Saturday, May 29, 2010

The half-life of a YouTube video is 6 Days

A very interesting chart from Business Insider which shows that a YouTube video gets half its views in the first 6 days of it being published, down from 14 days in 2008. By way of comparison, computer vulnerabilities have a half-life closer to 30 days, meaning that our video attention span is much shorter than our patching cycles.

The data is provided by TubeMogul.

Thursday, May 27, 2010

An advance in Encrypted Search

I recently posted in The Search for Encrypted Search an overview of the breakthrough last year made by Craig Gentry of IBM to search data while it is in encrypted form. The breakthrough was largely theoretical since the required computational overhead to support encrypted search is huge, which for example would increase the time for a Google search by roughly a factor of a trillion.

In such cases, it is always an open question as to whether the breakthrough will stand as an unimprovable milestone, or be the beginning of a series of improvements towards a practical solution. We now have the first evidence that we are dealing with the latter case for encrypted search.

A press release from the University of Bristol in the UK reports that

Nigel Smart, Professor of Cryptology in the Department of Computer Science at the University of Bristol, will present a paper in Paris this week [Friday 28 May], which makes a step towards a fully practical system to compute on encrypted data. The work could have wide ranging impact on areas as diverse as database access, electronic auctions and electronic voting.

Professor Smart said: “We will present a major improvement on a recent encryption scheme invented by IBM in 2009.”

“Our scheme allows for computations to be performed on encrypted data, so it may eventually allow for the creation of systems in which you can store data remotely in a secure manner and still be able to access it.”

Together with Frederik Vercauteren, from the Katholieke Universiteit Leuven in Belgium, Smart has simplified Gentry’s scheme so that it becomes more practical - not totally so, but an improvement. More information should be available after the paper is published.

Wednesday, May 26, 2010

A look back at posts in May 2009

This time last year I made some of my favourite posts. First I celebrated that I had reached about 1,000 visits and 2,000 page views a month, and now I am about double that.

Rethinking Thresholds for Account Lockouts was a simple post asking if the three-strikes-you’re-out password policy makes sense. I posted Password Roundup #2, and reviewed the Qualys study The Half-life of Vulnerabilities is still 30 Days.

I also developed some thoughts why web app bugs don’t get fixed in The $28,000 Question: Project vs. Production Risk, after Jeremiah Grossman estimated that 28,000 well-spent dollars could fix the bugs at many sites.

On the crypto side I broke some news about The cost of SHA-1 collisions reduced to 2^{52}, and took a look at AES-256 and Reputational Risk. The AES post is now on the first page of a Google search for “aes 256” and has brought a steady flow of visits since last May, 1346 in total. I also asked if anyone could verify that the Total Internet computational power = 2^{85} operations, a statement I read in an ECRYPT report. I ended up contacting the authors and nope, no one knows where it came from. Sounds possible though.

I also posted The Sub-Time Crisis in Web 2.0, my thoughts on information overload in Web 2.0. I only used half the text I typed in from my written notes.

How To Password Protect Your Pen Drive

A nice how-to article on protecting USB drives with a password and encryption using Windows Vista or 7 and Bitlocker.

Do you carry sensitive data in your pen drive? Then you should carefully keep your pen drive. Oh! You mean you are not that careful too. Then I would suggest that you should password protect your pen drive. Yes folks, you can do this by a simple method. This is an added advantage to Windows Vista and Windows 7 users that they can easily password protect their pen drives with the help of BitLocker Drive Encryption. It's an inbuilt feature of both of these operating systems.




iPhone, iPad, iBoard, iMat

This is just great.

Shark Fin Posts

I have been making daily posts this month, partly to see what people read on a given day, and what they keep on reading. Quite a few of the posts turn out to have a hit graph that looks like a shark fin. Here is the one for What is the LINPACK rating of Conficker?


What the graph shows is that there are no hits before the post is published (of course!), then a spike when it first appears and for a few days after, ending in just a few hits by a week later or so. After that it’s up to Google, industrious visitors or self-referential posting to raise the hits again.

Google could help enforce new German wireless protection law

A German court has ruled that home users are responsible for creating password-protected home wireless networks, and failing to do so could result in a fine of 100 euros. The ruling stems from a case where a musician sued the owner of a home WiFi network for illegally downloading his music, but since the network owner was away on holiday, the open network was being used by another third party.

The maximum fine of 100 euros (or about $120) is about the same as a hefty speeding ticket, and with 26 million WiFi enabled German households, that could add up. All those Google Street View spycars could help out with enforcement of the law, since they have been collecting wireless information anyway.



Tuesday, May 25, 2010

Whit Diffie does the Can Can

In Not so sunny for Whit Diffie I briefly posted on his unexpected exit from Sun soon after their acquisition by Oracle, and on his taking up a visiting academic position in the UK. Computerworld recently reported that Diffie has now landed a new position as vice president at ICANN, managing the security of their networks.

It seems he was just a bit too late to give his blessing to the recent commissioning of DNSSEC on each of the 13 authoritative name servers of the Internet. However there will be a formal key ceremony in June which may require a cryptographic high priest, or he may yet bag one of the coveted 14 crypto officer roles, to whom key recovery shares will be entrusted.

He also does a good impression of Gandalf the Brown.


Monday, May 24, 2010

Security Bloggers Network under attack?

Update: This is a hoax mail leading to a rogue site, so please don't click it. Check out the Lijit blog for details (via Alan).

Just got this from Lijit, the hosting firm for SBN


Facebook juggernauts towards 500 million users

It has been observed that, based on linear projections of current sign-up rates, Facebook will pass the 500 million user milestone by the end of June. Using population data published by the CIA, we will therefore soon have the situation where only China and India as countries will have more people than Facebook (1.33 and 1.56 billion respectively). Projecting further, Facebook will have twice as many people as the US by year end (around 600 million), and approximately a billion dollars in revenue as well.

It remains to be seen whether the current privacy backlash against Facebook introduces unpleasant non-linearities into these projections. A recent informal poll taken by Graham Cluley of Sophos, found that almost two thirds of the 1588 respondents are considering leaving Facebook. If we round up the respondents to an even 1600, and noting that Facebook has more than 320 million users currently, the survey represents a sample of less than 0.0005% of all users (that’s just 5% of 1% of 1% of the total). Even so, PC World has reported the survey under the headline Study: 60 Percent of Facebook Users Mulling to Quit which, I hope you will agree, is a bit grandiose. This is an example of how the non-linearities of reputational risk start accruing against a company with widespread and sustained bad press - and more will follow.

Privacy may yet be the Black Swan of Facebook.

Sunday, May 23, 2010

Password Strength Infographic

Interesting password graphic from CXO. I am not quite sure what the people axis is meant to show, or exactly what social class is represented by a Douche. In any case, the examples were verified by Google’s password strength meter, and give a good visual of the password spectrum (click to enlarge).


Saturday, May 22, 2010

Y2Gay: gay marriage from the database perspective

This is a quite interesting post which the author describes as a “stream of consciousness about equal parts nuptial rights and Structured Query Language”. The author is actually taking a serious look at how to redesign your database to accommodate gay (same sex) marriages, with quite a few amusing digressions. After outlining 14 detailed steps to follow for the transformation, the conclusion is that
Perhaps the simplest solution would be to ban marriage outright. Or, better yet, to declare everybody as married to everybody else. But then what would the database engineers do all day?
There are 145 comments as well.

Friday, May 21, 2010

Why have there been so many Natural Catastrophes of late?

The Freakonomics blog reports that Foreign Policy magazine has responded to concerns that we are living in particularly harrowing times, experiencing more than our share of natural disasters. But FP reports that we are not. What we actually have is a heightened awareness that these events are occurring, thanks to rapid and prolonged media coverage.

Based on U.S. Geological Survey records dating back to 1900, the Earth experiences 16 major earthquakes per year on average, where a major quake is one whose magnitude is 7.0 or more. There were only 6 major quakes in 1986 but 32 in 1943. And this year? 6 so far, so we might be headed for an above average year, but not an extreme year. However there is an increase in the loss of life from earthquakes (650,000 people last decade) due to the expansion of urban sites into fault zones. This is another factor which increases media coverage of these tragedies.

Thursday, May 20, 2010

Conficker, RSA and RC4

I was reading the excellent paper An Analysis of Conficker's Logic and Rendezvous Points from SRI and was surprised to learn that Conficker botnet updates are distributed at its rendezvous points as encrypted and signed binaries using RC4 and RSA (the “R” in both cases here stands for Ron Rivest). Both the A and B variants of Conficker use these checks to ensure that the updates have been created by the Conficker authors – just like any other software vendor issuing updates and patches. The paper depicts the update process as follows


So each Conficker client carries an RSA public key E for signature verification. A Windows binary file F is encrypted and signed as follows
  • Hash F to produce a 512-bit hash M
  • Encrypt F with RC4 using M as the key
  • Sign M using private key D
A Conficker client authenticates the encrypted binary as follows
  • Using the embedded public key E, compute the signature verification to recover M
  • Decrypt the encrypted binary using RC4 and M as the key
  • Verify that the hash of F is in fact M
For Conficker A the RSA key is 1024 bits, and for Conficker B it is 2048 bits; both keys are listed in the paper. That’s a large public key for Conficker B but it is dwarfed by the 512-bit symmetric key used in RC4. Yes, RC4 can support such huge key sizes, and I will explain in a future post how this is possible.
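As an added illustration (my own code, written for this post; it is not from the SRI paper and not Conficker's code), here is the envelope described above in Python. SHA-512 is assumed for the 512-bit hash, since the post only says "512-bit"; the RSA key pair is generated with a plain Miller-Rabin routine; and the signature is the raw message-recovery form the description implies (recover M as S^E mod N), not a padded PKCS#1 signature. The point worth seeing is that the hash M both keys the cipher and is the only thing signed: a client holding just the public key E can verify an update but cannot produce one, and a single modified ciphertext byte fails the final hash comparison.

```python
import hashlib
import hmac
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The key schedule accepts any key of 1..256 bytes, which is
    why a 64-byte (512-bit) hash can be used directly as the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes long")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # keystream generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for generating a demonstration key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits: int = 1024, e: int = 65537):
    """Textbook RSA (n, e, d). 1024 bits matches Conficker A; B used 2048."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)      # pow(e, -1, m) needs Python 3.8+


def package_update(binary: bytes, n: int, d: int):
    """Producer side of the scheme in the post: M = H(F), C = RC4_M(F),
    S = M^d mod n. SHA-512 is an assumption; the post only says '512-bit hash'."""
    m = hashlib.sha512(binary).digest()
    ciphertext = rc4(m, binary)
    signature = pow(int.from_bytes(m, "big"), d, n)
    return ciphertext, signature


def authenticate_update(ciphertext: bytes, signature: int, n: int, e: int):
    """Client side: recover M with the public key, decrypt, and confirm that
    H(F) really is M. Returns F, or None if the update does not verify."""
    m_int = pow(signature, e, n)
    if m_int >= 1 << 512:                         # not a 64-byte value: bogus signature
        return None
    m = m_int.to_bytes(64, "big")
    binary = rc4(m, ciphertext)                   # RC4 decryption is the same operation
    if not hmac.compare_digest(hashlib.sha512(binary).digest(), m):
        return None
    return binary


if __name__ == "__main__":
    n, e, d = generate_rsa_keypair(1024)
    payload = b"MZ constructed stand-in for a Windows binary"   # constructed sample
    ct, sig = package_update(payload, n, d)
    print("genuine update verifies:", authenticate_update(ct, sig, n, e) == payload)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]     # one flipped byte breaks the hash check
    print("tampered update verifies:", authenticate_update(tampered, sig, n, e) is not None)
```

Run as a script it prints True for the genuine update and False for the tampered one. Note that because M is recovered from the signature rather than transmitted, an update signed under any other key decrypts to garbage at the RC4 step and is rejected at the hash step; that is what makes the channel a vendor-style update mechanism rather than just an obfuscated download.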

Wednesday, May 19, 2010

Phishing and scamming in the new Top Level Domains

Earlier this month saw the historic event of non-Latin domain names being introduced on the Internet by ICANN. While half the global internet population does not have a language written in the Latin script as their mother tongue, sites can now have Arabic names, for example, and eventually Chinese, Thai and Tamil ones.

The blog of security company Sûnnet Beskerming has a post which points out some security risks associated with the new non-Latin names
A risk, which isn't immediately obvious, is that this opens up a new world of opportunity for scammers and phishers to register domains that will visually appear very similar to legitimate sites in the address bar, but which will have a base address significantly different, thanks to being registered in a non-Latin script. By relying on alternate character rendering, this could cause problems for users who may not be able to determine the slight differences between otherwise similar looking characters. It also means that software and tools designed to help detect phishing or XSS attacks will have to expand their repertoire significantly to interpret and assess a much broader range of character and rendering sets.
The opportunities for typosquatting will probably multiply, and the Register recently reported this market to be worth almost half a billion dollars annually now. You can read more about this market in Measuring Typosquatting Perpetrators and Funders by Tyler Moore from Cambridge University.
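Detection tools need to "expand their repertoire", as the quote puts it, and the simplest such check is to flag a label that mixes scripts, since a legitimate internationalised name is normally written in a single script. The following is an added Python example (my own, not from Sûnnet Beskerming, the Register or the Moore paper) that decodes punycode labels with the standard library's idna codec and classifies each character by the leading word of its Unicode name. The hostnames are constructed samples: example.com, an all-Cyrillic пример.рф as a legitimate non-Latin name, and a look-alike in which one Latin letter has been replaced by CYRILLIC SMALL LETTER A (U+0430).

```python
import unicodedata

# Coarse script classification from the Unicode character name, which the
# standard library exposes. A production check would use the Unicode Script
# property and confusables data (UTS #39), but the shape of the logic is the same.
_SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                    "THAI", "TAMIL", "DEVANAGARI", "HANGUL", "HIRAGANA",
                    "KATAKANA", "CJK")


def script_of(ch: str) -> str:
    """Digits and the hyphen are script-neutral ('COMMON'); everything else is
    classified by the first word of its Unicode name, 'OTHER' if unrecognised."""
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    for prefix in _SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def analyse_hostname(hostname: str):
    """Per label: (unicode form, set of scripts used, whether more than one script)."""
    report = []
    for label in hostname.rstrip(".").split("."):
        text = decode_label(label)
        scripts = {script_of(c) for c in text} - {"COMMON"}
        report.append((text, scripts, len(scripts) > 1))
    return report


def is_mixed_script(hostname: str) -> bool:
    """True if any label of the hostname mixes scripts (a homograph warning sign)."""
    return any(mixed for _, _, mixed in analyse_hostname(hostname))


# Constructed samples: ASCII, all-Cyrillic (legitimate IDN), and a mixed-script look-alike.
SAMPLES = ["example.com", "пример.рф", "ex\u0430mple.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        punycode = host.encode("idna").decode("ascii")   # what the resolver actually sees
        print(f"{host!r:22} {punycode:28} mixed-script={is_mixed_script(punycode)}")
```

The check is deliberately run on the punycode form, because that is what a proxy log, a certificate or a mail gateway will contain; the all-Cyrillic name passes, which matters, since a filter that simply flags every xn-- label would punish exactly the users the new TLDs were created for.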

Tuesday, May 18, 2010

Two universities rethink Gmail migration plans

The University of California at Davis (UCD) and Yale University were considering moving their email systems onto Gmail, but both have put those plans on hold for the moment. The CIO of UCD, Peter Siegel, said that he was not prepared to risk the security or privacy of the school’s 30,000 faculty and staff.

Yale has delayed a more general migration to Google apps, including Gmail, citing security and privacy concerns over cloud-based management of their data. Michael Fischer, a computing professor, said that
Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company’s ability to recover lost information — but that also makes the data subject to the vagaries of foreign laws and governments, Fischer said. He added that Google was not willing to provide ITS with a list of countries to which the University’s data could be sent, but only a list of about 15 countries to which the data would not be sent.
So there is a concern that the personal data of students and faculty is being stored outside US jurisdictions. However neither UCD nor Yale ruled out migrating to Google cloud applications once there was adequate transparency for the protection of data.

Monday, May 17, 2010

10 Reasons Why Microsoft's Internet Explorer Dominance is Ending

It has been widely reported recently that Microsoft’s share of the global browser market has fallen below 60% for the first time. If this trend continues then Firefox is forecast to overtake IE by Christmas 2012. Don Reisinger at eWeek has given his reasons why IE is losing market share (and also mind share) as follows
  1. The European Union
  2. Microsoft's complacency
  3. Internet Explorer's security
  4. Rebounding from IE 6
  5. The features aren't there
  6. The Google conundrum
  7. The united fight against Microsoft
  8. The educated user
  9. No-names are actually doing well
  10. Microsoft is still lost on the Web

Sunday, May 16, 2010

Numerical Palindromes

Someone at work put up the following pattern on a whiteboard

1 x 1 = 1
11 x 11 = 121
111 x 111 = 12321
1111 x 1111 = 1234321
11111 x 11111 = 123454321
111111 x 111111 = 12345654321
1111111 x 1111111 = 1234567654321
11111111 x 11111111 = 123456787654321
111111111 x 111111111 = 12345678987654321

So squaring a number that is all 1’s gives a numerical palindrome. Why?

Well there is a nice simple visual answer
More on such patterns here.
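For those without the picture, here is the algebraic form of that answer (added here, not part of the original post). Write $R_n$ for the repunit of $n$ ones, so $R_n = \sum_{i=0}^{n-1} 10^i$. Then

$$
R_n^2 \;=\; \sum_{i=0}^{n-1}\sum_{j=0}^{n-1} 10^{i+j} \;=\; \sum_{k=0}^{2n-2} c_k\,10^k,
\qquad
c_k = \#\{(i,j): i+j=k\} =
\begin{cases}
k+1, & 0 \le k \le n-1,\\
2n-1-k, & n \le k \le 2n-2.
\end{cases}
$$

The coefficient sequence $c_0, c_1, \dots, c_{2n-2}$ is therefore $1, 2, \dots, n, \dots, 2, 1$, which is a palindrome by construction. As long as $n \le 9$ every $c_k$ is a single digit, so no carries occur and the $c_k$ are literally the decimal digits of $R_n^2$. At $n = 10$ the middle coefficient $c_9 = 10$ produces a carry and the pattern breaks: $R_{10}^2 = 1234567900987654321$, which is exactly why the whiteboard list stops at nine ones.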

Saturday, May 15, 2010

Great Security white papers and briefs from Damballa

Security provider Damballa has a great collection of white papers and briefs for download. I have listed a few below, most of which have already been uploaded to Scribd
Also don’t forget the recommendation I made on the technical overview at Compass Security, a Swiss company, about a year ago.

6 Hot And Sought-After IT Security Skills

Dark Reading has reported a short list of desirable skills in IT Security, partly because the “IT security job market is booming”. Apparently you’re quite marketable (particularly in the US) if your resume includes
  1. Incident-handling/response
  2. Compliance know-how
  3. Risk management
  4. Business acumen
  5. Government security clearance
  6. Leadership experience
Frankly, I think if you had a sufficient quantity of skill number 4 you would not be in IT Security.

Friday, May 14, 2010

Privacy degradation at Facebook

The EFF has an article on the changes to the privacy policy at Facebook over the last few years noting five significant changes (downgrades) since 2005. In short Facebook has flipped from a private social network to one where your data is largely public by default, mainly since Facebook can profit by selling this information to advertisers and business partners.

Here is the 2005 privacy language
No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.
and the April 2010 version
When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection
Quite a change. Matt McKeon has produced an interesting interactive infographic to depict privacy erosion on Facebook over the last 5 years


Thursday, May 13, 2010

1733 default vendor passwords now online

A searchable online database of 1733 default passwords for almost 400 vendors is now available, complete with a Firefox plugin. Changing default passwords is security basics, but it's not always followed. Last year an Australian student wrote a worm which compromised jailbroken iPhones with SSH installed where the default password had not been changed.

The Swan Song of Mark Curphey

About two months ago Mark Curphey (Security Buddha), in a confessional post, informed us all of his intentions to move on from IT Security, and reinvent himself 2.0-style into web technology, agile development, social software and user experience. He gave his reasons for moving on as follows
For the last few years I have grown increasingly disillusioned with the security industry to the point where after nearly two years of thinking and talking about it I have decided that it’s time for me to move on. There is a long list of frustrations and I have seriously thought about a last detailed shot over the bow with some home truths as I see them. The reality is it will probably not be productive. I had commentary about the security circus and the clowns, ring masters and performance artists that play in the big top; commentary about the lack of genuine computer science that finds its way into security; commentary about the lack of business science that is being adopted (why aren’t security people obsessed by Freakonomics?); commentary about the sad fact that for the most part we are still doing “the same old shit” 15 years after I first started (the definition of insanity is to do the same thing twice and expect a different result); commentary about the farce of PCI (and related standards) and people caring about trivial issues (easy to understand and sensationalist in nature) when looming holes that could have major impacts go unnoticed ... I could go on. People thinking they need “purple dinosaur” features in their security software because some marketing spin says so and commentary about the sheer FUD being pumped out by the marketeers. I have watched an industry spin out of control largely paying lip service to the term risk and watched sectors of it become largely irrelevant outside of their own self-fulfilling set of prophecies. When things go right no one notices (at least outside of security) and when things go wrong everyone points fingers. That’s a tough place to be impactful and remain positive.
A tough place to be impactful and remain positive. Mark’s new blog is here, and he still seems to have a few comments to make on security yet.

Wednesday, May 12, 2010

Some quotes from my first 200 posts

My 200th post was sent to the No Tricks blog yesterday, and to celebrate here are 30 or so quotes I quickly selected out of those posts.

The No Tricks Blog Name
The American basically asked "Why are you guys doing so much better than us?". The Japanese businessman is shown extending his fingers and counting off as he says "Your managers are greedy, your workers are lazy, and ...". But before he can finish even just the most obvious reasons, the American interrupts impatiently and says "I know, I know! But what's the trick?"
Excel is your new best friend
We can also stop beating ourselves up on the point that the weakness of IT Risk is the absence of data - the real weakness is poor modelling, and the decisions based on the output of such models.
Mr. Egerstad has stated that there is no security flaw with Tor - the real threat comes from user expectations that their message contents are being protected end-to-end by Tor, when in fact encryption is only applied to internal Tor network communication.
Flaws related to encryption always make good copy, and on occasion, strike at the heart of our fundamental beliefs in security. When encryption falters the whole edifice of security seems shaken.
This may seem an odd question given that since the mid 70's discussions about cryptographic keys have been mainly concerned about their potential shortness.
The Princeton team asked Nature the simple question of whether DRAM is cleared on power loss, and the simple answer is no.
A5/1 has operated unchanged for the last 21 years but it has now reached its cryptographic end-of-life, engulfed by the march of Moore's Law.
Intel's leading chip line, the x86, has steadily progressed from 286, 386, 486, Pentium and so on, but quantum computers will not be "1000-86" devices - unimaginably faster versions of what we have today.
Kaspersky has decided to make AV scanning more efficient not by making it faster but by doing less, as determined by risk-based criteria.
It is common that once the torch of enterprise risk management is kindled in the higher corporate echelons, it is passed down the ranks and settles with IT Security people to assume responsibility for the management of IT Risk. And these people are ill-equipped to do so.
Perhaps this reasoning prevailed at Adobe when they recently upgraded their document encryption scheme from AES-128 in v8 to AES-256 in v9. However Adobe later had to announce that v9 in fact offers less security against brute force attacks as compared to v8. What went wrong? They forgot about the spin.
Risk management is about making decisions today that will protect us from the uncertainty of the future. We are not looking for one in a million (the expert) but rather a million and one (the power of many).
We feel more informed, more empowered, and more enamoured with the promise of the omnipotent web. The web 2.0 narrative has worked its magic and we tacitly commit into a seemingly virtuous circle of information inflation.
Navigation and search are just for people who don't have any friends.
Disconnect from Twitter when you are receiving more than one tweet per second.
The AV blacklisting industry has reached a point of diminishing returns - the marginal value of producing additional signatures is minimal, but the underlying model can offer no more advice than to simply keep doing exactly that.
It could be said that PageRank is one part brilliance and two parts daring.
Often business has the “snappy intuitively appealing arguments without obvious problems” - plus Excel … Snappy and plausible usually wins out over lengthy, detailed and correct.
The observation here is that the security function is no longer called upon to critically underwrite the security risks of a project, with the option to reject.
Compound this disconnect between management and technical people over hundreds of thousands of projects at the corporate, national and international levels, spanning the last 30 years, and you have the disaster Ranum is describing (and lamenting).
The worst case scenario for Web 2.0 is that we are heading for a singularity, precipitated by dividing our attention into informational units effectively rated at zero content.
Imagine you posed the following question to a group of top physicists. You asked them to present you with ideas for new research projects where they could assume that the budget included all the money that we have, all the money that has ever been, and the total financial assets of the world for the next 10 million years. Would the resulting proposals be credible?

AES-256 puts cryptanalysts on the same research agenda.

So for complex decisions that potentially have the greatest impact in terms of costs and/or reputation, in exactly the circumstances where a thorough risk assessment is required, transparency rather than rigour is the order of the day.
Doctorow remarks that the surprising outcome of this process was the realisation that we are missing a well-known service for handling key escrow in an era of military grade encryption being available to home users.
I don’t really think that there is a cult in operation over Bruce Schneier, but rather a hero was found when security as an industry needed to believe in heroes.
When I look back at crypto now it seems of similar consequence to the proportions of the Sun and Antares - not merely because my professional interests have changed, but in the vast equation that constitutes ERM, crypto is a variable with minor weighting. Its gravitational force is largely exerted on specialists, and rapidly declines (much faster than the inverse square law) beyond that sphere. It's just a pixel on the football-field sized collage of ERM.
So that’s 1,000 years of computation by a cluster that would envelope the earth to a height of one metre.
There are many posts and news articles of late on the TLS Renegotiation Attack. I had hoped that just by skimming a large number of these that some process of web osmosis would magically transfer an understanding of this vulnerability to me.
In the short term (and maybe the longer term as well) Diffie sees the cloud as a matter of trust. He advises to pick your supplier like you pick your accountant.
For each of us the web is a noisy channel, which we express through the need to search, subscribe, aggregate, recommend, post, tweet – in short a great cull of what finds its way onto our screens.
And while the traits of detail, accuracy and correctness are necessary for IT activities, they are fundamentally at odds with the type of messages and opinions that senior managers are expecting.
Some articles and posts have focussed on verifying passwords in software as the culprit, which is partly true, but the real issue is not software but insecure programming of software.
Gentry has estimated that building a circuit to perform an encrypted Google search with encrypted keywords would multiply the current computing time by around 1 trillion.

Tuesday, May 11, 2010

The Tab Power Law for Firefox

Mozilla has released its 2010 Q1 analyst report on the state of the internet. The report was created to "provide a high-level view of key metrics on an ongoing basis and to share some interesting insights". Well, it's a little short at 12 well-spaced pages, and the summary bullets are not that exciting
  • Firefox’s worldwide market share hovering near 30%
  • Firefox adoption is growing most dramatically in Russia
  • People start their work day earliest in Hawaii and Wyoming; latest start to the day is in New York
  • People in South America like applying Personas (themes) to their browser; people in Antarctica love add-ons
For me the most interesting observation was the number of open tabs people work with in Firefox, as shown in the graph below.

Most people use 2 to 3 tabs, however the maximum observed value was over 600! Also, since the median is 2.9, over half the people use almost 3 or more tabs. The graph above clearly has a power law structure, and in this case, quite a long tail.

Monday, May 10, 2010

Elliptic Curves in ASCII

There is a new Internet draft on Fundamental Elliptic Curve Cryptography Algorithms by D. McGrew of Cisco and K. Igoe of the NSA. The NSA author might seem out of character for that particular 3-letter agency, but it's no secret that elliptic curves are the NSA’s preferred form of public key system over RSA. It is somewhat impressive that the authors would even attempt to write up such a complex mathematical topic using the ASCII formatting that the Internet Society has insisted on for several decades now. ASCII used to be the lowest common denominator for formatting in the 70’s, but surely now it is HTML or PDF.

Be that as it may, the document is well written and builds up elliptic curves from the basics of modular arithmetic, groups and finite fields before defining elliptic curve groups. Of course not all types of curves are examined – the document would need to be much longer than 20 pages – but it is self-contained. The section on the security of elliptic curves is quite short, however. After developing the required terminology and background, the authors focus on defining a method for elliptic curve signatures based on the work of two Japanese researchers, Koyama and Tsuruoka. This signature variant was probably chosen to avoid any intellectual property issues with more well-known methods that are heavily patented, particularly with respect to efficient implementations.
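To make the group law the draft builds up concrete, here is an added Python toy (my own code, not from the McGrew/Igoe draft) on the textbook curve y² = x³ + 2x + 2 over F_17 with generator G = (5, 1), a point of order 19. The parameters are chosen so every step can be checked by hand and are useless for security, but point_add is exactly the chord-and-tangent rule over a prime field, scalar_mult is double-and-add, and the last check is the commutativity k1·(k2·G) = k2·(k1·G) that any Diffie-Hellman style exchange on a curve relies on.

```python
# Toy elliptic-curve arithmetic over a prime field, written for this post as an
# illustration of the group law. Curve: y^2 = x^3 + a*x + b over F_p.
# The tiny parameters are a textbook example and far too small for real use.
P_MOD, A_COEF, B_COEF = 17, 2, 2
G = (5, 1)            # generator; its order on this curve is 19
INF = None            # point at infinity, the group identity


def is_on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def point_add(p1, p2):
    """Chord-and-tangent addition, covering identity, inverse and doubling cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:       # P + (-P) = INF; also doubling with y = 0
        return INF
    if p1 == p2:                                  # tangent slope for doubling
        s = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:                                         # chord slope for distinct points
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt):
    """k * pt by double-and-add, for k >= 0."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt) -> int:
    """Smallest n > 0 with n * pt = INF (brute force; fine for a toy curve)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = point_add(cur, pt)
        n += 1
    return n


if __name__ == "__main__":
    assert is_on_curve(G)
    for k in range(1, 21):
        print(f"{k:2d}G = {scalar_mult(k, G)}")   # 19G is INF, 20G wraps round to G
    print("order of G:", point_order(G))
    a, b = 7, 11                                   # two toy private scalars
    shared_a = scalar_mult(a, scalar_mult(b, G))
    shared_b = scalar_mult(b, scalar_mult(a, G))
    print("shared secrets agree:", shared_a == shared_b)
```

Working the first few multiples by hand is a good way to check one's understanding of the draft's formulas: 2G = (6, 3), 3G = (10, 6), 4G = (3, 1), and 19G is the point at infinity.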

An interesting read as long as you can handle sustained Courier font. If you are looking for some more background on elliptic curves for security please take a look at Luther Martin’s posts at Voltage; four are listed below.


Sunday, May 9, 2010

What are the CISO's most useful instruments?

Matthew Hackling, provider of outlandish security punditry from an Australian perspective, has posted a suggested list of artefacts that a CISO should have in order to act as the conductor of the information security symphony in an organisation,
  1. Audit issue register (lead violin, sometimes a bit too screechy)
  2. Enterprise risk register
  3. Significant business unit risk registers
  4. Compliance requirement register (the timpani)
  5. Mapping of compliance requirements to your Information Security Management System (ISMS)
  6. Control testing management reports and database
  7. Management reporting template
  8. Existing enterprise security plan and perhaps security plans of significant business units
  9. List of business units by criticality
  10. List of business processes by criticality within business units
  11. List of business applications by criticality with function descriptions
  12. Current security budget
  13. Business case template and submission procedures
  14. Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
  15. Organisation chart
  16. List of security projects with budget and status
  17. List of business projects by criticality to business success
  18. Enterprise security architecture ( well at least the "zone model" with zones mapped to examples in the existing environment )
  19. Data classification scheme

Saturday, May 8, 2010

Infographic on Afghan scenarios with Prezi

I, like quite a few other people, posted on the recent NYT article which showed a horrendously complex PowerPoint slide created to depict the situation in Afghanistan, and the challenges facing US military decision makers.

Another, more informative view of the Afghan predicament can be found at a German site called The Afghan Conflict, which appears to be the result of a collaboration between Marc Tiedemann and several colleagues to produce a visual map of possible scenarios in the conflict. From the site:
When we started researching this topic we very quickly saw that the debate whether to pull out the troops, stay or even reinforce is not too much about arguments, it’s a battle of possible scenarios. Every side seems to have their own positive and negative visions of how things will happen in the future if certain steps are taken. The resulting map The Afghan Conflict - A Map of Possible Scenarios is the attempt of a summary of the most popular possible scenarios around the Afghan conflict, according to a pullout or stay of the Allied troops. It is based on interviews with journalists, politicians and political foundations.
The resulting scenario map is quite large and the authors have not tried to compress it onto a single PowerPoint slide for convenience of presentation (double click the image below to see a larger version).


The scenario map is available as a poster but also as a Prezi animation which allows you to navigate across the scenarios and zoom in and out of the detail (I cannot find a way to link to the Prezi animation directly, so you will have to view it from The Afghan Conflict site). I will have more to say about Prezi in future posts; it appears to be a good navigation tool for complex “infoscapes” like the Afghan situation. In the meantime please take a look at the showcase presentations at the Prezi site.

OpenSAMM Assessment Spreadsheet v0.4 available

OWASP has a project called OpenSAMM, the Open Software Assurance Maturity Model (SAMM). There is an audit framework for OpenSAMM, implemented as a spreadsheet with about 80 questions grouped into a collection of business functions and security practices. You can get the spreadsheet here.


Friday, May 7, 2010

Cute Cloud Computing graphic


Projection: Firefox overtakes IE by Christmas 2012

It has been widely reported that the global market share of Microsoft’s Internet Explorer has fallen below 60%. While pundits, commentators and technologists discuss the future of IE, Zack Whittaker at ZDNet has done “a bit of maths” and produced the following extrapolation, showing Firefox passing IE in market share around December 2012.

Assuming Zack has done his Excel sums correctly, the prediction is still pure data extrapolation. The last year has been extremely unfavourable for IE, with its security flaws and the playing out of the European anti-trust case against Microsoft. Redmond may still be able to turn the prediction around.

Thursday, May 6, 2010

When we understand that slide, we’ll have won the war

The title is a comment reported in the NYT from Gen. Stanley A. McChrystal, the leader of American and NATO forces in Afghanistan, when shown the PowerPoint slide below (see a larger version here).


The slide was meant to depict the complexity of American military strategy in Afghanistan, and it seems to have over-succeeded. Apparently PowerPoint is not just an obsession of business managers but also of senior military commanders. But behind all the PowerPoint jokes are "serious concerns that the program [PowerPoint] stifles discussion, critical thinking and thoughtful decision-making”. The following observation is quite insightful:
[PowerPoint] slides impart less information than a five-page paper can hold, and that they relieve the briefer of the need to polish writing to convey an analytic, persuasive point. Imagine lawyers presenting arguments before the Supreme Court in slides instead of legal briefs.
But even with mounting reservations over the ability of PowerPoint to usefully represent military situations, no one is forecasting any change – it is just too embedded in the military, as it is elsewhere. And while “no one is suggesting that PowerPoint is to blame for mistakes in the current wars”, it takes a great deal of time with PowerPoint to keep a war going, let alone to end it.

Wednesday, May 5, 2010

The power limit of Cloud Computing

In February I posted on Lew’s law, a prediction by former SUN CTO Lew Tucker stating that IT expenses will increasingly track the cost of electricity. Tucker gave a keynote presentation on The Ultimate Cost of Computing at the recent Cloud Connect conference, in which he gave some more insights into his views on the evolving cost model for cloud computing.

Tucker begins by stating that the driving forces of cloud computing are technology and the market, symbolised by Gordon Moore and Adam Smith (the author of the invisible hand of the market). He shows that Moore’s law, the doubling of computing power every 1 – 2 years, continues to be achieved by the microprocessor industry as a whole, with computing power having increased by a factor of one million over the last 40 years.


In the last few years these gains have been supported by multi-core processors, since issues with power consumption, chip cooling and production costs invalidate the assumption that smaller components are the most cost-effective strategy for increasing processing capability. The future probably then lies with more chips of a given complexity rather than with chips of increased complexity. So Moore's Law may actually be maintained, but not for the reason that Moore predicted (increased chip density).

A key question for Lew is whether cloud service providers can pass on the benefits of Moore’s law to customers. Already the cost per hour of a CPU (instance) has dropped from $1 to less than two hundredths of a cent over the last 15 years.


But what are the real costs of cloud computing? Are faster computers the deciding factor? Apparently not – it's administration and power consumption.


Cloud computing wins by leveraging automation, virtualization, dynamic provisioning, massive scaling and multi-tenancy, all of which lead to power becoming the dominant cost (mainly for scaling and cooling). And data centre power consumption has already doubled in the last 5 years.

So Lew’s law can now be stated as
In the cloud, the cost of computing will continue to fall, bounded only by the cost of energy.
Being an ex-SUN man, Lew must take some delight in this final slide.



Tuesday, May 4, 2010

Conficker and your health

A USB stick inserted into a terminal in one of its car parks is being blamed for a massive Conficker infection of Waikato hospital in New Zealand that broke out last December. Over a 3 day period this incident infected 3,000 computers on the hospital network, impacting around 5,000 hospital staff. A full report on the incident is still forthcoming, but a USB-borne strain of Conficker is expected to be named as the culprit. A similar incident occurred on the servers of the NHS in Leeds earlier in the year.

Monday, May 3, 2010

A look back at posts from April 2009

As April has just passed by, let’s take a quick review of what I was blogging about in that month last year.

There were a couple of posts on entropy: the first, NIST, Passwords and Entropy, a review of NIST’s approach to specifying password policies based on entropy, and the second, On the Entropy of Fingerprints, which found some research indicating that password entropy is much lower than fingerprint entropy.

I also had a bit to say about a “rant” in Marcus Ranum and the Points of No Return, where Ranum stated that the cumulative effect of many business-driven IT decisions taken over the last three decades has rendered a grand IT failure all but inevitable. I followed that post up with The Relegation of Security to NFR Status, which examined the weakened position of security, and IT in general, in decision-making processes.

There was a wonderful post by Julian Sanchez on his blog, Climate Change and Argumentative Fallacies, where he coins the term “one way hash” arguments, by which he means the asymmetry between the effort required to pose a plausible argument and the effort required to debunk it. I think we face the same problem in IT risk and security, as I said in “One Way Hash” Arguments.

I also reposted The Data Centric Security Model (DCSM) with a link to the full document on Scribd, as the old link had stopped working. The document remains very well read, with about 3,000 views in total today. Some security documents on Scribd gave links to other documents I uploaded, and you can see all the categories here (called collections by Scribd).

I announced in ENISA and Security Awareness that I would be speaking at an upcoming ENISA conference, which turned out to be a very successful get-together. My slides can be found here, and let me point you to a great awareness presentation from Robert Hadfield of British Airways, which has just over 1700 views on Scribd.

Zero Knowledge Proofs was a longish non-technical introduction to this complex topic, and it has remained one of my posts with a steady number of readers. I also started Password Roundup #1, with the intention of creating a series of posts on password issues, which figure regularly in security news. I got around to a second round-up about a month later but have stalled since then – not for lack of material. Instead of waiting for me, please take a look at the Reusable Security blog by Matt Weir, which is devoted to password issues and analysis.

Finally, I started to post some of the FreeMind maps I create to gather my thoughts for more detailed posts, in Three Security maps in FreeMind and Flash. Since then I have published all my FreeMind maps, including some that don’t relate directly to articles.

Sunday, May 2, 2010

Crowdsourcing CAPTCHA cracking

The NYT has reported on the practice of outsourcing the breaking of captchas to people in Bangladesh, India and China. The work is neither glamorous nor well-paid, at 80 cents to $1.20 per 1,000 solved captchas, but there seem to be enough takers nonetheless. The work is farmed out through online exchanges like, where for example an operator in Bangladesh runs an operation turning out captcha solutions 24 hours a day, seven days a week.

Macduff Hughes, an engineering director at Google, says that “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.” So we should see captchas as a deterrent rather than a foolproof way of distinguishing people from malware. In fact, if people are being employed to break these little authentication puzzles then the puzzles are working as intended – to make sure that a person is behind the answer – unfortunately the malware is masking a mechanical turk. The inventors of captchas probably did not expect that solving these puzzles could be farmed out so easily using Web 2.0 technology.

The bigger threat probably comes from direct computer solution of captchas, which can be scaled and provides solutions in real time. I recently posted on the very thorough analysis of the Koobface botnet at, including a section on its captcha breaking network. The captchas are broken in at most 3 minutes, and in many cases in just a few seconds. There is also evidence presented by Webroot that audio captchas are being broken in real time by automated means.


Saturday, May 1, 2010

1-in-300 Facebook accounts hacked, and now for sale

There are several reports stating that one and a half million Facebook accounts are for sale on an underground forum by a hacker calling himself Kirllos, which equates to about 1 account in 300 being up for grabs. VeriSign's iDefense group estimates that almost half of the accounts have been sold already.

Kirllos is asking $25 for 1,000 users with fewer than 10 friends, or $45 for those with eleven or more. This is quite cheap given that e-mail IDs and passwords typically go for between $1 and $20 per account, and credit card and bank account credentials can go for up to $30 for credit cards and $850 for bank accounts.

As usual, Facebook users should check their passwords.

What is the LINPACK rating of Conficker?

Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, gave a keynote presentation on Cloud Computing for Criminals at the recent Cloud Connect conference. Joffe presents some figures which show that the computational size of the Conficker botnet dwarfs the current commercial offerings, measured by the number of systems, the number of CPUs and the available bandwidth. For Conficker these values are given (estimated?) as

  • 6,400,000 systems
  • 18,000,000+ CPUs
  • 28 Terabits of bandwidth

The corresponding measures for Google are 500,000 systems, 1,500,000 CPUs and 1,500 Gbps of bandwidth, with Amazon and Rackspace providing significantly fewer resources. So Conficker is a massive ad hoc computational structure. But is Conficker really like a cloud service? Joffe says yes, because

  • It’s available for rent
  • Choose your geographies
  • Choose your networks
  • Choose your bandwidth
  • Choose your OS Version
  • Choose your specialty (DDoS, Spam, Data Exfiltration)

and further, the vendor has good qualifications:

  • Much more experience (1998)
  • Larger footprint (Millions of systems)
  • Unlimited new resources (New malware)
  • No costs
  • No moral, ethical, or legal constraints

This all reminds me of a mailing-list post by Peter Gutmann from 2007 called World's most powerful supercomputer goes online, referring to the Storm botnet:

This doesn't seem to have received much attention, but the world's most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve's online survey

for which the typical machine has a 2.3 - 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what's listed at

This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world's most powerful supercomputer system at their disposal, what are they going to do with it?

And I wonder what the LINPACK rating for Storm is?

And I wonder what the LINPACK rating is for Conficker?
