

Observations on information security.

RAID and Backups

A recent Handler's Log on the SANS Internet Storm Center spoke of the recent demise of an early blog site called "Journalspace." Evidently their disaster recovery strategy consisted of maintaining a mirrored RAID system.

I've written quite a bit about how mirrored RAID is a fundamental part of my disaster recovery strategy. However, the Journalspace people apparently skipped an essential step: they relied solely on their on-line data and didn't keep an off-line (preferably off-site) backup.


Great talk on economics of distributed system security

Gunnar Peterson from here in St. Paul gave an interesting keynote at the "Quality of Protection" conference, called The Economics of Finding and Fixing Vulnerabilities in Distributed Systems. Gunnar also posted it on his blog.

His remarks talk very intelligently about information security investment and the challenge of improving security in exchange for money spent.


Recovering with Time Machine

Two things about my computer use over the past decade: 1) I've been moving all of our family mementos (mementi?) to digital form, and 2) I've become a total klutz about mass storage. A disaster in the making? Almost, but not quite. I've spoken earlier about using RAID on my Mac Pro, and now I'm using RAID with my Time Machine storage. I use my drive swapping trick to create backups, and keep the backup off-site.

While performing the drive swap, I managed to smash my working OS X system partition. Thus, I got to experience first-hand the process of recovering my system from my Time Machine backup. Here's the report.

[UPDATE: Since the original posting, I've found more brittleness in the restored Aperture directory and I've been negotiating a truce between Paragon's NTFS and my NTFS-formatted portable USB drive. Sides are still not quite on speaking terms.]


Setting file permissions

I've been working on tutorial material to explain file permission settings in general. This seems to be a topic that most textbook authors avoid like the plague.

Today, I was googling about file permissions and I found this blog entry at about the sad usability state of file permission setting functions in Windows and OS X. The author mentions some research at CMU on the usability of file permissions, and highlights several of the pitfalls in the Windows XP interface.


Professor Accused of Hacking Into Student E-Mail Account

This story, from a blog of the Chronicle of Higher Education, has a professor sleeping with a student and hacking into her e-mail. It is interesting on several levels: it happened at the University of St. Thomas where I teach, it involves computer hacking, and it's a classic 'inside job.'

According to news reports, the student (27) was induced by the professor (35) to open an e-mail attachment which installed a sniffer in her computer. He then used the sniffer to eavesdrop on her e-mail.


Interesting Summary of Data Breaches

Verizon's security blog has published a summary report of data breaches investigated by their security team. The report covers 500 security breaches they investigated between 2004 and 2007. There are a lot of graphs and tables summarizing threats and impacts.

The authors sensibly point out that this is based on a limited sample, but it's great to see this sort of report.


Computers don't work when you lie to them

Here is a terrific (but depressing) article by Saul Hansell explaining how the Wall Street meltdown was fueled by feeding nonsense to the risk management systems in the big investment houses.

The systems did not have models of those weird derivative instruments being traded, so traders would say they were trading a generic (safe, well-understood) loan instrument. So the systems did not really model the risk.

I find this really heartbreaking. I have to believe some people behind the scenes knew what was going on, and I can imagine them losing the argument with their bosses when they tried to fix things.


Revising OpenID for WordPress

Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well - I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities.

SSL with WordPress 2.6

This is more of a reminder to myself - you can enable SSL on WordPress, but it's essentially an undocumented feature. This afternoon all I could find was a forum posting on enabling SSL.

There doesn't seem to be genuine documentation on it in the Codex, at least, not documentation that pops out when you do a search.


Easily Reset Passwords and OpenID

It's no surprise that someone managed to reset Sarah Palin's password on a freebie e-mail account.  She's a public figure and the answers to her so-called "security questions" are on the public record. It's one thing to do personal and political e-mail on a Yahoo account but it's DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large scale vendors like Yahoo and Google can't help but do a bad job at authentication. This is why OpenID poses such promise - it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.


