One of the main objectives of this blog is to put security related facts and events in the correct perspective. This is needed in cases where the traditional media has its own objective of blowing news out of proportion. The security media, often sponsored either by advertisers or by product vendors, has an occasional tendency of disseminating FUD (fear, uncertainty, and doubt) more than necessary. For example, they can take a single unattributed compromise of a web-server and shout that "cyberwar is here".
Without arguing who is right, many of the posts in this blog bring forward the other side of the coin. They show a different perspective than that shown by other sources. The goal is never controversy in its own right; it is to make the reader truly informed, by showing the angle that doesn't get the headlight.
The counter-media category consists of such posts that present perspectives, insights, and opinions, that may differ substantially from those typically presented by the media, and by that provide food for independent thought.
I usually agree with the opinions expressed by Bruce Schneier. Seldom do I think that he is dead wrong, and yet less often do I think that an essay of his is bluntly unsubstantiated. About a month ago, he published such a post, titled: How Israel Regulates Encryption. He quoted a research that sounds sensible, but ended up interpreting it entirely wrongly, in my opinion.
A few days ago, a critical bug was found in the common OpenSSL library. OpenSSL is the library that implements the common SSL and TLS security protocols. These protocols facilitate the encrypted tunnel feature that secure services -- over the web and otherwise -- utilize to encrypt the traffic between the client (user) and the server.
The discovery of such a security bug is a big deal. Not only that OpenSSL is very common, but the bug that was found is one that can be readily exploited remotely without any privilege on the attacker's side. Also, the outcome of the attack that is made possible is devastating. Exploiting the bug allows an attacker to obtain internal information, in the form of memory contents, from the attacked server or client. This memory space that the attacker can obtain a copy of can contain just about everything. Almost.
There are many essays and posts about the "everything" that could be lost, so I will take the optimistic side and dedicate this post to the "almost". As opposed to with other serious attacks, at least the leak is not complete and can be quantified, and the attack is not persistent.
When people discuss Bitcoin, one of its properties that is often considered is its presumable anonymity. In this respect, it is often compared to cash. However, it shall be recognized and understood that Bitcoin is not as anonymous as cash; far from it, actually. Its anonymity relies on the concept of pseudonyms, which delivers some (unjustified) sense of anonymity, but very weak anonymity in practice.
I attended CyberTech 2014 on January 27th-28th. CyberTech is a respectable conference for technologies related to cyber-security. The conference consisted of lectures and an exhibition. The lectures were most given by top notch speakers from the security space, both from the public sector and from the private sector; most being highly ranked executives. The exhibition sported companies ranging from the largest conglomerates as IBM and Microsoft, to garage start-ups.
I am easy to disappoint by cyber-security conferences. Simply put, there are more cyber-security conferences than what the security industry really has to say. This implies that for the security architect or practitioner, most cyber-security conferences lack sufficient substance. I take CyberTech 2014 with mixed emotions too. The exhibition showed interesting ideas, especially by start-ups, while the lectures left more to wish for.
There is an ongoing debate on the need for new regulations that protect individuals' personal data. Regulation is said to be required to protect the personal data of citizens, consumers, patients, etc., both against corporate service providers as well as against governments.
There is a growing concern about the implications of the data collection habits of social network operators, such as Facebook, as well as other service providers. Even those individuals who claim to not see any tangible risk behind the massive collection of data on themselves by service providers, still feel unease with the amount of data available on them, and on which they have no control.
On the state side, knowing that your government may monitor every single email and phone call reminds of George Orwell's book "nineteen eighty-four". It is largely agreed that this practice, if not outright eliminated, shall at least be better controlled.
This essay discusses the two possible domains for such better control: technology and regulation, arguing that the former is tremendously more effective than the latter.
The concept of "Cyber Security" is surely the attention grabber of the year. All security products and services enjoy a boost in their perception of importance, and sales, by merely prepending the word "cyber" to their description. But how is cyber security different than just security?
It differs, but it is not an entirely different domain, at least not from the technology perspective.
Security protects against malicious attacks. Attacks involve an attacker, an attack target, and the attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing "cyber attacks", while being a common trend, is a blunt misuse of the "cyber" term in its common meaning. And still, cyber security is not as dramatically different than traditional security.
I bet there are thousands of blog posts advocating privacy and explaining why people should resist governments and companies collecting personal data. I dare to write yet another one because I would like to make a couple of points that I have never seen made before. This post will discuss one of these two points: the unknown risk.