Archive for 2010

Nice privacy policy

Thursday, December 9th, 2010

Too true – especially for consumer-facing sites:

http://www.itworld.com/print/129778

Enjoy.

WikiLeaks – what do you think?

Monday, December 6th, 2010

What do you all think of the latest WikiLeaks disclosure? To be more specific:

  1. The leak itself – do you think it’s actually meaningful or damaging?
  2. Do you buy the US government’s claims that it puts people at risk?
  3. Do you think the leaks harm US interests?
  4. Do you think this is a failure of internal controls in the US government?
  5. What sort of controls do you think the government should have had in place to either prevent this from happening or to prosecute the people who leaked it?
  6. Do you think the WikiLeaks organization did anything wrong and should carry liability, or only the person who leaked information, or nobody at all?

Here are my views … I’d love to hear yours:

  1. Meaningful or damaging?
    Not at all meaningful — did you read any leak that did anything more than put in some diplomat’s own words something everybody already knew?
  2. Puts people at risk?
    I think the US government is over-reaching here. Really? Put who at risk? Give a single example. That goes for all past wikileaks too – if you’re going to claim that people are harmed, then give at least one example!
  3. Harms US interests?
    It’s a bit of embarassment, but really — there was no new information in the leaks. For example, I would think that citizens of Arab countries already knew that their government was scared of the Iranian nuclear threat and wanted the Americans to act. Can they really be so stupid as to think otherwise? To think so is at least condescending. I think the US reputation was harmed somewhat, but only by the fact that the data leaked, not by the content of the leaks themselves. i.e., damage from “How could you let so much of this data leak out? How incompetent are you?” rather than “Wow, I didn’t know that about your internal policies!”
  4. Failure of internal controls?
    If you don’t want something leaked, clearly you don’t share it with thousands of people! Clearly, this was a failure of controls, but arguably someone looked at the data and classified it as very low risk even if it leaked, and consequently didn’t protect it. That decision may have been reasonable, while the government effort to hush it up afterwards is more of an embarassment.
  5. What sort of controls are needed?
    Well – if they limited document downloads to one at a time, if they authenticated users who search for and download these documents, if they logged access and if they watermarked documents with the ID of the user who grabbed them, they would force users to take personal, legal and possibly criminal liability for their use of these documents. That seems to me to be the right balance between open information sharing and accountability. Now that the leaks have happened, I think it’s almost inevitable that the (useful) data sharing program will be replaced with some sort of draconian controls, due to government over-reaction.
  6. Did WikiLeaks.org do anything wrong?
    The person who leaked the data certainly did break the law. I doubt WikiLeaks.org did anything unethical or illegal, but I am not a lawyer.

I would add to this that the American government response to this whole incident has been nothing short of embarassing. I’m embarrassed for the US government — for making wild claims about the harm caused by these leaks (what harm? seriously?) and about the strong-arm tactics they seem to be using to suppress further distribution (shutting down WikiLeaks’ DNS service, Amazon web hosting and most recently PayPal account).

Latest WikiLeaks: watermarks and IAM?

Thursday, December 2nd, 2010

The main buzz around the latest dispatch from WikiLeaks is about the content – and I have to agree with most people who have commented on it – the response amounts to “Yawn, really, that’s what all the fuss is about?”

The process of the leak itself is more interesting. This was a mass download of a bunch of data that various US government agencies were intentionally sharing. Sharing is good, especially for low-risk data such as this. On the other hand, the US government didn’t actually want the data to leak outside of itself, and given the thousands of people with access, that’s a tall order.

So how do you share something with thousands of people while still minimizing the chances that one of them will release it?

Well …. first, you should change the access method to be “one document at a time” rather than “all at once.” I have to assume they actually did do that – but someone scripted a bulk download of these documents.

The second step is to impose some sort of economic cost on anyone considering a breach of protocol by releasing the content. This is where some people jump up and yell “Digital Rights Management!” and where I claim “No! DRM Sucks!” 😉 Actually, I think a much more benign solution is to apply a hard-to-detect, hard-to-remove watermark to individual documents downloaded from this sort of database. Basically, if I download a file from this database, the file should be marked up in some way to indicate that it was me who downloaded it. Anyone can read it – but at least people in authority should be able to figure out that it is my download they are reading.

That’s watermarking, and it has lots of applications. I think Apple is using this approach when they offer unencrypted MP3 downloads on their music store – you can download an MP3 and play it on any device, but somewhere in the data stream is an indicatino that it was you who downloaded it. If they find the same MP3 on BitTorrent later, they know that you shared it. If you know that they will know that, you are much more likely to violate their terms of use, because you bear some legal and possibly financial liability.

Same thing with the WikiLeaks documents – if the feds had used a file format that allows for watermarking and had marked up downloaded documents, then legitimate users, including whoever actually leaked the content, wouldn’t have been so eager to let the cat out of the bag.

Technologically, you need some sort of watermarking system and, of course, an identity and access system — users have to identify themselves and authenticate before they can download this stuff, else the central server wouldn’t know what to put in the watermark.

In fact, this raises another question – don’t they log who downloads content? If they don’t, then they deserve the outcome they got. If they do log, then they should already know who downloaded all this content.

That’s my $0.02 for today.

— Idan

How to guess your password…

Thursday, August 26th, 2010

Interesting post at
lifehacker.com
about how John Pozadzides would go
about hacking someone’s password.

