| 25th Aug 2008 |
General | (357 Reads)
There’s more to selecting an enterprise second-factor authentication method than meets the retina scanner. As with any IT project, each dollar spent must produce business value. With multi-factor authentication, this translates to value beyond simply verifying an employee’s identity.
| 21st Aug 2008 |
General | (367 Reads)
Novels
The first part of the list is of novels I have read in the last year that have a strong IT security focus, are well written, and can teach the security interested IT professional something about security. If you haven’t read them yet, they should definitely be on your reading list.
They’re listed in the order I read them, which is conveniently also alphabetical order.
Cryptonomicon
This Neal Stephenson novel is a trifle unique in that it is actually two tales, each with its own plot, in one. The narrative switches between these tales regularly, one set during World War II, the other in the modern world. Specific modern technologies are often fictionalized (e.g. Finux, a thinly veiled reference to Linux, and Ordo, an encryption system that doesn’t exist in the real world but very well could), while more general technologies (e.g. cryptographic technologies in general) are entirely real.
The story introduces the reader to concepts that, for most of us, may be new. It ends up being almost accidentally educational in that respect, presenting ideas about cryptographic currencies, principles of cryptographic technology, and some of the history of modern computing and modern cryptography in forms easily digestible for the technically inclined reader. It even presents a rather unique demonstration of basic cryptographic principles in action in the form of the Solitaire cipher, a cryptographic system invented by Bruce Schneier specifically for Cryptonomicon that can be employed without a computer, via a normal deck of playing cards. It’s not a trivial, toy cryptographic system, however: it is meant to be a form of strong cryptography. In fact, when Cryptonomicon was published with the Solitaire cipher algorithm printed within its pages in the form of a Perl script, saving that script in a file on a computer in the US and emailing it to someone in another country would have violated US munitions export laws, because it qualifies as “strong encryption”.
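To show what a deck-of-cards stream cipher actually does, here is Solitaire in Python as an added example (it is not the Perl script from the novel nor Schneier’s own code). The card encoding of 1..52 in bridge order with the jokers as "A" and "B" is this example’s choice, and the five-letter grouping and X padding of the published description are omitted.

```python
# Cards: 1..52 in bridge order (clubs, diamonds, hearts, spades); "A" and "B" are the jokers.
JOKER_A, JOKER_B = "A", "B"

def card_value(card):
    """Counting value of a card; both jokers count as 53."""
    return 53 if card in (JOKER_A, JOKER_B) else card

def move_down(deck, joker, steps):
    """Move a joker down `steps` places; the deck is circular, so from the bottom it goes just below the top card."""
    for _ in range(steps):
        i = deck.index(joker)
        deck.insert(1 if i == len(deck) - 1 else i + 1, deck.pop(i))

def triple_cut(deck):
    """Swap the cards above the first joker with those below the second joker."""
    a, b = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[b + 1:] + deck[a:b + 1] + deck[:a]

def count_cut(deck, n):
    """Move the top n cards to just above the bottom card, which stays put."""
    return deck[n:-1] + deck[:n] + deck[-1:]

def solitaire_round(deck):
    """Steps 1-4: joker A down one, joker B down two, triple cut, count cut by the bottom card."""
    deck = list(deck)
    move_down(deck, JOKER_A, 1)
    move_down(deck, JOKER_B, 2)
    deck = triple_cut(deck)
    return count_cut(deck, card_value(deck[-1]))

def letters(text):
    return "".join(c for c in text.upper() if "A" <= c <= "Z")

def key_deck(passphrase=""):
    """Start from the unkeyed deck; per passphrase letter do steps 1-4, then a count cut by its value (A=1..Z=26)."""
    deck = list(range(1, 53)) + [JOKER_A, JOKER_B]
    for ch in letters(passphrase):
        deck = count_cut(solitaire_round(deck), ord(ch) - 64)
    return deck

def keystream(deck, n):
    """Step 5: after each round, count down from the top by the top card's value and output that card; a joker outputs nothing."""
    out = []
    while len(out) < n:
        deck = solitaire_round(deck)
        card = deck[card_value(deck[0])]
        if card not in (JOKER_A, JOKER_B):
            out.append(card)
    return out

def solitaire(text, passphrase="", decrypt=False):
    """Encrypt (add the keystream) or decrypt (subtract it) A-Z text, letter by letter mod 26."""
    msg = letters(text)
    ks = keystream(key_deck(passphrase), len(msg))
    return "".join(chr((ord(c) - 65 + (-k if decrypt else k)) % 26 + 65) for c, k in zip(msg, ks))
```

With the unkeyed deck the first keystream values are 4, 49, 10, so encrypting "AAA" gives "EXK"; the same passphrase on the recipient’s side regenerates the keystream and subtracts it.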
Halting State
Probably the least directly educational of the three, this novel by Charles Stross is most interesting for its speculations on virtual currencies, virtual realities in meatspace, cyber-terrorism, and the social implications of all of the above. The primary characters are involved in the investigation of what starts out looking like the “robbery” of a virtual bank in a near-future MMORPG, but quickly spins out of control as they discover that all is not as it at first seems.
It is written primarily in the second person, reminiscent of old text based adventure games, which I found a little difficult to get into at first — especially with the switching between perspective characters in different chapters. It’s an engrossing tale, with a well constructed plot, however.
Little Brother
Cory Doctorow set out to write this novel for “young adults” (i.e. teenagers), with an intentionally educational thread throughout. The main character, a high school student with a perhaps more than healthy interest in learning what others don’t want him to know (and using that knowledge), is a hacker in the original sense who, written in the first person perspective, spends a fair bit of time explaining matters of IT security to the reader.
Little Brother is probably the best-written work of fiction that doubles as an educational text I have ever read, in part because it presents basic concepts within the context of the story and encourages the reader to pursue further knowledge on his or her own. If you read the entire novel and don’t find yourself inspired to read more on the subjects and concepts presented, you may just not be cut out to be a technologist at all. It’s the kind of book I wish I had in my hands when I was thirteen — but even now, about two decades older, it was a thoroughly enjoyable and inspiring read.
The plot surrounds the events following a terrorist attack on the Bay Bridge in San Francisco, in a future so near it was quite a while before I was sure it wasn’t written to basically take place in the present. Politically, it looks like it may take place around 2011 some time, though it is flexible enough that it might believably take place any time in the next decade. The technologies are essentially the technologies we know today, with a few specific additions that could well arise in the next few years.
Like usual, Doctorow’s challenges to the dominant paradigm go beyond the content of his fiction: this novel is not only available at bookstores and libraries, but also as a free download under the terms of a Creative Commons license. If you like reading full-length novels in digital file formats, you can get it there as a plain text, PDF, or HTML formatted file. I personally prefer having a physical book in my hands, so that’s the form of the novel I read.
For a more personal take on Little Brother, check out my brief review in my personal Weblog.
Related reading
The second part of the list is works that aren’t novels — in one case, a book-length essay on the development of operating systems, and in the other a collection of short stories.
In the Beginning was the Command Line
People who enjoy Cryptonomicon may also want to read Stephenson’s In the Beginning was the Command Line, a lengthy essay examining the history of operating systems. It was written in the late 1990s, and is a little dated now, but the lessons it conveys are no less valuable. While it doesn’t directly address security, it does provide some insights into the design philosophies and necessities of operating systems, the collective mindset of their users, and other matters that provide a basis for understanding the security characteristics of systems incorporating various OSes and real-life end users. It has been published as a short book, but is also available for download as a Mac Stuffit or Zip compressed plain text file, free of charge. Among the rest of the works in this list, this is the only one I read for the first time before 17 July 2007. I have read it several times, however, the most recent being a few months ago. It’s not only worth reading once — it’s worth revisiting.
Overclocked: Stories of the Future Present
Doctorow’s Overclocked: Stories of the Future Present is a collection of short stories by the author of Little Brother. Many of them, individually, seem tailor-made to challenge the comfortable preconceptions of the modern technologist, illustrating in science fiction prose the possible consequences of contemporary technology policy. Like Little Brother, and most if not all the rest of Doctorow’s fiction, it is available as a free download as well as in dead-tree hardcopy editions.
Recommendations
If you’re a technology enthusiast, and there’s anything in the above list of works that you haven’t read, you should rectify that oversight soon. They’re all well written, informative, and often inspiring. Three of them are even available for free online, so the excuses for failing to read them lie somewhere between slim and none.
| 18th Aug 2008 |
General | (324 Reads)
Defining public Wi-Fi
To make sure we’re all on the same page, let’s first define public Wi-Fi networks as those that allow unrestricted access. That’s a simplistic definition, but it describes what’s typically available at venues like airports, hotels, and hotspots. Since unrestricted access eliminates the ability to encrypt Wi-Fi traffic, it also means there’s no real security at that layer.
Is there more risk at airports?
So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I’m traveling. At any given airport, it’s very easy to capture copious amounts of unencrypted digital traffic.
I hope that explanation made sense, but I’m concerned that many people share DonnaKline’s viewpoint. With that in mind I would like to discuss some high level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple. If the information is undecipherable to everyone except the intended viewer, it’s secure. In real life information security is anything but simple. That’s why an informed Wi-Fi user is the most powerful security tool available.
Three distinct security zones
I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. To keep it simple, I use the three following zones:
Wi-Fi security zone: This zone is the one most people are aware of, as it is the first step in gaining access to the Internet.
Wired security zone: This zone is the in-house infrastructure that acts as a go-between for the Wi-Fi network and the Internet.
Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet.
To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my adviser’s information as it traverses the wired and Internet security zones?
To explain, that particular coffee shop could be capturing customers’ personal information as it passes through the wired security zone. I’m not saying that it’s being done, but it could be. It’s also possible for people who steal information and identities to set up capture equipment in the coffee shop without the owner’s permission. Now that my financial adviser understands that there are different security zones, it’s easier for her to make an informed decision about what security measures to use.
Proper tool for the job
Good news for road warriors is the availability of security tools that will protect information traveling across all three security zones or any combination thereof. From a security expert’s viewpoint, utopia would be everyone using an IPsec VPN at all times. Nice, but let’s get back to the real world. Security does not come free, and it’s the user that carries the additional burden created by increased security. Let’s continue using my financial adviser in the two following examples, which depict situations where both security and convenience are considered:
Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should produce the maximum amount of security. That would be some sort of VPN application. So she enables the computer’s VPN client, creating a digital tunnel that traverses all three security zones and connects to the VPN server at the office. Once the VPN tunnel is set up, digital traffic is encrypted and sent through the tunnel. If any of this traffic were captured by an attacker it would be complete gibberish and virtually impossible to decipher. That’s about as good as it gets, and most security experts would be happy.
Anonymity and local security: Next, my adviser wants to surf the Internet, checking out some vacation spots now that April 15 has passed. She’d rather not use the VPN, since it’s piped through the office’s Internet access and may create an unnecessary bottleneck. The only thing is, there’s this rather odd-looking guy using a notebook with a strange antenna attached to it sitting in the next booth. What if he’s snooping? Does he know the encryption passcode? Wait a minute, I convinced her to get an “IronKey” for safe portable file storage. Luckily, it’s configured to connect to an SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping, and it’s simpler to use than a VPN connection.
Final thoughts
The two examples are only meant to show what’s possible, not to advocate specific devices or methodology. That’s unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in “10 Wi-Fi security tips for the road warrior” will be good additions to the road warrior’s security tool kit.
| 13th Aug 2008 |
General | (250 Reads)
Replication helps protect your data and files by producing a duplicate copy at a second site, server, or storage array. I covered host-based replication in a previous blog.
In this blog, I’ll cover two other types of replication — array-based replication and network (or fabric) based replication.
Array-based replication
Array-based replication requires a central data storage unit (SAN or NAS) and a partner unit. With array-based replication, the SAN or NAS itself handles the data and runs the commands that process and validate the data being replicated.
Advantages of array-based replication
The work is offloaded from the servers to the storage device.
You only need one location to control many replications of multiple servers.
Hosts (Servers) are not required at the second site or to be attached to the second SAN/NAS.
A central SQL server can be set up to replicate with the servers that actually present applications to users, such as order tracking applications.
The right software can quiesce databases to ensure that transactions and the database are in a recoverable state.
Disadvantages of array-based replication
Cost per device can be high, especially when you’re not replicating all of the data on the SAN.
Only SAN or NAS based data can be replicated or controlled.
A second SAN or NAS is required, increasing the cost for the solution.
There could be compatibility problems with replication technology/software across SAN/NAS hardware from different vendors.
Examples of array-based replication software
HP StorageWorks XP
EMC SANCOPY - Supports EMC and some other vendor arrays
EMC MirrorView - EMC only replication
NetApp SnapMirror
Network-based replication
The last type of replication is network (or fabric) based replication. This type of replication works separately from the hosts (servers) and the storage devices. A device on the network intercepts packets being sent between hosts and arrays and copies them. These copies are replicated to a second device that then replays the packets at a second location. The devices are, in essence, splitters: the data goes in and is then split out to different destinations.
Advantages of network-based replication
It’s a separate component from the SAN/NAS or the hosts.
Processing is independent of the host and the SAN/NAS.
It allows replication between multi-vendor products.
Disadvantages of network-based replication
The cost of implementing devices to support this kind of replication is high.
It is newer technology for the data center; standards and processes are still being worked out.
There are a limited number of “players” in this area of replication.
| 6th Aug 2008 |
General | (227 Reads)
What’s the first rule of using a computer? I’d wager that nine out of ten support staff would agree on this one. We might all think it’s a no-brainer, but for as long as I’ve been in this business (20+ years), rule number one was to save often. I’m amazed at how many people don’t. Here are some of the things I see.
I recently upgraded a bunch of computers in the office, and to accommodate busy work demands, I would swap the boxes after hours. More often than not, I would find that people had gone home for the day leaving any number of files open. Of course, when I closed them, I was asked if I wanted to save the changes. That can only mean that the file wasn’t saved before that person went home. Some of them didn’t even have a proper file name, since I was asked if I wanted to save Document1, or Workbook1, or some other default name. Personally speaking, I never even walk away from my computer without saving, much less go home for the night without doing it. In fact, I seldom leave anything open when I leave for the day.
Someone approached me recently with a gripe about how Microsoft will sometimes automatically reboot his computer after an upgrade. I have these computers scheduled to check for upgrades late at night so people aren’t interrupted with it during the day. Of course, his gripe wasn’t really about the automatic reboot, but rather how he lost some work because of the files he left open — without saving. One question will put an abrupt end to that gripe: Didn’t you save your work before you went home?
Another person called me over not too long ago because, for some unknown reason, our primary application software, AutoCAD, threw a rare hissy fit and displayed an unrecoverable error message. Nothing was responding, and the only way to proceed was to end the task. Of course, this meant the file couldn’t be saved. When was your last save? I asked. The three-hours-ago answer she gave was a tough one to hear. However, all might not have been lost, I thought, since AutoCAD has a nice auto-save feature. But for some reason, the file created by that auto-save was incomplete. I’m not sure why, but it probably has something to do with how AutoCAD references different files and such. For whatever reason, it just wasn’t there.
Okay, maybe this is all a minor rant, but after repeating rule number one — save often — over and over (probably into the thousands of times over the years), it’s still something a good number of people obviously don’t do. I have to wonder why, but the answer remains elusive.
Okay, one more minor rant: Someone asked me today why his e-mail was not getting out of his outbox. Just a hunch, I said, but perhaps it’s the 47 MB file attachment you’re trying to send!
P.S. I’ll be on vacation for the next week, so I’ll look forward to replying to any comments after I get back.
| 4th Aug 2008 |
General | (149 Reads)