February 27, 2004

#include japanese.h

check out japanese for nerds. if you're a nerd. or japanese. or something.


February 26, 2004

crypto for kids

no really, im serious. or at least, the govt is.


security through accountability requires authentication and identification

reading Object-Level Security Through Accountability by Phil Windley. its pretty good, it gives a good argument that accountability is more effective than control. but to assure accountability requires positive identification and authentication to provide trustworthy audit trails.
while some people get scared off at the idea of identity cards with strong encryption, etc. i think it will be necessary in any environment with a reasonable sense of security. give people tokens that will identify themselves to systems and you can keep track of what information passes through what people. that way if something gets lost/stolen/leaked, you positively know who did it. more importantly, the potentially "bad" employee who knows this mechanism is in place is far less likely to steal/leak if they know they can be tracked down.
for some reason that brings me to an episode of "24" i saw (i think in terms of "24" these days): some devious character tries to cover up their tracks and remove their trace from a video log (think of it as an audit log). this fools everybody except for the boss guy (the main character, Jack) who pulls up "hidden" copies of the logs. what the devious character didn't know is that the video is copied to the database in two locations, one known by people at her clearance, the other only known by people at a higher security clearance. a pretty cool trick.


February 25, 2004

finally a cool PKI product

Sony and Validian have come up with what i consider the first cool use of PKI. a fingerprint reading USB stick with a self-contained IM client. you can plug this into any computer anywhere (no drivers needed on most modern machines) and have secure conversations with anyone. unplug and the computer has no record of the conversation (assuming there aren't any keyloggers, etc).
very cool.


why spirit freaked

in case you were wondering, the mars rover freaked out because it ran out of storage space. details here. i guess that problem is not limited to the labs i manage, but is actually interplanetary.


February 24, 2004

beware of everything

a new worm is out there. don't bother scanning your inbox, don't update your antivirus definitions (you do update them, right?). this one comes hidden as a URL from your best friend over ICQ.
techweb reports on the new worm, describing its payload's ability to log keystrokes, search for financial info, etc. by watching keystrokes, secure protocols such as HTTPS are essentially negated, as any passwords that are transmitted safely to your bank are totally in the clear for this trojan which has likely already netted its author a bundle of money.
the worm works by sending you to a site that exploits common browser flaws to install a program (the trojan) onto your machine. that program then sends messages to all your ICQ buddies with the bad URL and the process continues.
the trojan-feeding site for this particular strain is down now, so you can relax a little. but not much. as Ken Dunham is quoted in the article: “All ICQ and instant messaging users should be careful to avoid hyperlinks sent to them by others ... It's very likely that similar attacks will be launched in 2004 through such mediums.”
so be sure to stop communicating with your friends entirely this year, that way you'll be safe. maybe.


February 19, 2004

the world's biggest PKI and what we can learn from it

so this article over at k5 is pretty cool. discusses how the military has set up the world's biggest PKI (Public Key Infrastructure) and has issued over 6 million smart cards that employ it. pretty impressive. be sure to read the linked pages. (use a tabbed browser ;) )
i did a paper on PKI in my first-ever security class. its a pretty cool idea, but really only possible in a context like the military. the whole chain-of-command thing suits PKI very well. all attempts at trying to do this in a corporate environment seem to have problems and don't seem to be all that well-supported by the execs.
so my thoughts are that this is very similar to the SSL CA problem facing the internet these days. right now, if you want to get a secure internet site (i mean officially secure with valid CAs and all), you have to pay for a CA for each site you want to lock down. every subdomain, everything. so what do people resort to? only buy one certificate and have the server identified in that cert host all secure transactions. sure, it works. its not even that big of a deal. but why?
there should be a hierarchy of CAs beyond the corporate monoliths (verisign, thawte, etc). there should be a US CA which assigns national-level certs. there should be state-level CAs, signed by the national ones, which give out regional certs and University certs. the hierarchy of public servers is obvious. this way, when a University student needs to host a secure webpage, he doesn't have to spend $90 for a single-server cert. instead, he can be issued a cert by his Department, which is signed by the University, in turn by the State and the US CA. what about end-users? browsers will have to add the US CA certificate as a "root-level" certificate. too much trust in the government? well why do you trust the 10 Verisign root-certificates already installed in every browser on your computer? why not add one for the government. allow free, public network security.
the same infrastructure could be used for a PKI. every government employee (or student, or whatever) should be able to use public-key-crypto without any effort. i should be able to email my mom securely and she should be able to read it. she shouldn't have to build a PGP web-of-trust or buy a certificate from Verisign. when she pays her taxes, or gets her drivers license, these things should just happen too. why not?
a government is built in a hierarchy: nation, state, region, person. why not take advantage of that? i understand that politics will always get in the way of developing these ideas, that the NSA (or whoever) will try to block individual encryption, but ignore that (please). suppose the NSA gives up and realizes that encryption is coming to the masses and that it is actually a good thing. in order to serve the people best, the government would take what they've learned with the guinea-pig military and apply it to the nation (see GPS, etc). maybe im a big security-nerd and none of this is that important, but hey. i think its possible.
call me a commie, but i think that people shouldn't have to pay some arbitrary company for secure communication and publishing, we already have a hierarchical infrastructure in place called the government. its how roads and schools are built. why not use it?
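as an added illustration (not from the post, and not anything Verisign or the military actually runs), here is a toy model in Python of the chain described above: a self-signed "US CA" root signs a State cert, which signs a University cert, which signs a Department cert, which signs the student's server cert. the names, the tiny constructed RSA primes and the flat cert format are all assumptions; the point is that a browser holding only the root can validate the whole chain, and that nothing validates if the root isn't in the trust store or if a non-CA cert (the student's) tries to sign something.

```python
import hashlib

# Textbook RSA over small constructed primes, for illustration only: real PKI
# uses 2048-bit keys, signature padding and X.509, none of which is modelled.
E = 65537

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))
def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n
def sign(priv, msg):
    return pow(digest(msg, priv[0]), priv[1], priv[0])
def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])
def tbs(subject, issuer, pub, ca):            # the part of a cert the issuer signs
    return f"{subject}|{issuer}|{pub[0]}:{pub[1]}|{ca}"
def issue(subject, pub, ca, issuer, issuer_priv):
    return {"subject": subject, "issuer": issuer, "pub": pub, "ca": ca,
            "sig": sign(issuer_priv, tbs(subject, issuer, pub, ca))}

def verify_chain(leaf, intermediates, roots):
    """Walk leaf -> ... -> a cert in `roots` (the browser's trust store).
    Each link must be signed by a CA cert; only the root is trusted unsigned."""
    cert = leaf
    for _ in range(len(intermediates) + 1):    # bounded walk, no cycles
        parent = roots.get(cert["issuer"]) or intermediates.get(cert["issuer"])
        if parent is None or not parent["ca"]:
            return False
        msg = tbs(cert["subject"], cert["issuer"], cert["pub"], cert["ca"])
        if not verify(parent["pub"], msg, cert["sig"]):
            return False
        if cert["issuer"] in roots:
            return True
        cert = parent
    return False

# Constructed hierarchy from the post: US CA -> State -> University -> Department -> server
NAMES = ["US CA", "State", "University", "Department", "student-web"]
PRIMES = [(104729, 1299709), (15485863, 32452843), (49979687, 67867967),
          (86028121, 104395301), (122949823, 141650939)]
KEYS = {n: keypair(p, q) for n, (p, q) in zip(NAMES, PRIMES)}

def build_chain():
    certs, issuer = {}, NAMES[0]               # root is self-signed
    certs[issuer] = issue(issuer, KEYS[issuer][0], True, issuer, KEYS[issuer][1])
    for name in NAMES[1:]:                     # each level signs the next; leaf is not a CA
        certs[name] = issue(name, KEYS[name][0], name != NAMES[-1], issuer, KEYS[issuer][1])
        issuer = name
    return certs
```

`verify_chain(certs["student-web"], intermediates, {"US CA": certs["US CA"]})` succeeds, while passing an empty trust store or a cert whose subject was edited after signing fails.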


February 17, 2004

ibm brings it on. maybe.

dvorak on how ibm can bring linux to the market, and why they should:
"Windows XP should sell for $29 not $299. This is why Linux has to be put on the fast track. Users cannot pay never-ending forced tributes to Microsoft as if it were the Roman Empire and we its slaves. Right now, the Linux alternative needs some consolidation. To continue my History Channel analogy, there needs to be a Genghis Khan of Linux uniting the warring tribes into one unstoppable force. IBM has the potential to do this."


February 13, 2004

steve learns math

smcgheek: burning a CD with iTunes' smart playlist functionality. very cool
smcgheek: random 80 minutes of music downloaded in past week
dem0nh00d: ah, cool. i still have money on my gift certificate for the music store. need to find some good tunes
smcgheek: ah
smcgheek: stupid. i just said "78 minutes" and it gave me 1.2 hours. so i cancelled it. then i realized im an idiot.
dem0nh00d: hehe


February 12, 2004

productivity spike

i definitely notice trends in my productivity. i think im on a two-week cycle. all of a sudden, im busting out scripts to automate lab imaging, fixing things that aren't my problem, volunteering to go to meetings (well its security-related stuff, which i dig, woulda done that any day of the week).
shoot, even my non-work-related activities are getting more productive. i noticed a new course offered by my old prof that looks appealing, so i set up a wget session to get all the docs, etc. also figured out a way to find good music: iTunes Music Store. before you say "duh" i mean, i go there to find out what's "hot" these days, then i look for that music elsewhere. (in a physical store, of course, right?) i always find myself poring through all this music saying "now what was that band i heard recently? that one tobin likes? or maybe it was bud.. or maybe i just saw them on mtv..."
shoot.. maybe ill even start training again. hmm.


February 10, 2004

everything is hackable

a paper linked to by a recent post at the openbsd journal does a very good job at describing a (hypothetical) corporate network setup, that looks quite secure and then describes how it could be broken into. the author takes a few leaps (assuming the insider-attacker happened to get a trusted internal IP address is the biggest one) but it is all very plausible.
he elaborates on the (again, hypothetical) response by the company's internal security team, going into nice details.
anyone who thinks that even one of the most (if not the most) trusted Operating Systems in the world is unhackable, think again. everything can be broken. the point is to minimize potential opportunities, potential damage, and "be prepared" by keeping up with patches, using a secured loghost, deploying network IDSes, educating users, and finally never simply trusting internal networks (don't forget Troy ;) )
go straight to the paper.


"terra rap" hits the UK

from the plastic article describing:
The lyrics brag about the attack on the World Trade Center, claim that Bush and Blair will be "thrown inna fire," condemn a range of Arab and Western leaders as "dirty infidels" and generally exhort Muslims to battle.
apart from the obvious concerns raised by music that exhorts anyone to battle, my inner, paranoid, privacy/security-advocate cringes at the sentence:
My apologies for being unable to find the actual website where you can order the video, but if I had, would you really want to take a chance on clicking the link?
take a chance? like, are we scared to be labeled terrorists for watching that video? well, im scared that im expected to be scared of watching a video, thats for sure. think about it.


February 09, 2004

life on the coast

i really haven't taken advantage of living on the california coast too much in quite a while. when i first moved here, i surfed all the time and regularly went to the beach, but not anymore.
last night we did a very coastal thing, we joined andria's sister-in-law Ellen and some of her coworkers at a bonfire at the beach. it was one of those beaches you can drive up on (near Pismo) and just park on the sand and light a fire.
we mostly just sat around, eating awesome clam chowder (in breadbowls, plus i had a corndog, yum) from the Splash Cafe in Pismo. we rolled into a few games kinda similar to "Six Degrees of Kevin Bacon" and kept it rockin with some Marley and even a bit of A Tribe Called Quest.
very mellow, very cool time.


February 02, 2004

rumble rumble

i just heard a good 5 seconds of continuous thunder. i dont think ive heard thunder like that in years. not in santa barbara, thats for sure. its raining pretty hard now, i can see the grey concrete of the library is streaked with near-black wet lines. one gutter is broken and a river is gushing from the bottom rail of a 5th story window in a waterfall to the ground. the trees are all drooping, looking sad. i know they're happy though.
just below the window is my bike. that i have to ride home on. whoops. i can't believe that i wanted to ride this morning instead of taking the bus. didn't bother to look at the weather report, serves me right. on the irony front, andria and i had a bit of a tiff this morning on the very topic of riding bikes or taking the bus. if i had only thought to watch the weather this morning, all of that could have been avoided. ok, not really, but it makes ya think.
the rain does strange things to one's mood. lots of people get depressed, many get excited. i seem to just introvert (is that a verb?) a bit more. maybe its the "downtempo musique" ive got on iTunes radio right now, or maybe its the self-conscious entry i just read at WWdN, but it got me writing. and thats always a good thing.


pretty cool/easy markup

this system (used by freebsd maintainers, for starters) seems like a pretty useful, easy process for translating simple text files to formatted html. kinda like docbook mixed with wiki.