General

The Quiet Earth

Friday, October 17. 2008

Policy-based routing on Linux Posted by Axel Eble in General at 23:18

Comments (0)
Trackbacks (0)
Geotagged: 48.02551, 7.85949

Policy-based routing on Linux

A customer system needed to be upgraded and for several reasons it was supposed to be moved from Windows server to Linux (more on that another time). The server was supposed to be moved from one IP range to another as we are moving from our old Provider Aggregatable (PA) IP addresses to our "new" Provider Indepedent (PI) addresses.

I set the system up and it was supposed to be a hard cutover on one day. It quickly turned out that this was not feasible (again, for several reasons, e.g. the amount of data to copy over was too big). So, finally, it was decided that the cutover was to be smooth: the majority of data was rsync'ed over from Windows in the days before the cutover date, then the rest on the cutover day. The SSL certificate was to be copied over on day X and the new server running Linux should take over the IP address of the old (Windows) server. As the system was now multihomed we needed to cope with asymmetric routing. First off, we thought it should be possible to hide all incoming traffic to the old IP addresses behind the internal IP address of the firewall - but it turned out our product does not allow for that.



The solution to this is policy-based routing: if the packet goes out on Interfacenew, a different routing decision needs to be taken than when it would go out Interfaceold. Fortunately, Linux does allow for this with the iproute2 package: you can have several routing tables glued together with a routing policy, i.e. a set of rules that controls the selection of the routing table. If a rule matches and a route is selected from a routing table the packet gets routed according to this route. If there is no matching route the rule traversal continues.

In our setup this means, that all packets from IPPI-Space should get routed to the PI-Space gateway whereas all packets from IPPA-Space should get routed to the PA-Space gateway. Currently, the default gateway is the PA-Space one, so we don't have to do much.

In Debian/Ubuntu syntax, the network is then setup through /etc/network/interfaces with a stanza like the following:


auto eth0

iface eth0 inet static

        address   A.B.C.D

        netmask  255.255.255.240

        network   A.B.C.128

        broadcast A.B.C.143

        dns-nameservers some.dns.serv.er

        gateway A.B.C.129


And for the Interface in the PI address space, the stanza looks like this:



auto eth1

iface eth1 inet static

        address   V.W.X.Y

        netmask  255.255.255.240

        network   V.W.X.128

        broadcast V.W.X.143

        dns-nameservers some.dns.serv.er

        post-up ip rule add from V.W.X.Y table PI-Space

        post-up ip route add default via V.W.X.129 table PI-Space


The two post-up lines are the magick in here: the first adds a rule to the routing policy that, for all traffic originating from the PI space interface, a lookup should be performed in routing table PI-Space. Then, we add a second default route to that very same routing table. Now, whenever a packet goes out Interface eth1, the kernel checks if there is a matching route in routing table PI-Space. As we have a default route, this will always match and the packet gets routed to the gateway in our PI space.
Obviously, all other traffic originates on eth0 so the "normal" routing table will be used, thus this traffic will go out via the gateway residing in the PA address space.

loose ends


Actually, the kernel does not check a routing table named "PI-Space". It will use a numerical identifier that is mapped in /etc/iproute2/rt_tables like this:



#

# reserved values

#

255     local

254     main

253     default

0       unspec

#

# local

#

#1      inr.ruhep

100     PI-Space
Bookmark Policy-based routing on Linux at del.icio.us Digg Policy-based routing on Linux Mixx Policy-based routing on Linux Bloglines Policy-based routing on Linux Technorati Policy-based routing on Linux Fark this: Policy-based routing on Linux Bookmark Policy-based routing on Linux at YahooMyWeb Bookmark Policy-based routing on Linux at Furl.net Bookmark Policy-based routing on Linux at reddit.com Bookmark Policy-based routing on Linux at blinklist.com Bookmark Policy-based routing on Linux at Spurl.net Bookmark Policy-based routing on Linux at NewsVine Bookmark Policy-based routing on Linux at Simpy.com Bookmark Policy-based routing on Linux at blogmarks Bookmark Policy-based routing on Linux with wists Bookmark Policy-based routing on Linux at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Thursday, November 23. 2006

The European Blackout on November 5, ... Posted by Axel Eble in General at 22:55

Comments (0)
Trackbacks (0)
Defined tags for this entry: , ,

The European Blackout on November 5, 2006

On November 5th, 2006, a power outage caught about 10 million people all over Southern and Western Europe unawares, half of them in France alone. The cause of the problem? Human error - and a cruise ship leaving its dockyard for the North Sea. From around 10pm CET to around 11pm Western Europe was black.

