Category: "Counter-media"

About the Counter-Media category

21:11, by Hagai Bar-El, 172 words
Categories: Counter-media

One of the main objectives of this blog is to put security-related facts and events in the correct perspective. This is needed in cases where the traditional media has its own objective of blowing news out of proportion. The security media, often sponsored either by advertisers or by product vendors, has an occasional tendency of disseminating FUD (fear, uncertainty, and doubt) more than necessary. For example, they can take a single unattributed compromise of a web server and shout that "cyberwar is here".

Without arguing who is right, many of the posts in this blog bring forward the other side of the coin. They show a different perspective than that shown by other sources. The goal is never controversy in its own right; it is to make the reader truly informed, by showing the angle that doesn't get the headlines.

The counter-media category consists of posts that present perspectives, insights, and opinions that may differ substantially from those typically presented by the media, and by that provide food for independent thought.


  2009-09-02

A business model based on people making bad security trade-offs

22:24, by Hagai Bar-El, 483 words
Categories: IT Security, Counter-media

From time to time I am exposed to a new service, sometimes security-related, that promises something new. More often than not, the new security service is novel, but only because either no one really needs it, or because it does not form a good balance between security and other needs. The cases of the latter category are far more interesting.

Full story »

  2009-07-24

Companies collect data on us --- so what?

22:22, by Hagai Bar-El, 865 words
Categories: Security Policies, Counter-media

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that is not necessary to render the service. Sometimes we will forgo using a useful service just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, or its lack of...

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits is just wrong. Technologists like Cory Doctorow call for treating personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, even though he did nothing wrong. All of this is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on oneself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google Apps users), and Facebook collect. Why should I care about having my personal data online?

Full story »

  2009-04-04

On the Purpose of Security Standards

22:21, by Hagai Bar-El, 960 words
Categories: Security Policies, Counter-media

An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer from security breaches, which seems to indicate that the standard is ineffective.

There are two questions that need to be asked:

Full story »

  2009-03-06

Right, the kernel can access your encrypted volume keys. So what?

22:19, by Hagai Bar-El, 717 words
Categories: Security Engineering, Counter-media

On January 15th, TechWorld published an article called "Encryption programs open to kernel hack". Essentially, it warns that the key to encrypted volumes, that is, to volumes of software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

“According to a paper [...] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called 'DeviceIoControl'.”
And they consider it as a threat:

“Dubbed the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DeviceIoControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”
Such “findings” occur often when the security model of a security system is ignored.

Full story »

  2008-01-26

The TSA Does Not Get It Completely Wrong

22:09, by Hagai Bar-El, 537 words
Categories: Security Policies, Counter-media

Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA's mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, more effective measures, such as intelligence. Airline security, according to those opposing the TSA's acts, should be in effect long before the terrorist reaches the airport. All existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.

I generally agree, but I do so with mixed emotions.

Full story »

  2008-01-13

The iPhone Hack -- Security Done Wrong or Security Done Right?

22:06, by Hagai Bar-El, 552 words
Categories: Security Engineering, Counter-media

A while ago the iPhone was hacked so as to make it usable on networks other than AT&T's.

Since that moment, many opinions have been voiced on how Apple could have done its security better and how the hack could have been prevented. Moreover, some of the industry's security experts went to their desks to work out a stronger mechanism that could save the gigantic firm from such embarrassments in the future.

An obvious question comes up: couldn't Apple, with its $167 billion market cap, afford to pay some good security designers to protect its assets on the iPhone?

Full story »