As entire businesses migrate online, what happens if they start attacking each other?
I think we'll need some more lawyers who can understand tcpdump packet data.
How do you claim your product is more secure than an open source option? Counting vulnerabilities alone might not work, as Window Snyder aptly explains in this retort against a Microsoft IE vs. Firefox report.
If you care, you already know the iPhone's SIM has been successfully unlocked to work with carriers other than AT&T. GMSV has a good round up.
The blog "Finding JTAG on the iPhone" is a cool read into what it took to unchain the iPhone in hardware. The site's author, a soon-to-be college freshman, says each unlock takes about 2 hours of time, making it a fairly labor intensive process and thus a pretty solid hurdle to breaking the phone's SIM locks. If only there was a way to do it in software....
Which brings us to this Engadget post that verifies a software hack created by a group that reportedly had 6 people working full time since the launch to develop a way to free the iPhone from AT&T.
6 cheap consultants for 2 months = $800 per day x 6 people x 40 to 50 days = as little as $190k and more likely around $400k for leet folks, which sounds like a lot for a flaky device with unrealistic expectations. However, even at those cost levels and assuming a $100 charge per device, the breakeven is around 2 to 5 thousand devices. Assuming iPhoneSIMfree has a monopoly for even a month or two, they will probably do fairly well. The site is currently looking for people interested in buying 500+ unlocks, which is a pretty smart way to get others to sell 3000 unlocked iPhones to internationally based Apple fanboys as fast as possible.
Finally, if you can't lock them out in software or hardware, call the lawyers: professional unlocking businesses like Unique Phones (who claim 2.9 million unlocks since 2002) are claiming they too have a software based method of unlocking the iPhone, but they had a tough weekend with calls from AT&T's lawyers.
Involving lawyers begs the question of whether or not the Carterfone decision applies to mobile networks (it should). The DMCA legislation has already been rejected as an avenue for many things, including keeping phones locked to networks. Hush-a-Phone v. FCC set another similar precedent.
Conspiracy theory: Apple wants Carterfone to apply to wireless networks and knew that this would force the issue?
Legal Update: Selling unlocked phones for fun and profit might not be kosher.
Update 2: iUnlock has gone open source - see full story at Engadget
From the "Add to blog bookmark folder..."
BusinessWeek has a series on a CNBC sponsored online stock picking contest where many cried foul when contestants figured out how to game the web app running the contest.
Dan Geer's testimony [mirror] from an April 23rd hearing with the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is worth reading - especially if you want to understand how our security priorities should stack up.
Dan's recommendations to our government:
• We need a system of security metrics, and it is a research grade problem.
• The demand for security expertise outstrips the supply, and it is a training problem and a recruitment problem.
• What you cannot see is more important than what you can, and so the Congress must never mistake the absence of evidence for the evidence of absence, especially when it comes to information security.
• Information sharing that matters does not and will not happen without research into technical guarantees of non-traceability.
• Accountability is the idea whose time has come, but it has a terrible beauty.
Don't forget, even the bad guys need a way to drive traffic to their malicious web sites!
A bunch of people claim the coolest thing about the iPhone is that it runs OS X, or at least a customized version... however, the agreement with Cingular locks the OS to apps of Apple and Cingular's choosing.
$50 says it takes less than 3 weeks after the iPhone goes to GA that someone hacks the OS to run whatever they want.
iPod Linux (Yes, I know it's a different beast)
Update: An in-depth look at third party apps and the iPhone.
Update 2: Let the iPhone hacking begin.
Update 3: Early iPhone Hacking Efforts
Update 5: Unlocking the iPhone Software, Hardware, and Lawyers! Yay.
Update 6: Apple finally launches an SDK and iPhone developer program. The catch: all apps must flow through Apple. Apple takes a cut and gets to assure AT&T that none of the apps will create odd network conditions. So long to the IT layer cake.
Update 7: Since technical methods of keeping the iPhone locked to AT&T failed, now you can't buy an iPhone without activating AT&T service. Score: Technology 0, Process 1 for now.
Data loss was a big topic of conversation at RSA this year. These incidents have become so repetitive that after a while we stop noticing... until you see them all gathered in one place.
The market for quality assurance software development tools is huge. Performance, functionality testing, and more are at least a billion and probably more. (I could look it up, but...) However, the same market for security specific QA tools is minuscule in comparison.
CNET has a decent article on the current state of the market for products that test for vulnerabilities in source code and binaries. Note: the article focuses on a few tools, but misses some of the companies competing in and around the segment - most of whom have at least a tool or two to assist in secure app development.
