Cryptosmith

A SANS Handler Notebook entry by Toby Kohlenberg reports on data leakage in cloud computing, and links to a terrific paper from some UCSD/MIT people: Ristenpart, Tromer, Shacham, and Savage.

If we set the wayback machine to the early 1970s, we find a paper by Butler Lampson about something called the confinement problem. It’s the same thing. Ristenpart et al pick up some of the threads (like noninterference) though their paper doesn’t point all the way back to Lampson.

This is a hard problem to solve. The only defense right now is if attackers lack the motivation to exploit it.

Continue Reading »

Posted under History of Technology & Security | No Comments »

Marc Ambinder of the Atlantic recently blogged about alternative Blackberries that President Obama may carry. Some people might wonder why this is such a big deal. Ambinder notes that “Government Blackberries” can handle classified information “up to Secret” but that you need a Sectera Edge from General Dynamics to do anything (voice only) at Top Secret.

Words of the President are obviously valuable, whether voice or text. Even if we ignore spies, think about the interest they carry for news reporters, government contractors, political operatives, and other presumed patriots. So, to start with, we have to ensure that the President’s words are only released when he decides to do so.

The government has established several strategies for protecting information assets. While we don’t necessarily know what they’re doing in the White House, we can make some educated guesses. The problems, and solutions, revolve around multilevel security, also called MLS. Continue Reading »

Posted under Security | No Comments »

I have moved some material about multilevel security (MLS) and ‘cross domain systems’ (CDS) onto this web site from my old Cryptosmith site. I’ve also included some brief comments on CDS. There is also a link to my MLS Introduction, which I will be updating and migrating to this site over the next few months.

I’m not collecting comments on static pages if I can help it, so if you have the need to comment on my MLS or CDS materials, post the comment here.

Posted under Security | No Comments »

Over the years, Fred Cohen has probably written more about information security on a broader range of subjects than any 3 other experts. He’s posted a lot of it on his “all.net” web site, which he’s had since about the dawn of the World Wide Web. What the site lacks in pizazz it makes up for in content.

The only problem is that he doesn’t put much attention into navigation. It takes patience to poke around and find what you want. I know he’s had some classic papers on his virus work on-line, but I couldn’t find them easily. That led me to create the following collection of links.

• Fred’s home page
  • He’s been offering consulting services almost forever. One hardly hears from him any more, so I assume he’s too busy consulting to waste time with papers and conference talks.
• Introduction to viruses from the 80s
  • This is a version of paper he presented 2 or 3 times in the late 1980s. It’s sort of a subset of material appearing in his book  A Short Course on Computer Viruses.
• Encyclopedia entry on viruses from 1990
  • Actually, this is an important citation. It’s the only place I’ve seen him specifically refer to the ‘covert channel’ experiments he performed with viruses on multilevel systems. Ross Anderson refers to this work in his impressive Security Engineering book, but doesn’t cite this.
  • Cohen, Fred (1990). “Computer Viruses” in Computer Security Encyclopedia.
  • Unfortunately I haven’t been able to track down the original published source, “Computer Security Encyclopedia” (1990). It is so thoroughly out of print that not even Amazon lists it, and it doesn’t even show up on ABE Books.
• Peter Gutmann’s paper on hard drive wiping – a mirror
• Textbook outline for Intro information security
• Page of Technical Safeguards

Posted under History of Technology & Security & Tech Teaching | No Comments »