Hagai Bar-El on Security

Hagai Bar-El on Security http://www.hbarel.com/blog/ A must read for the security professional en-us Nucleus CMS v3.64 © Weblog http://backend.userland.com/rss http://www.hbarel.com/blog//nucleus/nucleus2.gif Hagai Bar-El on Security http://www.hbarel.com/blog/ I was appointed CTO of Discretix Technologies http://www.hbarel.com/blog/index.php?itemid=76 Hagai's news xml-rss2.php?itemid=76 Thu, 26 Jan 2012 20:33:00 +0100 OSMOSIS Online Event http://www.hbarel.com/blog/index.php?itemid=74 OSMOSIS online event, on October 4th, 2011, at 09:00 UTC.
]]> Hagai's news xml-rss2.php?itemid=74 Mon, 26 Sep 2011 10:35:00 +0200 Handling the Security Aspect of Smart Grid Product Purchasing http://www.hbarel.com/blog/index.php?itemid=72 ]]> Analysis: Security Engineering xml-rss2.php?itemid=72 Sun, 31 Jul 2011 22:59:00 +0200 The Difference Between Content Protection and Cyber Security http://www.hbarel.com/blog/index.php?itemid=69 What is the difference between Content Protection and Cyber Security? These domains of Information Security are so different and unrelated, that the difference in their definition is more or less the entire definition of both. This question, however, was asked in the context of the factors that make each of these problems hard to solve. Both problems are hard ones, and seem to require more than the state of the art in security can provide; yet they are hard problems for completely different reasons.]]> Analysis: Security Engineering xml-rss2.php?itemid=69 Mon, 20 Jun 2011 22:11:44 +0200 CAcert as a certification alternative http://www.hbarel.com/blog/index.php?itemid=67
Unexpectedly, this post, titled “The Inevitable Collapse of the Certificate Model”, quickly became the favorite post on my blog, pulling more views than all other individual posts.

One alternative that was suggested is by CAcert.org, a community based certification organization. Here are my thoughts on the ability of such a mechanism to solve the certification problem.
]]> Analysis: IT Security xml-rss2.php?itemid=67 Thu, 28 Apr 2011 07:33:50 +0200 Job: Information Security Architect in Israel http://www.hbarel.com/blog/index.php?itemid=66 Information Security Architect position in Netanya, Israel.
Please write me through the Contact Form or by e-mail if you would like to apply.]]> General: Jobs xml-rss2.php?itemid=66 Tue, 12 Apr 2011 21:24:53 +0200 Understanding the Impact of the RSA SecurID Breach http://www.hbarel.com/blog/index.php?itemid=62 here and here) that a hack into the network of RSA Security (the security division of EMC) has led to someone stealing something that is related to the SecurID token product.

We cannot determine the real impact of this security breach until RSA Security tells us what exactly got stolen. I believe that this information will be made available, as a result of legal or public pressure, if for no other reason. Until this data becomes available, let us examine the two most probable options, and how we may respond to each.]]> Analysis: IT Security xml-rss2.php?itemid=62 Sun, 20 Mar 2011 22:31:47 +0200 Book: The Myths of Innovation, by Scott Berkun http://www.hbarel.com/blog/index.php?itemid=60 The Myths of Innovation by Scott Berkun. This 248-pages book describes how the work on innovation, and innovation in general, deviate from how we often perceive it, and from how it is presented by the media. It essentially carries the message that innovation is not some “magic” happening, but rather it is a lot of hard work, often carried out by many people.]]> Endorsement: Sources xml-rss2.php?itemid=60 Sat, 5 Mar 2011 18:35:59 +0100 The Future of Content Protection on Open Platforms, Such as Android http://www.hbarel.com/blog/index.php?itemid=55 Analysis: Security Engineering xml-rss2.php?itemid=55 Tue, 15 Feb 2011 12:02:35 +0100 Tips for Submitting Proposals to EU FP7 and Others http://www.hbarel.com/blog/index.php?itemid=50 Framework Program 7 (FP7) of the European Commission. I review research proposals that are submitted in response to calls that are related to information security. Truthfully, this work is among the more interesting of projects I am involved with.

