Category: "Counter-media"

About the Counter-Media category

By Hagai Bar-El, 92 words
Categories: Counter-media

One of the objectives of this blog is to put security related facts and events in their correct perspective, from an objective and professional point of view, clean of marketing and political biases.

The posts under the Counter-media category bring forward the other side of arguments, often the side that is least heard. They show a different perspective than that shown by most other sources. The goal is never controversy in its own right; it is to make the reader truly informed, by showing the angle that is out of the spotlight.

  2021-02-26

COVID vaccination certificates done almost right

By Hagai Bar-El, 2289 words
Categories: Security Analysis, Security Engineering, Counter-media

Israel is probably the most advanced to date in terms of COVID19 vaccination. With more than one third of the residents fully inoculated, life can almost get back to pseudo-normal. This, however, requires being able to tell the vaccinated people apart from those who are not. The green pass, or vaccination certificate, is made to achieve precisely that. Technically, this government-issued certificate is not substantially different than a driver’s license, just that it’s shorter lived, can be stored in a phone app, and most importantly: was designed in a hurry.

For something that was launched so quickly, it seems to be decently architected, but slightly better work could still be done to protect that piece of attestation that is so critical to public health.

What do we require of a vaccination certificate? Not much, really. It obviously needs to be as secure as it could be made under the strict cost and distribution constraints. The certificate has to also be easily renewable (it currently expires every six months), and it has to be verifiable by a wide range of checkpoints with varying capabilities. Finally, verification has to be both reliable and fast; entry into a shopping mall cannot resemble passport control, and people cannot arbitrarily be locked out of key facilities just because of simple IT downtime.

The certificate itself is sent to its holder by e-mail (or via a web-site), to be printed at home. There are no measures that could be taken to prevent anyone with Microsoft Paint from crafting such fake certificates. The digital part of the vaccination certificate, i.e., the QR Code printed on it, is the only part of the certificate that can practically be used against forgery.

See the following write-up as a quick guide to cheap-but-secure attestation certificates; for COVID or otherwise.

  2020-09-26

Your Bitcoin wallet will never be your bank account

By Hagai Bar-El, 1399 words
Categories: Security Analysis, Security Policies, Security, Counter-media

Don’t get me wrong; Bitcoin and crypto currencies are a big deal, at least technology-wise. Bitcoin and blockchains taught us a lot about what can be done with security protocols, and at a lower level, they even taught us that computation inefficiency is not always a bad word, but something that can yield benefits, if that inefficiency is properly orchestrated and exploited. It was also the most prevalent demonstration of scarcity being artificially created by technology alone. As I wrote before, blockchains will probably have some novel use-cases one day, and Bitcoin, aside from being a mechanism for transferring money, also provides a target of speculation, which in itself can be (and is) monetized.

What I truly do not understand are the advocates who see Bitcoin wallets as the near-future replacement for bank accounts, and Bitcoin replacing banks (and other financial institutions) in the near future. I understand the motivation, as those are dreams easy to fall for, but for crypto-currency wallets to replace financial institutions much more is needed, and for the sake of this discussion I will not even delve into the many technical difficulties.

  2020-09-13

An obvious limitation of machine-learning for security

By Hagai Bar-El, 726 words
Categories: IT Security, Security Engineering, Security, Counter-media

I recently came across this study titled “Unknown Threats are The Achilles Heel of Email Security”. It concludes that traditional e-mail scanning tools, that also utilize machine-learning to cope with emerging threats, are still not reacting fast enough to new threats. This is probably true, but I think this conclusion should be considered even more widely, beyond e-mail.

Threats are dynamic. Threat actors are creative and well-motivated enough to make threat mitigation an endlessly moving target. So aren’t we fortunate to have this new term, “machine learning”, recently join our tech jargon? Just like many other buzzwords, the term is newer than what it denotes, but nonetheless, a machine that learns the job autonomously seems to be precisely what we need for mitigating ever-changing threats.

All in all, machine-learning is good for security, yet in some cases it is a less significant addition to our defense arsenal. Why? – Because while you learn, you often don’t do the job well enough; and a machine is no different. Eventually, the merits of learning-while-doing are to be determined by the price of the resulting temporary imperfectness.

  2020-08-16

Blockchains: useful or not?

By Hagai Bar-El, 976 words
Categories: Security Engineering, Counter-media

One of the biggest technological controversies of the decade is blockchains. There is no debate on how brilliant the technology is. It is very clever, if not genius. The only debate is on how useful it really is. Crypto currencies like Bitcoin are a strong use-case for blockchains, but how many other real use-cases are there? Some people claim that blockchains will change the Internet for good, while others consider it as a clever solution still seeking a problem. Reality is probably somewhere in between, as it usually is.

Blockchains often appear to be more useful than they really are, because their proponents bring up uses for blockchains which could also be facilitated using other, simpler and traditional techniques. Most of those uses, which could also be attained without blockchains, are indeed better off without them. As clever as blockchains are, they always add complexity where they are deployed. In other words, I have not yet seen a single problem that could be solved by either blockchains or other technical means, and where the blockchain-based approach was the simpler one. It follows that if we want to discuss the true merits of blockchains, then we shall identify those problems that could be solved using blockchains, and which could not be solved by simpler existing technologies.

  2020-04-17

The Fake News problem will not be solved by technology

By Hagai Bar-El, 903 words
Categories: Security Analysis, Security Policies, Counter-media

One reason we struggle with finding a solution to the fake news problem is that we have never defined the problem properly. The term “fake news” started as referring to publications that look like news but are entirely fabricated. It then migrated to consist also of news articles that are just grossly inaccurate, to later expand further into consisting also of news one doesn’t like and tries to dispute.

It is amusing to see how we seek technical mitigation towards a problem which is entirely semantic. Just like a lie detector does not detect untruths but only the artifacts of a lying person, all technologies that are considered for fighting fake news do not detect untruths but mostly willful propaganda. However, just like plain deceiving, publishing propaganda also consists of many shades of grey, implying that whatever solutions we find, we will never be happy with them.

We should recalculate our route.

  2020-02-22

What will artists do when AI makes art? ...Same as security architects

By Hagai Bar-El, 1024 words
Categories: Security Analysis, Counter-media

Computers today already know how to draw great paintings using artificial-intelligence (AI) algorithms, after analyzing many real-human paintings. A sales house just sold one machine-generated portrait painting for $540,000, and by now there are startups that produce AI-generated portraits for $40 a piece. On the musical front, there already are algorithms that, after analyzing compositions made by Bach, compose “Bach” symphonies that even avid listeners cannot tell apart from the real thing. This brings up the question of what’s in the future for artists, now that machines create art that is indistinguishable from that produced by humans.

The same question (at a lower scale) has also been asked about security professionals. Now that machine learning algorithms can tell good from bad when looking at any type of event data, what would human security analysts be left to do? Traditionally, machines used to only sort through records using rules that humans wrote for them, but as it seems, machines are constantly getting better at writing those rules for themselves as well.

So should both worry for their jobs? My stance is that they should not, and for surprisingly similar reasons.

  2017-10-13

For and against security checklists, frameworks, and guidelines

By Hagai Bar-El, 636 words
Categories: Security Engineering, Security, Cyber Security, Counter-media

We have seen many of those by now, starting with old ones like FIPS 140, and concluding with more recent additions such as the NIST CSF (Cyber Security Framework). The question is: are those worth my time? What are they good for? Do we need to adhere to them? In a nutshell, I think they have their value, and need to be consulted, but not worshiped.


License

All contents are licensed under the Creative Commons Attribution license.