The Leirdal Blog - Security

The future, 2.0

nospam@example.com (Jon Leirdal) — Sat, 01 Nov 2008 16:00:31 +0100

As a follow up to my earlier fantasy of new possibilities regarding a documented generation I would like to blow out some steam regarding social software as well.

One of the problems we see today is that there are only a few people producing the information that is consumed by all the rest. Those reading are participating with tagging, bookmarking and rating of the content, but even this should be easier. The production of the content could also be easier.

So let us play with the idea of a documented world. On our way forward we have a few stops on the way. Some of them we are experiencing right now, among else by using Facebook, Linked-In, Plaxo or other social networking applications. By blogging and micro-blogging what we do and what interests us we are giving the world knowledge and information that can be used by other applications as what we often call value-added content.

Consider this, you are watching a video or listening to a podcast on the net regarding some information. The video or audio is tagged in such a way that as you play the content, different meta-information rolls by in tandem with the content, and the media player might then display related information based on automated searches as you watch. We are talking hypermedia that intelligently can give you information that you need or want. You will be able to decide where the information is gathered from.

In the next generation of social software I expect us to be able to increase the value for each other in even better and easier ways than today. And as always, the enabler of these features will always be technology.

So in the future, expect great things. Probably not some of the small ideas I present to you here. What we will see will probably be better.

And you will be a part of it. By easily producing content, and adding meta-information and grading what you see. The world will give you more of what you want and of what interests you.

Whether it is semantic technology or intelligent search engines, I bid welcome to interesting and feature rich social networks, in a documented world where you can have an even more enhanced life experience.

Soon, in a life near you!

Are you documented?

nospam@example.com (Jon Leirdal) — Fri, 31 Oct 2008 09:28:34 +0100

In the future: You will be able to rewind your whole life. Everything you have ever done, ever said, ever seen and ever heard will be reviewable, analysable, searchable and last, but not least, available.

We are getting closer to something a lot of people are calling the documented generation. Even today most of what we do is documented in some way or other. I myself have used my archive of digital images gathered over several years to remember when and where I visited some place. I’ve tagged all my images to simplify finding and searching, but I welcome the day this is an automatic process.

Most of your financial transactions are documented and traceable today when you use a debit or credit card for paying. Often you even use a membership card to get other benefits as well.

Most of your movements are traceable today, whether you use a car with an Autopass chip to pass trough highway toll boots, or you pass traffic cameras that watch the traffic. If you fill gas at a gas station you pay using a credit or debit card. When you go by train you use an electronic train ticket containing an RFID chip. When you go by plane you pay by card and you have to show a picture ID before boarding the plane.

Actually you are filmed by surveillance cameras almost everywhere, and most of what you do at work is logged on your computer.

All of your life is already stored on a plethora of computers all over the world and the internet.

These are known issues and something we have seen emerging over several years. Science Fiction authors have suggested this for years and the last decade these issues have been and are discussed in mainstream literature and media as well. And this is only the beginning.

What this will have to say for us personally, for our security against ID-theft and against the misuse of personal information is probably something a lot of people already have felt.
As long as our information is as available as it is, id-theft and misuse of information will become more and more common. The only way to prevent this is to change the routines and the systems available for those that need to verify our identity. They need a more secure way to verify that we are who we say we are, and they need to increase their efforts for protecting our data.

The way technology improves and evolves makes the possibilities for tracking and storing all kinds of information better each day. A new generation of people where everything they do is documented, from the day they are born until the day they die, is not that far away. The documented generation!

I would venture the guess that very soon we will see solutions in the consumer market that enables us to document events while they happen in new and exciting ways. Things like video-goggles that store everything you see, hear and say while attending a meeting or conference. The information might be stored on small, flexible, secure and large storage devices or directly on network storages units. This information may even be integrated with GPS-data and other environment information like weather or temperature, or with auto tagging features that adds other automatic metadata to the different parts of the recording. Face-, object and speech recognition will be automated and stored together with video and sound. And maybe not that much further in the future, this might be available in a 3D video with better than HD-quality.

The benefits that come with this kind of easily available information will of course be both a curse and a boon for us users. I often wonder where I met some people for the first time or what some customer said about some technical problem. Together with the stored information and multimedia we will probably be able to cross-reference our ”life-stream” with all other kind of information. With automated image and speech recognition everything we do, experience and say will be searchable and analysable.

What do you think? How soon will this be available? In 15 years? In 10 or 20 years? Will it be possible to rewind you whole life?