The following is a summary of the official report by e.on to the Bundesnetzagentur. Continue reading "The European Blackout on November 5, 2006"
Bookmark The European Blackout on November 5, 2006 at del.icio.us Digg The European Blackout on November 5, 2006 Mixx The European Blackout on November 5, 2006 Bloglines The European Blackout on November 5, 2006 Technorati The European Blackout on November 5, 2006 Fark this: The European Blackout on November 5, 2006 Bookmark The European Blackout on November 5, 2006 at YahooMyWeb Bookmark The European Blackout on November 5, 2006 at Furl.net Bookmark The European Blackout on November 5, 2006 at reddit.com Bookmark The European Blackout on November 5, 2006 at blinklist.com Bookmark The European Blackout on November 5, 2006 at Spurl.net Bookmark The European Blackout on November 5, 2006 at NewsVine Bookmark The European Blackout on November 5, 2006 at Simpy.com Bookmark The European Blackout on November 5, 2006 at blogmarks Bookmark The European Blackout on November 5, 2006 with wists Bookmark The European Blackout on November 5, 2006 at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, June 26. 2006

Requiescat In Pacem, WinFS Posted by Axel Eble in General at 15:13

Comments (0)
Trackbacks (0)

Requiescat In Pacem, WinFS

Today, Heise Newsticker (German only) mentioned that Microsoft finally killed WinFS for good. Of course, they are going to call it differently (like: "[...] WinFS has always been about many things – a new model to enrich how users manage information, rich storage technology, and sometimes also a packaging of technology.[...]" according to Quentin Clark from the WinFS team). But, let's face it: there won't ever be a separate piece of software to install that will enable us to use advanced features and fast search procedures.

Why? Difficult question. Personally, I guess that they got overwhelmed by the complexity and the tight integration philosophy that is so deeply ingrained into Microsoft products. Trying to fit too much into it until they realized that pulling the plug is the only valid solution.

What does it mean? Well, it's a big deal for Vista (or, rather, a huge blow to Vista) as the only really useful advanced feature for Vista won't ever be available. Obviously, Microsoft miscalculated something quite important. While I won't go so far as calling it a Doomsday scenario for Microsoft, as an analyst I would be wary and start investing in other companies.

And the security linkage? Well, if you really want to have one - think for a bit about what something like this could mean to the security initiative and the overall state of Microsoft software. Will they ever be able to handle their boatloads of highly complex software? I doubt it, but then, I'm a heretic and a sceptic anyway.
Bookmark Requiescat In Pacem, WinFS at del.icio.us Digg Requiescat In Pacem, WinFS Mixx Requiescat In Pacem, WinFS Bloglines Requiescat In Pacem, WinFS Technorati Requiescat In Pacem, WinFS Fark this: Requiescat In Pacem, WinFS Bookmark Requiescat In Pacem, WinFS at YahooMyWeb Bookmark Requiescat In Pacem, WinFS at Furl.net Bookmark Requiescat In Pacem, WinFS at reddit.com Bookmark Requiescat In Pacem, WinFS at blinklist.com Bookmark Requiescat In Pacem, WinFS at Spurl.net Bookmark Requiescat In Pacem, WinFS at NewsVine Bookmark Requiescat In Pacem, WinFS at Simpy.com Bookmark Requiescat In Pacem, WinFS at blogmarks Bookmark Requiescat In Pacem, WinFS with wists Bookmark Requiescat In Pacem, WinFS at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, June 26. 2006

Identity: Information, Theft, Cards ... Posted by Axel Eble in General at 13:12

Comments (0)
Trackbacks (0)

Identity: Information, Theft, Cards - Culture!

