June 22, 2005





The blog has moved

 

The present version of this blog will not be updated in the future.

 

Please visit Fred On Something at its new address: http://fgiasson.com/blog/

 

I hope that you will enjoy the new format and the things I will write on it in the future.

 

Salutations,

 

 

Frédérick


11:19:55 PM

 January 17, 2005





Police Technology by Robert E. Foster

 

 

Buying a book on the internet can sometimes be painful. You don't know what it looks like; you have only one or two summaries and no more information than what the publisher's website gives. If you are lucky, there are some comments on Amazon. However, personally, I now buy books only on the internet. Why? Because websites like Amazon have an astronomical selection of books. Search for a book and you'll find it. Out of print for 20 years? Try Alibris or Abebooks. More and more books are searchable online, and good summaries are written for them. Soon it will probably be the primary place to buy books.

 

I have been contacted by Mr. Robert E. Foster. He sent me a really good summary and a lot of information about his new book. I post it on the blog because it is directly related to it: the union of security and technology, as an introduction for college and university students. These three words (security, technology and education) are enough for me to post this information on the blog. Below is the fact sheet written by Mr. Foster. You can also check the table of contents and four reviews [1][2][3][4] of his book. I haven't personally read it (if anyone wants to send me a copy, leave me a message in my email box and I'll review it with pleasure), but I think it is worth its low price of 33.33$USD.

 

 

 

 

----------------------

 

Subject:

 

The use of the textbook Police Technology (Prentice Hall, July 2004) in colleges and universities.

 

Background:

 

An often-asked question is: how does Police Technology fit into the current course curriculum? A cursory examination of university and college catalogs will reveal few that include courses that directly explore police technology, such as computers in law enforcement or the management of public information systems. However, nearly every criminal justice program includes a course similar to current issues, critical issues or contemporary issues in policing.

 

Analysis:

 

Issue / Police Technology’s Advantages

 

Terrorism and Homeland Security        

  • Explains and discusses fragmentation and interoperability
  • Chapter Seventeen is devoted to using the Unified Command Concept as a technology.  The development of the National Incident Management System (a January 2005 requirement for federal funding at the state and local level) is explored and thoroughly explained as the Standard Emergency Management System.
  • The PATRIOT Act and technologies used in conjunction with tracking and surveillance such as traditional wire taps, Carnivore and Magic Lantern are explained and explored.
  • Privacy, legal and practical issues related to surveillance are discussed throughout.

 

DNA   

  • The science of DNA is explained, along with the development of DNA databases and the ethical and legal considerations.  Several states have had recent legislative changes (including a California referendum) relative to DNA.  DNA figures prominently in many recent and ongoing criminal prosecutions.

 

Community Based Policing       

  • The text defines and traces the history.
  • The text looks at technologies that may enhance the model.
  • The text compares and contrasts how technology may actually reinforce the previous model of policing (professional) and not Community-based.

 

Crime Analysis

  • The theory and science of crime analysis are explained and explored. 
  • Advanced methods of analysis such as geographic profiling are explored.

 

Technology Basics       

  • The text is designed for the computer novice and expert. All students will become better end-users.

 

The Internet     

  • The history and technology are explained.
  • The use of the internet by law enforcement is explored.
  • Numerous examples are used to show how the Internet may enhance community policing.

 

Hi-Tech Crime

  • Computer Crime, Computer-related Crime and technology crimes are defined, explained and contrasted with traditional crime.

 

Liability           

  • The impact of technology on situations wherein there is a tremendous amount of agency and personal liability, such as vehicle pursuits and the use of force is explored.

 

Summary

 

The book explores technology using traditional themes, issues and theories as a common, connecting thread.  The work is meant as a supplement to a traditional education in criminal justice.  Moreover, because technology has changed crime and the work place, an examination of technology better prepares the student for future studies and employment.

 

----------------------


12:13:23 PM

 January 6, 2005





Outsourcing to India

What to be aware of before signing the contract

 

In some of my past posts I worried about some security threats in software development outsourcing. Today, as I read my feeds, I found a fascinating article on the subject. It was pointed out by a blog dedicated to the subject: The Outsourcing Times. You can read the article there: Outsourcing Contracts: Protecting Project Information.

 

I’ll not comment on the article; it speaks for itself. It gives some good hints on how to outsource software development to India and the things you need to be aware of if you care about the security of your contract.


8:13:41 PM

 January 5, 2005





Invisible doesn’t mean non-existent

 

 

 

Just because you don’t see a thing, does that mean it doesn’t exist?

 

This question can be one of faith or of observation. We know that some things exist without our being able to see them, and with experimentation we can demonstrate that the thing really exists.

 

Now, just because you deleted a file on your personal computer, is the file really deleted? Depending on your settings, it will be in the recycle bin. So, if you empty the bin, does the file still exist? You would think obviously not. But the file will still be there; only its reference in the file system is deleted. Okay, if you write over the file’s old sectors and/or perform a low-level format of the hard drive, will the file finally be deleted and unrecoverable? Unfortunately not. It will not be easy to recover the file, but it will still be there, entirely or partially. Am I crazy? No. It will take time and resources, but it is possible. How? It’s the product of a phenomenon called residual magnetism. The subject was covered in the news by ComputerWorld.com some weeks ago.

           

If my memory is right, I read in Body of Secrets by James Bamford that the NSA is able to recover data from hard drives through as many as 5 to 7 low-level formats. Is this freaky? Not if you don’t have state secrets to hide. Remember, they need resources to recover this data. It is not easily done, but it’s possible.

 

Some years ago you would have been able to buy unformatted hard drives at government surplus outlets. Yes, and? you ask. Think about it: what type of information does your government handle? Yes, mostly personal information. I remember that around 5 years ago the government of Quebec got into trouble because citizen records were found on the unformatted hard drives of old computers in such a store. This is a real problem. Is the income of a couple of dollars worth the embarrassment? I don’t think so. Are they still doing it? I don’t know; I haven’t been in such a store since then.

 

The best thing to do is to destroy the hard drive, not sell it. You’ll get rid of all the related possible problems. Check the price of a gig of storage space. Are the possible resulting problems worth the income? Personally, I don’t think so.
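To make the point above concrete, here is an added example (not from the post): a constructed toy disk model in which an ordinary delete only drops the file-system reference, so the record can still be carved out of the raw media, while overwriting the sectors is what removes it from the model. The file names and the sample record are made up for the example.

```python
"""Toy disk model, constructed for this example: an ordinary delete only drops
the file-system reference, so the bytes can still be carved from the raw media;
overwriting the sectors is what removes them from the model (on real magnetic
media, as the post says, even an overwrite may leave residual magnetism)."""
import os
from typing import Dict, List, Optional

SECTOR = 16  # bytes per sector in the model


class ToyDisk:
    def __init__(self, sectors: int) -> None:
        self.media = bytearray(sectors * SECTOR)          # the "platter"
        self.directory: Dict[str, List[int]] = {}        # the only reference to a file
        self.free: List[int] = list(range(sectors))

    def write(self, name: str, data: bytes) -> None:
        used: List[int] = []
        for off in range(0, len(data), SECTOR):
            idx = self.free.pop(0)
            chunk = data[off:off + SECTOR].ljust(SECTOR, b"\0")
            self.media[idx * SECTOR:(idx + 1) * SECTOR] = chunk
            used.append(idx)
        self.directory[name] = used

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the reference, free the sectors, touch no data."""
        self.free.extend(self.directory.pop(name))

    def shred(self, name: str, passes: int = 3) -> None:
        """Overwrite every sector of the file with random bytes, then delete it."""
        for idx in self.directory[name]:
            for _ in range(passes):
                self.media[idx * SECTOR:(idx + 1) * SECTOR] = os.urandom(SECTOR)
        self.delete(name)


def carve(disk: ToyDisk, marker: bytes) -> Optional[bytes]:
    """Recover a record by scanning the raw media for its header, ignoring the directory."""
    start = disk.media.find(marker)
    if start == -1:
        return None
    end = disk.media.find(b"\0", start)
    return bytes(disk.media[start:end if end != -1 else len(disk.media)])


RECORD = b"CITIZEN:Tremblay,J,ID=123456789"  # constructed sample record


def after_plain_delete() -> Optional[bytes]:
    disk = ToyDisk(8)
    disk.write("records.txt", RECORD)
    disk.delete("records.txt")
    return carve(disk, b"CITIZEN:")  # the record is still on the media


def after_shred() -> Optional[bytes]:
    disk = ToyDisk(8)
    disk.write("records.txt", RECORD)
    disk.shred("records.txt")
    return carve(disk, b"CITIZEN:")  # nothing left to carve in this model
```

The model stops where the post's argument continues: on real drives, journaling, remapped sectors and residual magnetism can keep copies that an in-place overwrite never touches, which is why the post recommends destroying the drive.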


5:48:14 PM

 December 20, 2004





The operating system oriented security debate is restarted – Phase 2

Examples of what I was saying.

 

 

Some days ago I was saying:

 

 

"What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well programmed, without any programming bugs, and yet a bad configuration alone can lead to a security hole. You’ll tell me: yes, but the programming is perfect, without bugs, so it’s impossible for such a thing to happen; if it happened then the cause is the user, not me, so it’s not my fault. If you build a system that is hell to configure, then yes, it’s your problem. The interaction between a program and its plug-ins, or a program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices."

 

           

As you can read, it was not really a great discovery. But today, while reading my blog entries, I was amused by some of them. Let me point them out.

 

 

First, Google Desktop. As you can read in the New York Times:

 

 

 

"The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said."

 

 

It’s probably one of the best examples of the phenomenon I was talking about two days ago. These problems are certainly really hard to find, and it takes imagination to discover them. But the point I want to make is that the security of a program isn’t just a function of its code quality. Two programs can each be without security flaws, but put together, security holes appear.

 

A post from Peter Torr is also worth reading. He was writing about Firefox and its appearance of security. Sure, the code is probably not too bad, but some of the features (including the download and the installation) are obscure. So my two pennies in the conversation are just to emphasize the plug-ins point. I have already said it before, but please take care with small and cool plug-ins. As Peter said, you don’t have any way to check their authenticity.

 

What’s cool with Firefox is that it’s a potentially slim browser that you can change at will, with the features you want. The principle is great but also paradoxical when you have security in mind. Firefox itself probably is, or will be, well studied so that its security gets upgraded and patched, but will that be the case for all the plug-ins available on their website? Let me doubt it. The solution? Probably certifying them. The feasibility? Near null for the moment.

 

Finally, I’m not saying to stop using it or to stop using the cool plug-ins available, but only to be aware of the situation when you are using these types of software.


7:06:57 PM

 December 18, 2004





The operating system oriented security debate is restarted.

Please stop your childish games.

 

I read today an article on Wired News that restarts the debate on Linux versus other operating systems’ security issues. The conclusion is:

 

  • 0.17 bugs per 1,000 lines of code in the Linux kernel
  • 20 to 30 bugs per 1,000 lines of code for commercial software

 

These statistics were collected by Carnegie Mellon University's CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell nothing. Fine, theoretically there is less chance that my Linux kernel has bugs that cause security threats. There are certainly chances that the core (open source) of an OS has been more studied than the software it runs. That is exactly the present situation.

 

What about all the other things that come with every Linux distribution? Are they as studied as the kernel? Let me doubt it.

 

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well programmed, without any programming bugs, and yet a bad configuration alone can lead to a security hole. You’ll tell me: yes, but the programming is perfect, without bugs, so it’s impossible for such a thing to happen; if it happened then the cause is the user, not me, so it’s not my fault. If you build a system that is hell to configure, then yes, it’s your problem. The interaction between a program and its plug-ins, or a program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices.

 

How can they summarize computer security risks with lines of code? Can anyone tell me this?


11:22:20 AM

 November 9, 2004





Urban Legends on security
What technology neophytes can think


Last week I came across an interesting "study" done by Secure Computing. What is interesting is to see what people can think about things they don't really understand. In many cases it's probably the telephone-game effect that creates such monstrosities. If I have one suggestion, it's to read them and discuss them with the people in your entourage who may think these urban legends are true. Remember that one of the best security practices is education; anybody can do it.

Here is the list published by Secure Computing:


  1. Hackers can legally break into web sites that lack "warning" notices.
  2. Some Windows system files are really malicious and should be deleted.
  3. Hotel card keys secretly record personal information, which could be maliciously taken advantage of without the person knowing.
  4. Including a fake entry in your e-mail address book will prevent e-mail Trojans.
  5. A digital cell phone can be infected with a virus merely by answering a phone call.
  6. Search engine "crawlers" perform security checks and notify you of vulnerabilities.
  7. Thieves are using lists of "out of office" auto-replies to target homes for burglary.
  8. Free patches e-mailed to you will protect your PC from the latest worm or viruses.
  9. Signing up with a "Do Not Spam Registry" will stop you from getting spam.
  10. Elf Bowling and Blue Mountain Greeting Cards contain viruses.

Enjoy them, laugh at yourself, and consider that many people can think these are real possible threats. Just keep in mind that the situation is normal; otherwise urban legends wouldn't exist. Then, if you're not sure about something a person tells you, just do some research on a trusted web site and you'll be able to assess the threat by yourself.

10:12:49 PM

 October 24, 2004





Do not give power to your foes

The principle of information pipeline

 

 

Many say that information is power. Then why do you give power to your foes? Is that your wish? Here is the idea behind this article: cut off the information pipeline to your enemy to spare yourself greater harm.

 

Do not help your attackers gather information about your network. The first step of an attack is the reconnaissance of the playground. It’s done by social engineering, physical site reconnaissance, internet search, network mapping and DNS reconnaissance. Afterwards they map their target by war dialling, network mapping (ICMP), port scanning and vulnerability scanning.

... Read the full story...


3:35:36 PM

 October 21, 2004





Articles published by Microsoft this week

All on computer security

 

This week many interesting articles about security were published by Microsoft. I’m just writing this little post to let you know about them. The most important publication was the MSDN Magazine issue of November 2004. All its articles are about computer security. They cover a wide range of subjects, from cryptography to .NET technology. After this, there was another really interesting article called The Security Risk Management Guide. It was written to help Microsoft’s clients plan, build and maintain a security risk management program.

 

Still on the computer security subject but on another topic: passwords and pass phrases. There are two articles written by Jesper M. Johansson, Part 1 and Part 2, and another to come soon.

 

Finally, there is the Security Application section of the .NET Framework documentation on MSDN, which is always good reading. It includes Role-Based Security, Secure Coding Guidelines, Code Access Security, Security Policy Management, Security Policy Best Practices and Security Tools.

 

That is all I have to say on this today. Happy reading on Microsoft!


10:10:06 PM

 October 12, 2004





Information Gathering

Keep an eye on your techies

 

Are you an IT department administrator? Do you have people to supervise (techies, developers, etc.)? Keep an eye on them. The problem is that they need information to do their work. Sometimes they don’t find it and ask for it. Sometimes they ask their peers for opinions, reviews and tips. There are several ways to ask for this information. Occasionally they use Usenet or web forums. The problem with these technologies is that all their content is logged. For example, Google has an archive of most Usenet groups going back to about 1997. Most of the time they need to detail their problem to get a valuable answer from other users. If one of them has a problem with the topology of your enterprise’s network, he’ll probably write about the hardware used, the subnets used and the technologies in place inside your enterprise. Finally, most of the time he’ll ask these questions during his working hours. There is no problem with that fact in itself, but working hours also mean the company’s computer and the company’s computer settings, like the company’s email address and identity. So they will use their enterprise email to get answers to their questions.

If you understand the problem, you’ll see that you have a post on a Usenet group, sent by one of your techies or developers, containing sensitive information about your enterprise’s network infrastructure, tagged with the email address of the so-helpful employee.

What can you do? Educate them. The only thing they want is to do their job. But sometimes they don’t see that they can harm the enterprise by doing this type of thing. They only need to be educated about the problem; they only need to be aware of it. It’s your job, not necessarily theirs.

If you don’t believe what I say in this post, try it. You’ll be astonished by the results.
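Education is the fix the post recommends; a small technical check can back it up. The following is an added example (not from the post): it scans a draft Usenet or forum post for the kind of details the post describes, private subnets, internal host names and the company's own mail address, so a reviewer can hold it before it leaves the company. The company domain, the internal-suffix list and the sample post are assumptions constructed for the example.

```python
"""Flag internal network details in a draft post before it is sent from a
work account. The company domain and the sample post are constructed."""
import ipaddress
import re
from typing import Dict, List

COMPANY_DOMAIN = "example.com"  # assumed: the enterprise's own mail domain
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", "." + COMPANY_DOMAIN)

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.I)
MAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def find_disclosures(text: str) -> Dict[str, List[str]]:
    """Return the internal details found in the text, grouped by kind."""
    found: Dict[str, List[str]] = {"private_subnets": [], "internal_hosts": [], "company_mail": []}
    for ip, prefix in IP_RE.findall(text):
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix or 32}", strict=False)
        except ValueError:
            continue  # e.g. "999.1.1.1" or a "/40" prefix is not a valid network
        if net.is_private:  # RFC 1918 and other non-routable ranges
            found["private_subnets"].append(str(net))
    for host in HOST_RE.findall(text):
        if host.lower().endswith(INTERNAL_SUFFIXES):
            found["internal_hosts"].append(host.lower())
    for addr in MAIL_RE.findall(text):
        if addr.lower().endswith("@" + COMPANY_DOMAIN):
            found["company_mail"].append(addr.lower())
    return found


def should_hold(text: str) -> bool:
    """True when the draft discloses something and should be reviewed before posting."""
    return any(find_disclosures(text).values())


# Constructed sample: the kind of question the post describes a techie sending.
SAMPLE_POST = """From: jdoe@example.com
Subject: OSPF adjacency flapping between sites

Hi all, our core switch core-sw1.corp sits on 10.20.0.0/16 and the DMZ is
192.168.50.0/24 behind two firewalls; the branch office uses 172.16.8.0/22
over a VPN to vpn1.example.com. Public DNS at 8.8.8.8 resolves fine. Ideas?
"""
```

On the sample, the public resolver 8.8.8.8 is ignored while the three private subnets, the two internal hosts and the corporate sender are reported; the same question rewritten without those specifics passes the check.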


9:58:42 PM










































