Security :
Updated: 8/6/2002; 12:42:23 AM.

 

Note: Jon's Radio has moved to InfoWorld

Friday, August 02, 2002

Homeland Insecurity

The September issue of the Atlantic Monthly has a remarkable special report called Homeland Insecurity (not yet excerpted online). It features none other than Bruce Schneier. I am delighted to see Schneier's philosophical transformation -- from crypto-infatuated fortress builder to pragmatic watchguard -- detailed in a mainstream magazine. People who would never have read Secrets and Lies will read this excellent article, and I hope will ponder Schneier's message:

- Security technologies are brittle
- When they fail, they fail catastrophically
- Human judgment needs to govern the security process

The article concludes with a description of Counterpane's command center:

Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgement, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.

Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.

 

5:58:44 PM    


Tuesday, July 23, 2002

OASIS and WS-Security

Under the OASIS umbrella, more folks are linking arms to support WS-Security:

The OASIS standards consortium has organized a new technical committee to advance the WS-Security specification. WS-Security provides a foundation for secure Web services, laying the groundwork for higher-level facilities such as federation, policy, and trust. Through the open OASIS process, providers and users will come together to extend the functionality of WS-Security, which was originally published by IBM, Microsoft, and Verisign. [OASIS]

I plan to attend a forum ("co-sponsored by OASIS and W3C") in Boston on Aug 26 to hear more about this. The picture is still quite fuzzy, frankly, but it does appear we're in a market-making let's-all-work-together phase.

PS: Maybe that shouldn't be surprising. According to today's NY Times, we are wired to cooperate, and doing so lights up the pleasure centers of the brain.

 

10:43:41 AM    


Tuesday, July 02, 2002

Web services security and XML pixie dust

It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up.

When I look at the proposed standards, though, I see a bunch of familiar stuff. Name/password authentication, Kerberos, access control lists, PKI certificates, signing, encryption. All this has been part of the web forever, though admittedly PKI and Kerberos haven't really gotten over the activation threshold.

I don't think it's a bad idea to wrap XML around this stuff. But I'm not convinced that will solve the hard problem. What's hard is that security technologies are just a royal pain in the ass to deal with. I was sure, for example, that client certificates would be widespread by 1997 as a mode of authentication to websites, and as a single sign-on solution. Today I'm one of a handful of people who have ever bothered to acquire a client cert.

Are we just trying to XMLize Kerberos and PKI and ACLs because we hope the magic pixie dust of XML will make the pain go away?

11:14:48 AM    


Tuesday, June 18, 2002

Triangulating on k-logging for homeland security

Hey, this was top news in my own magazine. Cool!

Knowledge management offers hope for homeland security. Technology to facilitate people-based networks [InfoWorld: Top News]

Triangulation. Gotta love it. 

12:57:27 PM    


Wednesday, June 12, 2002

Blogging and homeland security: connecting the dots

Sunday's New York Times featured a disturbing story on the IT culture clash between Google and the FBI:

Data is compartmentalized so that case information compiled in Phoenix might not be accessible to agents in Minneapolis, and retrieval of the full text of case reports is not possible. Devised for the quick retrieval of the names of known suspects, the network can be searched for terms like "aviation" or "schools," but not "aviation schools" -- in other words, precisely the kinds of phrases that may have made it easier for law enforcement agents to connect the dots and discern the patterns of activity leading up to Sept. 11 attacks.

Mr. Schmidt of Google said that government had characteristically been slower than industry to adopt new information technology and to link its multitudinous information networks. This leads to a condition that the industry calls "stovepiped" information, which means that data is warehoused in separate, unconnected silos. That is partly by design, Mr. Schmidt said, as a precaution against wandering hackers. "They don't want a network interloper to come in and do a lot of damage to other computers." [New York Times]

I'm sure it's true, though no-one can come out and say so, that the FBI are among Google's most intense users. I hope a private network of weblogs will be the next step. Valdis Krebs has a new paper that suggests how social network mapping can be used to thwart terrorists. He writes:

To gather the data for mapping these networks, individually and as a group, requires much cooperation between departments, agencies and countries. This requires vertical, horizontal, and diagonal links between all of the investigators on the case -- in other words, our network needs to be as good as or better than the enemy's! [Valdis Krebs]

Maybe I've just got blogs on the brain. But like all stovepiped IT organizations, the FBI's will not be rebuilt anytime soon. The way forward is a human awareness network layered on top of those stovepipes and connecting them.

Such an overlay network needn't, of course, intersect with public blogspace. But purely internal use of existing low-tech weblog software could reproduce the same effect: a knowledge network with human routers. Would it be perfectly secure? Of course not. But in the end, what's the greater risk? That the enemy might discover we had connected the dots and have to change its plans? Or that we have no hope of connecting the dots at all?

8:19:47 AM    


Saturday, May 18, 2002

Managing credentials with Counterpane's Password Safe

Seeing Bruce Schneier at ETCON reminded me that I've been meaning to mention Password Safe, a really simple and useful tool available for free from Schneier's company, Counterpane Labs. It's a GUI app you use to securely maintain a database of passwords.

The version I'm using, 1.7, runs on Windows. Version 2, an open source project, is apparently still Windows-only, though I guess this could change.

I've been holding my breath for a long time waiting for single sign-on. After a while I started turning blue, and writing down passwords, which felt incredibly stupid but was unavoidable. Password Safe makes that necessary evil feel a lot less stupid.

The database is Blowfish-encrypted. Each entry has a title (e.g., "Amazon"), a name, a password, and a comments field which I find quite important for recording the context of a given credential (e.g. "3rd sample user for test system version 5"). Copying a username or password to the clipboard, for subsequent pasting into an authentication dialog, is easy. There are some thoughtful details: you can have the app clear the clipboard when it's minimized, and it won't ever display any passwords on the screen unless you override a default.

The whole kit -- executable, data file, and help file -- amounts to under 400K, and since there are no registry dependencies it can easily be moved back and forth between your desktop and laptop.

Nothing earthshaking about this. Just a simple and practical tool, from the most pragmatic security pro in the business.

3:50:56 PM    


Wednesday, May 15, 2002

Security, insurance, and hard realities

Here are some notes from Bruce Schneier's talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues, because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime.

I'm sure he is right. If we change the economic incentives governing security practices, like we've done in the case of environmental protection, then there will be change. Otherwise not.

Suddenly a company choosing an operating system gets handed two insurance policies -- here's what it costs if you use Linux, here's the policy for Microsoft. The math gets much more interesting now. Security will improve because the CEO will now care.

This has disturbing implications for small software companies. Is there another way? He doesn't see one.

 

8:23:52 PM    

PKI: no silver bullet, but not worthless either

John Robb's comment -- certification isn't worth doody -- overstates the case. Despite exploitable flaws in the PKI/SSL infrastructure, I would rather transact business with a company that has identified itself to some third party than with a company that hasn't.

I'd also much prefer to transact business with individuals who take the trouble to identify themselves to some third party. The assurance offered by my Thawte freemail cert, while minimal, is far more than what's available in typical email discourse.

Just because PKI has been oversold doesn't mean it should be underestimated. Groove shows us just how seamless the exchange of trust can be for users. Although it presumes a PGP-like model, it was built to be -- and in version 2.0 has become -- a system that works with enterprise and cross-enterprise PKI-based trust. The issues addressed by PKI aren't going away, and the technologies woven into PKI will play out in our lives one way or another.

 

 

2:35:08 AM    


© Copyright 2002 Jon Udell.