With the continuing theft of personal identifying information (PII) in the US the old question pops up all over: why is what Americans understand as "identity theft" not a problem in Europe? I think three main factors need to be taken into account here:


  1. European data privacy and data protection legislation forces companies to only collect as much data as they really need to process. That limits the amount of data that can be stolen (or, rather, illegally disclosed) in the first place. Besides, it is highly unusual for contractors to have private, production data on their personal systems.


  2. No "Easy Credit" culture like in the US. From what I've been told by quite a few US citizens by now, the US have a culture of buying things on credit - and thus rely on receiving credit fast and without hassle. In Europe, people tend to inquire for credit only for large sums and usually only for buying a car, a house, an apartment - or other larger investments.

  3. Europe (with the exception of the UK) has government-issued identity cards that uniquely identify the persion. There simply is no need for a social security number that can be shared easily without accompanying documents (and pictures. And whatnot).



These issues in combination make illicit information access much riskier in Europe than it is in the US. Oh, and it shows that identity documents don't have to be such a bad concept as many US and UK citizens make them out to be.

Over at the Identity Corner, Stefan Brands has an interesting series of articles about the UK identity cards:

  1. Final UK study on digital identity (Part I)

  2. Final UK study on digital identity (Part II)

  3. Final UK study on digital identity (Part III)

  4. Final UK study on digital identity (Part IV)



Bookmark Identity: Information, Theft, Cards - Culture! at del.icio.us Digg Identity: Information, Theft, Cards - Culture! Mixx Identity: Information, Theft, Cards - Culture! Bloglines Identity: Information, Theft, Cards - Culture! Technorati Identity: Information, Theft, Cards - Culture! Fark this: Identity: Information, Theft, Cards - Culture! Bookmark Identity: Information, Theft, Cards - Culture! at YahooMyWeb Bookmark Identity: Information, Theft, Cards - Culture! at Furl.net Bookmark Identity: Information, Theft, Cards - Culture! at reddit.com Bookmark Identity: Information, Theft, Cards - Culture! at blinklist.com Bookmark Identity: Information, Theft, Cards - Culture! at Spurl.net Bookmark Identity: Information, Theft, Cards - Culture! at NewsVine Bookmark Identity: Information, Theft, Cards - Culture! at Simpy.com Bookmark Identity: Information, Theft, Cards - Culture! at blogmarks Bookmark Identity: Information, Theft, Cards - Culture! with wists Bookmark Identity: Information, Theft, Cards - Culture! at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, June 12. 2006

WTF - Apple's OS X is NOT As Secure ... Posted by Axel Eble in General, Meta at 14:18

Comments (0)
Trackbacks (0)

WTF - Apple's OS X is NOT As Secure As a Fortress?!

Oh holy Guacamole! OS X has lots of heap and buffer overflows! Quick, buy Vista and all will be well again! Oh, right. Vista isn't out yet. You've just switched to Apple because of all the exploits and dangers of running XP or some *gasp* older version of Windows. And now you're still insecure?!

Why, yes, of course. There is no such thing as a free lunch 100% security. Every reasonably complex piece or suite of software will. be. buggy - to some extent at least. Granted, there's lots of talk out there about how secure OS X is - and, actually, it still is. It's just not invincible, as it's cracked up to be. But, when Apple says it's products are the best, why would you believe them when you don't believe Microsoft? All vendors are alike in that regard.

And let's not forget that OS X is a revamped version of NeXTSTEP, the OS of the famous NeXT computer. That one was said to be riddled with local exploits, so don't expect OS X to be much better. As OS X is gaining market share, it will become more and more the target of choice for malware programmers.

What is different, though, is the use of administrative accounts (like on Windows where accounts by default are administrator accounts). On OS X, the only administrator account, root, is disabled, and to run administrative tasks one has to enter the password (this is a better-working equivalent to the runas command in Windows).

