Archive for the ‘Computer Security’ Category

Accountability and Data Breaches

Posted on June 25th, 2007 in Computer Security, Politics and Law | No Comments »

One of the biggest reasons that computer security is so lax across many private industries is that there is a serious lack of accountability. If a business has a massive data breach, currently the only major or direct consequence of that breach to the business is a public relations problem of some degree. Of course, for many of the people who just had sensitive personal information compromised irretrievably, the consequences are much more dire.

In light of this, I’m very pleased to have read about some promising recent state laws that are allowing businesses to recover costs related to data breaches by other businesses. This is a bit abstract so here’s an example: ABC Corporation has a data breach. This data breach requires XYZ Incorporated, who has many of the same customers, to spend a lot of time and money updating records and making sure that all their customers are once again legitimate. Under laws similar to the ones mentioned in the article, XYZ Incorporated can now recover costs from ABC Corporation.

This sort of financial accountability is critical to improving data security across industries. Bruce Schneier has talked about this before. It’s a fairly simple principle that for some reason has been particularly slow to catch on. Unless there’s a financial incentive to good data security practices, businesses won’t bother with them.

I also like that this is a business vs. business scenario because that should improve enforcement dramatically. HIPAA has been stuck in limbo because of a near complete lack of enforcement to this day. Other businesses are much more likely to take the time to sue companies with poor data security than the government.

Email Privacy Ruling

Posted on June 22nd, 2007 in Computer Security, Politics and Law | No Comments »

Earlier this week the Sixth US Circuit Court of Appeals made an important ruling about the privacy of emails. This ruling basically states that a probable cause warrant would have to be issued for investigators to get access to your emails from an ISP. While you might have thought that something like this would already have been standard practice, the reality is that previous to this ruling investigators could have readily gained access to your emails from your ISP and you likely wouldn’t have known.

Another important thing to take from this is that anyone using an encryption protocol for their email would have been unaffected by a secret investigation. Investigators would certainly have been able to gain access to your emails, but they would have had no way to read them. I understand a lot of the arguments against using email encryption. It isn’t user friendly in most cases and there’s a lot of annoying overhead in setting it up right. However, in a world where almost every kind of communication from love letters to business deals is talked about in emails, which are stored on thousands of different servers for much, much longer than people realize, there’s certainly a compelling argument for biting the bullet and dealing with the overhead.

If you are using a webmail account, this could be more difficult. However, as I posted previously, there are some promising signs that email encryption can be done entirely through a web browser.

Apple, ZFS and Laptops

Posted on June 13th, 2007 in Computer Security, Technology | No Comments »

Well, the results are in and everyone predicting ZFS as the file system for the next version of Apple’s Mac OS X was only partially right. Turns out that ZFS won’t be the exclusive file system used in Leopard. Of course, this news has come by way of massive back and forth. Needless to say, there’s a lot of confusion about this story. Confusion is never a good thing. If you only wanted to read one article about the whole ordeal, this one summarizes everything pretty well.

Personally, I would be interested in using ZFS in two possible scenarios. The first would be on a Linux desktop / server, which is likely not going to happen because it is released under an incompatible license. To make a short story long: ZFS is released under the CDDL, which doesn’t really play nice with Linux, but there’s a movement to port ZFS to FUSE/Linux so that it runs in userspace under the CDDL. At best, it’s under investigation.

The other place where I would be interested in using ZFS is on a laptop. This is interesting because of the incremental remote backup facilities that it provides. I also like the built-in compression features. However, I have to say that lack of file system encryption is probably a deal breaker for me on a laptop. It’s just too important to have on a laptop. There is a zfs-crypto project, but it’s still under development.

I know this was originally scoped out as a server file system, but I don’t understand why they didn’t want to include encryption at the file system level. There are certainly a lot of uses for file system level encryption in a server environment, not the least of which is to avoid the cloudy legal status of third party consent in computer searches. With an encrypted file system, you don’t have to worry about someone stealing your hard drive and using another tool to read its contents. Maybe I’m extremely biased, but it seems like any new file system that wants to take itself seriously at the server level and especially on laptops should be designed to at least allow encryption as an option.

