Wednesday, October 31, 2007

Worm in the Apple

That a 'progressive' techie company with an admittedly geeky CEO will not protect its customers' best interests and privacy is indeed lamentable. Apple will not accept cash or even its own gift cards for the purchase of an iPhone. I know there are companies that will restrict the number of items sold to an individual buyer - that's fine, you want everyone to get a chance to buy the product - but explicitly forbidding cash and gift card transactions for a particular product is not only very unusual but very shortsighted as well. Let's hope they change their minds and do their part in protecting privacy (each cash-paying customer = one less credit card record to worry about!).
Be safe (and pay cash for the Zune!)
Just kidding, of course :-)

Friday, October 19, 2007

Counter to Intelligence

A top US counterintelligence executive says (http://www.cnn.com/2007/US/10/19/cyber.threats/index.html) that US networks are far too easy to hack into, and that nearly 140 intelligence agencies are trying to get in illegally.



First of all, how do they KNOW it's exactly 140? Maybe it's just the top 5 trying 28 different ways; possible, isn't it?



Top 5 in my opinion? China, Iran, Pakistan, Saudi Arabia, Venezuela.

My wild guesses, needless to say. Most probably I'm wrong, or most probably I'm right. NSA is not talking.



Humor aside, the threat is very real - and not just to the US, of course. The UK has also been reeling under similar threats. I blogged about this earlier on how China was using its extramilitary agency to do its dirty work. Conveniently, you can then deny any responsibility for a 'renegade' organization's crazy plans. Too convenient.



What are the chances and what would be the impact/result of such an action taking an evil course, where the motive is not just to break in and snoop around a little but actually DO something?



Before we get into that, let's see what the current setup is.



a. Security awareness is pathetically low. People can be 'social-engineered' - if you have to Google the term to know what it means you're vulnerable already.



b. Security implementation is even worse; people pay very little attention (and respect) to physical security. If you have a sensitive server you want to lock it down OS-wise and physically as well so nobody can just push a button or disconnect cables.



c. Knowledge of key security concepts is woefully lacking. Most people wouldn't be able to tell you what encryption means (technical answers only).



d. Attitudes are also a problem -- people don't seem to appreciate what it means to be secure and what could happen in a non-secure environment in case of a threat. Further, they tend to treat security as an inconvenience rather than a safety measure (think seat belts in the 60s).



I'd like to stop here with the first part, and proceed to what connectivity means.



Connectivity means you place a call from your cell and turn on your microwave. It means watching a program recorded on a SlingBox-like machine, from across the world. It means paying your local Texas utility bills from Nigeria. It means logging in to work from an airplane. It also means the ability to get into someone else's computer without their permission. And do it anonymously, leaving no traces or leaving confusing, contradictory traffic patterns.



Therefore, when hackers penetrate a network and get into a sensitive machine they have the ability to shut down the entire water supply of, say, LA. They have the ability to shut down entire grids and freeze a country to death in the winter or boil a country alive in the summer. In essence, connectivity is a fantastic enabler of technology-based synergy, and it's also a huge liability when it comes to destructive ideas.

Like a row of dominoes, it's possible to take over all the computers of a company by logging on to the weakest one and going from there. As they say, a chain is only as strong...



What is the current threat level? Answer: VERY high.



Being ultra-secretive by nature, unnamed govt organizations - those that don't have an abbreviation or an address, whose budgets are unlimited and whose oversight is equally limited or nonexistent, but whose responsibility it is to protect the nation's security interests - may not always come clean.



A simple conjecture on my part with no facts: If they bet on security via obfuscation, everyone is in deep trouble. Security gets stronger by spreading knowledge of its existence and not by hiding it.



Consider an example: There are 2 houses, one with an electrified fence that says so boldly outside, and one with an ordinary fence that says "Beware of dog."

Honestly, which one would you pick if you were up to no good? I'd pick the one that says "Beware" because while I don't know what kind of a dog it is, it's a living thing, and all living things are mortal and also vulnerable to temptations of many kinds.



I'd avoid the electrified fence because while it's a known entity, it's also obviously dangerous. There are people that might say - you can cut off the power to the fence but you never know what the dog can do. However, which is easier: hunting for an electrical connection to mess with, or throwing a bone in the direction of the threat?



Anyway, I don't want to extend the example too much, but you get the idea.



In encryption technology, the key is the key and not the algorithm. The algorithm is public but the key is private, much like every home has a lock that is visible to the world but only the owner has the key to it. Therefore, security by obfuscation is a patently insane way to think about protection and safety.



What should the government do?



a. Hire the best security experts - with the highest clearances - and let them run amok. Get them to hack into whatever system they want (read-only activities, please) and document all moves. Identify with their help the best way to stop such threats.

b. Hire white-hat hackers to do the same job in the most unorthodox ways possible - including social engineering - and again identify weak spots and fix them ASAP.

c. Institute STRONG security measures throughout: no USBs, no portable drives, no cameras, no cell phones, no pagers, no electronic equipment at all in sensitive zones.

d. Implement signal jamming - so that cell phones do not work inside and also no signal (such as keyboard/console) leaves the perimeter.

e. Strong physical controls - use of biometric authentication methods for all systems.

f. Auditing at every level for every phase of the working of the organization.

g. Strong firewalls and private VPNs with absolutely no access to the Internet at any time.

h. Logging of all incoming and outgoing packets for disassembly and analysis later on.

i. Forbid the idea of the remote office (no 'working from home' business).

j. No laptops - and if any are issued, with self-destructing and beaconing software, and with AES 256 or higher (it's the govt - they're bound to have the best already, unreleased) encryption.

k. All desktops completely encrypted; all internal network communication also encrypted.

l. Use of client certificates to be enforced.

m. Multifactor authentication at remote sites also - syncing with the mothership for every change within a few seconds for maximum protection.

n. Logging of all login/logout/download activities, cross-checked immediately with the employee to confirm they are indeed performing the operation.

o. Quadruple the existing security budget, hire the best and pay them very well.

p. Bonuses based not just on performance but on security proficiency and the security level of the department.

q. Continual training on the latest threats, hacking methods, and countermeasures.

r. Punish any lapse immediately, with severity going up exponentially with each recurring lapse (first probation, second suspension, third termination).

s. Reward good security practices by recognizing the person, and publicize as much as possible.

t. Random deep-dive audits.

u. Keep all software patched (including and especially the OS), and ban all external, uncertified software (glue up the CD-ROM, USB, and floppy drives if they exist).

v. Keep a record of all software deployments and have a plan B and a plan C in case a deployment fails or a problem is found, and so on.

I really doubt that foreign agencies will stop trying, and I really doubt the US is keeping quiet, either. I'm sure it's checking out the checkers as soon as it detects any penetration attempt and maybe does so even proactively.

Ultimately, security is not just about installing the latest patches or using the latest encryption techniques (like Quantum encryption methods used in Sweden for voting integrity), but it's about a mindset; it's an attitude that asks fearlessly, "What's the risk in doing this and how can it be done in a more secure way?"

Be safe!

Wednesday, October 10, 2007

TxDOT's Dumb Move

Spying on Motorists?
http://www.khou.com/topstories/stories/khou071010_jj_txdothiddencameras.158456566.html

It is one thing to send out surveys based on rough demographics, but it's totally another to send out surveys based on SPYING on your movements; and then have the gall to ask why you were where you were, and what your ultimate destination was.

In an ill-conceived move, TxDOT spied on motorists by taking pictures of their license plates, then mailed out surveys asking the recipients about their trip. Who cleared this idiotic project, which cost nearly $800K?

Apparently this has been going on for some time in other states; I wonder why nobody said anything. There is no information on what they'd do with the data (other than "plan" for the future in terms of highway construction and traffic patterns). How long is this data going to be stored, who will have access to it, and most importantly, what ELSE are they planning on doing with it (in the future)?

Is this information subject to discovery in case of a lawsuit against one of the travelers? What liability does TxDOT expose itself - and the travelers - to in implementing such projects?

It's obviously not sufficient that Houston has a ton of red-light cameras, cameras on streets, in malls - well, everywhere, but this particular move is more Orwellian than anything else I've heard. In my opinion this is a serious breach of privacy, even though the cars were traversing public streets. How many people do you identify based on their license plates? Either you know them or you don't.

Figuring out people's identities based on their license plates, then sending them surveys asking them about their travel that day: this constitutes nothing but a blatant disregard for privacy and security of an individual's lifestyle and movements within the country.

I strongly feel they should immediately stop any current project and scrap all future ones, destroy all data obtained via stealthy photography (The cameras were hidden inside orange drums!) and surveys, and finally APOLOGIZE to everyone that was affected.

I am not saying that the govt should stop surveying people for information on how best to plan future highways, but the methods can be easily much more civilized and respectful than the one being used right now.

Be safe!

McAfee to Acquire SafeBoot

In a perfect fit, McAfee has announced its intent to acquire SafeBoot. SafeBoot provides encryption technologies that apply to end-users. Using this software, enterprises can mandate that all files/folders be encrypted on all machines, including fileservers.

As the risk of data loss via theft grows higher by the day (driven more than anything else by the shrinking size of computing devices, which brings ultra-high mobility in a highly insecure environment), it's becoming more and more urgent for companies handling sensitive data to protect the users whose data they hold.

As the many headlines scream about how large companies are getting clumsier with their data, a movement among both users as well as the govt policy makers is gaining ground to punish such companies whenever they lose data on account of insufficient security, negligence, internal fraud, lack of audit control etc.

One other motivator for organizations to implement data encryption on all machines is that even in case of data loss, a disclosure to the effect is not needed as long as the data was encrypted. This can help them save face while they try to track the miscreants.

There are many companies offering solutions for disk encryption (including Microsoft, of course), but the differentiator will be not only cost but also ease of use. The harder a piece of software is to use, the more likely it'll become shelfware.

McAfee has a great advantage here - its products are transparent to their users, and a deployment of its encryption solution could be made painless using its ePolicy Orchestrator software.
Overall, this is a very good purchase because the market for such solutions is not only nascent and growing, but the growth is expected to surge as more and more companies decide to go for data protection on all of their systems - both mobile (laptops, PDAs, mobile phones etc) as well as stationary (desktops, fileservers, storage systems, database servers etc).

Be safe!

Monday, October 8, 2007

Google and DoubleClick

In a very interesting article, Jeffrey Chester (http://www.alternet.org/story/64214/?page=1) goes over how Google's well-publicized intent to buy DoubleClick could have serious ramifications for an individual's privacy, especially if that individual uses the web a lot: from random surfing to online shopping to playing online games to using sites such as Facebook/MySpace etc.

Consolidation: Impact on News Coverage
-------------------------------------------

Mr. Chester raises the specter of a few large conglomerates controlling not just 'benign' online content (such as 'fun, entertainment' sites) but also the 'serious' sites, such as those that deliver the news. That ideally should concern everyone - not just netizens - because online news in the near future will overtake physical media (such as newspapers, magazines) as the most common/popular way of getting to know what's going on around the world.

It's certainly not unusual for news channels to have a specific philosophy (politically), and the way they portray world events very strongly suggests that partisanship overrides any semblance of the truth. When such media are not large or do not have high penetration levels, they are usually ignored. However, it's when they become pervasive (via ownership of multiple channels) or become the only entities that have the breadth to cover large areas that they start to raise alarms. Unfortunately, by that time it'd be too late to do anything about it. Media behemoths could simply crowd out the smaller, independent channels using money power, advertising prowess, political connections, and lobbying for favorable laws (lobbying costs huge sums of money, something which smaller channels do not have).

Data Aggregation: Impact on Privacy
-----------------------------------------
The thought that a computer somewhere knows your 'secrets' and is quite capable of creating a psychological profile based simply on your mouse clicks and the places you visit on the web should be unnerving, but it's not to most people that use the web. And why would that be?
Simple: Lack of knowledge, education, and curiosity about how things work. As long as you're fed your daily fix of the news (Infotainment, really; when did you last see hard news on TV?), you're happy and satisfied. Why unnecessarily take the trouble to figure out WHY you read WHAT you read!

Imagine if your neighbor comes to know your deepest, darkest secrets; even what you think about or are capable of thinking about (Minority Report, anyone?) - will that be a source of unease/concern to you? It should be if it's not already. Now imagine if millions of computers (and very likely thousands of people) know about what you clicked, your intent in doing so, and maybe even what you'd do next - and why. Again, something to worry about when you can't sleep at night.

Combine Google's power of serving advertising to nearly all (including physical) media with its knowledge (thanks to DoubleClick) of your exact behavior when you are online. If you cannot see what's coming, you need a stinging splash of cold water on your face.

The next step, in my opinion, will be the creation of something like a 'life-model' - a model that constitutes EVERYTHING that is you, for EVERYONE on this planet, and this model will keep growing in intelligence and get closer to the real you with every click of your mouse and every tap of your keyboard. By now the reference to 'Big Brother' is redundant. Google is already on your computer via its toolbar and search utility, and it's also in your office via its web-based productivity software. It knows about your pictures - via Picasa, about your outpourings on any and all topics - via Blogger, your search patterns - via its all-powerful search engine...and so on.

This information is WAY more than enough to construct a halfway-decent model of you (powered by a well-populated database, which GOOG already has, and data mining software, which is not rocket science). So, as it stands today, GOOG knows more about you than anyone else (assuming you use Google services frequently), and DoubleClick is going to help it connect the dots where the data is patchy or missing. Of course, this is not to say that other companies do not have the dirt on you -- they do. Any search engine website that you use is perfectly capable of storing such information on you forever.

I am not one for conspiracy theories, but recent developments involving large companies (such as News Corp's acquisition of MySpace, the rumored - potential - investment in FaceBook by MS, rapid buyouts by GOOG of various tech companies, YAHOO's purchase of Zimbra, MSNBC's purchase of NewsVine etc etc etc) have me thinking about the eventual direction of everything that makes up the Web, the most visible part of the Internet.

Yes, it's true that smaller companies will either go under or get bought, and that as large companies become slower at innovating as time goes on they must purchase new technology outright, mainly from small companies since they are much more nimble and not restricted by any shareholder or investor pressures.

This wave of consolidation, fueled by - among other factors - a most favorable market where:

* interest rates were/are low,
* intense competition rage[sd] to capture eyeballs and dollars,
* money velocity was high,
* shareholders didn't care as long as their holdings appreciated,
* governments have been revolving doors for bureaucrats-turned-lobbyists,
* apathy and lack of concern by the general masses reigned supreme,
* lawmakers, some of whom in my personal opinion may not be very tech-savvy, create unsound tech-related laws that affect us profoundly,
* lawmakers, some of whom in my personal opinion are beholden to corporate interests, do right by them and hurt the general public,
* and, the leaps in technological accomplishments far outstrip any little jumps in laws serving to keep their uses legal and legitimate

will change the direction of how we view the world, and how the world will view itself - and maybe how the world will develop, too.

My first concern (as is the author's) is not only that the pipeline of news will be controlled by a handful of corporate monsters dedicated to making profits and keeping investors sated, but also the idea that the news can also be easily MANIPULATED by the same guys. If you have but one source, how will you verify what you see?

In the ancient Indian Scriptures - the Vedas - it's said that doubts should be/can be cleared via either your Guru (the spiritual master), a Sadhu (a learned person who's not your Spiritual Master), or the ultimate authority - the Scriptures themselves. That way a doubting mind can make sure it's free of all doubts when/before it learns something new.

In these times, the ultimate authority is missing, and the rest don't even matter since they're tainted by their bias and assorted illicit relationships. Where's a truth-seeking person to go!

My second concern stems from the privacy aspect. SO MUCH information in SO VERY FEW hands is a great cause for worry. As the cliche goes - Power corrupts...It's not that these data brokers and analysts WILL misuse the data (of course, they easily could) but that hackers and criminals will truly rejoice: it'd be like a pack of bank robbers in an unguarded bank. I am not saying that these monstrosities will leave their data unprotected, but that the temptation is extremely high to hit once, hit hard, and spirit away as many GBs of data as possible. Needless to say, every record that's stolen could cause a new case of identity theft, blackmail, or worse crimes.

More likely than not, the threat will come from insiders rather than complete strangers. Therefore, extremely strict rules and policies should be enforced when it comes to handling sensitive information, and very severe penalties should be levied both by the company on the employee and by the govt on the company.

My appeal to the government would be that they should step in, investigate ALL such deals (targeting any one company for political reasons would be most deplorable), and evaluate:
* the types of data being collected,
* the big picture when all data are combined,
* and finally the impact on users if such data were stolen.

Further, there's a desperate need for stronger consumer protection laws against misuse and abuse of such sensitive information both by the holders of the data as well as by hackers.
I'd urge the government to institute a technically adept panel (with no members having any vested interest in seeing results go a specific way) to research the data aggregation and advertising industry, and recommend reforms and strategies to protect users from this stealthy onslaught of the information merchants.

Be safe!

Friday, October 5, 2007

DomainKeys

Recent news has YAHOO and eBay (among many others, I'm sure) announcing that they will now use DomainKeys to counter phishing and other such scams.

DomainKeys, a technology developed by YAHOO, is based on PKI. When a mail server implements DK technology, all of its validated outgoing messages are signed by the private key part of the public-private keypair, and the public key lives on its DNS.

The receiver, if DK-aware, will check the DNS, extract the public key and then validate the message as being from the sender. If the keys do not match or if the DNS does not have the key, the message can be dropped. Combined with whitelists, and maybe other technologies such as SPF, CSV etc., it will be possible to cut spam.

It is always possible that spammers will sign their messages using DK, but then they cannot hide themselves and can be easily traced. On the other hand if they do not sign their message then it's likely their messages can be dropped (assuming all mailservers/ISPs go to DK eventually).

DK is backward compatible, so it won't break existing systems. One other thing that DK ensures - other than non-repudiation - is integrity. That's because the message body is signed, and if the receiver detects that the message has changed (by comparing the hash *of* the message to the hash *in* the message header) it can flag/drop it.
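The sign-then-verify flow described above, as an added example that is not code from the original post or from Yahoo's DomainKeys implementation: a sender signs the body hash with its private key, a receiver looks the public key up by selector and domain and checks both origin and integrity. The RSA key is a deliberately tiny textbook key, the `FAKE_DNS` dict stands in for the `<selector>._domainkey.<domain>` TXT record, and the header layout is a simplified `DomainKey-Signature` (real DK uses RSA-SHA1 with padding and header canonicalization).

```python
"""Toy DomainKeys-style signing and verification (illustration only)."""
import hashlib
import re

# --- constructed textbook RSA key: far too small for real use ----------------
P = 2305843009213693951            # 2**61 - 1, a Mersenne prime
Q = 2147483647                     # 2**31 - 1, a Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

# Constructed stand-in for DNS: "selector._domainkey.domain" -> (n, e).
# A real DK verifier queries the TXT record with exactly this name.
FAKE_DNS = {"s1._domainkey.example.com": PUBLIC_KEY}


def _body_digest(body: str) -> int:
    """Hash the message body; the toy key forces a reduction modulo N."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % N


def sign_message(body: str, domain: str, selector: str, private_key) -> str:
    """Return a simplified DomainKey-Signature header covering the body."""
    n, d = private_key
    signature = pow(_body_digest(body), d, n)      # sign with the private key
    return (f"DomainKey-Signature: a=rsa-sha256; q=dns; "
            f"d={domain}; s={selector}; b={signature:x}")


def verify_message(header: str, body: str, dns) -> str:
    """Verify a message the way a DK-aware receiver would.

    Returns "pass" or "fail: <reason>"; a mail server would log the reason
    and then flag or drop the message.
    """
    fields = dict(re.findall(r"(\w+)=([^;\s]+)", header.split(":", 1)[1]))
    key_name = f"{fields['s']}._domainkey.{fields['d']}"
    public_key = dns.get(key_name)
    if public_key is None:
        return f"fail: no public key published at {key_name}"
    n, e = public_key
    recovered = pow(int(fields["b"], 16), e, n)    # hash recovered from signature
    if recovered != _body_digest(body):
        return "fail: signature does not match body (altered or wrong key)"
    return "pass"


if __name__ == "__main__":
    body = "Your order #1234 has shipped.\n"      # constructed sample message
    header = sign_message(body, "example.com", "s1", PRIVATE_KEY)
    print(verify_message(header, body, FAKE_DNS))                         # pass
    print(verify_message(header, body + "Wire $500 now.\n", FAKE_DNS))    # altered
    spoofed = header.replace("d=example.com", "d=evil.test")              # no key
    print(verify_message(spoofed, body, FAKE_DNS))
```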

There are some concerns with DK -- it won't stop SPAM, it will simply help in determining the sender of the SPAM. Secondly, it can be exploited for message replay abuse, and that can damage the reputation of a valid sender. That's where technologies such as SPF can help.

In any case, this is a good beginning and much more publicity is needed for this nearly 3-year-old technology.

Be safe!

Monday, October 1, 2007

GAP in Data; New Algorithm to Keep 'em Guessing...

Two things caught my eye(s) today.

a. News that a third-party vendor of GAP had a laptop stolen; it contained personal details of almost 800,000 job applicants. No, my fingers did not hit too many zeroes. Really: 800,000.
Read it here: http://deseretnews.com/article/1,5143,695214147,00.html

Further, to make things worse, the data were not encrypted - contrary to the contract. Yes, good old plaintext so that even a 5-year-old can learn the numbers from 1 thru 800,000. There's that pesky number again!

Not sure how many times I've noted on this blog about the importance of encrypting disk drives, but I'm sure unless there's mass action against careless and negligent data owners not much will come out of any amount of outrage.

b. LAX is utilizing a thesis by USC Ph.D. student Praveen Paruchuri to randomize vehicle inspection schedules and locations.
http://www.latimes.com/technology/la-me-airport1oct01,1,5185510.story?coll=la-headlines-technology

The thesis studied the impact of random police patrol schedules on home burglaries, and similar logic is being put to use to contain/check terrorism. The idea is that terrorists will have no dependable or predictable way of knowing when the next check will occur, or more importantly, where it will occur. Definitely one way to keep them guessing, but without human intelligence, all of this can easily come to nought.

It is my strong opinion that no technology or innovation can replace simple, direct human intelligence (or 'humint'). If you have ever read up on how Israel guards her airports, one thing you'll note is that the commandos are also expert psychologists, trained very highly in the art of reading posture, body language, gait, eye movements etc. Essentially the human element is brought in a frank manner, and any suspect is sure to know he's being watched. That'll only make him/her more self-conscious, rendering the task of catching them easier. Needless to say, Israel also supposedly deploys a lot of 'regular-looking' experts so they can observe people more inconspicuously. Easier looking at a person than the business end of a machine gun, no?

Needless to say, nobody's belittling the fantastic effort from this student, but one should also get priorities right in terms of what works (well). People affect people more than technology can ever hope.
Example -- What would a hypothetical terrorist be more wary of and seek to avoid: a strict-looking police officer or a camera that reads faces and does biometric analysis? No question - both are terribly important in these times and are quite indispensable in preventing 9/11s, but then each has its own place, and say what you will - the flesh-and-blood person in uniform is infinitely more unnerving than a whirring lens.

Be safe!