and technology change, we change the tools, we discover more needs, we create new processes, so security needs to adapt, and IT people should drive the change from the process point of view. Otherwise we will continue to have security breaches, PRISM and Snowden cases, Anonymous groups, and we will again be forced to suffer unpleasant surprises due to humans bypassing all those so carefully implemented security systems.

Go on, buy your firewall