Moral of this? If someone tells you they are offering perfect security, chances are they are lying and only want your money. Be careful, always - it's a dangerous world out there.
Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at del.icio.us Digg WTF - Apple's OS X is NOT As Secure As a Fortress?! Mixx WTF - Apple's OS X is NOT As Secure As a Fortress?! Bloglines WTF - Apple's OS X is NOT As Secure As a Fortress?! Technorati WTF - Apple's OS X is NOT As Secure As a Fortress?! Fark this: WTF - Apple's OS X is NOT As Secure As a Fortress?! Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at YahooMyWeb Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at Furl.net Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at reddit.com Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at blinklist.com Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at Spurl.net Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at NewsVine Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at Simpy.com Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at blogmarks Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! with wists Bookmark WTF - Apple's OS X is NOT As Secure As a Fortress?! at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, June 12. 2006

ESAG vanished Posted by Axel Eble in General at 13:36

Comments (2)
Trackbacks (0)

ESAG vanished

I've written twice before about the European Security Advisory Group. I thought I'd check up on them again - only to find they have gone as quietly as they appeared. telepolis guesses (I believe correctly) that it was just a smokescreen for the US DoD propaganda group called Office of Strategic Influence.

Good riddance - another open book closed.
Bookmark ESAG vanished at del.icio.us Digg ESAG vanished Mixx ESAG vanished Bloglines ESAG vanished Technorati ESAG vanished Fark this: ESAG vanished Bookmark ESAG vanished at YahooMyWeb Bookmark ESAG vanished at Furl.net Bookmark ESAG vanished at reddit.com Bookmark ESAG vanished at blinklist.com Bookmark ESAG vanished at Spurl.net Bookmark ESAG vanished at NewsVine Bookmark ESAG vanished at Simpy.com Bookmark ESAG vanished at blogmarks Bookmark ESAG vanished with wists Bookmark ESAG vanished at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Friday, February 3. 2006

"Nah, we don't need no ... Posted by Axel Eble in General at 09:47

Comments (0)
Trackbacks (0)

"Nah, we don't need no steenkin' study!"

As could be expected the European Commission "sees no need" for a study about the effects of the advance collection of data they have decided to enforce. Heise covers this yesterday (German only).
Bookmark "Nah, we don't need no steenkin' study!" at del.icio.us Digg "Nah, we don't need no steenkin' study!" Mixx "Nah, we don't need no steenkin' study!" Bloglines "Nah, we don't need no steenkin' study!" Technorati "Nah, we don't need no steenkin' study!" Fark this: "Nah, we don't need no steenkin' study!" Bookmark "Nah, we don't need no steenkin' study!" at YahooMyWeb Bookmark "Nah, we don't need no steenkin' study!" at Furl.net Bookmark "Nah, we don't need no steenkin' study!" at reddit.com Bookmark "Nah, we don't need no steenkin' study!" at blinklist.com Bookmark "Nah, we don't need no steenkin' study!" at Spurl.net Bookmark "Nah, we don't need no steenkin' study!" at NewsVine Bookmark "Nah, we don't need no steenkin' study!" at Simpy.com Bookmark "Nah, we don't need no steenkin' study!" at blogmarks Bookmark "Nah, we don't need no steenkin' study!" with wists Bookmark "Nah, we don't need no steenkin' study!" at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Friday, February 3. 2006

RFID Based Passports With BAC Vulnerable Posted by Axel Eble in General, Technology at 09:41

Comments (0)
Trackbacks (0)

