National Park Service on the verge of blocking most White House protests: comments due by MONDAY! / Boing Boing

Monday is the end of the comment period for a sweeping National Park Service proposal that will have a dramatic effect on the ability of Americans to protest in sight of their government.

Under the proposed new rules, protests around the White House and the National Mall would require permits, and protestors would be barred from the sidewalk north of the White House. The proposal also seeks public comment on charging protesters fees for permits to gather.

You can and should comment.
— Read on boingboing.net/2018/10/13/trumplethinskin-3.html

I submitted my comment. It took about 5 minutes.

We should all vote, and we should provide candid feedback to government about things like this proposed rule change.

I don’t know or care about your politics. If your party or politicians you agree with are in power, just remember that someday they won’t be. Anyone trying to take your freedoms away should be a red flag to all.


Fear and Emotion in Politics

Hi

Please take a deep breath.

Take another. Let things, whatever twists you up, go a little bit when you exhale. Repeat until you feel good and unwound.

Hi

Don’t be a single issue voter. The men and women that sit in local, state, and federal roles don’t have one issue regardless of what they may say in a campaign. They vote on many.

Take a Breath

Look at your personal landscape, threat and/or opportunity. Find the candidates who, as far as you can tell, come closest to your landscape. You might assess wrong. They might disappoint you.

Don’t know your personal landscape? It’s ok. Breathe. Take a little bit of time to think about it. Take more time if you need it. Come back. This’ll be here.

Breathe

Others will advise, coach, bully, coax. That’s ok. Those people won’t be in the voting booth with you. Your vote is yours. You vote you. Say whatever you want after.

Inhale

Maybe a candidate voted against your belief one time but otherwise met your expectations. Or mostly met your expectations with a few no votes. Or did they act counter to your personal landscape?

Exhale

Is that worth voting them out of office? Will the new person be any better?

Inhale

Stay tuned to this post for suggestions for more information.


Global Cybersecurity Norms

www.cyberscoop.com/cyber-norms-united-nations-gge-state-department/

Fresh off the release of its national cybersecurity strategy, the Trump administration gauged interest at the United Nations in restarting talks on global cybersecurity norms. The negotiations, which collapsed last year amid reported acrimony among the U.S., Russia and others, aim to set limits on government-backed hacking at a time when offensive operations are abundant.

At a meeting Friday with representatives of more than 20 countries, Deputy Secretary of State John J. Sullivan raised the prospect of restarting the norms dialogue at the U.N. Group of Government Experts (GGE), according to a State Department statement. Sullivan told reporters the department hopes to reconvene the GGE “to define norms of behavior that states will abide by and, if they don’t, to impose consequences.”

Worth a read. I remain skeptical governments, especially the U.S., can achieve anything meaningful.


The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes

The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes:

DOD’s 2018 Cyber Strategy document is drawing attention because of its reference to “defense forward.” What does that mean? Let’s have a close look, in context with the recently-enacted NDAA and recent changes to PPD-20.

(Via Lawfare – Hard National Security Choices)

Dive into the article for a breakdown of the 6-page official summary (the actual document has not been released) and what defending “forward” probably means.


Asean countries to establish framework for cybersecurity collaboration

Asean countries to establish framework for cybersecurity collaboration:

The 10 Asean member states have agreed on the need for a formal framework to coordinate cybersecurity efforts across the region, outlining cyber diplomacy, policy, and operational issues.

… The Asean members concurred that a formal framework was necessary to decide on inter-related issues and recommended the mechanism be flexible and take into consideration various factors, such as economic conditions.

(Via Latest Topic for ZDNet in security)

Singapore is heading up the initial work but it is a collaborative effort.

The group further underscored the importance of “a rules-based cyberspace” to drive economic progress and improve living standards. It also agreed that, “in-principle”, internal laws, voluntary, and non-binding norms of state behaviour, as well as practical “confidence-building” measures were essential to ensure the stability of cyberspace.

My chief concern with this is the “security by committee” approach governmental organizations take. However, coordination across these countries will allow for consistency across a large geography.


Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.

Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.:

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes — 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal. The internal agency working group’s report obtained by CNN contains no recommendations. It’s nothing more than 20 people examining the potential security risks of the policy change. It’s not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year. But commentary around the news has been strongly negative. Regardless of the idea’s merit, it will almost certainly not happen. That’s the result of politics, not security: Sen. Charles E. Schumer (D-N.Y.), one of numerous outraged lawmakers, has already penned a letter to the agency saying that “TSA documents proposing to scrap critical passenger security screenings, without so much as a metal detector in place in some airports, would effectively clear the runway for potential terrorist attacks.” He continued, “It simply boggles the mind to even think that the TSA has plans like this on paper in the first place.”

We don’t know enough to conclude whether this is a good idea, but it shouldn’t be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency’s willingness to explore changes in the screening process.

There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don’t have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.

Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater — measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there’s no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed — which is their whole point.

There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I’ve repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.

It’s always possible to increase security by adding more onerous — and expensive — procedures. If that were the only concern, we would all be strip-searched and prohibited from traveling with luggage. Realistically, we need to analyze whether the increased security of any measure is worth the cost, in money, time and convenience. We spend $8 billion a year on the TSA, and we’d like to get the most security possible for that money.

This is exactly what that TSA working group was doing. CNN reported that the group specifically evaluated the costs and benefits of eliminating security at minor airports, saving $115 million a year with a “small (nonzero) undesirable increase in risk related to additional adversary opportunity.” That money could be used to bolster security at larger airports or to reduce threats totally removed from airports.

We need more of this kind of thinking, not less. In 2017, political scientists Mark Stewart and John Mueller published a detailed evaluation of airport security measures based on the cost to implement and the benefit in terms of lives saved. They concluded that most of what our government does either isn’t effective at preventing terrorism or is simply too expensive to justify the security it does provide. Others might disagree with their conclusions, but their analysis provides enough detailed information to have a meaningful argument.

The more we politicize security, the worse we are. People are generally terrible judges of risk. We fear threats in the news out of proportion with the actual dangers. We overestimate rare and spectacular risks, and underestimate commonplace ones. We fear specific “movie-plot threats” that we can bring to mind. That’s why we fear flying over driving, even though the latter kills about 35,000 people each year — about a 9/11’s worth of deaths each month. And it’s why the idea of the TSA eliminating security at minor airports fills us with fear. We can imagine the plot unfolding, only without Bruce Willis saving the day.

Very little today is immune to politics, including the TSA. It drove most of the agency’s decisions in the early years after the 9/11 terrorist attacks. That the TSA is willing to consider politically unpopular ideas is a credit to the organization. Let’s let them perform their analyses in peace.

This essay originally appeared in the Washington Post.

(Via Schneier on Security – emphasis above is mine)

Bruce knows at least as much about this as anyone outside of TSA, and one can argue more than most inside. I always appreciate his analysis.


EU Screws Up Copyright Ruling on Student’s Presentation

EU Screws Up Copyright Ruling on Student’s Presentation:

It would seem obvious to me that educational use should be a valid exception from copyright law. After all, copyright exists for the benefit of society, and educating the next generation is to our collective benefit.

The concept of fair use is clearly established in US copyright law, and in fact Germany has a similar law. Furthermore, the EU copyright directive states that EU members can pass laws granting a copyright exception for education purposes.

But this court went against both common sense and existing policies to rule that because the student’s presentation was posted online, the copyright was infringed.

That is a terrible ruling, with a frankly nonsensical justification. It is based on the assumption that putting the photo online was a unique and special thing, when in fact everything is put online these days. It is 2018, and I am surprised the school hadn’t required the kid to put the presentation on Slideshare, Google Docs or some other online service because they wanted the student to learn how to use the online tools.

The fact the court can’t see that is evidence of just how out of date they are and how little they know about modern times.

(Via The Digital Reader)


DHS vulnerability scanning program offline after Virginia office loses power

DHS vulnerability scanning program offline after Virginia office loses power:

Two cybersecurity programs the Department of Homeland Security offers both states and the private sector have been temporarily knocked offline due to a power outage, while other services have been shifted to backup locations, multiple sources tell CyberScoop.

The National Cybersecurity and Communications Integration Center (NCCIC), the 24/7 hub for monitoring cyberthreats across the government and critical infrastructure, has shifted operations to a backup location in Florida. The move was made after the Arlington, Virginia, building that houses NCCIC lost power last week due to heavy rains.

Additionally, two other programs under NCCIC’s National Cybersecurity Assessments and Technical Services (NCATS) — Cyber Hygiene vulnerability scans and Phishing Campaign Assessment — have been offline since July 26.