And as a small idea: When will we see the possibility for creating alternate experiences that makes it look like you have led a more exciting life than you really have? Will we see jamming equipment for jamming people from recording you on their life-streams? If you have an idea, please add a comment below.

PS: Yes I am aware of this little thing from the US, but I am saying that people are willingly going to do this just because they can.

Bruce Schneier: How to sell security

nospam@example.com (Jon Leirdal) — Thu, 29 May 2008 11:09:01 +0200

I guess most readers of this blog also check out Bruce Schneier once in a while. One of his latest entries discusses the different aspects of how to sell security. What is worst, the risk for a big loss, or the certainty of a small one? Read his blog post on How to sell security and wonder why we are what we are.

Schneier on Security: For a Safe Night's Sleep

nospam@example.com (Jon Leirdal) — Wed, 02 Apr 2008 08:35:33 +0200

This is just fantastic. Bruce Schneier has a blog-entry called For a Safe Night's Sleep that covers a product named Quantum Sleeper. I just can't shake the feeling this is published due to April first, but anyway. For a laugh check out some of the specs. Whether it's a joke or not it doesn't matter. It's still funny.

The Quantum Sleeper Unit is a high-level security system designed for maximum protection in various hostile environments

Quantum Sleepers can also be fitted to provide protection from destructive forces of nature such as tornados, hurricanes, earthquakes and floods.

The Quantum Sleeper is the ultimate in protection, entertainment and communications, “ ALL ROLLED UP IN ONE”

...

Features:

1.25" Polycarbonate Bulletproof Plating/Shielding

Bio-Chemical Filtered Ventilation

Rebreather

Control Panel Mode Selection (i.e., Basic System Ops., Intruder Setting, Energy Status, Lock Down, etc.)

Cover & Door Actuators w/ Emergency Release

One way see through head cover (reflective mirror on 2 sides and front)

Safety Features (Proximity Sensor, O2 Sensor, Smoke Det., Motion Det. Ect,)

Emergency Communication system (Cellular, Short-wave Radio, CB ect.)

Audio Amplifier (Amplify sound from out side unit)

Air/Water Tight Sealing

External Override Key Pad & Remote Control

Battery Backup Power

Toiletry system

A thing that makes it look real is the patent number. The USPTO web site actually shows a patent #7137881 for a protective bed unit. But all the typos makes it somewhat less real.

I leave you to make the decision for yourselves. Enjoy.

Wish for 2008

nospam@example.com (Jon Leirdal) — Tue, 08 Jan 2008 10:54:26 +0100

When you read the news from anti-virus companies and security advisors you get convinced that 90% of the software you find on the net is malware, and the last 10% have so many security issues that it turns out the same thing. At the same time a life seems to be worth less than the copyright interests of media companies.

I don’t know if you have noticed, but I feel that the whole world has been overrun by solutions and programs that want to harvest personal information about me. The products that don’t ask for the information grab it anyway.

Trusted computing is a much debated architecture, maybe rightfully so. That kind of architecture might limit the spreading of free/open source software. Microsoft has proven that they can offer this trough their HD-Video support. There they have signed code in all layers, and only approved hardware devices are allowed in the pipe from storage media to screen. I am not saying that it is impossible to bypass this pipe in some way, but the threshold to perform such a hack has been raised a fair bit.

So, when you consider the stack of components needed to display HD-Video, what do you need to have the same security/quality for our computers? Especially when you are connected to the Internet?

The question then is if we maybe should take a look at this “cursed” subject again. Financing solutions in order to secure that open source software can be verified and approved might become a reality. There is one thing that we have learned so far. It is impossible to count all evil. You cannot permit the execution of all software except the bad ones listed in a list. Such a list will never be complete. But you can allow all enumerated good software and block the execution of all other code. Anti-virus software tries to perform this enumeration on our behalf, but still they do not know everything and ask the users what to do when in doubt. When they do, the s**t hits the fan. Users do not know what to do. They do not realize the consequences of their choices.

Again, the driver is the money. It is somewhat of a symptom of the state of the world that it’s more important for Microsoft that a video is not copied than to secure the personal information of a user. If somebody steals all our personal details, all our money from our bank accounts and our identity, that is not as important for Microsoft as a video unlawfully duplicated and distributed.

So what is my wish for 2008?

My wish is that our lives and our identities will become more important to protect on the net than the economic interests of a few.