RFID Based Passports With BAC Vulnerable

In a current news item Heise reports that the Dutch security company Riscure found a way to brute-force attack the encryption of the Dutch ePassports. Let's recap: the ICAO has issued a set of guidelines on "Machine Readable Travel Documents" that basically states that passports and other travel documents should use an RFID chip that can be used to read the individual's data contactless. Apparently the field strength is strong enough to be read from several meters distance. However, the transmission is encrypted by "Basic Access Control" (BAC) where the key is comprised of the serial number of the document itself, it's issue date and it's invalidation date. This gives about 56 bit of key length (which is not really that much and it's questionable if it will be safe to use on a mid-term timeframe. Now, the issuer of the Dutch ePassports uses sequential serial numbers and the number of documents issued is basically constant per time unit. This gives a linear connection between the issue date and the passport serial number, thus effectively reducing key length to about 35 bit - which is easily breakable in a few hours without special hardware equipment.
This attack vector is valid for every document that uses BAC and uses predictable serial numbers for the documents!
What hasn't been stated so far is the fact that once the key is known the RFID chip could theoretically be read everywhere. Consider a country that's gone off the deep end with hysterics about terrrorism and thus has installed RFID scanners throughout what they consider critical points. Now they only need those scanners hooked up to a central database where all keys to all passports ever seen entering has been stored and they can easily find out where a person goes (given they take their passport with them).
Bookmark RFID Based Passports With BAC Vulnerable at del.icio.us Digg RFID Based Passports With BAC Vulnerable Mixx RFID Based Passports With BAC Vulnerable Bloglines RFID Based Passports With BAC Vulnerable Technorati RFID Based Passports With BAC Vulnerable Fark this: RFID Based Passports With BAC Vulnerable Bookmark RFID Based Passports With BAC Vulnerable at YahooMyWeb Bookmark RFID Based Passports With BAC Vulnerable at Furl.net Bookmark RFID Based Passports With BAC Vulnerable at reddit.com Bookmark RFID Based Passports With BAC Vulnerable at blinklist.com Bookmark RFID Based Passports With BAC Vulnerable at Spurl.net Bookmark RFID Based Passports With BAC Vulnerable at NewsVine Bookmark RFID Based Passports With BAC Vulnerable at Simpy.com Bookmark RFID Based Passports With BAC Vulnerable at blogmarks Bookmark RFID Based Passports With BAC Vulnerable with wists Bookmark RFID Based Passports With BAC Vulnerable at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, November 28. 2005

What type of RPG player are you? Posted by Axel Eble in General at 21:53

Comments (2)
Trackbacks (0)

What type of RPG player are you?

You scored as Method Actor. You think that gaming is a form of creative expression. You may view rules as, at best, a necessary evil, preferring sessions where the dice never come out of the bag. You enjoy situations that test or deepen your character's personality traits.

Method Actor

92%

Storyteller

83%

Tactician

67%

Power Gamer

50%

Specialist

42%

Casual Gamer

17%

Butt-Kicker

8%

Law's Game Style
created with QuizFarm.com

via kris
Bookmark What type of RPG player are you? at del.icio.us Digg What type of RPG player are you? Mixx What type of RPG player are you? Bloglines What type of RPG player are you? Technorati What type of RPG player are you? Fark this: What type of RPG player are you? Bookmark What type of RPG player are you? at YahooMyWeb Bookmark What type of RPG player are you? at Furl.net Bookmark What type of RPG player are you? at reddit.com Bookmark What type of RPG player are you? at blinklist.com Bookmark What type of RPG player are you? at Spurl.net Bookmark What type of RPG player are you? at NewsVine Bookmark What type of RPG player are you? at Simpy.com Bookmark What type of RPG player are you? at blogmarks Bookmark What type of RPG player are you? with wists Bookmark What type of RPG player are you? at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Wednesday, November 23. 2005

Airline Passenger Data Transmission ... Posted by Axel Eble in General, Meta at 10:28

Comment (1)
Trackbacks (0)

Airline Passenger Data Transmission To US May End

In 2003 the US ordered airlines to transmit flight passenger data for all flights ending in, stopping over in or just crossing US American territory. It was made clear that all data was to be stored in raw form and would be subject to further analysis, leading to profiling of passengers, all, of course, in the name of fighting terrorism. It is completely unclear what sort of profiling will be done and what else the US government will be doing with the data (e. g. handing it over to some commercial data brokers like gasp ChoicePoint for analysis). The Washington Post has a good summary as well.

The EU Commission and the EU Council caved in instead of taking a strong position against this practice and declared the US data handling processes as equivalent to European processes and, in general, good enough. This led to a huge outcry from the EU Parliament and several Civil Rights organizations (like the European Digital Rights Initiative) but both the Commission and the Council wouldn't budge.

Now, however, things start to look a bit brighter: the Advocate General at the Court of Justice at the European Communities recommends to annul the Council decision about the agreement. The Court will have to rule about a law suit by the Parliament against the Commission and the Council decisions. The recommendation of the General Attorney are not binding but in most cases the Court will follow advisory opinions.

References:
Heise Newsticker (German)
Washington Post
Bookmark Airline Passenger Data Transmission To US May End at del.icio.us Digg Airline Passenger Data Transmission To US May End Mixx Airline Passenger Data Transmission To US May End Bloglines Airline Passenger Data Transmission To US May End Technorati Airline Passenger Data Transmission To US May End Fark this: Airline Passenger Data Transmission To US May End Bookmark Airline Passenger Data Transmission To US May End at YahooMyWeb Bookmark Airline Passenger Data Transmission To US May End at Furl.net Bookmark Airline Passenger Data Transmission To US May End at reddit.com Bookmark Airline Passenger Data Transmission To US May End at blinklist.com Bookmark Airline Passenger Data Transmission To US May End at Spurl.net Bookmark Airline Passenger Data Transmission To US May End at NewsVine Bookmark Airline Passenger Data Transmission To US May End at Simpy.com Bookmark Airline Passenger Data Transmission To US May End at blogmarks Bookmark Airline Passenger Data Transmission To US May End with wists Bookmark Airline Passenger Data Transmission To US May End at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Wednesday, November 23. 2005

The City of Dis Posted by Axel Eble in General at 07:08

Comments (0)
Trackbacks (0)

The City of Dis

Well, what do you know? I've landed in Dis after taking the Dante's Inferno test:

The Dante's Inferno Test has banished you to the Sixth Level of Hell - The City of Dis!
Here is how you matched up against all the levels:
LevelScore
Purgatory (Repenting Believers)Very Low
Level 1 - Limbo (Virtuous Non-Believers)Very Low
Level 2 (Lustful)Very High
Level 3 (Gluttonous)High
Level 4 (Prodigal and Avaricious)High
Level 5 (Wrathful and Gloomy)High
Level 6 - The City of Dis (Heretics)Extreme
Level 7 (Violent)Moderate
Level 8- the Malebolge (Fraudulent, Malicious, Panderers)Very High
Level 9 - Cocytus (Treacherous)High

Take the Dante Inferno Hell Test

Thanks to Adam.
Bookmark The City of Dis at del.icio.us Digg The City of Dis Mixx The City of Dis Bloglines The City of Dis Technorati The City of Dis Fark this: The City of Dis Bookmark The City of Dis at YahooMyWeb Bookmark The City of Dis at Furl.net Bookmark The City of Dis at reddit.com Bookmark The City of Dis at blinklist.com Bookmark The City of Dis at Spurl.net Bookmark The City of Dis at NewsVine Bookmark The City of Dis at Simpy.com Bookmark The City of Dis at blogmarks Bookmark The City of Dis with wists Bookmark The City of Dis at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Thursday, November 17. 2005

Security Convergence Posted by Axel Eble in General, ISSA, Meta, Organizations at 20:30

Comments (2)
Trackbacks (0)

Security Convergence

"Security Convergence" is the subject of The Alliance between ISACA, ISSA and ASIS. Seeing what the focus of all the three groups is it really does make sense: ISACAs main operational field is Governance, especially IT governance; ISSA is "the global voice of information security" and ASIS is primarily concerned with physical security.
It's pretty clear that those three fields do converge more and more, so The Alliance is an important step in the right direction. It will help to open the eyes of security professionals worldwide to the other fields. It will, thus, help to raise a more business oriented security program in enterprises. We shouldn't expect too much in too little time, however: I don't believe that many companies understand at the moment that security is something that needs to be considered in a (I hate to use the term, but it does fit so nicely) wholistic way.
So, at the Network Security Conference/Security Management Conference of ISACA in Amsterdam last Monday the panel discussion was just about this: "Security Convergence". I was invited to represent ISSA at the panel. It was rather interesting to see the different points of view on the panel - and in the audience. Another member of the panel, Carl Thorp, stayed on for the day (I had to get back unfortunately) and reported that there were quite a few interesting discussions about the convergence thing. However, it seems to be of prime import to define what "Convergence" really means.
It will be interesting to see the discussions around the term in the near future.
Bookmark Security Convergence at del.icio.us Digg Security Convergence Mixx Security Convergence Bloglines Security Convergence Technorati Security Convergence Fark this: Security Convergence Bookmark Security Convergence at YahooMyWeb Bookmark Security Convergence at Furl.net Bookmark Security Convergence at reddit.com Bookmark Security Convergence at blinklist.com Bookmark Security Convergence at Spurl.net Bookmark Security Convergence at NewsVine Bookmark Security Convergence at Simpy.com Bookmark Security Convergence at blogmarks Bookmark Security Convergence with wists Bookmark Security Convergence at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Monday, November 14. 2005

First time to the Netherlands Posted by Axel Eble in General, ISSA, Organizations at 07:44

Comments (0)
Trackbacks (0)

First time to the Netherlands

I've been invited to represent ISSA at a panel discussion at the ISACA Network Security/Security Management Conference in Amsterdam. It's my first time to the Netherlands and, unfortunately, I won't have any time to do some sightseeing.
The panel discussion is about The Alliance between ISACA, ISSA and ASIS about the convergence of physical security and information security. The folks are great and I wish I had more time to spend here.
Bookmark First time to the Netherlands at del.icio.us Digg First time to the Netherlands Mixx First time to the Netherlands Bloglines First time to the Netherlands Technorati First time to the Netherlands Fark this: First time to the Netherlands Bookmark First time to the Netherlands at YahooMyWeb Bookmark First time to the Netherlands at Furl.net Bookmark First time to the Netherlands at reddit.com Bookmark First time to the Netherlands at blinklist.com Bookmark First time to the Netherlands at Spurl.net Bookmark First time to the Netherlands at NewsVine Bookmark First time to the Netherlands at Simpy.com Bookmark First time to the Netherlands at blogmarks Bookmark First time to the Netherlands with wists Bookmark First time to the Netherlands at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Thursday, November 3. 2005

The Dangers of Inference Posted by Axel Eble in General, Meta, Off-Topic at 01:47

Comments (0)
Trackbacks (0)

The Dangers of Inference

Here I am, taking a strong stance about government agencies that collect data and use inference to think about what it might possibly mean. There's no lack of wrong inferring to be done that way, starting from false assumptions about coherence of incoherent data or by simply interpreting too much into too little data.

And suddenly I find myself here, doing exactly the same: thinking F-Secure jumped on the bandwagon of Mark Russinovich's posting at sysinternals for their excellent work of analyzing the Sony DRM Rootkit. Independently, I should say, because that is what they did. They did not, however, manage to make it clear how they got wind of the thing (which they did earlier than Russinovich and were in contact with Sony to discuss the issue). After Mark published his findings, F-Secure thought it was now time to publish theirs, too.

Can't blame them, really. I blame myself, however, for jumping to unjustified conclusions. Ah well, as I said: inference is bad.
Bookmark The Dangers of Inference at del.icio.us Digg The Dangers of Inference Mixx The Dangers of Inference Bloglines The Dangers of Inference Technorati The Dangers of Inference Fark this: The Dangers of Inference Bookmark The Dangers of Inference at YahooMyWeb Bookmark The Dangers of Inference at Furl.net Bookmark The Dangers of Inference at reddit.com Bookmark The Dangers of Inference at blinklist.com Bookmark The Dangers of Inference at Spurl.net Bookmark The Dangers of Inference at NewsVine Bookmark The Dangers of Inference at Simpy.com Bookmark The Dangers of Inference at blogmarks Bookmark The Dangers of Inference with wists Bookmark The Dangers of Inference at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!

Tuesday, November 1. 2005

Ch-ch-ch-changes Posted by Axel Eble in General, Meta, Technology at 00:03

Comments (5)
Trackbacks (0)

Ch-ch-ch-changes

Jon Toigo is annoyed at the lack of progress the information security field has made since the Medieval. I feel his pain, too. But what are the alternatives? Or rather, why are we still using the same concepts? Are we just too stupid to come up with something new or are the concepts just so basic and so sound that there is no better way? Let's take a look at the items Jon mentions.

