... "Maybe they'll ban markers."

Digital Lock? Try a Hairpin

... "We used duct tape to fix the photoflash lamp on the video port of a Wentworth Labs MP-901 manual probing station."

NYT's John Markoff reports on Ross Anderson's latest exploits. No sign yet of the academic paper on his web site.

Vulnerability Is Discovered in Security for Smart Cards

Many of the major IT zines are running a story on this, but none I read linked directly to the paper. Here it is.

Abstract: The current IEEE 802.11 standard is known to lack any viable security mechanism. However, the IEEE has proposed a long term security architecture for 802.11 which they call the Robust Security Network (RSN). RSN utilizes the recent IEEE 802.1X standard as a basis for access control, authentication, and key management. In this paper, we present two security problems (session hijacking, and the establishment of a man-in-the-middle) we have identified and tested operationally. The existence of these flaws highlight several basic design flaws within 802.1X and its combination with 802.11. As a result, we conclude that the current combination of the IEEE 802.1X and 802.11 standards does not provide a sufficient level of security, nor will it ever without significant changes.

Available online in Acrobat PDF, 236 KB, 12 pages.

I can't help but think that the IEEE's "RSN" will soon be recast by its critics as "Real Soon Now."

An Initial Security Analysis of the IEEE 802.1X Standard [PDF]

Summary from Scout Report: Research and Development in Advanced Network Technology (RADIANT) is a computer research division of the Los Alamos National Laboratory. The Web site offers many publications from the five research focus groups within RADIANT: High-Performance Networking, Monitoring and Measurement, Cyber Security, Network Architecture, and Robust Systems and Networks. This material is mostly beneficial to professionals and research students specializing in these areas. The site also has links to information about job opportunities available at RADIANT, as well as the Advanced Summer Curriculum for Emerging Network Technologies (ASCENT). ASCENT is a summer internship program that accepts both undergraduate and graduate students interested in networking research.

RADIANT Research | Los Alamos Nat'l Lab

"Security requirements for new eCommerce and Internet applications exceed the traditional requirements for network security and traditional software systems. Security requirements are more complex and increasingly critical. Informally stated and defacto requirements are often of critical importance in the design and operation of these systems, but are frequently not taken into account. The second symposium on requirements engineering for information security invites papers on a diversity of topics, particularly ones that point out new directions. Theoretical, experimental, and experience papers are all welcome."

Symposium on Requirements Engineering for Information Security

The U.S. House of Representatives today overwhelmingly approved a bill that offers $880 million in funding to government agencies for researching ways to improve U.S. computer and network security. ... "Security has to mean more than locking doors and installing metal detectors," said Rep. Brian Baird, D-Wash., speaking in support of the bill, which contains language he sponsored. "The virtual systems that are vital to our nation's economy must be protected." ...

House Passes Computer Security Bill | WashPost

"Featured seminars will include California Attorney General Bill Lockyer, US Federal Trade Commission Chairman Timothy Muris, Author James Bamford, John Perry Barlow, State Senator Jackie Speier, Author Bruce Sterling, Ed Felten, John Podesta, and others."

Session topics include: cyberspace law, biometrics, crypto, privacy, national ID cards, FOIA, USA PATRIOT, elections, tools for community, open source, medical privacy, digital divide, DMCA, intellectual property, ICANN, P2P, international security, anonymity, and more.

Get this: DoubleClick is a CFP sponsor this year! (And: MSFT and AOLTW are patrons!)

Computers, Freedom & Privacy | CFP 2002

Full text of this MIT Press book is available online (in draft form).

Trust is the critical variable in Internet Commerce. Trust requirements differentiate Internet from other forms of commerce. Trust has three primary components: reliability, security, and privacy.

There is trust in routing, trust in encryption, and trust in applications. The layers of trust, the areas of risk, the power of cryptography, and the limits to security are all explained for the general audience in this text.

When a business obtains customer data, the customer trusts that the data are used to improve service for her, and not used in a manner that harms her. The business is not necessarily violating privacy but is certainly requiring some extension of trust from the customer. This book carefully examines that trust relationship and examines the types of data that are most immediately useful but the least used.

This book contains detailed explanations of fault tolerance and the components of reliability. Most transactions today are not fault tolerant. If a transaction is not reliable (in the sense of being fault tolerant) someone is at risk when the transaction fails. It is therefore important to be able to read a transaction-based Internet commerce standard and understand from that the risks involved in using the standard.

_Trust & Risk in Internet Commerce_ by L. Jean Camp

by Gregory J. Rattray. MIT Press, April 2001, ISBN 0-262-18209-2, 480 pages.

Dorothy Denning says: "This excellent analysis is essential reading for anyone concerned with the defense posture of the United States. All those with a stake in the security of the information infrastructure should read it. There is nothing else like it."

In the "information age," information systems may serve as both weapons and targets. Although the media have paid a good deal of attention to information warfare, most treatments so far are overly broad and without analytical foundations. In this book Gregory Rattray offers a comprehensive analysis of strategic information warfare waged via digital means as a distinct concern for the United States and its allies.

Rattray begins by analyzing salient features of information infrastructures and distinguishing strategic information warfare from other types of information-based competition, such as financial crime and economic espionage. He then establishes a conceptual framework for the successful conduct of strategic warfare in general, and of strategic information warfare in particular. Taking a historical perspective, he examines U.S. efforts to develop air bombardment capabilities in the period between World Wars I and II and compares them to U.S. efforts in the 1990s to develop the capability to conduct strategic information warfare. He concludes with recommendations for strengthening U.S. strategic information warfare defenses.

Strategic Warfare in Cyberspace

As expected, self-described "longtime security expert" Bruce Schneier has responded to the recently published Microsoft internal memo outlining Bill Gates' new-found motivation for security.

Schneier gets it mostly right. He rightly points out that trust must be earned. He champions simplicity in design and implementation. He identifies as problematic the commingling of data and code, asks for "rigid separation", and wants scripting features removed. This sidesteps the issue of insufficient user understanding regarding security, which is something no one is likely to solve any time soon.

But he also wants to put a stop to SOAP and clarify blurred distinctions between local and remote resources. This runs counter to the promise of distributed computing and is increasingly irrelevant when users' data and applications are remote, anyway.

In short, Schneier wants Microsoft to make a lot of changes that will upset, frustrate, and alienate the average customer, at least in the short- and mid-term. Although the results may be long-term positive for users and industry, Microsoft will suffer for a while. There is no easy way to quickly deploy secure infrastructure and convince users to give up things to which they've become accustomed. Schneier briefly acknowledges the business cost of his recommendations. It's important to see that what works for Sun with Java may not be feasible for Microsoft with XP and .Net. Java is mostly free, and is ultimately intended to sell more Sun hardware. The code is all Microsoft has to offer; this fact necessitates a different approach.

Schneier asks Microsoft to open-source Windows and Office, but stops short of expressing an interest in reading the code.

"Making security Microsoft's first priority will require a basic redesign of the way the company produces and markets software. It will involve a difficult cultural transition inside Microsoft. It will involve Microsoft setting aside short-term gains in order to achieve long-term goals."

'Results, Not Resolutions' | Schneier and Shostack on Gates memo