GnuPG and Gmail

Posted on June 5th, 2007 in Computer Security, Technology | 2 Comments »

One of my pet peeves with Gmail is that it doesn’t have native support for GnuPG. I don’t think email encryption will ever achieve widespread adoption unless it’s built in to a major webmail client. Since Google’s philosophy of doing no evil seems at least somewhat close to doing something good, I was hopeful that they would find a way to get it to work. Of course, that didn’t happen. I suspect that it was and is because they want to be able to scan the text of your emails to provide you targeted advertising. I don’t really know because I don’t use Gmail that often.

However, there was an article that caught my eye on Linux.com about a new Firefox plugin called FireGPG that allows someone to use GnuPG with their Gmail client. I haven’t tried it yet, but it really looks legit. Also, I’ve been looking for something like this for so long that I couldn’t wait to announce that it does, in fact, exist. If only web-based email security wasn’t once again an afterthought…

Oracle vs. SAP

Posted on April 3rd, 2007 in Computer Security, Politics and Law, Technology | No Comments »

I recently read Jennifer Granick’s latest column on Wired about the interesting legal case between Oracle and SAP. Basically, an Oracle customer wanted to switch to SAP and gave SAP their passwords to log into some Oracle systems. Now Oracle is claiming that SAP has broken some computer crime statutes for accessing a computer illegally.

Granick’s column looks at this from the perspective of anti-competitive practices. While I agree that this has some implications in that area, my first thought about this case was that it was an information property issue. If I was a customer and I gave my information to a company, I would say that I still own that information and should be able to ask the company to remove it or authorize other people to access it.

This sort of thing crops up all the time in online privacy issues. Of course, I am not a lawyer and Granick is a very good one, but I thought it was an interesting issue that seems like it could be solved based on the simple question of who has more rights: the owner of the information or the owner of the place where the information is stored?

The Perception of Risk

Posted on March 23rd, 2007 in Computer Security, Life, Politics and Law, Technology | No Comments »

Over spring break I went to San Francisco to be a tourist. I know that as a computer engineer or software engineer I would likely be visiting San Francisco several times over the course of my career, but there are so many touristy things to see and do there that I am sure it would be disappointing to be in San Francisco for a conference and not be able to do any of them.

It was in this mindset that I went to visit. Of course, the day before I got there San Francisco experienced a magnitude 4.2 earthquake. Having something like this happen put it into perspective for me that I really don’t know much about what I would do if they had an earthquake while I was there. As a tourist, it’s probably not really worth planning too much in that department. The chance that the next big earthquake will happen while you are there is very low.

However, if I were to consider moving to an area that is known to suffer from a particular natural disaster, it would be prudent to plan for the natural disasters that are common in the area. Growing up in Indiana, we learned about what to do in case of a tornado. There were tornado drills in school. We saw it on the news with some regularity. It was a part of our lives. I feel comfortable that I know how to best protect myself in a building when there’s a tornado in the area, but I’m not nearly as well versed with earthquakes.

Of course, that’s pretty much the case with most Americans. I remember reading this Time magazine article back when it came out, but the combination of the earthquake right before the trip and the fact that it was mentioned on Bruce Schneier’s blog brought the concept back to the forefront of my thoughts. I really recommend the Time article, but if you are at all interested in computer security or security issues in general, I really recommend Schneier’s essay on the psychology of security.

Unfortunately I didn’t get to see any of the advertisements in this campaign, but I really love the idea. There are so many things to like about it, particularly in light of the Time article. Americans and people in general really aren’t good at planning for natural disasters. It’s such a great investment idea for so many reasons. Most of the time the preparation is very similar regardless of what kind of disaster you’re preparing for, but people just don’t do it.

