Excerpt from a dialogue I overheard:
– Why do you care if something happens to the machines? They are insured and you will get new ones!
Some people need to learn to distinguish the concepts of safety, security and insurance.
It has been 20 years since the Morris Worm hit the Internet. David Alan Grier writes:
“Even though Morris had violated the network community’s standards, he found a fair amount of sympathy among his peers. ‘I don’t know of too many who want to see this kid rot away for the next few decades in a jail,’ commented one computer scientist. The researchers acknowledged Morris as one of their own, an individual who had demonstrated bad judgment and seemed to be aware of his error.”
and some lines below he observes:
“De Guzman found no sympathy from computer scientists, business students, or the computer industry. Even though he made a few statements about the freedom of the Internet, these ideas found no sympathetic ears in the US. Most network users were disappointed when de Guzman did not have to face prosecution on charges of disrupting the Internet.”
It only took ten years for the suits to take over the Internet and (with the help of spammers, virus writers and botnet herders) to change our mindset on people’s mistakes. Then again, Morris took down a research network, while De Guzman’s pet was released on a commercial platform…
Fresh from my INBOX:
The National Security Agency has released a case study showing how to cost-effectively develop code with zero defects. If adopted widely, the practices advocated in the case study could help make commercial software programs more reliable and less vulnerable to attack, the researchers of the project conclude.
The case study is the write-up of an NSA-funded project carried out by the U.K.-based Praxis High Integrity Systems and Spre Inc. NSA commissioned the project, which involved writing code for an access control system, to demonstrate high-assurance software engineering.
With NSA’s approval, Praxis has posted the project materials, such as requirements, security target, specifications, designs and proofs.
The code itself, called Tokeneer, has also been made freely available.
More on the Tokeneer project here.
Update: dds offers constructive criticism on the project’s source code after reviewing a single file!
[via Interesting-People]
When I bought Applied Cryptography, ITAR was still in force, that strange law that prohibited the export of cryptographic software from the USA because it was considered a weapon, but not if it was code printed on paper(!), which is what allowed the book to circulate outside the USA as well.
[ In those years, for example, RSA had developed a package called RSAREF, which was not allowed to circulate outside the USA because of ITAR. For this reason the API-compatible package called RSAEURO had been developed. ]
This book kept alive a minimal interest of mine in Mathematics, something the professors of the General Department (today’s SEMFE) had failed to do for years. No, I did not read all of it, nor did I become a cryptographer. The book is an excellent reference (even if it lacks, e.g., AES), but there was a period when I read it page by page and got as far as chapter 14 (GOST). This is a useful exercise, because people usually approach cryptographic software either as a cryptographer (“I understand what it does”) or as a non-cryptographer (“there are some people who understand what it does, so it must be good”). At least I learned to ask the right questions and what to look for in the parts I do not understand.
[ For anyone interested in reading why engaging with theory matters, even as a break after years of “real” work, I refer you to this post by Mark Burgess. ]
So when I was looking at Schneier’s site in May, I was very glad that he was offering the book’s code on CD-ROM for US $40. I ordered it immediately.
Originally this post was going to be a rant at Schneier, but on Friday the CD was waiting for me at home.
Interesting stuff from “How Sarah got her hack on”:
“The reason that Gov. Palin was using Yahoo mail to begin is probably because she found it inconvenient using the VPN software to logon to her office e-mail. We see that a lot in business: people use private e-mail services like Yahoo and Gmail to carry out corporate activities because they are annoyed with how their own computer staff have things set up. Yet, your computer people set things up this way precisely because there are obvious things that hackers can do to break into your data”
By now most of the media has covered the attack over at CERN by the Greek Security Team. Ethics aside, it is an impressive hit (and carries a most interesting manifesto, which I believe only a few besides the actual recipients can actually understand). However, the preamble of this post by Thanasis K. got me thinking:
Suppose that you are an organization that runs the most high profile experiment on the planet. Add to that the fact that you distribute information “live” via the Internet. You know that you are begging to be attacked!
Even if you do not anticipate the attack, I think the security research community should. Which means that at least some research groups should have approached CERN in order to develop at least a honeypot (among other methods?) to observe behavior and attack patterns (and even defacement news propagation before it is captured by the media – now that could be a nice SNA dataset). Has this been the case? I do not know. Could it be? I think so. After all, this has not proved to be a PR disaster.
The above scenario being real or not, this is the most impressive defacement I have seen in years.
17 years or so after the MD5 hash algorithm was designed, Ron Rivest and a team of researchers presented the MD6 hash in CRYPTO 2008 (56 slides in .ppt). Highly interesting presentation, especially on what has changed all these years and nice animations showing how the hash works. I really liked that they say that since even the smallest computer has at least 1KB of RAM, MD6 uses 512 bytes (bytes not bits) for message block size.
Related: MD6 Withdrawn from SHA-3 Competition.
[via cryptography]
From “Social Network Analysis and Cyber Warfare: An Open Source Project“:
“We’ll be looking not only at network data involved in past cyber warfare attacks (Chechnya, Estonia, and Georgia), but incorporating semantic analysis of Russian hacker blogs in an effort to uncover connections that may not be readily apparent. If this model proves efficacious, we’ll launch a second effort examining Chinese cyber warfare/espionage activities.”
Given the fact that it is not entirely clear whether the cyberwar between Russia and Georgia was the result of a cyberwarfare capability or a civilian effort triggered by the non-cyberspace warfare and nationalistic reflexes, this sounds like a very interesting (and, one may think, dangerous) project for people with a strong background in both graph theory (and its use in sociometrics) and network data analysis. I suppose that people at the “proper places” have already deployed resources on this issue, but it is always interesting to openly read about such efforts.
Some serious questions do arise, though.
[I have to make time and read “Unrestricted Warfare“]
[via SOCNET]
Privacy Awareness Week 2008: 24th August – 30th August
Privacy Awareness Week is an annual promotion by the Asia Pacific Privacy Authorities (APPA) group. APPA members participating in PAW 2008 are: Australia (including New South Wales, Victoria and the Northern Territory), Canada (including British Columbia), Hong Kong and New Zealand.
The week is an opportunity for governments, business and individuals to promote privacy awareness.
I can only hope that we see similar initiatives in the EU region.
[via IAMEMS]