On account of this occupation of mine, for a few years already, I consider myself authoritative to bring up the following tips to whoever intends to submit a research proposal for European, or other, funding.]]> Analysis: Security Policies xml-rss2.php?itemid=50 Mon, 7 Feb 2011 14:34:29 +0100 Cyber-war Risk Exaggerated? http://www.hbarel.com/blog/index.php?itemid=48 Cyber-war risk is exaggerated, says OECD study, points to what seems as a thorough study that concluded with the stated result. I never read this study, but from the article one can point one point in which it is probably right and one point in which it is probably wrong.]]> Analysis: Security Policies xml-rss2.php?itemid=48 Fri, 28 Jan 2011 12:43:00 +0100 Car Automation. Me? Worried? http://www.hbarel.com/blog/index.php?itemid=46 Analysis: Security Engineering xml-rss2.php?itemid=46 Sat, 8 Jan 2011 12:55:45 +0100 The Effect of Wikileaks http://www.hbarel.com/blog/index.php?itemid=44 Analysis: IT Security xml-rss2.php?itemid=44 Sat, 18 Dec 2010 19:32:49 +0100 Overcoming Distrust in CAs Using External Quality Enforcement http://www.hbarel.com/blog/index.php?itemid=42 wrote about the inherent limitations of the certification model. This model cannot be expected to provide a solution to the binding of entities to public keys, primarily because Certification Authorities (CAs) have no financial incentive in performing thorough investigation on who they issue certificates to; and often on the contrary.

There is probably more than one solution to this problem. Let us examine one of them: External quality enforcement]]> Analysis: IT Security xml-rss2.php?itemid=42 Tue, 16 Nov 2010 22:17:25 +0100 Recommended Podcast: Security Now http://www.hbarel.com/blog/index.php?itemid=41
This podcast is called: “Security Now” and it is featured by Steve Gibson and Leo Laporte. Leo is a good host. He manages the show and its topics well, all in a healthy, joyful, spirit. Steve is a well-known security expert, and the creator of SpinRite — a disk maintenance and recovery tool.]]> Endorsement: Sources xml-rss2.php?itemid=41 Fri, 5 Nov 2010 12:50:46 +0200 Preventing the Evil Maid Attack on FDE http://www.hbarel.com/blog/index.php?itemid=37 PGP Blog, LWN.net, ZDNet, and the blog of Bruce Schneier.

Some people claimed that there are no feasible countermeasures against this attack, other than making sure your laptop is never left alone for too long. A while ago, I traveled to a place where laptops were not allowed; I had to leave it at the hotel every day for two weeks. This made me devise a practical solution which can be dubbed as: be the cleaning maid yourself.]]> Analysis: IT Security xml-rss2.php?itemid=37 Thu, 28 Oct 2010 23:33:27 +0200 The Inevitable Collapse of the Certificate Model http://www.hbarel.com/blog/index.php?itemid=36
In practice, it got all messed up. It is difficult to form authorization hierarchies on the global Internet, this is one thing. However, the model failed also due to the economics behind it.
]]> Analysis: IT Security xml-rss2.php?itemid=36 Fri, 22 Oct 2010 15:52:17 +0200 Understanding the security risk of SaaS http://www.hbarel.com/blog/index.php?itemid=34
The SaaS architecture promises lower cost of ownership, better scalability, and ease of maintenance. There are other advantages, and a few limitations as well. One of the key concerns regarding SaaS is about security. Corporate security officers claim that a security risk arises with the storage of corporate data off-site. This is probably true, but to be able to assess the risk accurately, the stakeholder needs to properly understand what the risk is exactly, and where most of this risk comes from. Following is my take on this.]]> Analysis: IT Security xml-rss2.php?itemid=34 Tue, 24 Aug 2010 10:00:00 +0200 Automobile hack: we should have known better http://www.hbarel.com/blog/index.php?itemid=33 here, and a similar essay titled “Car hackers can kill brakes, engine, and more”, which can be found here. In short, it describes how researchers succeeded in taking over a running car, messing up with its brakes, lights, data systems, and what not.

