Category: "Counter-media"

About the Counter-Media category

By Hagai Bar-El, 92 words
Categories: Counter-media

One of the objectives of this blog is to put security related facts and events in their correct perspective, from an objective and professional point of view, clean of marketing and political biases.

The posts under the Counter-media category bring forward the other side of arguments, often the side that is least heard. They show a different perspective than that shown by most other sources. The goal is never controversy in its own right; it is to make the reader truly informed, by showing the angle that is out of the spotlight.


2009-07-24

Companies collect data on us --- so what?

By Hagai Bar-El, 865 words
Categories: Security Policies, Counter-media

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that is not necessary to render the service. Sometimes we will forgo using a useful service just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, or its lack of…

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits is just wrong. Technologists like Cory Doctorow call for treating personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, even though he has done nothing wrong. All of this is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on oneself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google Apps users), and Facebook collect. Why should I care about having my personal data on-line?


2009-04-04

On the Purpose of Security Standards

By Hagai Bar-El, 960 words
Categories: Security Policies, Counter-media

An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer security breaches, which seems to indicate that the standard is ineffective.

There are two questions that need to be asked:


2009-03-06

Right, the kernel can access your encrypted volume keys. So what?

By Hagai Bar-El, 717 words
Categories: Security Engineering, Counter-media

On January 15th, TechWorld published an article called "Encryption programs open to kernel hack". Essentially, it warns that the key to encrypted volumes, that is, to software-encrypted virtual drives, is delivered by the encryption application to the kernel of the operating system, and thus may be captured by a malicious kernel.

“According to a paper […] such OTFE (on-the-fly-encryption) programs typically pass the password and file path information in the clear to a device driver through a Windows programming function called ‘DeviceIoControl’.”

And they consider it a threat:

“Dubbed the Mount IOCTL (input output control) Attack by Roellgen, an attacker would need to substitute a modified version of the DeviceIoControl function that is part of the kernel with one able to log I/O control codes in order to find the one used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be vulnerable.”

Such “findings” occur often when the security model of a security system is ignored.


2008-01-26

The TSA Does Not Get It Completely Wrong

By Hagai Bar-El, 537 words
Categories: Security Policies, Counter-media

Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA’s mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, more effective measures, such as intelligence. Airline security, according to those opposing the TSA’s acts, should be in effect long before the terrorist reaches the airport. All existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.

I generally agree, but I do so with mixed emotions.


2008-01-13

The iPhone Hack -- Security Done Wrong or Security Done Right?

By Hagai Bar-El, 552 words
Categories: Security Engineering, Counter-media

A while ago the iPhone was hacked so as to make it usable on networks other than AT&T’s.

Since that moment, many opinions have been voiced on how Apple could have done its security better and how the hack could have been prevented. Moreover, some of the industry's security experts went back to their desks to work out a stronger mechanism that could save the gigantic firm from such embarrassments in the future.

An obvious question comes up: couldn’t Apple, with its $167 billion market cap, afford to pay some good security designers to protect its assets on the iPhone?


License

All contents are licensed under the Creative Commons Attribution license.