Bruce Schneier: Security in ten years

nospam@example.com (Jon Leirdal) — Tue, 04 Dec 2007 10:11:51 +0100

Bruce Schneier have this little gem available on his site today. Bruce and Marcus Ranum are discussing security issues and trying to guess where the field will be in ten years time. I've got to say that they are painting a somewhat bleak picture, and I sincerely hope that they are wrong in some of their assumptions, but I fear that they are probably correct.

Encryption and security

nospam@example.com (Jon Leirdal) — Mon, 19 Nov 2007 10:35:24 +0100

Maybe it's not as secure as you think. According it this article and the following post on Slashdot, Hushmail has been caught red-handed in backstabbing their own marketing.

"The only way to decrypt or unscramble Hush messages is by using your passphrase when you open up your Hushmail account. Carnivore cannot decrypt your mail, and is therefore, powerless against messages sent between Hush users."

Now it seems that they have handed over the private keys of users to the government, and thus voided their own technology. I would guess that they soon will have a few trust issues with their customers. I am not going to discuss the old saying, "if you are not doing anything wrong, why do you worry about the government reading your email".

At the same time some people within the U.S. government wants to redefine "privacy" so that it doesn't include anonymity, and that NSA seems to have included a backdoor to a random number generator for use in encryption programs.

Denial of Service attacks with a new twist?

nospam@example.com (Jon Leirdal) — Wed, 07 Nov 2007 15:00:31 +0100

BBC recently gave us a nice little story about electronic car keys. Bruce Schneier has covered the story as well. The gist of the story is that a lot of people had trouble opening and starting their cars in one particular parking lot. People started checking different causes for this and long suspected a rouge wireless broadband unit or something like that. It finally turned out to be another car, belonging to a commuter, with the same lock system that was sending out signals, and thus blocking the signals for all the other users.

This tells me two things.

It is possible to block the usage of electronic keys by jamming the frequency range
It seems that the frequency range for wlan and for car-keys are pretty close and maybe even the same.

If they use the same bandwidth I suspect that we will see a lot of young boys with laptops blocking frequencies in a car park near you, soon.

It seems that the car industry has avoided the attention of hackers so far. Or just touched the borders of them. One of the comments from Bruce Schneier's blog put it quite well.

"I had an interesting "debugging" session a few years ago when my car battery went flat if the car was parked outside my house for more than 36 hours. Anywhere else, no problem. It turned out my new weather station transmitted on the same frequency as the keys and kept the computer awake!!

There's lots of other car-related problems: when Land Rover first introduced the latest shape Range Rover, the tyre pressure monitoring system got confused if another identical vehicle passed you in the street.

I've also heard of a radio signal based fuel level monitor. Combined with an engine management system that would stop the engine before you run out of fuel to prevent expensive catalyst damage, that suggests some interesting car-jacking opportunities.

Press the remote key on someone's 1999 Range Rover 100 times and they won't be able to open the car.

Renault Megane's can be unlocked and started with a MiFare 4k card - trivially clonable if you look at rfidiot.org.

The car industry hasn't begun to feel the pain of poor security yet.

Andy Cunningham"

Fingerprints as identification

nospam@example.com (Jon Leirdal) — Fri, 26 Oct 2007 09:22:34 +0200

Bruce Schneier had a blog entry about the security of partial fingerprints yesterday. His main point is that there has been a ruling in an US court recently that partial fingerprints cannot be used in a murder case. He links among else to the news-article describing this ruling.

Now this seems to me to be an effect due to sampling frequency. Research has shown that the fingerprints of two different individuals are different. The problem is that law agencies don't seem to check the whole fingerprint. They check only a few different spots of the fingerprint. In other words they have a sampling frequency algorithm when they enumerate a fingerprint. Now, I am no expert on fingerprints, but I do know the weaknesses of a sampling frequency. If it is too loose you might get wrong data. To different objects can be identified with the same sampled key. (You might call it the same hashing key if you like.)

The article references among else two other cases where the fingerprint have been wrongly identified, and the judge "criticized the common method of fingerprint as overly subjective and lacking in standards". Now the reason I am blogging about this is that we are now seeing the utilizing of fingerprint readers in a lot of devices. From laptops to airline check-in points.

As everybody that has seen the Mythbusters episode where they are trying to hack fingerprint readers know, such technology is not 100% secure. They only have to be secure enough. I have been alerted to wrongly identified airline passengers due to electronic fingerprint readers (in Norway). I would like to know if this was caused by software or hardware malfunction, or if the product did not use a "sampling frequency" capable of handling enough different passengers.

Anyway, we have to be aware of the weaknesses of a technology we are using and if there are problems we have to address them accordingly.

Link to entry on Digg