As alerting and serious as this is, it should not come by as a surprise.]]> Analysis: Security Engineering xml-rss2.php?itemid=33 Wed, 19 May 2010 10:00:00 +0200 InZero provides some security http://www.hbarel.com/blog/index.php?itemid=32
I think the InZero device is cool. I think it protects against some attack vectors, at some usability costs. It may even make a worthwhile trade-off for some people. But to consider the protection granted by this device as something that is revolutionary, or to claim that it is “giving hackers, criminals, and spies the middle finger” is an exaggeration, even when it comes from marketing guys.]]> Analysis: IT Security xml-rss2.php?itemid=32 Wed, 24 Mar 2010 10:00:00 +0200 A business model based on people making bad security trade-offs http://www.hbarel.com/blog/index.php?itemid=31 Analysis: IT Security xml-rss2.php?itemid=31 Wed, 2 Sep 2009 10:00:00 +0200 Companies collect data on us --- so what? http://www.hbarel.com/blog/index.php?itemid=30
To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call to treat personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, although he did nothing wrong. All is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on himself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google apps users), and Facebook, collect. Why should I care about having my personal data on-line?]]> Analysis: Security Policies xml-rss2.php?itemid=30 Fri, 24 Jul 2009 10:00:00 +0200 On the Purpose of Security Standards http://www.hbarel.com/blog/index.php?itemid=29 article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer from security breaches, what seems to indicate that the standard is ineffective.

There are two questions that need to be asked:]]> Analysis: Security Policies xml-rss2.php?itemid=29 Sat, 4 Apr 2009 10:00:00 +0200 Right, the kernel can access your encrypted volume keys. So what? http://www.hbarel.com/blog/index.php?itemid=28 Encryption programs open to kernel hack. Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

“According to a paper [...] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called 'DevicelOControl'.”

And they consider it as a threat:

“Dubbed, the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DevicelOControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”

Such “findings” occur often when the security model of a security system is ignored.]]> Analysis: Security Engineering xml-rss2.php?itemid=28 Fri, 6 Mar 2009 10:00:00 +0100 My new patent on secure boot using embedded flash http://www.hbarel.com/blog/index.php?itemid=27 trusted state using a cryptography-enabled code storage device, without the need for a cryptography-enabled host processor. In other words, the technology allows to securely boot a platform that has a security module that is coupled with the storage medium (e.g., embedded Flash memory) that stores the software, instead of a security module that is coupled with the host processor.]]> Hagai's news xml-rss2.php?itemid=27 Wed, 17 Dec 2008 10:00:00 +0100 Twitter Terrorists -- Come On... http://www.hbarel.com/blog/index.php?itemid=26 this one in Wired.com.

Then the presentation launches into an even-more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, “Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention,” the report notes. “The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time.”

It seems as people are making an effort to ring the bell on just about anything.]]> Analysis: Security Policies xml-rss2.php?itemid=26 Sun, 26 Oct 2008 10:00:00 +0200 Firewire threat to FDE http://www.hbarel.com/blog/index.php?itemid=25
As if the latest research (which showed that RAM contents can be recovered after power-down) was not enough, it seems as Firewire ports can form yet an easier attack vector into FDE-locked laptops.

From TechWorld: Windows hacked in seconds via Firewire

The attack takes advantage of the fact that Firewire can directly read and write to a system's memory, adding extra speed to data transfer.

The tool mentioned seems to only bypass the Win32 unlock screen, but given the free access to RAM, exploit code that digs out FDE keys is a matter of very little extra work.

This is nothing new. The concept was presented a couple of years ago, but I haven't seen most FDE enthusiasts disable their Firewire ports yet.]]> Analysis: Security Engineering xml-rss2.php?itemid=25 Tue, 18 Mar 2008 10:00:00 +0200 The TSA Does Not Get It Completely Wrong http://www.hbarel.com/blog/index.php?itemid=24
I generally agree, but I do so with mixed emotions.]]> Analysis: Security Policies xml-rss2.php?itemid=24 Sat, 26 Jan 2008 10:00:00 +0100 The iPhone Hack -- Security Done Wrong or Security Done Right? http://www.hbarel.com/blog/index.php?itemid=22
Since that moment, many opinions were sounded on how Apple could have done their security better and how the hack could have been eliminated. Moreover, some of the industries security experts went on to their desks to work out a stronger mechanism that can save the gigantic firm from such embarrassments in the future.

