Infosec: October 2002 Archives

TCPA and Palladium Technical Analysis


This article presents a technical analysis of the TCPA hardware system and the Palladium operating system. Palladium and TCPA have been covered in some depth on Slashdot and various FAQs. Unfortunately, much of the information available from these sources is highly subjective and confusing (for example, TCPA and Palladium are presented as if they were the same thing). Reliable and objective technical information on Palladium and TCPA has been hard to come by, and the actions of Microsoft have not made obtaining such information any easier.

An interesting technical overview of how the TCPA/Palladium platform will work.  There are also some comments worth reading on this paper in a thread on Kuro5hin.

[via Kuro5hin]

"That having been said, I'm happy to announce that I'm going into the certification business. If anyone cares to send me $500 and copies of their alphanumeric passwords, I'll return to them a diploma conferring on them the title "Certified Strong Password-Using Professional" (CSPUP) that's good for four years from the date on their check or money order."

Richard Forno on the paradox of rising marketplace values of increasingly useless Info Security certifications.

[via ISN]

So here's a Cyber Security strategy that would work. It's as anti-competitive as you can get and has a snowball's chance in hell of being adopted. It's downright Machiavellian. Or, perhaps, Napoleonic:

  1. Make it illegal to sell a PC that doesn't come with a fully-licensed Antivirus product and personal firewall pre-installed on it.

  2. Standardize government Infosec products in use on a best-of-breed basis like any FORTUNE 500 company would - across all federal computers.

  3. Terminate federal employees and their supervisors if they are proven responsible for security breaches due to their negligence.

  4. Spend a few million dollars (or use some internal resources) to code a government-issue personal firewall and anti-virus product. Give it away. Standardize on it. Make it available to ISPs. Writing firewalls isn't hard. I've written two single-handedly.

  5. Establish a standard firewall configuration policy (e.g.: a site security policy) for all internet-connected federal agencies and adhere to it rigorously. 99% of the government's security problems result from incompatible policies and lax enforcement. FORTUNE 500 firms get this right; the taxpayers' employees should do no less.

So it's anti-competitive and Machiavellian. National defense always is.

Don't sweat consensus. Lead.

Marcus Ranum, the man behind SEAL (the first commercial firewall), Gauntlet (another early commercial firewall), and NFR (the first commercial intrusion detection platform), comments on the lack of teeth in Bush's Cybersecurity Plan, and offers a plan of his own.

"For some reason, Richard Clarke continues to believe that he can increase cybersecurity in this country by asking nicely. This government has tried this sort of thing again and again, and it never works. This National Strategy document isn't law, and it doesn't contain any mandates to government agencies. It has lots of recommendations. It has all sorts of processes. It has yet another list of suggested best practices. It's simply another document in my increasingly tall pile of recommendations to make everything better. (The Clinton Administration had theirs, the "National Plan for Information Systems Protection." And both the GAO and the OMB have published cyber-strategy documents.) But plans, no matter how detailed and how accurate they are, don't secure anything; action does.

And consensus doesn't secure anything. Preliminary drafts of the plan included strong words about wireless insecurity, which were removed because the wireless industry didn't want to look bad for not doing anything about it. Preliminary drafts included a suggestion that ISPs provide all their users with personal firewalls; that was taken out because ISPs didn't want to look bad for not already doing something like that.

And so on. This is what you get with a PR document. You get lots of varying input from all sorts of special interests, and you end up with a document that offends no one because it demands nothing.

The worst part of it is that some of the people involved in writing the document were high-powered, sincere security practitioners. It must have been a hard wake-up call for them to learn how things work in Washington. You can tell that a lot of thought and effort went into this document, and the fact that it was gutted at the behest of special interests is shameful...but typical."

From today's Crypto-Gram.  Bruce Schneier wasn't too impressed with Bush's Cybersecurity Plan.

"The United States Copyright Office is launching a rare round of public comment on rules that bar people from breaking through digital copy-protection technology on works such as music, movies, software or electronic books. Regulators aren't looking to change the law, but they are looking for public suggestions on what kinds of activity should be legalized in spite of the rules."

The public gets another chance to provide comment on the types of material that should be immune from the DMCA's effects.

"This time around, the office is again asking for specific examples of cases where the law's restrictions cause "actual instances of verifiable problems occurring in the marketplace." Inconvenience or "theoretical critiques" are not enough, the office warned."