Anyhow, to move full circle, the picture I have included in this post is a good view of some of the construction efforts they have going on the south end of the Golden Gate Bridge to make it ‘earthquake-proof.’ Obviously, this is a cultural landmark as well as an important bridge, but it’s nice to see that the folks in charge are investing in what time will likely prove to be an extremely worthwhile investment. Anyone who reads Bruce Schneier’s blog will see that this may be a more rare occurrence than the average person would hope.

Book: Blink by Malcolm Gladwell

Posted on January 28th, 2007 in Books, Computer Security, Entertainment, Life | 1 Comment »

This weekend I finished reading Blink by Malcolm Gladwell. I first heard about this book from Bruce Schneier’s writing about it. It’s a fascinating book that was very easy to read. I highly recommend the book to anyone interested in high speed decision making.

In some ways it is difficult to describe what the book is really about and “high speed decision making” isn’t really all that accurate. I think the primary thing that I took away from this book is that, despite the current trend in thinking, more information about a problem does not always result in the best decision. In fact, it’s quite possible to have too much information about a problem to solve it correctly. This applies to all kinds of problems from crime fighting to computer programming.

Of course, Blink is about much, much more than just information overload issues. It discusses all aspects of how the subconscious mind makes decisions quickly and how we can learn to understand when those “hunches” are accurate. I think some of the implications of this in the security business are just as breathtaking as the ones that Bruce Schneier mentions.

This sort of reasoning might also apply to the design of just about everything. Ask any designer about what makes a truly “good” design and invariably you’ll find out that there’s an aesthetic quality to it. This aesthetic quality is likely best analyzed, at least initially, by the subconscious mind. Most people have an initial “Blink” impression of an iPod that just screams to them about the quality of the product overall. If this was taken into account during the design of other systems, then perhaps the quality of all designs would be improved.

All in all, Blink is an excellent book. I’m definitely interested in reading Tipping Point now. Almost everyone I talked to about Blink asked me if I had read Tipping Point and recommended it when they found out I hadn’t.

Re-install or clean-up?

Posted on January 24th, 2007 in Computer Security, Technology | No Comments »

I haven’t been using Windows as my main OS for years, but I’ve still been tasked with helping friends and family members with their Windows machines from time to time. Now, I’m a graduate student studying computer security and I find it incredibly difficult to clean up a Windows machine that’s been infected with an unknown number of malicious programs. I can’t imagine that it’s much easier for anyone who doesn’t spend that amount of time studying computer security.

A few years ago, I simply gave up and started recommending re-installing Windows as the first course of action. Until now, it’s been difficult to find much in the way of expert opinion to justify this. My mom in particular finds it truly exasperating that I refuse to try and save her from re-installing all her programs and data from backups. Of course, we all should be backing up our data regularly anyhow, right?

Now I have a place to direct my friends and family to justify this advice. There’s a fantastic article by Brian Krebs of the Washington Post about whether or not you should attempt to clean up a Windows machine bogged down with viruses, spyware and other malware or simply re-install. I highly recommend this article both to people who are in my situation and those who don’t understand why they are being advised by computer-savvy folks to simply reinstall.

Virtual Machine Rootkits..

Posted on January 24th, 2007 in Computer Security, Technology | No Comments »

Virtual machines have been a big thing for the last several years, particularly in the server environment. They also have some interesting implications from a security standpoint. For example, with a virtual machine it would be possible to get more data on malware, viruses and security breaches as they run. This could be done regardless of what they do to hide themselves from the host operating system. Virtual machines would also increase the ability to recover from attacks. It would be possible to save an image of a system that was up and running fine as a backup and then cut over to it as soon as something went wrong.

Of course, as with any new technology, there are potential security problems. For example: The Blue Pill. Maybe I am a little late to the party in finding out about this, but it’s the first one I’ve found. I’m not entirely familiar with AMD’s SVM technology, but it’s probably something worth learning more about. I’m interested in seeing how virtual machine based malware is addressed. What happens if the system is already running on a virtual machine? Is there really any way to detect the Blue Pill on a running system in which it resides?