An obvious question comes up: couldn't Apple, with its $167 billion market cap, afford to pay some good security designers to protect its assets on the iPhone?]]> Analysis: Security Engineering xml-rss2.php?itemid=22 Sun, 13 Jan 2008 10:00:00 +0100 An Interview on Secure Content Distribution http://www.hbarel.com/blog/index.php?itemid=23 Analysis: Security Engineering xml-rss2.php?itemid=23 Sun, 13 Jan 2008 10:00:00 +0100 Airport Security: Israel vs. the United States http://www.hbarel.com/blog/index.php?itemid=21 Airport Security: Israel vs. the United States. It discusses the difference between airport security in Israel and in the U.S. The post quotes evidence showing that the airport security in Israel is based more on interrogation and less on mechanical scanning. Mr. Schneier commented:

Regularly I hear people talking about Israeli airport security, and asking why we can't do the same in the U.S. The short answer is: scale. Israel has 11 million airline passengers a year; there are close to 700 million in the U.S. Israel has seven airports; the U.S. has over 400 “primary” airports — and who knows how many others. Things that can work there just don't scale to the U.S.

I do not generally buy this.]]> Analysis: Security Policies xml-rss2.php?itemid=21 Sat, 12 Jan 2008 10:00:00 +0100 Last Major Label Plans to Ditch DRM Restrictions http://www.hbarel.com/blog/index.php?itemid=20 Report: RIP DRM, as Last Major Label Plans to Ditch Restrictions:

In a move certain to rock the distribution of digital music, Sony BMG is in the midst of finalizing plans to begin offering at least part of its downloadable music catalog DRM-free, according to BusinessWeek.com. This makes Sony BMG the last of the Big Four record labels to cave on digital rights management schemes designed to restrict the distribution of music via peer-to-peer networks.

I was asked more than once: What can prevail, if DRM cannot?]]> Analysis: Security Policies xml-rss2.php?itemid=20 Wed, 9 Jan 2008 10:00:00 +0100 Making Standardization Committees Build More Secure Products http://www.hbarel.com/blog/index.php?itemid=19
There is a problem with security systems that are standardized by committees. Perhaps not every committee, but those committees that are democratic in nature. Democracy is good, all in all, but it doesn't serve the design of security products well; at least not when it comes to design done by many individuals with different agendas.

It is easy to see why.]]> Analysis: Security Policies xml-rss2.php?itemid=19 Thu, 8 Nov 2007 10:00:00 +0100 File Wiping and Disk-on-Key http://www.hbarel.com/blog/index.php?itemid=18 wiping (often called shredding) from the removable medium. This feature allows the user to erase sensitive files that are no longer needed, in a way that (presumably) prevents them from ever being recovered; even if forensics gear is involved.

I find file wiping to be a useful function. Software that permanently destroys files is available on PCs since the early 80's and has always been handy. File encryption utilities also use file wiping to remove the original plaintext file after encrypting it.

The one concern I have is about the reliability of these tools when they run against particular files that are stored on flash memory, such as USB DoK or SD cards.]]> Analysis: Security Engineering xml-rss2.php?itemid=18 Wed, 12 Sep 2007 10:00:00 +0200 Survey About DRM Acceptance http://www.hbarel.com/blog/index.php?itemid=17 news item about a survey that results in a conclusion that people are finally getting used to DRM.

Among other things, it says that:

The overall messages from these studies are: higher-priced DRM-free downloads resonate with a percentage of consumers but not a very large one; ...

and specifically that:

... the EMR/Olswang study found that only 43% would prefer “paying a little extra” for DRM-free tracks; and the In-Stat study found that only 19% would be willing to pay 30% more for a DRM-free track, as opposed to 29% who would not (44% said that it depends on other factors).

So, on the face of it, it seems as people start to not care much if their content is DRM-crippled; at least that's what the article implies. It also compares these statistics to those of a survey done years ago that presumably reflected more hostility towards DRM.

However, before I got the chance to be amazed enough at the outcome, I bumped into a seemingly unrelated observation of that same survey...]]> Analysis: Security Policies xml-rss2.php?itemid=17 Fri, 7 Sep 2007 10:00:00 +0200 Countermeasures That Can't Be Modeled http://www.hbarel.com/blog/index.php?itemid=16
What took more than two minutes was my discussion with my wife about whether or not this sort of “examination” is worth anything. She believes it is probably a waste of tax payers money, to stop people just to ask them how they're doing. I happen to think that not only that this is not a waste of money, but it's probably one of the most effective uses for this money; at least for the money that is devoted to security.]]> Analysis: Security Policies xml-rss2.php?itemid=16 Thu, 6 Sep 2007 10:00:00 +0200 Rights Management Systems Versus "Simple" Data Encryption http://www.hbarel.com/blog/index.php?itemid=15
Question:
Why not just deploy a Enterprise Right Management solution instead of using various encryption tools to prevent data leaks?

Answer:
The “encryption tools” function according to simple, well understood, and more-or-less enforceable security models. Their assumptions are well understood and, most importantly, match the environments they run on. They solve a simple problem, and solve it effectively.

Rights management solutions have complex security models, and run in environments that do not always satisfy the assumptions. They aim at providing complex functionality, but they often (always?) fail to deliver due to their over-complexity and unrealistic assumptions.

If your security needs can be met by the simple functional model of the “encryption tools”, then you will prefer to enjoy the assurance and thereasonable robustness they provide, which is the most desirable feature after all.]]> Analysis: Security Engineering xml-rss2.php?itemid=15 Thu, 10 May 2007 10:00:00 +0200 DHS wants DNSSEC keys -- so what? http://www.hbarel.com/blog/index.php?itemid=14
Homeland Security grabs for net's master keys
Department of Homeland and Security wants master key for DNS

It caused quite a lot of fuss. I agree with the political feeling of discomfort, but I somehow cannot understand the threat that some people attribute to this. ]]> Analysis: Security Policies xml-rss2.php?itemid=14 Thu, 5 Apr 2007 10:00:00 +0200 Is more security always better? http://www.hbarel.com/blog/index.php?itemid=13
I guess it can be told by my tone so far that I disagree. Making a system or a network more secure is sometimes worthwhile and sometimes it is not. ]]> Analysis: Security Policies xml-rss2.php?itemid=13 Sat, 6 Jan 2007 10:00:00 +0100 PDAs in highly classified environments http://www.hbarel.com/blog/index.php?itemid=12 Risks of Losing Portable Devices”.

Information security officers are not unaware of the risk and attempt at finding solutions. The most immediate solution that comes to mind is password-protecting the PDA. Realizing that these mechanisms can be hacked, encryption is put to use, enciphering all or some of the PDA databases using a key that is entered by the user. This method carries notable inconvenience for the user, who is forced to enter a key each time he is looking for a phone number, an e-mail address, or a meeting time. It is clumsy, but it solves the problem. However, does it solve all problems?

No; at least not for everyone, to my opinion.]]> Analysis: IT Security xml-rss2.php?itemid=12 Mon, 11 Sep 2006 10:00:00 +0200 The toughest part of designing secure products http://www.hbarel.com/blog/index.php?itemid=11 Bruce Schneier has written a good essay called: Why Cryptography Is Harder Than It Looks. This essay refers to cryptography, but touches on the subject as a whole. It is still not always clear, however, where the hard-core of security analysis work is, and where exactly the difference from QA, and from other system engineering domains, lies.

