The InfoSec Blog

Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Posted by Anton Aylward

Tim Cook says Apple will fight a federal order to help the FBI hack an iPhone.

An earlier version of this page had a paragraph which seems to have been deleted later:

It was not immediately clear what investigators believed they might find on Farook's work phone or why the information would not be available from third-party service providers, such as Google or Facebook, though investigators think the device may hold clues about whom the couple communicated with and where they might have travelled.

Is that "Whom" grammatically correct?

This does raise a 'why' in my mind.
Can't the other service providers (who would it be, AT&T, Verizon?) supply the 'traffic analysis' of whom they communicated with? Isn't this the sort of "metadata" that the government spies are supposed to be collecting?

Opening the phone won't give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I'm not sure how helpful that will be and it's likely to cast suspicion on innocent parties.

The 11 tiniest, most powerful computers your money can buy

Posted by Anton Aylward

I have my doubts about many things and the arguments here and in the comments section loom large.

Yes, I can see that business sees no need for an 'arms race' escalation of desktops once the basics are there. A few people, gamers, developers, might want personal workstations that they can load up with memory and high performance graphics engines, but for the rest of us, it's ho-hum. That Intel and AMD are producing chips with more cores, more cache, integrated graphics and more, well, Moore's Law applies to transistor density, doesn't it, and they have to do something to soak up all those extra transistors on the chips.

As for smaller packaging, what do these people think smart phones and tablets and watches are?

Gimme a break!
My phone has more computing power than was used by the Manhattan project to develop the first nuclear bomb.

These are interesting, but the real application of chip density is going to have to be doing other things than serving the desktop. It's going to be

1. IoT
2. Servers
3. backbone/communications

And for #1 & #3 Windows will become, if not an impediment, then irrelevant.
It's possible a very stripped down Linux can serve for #1 & #3, but somewhere along the line I suspect people might wake up and adopt a proper RTOS such as QNX, much in the same way that Linux has come to dominate #2. It is, however, possible that Microsoft will, now that Gates and Ballmer are out of the scene, adopt something Linux-like or work with Linux so as to stay relevant in new markets. The Windows tablet isn't the success they hoped for, and the buyout of Nokia seemed more to take Nokia out of the market than to become an asset for Microsoft to enter the phone market and compete with Apple and Samsung. Many big firms that do have lots of Windows workstations are turning to running SAMBA on Big Iron because (a) it's cheaper than a huge array of Windows Servers that present reliability and administrative overhead, and (b) it's scalable. Linux isn't the 'rough beast' that Ballmer made out, and Microsoft's 'center cannot hold' the way it has in the past.

14 antivirus apps found to have security problems

Posted by Anton Aylward

Let us pass over the "All A are B" illogic in this and consider what we've known all along. AV doesn't really work; it never did.
Signature based AV, the whole "I'm better than you cos I have more signatures in my database" approach to AV and AV marketing that so bedazzled the journalists ("Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!") is a losing game. Skip over polymorphism and others. The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the 'human firewall' or whatever the buzz-word is that appears in this month's geek-Vogue magazines, whatever the latest fashion is. What's that? Oh right, the malware writers are migrating to Android, the industry commentators say. Well, they've tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendors - yes, vendors tried convincing Linux and Apple users to buy AV products, on the argument that because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft - gave up dunning the journalists and advertising when they found that the supposed market wasn't convinced and didn't buy.

That large software production is buggy surprises no-one. There are methods for producing high quality code, as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require a discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are driven by 'lines of code per day' metrics, feature driven popularity and the 'first to market' imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I'm not surprised. Neither am I surprised when I hear that so many point-of-sale terminals are, if not already infected, then vulnerable.

But then all too many organizations take a 'risk-based' approach that just is not right. The resistance that US firms have had to implementing chip-and-PIN credit card technology while the rest of the world had adopted it is an example in point. "It was too expensive" - until it was more expensive not to have implemented it.


Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The

Posted by antonaylward

Perhaps The Woz isn't the influence he once was, and certainly not on Wall Street and the consumer market place.

Woz and I at dinner

The unbounded RAH-RAH-RAH for the "Cloud" is a lot like the DotComBoom in many ways. No doubt we will see a Crash rationalization.


Control objectives – Why they are important

Posted by Anton Aylward

Let us leave aside the poor blog layout, Dejan's picture 'above the fold' taking up too much screen real estate. In actuality he's not that ego-driven.

What's important in this article is the issue of making OBJECTIVES clear and communicating them (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.

Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy[1], and the low level objectives[2]. Call that the tactical or the operational level. Differentiating between the two is important. They should not be confused. The high level, the POLICY OBJECTIVES should be the driver.

Yes there may be a lot of fiddly-bits of technology and the need for the geeks to operate it at the lower level. And if you don't get the lower level right to an adequate degree, you are not meeting the higher objectives.

If Customers Ask for More Choice, Don’t Listen

Posted by Anton Aylward

Customers are Ignoring You (Photo credit: ronploof)

Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.

That being said, 'competitive advantage' can lead to paralysis.

In the auto world, each badge, each product line has an 'advantage'.
But what many customers want is a blend.

Suppose you had

  • the hydropneumatic suspension of Citroen
  • the crash survivability of Volvo
  • the fantastic new six speed high efficiency automatic gearbox that Chrysler is soon to release
  • the BOSE sound system of a BMW
  • the capacity of a Dodge minivan
  • the fuel efficiency of a Prius
  • the twin camera automatic following/crash avoidance system of a Subaru

all rolled into one ....

