You are here

Security

Observations on information security.

Best New Security Technology

A while back, Popular Science asked me to identify the Best New Security Technology. At the time I simply couldn't think of anything, and they've long since published their issue filled with Best New ____ Technology.

I finally thought of something - self-encrypting mass storage. This can be anything from an encrypting USB drive - the IronKey if you like theatrics - to a self-encrypting hard drive like Seagate's Momentus line of laptop drives.

While I also rely heavily on software drive encryption (TrueCrypt) I wish that all my hard drives had full disk encryption (FDE). If all drives had FDE, I could recycle drives (i.e. give them to my kids) just by erasing the key. Instead, I have to hook each drive up to an idle machine for a day or so to run a wiping process.

So FDE isn't just for security paranoids and folks hogtied by compliance regulations. They're useful for everyone. That is, assuming that the vendors make it easy to use them.

Post category: 

Security Through Obscurity

Kodak is offering the Easyshare Wireless Picture Frame, which uses a wireless Internet connection to select and display its content.

According to a blog post by Casey Halverson, the wireless picture frame contents comes from a findable URL. It wouldn't take a lot of technology to build software to search for the contents of other random picture frames.

This poses an interesting question: when is Security Through Obscurity (STO) good enough to protect privacy? This is one of those technical weaknesses that professionals like to talk about, but lots of people won't understand. This can play out in one of several ways:

  • The product becomes popular, and it takes years for the security problems to bother the user community. This is what happened with analog cell phones.
  • The product's security problems become an issue that interferes with its marketplace success. This is what happened with early Web sites. Netscape solved the problem by introducing SSL encryption.
  • The product fails for other reasons.
Wordpress tag: 
Post category: 

Napolitano Blows It

Janet Napolitano has flubbed her first major event as Secretary of Homeland Security. First, she incorrectly claims that the bomber thwarted on Christmas Day was not on any of the screening lists. Someone manages to correct her, and then today she claims this is a "failure" of the US security system.

She still gets it wrong. The bomber boarded a plane in Nigeria and changed planes in Amsterdam. How are new - and more extreme - physical screening measures in the US going to reduce the risk of a poorly-screened passenger from overseas?

No matter how carefully we screen Grandma when she gets on the flight in Duluth, it's not going to catch a poorly-screened bomber in Lagos.

Wordpress tag: 
Post category: 

Blaze visits the Titan Missile Museum

Matt Blaze has posted a blog entry following a visit to the Titan Missile Museum that's just south of Tucson, Arizona. It's a well written summary of the place.

Blaze talks a bit about Titan, PALs, and the "butterfly switch;" mechanisms intended to prevent an unauthorized launch. The Titan system didn't have PALs. The butterfly switch, also known as the "Coded Switch System" (CSS), authorizes the launch. PALs were first required on overseas nukes starting in 1962. Titans were never overseas, and the system was already under construction in the continental US by the time the PAL idea arose.

Wordpress tag: 

A crashed off-site RAID drive

Here are some more observations on using RAID on the Mac OS X, particularly in terms of off-site storage, terminology, and upgrading. Here is a photo of my former off-site hard drive:

WD 7500 with the case opened

It's been sitting in an office desk drawer for a couple of months, and the time came to cycle it back into the RAID set. But when I tried to spin it up, I was greeted by a disappointing rattle, and the drive didn't come on-line. The drive, a WD 7500 AAKS, was 14 months old when it died. In the photo above, I've removed the case cover in preparation for an autopsy.

Wordpress tag: 
Post category: 

Computers and Health Care

David Himmelstein of Cambridge Hospital and Harvard Med School (with co-authors) recently published a paper on the effect of computerization of hospitals.

The results, as Computerworld put it: Computers don't save hospitals money.

Excellian Logo

This makes sense, especially when you look at the study. They focused on data collected reported by individual hospitals nationwide between 2003 and 2007. Computerization, especially at the clinical level, is incredibly disruptive. Thus, the efficiencies aren't likely to arise soon.

Pragmatic Security: the history of the Visa card

I've been looking at the evolution of electronic funds transfer (EFT) and payment systems recently. My research uncovered a gem: about two years ago, David Stearns completed a dissertation that looks at the early evolution of the Visa card (originally "Bank Americard") in the context of other evolving electronic payment systems. Stearns' work is both readable and filled with interesting information.

Old BankAmericard logo

What I find most fascinating is that the card systems followed the same security trajectory as cell phones. The first cards, like the early analog cell phones, were  vulnerable to fraud. In fact, the cards were absurdly vulnerable to fraud.

However, the promoters believed that the long term benefits of electronic cash were worth the risks. They also assumed without evidence that they could fix the fraud problems eventually.

Wordpress tag: 

Web Monetization

Here's a recent posting on "how the web makes money," focusing on the on-line gaming community.

The bottom line: successful game sites rely too much on questionable vendors. Game players like to acquire game currency to improve their experience, especially as new players. They can often either buy game money or they can "earn" it by clicking allegedly "free" links. These sometimes give them game currency for free, but too-often involve scams.

While this Cryptosmith site pays for itself through consulting leads, I've always been interested in  more direct methods (described here). I think it's fair to collect a commission if I directly encourage someone to buy something, and I gave them the link to buy it. The jury is still out on whether this is worth the effort of constructing the links. I'm also curious as to whether this opens me up to various forms of fraud.

LinkShare  Referral  Prg

When I do provide links with commissions, I limit myself to links that I might use myself. I hope that that provides adequate quality control for my visitors.

Wordpress tag: 
Post category: 

Vendor Linking

On occasion this web site refers to things available for sale. This includes books I've written, equipment I own, and things I know about.
Taxonomy upgrade extras: 

When is public data non-public?

If it's public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.

Post category: 

Pages

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer