RAID on Snow Leopard

August 8th 2010

I had avoided upgrading to Snow Leopard for several months, and finally completed the upgrade a few weeks ago. It went mostly without trouble, though there were a few minor things that needed to be fixed.

However, I was greeted with “new and improved!” RAID support which, as usual, provides only the most terse of directions. I rely on mirrored RAID to construct off-site backups. When I went to apply my procedure to Snow Leopard, I had to figure out the difference between “Delete” and “Demote” in order to get my backups rebuilt.

Posted under Household Tech & Security

CPU-based Security Improvements Adopted Slowly

July 7th 2010

‘Way, ‘way back in the 1960s, computer designers tried out different techniques to limit how a computer executed its programs. Some should be pretty well known, like storage protection and the distinction between “kernel mode” for the operating system and “user mode” for applications. Another was data execution prevention (aka “DEP”), where the computer distinguishes between RAM that stores instructions and RAM that stores data. If the program tries to jump into instructions stored in data RAM, the CPU aborts the program.

Fast forward to 2010. Most microprocessors were supporting DEP in the mid-1990s; a few supported it before that. OS support came more slowly. Windows has been using one form or another of this since 2004 in XP Service Pack 2. However, it doesn’t matter for most major applications, because they didn’t fix their code to take advantage of it. So, if they suffer a buffer overflow, there’s nothing to prevent the computer from trundling off to la-la land.

Posted under History of Technology & Security

Security Versus Compliance: Old Guard Versus Digital Natives?

April 6th 2010

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs – you can’t do much retail work unless you take credit cards – so it’s hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don’t make a special effort to protect company-specific assets.

Kaspersky Labs posted a reasonable summary of the report.

Slashdot’s title writers dramatically misread the report, summarizing it under the title “Compliance is Wasted Money.” I tend to think of Slashdot as being edgy in a digital native sort of way, so I’m surprised they spun it that way.

I think the report reflects two things. First, companies don’t want to spend money to assess their losses from leaked company data, unless they’re already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don’t want to collect such information: bad news makes management look bad, and there’s no countervailing data to show a measurable benefit to being a more open company.

Posted under Security

Not the Droid

March 12th 2010

I recently migrated from my venerable Palm Treo 700 to a Blackberry Storm II. In between I had a brief fling with a Droid, but jettisoned it after about a day. There were two problems. First, it’s too much like having a laptop instead of a phone, IMHO. Second, I don’t like the security model.

When we talk about the “Droid security model” we’re really talking about the Android operating system and not about any particular phone. The exact phone I had isn’t as important as the mechanisms that are undoubtedly common to all Droids.

The basic problem is that it’s too vulnerable to malware like viruses, worms, or Trojan horses. This is a feature of its openness, but not a feature I personally crave on my cell phone. My phone serves a little as an electronic wallet, and I don’t want malware in there, even if it limits my choice of apps.

Posted under Household Tech & Security