The problem is that you can't.

For a while, the IBM-style PC chassis offered that kind of 'blend'.
As the saying went ...

Be very glad that your PC is insecure --it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
-- John Gilmore of the EFF

But the majority of consumers are the "lemmings". In reality it's like the stage magician fanning a pack of cards and saying "pick a card, any card you want". You don't really have freedom of choice; you can only pick what's offered to you, by the stage magician or the vendor.

And sometimes the constraint of choice, as Apple is doing, says "focus, focus, focus" and plays to the Big Brother Knows What's Best For You.
Sometimes it's nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).


Naval War College uses Russian software for iPad course material

Posted by Anton Aylward


The Navy's premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet
computers equipped with GoodReader software in August 2010,
unaware that the mobile app was developed and maintained by
a Russian company, Good.iWare, until Nextgov reported it in February.

OK, so it's not news, and OK, I've posted about this before, but ...

Last week I was reading another report about malware and it stated that most malware yamma yamma yamma had its origins in the USA. No doubt you've seen reports to that effect with different slants.

So the question here is: Why should software produced in the country where there are more evil-minded programmers be superior to software produced in Russia?

Why would anyone choose Linux when they already have Windows?

Posted by Anton Aylward

I could go through a litany of complaints I have about Linux. I could
complain about the confusing number of distributions. I could complain
about the propensity of Linux proponents to cause unnecessary confusion
by abbreviating or using acronyms for Linux-only functions. I could
complain about the silly confusing names they give applications.

How come Linux gets berated for this?
There's a plethora, a confusing plethora, of Microsoft products, since, compared to Linux, that world is unbundled.

But Microsoft aside, look at the auto industry; it was once said that you could order over a quarter of a million different variations given the options on some Chrysler models. There are still many distributor/vendors, and different dealers/outlets offer different deals, trade-ins, offers and options. The auto industry has more acronyms than the computer industry and lots of special functions and tools.

For example, the spring inside my seat-belt buckle slipped out of place so that the buckle won't lock the clip in place. The way the buckle is built you can't take it apart, so the whole assembly has to be replaced. The bolt that fastens it into the seat assembly (remember, the seat has to be able to gyre and gimble without altering the tension of the belt, so the belt is bolted to the seat, not the frame of the car) is a special one, the only one (except for the other seat belt) in the car. Of course it takes a special tool. As it turns out, the tool costs more than the over-priced replacement seat-belt assembly. And since it is for that purpose only on that model series (apparently it was changed for another equally unique bolt and matching tool in later models) my mechanic did not have that tool in his toolbox. He tells me that this is normal, that the auto manufacturers have many twists and turns like this that serve to lock out the independent mechanic by forcing up the cost of operations.

I look at the computer industry and think how easy it actually is to move between vendors of hardware and software. I really can't see why if you are an office worker familiar with MS-Word you will be unable to do any work if faced with OpenOffice - or WordPerfect or WordPro. Once upon a time both Apple and Microsoft "sold" the GUI interface as being something that was "obvious" and wouldn't need training and thick documentation. Whether or not that's so, moving from one word processor to another, one mail user interface to another, has nothing to do with the underlying OS or the names and acronyms used.

As the article says:

An operating system exists only to create an environment for
applications; nothing more, nothing less. Most people sit down at a
computer and just start using it without worrying about what operating
system it is running.

So why the fuss? Gnome and KDE have "skins" that can make them look like OSX or any of the Microsoft operating systems. The various distributions of Linux are more like the various offerings of the auto industry; they mostly resemble each other and copy ideas from one another. If you can drive a Ford - sorry, SUSE - you can drive a Chrysler - sorry, Mandriva. Or even a Volvo/BSD. And since I've seen Americans cope in England after just a few minutes, I'll add MGB/LinOS.

So Why Linux?

The article has a theme about moving from Windows to Linux. What it doesn't touch on is why one might want to move.

The reason for most people is that they get a new computer. They are probably going to have to change OS - from W/95 or W/XP to Vista. This is likely to be even more traumatic than if they changed to Linux with an appropriate skin. I've certainly seen many reports of application-only users who had their system "regressed" from a Vista they didn't like to their "old" system which was actually Linux looking like XP. The reality is that most users see the applications and neither see nor want to see the OS. The same applies for most car drivers. They just want to drive.

When Mark Kaelin says that John Sheesley can crash Linux over and over - so what? The issue isn't that someone with John's background and expertise can crash Linux, it's how stable Linux is for an ordinary user. And compared to Windows, it seems to be about 15 years further down the road. Windows seems to emphasise 'dressing'. Perhaps that's why Mark Shuttleworth wants to address the image of the desktop.
It's worth reading some of John's articles - he's not rabidly anti-Linux. Or rabidly anti-Microsoft.

When Mark points out that viruses and malware exist for Linux he omits to note that these are 'proof of concept' things that neither exist nor could exist in the wild. The underlying architecture of Linux makes it more resilient to whole classes of malware. The idea that it's 'immune' because it doesn't have the market share is a myth.

I've asked many people in the business world why they don't use Linux, and all in all their reasons tend to be emotional not logical.

But to be fair, if security and reliability are the deciding issues, as many Linux enthusiasts claim, then why aren't they using BSD? I ask that of them and I get an emotional response similar to the one I see when I ask Windows enthusiasts about Linux.