  1. Access Control: moats and stockades then, firewalls now. Access control is still one of the soundest principles of information security. Control who may access information when and how and you have removed several vulnerabilities and reduced your risk dramatically. However, the technologies being used for access control change considerably over time. Up until the 1980s to 1990s access control meant control of physical access. Computers were large and heavy and access to them could be controlled pretty strictly and fairly easily. Enter The Network - and things shift completely. Or, to be fair, they get expanded. Physical access control is by then pretty much a commodity: people just do it anyway. What's new is that access to the computers is not only available by physical access but by network access as well. While the Light Side had control for an enjoyable while it was only a matter of time until the Dark Side jumped on the bandwagon and started to use the Net for their sinister purposes. So well, Marcus Ranum writes the DEC SEAL and it starts to get a success quite fast: companies hire firewall administrators to take care of these arcane beasts that are tough to tame (alliteration not intended but gladly taken). Fast forward to today: every simple DSL router for home use has a NAT firewall included; the network guys do the firewalls on the side and up come web services with the nice side effect of tunneling "stuff" across HTTP (yes, and other protocols, but HTTP really is ubiquitous by now and a nice example of the ever changing technologies, thank you). So now we have web application firewalls which really are nothing else than application layer proxies. And so it goes, goes round again. (Kudos to Joe Jackson)

  2. Signet Rings and Trusted Certificates - now there you've hit a sore spot, Jon. I don't trust the PKI model with a commercial head - much less even if said head is Verisign. The last piece in the puzzle was their Sitefinder "service" which accidentally broke half the Internet. But really, why do we trust signatures, signets or certificates at all? Chances are, the signature is illegibile anyway so a cursory glance of similarity is all we get. Same with certificates (without even the added benefit of Verisign). No solution there, I'm afraid.

  3. Edicts and Policies - good point, Jon. However, I consider them to lay out the rules by which we play. We agree upon a set of rules to be able to note deviant behaviour and sanction it. Thus, policies and edits are rather useful tools as they prepare the ground for legal skirmishes or, in some cases, provide the opportunity to find out unwanted behaviour in the first place. I wouldn't want to live without them.

  4. Codes and Encryption are powerful tools, too. Unfortunately, many people tend to forget that encryption is a temporary safeguard at best. Even if the encryption algorithm has no known weaknesses it still will fall given enough time. There's the rise in computing power and the change to other technologies (can you say Quantum Encryption? I knew you could!). As long as people recognize this, they are quite secure. All they have to do is select an algorithm that will possibly keep the information secure as long as it has to be classified.



Interestingly enough, the bad guys don't seem to have learned either how to circumvent the safeguards we set up. Either they are as caught in our ways of thinking or there simply Is No Better Way at the moment.

What do you think?

All of this, however, has nothing to do with vendors coming up with new products all along instead of listening to what the customers want - just like in the storage market. Thanks for the eye-opener, Jon!
Bookmark Ch-ch-ch-changes at del.icio.us Digg Ch-ch-ch-changes Mixx Ch-ch-ch-changes Bloglines Ch-ch-ch-changes Technorati Ch-ch-ch-changes Fark this: Ch-ch-ch-changes Bookmark Ch-ch-ch-changes at YahooMyWeb Bookmark Ch-ch-ch-changes at Furl.net Bookmark Ch-ch-ch-changes at reddit.com Bookmark Ch-ch-ch-changes at blinklist.com Bookmark Ch-ch-ch-changes at Spurl.net Bookmark Ch-ch-ch-changes at NewsVine Bookmark Ch-ch-ch-changes at Simpy.com Bookmark Ch-ch-ch-changes at blogmarks Bookmark Ch-ch-ch-changes with wists Bookmark Ch-ch-ch-changes at Ma.gnolia.com wong it! Bookmark using any bookmark manager! Stumble It!
« previous page   (Page 1 of 6, totaling 76 entries)   next page »
Frontpage
View as PDF: Category General | This month | Full blog

Calendar

Back September '10
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30      

Quicksearch

Statische Seiten

Blog Administration

Open login screen

Archives

Kategorien



All categories

links



Getaggte Artikel

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Top Exits

Blog abonnieren

Map

flickr photostream

Wohnzimmer OG
14.12.07 20:26
Wohnzimmer OG
14.12.07 20:26
Wohnzimmer OG
14.12.07 20:25
Wohnzimmer OG
14.12.07 20:25
Bad OG
14.12.07 20:25
Flur OG
14.12.07 20:24

Powered by