I would like to take a shot at explaining the fundamental difference between assuring functionality and assuring security, and pinpoint the toughest part of security analysis.]]> Analysis: Security Engineering xml-rss2.php?itemid=11 Fri, 28 Jul 2006 10:00:00 +0200 Is E-mail encryption really too complex? http://www.hbarel.com/blog/index.php?itemid=10 here. Whenever the debate is raised about how come e-mail encryption is so seldom used, we hear the common opinion that e-mail encryption is just not easy enough for the commons; yet. It is not intuitive enough, it is not user-friendly, it is too intrusive to the typical work-flow, and so forth. Indeed, e-mail encryption for the masses is with us for more than a decade already, and other than a few geeks and a few privacy-savvy individuals, people just don't use it.]]> Analysis: IT Security xml-rss2.php?itemid=10 Sun, 7 May 2006 10:00:00 +0200 Evaluating Commercial Counter-Forensic Tools http://www.hbarel.com/blog/index.php?itemid=9 Evaluating Commercial Counter-Forensic Tools" by Matthew Geiger from Carnegie Mellon University. The paper presents failures in commercially-available applications that offer covering the user's tracks. These applications perform removal of (presumably) all footprints left by browsing and file management activities, and so forth. To make a long story short: seven out of seven such applications failed, to this or that level, in fulfilling their claims.]]> Analysis: IT Security xml-rss2.php?itemid=9 Sat, 12 Nov 2005 10:00:00 +0100 Anonymity -- great technology but hardly used http://www.hbarel.com/blog/index.php?itemid=8 zero-knowledge scheme or on another untraceable digital cash I am amazed by the amount of knowledge that the security community has gained and by its arsenal of mechanisms that can buy us any sort of anonymity or pseudonymity we want to deploy. But do we? In spite of our having the ability to establish anonymous surfing, have untraceable digital cash tokens, and carry out anonymous payments, we don't really use these abilities, at large.]]> Analysis: IT Security xml-rss2.php?itemid=8 Mon, 24 Oct 2005 10:00:00 +0200 Today's Credit Card Fraud Prevention -- Throwing The Baby With The Bathwater? http://www.hbarel.com/blog/index.php?itemid=6
However, trying to make an online purchase recently made me lose any respect I had for the so-called anti-fraud mechanisms that are used today.]]> Analysis: Security Policies xml-rss2.php?itemid=6 Tue, 21 Jun 2005 10:00:00 +0200 Trojan-Horse Espionage in Israel -- A Tip of an Iceberg http://www.hbarel.com/blog/index.php?itemid=5 Globes article.

Obviously, the topic made it to the national news primarily because it involved high-profile companies in Israel, companies that "everybody knows", and because it led to the arrest of several top executives. It's the first time such a large scale espionage act is discovered in Israel, and this is new, but the rest is not.]]> Analysis: IT Security xml-rss2.php?itemid=5 Sat, 4 Jun 2005 10:00:00 +0200 Watermarking for DRM? Maybe one day http://www.hbarel.com/blog/index.php?itemid=3
That's nice, but for this we need a watermarking scheme that can be detected by a non-secret mechanism (called Public Watermarking) and for this mechanism to be such that makes it impossible, or at least very difficult, to peel the mark off. Unfortunately, these two requirements are known to be contradicting. The schemes being public implies that anyone can form an oracle that will tell him as soon as the mark was rendered useless. Once such an oracle is available there is a simple iterative process to be followed by which changes are introduced to and removed from the original content until the result is another piece of content that on one hard is not too different from the original and on the other hand does not contain a usable mark.

This is not to say that watermarking for DRM is doomed to failure - this is just to say that a breakthrough is needed to make it happen.]]> Analysis: Security Engineering xml-rss2.php?itemid=3 Sat, 14 May 2005 10:00:00 +0200 Open Source Disk Encryption http://www.hbarel.com/blog/index.php?itemid=2 TrueCrypt, and it provides functionality that resembles that of DriveCrypt from SecurStar. Some basic features are still missing such as the option to use a key file or multiple phrases. However, TrueCrypt has two benefits that are very unique to disk encryption products under Win32: It is open source, and it is free. I therefore see it as an appealing alternative to DriveCrypt and to PGPDisk in some environments.

One major issue about it that was not yet resolved is, of course, security. An in depth review of TrueCrypt was not yet published (to the best of my knowledge), and was never requested, but the products being open source makes one assume that if there is a deadly flaw to it, it will one day be found - hopefully by the good guys first.]]> Analysis: IT Security xml-rss2.php?itemid=2 Fri, 29 Apr 2005 00:00:00 +0200 Worms Using Search Engines http://www.hbarel.com/blog/index.php?itemid=7
Latest Mydoom shows hackers using search engines for attacks

It's about Internet based worms making use of search engines to spread out. ]]> Analysis: IT Security xml-rss2.php?itemid=7 Mon, 28 Feb 2005 10:00:00 +0100