In Through The Out Door

    Diving Through The Information Barrage

    Browsing Posts published in March, 2006

    TorrentSpy fighting the MPAA!:

    TorrentSpy, a torrent search engine that is in a takedown war with the MPAA, is not lying down; they are fighting back, and I think they have a pretty good chance of getting the case dismissed. TorrentSpy is nothing more than a torrent search engine. They don’t create torrents; they only track them. If you read the motion you will understand that they have some legal precedent on this one and are likening themselves to Google. The recent Supreme Court decision handed down on Grokster may end up being their deciding factor, depending on how the judge interprets the higher court ruling. The MPAA has been getting sites taken down with their broad interpretation of that same ruling. We shall see where this leads, but it is a good battle.

    Interview: Theo de Raadt of OpenBSD:

    Theo de Raadt is the project leader for OpenBSD, a Unix-like operating system. We spoke with Theo about the upcoming release of OpenBSD, 3.9, the financial state of the project, and about companies that profit from free software without contributing back.

    An Interview With The Router Man:

    Angry_Admin writes “For Network World’s 20th anniversary, they’ve published an interview with William (Bill) Yeager, the creator of the multiprotocol router, with some history on how Cisco came to be. As he says in the interview: ‘This project started for me in January of 1980, when essentially the boss said, “You’re our networking guy. Go do something to connect the computer science department, medical center and department of electrical engineering.”’ 6 months later he had his first working 3MBit router shoved in a closet.”

    Totally Random One Time Pads:

    Scientists in Japan have come up with a way of harnessing a truly random datasource for generating one time encryption pads: Quasars. One time encryption pads are widely accepted as being the most secure form of encryption, but this new technology from the National Institute of Information and Communications Technology makes the pads even more secure.

    Using Top More Efficiently:

    Introduction to using the utility Top. “Among many monitoring tools that are available, most people use ‘top’ (a part of the procps package). Top provides almost everything we need to monitor our system’s resource usage within a single shot. In this article, all the information is based on procps 3.2.5 running on top of Linux kernel 2.6.x.” Using Top More Efficiently – The Linux Information Resource

    Multiple live CDs in one DVD:

    This is a very cool idea. “Live CDs do a great job of advertising Linux distributions. In addition to general-purpose live CD distributions, there are lots of task-oriented live CDs. Wouldn’t it be great if you could carry multiple live CDs on one DVD disc? Nautopia.net has put up a script that you can use to make a custom DVD to boot multiple live CDs.” Linux.com | Multiple live CDs in one DVD

    DNS Hackers

    DNS Hackers Target Domain Registrars:

    Secure Your Linux Server:

    Linux is a powerful and popular operating system kernel. That popularity means you might be running it even if you’re not a dedicated Unix administrator or high-powered programmer. That doesn’t mean that rock-solid security is out of your reach, though. Aaron Brazell shows how to make Red Hat 9 (and other Linux distributions) much more secure in a few easy steps.

    LXer has an interesting look at the big three operating systems with some surprising results. From the article: “If you think that a Linux advocate cannot make an objective analysis of desktop operating systems, then you need to read this report. You may find yourself surprised with some brutal honesty that leaves out the free software philosophy.”

    Forgotten Password Clues Create Hacker Risk:

    Meet the Botnet Hunters:

    The Washington Post is running a pretty decent story about ‘Shadowserver,’ one of a growing number of volunteer groups dedicated to infiltrating and disabling botnets. The story covers not only how these guys do their work but the pitfalls of bothunting as well. From the article: ‘Even after the Shadowserver crew has convinced an ISP to shut down a botmaster’s command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker’s control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.’

    DHS Privacy and Integrity Report:

    Last year, the Department of Homeland Security finally got around to appointing its DHS Data Privacy and Integrity Advisory Committee. It was mostly made up of industry insiders instead of anyone with any real privacy experience. (Lance Hoffman from George Washington University was the most notable exception.)

    And now, we have something from that committee. On March 7th they published their “Framework for Privacy Analysis of Programs, Technologies, and Applications.”

    This document sets forth a recommended framework for analyzing programs, technologies, and applications in light of their effects on privacy and related interests. It is intended as guidance for the Data Privacy and Integrity Advisory Committee (the Committee) to the U.S. Department of Homeland Security (DHS). It may also be useful to the DHS Privacy Office, other DHS components, and other governmental entities that are seeking to reconcile personal data-intensive programs and activities with important social and human values.

    It’s surprisingly good.

    I like that it is a series of questions a program manager has to answer: about the legal basis for the program, its efficacy against the threat, and its effects on privacy. I am particularly pleased that their questions on pages 3-4 are very similar to the “five steps” I wrote about in Beyond Fear. I am thrilled that the document takes a “trade-off” approach; the last question asks: “Should the program proceed? Do the benefits of the program…justify the costs to privacy interests….?”

    I think this is a good starting place for any technology or program with respect to security and privacy. And I hope the DHS actually follows the recommendations in this report.

    Who owns the Internet pipes?:

    Ben Worthen of CIO has an interesting post about who in the context of the Net Neutrality debate. He worked with Lumeta’s chief scientist Bill Cheswick to create a map of the North American Internet backbone, including 134,855 routers, colored by telecom company (Verizon, AT&T, Qwest, Level 3, Sprint Nextel, cable companies, smaller players). Worthen concludes that while AT&T and Verizon have [...]

    Nuts and Bolts of Net Discrimination: Encryption:

    I’ve written several times recently about the technical details of network discrimination, because understanding these details is useful in the network neutrality debate. Today I want to talk about the role of encryption.

    Scenarios for network discrimination typically involve an Internet Service Provider (ISP) who looks at users’ traffic and imposes delays or other performance penalties on certain types of traffic. To do this, the ISP must be able to tell the targeted data packets apart from ordinary packets. For example, if the ISP wants to penalize VoIP (Internet telephony) traffic, it must be able to distinguish VoIP packets from ordinary packets.

    One way for users to fight back is to encrypt their packets, on the theory that encrypted packets will all look like gibberish to the ISP, so the ISP won’t be able to tell one type of packet from another.

    To do this, the user would probably use a Virtual Private Network (VPN). The idea is that whenever the user’s computer wanted to send a packet, it would encrypt that packet and then send the encrypted packet to a “gateway” computer that was outside the ISP’s network. The gateway computer would then decrypt the packet and send it on to its intended destination. Incoming packets would follow the same path in reverse – they would be sent to the gateway, where they would be encrypted and forwarded on to the user’s computer. The ISP would see nothing but a bi-directional stream of packets, all encrypted, flowing between the user’s computer and the gateway.

    The most the user can hope for from a VPN is to force the ISP to handle all of the user’s packets in the same way. The ISP can still penalize all of the user’s packets, or it can single out randomly chosen packets for special treatment, but those are the only forms of discrimination available to it. The VPN has some cost – packets must be encrypted, decrypted, and forwarded – but the user might consider it worthwhile if it stops network discrimination.

    (In practice, things are a bit more complicated. The ISP might be able to infer which packets are which by observing the size and timing of packets. For example, a sequence of packets, all of a certain size and flowing with metronome-like regularity in both directions, is probably a voice conversation. The user might use countermeasures, such as altering the size and timing of packets, but that can be costly too. To simplify our discussion, let’s pretend that the VPN gives the ISP no way to distinguish packets from each other.)

    The VPN user and the ISP are playing an interesting game of chicken. The ISP wants to discriminate against some of the user’s packets, but doesn’t want to inconvenience the user so badly that the user discontinues the service (or demands a much lower price). The user responds by making his packets indistinguishable and daring the ISP to discriminate against all of them. The ISP can back down, by easing off on discrimination in order to keep the user happy – or the ISP can call the user’s bluff and hamper all or most of the user’s traffic.

    But the ISP may have a different and more effective strategy. If the ISP wants to hamper a particular application, and there is a way to manipulate the user’s traffic that affects that application much more than it does other applications, then the ISP has a way to punish the targeted application. Recall my previous discussion of how VoIP is especially sensitive to jitter (unpredictable changes in delay), but most other applications can tolerate jitter without much trouble. If the ISP imposes jitter on all of the user’s packets, the result will be a big problem for VoIP apps, but not much impact on other apps.

    So it turns out that even using a VPN, and encrypting everything in sight, isn’t necessarily enough to shield a user from network discrimination. Discrimination can work in subtle ways.
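
    An added example, not part of the original post: a small Python simulation of the argument above, in which every tunnelled packet receives the same random extra delay and the effect is measured from the user's side for a voice stream and for a bulk transfer. All function names and numbers (20 ms packet spacing, 40 ms base delay, 80 ms playout deadline, up to 120 ms of imposed delay) are assumptions, and the bulk-transfer model ignores TCP reordering effects.

```python
import random

def simulate(n=500, interval=0.020, base_delay=0.040, max_extra=0.0, seed=1):
    """Return (send, recv) times in seconds for n packets through the tunnel.
    Every packet gets extra delay drawn uniformly from [0, max_extra]: the
    ISP cannot tell packets apart, so it treats them all alike."""
    rng = random.Random(seed)
    send = [i * interval for i in range(n)]
    recv = [s + base_delay + rng.uniform(0.0, max_extra) for s in send]
    return send, recv

def rfc3550_jitter(send, recv):
    """Interarrival jitter estimate as defined in RFC 3550, section 6.4.1."""
    j = 0.0
    for i in range(1, len(send)):
        d = (recv[i] - recv[i - 1]) - (send[i] - send[i - 1])
        j += (abs(d) - j) / 16.0
    return j

def late_fraction(send, recv, playout_delay=0.080):
    """Share of voice packets that miss a fixed playout deadline."""
    late = sum(1 for s, r in zip(send, recv) if r - s > playout_delay)
    return late / len(send)

def bulk_completion(recv):
    """A file transfer only cares when the last packet has arrived."""
    return max(recv)

def compare(max_extra=0.120):
    """Same constructed traffic with and without imposed jitter."""
    clean = simulate(max_extra=0.0)
    jittered = simulate(max_extra=max_extra)
    return {
        "jitter_clean": rfc3550_jitter(*clean),
        "jitter_imposed": rfc3550_jitter(*jittered),
        "voip_late_clean": late_fraction(*clean),
        "voip_late_imposed": late_fraction(*jittered),
        "bulk_slowdown": bulk_completion(jittered[1]) / bulk_completion(clean[1]),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18s} {value:.4f}")
```

    Under these assumptions most voice packets miss their playout deadline, while the bulk transfer finishes only about one percent later.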

    RFID Tags Could Carry Computer Viruses:

    Canon EOS 30D Preview

    Security Flaws Could Cripple Defense Network:

    An FCW.com article about the uninspiring future for the Missile Defense System’s software. The developers are apparently very worried about poor information security on the project. From the article: “The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement ‘was not in the contract.’ The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated.”

    Wired and Wireless At the Same High Speed:

    Roland Piquepaille writes “The next generation of optical networks needed to satisfy our appetite for bandwidth is currently under development. And researchers from Georgia Tech have built a new architecture which delivers super-broadband wired and wireless service simultaneously. This hybrid system ‘could allow dual wired/wireless transmission up to 100 times faster than current networks.’ In fact, this optical-wireless network can carry as many as 32 different channels, each providing 2.5 gigabit-per-second service to your home or your office. And companies such as NEC and BellSouth are already working on such hybrid optical-wireless communications networks.”

    Power Analysis of RFID Tags:

    This is great work by Yossi Oren and Adi Shamir:

    Abstract (Summary)

    We show the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. While the specific attack described here requires the attacker to actually transmit data to the tag under attack, the power analysis part itself requires only a receive antenna. This means that a variant of this attack can be devised such that the attacker is completely passive while it is acquiring the data, making the attack very hard to detect. As a proof of concept, we describe a password extraction attack on Class 1 Generation 1 EPC tags operating in the UHF frequency range. The attack presented below lets an adversary discover the kill password of such a tag and, then, disable it. The attack can be readily adapted to finding the access and kill passwords of Gen 2 tags. The main significance of our attack is in its implications – any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the read range of tags.

    My guess of the industry’s response: downplay the results and pretend it’s not a problem.