Saturday, April 5, 2014

Internet of Things strikes back

The Internet of Things is the next big hype around the corner. Or ... already right in your room, if you own one of those consumer devices that are silently powered by a general-purpose operating system like Linux, or by a widespread proprietary specialized one, like the Cisco OS that powers all of their products. Such devices include network appliances, smart (and some "dumb") TV sets, as well as surveillance cameras and DVRs.

And all those "things" are part of the Internet, either by accident (due to misconfigured and overly open networks) or intentionally.

What happens if a hacker finds a way into one of those things is described in this article. There, the malware (a bitcoin miner) was silently installed over a Telnet port that was open by default (and not blocked on the nearest router/NAT). And a miner is a small evil compared to what can happen if attackers get into a camera recorder, disable recording, and then join robbers in robbing the protected house.


Wednesday, April 2, 2014

Important new security extension

A new security extension was introduced in RFC 7169. Please check it for details.

Wednesday, January 15, 2014

Hardware attacks are still more effective

An attack was carried out on victims' computers in quite an unusual way: by physically breaking into the victims' room and installing spyware on their computers from offline media. This turned out to be much simpler than trying to hack into the computers remotely.

More at http://www.f-secure.com/weblog/archives/00002647.html

Friday, November 1, 2013

The end of cryptography?

I've just now come across the words of Adi Shamir (one of the fathers of modern cryptography) from February, when he said that "cryptography is becoming less and less important". He explained that recent attacks successfully penetrated even the strongest barriers, and from this fact he concludes that cryptography is becoming less important.

This is an erroneous and misleading judgment, and it becomes even worse when it comes from a cryptography specialist. The most obvious conclusion to draw from the successful attacks would be that stronger barriers are needed. There is a more significant problem to be addressed, though: the quality of defense.

Current software developers and system integrators don't pay much attention to overall quality, and to security in particular. Businesses demand the shortest possible time to market, and this of course contradicts the goal of achieving a proper security level. In addition, there is a shortage of developers and IT specialists on the market, and it's even harder to find security-aware software developers.

So the right conclusion must be: "we must educate more security specialists and create a dedicated industry of digital security services". That's what I would expect to hear from any security-oriented person.

Tuesday, October 1, 2013

Why not use the phone in business communications

People are well-organized and sophisticated animals, in whom reflexes and habits (as opposed to thinking) play the major role. One of those habits is to talk rather than think. This approach is convenient for everyday communication, but when it comes to business negotiations or technical questions, the phone is not a productive option. And here's why.

The first delusion is the seemingly fast resolution of the problem. Yes, a phone call is a fast way to make somebody do something in your favor (possibly things that have been postponed or overlooked before). That's fine. However, if the problem needs time to work on, the benefit of the phone call vanishes immediately. Moreover, distracting the specialist from his work brings nothing but frustration to both sides.

The second delusion is effectiveness in obtaining information. Easy come, easy go. When you get some information, you ask for more details, and unless you write them all down immediately (and what was the point of calling, then, if you need to write or type what you hear?), they are forgotten. When you have a written (typed) communication transcript, you can always go back to it and clarify the things that were not clear. Moreover, the other party can do the same, so what you have agreed on is not forgotten by either party.

Last but not least is the possibility to think. A fast resolution of anything is almost never very effective. And while in everyday life a suitable but faster solution is preferred to the most effective but late one, in business it's different. By saving 5 minutes on typing you can lose hundreds of dollars on an ineffective solution. So it's all simple math.

There is one more factor, which applies to various support and assistance channels. Written communication makes support personnel more accurate and attentive, because they know that the transcript can always be inspected and reviewed by the management of both parties. Also, if a dispute is initiated by either side, both parties can review the history of the communication and work out a mutually satisfactory position.

To summarize the above: phone communication can save you 5-10 minutes, but the long-term benefits of written communication significantly outweigh that seemingly saved time.