While it’s nothing new, it does revisit good advice that everyone should
follow: avoid passwords that are based on names of people close to you,
don’t think that sticking a digit at the end of your password makes it secure,
etc.

What it does do is make the same mistake that lots of “password security”
advice does – which is to assume that an attacker can test millions
of guesses per second. That’s only true if the attacker has access to
the password hashes, which usually means that he’s already got physical
access to your computer or has compromised the security database of an
application you sign into.

That’s a big assumption and I would venture that it’s almost always false.

If an attacker has to test passwords by trying to sign into one of your
accounts using a script, he’s unlikely to get more than about 1 guess
per second and he’s quite likely to trigger a lockout after a few tries.
Moreover, many on-line login systems now use CAPTCHs, so he can’t even
script the attack.

In short: protected and inaccessible password hash databases, slow
interactive login screens, intruder lockout mechanisms and CAPTCHAs
make brute force attacks, even optimized with good dictionaries, pretty
much useless, unless your password is *really* bad.

John also suggests that your bank account is linked to your e-mail
address, so a compromise of your e-mail could also compromise your bank
security. That’s a bit of a stretch, in my mind. I can’t comment about
all banks, but none of the financial institutions that I do business
with even know any of my e-mail addresses.

So here I’m just curious: does your bank use your e-mail address as an
out-of-band authentication factor?

Developer access to production systems? Sure! (sometimes)

Wednesday, August 25th, 2010

Interesting blog entry on

serverfault.com about whether and when to grant developer access to production systems.

It’s a good read – if you’re a developer or an admin – go read it.

The one thing I can add to the discussion is simply this: it’s not an all-or-nothing question. It’s reasonable, for example, to grant developers admin-level access to a production system in the context of resolving an emergency outage, or troubleshooting a hard-to-find problem, or performing a complicated version upgrade, or even as backup resources if all the normal admins are unavailable (home sick, etc.).

Operationally, it’s pretty straightforward to do that using a privileged password management system. That’s because PPM systems randomize passwords regularly (e.g., daily or even more often), so giving a developer the admin password to a production system does not imply that he’ll still know it tomorrow, or even that he’ll know the admin password for some other systems. A PPM system can also be used for workflow authorization of the temporary access grant, audit logs, etc.

the unpleasant intersection of government, security and privacy

Sunday, August 22nd, 2010

A couple of unrelated but similarly themed stories making the rounds:

  • Seems that someone is trying to intimidate Julian Asange (of wikileaks fame) by fabricating and quickly withdrawing criminal charges: skunkpost.com.
  • Seems like the Elections Commission of India is trying to muzzle a security researcher who pointed out that their electronic voting machines are vulnerable to tampering: indianevm.com and usenix.org

In both cases, the uncomfortable theme is that governments can use their coercive power to try to silence critics, and that especially includes critics who try to shed light on uncomfortable truths…

12 character passwords required?

Thursday, August 19th, 2010

An interesting write-up at
technology-science.newsvine.com
and elsewhere. The original content for this appears to be here:
www.gtri.gatech.edu.

Sounds like the good folks at Georgia Tech have worked out how fast they can
crack passwords (i.e., validate whether a guessed password matches the hash
from a password database) using a GPU. They don’t seem to mention which
password hashing algorithm they are attacking, but they do point out,
in the way that responsible journalists never would, that an attacker would
of course have to have a copy of the password hashes first.

The first line of defense in most password systems is to prevent attackers
from getting the hashes. So long as that works, this whole class of attack
is irrelevant. Something sensationalist journalists (hey, that rhymes!)
fail to point out.

So what have we learned?

  • GPUs can be used to more quickly brute-force passwords, if you have
    managed to compromise the password database.
  • In cases where the password database remains inaccessible to attackers,
    this is irrelevant.
  • Take any sensational claims about security with a grain of salt.
  • Passwords are insecure! Passwords will be gone soon! (Yeah, right.
    We’ve heard that for 20 years, and it just doesn’t seem to come true).

Good corporate citizenship…

Tuesday, August 17th, 2010

Wow – we used to think of Microsoft as a scary company.

In just one week Oracle has promised to eliminate live source code repositories for OpenSolaris, effectively making it “not quite open” (blogspot.com) and filed a lawsuit against Google over its use of the Java programming language (www.computerworld.com).

Nice to see that they are putting Sun’s assets to good use.

To the folks at Oracle: is this the sort of behavior that your customers ask for?

E-mail, social media passwords the same: who cares?

Monday, August 16th, 2010

Two blog posts in one day – that’s a first! 🙂

Interesting read at securityweek.com (OK, I first found it on slashdot).

The gist of it is that many users have the same password on social media sites and web-based public e-mail systems.

My first impression is …. so? Those are low-value assets, and users choose convenience over security because their (correctly) think that “well, if someone hacks any or all of these accounts, I really don’t care much about it.”

Just because we *can* make things secure doesn’t automatically imply that we *want* to make *everything* secure. Some things are basically sacrificial in nature.

Full disk encryption – costs and benefits

Monday, August 16th, 2010

A nice write-up about deploying full disk encryption to client devices:
computerworld.com

A couple of interesting tidbits:

  • Key recovery is key (pun intended)
  • Deployment rate seems to be about 10-25 PCs/IT staff/day. Brutal for enterprises.

A good read, in any case!