Free WiFi or Secure WiFi

I wasn't a big fan of free WiFi. Don't get me wrong, I love having free stuff, but when it came to WiFi, free almost always meant it was unencrypted. And that meant that my security was basically at the mercy of everyone else sharing the connection with me.

This is because, every time you browsed on an open WiFi connection (except when it was a https page), anyone could easily see what you are browsing. There are a number of powerful tools that allow you to snoop on everyone else. To make matters worse, recent news indicates that even having https was no protection. FireSheep is a Firefox plugin that makes taking over other people's connections almost trivial.

The one protection against this form of security holes is, well, having an encrypted WiFi connection. Chester Wisniewski, a Security Advisor at Sophos, has a potential solution. To encrypt all free WiFi connections using a default password - "free". That way the connection remains just as accessible, but it also puts security high up on the agenda. And maybe, people like me would not be so wary of free WiFi connections anymore.

Article on Security

I hate to make this a blog where I drop in links from around the world and feel happy at having put something on it. I definitely wouldnt want to do that. Anyways, came across this link on email today.

If you are reading it, dont read it as the six dumbest ideas in Computer Security. Rather read it as the One reason why Computer Security is all screwed up. The first one. Most of the others are a form of the same idea. Read about the description of Default Permit strategy. Think about it.

That is probably one of the biggest things that is causing havoc with having to run an ever-losing race with vulnarabilities, hacks and other evil in the networked world.

And to think all one had to do was ask

-- ravi

Data Integrity Certification Service

There has been a big hullabaloo around EVMs and electronic voting. And one of the main requirements that has been consistently missing is what is called a "paper-trail".

Many detractors of electronic voting have cited lack of a paper trail is the main reason why electronic voting is being called unreliable. What is it about paper that makes a paper-trail that is more dependable than an electronic trail.

One of the main reasons is that a paper-trail is physical meaning that it is constrained in space and time. And therefore security authentication and authorization mechanisms have been built taking this constraint into account.

What if data were to be provided this type of constraint. If there was a means of constraining data in space in time - prevent duplication and correctly identify the time of entry for a data item, it might be possible to identify the integrity of any given data point.

Consider a mechanism, called the DICS mechanism. This is an based around an online trust that provides time-based data integrity mechanism. Each client of the mechanism has a two-way relationship with the trust. The client asks for and has a tie-up with the service provider.

Lets assume that the client stores data in a relational database. Lets also assume that there is a row of data to be filled in at any time. In order to do this there needs to be another column in the table that stores a data element that is a sum total of all the information stored in the row and is encrypted in a way to prevent its tampering.

The simplest way of doing this would be to concat the data in the row and use a publc key to encrypt the data and store it in the column. The problem with this approach is two-fold. First, there is no time-information, and secondly it is possible for the single entity having access to the system to also have access to the private key, rendering the entire process unviable.

To overcome this, we introduce the entity called the DICS.



DICS <-----------------------------> Client



Assume that there is a row of data that needs to be protected. Call this data as the variable x. (assume that the data in the row is either concatenated or otherwise combined to get this single entity)

Other data variables used are

d and d' which are the private and public keys of the DICS trust while

c and c' are the private and public keys of the Client

f() and f'() are the encrypt and decrypt functions used in the two key algorithm. (data = f'(f(data,c), c') )

The process starts with the client that starts and calculates the values of 'a' given by var_a = f(x, c'). This data is sent across the the DICS server.
The DICS service calculates var_b = var_a + t, where t is the time-stamp. The '+' is a defined combination functions with a simple inverse defined.

The service then returns var_c = f(var_b, d') to the client, while storing var_c and t with itself. The service does not return 't', though as you will see, that is not an issue.

The client stores var_c in the column of his database.

The service opens a simple functions to the client checkData().

Now checkData() sends across the value x recalculated using the same concatenation function and data from the client database along with the var_c stored. The service can then recalculate the value of the var_c from the given x and the time_stamp stored to verify the authenticity of the data.

Now time value is stored with the data, and hence in case of errors with data authenticity, further tests can be performed. Also time-reports can be taken for various requests to detect if there has been any descrepancy in the usage reported by the DICS service and actual usage done by the client.

Secondly any person changing the data needs to get the data re-authenticated by the DICS server showing up as discrepancies between the number of data entries and the number of data authentications. Also if there has been no access to the DICS service during the update/change then the data is directly found to be wrong.

sounds good?