A more complete list includes:
- Aspect Security
- Application Security Inc
- Core Security Tech
- Foundstone - acquired by McAfee
- Magnafire - acquired by F5
- Sabre Security
- Sanctum Inc
- Spi Dynamics
- Secure Software
- OWASP The Open Web Application Security Project
I'm sure I have left a few out; let me know who else should be added to this list. It's been a while since I was tracking this sector with any energy. Two companies conspicuously absent from this list:
- Rational Software (Now owned by IBM)
The insanity around poorly tested electronic voting continues. New Hampshire, however, is way ahead of the pack, passing a bill in 1995 requiring a paper ballot. A choice quote:
"People in other states talk about the unbelievable burden of recounts," said Anthony Stevens, New Hampshire's assistant secretary of state. "They don't realize the cost of restoring legitimacy is far greater than the cost of maintaining it."
Sign this petition:
The FUD around killing the policy analysis market is hysterical. Does the press really think the people running the policy analysis market were going to allow bets like "will world leader X get assassinated next week?" Sheesh.
The Blog at DefenseTech.org has a great round up of all the different articles and studies done on predicting political events with futures markets. Dan Gillmor also argues for the market. A paper by Andrew Leigh, Justin Wolfers and Eric Zitzewitz at Stanford looks at the market reactions to ousting Saddam.
The Foresight Exchange is another example of a market trading on future events.
Markets are powerful creatures. Despite getting slammed by the press all week, DARPA's Policy Analysis Market, or PAM, was a good idea. It is too bad it was introduced poorly; there are few ways to consolidate and filter massive amounts of intelligence. This would have been a good start on identifying trends and places where our defense and policy types should pay attention and focus their limited resources. James Surowiecki has written a must read article for anyone who has found themselves confused by the press hubbub surrounding PAM.
James doesn't mention it, but a market already exists to allow people to bet on political events here in the US, along with a market betting on the fall of Saddam and other current events. In fact, there is now a new market betting on Poindexter's ability to remain on the DARPA payroll! I'm betting no. Keep the market, dump Poindexter. Go to Tradesports.com and click on Current Events to see each of these markets in action.
Two things stand out in this attack:
1. We now know a worm can disrupt a massive swath of systems not typically associated with the web: ATM machines and 911 call centers took a hit this weekend.
2. The worm that wreaked havoc across the Internet this past weekend exploited a flaw that Dave Litchfield identified and Microsoft fixed last summer.
Despite Microsoft's efforts to provide a patch for this vulnerability, even security savvy IT shops like AMEX were hit. If IT shops like AMEX cannot keep up with patches, something is wrong with the system.
As a side note - one of the companies hit by the worm? Microsoft.
The New York Times today has an article describing the challenge of identifying names within a large database. In this case, the database is of known terrorists and the article does little to convince anyone that security agencies will be able to screen for terrorists based on names. This software has a long way to go before it can be used confidently to identify individuals in a multi-cultural society.
If you monitor a huge ecosystem over time, I believe your ability to identify anomalous behavior in real time decreases as the size of the ecosystem grows - especially if you can store more data than you can process. The data that you cannot process, you cannot monitor. Correct? Someone tell me if I'm nuts.
The NY Times reported today that the Bush administration wants to monitor the Internet. Perhaps they should just go buy Counterpane and then force every major service provider to provide hooks into Counterpane's monitoring devices - or perhaps provide some sort of standard data feed to Counterpane.
Aside from all the privacy noise on this one - I expect we will need to see some serious research into detecting anomalous behavior. Stay tuned, this one might get interesting.
Sprint is demanding secure software. I believe this will help them increase the reliability of their services. Security in the telecom industry used to be focused on fraud - preventing people from obtaining free telco services.
With packet-based networks, the telco threat model has shifted dramatically. Security is now a quality of service issue. Data communications hardware has long had to meet stringent reliability requirements. Security standards will augment those requirements.
I am currently aware of two major corporations with security requirements for software procurement: Sprint and General Electric. If you know of others, please comment.
As a side note - check out how dumb AT&T and Qwest sound in the article for not requiring vendors to deliver secure software.
Read the CNN article and then think about whether you really want the government running this Homeland Security Initiative. [NYTimes]
I smell a class action suit against the credit agency that let the fraud occur. The Homeland Bill will take years to sort out.
In other identity news, the General Services Administration has posted the presentations from a conference on identity. Good to know someone is paying attention. Thanks to Scott Loftesness for the link.
