You are here

policy

The Internet "Kill Switch" is Nonsense

ARE THEY KIDDING ME? DON'T THEY HAVE ANY REMOTELY INTELLIGENT ADVISORS IN THE WHITE HOUSE THESE DAYS? I THOUGHT PRESIDENT OBAMA WAS TECH SAVVY!

Okay, I got that off my chest. [see later post]

For those who came late to the party, here's how to think of the "Internet Kill Switch." Substitute "Internet" for any of these:

  • National highway system
  • National airspace
  • Nationwide broadcast system
  • Starbucks
You can't have an "Internet Kill Switch" for the same reason you can't have a "Starbucks Kill Switch." The things being controlled are thoroughly distributed and they operate independently.

Yes, the President can always declare a "Starbucks Emergency" and demand shutdown of all Starbucks (and Caribou and Dunn Brothers and other caffiene chains, to be fair). But there's no real control over such things. Someone won't get the word, or they'll ignore it.

Wordpress tag: 
Post category: 

The challenge of employee monitoring

Tam Harbert has posted a fairly even-handed discussion of employee monitoring in Computerworld. This is a difficult topic to address, since it treads on the fine line between employee privacy and a company's obligation to ensure efficient use of their resources. When Secure Computing bought Webster Webtrack, a web filtering product, back in the 1990s, the developers said that they'd see drops of 70% in web traffic when users knew they were being monitored.

It's a well known fact - people are more likely to behave if they think they're being watched. And it's easy to waste time surfing the web.

Post category: 

9-year-old hacks the school superintendent

Jeremy Epstein reported this terrific report to Peter Neumann's Risks List: a school kid logged in as superintendent of schools. This was in Fairfax County, where I grew up. They use Blackboard, just like the college where I teach.

And yes, we're talking about a nine-year-old. It turned out to be a security policy problem. A teacher can add a student to a class, and a teacher has the power to change a student's password.

The kid found out his teacher's Blackboard password. They don't say how in the news, but it may have been written on a post-it, or some other piece of paper, or it may be the same as a password the kid watched the teacher use somewhere else, or it could just be an easy-to-guess choice.

Wordpress tag: 
Post category: 

Security Versus Compliance: Old Guard Versus Digital Natives?

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs - you can't do much retail work unless you take credit cards - so it's hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don't make a special effort to protect company-specific assets.

Kapersky Labs posted a reasonable summary of the report.

Slashdot's title writers dramatically misread the report, summarizing it under the title "Compliance is Wasted Money." I tend to think of Slashdot as being edgy in a digital native sort of way, so I'm surprised they spun it that way.

I think the report reflects two things. First, companies don't want to spend money to assess their losses from leaked company data, unless they're already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don't want to collect such information: bad news makes management look bad, and there's no countervailing data to show a measurable benefit to being a more open company.

Post category: 

RockYou and Password Choices

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation stuff - using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.

Post category: 

Bring-Your-Own-Computer

Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees' personal laptops. My security-wonk-alarm went off when I read this, but I'm thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car.

Wordpress tag: 
Post category: 

When is public data non-public?

If it's public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.

Post category: 

Thought provoking polemic on copyright

Apparently someone in the UK has proposed a sort of "three strikes" law - if your household is accused by a copyright holder of illegal downloading multiple times, then the holder can demand removal of the househ0ld's Internet connection.

Cory Doctorow, the author, wrote a polemic about how this reflects on the big media firms it tries to help.

He notes how copyright owners now use "takedown notices" as an extrajudicial form of censorship.

Managing Your Passwords

In 2009, another blogger posted an article on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.

Post category: 

Crypto bypass on the iPhone 3GS

Cousin Jon sent me this Wired link: how to bypass iPhone's 3GS encryption using jailbreaking tools. I haven't paid serious attention to the iPhone (AT&T hasn't had a strong signal in my town) but crypto bypass always gets my attention.

In fact, the weakness has nothing to do with protecting personal information on an iPhone. It's all about third parties: Apple, the cell provider, and possibly an employer who provides/manages the iPhone.

If you're not troubled by being limited to the iPhone Apps Store, then the threat's relatively small, especially compared to desktop systems. Moreover, I doubt we'll see real iPhone viruses as long as most people are happy with Apple's app restrictions.

Post category: 

Pages

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer