I just bought a Dell laptop. I generally buy from vendors I know, and St. Thomas has been buying Dell systems for the past several years. I might have bought an Apple, but their lowest base price was $1,000. I knew I could do a little better. In any case, I wanted to run both Windows and Linux. Running OS-X would have been a plus (I'm addicted to Aperture) but not worth the extra dollars.
The hardware seems solid - an XPS 1330 - and it's comfortably compact. It has thumbprint authentication that seems tolerably robust. The major size limiters, the RAM and hard drive, are easy to replace. So is the 802.11g network card. It came with "Windows Home Premium." I'm astonished at the amount of Dell-branded software you have to trim back. And I'm appalled that the default search engine, "Live.com," directs you away from OpenOffice.org when you go looking for it.
Recently I was skimming through the NSA's "classified history of COMSEC" (posted at governmentattic.com). This "history" is a transcription of lectures by David G. Boak, who liked to explain NSA-related topics from a historical perspective. He clearly inspired a generation of NSA's employees. The last "real" page of the document contains a humorous story and a crypto puzzle (link to pdf).
The NSA had an incinerator in their old Arlington Hall facility that was designed to reduce top secret crypto materials and such to ash. Someone discovered that it wasn't in fact working. Contract disposal trucks had been disposing of this not-quite-sanitized rubish, and officers tracked down a huge pile in a field in Ft. Meyer.
How did they dispose of it? The answer is encrypted in the story's text!
I'm always amazed at how long a piece of apparently obsolete equipment can remain in service, especially in government service. Bruce Schneier's blog listed a link to NSA's 1991 video catalog at governmentattic.org. The catalog grants us an interesting if spotty view into the world of crypto gear and classified data collection systems.
I was particularly astonished to see inclusion of a video about the Pluribus - a long-obsolete Arpanet-era packet switch. I worked on the beast: it was overbuilt and underpowered. And unreliable (more on that another time). In the ideal world of tech, such obsolete junk should have been recycled by 1991. I was optimistic.
Ivan Lucas of "Lockdown.co.uk" has posted an interesting summary of Password Recovery Speeds. These are scaled on the assumption that the attacker will do trial-and-error attempts of all possible permutations.
The election may have been last year, but the race for Minnesota's US Senate seat drags on. Back in January, Minneapolis techie and consultant Adria Richards went to visit the web site belonging to former Sen. Norm Coleman's campaign - he's shy about 200 votes and hanging on through court challenges.
What Richards found was a mess. Especially bad: the site did not prevent browsers from listing site directories - a huge security snafu. Richards navigated through the directories and found one with the intriguing title "db" - suggesting database. Sure enough, the directory contained a database that apparently lists Coleman's political donors.
Richards documented her visit via photos and screen captures and has posted a tour of Coleman's web site on her blog.
Bruce Schneier's blog commented recently on Teaching Risk Analysis in School. He linked to a London Times article on teaching risk. Actually, the article was more about teaching probability and statistics as a way to understand risk, which isn't exactly the same thing as what we call risk analysis these days. In practice, risk analysis is a qualitative process in which we apply numerical estimates to risk factors. If you look at even the most applied statistics work, you find very little that's truly qualitative, except perhaps in the choice of survey questions, if you're doing a survey.
I've been trying to teach risk analysis to undergraduates. It is a very tricky topic. Some risk elements fit into a formal mathematical model, but others don't. Instead of ejecting the misfitting elements from the model, typical risk analyses incorporate estimates that try to match the structure and behavior of the formal elements. While it's important in some fields (like security) to understand and apply this technique, there's no way to prove the correctness of this type of model. It is, ultimately, an opinion.
I've been trying to get these two to play nicely together for a while, and it looks as if Will Norris may have finally slain this here dragon. Will is the principal author of the Wordpress OpenID plugin.
In an ideal world, people never, ever disclose passwords on unprotected Internet connections. In general this means the server has to provide SSL support. However, you can sort of sidestep the problem by using OpenID. It's not perfect, but it addresses that particular vulnerability. (Revised 1/28)
In a recent Security Fix, Brian Krebs looks at cyber criminal communities that are centered in Eastern Europe. A fundamental feature is that these communities discourage attacks on their own community. For example, a site that trades in stolen credit information refuses to use data from the Commonwealth of Independent States (CIS, the former Soviet empire).
While Krebs' article points out that such attitudes don't really prevent attacks on CIS citizens, it is interesting that the criminal community sees it that way. Krebs suspects it's because local law enforcement is more tolerant. I also suspect local citizens are more tolerant. No doubt it looks clever and respectable to fleece people on the other side of the planet using modern technology.
Marc Ambinder of the Atlantic recently blogged about alternative Blackberries that President Obama may carry. Some people might wonder why this is such a big deal. Ambinder notes that "Government Blackberries" can handle classified information "up to Secret" but that you need a Sectera Edge from General Dynamics to do anything (voice only) at Top Secret.
Words of the President are obviously valuable, whether voice or text. Even if we ignore spies, think about the interest they carry for news reporters, government contractors, political operatives, and other presumed patriots. So, to start with, we have to ensure that the President's words are only released when he decides to do so.
The government has established several strategies for protecting information assets. While we don't necessarily know what they're doing in the White House, we can make some educated guesses. The problems, and solutions, revolve around multilevel security, also called MLS.