Archive for December, 2004

Story of an English traveler in Delhi
Psychology or awareness problem? The outcome is the same: he was robbed.

I came across this interesting story of an English traveler in India.

The guy was trying to get a rickshaw driver who spoke English at the door of his hostel. Soon he found one, and an English-speaking Indian lad of a certain age intercepted him:

“Sorry Sir, can I go with you? I'll share the price of the run.”
It’s rare to save money on such a deal. “Yeah, sure.”

Then they got in and drove through Delhi’s streets and alleys. Our traveler, we’ll call him John, noticed that the rickshaw kept stopping. The cause was always a rickshaw malfunction.

Soon they were in a dark alley of Old Delhi. One of the wheels had a problem and forced the rickshaw to stop. All around there were only beggars, wearing drab and dusky clothes, sleeping near pestilential-smelling detritus.

I was checking out the situation; no one was moving, my rickshaw companion was waiting for the driver, smiling. I got out of the rickshaw; I gave 10 rupees to the driver.
“I’ll look for another rickshaw, thanks for the run.”
“No, no!! I’ll repair the rickshaw soon; it’s just a little problem. No, don’t leave! Everything will be okay soon. Please!”
I tried to get another rickshaw; I saw no one; I was alone, with two Indians and a broken rickshaw in a somber alley of Old Delhi. I had nothing to do other than wait and hope. I sat back down in the rickshaw.
My companion had just taken a bottle of water out of his bag.
“In India, it’s our tradition to share our food with our fellows. Take.”
“No thanks, I’m not thirsty; thanks a lot.”
“No, no, take it, it’s our tradition.”
“No, I don’t want it, thanks a lot, but I don’t need it, thanks.”
Then he left me alone with his water.
I saw him getting cookies out of his damn bag.
“In our country, we are not rich, we don’t have much food, but we share our food with our fellows. Take this cookie; it’s our tradition to share.”
“No thanks, I really don’t want this cookie, thanks.”
“No, take it, it’s our tradition! You can’t offend it like this!”
Then, knowing that it was not the thing to do, I don’t know why, but I took the cookie and put it down my throat. I knew that I was in trouble when the cookie was in my stomach. I fell asleep, my head fell on a metal bar at my side, and I was KO.
Some time later, I was lying in a ruin; dried blood in my hair and sores all over my body. I didn’t know where I was or what time it was. I wasn’t in pain… I was… in another world…

The story speaks for itself. Everybody knows that they need to be wary of drugged food. “Don’t take food from strangers,” my mother told me when I was young. This advice is good anywhere in the world, even in your own neighborhood.

What is interesting in this story is its cultural side. You are a foreigner; you travel to a new country to meet new people and cultures. So what do you do in this situation? You don’t want to offend them. You are there to learn their habits. You started out with this mindset, so going against it is not coherent. You know that you can get into trouble, but your mind seems to bypass your awareness. This situation is more a question of psychology than a question of awareness; you need to be consistent with your thoughts. It can seem stupid, but it’s the reality. Many of these tricks can be used by marketing people. An excellent book on the subject is Influence: Science and Practice by Robert B. Cialdini.

Read the story, ask yourself what your reaction would be in this situation, and hope that it will really be yours if the situation arises.

What’s the cost of a nuclear weapon?
Get back the field agents

When I read this article, I was reminded of a post that I wrote some months ago.

This article revives the question: why are field agents essential in information gathering? There was a shift in the nineties to cut back on field agents and put the information-gathering effort into airwave and wire tapping. As I said, it was probably a big mistake, decried by many CIA agents. Fortunately the CIA had infiltrated the ground in 1990. They were able to get prime information on the network; they used it and took down Khan’s network around the world. Some experts criticize the delay of the intervention. I’m not in a position to give an opinion on that, but my point is that without well-trained field agents I don’t think the modus operandi of the network would ever have been discovered. Don’t forget that other such networks can exist or can emerge from the ashes of Khan’s network. There is probably money to be made and power to be gained.

This raises a question: how much does a nuclear bomb cost? This question is interesting when you consider a few things. First, it’s a very specific type of trafficking with quite few clients. The risk is greater than narco-trafficking, and narco-traffickers can make billions of dollars. So how much does a nuclear bomb cost?

Rogue states can afford it. Big criminal groups probably can too. What’s the real danger of such a situation? I don’t think that anybody knows the answers to such questions. We can only guess at the threat by analyzing its short known history.

The operating system oriented security debate is restarted – Phase 2
Examples of what I was saying.

Some days ago I was saying:

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well programmed, without any programming bugs, and yet a bad configuration alone can lead to a security hole. You’ll tell me: yes, but the programming is perfect, without bugs, so it’s impossible that such a thing happens; if it happened then the cause is the user, not me, so it’s not my problem. If you build a system that is hell to configure, then yes, it’s your problem. The interaction between a program and its plug-ins, or between one program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices.

As you can read, it was not really a great discovery. But today, while reading my blog entries, I was amused by some of them. Let me point them out.

First, Google Desktop. As you can read in the New York Times:

The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw – a security weakness that emerges when separate components interact. “When you put them together, out jumps a security flaw,” said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. “These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw,” Professor Wallach said.

It’s probably one of the best examples of the phenomenon I was talking about two days ago. Sure, these problems are really hard to find and need imagination to discover. But the point I want to make is that the security of a program isn’t just a function of its code quality. Two programs can each be free of security flaws, but together, security holes appear.

A post from Peter Torr is also worth reading. He was writing about Firefox and its appearance of security. Sure, the code is probably not too bad, but some of the features (including download and installation) are obscure. So my two pennies in the conversation are just to emphasize the plug-ins point. I’ve already said it before, but please take care with small and cool plug-ins. As Peter said, you don’t have any way to check their authenticity.

What’s cool with Firefox is that it’s a potentially slim browser that you can change at will, with the features you want. The principle is great but also paradoxical when you have security in mind. Firefox itself probably is or will be well studied to upgrade and patch security, but will that be the case for all the plug-ins available on their website? Let me doubt it. The solution? Probably certifying them. The feasibility? Near null for the moment.

Finally, I’m not saying to stop using it or the cool plug-ins available, but only to be aware of the situation when you are using these types of software.

The operating system oriented security debate is restarted.
Please stop your childish games.

I read today an article on Wired News that restarts the debate on Linux versus other operating systems’ security issues. The conclusion is:

  1. 0.17 bugs per 1,000 lines of code in the Linux kernel
  2. 20 to 30 bugs per 1,000 lines of code for commercial software

These statistics were collected by Carnegie Mellon University’s CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell nothing. Fine, theoretically there is less chance that my Linux kernel has bugs that cause security threats. It’s sure that the (open source) core of an OS is likely more studied than the software it runs. That’s exactly the present situation.

What about all the other things that come with Linux distributions? Are they as well studied as the kernel? Let me doubt it.

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well programmed, without any programming bugs, and yet a bad configuration alone can lead to a security hole. You’ll tell me: yes, but the programming is perfect, without bugs, so it’s impossible that such a thing happens; if it happened then the cause is the user, not me, so it’s not my problem. If you build a system that is hell to configure, then yes, it’s your problem. The interaction between a program and its plug-ins, or between one program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices.

How can they summarize computer security risks with lines of code? Can anyone tell me this?

Security as seen by History
Quotes that pass the time.

I was playing around with quotation websites. I searched for the term “security” and found interesting results.

This exercise is interesting from the point of view of history: how historical figures saw security in their everyday lives. By knowing their history you’ll learn more about their thoughts, at that time, about security.

—–

A quote that describes the state of security. Knowing that security and safety are not immutable will possibly preserve you from many unwanted situations:

The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.

Confucius

Chinese philosopher & reformer (551 BC – 479 BC)

—–

Overconfidence can lead you into many unwanted situations:

Better be despised for too anxious apprehensions, than ruined by too confident security.

Edmund Burke

Irish orator, philosopher, & politician (1729 – 1797)

—–

Is opportunity creating your security?

There is no security on this earth, there is only opportunity.

General Douglas MacArthur

US WWII general & war hero (1880 – 1964)

Too many people are thinking of security instead of opportunity. They seem more afraid of life than death.

James F. Byrnes

US jurist & politician (1879 – 1972)

—–

Will you miss things in life if you are paranoid about security measures? There is a comfort zone where it’s worth it, but there is also a line not to cross.

Life is either a daring adventure or nothing. Security does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than exposure.

Helen Keller

US blind & deaf educator (1880 – 1968)

Security is mostly a superstition. It does not exist in nature…. Life is either a daring adventure or nothing.

Helen Keller

US blind & deaf educator (1880 – 1968)

Security is a kind of death.

Tennessee Williams

US dramatist (1911 – 1983)

Security is when everything is settled. When nothing can happen to you. Security is the denial of life.

Germaine Greer

Author (1939-today)

—–

Think about the weakest link. If it is present, the whole chain will break.

There is no security for any of us unless there is security for all

Howard Koch

U.S. screenwriter (1901-1995)

—–

Is security a brake to progress?

He who is firmly seated in authority soon learns to think security, and not progress, the highest lesson of statecraft.

James Russell Lowell

American poet, critic, and editor (1819-1891)

—–

Security over freedom?

Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.

Benjamin Franklin

American statesman, scientist, philosopher, printer, writer and inventor. (1706-1790)

—–

Innovation in insecurity?

It’s an old adage that the way to be safe is never to be secure. Each one of us requires the spur of insecurity to force us to do our best.

Harold W. Dodds

American educator (1889-1980)

—–

Finally, for the paranoid:

Security gives way to conspiracy.

William Shakespeare

British dramatist, poet. (1564-1616)

The Survivor Personality by Al Siebert, Ph.D
Are you a survivor?

As you can see in my last posts, I’m more oriented toward personal security and physical-world security these days. Here is another post on the subject. Are you computer-security oriented? Then read these posts anyway. You can learn things that will be applicable in your security domain. Security is a process; most people know it. Personally I don’t think that security is domain-specific. Security is a graph where each domain is a node. You can travel to each node, but the principles follow you into each of them. Technicalities are node-dependent, but principles apply to the whole graph.

A month ago I read a passionate book on the survivor personality written by Al Siebert, Ph.D. It’s a really interesting read. I copied an excerpt of the book that summarizes it in a couple of points. If you don’t understand some of them, I encourage you to buy and read it.

“What you can do is create a self-managed plan for acquiring qualities and skills that will improve your ability to handle change, unexpected developments, and disruptive crises that come your way. In your personal plan you may want to include some of the following:

  1. Ask questions! Respond to change, new developments, threats, confusion, trouble, or criticism by asking “What is happening?” Develop a curiosity reflex. Practice reading each new reality rapidly.
  2. Increase your mental and emotional flexibility. Tell yourself “It is all right to feel and think in both one way and the opposite.” Free yourself from inner voices from your past that say you shouldn’t feel or think a certain way. Develop many response choices for yourself.
  3. Assume that change and having to work with uncertainty, ambiguity, and unknowns are a way of life from now on. Learn to handle these with self-confidence. Practice making new developments work out well. In today’s world getting good results counts more than working hard.
  4. Become useful quicker and in more ways than other people. Ask yourself, “How can I interact with this so that things get better for everyone?” Your ability to find ways to be useful makes you valuable. In every situation make it more valuable than anyone thought it could be. Consider such efforts an investment in yourself.
  5. Develop empathy skills, especially with difficult people. Put yourself in the other person’s place. Ask “What do they feel and think? What are their views, assumptions, explanations, and values? How do they benefit from acting as they do?” Govern your actions not by your good intentions, but by the actual effect you have on others.
  6. Learn how to learn from experience. That way you are always becoming more capable, effective, and employable. Practice thanking people who give you unpleasant feedback. Consider viewing difficult people as your teachers in the school of life. Instead of trying to get difficult people to change, ask yourself “Why am I so vulnerable? What are my blind spots? How could I handle myself better with such people?”
  7. Resist labeling others. Practice observing and describing what others feel, think, say and do. Use negative nouns when you want to swear and positive nouns when you want to put someone on a pedestal, but recognize that the labels you put on others reflect your emotional state.
  8. Pause occasionally to silently observe what is happening. Take several deep breaths. Scan your feelings. Be alert to fleeting impressions. Notice little things. Be alert to early clues about what might be happening.
  9. Take time to appreciate yourself for the helpful things you do. Appreciate your accomplishments. Feelings of positive self-regard help blunt the sting of hurtful criticism. Your self-esteem determines how much you learn after something goes wrong. The stronger your self-esteem, the more you learn.
  10. When hit by adversity, no matter how unfair it seems, follow the survivor sequence: regain emotional balance, adapt and cope with your immediate situation, thrive by learning and being creative, then find the gift. The better you become, the faster you can convert disaster into good fortune.”

Finally, I’ll sum up another thought of the book with an excerpt from Children of Dune by Frank Herbert:

“Muad’Dib’s teachings have become the playground of scholastics, of the superstitious and the corrupt. He taught a balanced way of life, a philosophy with which a human can meet problems arising from an ever-changing universe. He said humankind is still evolving, in a process which will never end. He said this evolution moves on changing principles which are known only to eternity. How can corrupted reasoning play with such an essence?”

MSN Spaces
Another star in MSN’s space.

Yesterday a new MSN service was released. I take the time to talk about it because it opens many new possibilities for everybody. Don’t worry, I’ll also talk about some security and privacy features of the new service (isn’t that the purpose of this blog?)!

Yeah, you are right, I too am talking about MSN Spaces. It’s a frenzy on Microsoft’s weblogs; everybody is writing posts about it. I didn’t take the time to check the rest of the blogosphere, but it’s probably the same frenzy there.

What is MSN Spaces? Basically it’s just another blog editing and publishing tool. What makes it interesting? Its interface and its simplicity. What makes it really interesting? Its integration with other MSN services like MSN Search (eventually the beta version will be released), Hotmail and MSN Messenger (7 Beta).

MSN Spaces is a place where 140 million MSN Messenger users can share their thoughts with their close circle of friends and/or the rest of the world. They can easily publish posts on their blog with the MSN Spaces web interface or by email. There are pretty cool features like integrated photo albums and an integrated music list. It’s a fully working blog system with permalinks, trackbacks and comments.

Now that you have a general view of what MSN Spaces is, I’ll write down some thoughts that come to mind at the moment.

It can seem crazy, but I think this is a good test to check whether blogs can be a spam-free communication system that will eventually replace email. This idea was already discussed on the blogosphere before, but I think this new service will be a good testing ground for the idea. The integration with MSN Messenger makes it an elegant replacement for mass IM messaging or mass emailing. It’s permanent, and you have the possibility to change your entries at any time. Your friends will be alerted that you have changed your blog, and they will have the possibility, not the obligation, to read your new mass message. You’ll have full control over the information that other people read. It’s a really interesting possibility of the system. You’ll tell me that blogs already do it, etc., etc., etc.… But here is why this system is different from other blog publishing tools:

The new feature that is only present in this blog system, and that is only possible with the integration of MSN Spaces and MSN Messenger, is the access control you have over your personal MSN Spaces blog. You can literally choose who will be able to look at your blog. You can publish it on the web or make it available only to people on your contact list. This is a really interesting and essential privacy feature. That’s why I said it can replace mail for some tasks.

Microsoft is taking security seriously with this new web service. It’s specifically why MSN Spaces is not compatible with other blog service APIs such as the Blogger API or the MetaWeblog API. Here is the answer of Dare Obasanjo of Microsoft (check out his blog; it gives access to up-to-date information about MSN Spaces and its integration with other MSN services):

“I listed the problems with the current crop of blog posting APIs such as the Blogger API and MetaWeblog API in my post from a year and a half ago, What’s Wrong with the MetaWeblog API?. The main issues for us working on MSN Spaces are

1. Security: The MetaWeblog API has no concept of security. Passwords are sent in plaintext as parameters to XML-RPC functions (i.e. they are sent in plain text on the wire as part of the XML message).
2. Limited Functionality: The MetaWeblog API only allows one to either post and edit blog entries, fetch information about a specific user or change the website template. This is a drop in the bucket considering all the things one would like to do with a weblog engine which can be supported by the engine.

The security issue is a big problem and we do not plan to compromise on it. Although it may be satisfactory for certain services to exchange users’ passwords in plain text where they can be sniffed by malicious third parties, we don’t want the Passport accounts of our users exposed in such an insecure manner. This basically means we can’t plug into the ecosystem of tools and services built around blog posting APIs today.”
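To make Dare’s first point concrete, here is an added example (mine, not code from this post, from Microsoft or from any blog tool) of what a MetaWeblog request looks like once it is serialized, and a small check a defender could run over captured request bodies to flag credential-carrying calls that leave over plain HTTP. The method names and the positions of the username and password parameters are those of the published Blogger and MetaWeblog APIs; the blog id, user name, password and endpoint URLs are constructed sample values.

```python
import xmlrpc.client
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Blogger/MetaWeblog API methods that take the username and password as
# positional parameters, with their 0-based positions in the parameter list.
CREDENTIAL_POSITIONS = {
    "metaWeblog.newPost": (1, 2),         # blogid, username, password, struct, publish
    "metaWeblog.editPost": (1, 2),        # postid, username, password, struct, publish
    "metaWeblog.getPost": (1, 2),         # postid, username, password
    "metaWeblog.getRecentPosts": (1, 2),  # blogid, username, password, numberOfPosts
    "blogger.newPost": (2, 3),            # appkey, blogid, username, password, content, publish
    "blogger.getUsersBlogs": (1, 2),      # appkey, username, password
    "blogger.deletePost": (2, 3),         # appkey, postid, username, password, publish
}


def build_new_post_request(blogid, username, password, title, description, publish=True):
    """Serialise a metaWeblog.newPost call the way an XML-RPC client puts it on
    the wire. The password becomes an ordinary <string> element in the XML body;
    nothing in the API hashes or otherwise protects it."""
    post = {"title": title, "description": description}
    return xmlrpc.client.dumps((blogid, username, password, post, publish),
                               methodname="metaWeblog.newPost")


def extract_credentials(body):
    """Parse one XML-RPC request body and return (method, username, password)
    when the call is a known credential-carrying Blogger/MetaWeblog method,
    otherwise None. Bodies that are not well-formed XML-RPC also yield None."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError, xmlrpc.client.Fault):
        return None
    positions = CREDENTIAL_POSITIONS.get(method)
    if positions is None or max(positions) >= len(params):
        return None
    user_idx, pass_idx = positions
    return method, params[user_idx], params[pass_idx]


def password_exposed_on_wire(url, body):
    """True when a credential-carrying call is sent to a non-TLS endpoint: the
    password in the body is then readable by anyone on the network path."""
    if extract_credentials(body) is None:
        return False
    return urlparse(url).scheme.lower() != "https"


if __name__ == "__main__":
    # Constructed sample values; not real credentials or endpoints.
    body = build_new_post_request("12", "alice", "s3cret-sample", "Hello", "first post")
    print(body)
    print(extract_credentials(body))
    for endpoint in ("http://blog.example/xmlrpc.php", "https://blog.example/xmlrpc.php"):
        status = "exposed" if password_exposed_on_wire(endpoint, body) else "protected in transit"
        print(endpoint, status)
```

The printed body shows the password sitting in a plain `<string>` element, which is exactly the weakness Dare describes. The check only answers one question, whether the transport protects the password, because that is the only protection the API itself leaves room for; TLS on the endpoint closes the sniffing problem, but it does nothing about the API still handing the user’s full password to every tool in the chain, which is the reason the quoted post gives for not supporting these APIs at all.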

Finally, the best thing you can do is to test it and start your own MSN Spaces blog. Blogging is really a revolution in the small world of the Internet and a new way to distribute and access information.