P.S. Skied Killington today - love pre-season weekdays - no lines and great snow.
Paying for port scans? You might be if you are connecting to the net via a wireless GPRS network that bills by bandwidth usage. It's bad enough that GPRS network infrastructures are full of holes; making customers pay for traffic because the service provider has not had the decency to install a firewall between the net and the wireless infrastructure is irresponsible.
Wired attacks have already migrated to the wireless world. If a journalist can tell, shouldn't the service provider be able to tell too?
The major papers all agree - Mr. Ashcroft is going too far... and for some reason still appears to be getting what he's asking for.
Tech News - CNET.com: Secret U.S. court OKs electronic spying
NY Times: A Green Light to Spy
Craig Mundie marked the first year of Microsoft's Trustworthy Computing initiative during the Silicon Valley Speaker Series. The transcript of Mundie's speech provides an interesting insight into how far Microsoft has come and some of the hurdles ahead.
The biggest question I have of Microsoft's security strategy is whether they have done enough soon enough.
Mr. Mundie says the right things when he speaks of building software that is "secure by design, secure by default and secure in deployment." He equates security and reliability, and he is aware of the cost of the company's numerous privacy gaffes over the last several years.
The products receiving the most security attention either hit the market in late 2001 to 2002 or are still in development. The installed base is where the danger lies. Out of an estimated 400 million people on Windows, the vast majority are on Windows 95. I would like to see a breakdown of what the server world looks like and the speed at which the installed base adopts the XP server OS. If Microsoft cannot convince the world to upgrade to newer versions, the company will find themselves in a marketing catch-22.
Best Case vs. Worst Case:
In a best case scenario, MS products should become incrementally more secure as Microsoft's internal training adopts increasing amounts of security content, developers begin to innovate in a secure fashion, and products presently in the design stage are actually designed secure from day 1. (Products that were in the design stage two years ago and coming to market in 2002 and 2003 will probably receive security testing and design reviews.)
A worst case scenario would be if Mr. Mundie's speech is all hot air and the organization has not found the religion Mr. Mundie professes.
The impending catch-22:
In order to actually improve the security of the electronic infrastructure, and renew trust in Microsoft products, the company needs to migrate the installed base off of old products and onto new ones in the middle of a recession. From a marketing (and perhaps a liability?) point of view, Microsoft must make the case to upgrade beyond "it's more secure because the last product that we told you was secure really was not."
Or "we convinced you to buy the last product when times were good, but the quality was really bad and probably left you vulnerable to numerous attacks, so buy this new one and that won't happen again - trust us."
Even if products coming to market today have received world-class security reviews, they were designed two years ago when security was not a priority. Somehow Microsoft will have to convince the installed base to trust them again. I imagine they will get outside consulting companies to write white papers describing how much "more secure" product X is over the last version.
In the security world, if you cannot prevent someone from exploiting something, you build a level of accountability into the system, so that you can track them down after the fact. Trust is for sissies.
I wonder to what extent the market will hold Microsoft accountable for the security of their products?
1. "Trust is for sissies." is an original line from Dr. Daniel Geer or Bob Blakley - I'm not sure which one of them stole it from whom.
At least 10 surveys over the last five years have asked executives how important certain qualities are to their business. Security consistently appears in the top five. However, when queried on budgets and spending, security falls dramatically.
An article in Slate today examines a similar problem with our President's priorities. Talk is cheap.
Defending a perimeter or boundary of any type is expensive and often a poor allocation of resources. In the physical world it occasionally makes sense to defend a perimeter; in the digital world perimeter defense is a tough place to get a return on investments. Here are several examples and relevant bits of data...
1. The first goal of an external attacker is to obtain the privileges of an insider. Check out Honeynet.org for more.
2. Depending on which survey you examine (FBI/CSI, IDC, Gartner, Meta, etc…) roughly 70% of all major intrusions are committed by an insider. (See Computer Associate’s “Rose in Benefits” campaign.)
3. Lumeta, the network mapping company, estimates their average customer (think BIG corporations) knows where 70% of their network goes. If you don’t know where that other 30% is – how can you possibly defend it?
4. The big technology news in Panama this week comes from an attempt to block telephone calls that travel over the Internet instead of the traditional voice network (VoIP vs. POTS at C&W Panama; the Slashdot bookies have 2:1 odds on VoIP) – check out the Politech post from Cisco.
5. As for #4 - digital music, IM chat over port 80, and wireless LANs everywhere simply prove that technology beats law in almost every case.