Posts by Kratoklastes

Brandis' control-freakery knows no bounds: but don't worry, coz he's finished

I view the amendment that Brandis is proposing as the typical response of a second-rate government lawyer when confronted with evidence of government incompetence: make it illegal to expose government exposing incompetence. Job done, amirite?

This should come as no surprise to anyone who knows anything about Brandis 'QC' - a third-rate Brisbane barrister whose conniving to get 'silk' says more about him than pretty much anything else he has done.

And like all halfwits, Brandis thought that he could extend his control-freakery by fiat, enabling him to keep eyes on all requests for advice from the Soli-General: he took on someone several orders of magnitude smarter than him, and several more orders of magnitude more respected than he is... and he will pay for it with his political life. (Not for nothin', but Gleeson is also better-liked in the legal fraternity than Brandis, but that's a very low bar since Brandis is about as likable as haemorrhagic fever).

My point being: when the ALA calls for your scalp, you're finished as a participant in the legal community, irrespective of what political office you hold. That means that Malcolm "Parachuted Preselection" Turnbull is biding his time before sacking Brandis - literally everyone (including Brandis) knows he's toast.

And given that Brandis is a Dead AG Walking, nobody will support his proposed amendments in committee, so they won't get through.

"Your data is secure" should be the subject of a class action

One thing that you can sticky-tape to your fridge, is that the team responsible for datasec at ABS is comprised of 3rd quintile talent except at the very top (where it will be 4th quintile for datasec, but 1st quintile for brown-nosing and empire-building).

They will all be ASO5 or 6, getting $78k a year, tops - basically exactly in line with average weekly earnings for all-comers, and 25% below the average for full-time male employees in Information, Media and Telecommunications. So expect average intelligence (economy-wide) and average technical expertise (economy-wide), and average (economy-wide) understanding of how to properly implement decent data security.

And then consider how low a bar that is, when sector-specific attributes of all three of those things is low.

Consider that within the tech sector there are a shítload of people whose understanding of data security is woeful - including relatively well-paid, relatively highly-skilled people working at security firms or responsible for data layers at large firms (e.g., notice all the vulns found in high-exposure apps like DropBox, LastPass, etc).

Government does not pay enough too recruit talent, and its workplaces are actively toxic for talent (they are not remunerated well, and they are not recognised adequately, they are not resourced properly, and their feedback is not sought - because it's brown-nosers and triangulators all the way up to the Minister*).

If I am ever prosecuted for refusing to fill out this Orwell's-wet-dream snooping document, I will show the court in real time how easy it is to expose personal data from a government data repository. It won't get me off, but it might help the "failed barrister on the bench"** think a bit harder.

*: disclosure - my youngest sister was a Senior Adviser to the Prime Minister (Gillard). She plays no role in, and doesn't endorse, my view of bureaucrats (as Upton Sinclair quipped, 'It is difficult to get [your sister] to understand something, when [her] salary depends on his not understanding it.').

**: there are some judges who are very smart people and were very good advocates. My old mucker Michael Croucher (now Croucher J of the Vic Supremes) is a good example - we studied economics together and he and I both won RBA cadetships (and we both turned them down). While he has a very sharp mind, and would not be prone to Dunning-Kruger on matters of technical complexity, it remains that he is part of a machine that relies on mediaeval garb and faux-solemn set-piece theatrics to give the process undeserved gravitas, when the average person in the 'big chair' is a bit of a dullard, relative to the average practitioner. Maxim 237 applies*** even if not specifically in Croucher's case.

Smart judges who were good advocates are the exception: the run-of-the-mill judge makes Vosper, Graves and Oliphant JJ (from 'Rumpole') look like Denning by comparison.

**: Maxim 237 from "Réflections ou Sentences et Maximes Morales" (1664) by François, Duc de la Rouchefoucauld, which goes -

"La gravité est un mystère du corps inventé pour cacher les défauts de l'esprit." (Gravitas is a physical charade designed to conceal mental shortcomings).

I hinted at much the same thing myself...

In a comment on ZH - which is worth reprising here.