The Cyber Hygiene program remotely detects known vulnerabilities on internet-facing services. The Phishing Campaign Assessment program is part of a remote penetration testing service. Both programs are used by hundreds of customers across the country. Thirty-four states have received vulnerability scans through the Cyber Hygiene program, according to a DHS presentation given at the National Association of State Election Directors summer conference.

DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra told CyberScoop that the disruption to Cyber Hygiene is temporary, and that election systems will be the first to resume service once the program comes back online. Officials expect scans to resume Aug. 6.

The building housing NCCIC suffered heavy damage when portions of the façade ruptured due to the volume of rain that fell in the Washington, D.C., region. The roof of a restaurant on the building’s ground level failed during business hours on July 26.

… A number of DHS offices are in that building.

CyberScoop has learned that due to the water damage, the building completely lost power, which prevented server rooms used by DHS from staying cool. Once the room reached a certain temperature, a sprinkler system was activated. Those sprinklers damaged servers supporting the Cyber Hygiene and Phishing Campaign Assessment programs.

On Sunday, the NCATS office sent an email to its customers informing them that Cyber Hygiene and Phishing Campaign Assessment were offline and that contingency plans have been put in place.

“In order to minimize the operational impact, we immediately implemented our contingency plans and transferred functions to other sites, including NPPD’s facility in Pensacola, Fla.,” the email, obtained by CyberScoop, reads. “We are working to restore these services as quickly as possible. We will let you know when the service and reports will resume.”

NPPD is the National Protection and Programs Directorate, which oversees NCCIC.

The power outage has had a “minimal impact” on DHS’s cybersecurity operations, Krebs said. The incident has not, for example, affected the department’s ability to respond to cyber incidents or issue warnings to the private sector.

DHS has been at the center of the federal government’s efforts to fortify U.S. voting infrastructure following the 2016 presidential election, when Russian hackers probed systems in 21 states. Last week it was revealed that the same outfit of Russian hackers that meddled in the 2016 election appears to have targeted Sen. Claire McCaskill‘s office.

(Via Cyberscoop)

With the DHS looking to create a central Risk Management program, seeing stories like this does not instill confidence that the U.S. Government, and the DHS in particular, are up to the challenge.

This slays me:

Chris Krebs, the undersecretary of NPPD, told CyberScoop that the department is “taking this opportunity to get some efficiencies into the system, but also to build resilience and redundancy.”

Those are the words uttered after every such event.

By the way, for those not in the know, there is a well-known process called Disaster Recovery and Business Continuity Planning (DR/BCP) that has been around for decades to plan for just this sort of event.


Maybe the National Risk Management Center Will Combat Critical Infrastructure Hacks

The National Risk Management Center Will Combat Critical Infrastructure Hacks:

At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.

“We are reorganizing ourselves for a new fight,” Nielsen said on Tuesday, who described the new center as a “focal point” for cybersecurity within the federal government. Nielsen also noted that DHS is working with members of Congress on organizational changes that can be mandated by law to improve DHS’s effectiveness and reach.

(Via Security Latest)

Based on the recent news from the Boston Globe about TSA wasting resources on zero value “security”, I am skeptical of how useful this will be in the U.S. Government’s security efforts. I seem to recall something similar was in the works over a decade ago.

However, Secretary Nielsen seems to have said the right things in her talk:

  • Risk-based approach
  • Threat evaluation versus threat chasing
  • Focused on specific critical industries
  • Taking an agile development approach to building out capabilities
  • Working with Congress
  • Being the focal point for government

There are unanswered questions. We will get more answers as the process moves along.

I sincerely hope this isn’t another Security Theater opportunity to waste time and taxpayer resources.


A Spectre is Haunting Unicode

A Spectre is Haunting Unicode:

In 1978 Japan’s Ministry of Economy, Trade and Industry established the encoding that would later be known as JIS X 0208, which still serves as an important reference for all Japanese encodings. However, after the JIS standard was released people noticed something strange – several of the added characters had no obvious sources, and nobody could tell what they meant or how they should be pronounced. Nobody was sure where they came from. These are what came to be known as the ghost characters (幽霊文字).

(Via dampfkraft.com)

Ohhh … I like this kind of mystery! Thx to @InfoSecSherpa for the heads up!

UPDATE: & thanks to @polm23 for the original write up!