- ravi

Rant time again

Hey, it is back to my favourite activity. Microsoft issued five more security warnings, all at once, at a time when system administrators are still reeling form the effects of MSBlaster. Then hopped over with 5 mod points over to the discussion forum for the article on slashdot. There I found this which accurately describes what I really feel about the issue. Funny, someone made a AC post, and it already had a mod-up. I splurged on it too, though I strictly dont encourage AC posts.

I mean, i seriously dont understand that Microsoft has the nerve to compare its security / performance with something as rag tag as Linux. I dont see why Microsoft should not commit suicide in a drop of water. Look at the start difference between the setups of the biggest computer company in the world and the biggest collaborative setups in the world. One has all the resources in the world to make sure that the software is the best in the world. It has the beta testers which is probably bigger than the installed base of the other. It has the power to seek 'advice' of the best of the best in all fields - usability to security. And then it has the nerve to stand up and say its security is 'just as good'?

lord is watching, he will punish,

~!nrk

And more does

I know I cannot make those long posts anymore.

That is because, I sit in this corporate outfit, and I have to be all corporat-ish. So God help me.

Well, I had to write this. So I remembered this. I am in corporate, but I still /. and google.news a lot. In the technology section, I found this article.

I dont know if you have been reading the news recently, but the Blaster worm has been doing the rounds. And then they "caught" this blaster worm writer. A script kiddie. An 18 year old who is just spending some spare times, grepping old scripts to change strings and replace then with his own names. And do you know what they called him?

Mr McKay would not elaborate beyond the allegations against Mr Parson, but said, "Is he dangerous? Yes, he's dangerous. ... There is serious harm to individuals, businesses, Microsoft Corp. being only one of them."

Oh my gawd. Gimme a break. I mean, they say the same thing against everyone. He is a dangerous deranged criminal. He is the reason I am going to miss my profit targets. Big valuations of possible problems, and then big flashes of photographers in the press conference.

I dont know if you know about another guy called Kevin Mitnick. I think i wrote about him earlier. The same with him too. I can understand the desperation of the media for these poor script kiddies. I so feel sorry for them. Most of the bigger fish are probably doing all they want to do, and making sure neither the media not the courts find anything against them. And then there are these kids, who know a little, have an attitude and in the end be those who have take the fall.

And to top it all, people act as if they were the persons to cause the trouble to begin with. The article acts as if 18 year old script |<1dd133 is the bad person and Microsoft is the victim!! How pathetic can journalism get.

I dont know if journalists will ever look beyond the obvious and reach out for the truth. And I hope that one day, people will understand the difference between hackers, crackers, virus authors and script kiddies. And one day, I hope, Microsoft is secure enough that script kiddies are mere kids and unable to cause 7.7 million dollar worth of trouble.

No, let me change that. And one day, I hope, there wont be enough of M$ left for script kiddies to do 7.7 million dollar worth of trouble.

Amen to that.

warm regards,

~!nrk

Security?

"Typically with these types of issues it will be six to nine months until we see a massive attempt to start exploiting it," Cooper said, adding that a preemptive patch was critical.

This is from an article, that discusses yet another *sigh* security disclosure by MicroSoft. It is incredible, what this guys cannot do. I mean they teach you this at school. "How-to-code-sensibly-101". And these guys come up with pathetic code, time after time. They are simply amazing. I never knew they had so much of code which could give rise to so many critical bugs.

But that is more irrevelant. What i felt more about was the above statement by Russ Cooper, head of security at TruSecure Corp. What a hell load of crap. How long does it take for a CR4c|<3r to take a vulnerability and mount an attack you said? 6-9 months. WOW. get real. I'd say something like 6-9 hours is more like it. Does the guy know anything about the current state of security? Mebbe he ought to read of a project called the honeynet. Ask them. The script kiddies take that long to get easy to use GUI tools to launch attacks. Not crackers. Atleast not the talented ones.

The only thing we can bank on is that no one does serious work on Office anyway, so it does not matter what crackers do. Yah I was just joking. There is no solace. Those people at Redmond keep churning bad code. These guys at security agencies keep tracking them. Those people keep playing down the seriousness. And cracking continues to be done by kids with ready to use tools. It is sad. Wonder what happened to M$'s trust initiative. Remember sometime back, Bill Gates asked all his programmers to stop coding and sit around fixing bugs. Wow, I mean look at the nerve of the guy. He produces sloppy code, then he is under pressure and asks his own programmers to do what they were supposed to do better, and gets mileage out of it, and establishes M$ as a security focused company because of his initiatives. Simply, pathetic.

Have my end terms starting from next week. Sad. I have eight subjects and five days. Lets see how it goes.

50 10n6 & 7|-|4nk5 f0R h4x0R-5p34|<
~!nrk