---------------------------------------------------

Told ya (that the talent-rich phyles are starting to understand the relative merit of uncorking .gov).

Is funny press release like written by Russian, da? Da.

Is lucky we not step in it.

The thing about national-level artificial monopolies - be they in 'justice', 'law enforcement', 'intelligence' - is that they are always <b>fragile</b> (in the NNT sense).

Firstly, they are entirely populated by second-raters: everyone above GS5 is either a 'True Believer' (i.e., gullible as a newborn, and therefore easily soc-eng'd) or a careerist bullshit-artist (i.e., useless for anything except toadying towards superiors and taking credit for underlings' work). At the very top, everyone is employed/installed based on their proximity to that most vile of pseudo-humans - politicians.

Secondly... think what it means when procurement is overseen by, and facilitated by, the types of people in 'firstly'. It means that tech procurement is done in an environment that contains nobody with the chops to evaluate the product.

So everything is acquired by a 'proximity model' - people get contracts because they're linked to, e.g., Chertoff... and once they've had one contract whose flaws didn't get exploited on 0-day, they are at the trough forever.

I fully support everything Snowden did after he left (except that he should have blasted half the entire corpus into cyberspace, and kept the other half as insurance, rather than installing 'curators' - be they never so well intentioned). But bear this right at the front of your mind: <strong>he is not that bright</strong>. Snowden was a high-school washout, and not because he was 'too smart to excel' (I know plenty of people who are like that, and he's not one of them). Yet he rose through the ranks of the alphabet soup agencies <strong>like a fucking boss</strong>.

The security-theatre industry is not staffed with the 'best and brightest'. 'Mudge' - always a nappy in hacker circles - is one of .gov's best, and he's fucking useless. Mudge is the hacker equivalent of Dumb Shitbird (Domscheit-Berg) - someone who tried to coddle up to a genuine talent, then betrayed them the moment someone turned up with enough pieces of silver.

Ask yourself who wants to work for NSA: they have to 'believe in the mission', which makes them obviously incapable of adult levels of cognition, let alone genuine talent.

It's the US corporate obsession with 'IP'

Quite apart from the retardedness of attempting to 'bolt-on' datasec because designers didn't think about it at the design phase, the carmakers' approach to their onboard systems is identical to banks' approaches to their client datasec (including, but not limited to, the security protocols for web interaction).

That approach centres on developing everything themselves, in order to have a proprietary system. That way, the expense is R&D and can be amortised (and/or marked up as an intangible asset).

In the software crypto world, one of the very first things that good crypto devs will tell you is "Do not try to develop your own crypto. P(you miss something critical)=1. Use an open-source library."

And yet time and time again, software firms have implemented their own versions of data encryption - the best example being Microsludge with NTLM (a really sick joke of an encryption protocol) - and it turns out that their 'roll your own' approach was vulnerable to a fundamental exploit (timing oracles, padding oracles, or any of the other shocks that crypto flesh is heir to).

Being crowd-checked isn't a guarantee, as the OpenSSL vulns from last year make clear... but it's a good deal better than having black-boxed code (often code that is badly documented - so if key members of the dev team leave, you can't make head nor tails of it).

Carmakers also know that most car buyers will never become aware of the vulnerability - journalists are stupid, power-craven and technologically illiterate, and so will repeat whatever talking points are being promulgated by the car manufacturer.

I can see it now... a 500-car pileup on a major turnpike, with cars' brakes failing to respond, and accelerators 'pedal to the metal' ; the TV news would say

<blockquote>"Tragedy today on the roads, as global warming caused electrical malfunctions in 500 vehicles. Witnesses say that cars rammed into the pileup - which began with a semi-trailer that had jack-knifed. ISIS immediately claimed responsibility, claiming that it had hacked the systems of the vehicles, however a spokesman for the White House said that this was 'clearly propaganda trying to exploit this climate-caused catastrophe' and that the event reinforced the need to ratify the Paris climate accord. Industry insiders agree: in Detroit is our Maggie BleachedTeeth with a spokesman for Ford. Over to you Maggie..."</blockquote>