Decius
Current Topic: Computer Security

Tom Noonan on Computer Security
Topic: Computer Security 6:03 pm EDT, Sep 20, 2005

Thomas E. Noonan
Chairman, President and Chief Executive Officer, Internet Security Systems
The Cyber Security Paradox: National Security, Economics and Privacy in the 21st Century

The video is an hour long. It's the first time I've heard a credible connection made between Al'Q and computer crime, specifically phishing scams. Noonan also says that "privacy is dead" which reminds me of Scott McNealy. I don't think privacy is dead. I think there is a massive backlash in the works, but it's going to take a disaster before people do something about the problem.



RE: The Six Dumbest Ideas in Computer Security
Topic: Computer Security 11:54 am EDT, Sep 12, 2005

Dagmar wrote: It is Clue.

Argh. Why'd you have to post something so inflammatory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that it's a good thing to write quasi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique than they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. It's possible that over time people will tire of all the openness, and if they do, no one will be happier than computer security people, but for the time being some applications are going to be default permit, and it's not the computer security community that drives that.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that it's less expensive to implement a Default Deny policy than to enumerate badness and that most of the computer security industry is a sham!

He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more than $30.

His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, it's coming, and it's called Palladium, and I will concede that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.

3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful. The fact is that no one has designed a vulnerability-free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look for flaws and ...



Schneier on Security: New Cryptanalytic Results Against SHA-1
Topic: Computer Security 10:06 am EDT, Aug 19, 2005

Xiaoyun Wang, one of the team of Chinese cryptographers that successfully broke SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, announced new results against SHA-1 yesterday at Crypto's rump session. (Actually, Adi Shamir announced the results in their name, since she and her student did not receive U.S. visas in time to attend the conference.)

Shamir presented few details -- and there's no paper -- but the time complexity of the new attack is 2^63. (Their previous result was 2^69; brute force is 2^80.) He did say that he expected Wang and her students to improve this result over the next few months.



Interview with Dan Kaminsky on Microsoft's security
Topic: Computer Security 2:04 pm EDT, Jul 21, 2005

My name is Dan Kaminsky, and I am a security researcher focusing on applied mechanisms for analyzing and understanding very large scale networks.



Microsoft meets the hackers | CNET News.com
Topic: Computer Security 10:19 am EDT, Jun 17, 2005

The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle.

Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.

"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.

Lots of links to interesting stories here...



CRM News: RFID : Chase Bank Rolls Out Contactless Credit Cards
Topic: Computer Security 11:04 pm EDT, Jun 12, 2005

Security experts familiar with the cards' radio frequency identification (RFID) technology, described by Chase as "contactless functionality," expressed some concern over the devices' security strength. Some have suggested that they may make it easy for perpetrators to commit fraud or identity theft.

Saw an ad for ChaseBlink tonight. This ought to be interesting... Contactless credit card purchases. No signature. No PIN. Just wave it over the reader. I can tell you how I'd have designed it, but I would be surprised if there were no vulnerabilities here.

While this is rather elaborate, a computer-controlled RFID device connected to increasingly common cellular wireless internet systems relays the transaction to another reader, maybe taped to a chair in a shopping mall food court.



An interesting approach to phishing scams
Topic: Computer Security 2:17 pm EDT, Jun  1, 2005

] Bank of America (Research) will require Internet clients
] to register their computers and assign a digital image,
] such as a photo of a pet, to their accounts in an effort
] to cut down on fraud, the bank announced.
]
] The image will appear on the site every time a customer
] has to enter a password.

I think this is a pretty good idea, and quite simple.



CryptoVirus
Topic: Computer Security 12:35 pm EDT, May 25, 2005

] A ransom note left behind included an e-mail address, and
] the attacker using the address later demanded $200 for
] the digital keys to unlock the files.

It was inevitable that someone would finally actually try cryptovirology. It doesn't work too well when you don't have a way of picking up the money...



Mac malware door creaks open | CNET News.com
Topic: Computer Security 10:50 am EDT, May 10, 2005

] One widget, he says, will automatically install itself on
] users' desktops when his "Zaptastic" Web site is visited
] using Apple's Safari browser.

Why would I want Safari to allow web pages to do stuff without asking me?

Link: (This will install a widget if you open it in Safari)
http://stephan.com/widgets/zaptastic/



BBC NEWS - Malaysia car thieves steal finger
Topic: Computer Security 11:09 am EST, Mar 31, 2005

] Police in Malaysia are hunting for members of a violent
] gang who chopped off a car owner's finger to get round
] the vehicle's hi-tech security system.

Biometrics are dumb.


