Archive for the ‘crypto’ Category

Digg Digs In After Backlash

May 2, 2007

Digg has given in to a crippling volume of user demand (as in site crash) that the popular site stop removing content. Digg had intended to comply with a cease and desist letter from AACS asking the site’s operators to remove information related to a DVD encryption key. Then the floods started: Diggs against censorship, Diggs against DRM, Diggs for the key.

After crashing, Digg founder Kevin Rose blogged:

After seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company.

The question is, how does AACS seek to put the toothpaste back in the tube? Google has thousands of hits for said key.

Data Protection For Armageddon!

April 30, 2007

Have you ever wondered if your portable data storage could handle submersion up to 200 meters and survive crushing physical compression/destruction? Wonder no more. Try the Corsair Survivor. Available in 4GB ($60) and 8GB ($130) versions, 256-bit AES encryption app included.

Take PC Security Seriously

April 30, 2007

This post was entered yesterday but blogsavy was down (again).
This article repeats Webroot Software’s finding last year that nine out of ten computers are infected with some form of malware and Consumer Reports’ claim that individuals and businesses spent $2.6 billion in 2006 trying to block or remove spyware. It also points out:

Criminals now have more incentive to crack into computers and steal information than they did only a few years ago.

People are increasingly accessing information such as bank accounts and stock portfolios online and are using credit cards to make purchases from Internet retailers. During tax season, more than 20 million submit tax forms full of personal information from a home computer.

Most criminals attack Windows because it’s so pervasive. While the article says that “most tech experts consider operating systems like Apple’s OS X and Linux more secure than Windows,” neither is without vulnerability. Cross-platform threats can and do affect non-Windows systems, particularly from vulnerabilities in certain applications (Open Office, Java, Flash, QuickTime, etc.), over the Internet (phishing and other scams are OS-neutral), and gullible trust when using unencrypted wireless connections.

Infosecurity Europe 2007

April 25, 2007

A new survey by PGP Corporation finds that 9% of UK corporations have enterprise-wide data encryption policies, while 55% of respondents have some form of encryption strategy in their companies. The survey also found that just over half of respondents said that protecting their own brand — not protecting consumer privacy — is the most significant factor in their decision to use encryption.

Wifi Insecurity

April 22, 2007

The Chicago Tribune has an article about the insecurity of wireless browsing at hotspots. Five minutes running a sniffer led Humphrey Cheung, senior editor of TGDaily, to accurately predict that one coffeeshop patron was thinking of starting a business and a couple were about to get married.

As convenient as hotspots are, wireless is not a secure medium. There are steps that can be taken to minimize dangers (link is to a software sales page but it has legitimate advice in addition to sales pitches), but public wireless points should be avoided for critical communications and data transfers.

USB Data Leakage

April 21, 2007

Read an article yesterday which discusses some startling endpoint security survey results. Senforce Technologies conducted the survey, which is set for release on Monday. It found that 73% of respondents say their companies store critical data on removable devices including laptops, USB thumbdrives, and even iPods.

With nearly weekly reports of data loss and/or theft related to poor data security policies, one would think companies would be moving more quickly to limit data access and the way in which data are stored. Critical data, such as that containing customer data (e.g., SSNs, credit card numbers), should never be stored on laptops or USB devices.

The article notes how two companies solved the potential problem of employees copying data to USB removable media: one plugged their USB ports with epoxy and the other cut the connections to the ports.

Latest TJX Theft Developments

April 18, 2007

It now appears the TJX data theft was likely an inside job. I didn’t think that was very likely given the duration of the crimes.

This article notes that the theft of data stopped at the same time it was detected by company officials. This was about a month before the public were notified and a period during which the company and law enforcement were monitoring to catch the thief in action.

Here’s why I think it could still be an outside job. If the criminal or criminals were able to (1) secure TJX’s keys, (2) install code to steal data, and (3) remove the same code without detection, then it would also be very possible to capture communications data tipping off about the detection. While I don’t think it’s likely for all those cards to fall into place, I’d be even more deeply troubled if it were an inside job.

An undetected inside operation of that duration — now believed to be a year and a half — means TJX had lax in-house audit procedures and, most likely, no outside audits (or grossly incompetent ones). Regardless, the folks at TJX weren’t on the ball in protecting their customers.

IRS to Encrypt All Laptops

April 10, 2007

After a recent audit discovered unencrypted sensitive taxpayer data on 44% of tested IRS laptops and hundreds of missing laptops, the IRS now announces it will encrypt all of its laptops in the coming weeks.

“What the report showed, which was correct, was that we weren’t taking the proper steps to protect some laptops,” [IRS Commissioner Mark] Everson said. “We’ve worked to encrypt all of the laptops, and that’s just about done. We’ve got a couple dozen more we’ve got to finish up in the next few weeks.”

It would’ve been more reassuring if he’d said they were taking the proper steps to protect taxpayers’ private information, since encryption is only as strong as its weakest link. But it is the IRS after all.

Reporter Finds Free WiFi… Almost Citywide

April 8, 2007

Robert Warner of the Battle Creek Enquirer writes that he rode through Battle Creek, Michigan, testing out WiFi signals off home networks. His article is amusing — especially some of the network names (“one of Barbie’s pals,” AhBwambaZah, Bearcats, Canibalstew, Taylorville, Swahili, Martiantimespacenetwork, madben, quotabuster, narnia, ronbaby, and hello) — and unsettling because so many people are so careless. Warner found less than half the home wireless networks on one street alone had any form of encryption.

Canadian Net Neutrality

April 8, 2007

Michael Geist writes that Rogers’ policy of packet shaping is leading to reduced speed of e-mail transfer, among other issues. Rogers has admitted to the practice of reducing packet size for certain services, including P2P sharing via Bit Torrent. With the adoption of encryption by P2P services, apparently Rogers has extended their policy to other “basic” internet services like encrypted e-mail. Writes Geist:

…[T]here is now speculation at my own university that the packet shaping is making it very difficult for University of Ottawa users to use email applications from home. The University of Ottawa uses a persistent SSL encryption technology for the thousands of professors and students who access their email from off-campus. There is speculation that Rogers is mistakenly treating the email traffic as BitTorrent traffic, thereby creating noticeable slowdowns. Indeed, I have been advised that the University computer help desk has received a steady stream of complaints from Rogers customers about off-campus email service.

This issue isn’t merely one which affects power-users who take up tremendous bandwidth. ISPs are careful about not guaranteeing bandwidth rates to customers, but this is about them intentionally reducing it. Throttling down anyone’s connection rate for any reason is no different than being given a partial meal for full price at a restaurant. If your ISP systematically reduces your basic service quality, why can’t you concomitantly reduce the amount you owe them for the service?