Review: The Myth of Homeland Security

I just finished reading The Myth of Homeland Security. It is a good book about homeland security, concentrating mostly on United States homeland security after 9/11. It is an apolitical essay on the subject. The author bases his thoughts mostly on an analysis of the PATRIOT Act and other governmental writings. One thing I really don’t like is that he didn’t include a bibliography; he justifies this by:

“I had to write whole sections of this book based on partial information. But this book is not intended to be a history text or a reference. I’m making some inflammatory observations; I don’t want you, the reader, to ignore the substance of what I have to say by getting bogged down in the details of my research. So I didn’t quote sources.”

This is a good introductory book on the subject of homeland security. He asks the general questions of the subject and explains his point of view on them. I think this is honest writing on the part of the author. Sometimes he lacks depth on his subject, but this is excusable.

There is a good quote that sums up the general mood of the book: “Last week a friend forwarded me one of those ‘quotable quotes’ emails that circle endlessly on the internet. At the bottom, it read: ‘You read about all these terrorists – most of them came here legally, but they hung around on these expired visas, some for as long as 10 to 15 years. Now, compare that to Blockbuster; you are two days late with a video and those people are all over you. Let’s put Blockbuster in charge of immigration.’”

At moments I had doubts about his research for this book. For example, on page 111 he says in a “You should know” section: “The National Security Agency (NSA) is a completely separate “turf” that focuses on cryptography, communication security, and signals intelligence.” The problem is that if you read “Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold War Through the Dawn of a New Century” you’ll see that the fall of the CIA was mainly caused by the NSA, which won the bureaucratic game for funds. The FBI probably did not help, but to say that the NSA is a completely separate turf is quite a different story. It’s possible that he is right, but I have a reservation here.

Here is his home page: Marcus J. Ranum

This is my own little review of the book, but you can get a full and complete review of the book by reading Robert M. Slade’s

Have a good read!

A9.com search engine – The consequences on your privacy

I just found a piece of news on the Future Now blog that caught my attention. It talks about the new start-up of Amazon.com: a new kind of search engine. Basically it’s a sort of wrapper around other search engines, like Google, with cool new features. You can get more information about the service here. Personally, I find these features really cool and interesting. You can use your Amazon account to log in at A9.com without any problem. Wow, thanks Amazon for such cool things!

After a couple of minutes, I thought about it and realized that this cannot be done by magic. I remembered all the books that Amazon proposed to me when I logged in with my personal account; most of the time they were really interesting. Then I thought that it would probably be the same thing with the A9 search engine. Here is the result of my little research, with some tips and comments about your privacy on this search engine of a new kind. Personally, I’m a big customer of Amazon; I buy approximately 30 to 40 books per year on their website. However, I’ll not use the A9 search engine, because I don’t want Amazon to know not only my reading habits as a customer but also every other subject that I search for on the internet. I can deal with the fact that Amazon.com uses my customer habits to propose interesting new books to me. I can deal with this because it can point me to books that I never thought of before. However, I don’t want them to propose many other things to me. I need to control the advertising that pops up in front of me. That is what I do by choosing not to use this new search engine.

First, you need to know that they collect four types of information: [Source]

• Information You Give Us: We receive and store any information you enter on our Web site or give us in any other way. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide for such purposes as customizing the site for you, improving the site, responding to your requests, and communicating with you.
• Automatic Information: We receive and store certain types of information whenever you interact with us. For example, like many Web sites, we use cookies, and we obtain certain types of information when your Web browser accesses A9.com. If you would prefer not to be recognized on our site, we recommend that you use our alternate service located at generic.A9.com. On generic.A9.com, we will not recognize your A9.com or Amazon.com cookie. Information we gather on generic.A9.com will not be used in our data analysis (other than to detect abuse) and will not be used to personalize the services we offer you.
• E-mail Communications: To help us make e-mails more useful and interesting, we often receive a confirmation when you open e-mail from A9.com if your computer supports such capabilities.
• Information from Other Sources: For reasons such as improving personalization of our service, we might receive information about you from other sources and add it to our information.

What can be freaky are the definitions of “Information You Give Us” and “Automatic Information”:

• Information You Give Us: You provide most such information when you use A9.com to search or otherwise communicate with us. For example, you provide information when you enter search terms; set bookmarks; download and use our toolbar; communicate with us by phone, e-mail, or otherwise; and employ our other services. As a result of those actions, you might supply us with personally identifiable information or information about things that interest you.
• Automatic Information: Examples of the information we collect and analyze include the Internet protocol (IP) address used to connect your computer to the Internet; computer and connection information such as browser type and version, operating system, and platform; the full Uniform Resource Locators (URL) clickstream to, through, and from our Web site, including date and time; cookie number; and pages you viewed or searched for.

As you can read, they store a lot of information about you and your search habits. It can be freaky. This information is gold. They have your entire profile: your name, your address, your postal code, your buying habits and your searching habits. If this information is not gold, what is it then?
Another thing is that this information can be accessed not just by Amazon but also by some kind of police, because “[they] release account and other personal information when [they] believe release is appropriate to comply with the law”.
You can always use the generic.A9.com server; there, they are not collecting any information about you. The only problem is that you don’t have access to the cool features. In that case, use Google instead; it’ll be more productive, I think.
You can use the service if you can deal with the possible risks. The only thing that I’ll tell you is: be aware of your privacy on the internet. This is just one example among many others.

Security consequences of possible proof of Riemann’s hypothesis

I’ll not summarize the news here; it was widely covered these days: [4], [5], [6], [7], [8] and [9]. Here is the proof of the theorem [2] by Louis de Branges [3].

The problem is that we don’t know if his proof is right. Mathematicians doubt that Louis de Branges is able to prove the hypothesis. It will take time for the most important mathematicians working on Riemann’s hypothesis to peer review the proof. If the proof is finally verified and accepted, it will probably take time to learn the consequences of the proof and how to use it.

In the case that he is right, and that we find how to use the hypothesis to make the many one-way functions built on prime numbers not one-way anymore, what will be the consequences? For now, none; in the future, probably many for asymmetric encryption algorithms. If the dream of proving this hypothesis comes true, you can forget electronic commerce, certification, digital signatures, TCP/IP security, secure telephones, just to name a few. You will not be able to rely on public-key encryption anymore as an easy-to-use method for encrypted remote transmission. We will live through a boom of “The new most secure e-commerce solution with our new foolproof proprietary public-key encryption algorithm”. Think about it: it took thousands of years and many brilliant ideas to get where we are now. Don’t think that it will take 2 weeks or 2 months to make a new leap in the field of public-key encryption. When we find a solution, it will need months and years to analyse and harden the algorithms.

There are some questions, like: why is there no enthusiasm for the discovery? Why is the proof not yet published for peer review? Is it because other mathematicians of the field don’t want it confirmed? Is it because there is a prize of 1 million US dollars for the proof of this hypothesis? Is it because they get pressure from commerce and governmental agencies? There are too many questions; we’ll probably know the answers in the near or far future.

Here are some of my reactions and thoughts about what came up in the news:

From [4]: “Gartner research director Ray Wagner said recent flaws in encryption methodologies would take years of research to develop and exploit for, something hackers are less likely to do while other security flaws are easier to take advantage of.” Yeah sure, but are there only hackers in the networked world? What about governments? Industrial spies? Well-funded terrorist groups? (Don’t forget, terrorists aren’t stupid; many have university degrees behind their neckties.) This isn’t an argument for not taking the possibility into account.
Also in [4]: “‘This is one area where we can stay ahead of the thieves,’ said Alan Canton, president of security consulting and software firm Adams-Blake Company. ‘It does not take nearly as long to come up with a new code or encryption methodology as it does to crack it.’” Hmmm, I think that Mr Canton needs to read The Code Book. Does he know how long it took to arrive where we are? Yeah, for the moment cryptographers are ahead of cryptanalysts. For how long, if the hypothesis is proved true? Refer to history, Mr Canton; it can teach us many things sometimes, especially in the field of cryptography.
Mr Canton also said: “‘No matter what happens,’ he added, ‘it will always be safer to enter your credit card in an e-commerce transaction than to give it to the waiter at the restaurant or to a mail-order company via phone.’” He is right, but I don’t think that he got the point. This is not only a problem of credit card numbers that travel in plain text over the internet, but of everything else: private communication over a cell phone, keeping our state secrets safe from the view of other countries when they communicate. Really, plain text credit card numbers over the internet are probably one of my last worries. Why? Because the worst thing that can happen if someone gets my credit card number and buys something with it is that I’ll need to pay CAN$50 for my claim to Visa or MasterCard… what a deal!
Just another thing that I wish to point out: check the résumé of this so-called president of a security consulting and software firm. Check his publications, etc. Personally, I cannot find where you can see his achievements as a security consultant. Therefore, take his words for what they are. I just say this to remind you that it’s always interesting to do research on what is said in an article. Be critical!

Back to the subject. What’s interesting about this piece of news is that if he is right, we’ll have work for the next few years. If he is not, then it reminds us that the possibility exists and that we need to keep an eye on the situation. It’s not because his proof is wrong that his idea is.

It’s a privilege to have this piece of news. It’s essential to think about news like this. Is the proof of Louis de Branges true? Personally, I don’t care. I know that the possibility exists; that’s what I care about. It’s like UFOs: do they come to earth in their flying saucers? For now, I don’t really care, but I know that the possibility exists, and this is what makes it really interesting. The possibility! Can international terrorism shut down our telephone systems by hacking them? The possibility exists. Will they be able to do it? If so, will they do it? That’s another question. What I know is that the possibility exists and that we need to take this into account when telephone corporations build security policies, extend their networks, and try to build security systems. That’s what we care about.

Here are the links to Louis de Branges’s website and proof.
[1]http://www.math.purdue.edu/~branges/
[2]http://www.math.purdue.edu/ftp_pub/branges/apology.pdf

Here is an interesting article by Karl Sabbagh on the character of Louis de Branges:
[3]http://www.lrb.co.uk/v26/n14/sabb01_.html

Here is the proof in the news:
[4]http://www.ecommercetimes.com/story/Mathematical-Solution-Might-Undermine-Data-Encryption-36427.html
[5]http://news.bbc.co.uk/2/hi/science/nature/3794813.stm
[6]http://www.guardian.co.uk/life/science/story/0,12996,1298812,00.html
[7]http://www.vnunet.com/news/1157891
[8]http://www.theaustralian.news.com.au/common/story_page/0,5744,10706836%255E30417,00.html
[9]http://timesofindia.indiatimes.com/articleshow/846888.cms
[10]http://www.math.columbia.edu/~woit/blog/archives/000035.html

The Cellular – The way of con artists

I just saw the movie The Cellular. This is an entertaining film for sure. Don’t worry, I’m not a film critic. Why am I writing about the film then? Because there are some interesting things to say about it!

I’ll not summarize the film here; that’s why I’m talking to people who saw it. For those who don’t know what I’m talking about, you can always refer here for more information.

One thing struck me particularly: the bad guys were working in the LA police; they shot at people a couple of times during the film and the only thing they needed to say was: ‘I’m from the police [so leave me alone]’. Are people naïve? Some yes, others no? In the film they were police officers, but what if they were not and wore false badges? How can people know, in a few seconds, whether a badge is false or not? There is no way. The only way is to call the police station and ask them. The second problem: who will do this? Probably not many people, me included. It’s exactly why con artists use this old trick: because people respect anybody who wears a uniform and a badge. Just to name a few, it was the strength of legendary con artists like Kevin Mitnick or Frank W. Abagnale. Think about it: if you were in their place and had some doubt, would you ask for his badge number and call the police station? The only thing that I can say is: be alert.

Another interesting thing I saw is the way Jessica killed the first man: she cut his brachial artery. If I refer to Get Tough!, this is a medium-sized artery at ½ inch from the surface; he will lose consciousness in 14 seconds and die in 1 minute 30 seconds. Personally, I think that this is a realistic way (possibly lucky) to get rid of this man.

Finally, I hope you enjoyed the movie 🙂

Change mentalities – Beware old school administrators.

I was talking with the network technician of a Canadian-American enterprise that works in the field of technical teaching materials, like didactic aeration systems, radar systems, etc. This is a small enterprise of approximately 215 employees that has existed for more than 45 years.

I was stupefied when I learned that every employee of the enterprise shares the same email password. There is only one password, known by some key people like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have a problem with your email client and need the password to get your emails, you only need to ask a technician to come to your workstation and let him enter the global email password.

After this astonishing exposé, I asked myself, “Why?” Why are they using a single password to retrieve the emails of every employee, from the secretary to the chief of software development? I was not able to answer this question; that’s why I asked the tech. His answer was unbelievable: “I know Fred, it’s crazy, but the answer is simple: it’s because the administrators say that it has always worked this way and it will always work like this as long as they are here.”

This situation can lead to two important threats: the privacy of employees, and the gathering of crucial information by insiders. First, keep in mind that in both cases an insider can easily get the password by crashing his email client software, installing a key logger on the computer and calling the tech to have him enter the password. He can also simply watch the tech entering the password by looking at the keyboard while he is typing it.

Once the insider has the password, he can retrieve the emails of any employee of the enterprise. That’s the threat to privacy. He can easily retrieve the emails of the beautiful blonde secretary and learn more about her to know how to woo her.

He can also send emails from the email address of any employee, boss included. That’s the threat to critical information gathering. Think about it: the insider is working as an industrial spy for a competing enterprise. He needs the latest and most crucial fiscal information of the enterprise. He just has to log on to the mail server as the president of the enterprise (who has the same password as him), send an email to the chief of the fiscal division and ask him for this information. After that, he just has to check the emails on this account (the president’s) every minute to retrieve the requested information.
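As an added example (not code from the original post), here is a small detector over mail-server login records for the two abuses described above: one workstation opening many mailboxes, and one mailbox being read from two machines at the same time. The log format, user names and addresses are all constructed for this example and are not those of any real server.

```python
"""Flag one workstation reading many mailboxes, the abuse a shared email
password allows. Added example (not from the original post); constructed log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IMAP login records: "timestamp user source_ip result".
SAMPLE_LOG = """\
2004-09-14T09:00:05 alice 10.0.1.21 ok
2004-09-14T09:00:12 bob 10.0.1.22 ok
2004-09-14T09:01:40 president 10.0.1.5 ok
2004-09-14T09:02:01 alice 10.0.1.40 ok
2004-09-14T09:02:09 president 10.0.1.40 ok
2004-09-14T09:02:15 cfo 10.0.1.40 ok
2004-09-14T09:02:30 secretary 10.0.1.40 ok
2004-09-14T09:03:00 secretary 10.0.1.40 fail
2004-09-14T09:03:05 dave 10.0.1.40 ok
2004-09-14T10:30:00 carol 10.0.1.23 ok
"""

def parse_log(text):
    """Yield (timestamp, user, ip) for each successful login line."""
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        if result == "ok":
            yield datetime.fromisoformat(ts), user, ip

def find_mailbox_hopping(text, max_users=3, window=timedelta(minutes=10)):
    """Map each source IP that logged in as more than max_users distinct
    mailboxes inside one sliding window to the sorted list of those users.
    A legitimate workstation normally opens a single mailbox."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_log(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > max_users:
                alerts[ip] = sorted(set(alerts.get(ip, [])) | users)
    return alerts

def find_concurrent_readers(text, window=timedelta(minutes=5)):
    """Map each mailbox opened from two or more IPs within `window` to those
    IPs: the president's account polled from the insider's desk too."""
    by_user = defaultdict(list)
    for ts, user, ip in parse_log(text):
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            later = {ip2 for ts2, ip2 in events[i + 1:] if ts2 - ts <= window}
            if later - {ip}:
                alerts[user] = sorted(set(alerts.get(user, [])) | later | {ip})
    return alerts
```

Both rules only need the server's existing login log, so they can run even before the password practice itself is fixed.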

The source of the risks is clearly the administration’s old habits and refusal to change. Nevertheless, how can we change the mentality of administrators? Keep in mind that they are not IT security gurus and can lack security concern by interest or simply through a lack of knowledge in the domain. The best way is probably to educate them about the problem: show them to which threats the situation can lead.