NIST Computer Security DRAFT Publications


The Computer Security Division (CSD) of NIST has been quite busy lately producing a lot of surprisingly useful (for government work) papers.  You can keep tabs on their new publications through their mailing list.  Just email listproc@nist.gov with "subscribe compsecpubs FirstName LastName" in the body.  If you work in info security, you should definitely familiarize yourself with their publications.

Some of their more recent draft publications:

[Edited: I misspelled compsecpubs as comsecpubs, my bad]

"Two bills introduced this week in the House sought to redefine consumer rights in the digital era, a departure in a congressional session during which more attention has been paid to protecting copyrighted works from computer-aided piracy. "

A short review of the two "anti-DMCA" bills introduced this week (here's the text of one; the other hasn't been published online yet).  It also presents some comments from Jack Valenti who, surprisingly to me, admitted "[...] that 100 percent protection is not possible."

P.S.  I had to edit this because thomas.loc.gov sucks.  It generates all sorts of temporary links which stop working over time.

"Although some will accuse Mitnick of creating a handbook that teaches crooks how to break into organizations, the truth is that we all need to understand these con games to protect against them. To stress this point, his last two chapters contain policies, procedures, and training that companies can implement to further protect themselves. In keeping with his premise that the most damaging security penetrations are the result of deceit - not technical penetration - almost none of Mitnick's suggestions is technical in nature."

A good review by Simson Garfinkel of Kevin Mitnick's new book, "The Art of Deception".  Now I'm not big on the whole "Free Mitnick" schtick and hoo-ha - the kind of thing that leads to this sort of silliness.  Sure, his case was handled badly, but he is a crook.  However, his insights into social engineering are probably more useful than 90% of the computer security books on the market today, as he is an acknowledged master of the art.  I haven't seen the book yet, but it's on my wish list.

Bill: Copyright Power to People


On Thursday Rep. Rick Boucher (D-Va.) and Rep. John Doolittle (D-Calif.) introduced the Digital Media Consumers Rights Act to preserve specific fair-use rights to copy digital works as well as "circumvention" rights to bypass copy protections. With no chance of passage this year, the bill's introduction prepares the ground for battle in the next session of Congress.

Another bill introduced to give us digital consumers some rights and roll back a bit of the DMCA.

"Congresswoman Zoe Lofgren introduced THE DIGITAL CHOICE AND FREEDOM ACT OF 2002 and it's frighteningly well balanced. If it passes, it will groundbreakingly establish that fair use applies in the digital realm. It will allow for the development of tools to permit legitimate users to act in non-infringing ways (such as copying to a MP3 player or playing a CD on Linux)."

Looks like some folks are willing to stand up for consumers.  A good summary of this legislation, as well as a press conference being held today is available at The Register.  Also, a ZDNet story here.

Salon.com | A note from the editors


"After careful review, Salon's editors have decided to take down from our Web site an article titled "Tom White played key role in covering up Enron losses" that we published on Aug. 29. We took this unusual step because we have come to the conclusion that we can no longer stand by the story in its entirety. Though we have corroborated most of the reporting in the article, some unanswered questions remain. "

I assume this is why Scott is busy today.  I know basically nothing about journalism as an art/business, so I'll let others comment further, but it's good to know Salon is responsible, and openly brings this issue to light on the front page, instead of it getting buried somewhere.  This is why I've supported Salon with subscriptions and this weblog, and you should too.

If you don't, who will?

New Subtitle


When I started this weblog, I wasn't sure what I'd use it for.  I was mainly concerned with supporting Salon in any way I could to keep it around.  I subtitled it "Security, Music, and Movies" because these are three things I enjoy a lot, and figured I could comment intelligently on. 

However... I've always enjoyed talking and reading about politics, world affairs and such.  I just didn't feel a need to burden you, the weblog readers, with it.  That changed, however, when the "War on Terrorism" became the "War on Everyone With Oil."  So, now, rather than just reading the articles I used to read, I'm sharing them with all of you, along with commentary where I might have something intelligent to say (not too often thankfully ;) )  Besides, I get bored waiting for something interesting to happen in the Music/Movie/Security world ;)

As such, since I've noticed some grumbles from readers that they aren't getting what was advertised, I've changed my subtitle a bit.

Just in case you were wondering...

About this Archive

This page is an archive of entries in the Infosec category from October 2002.


Powered by Movable Type 4.01