So, SOPA is the news of the day, in terms of the Internet and security; it has been for well over a month now. In case you’re not familiar, SOPA is the Stop Online Piracy Act. It will “authorize the U.S. Department of Justice to seek court orders against websites outside U.S. jurisdiction accused of infringing on copyrights, or of enabling or facilitating copyright infringement.” I won’t bore you with the typical arguments about how it’ll infringe on free speech, or weakens safe harbor, etc. These arguments have been made, and they may have some validity, but let’s talk technology. SOPA is the most recent in a long line of legislation intended to regulate the internet. Such legislation is doomed[…]

I’ve mentioned Whole Disk Encryption in the past. There are a number of products, both free and paid, which will allow you to encrypt your entire hard disk, or the hard disks on your servers. In a recent study whole disk encryption (referred to as FDE in the study) has been shown to significantly hamper investigation. Basically, the encryption is too good. Even with techniques like cryogenic RAM freezing it’s often unlikely that the encryption can be bypassed. But there’s a huge, gaping hole in such protection: you can’t USE encrypted data. For it to be accessible and usable, it has to be decrypted. (In other news, it is not possible to open properly locked doors, nor to pass through[…]

I am currently experimenting with my smartphone, to see if its Mobile Access Point Functionality allows it to function as a wireless router independent of Internet connection. In theory, it should – it is capable of providing internet access to four attached devices, and that suggests that it should have router functionality, meaning that the attached devices should be able to talk with each other, rather than simply to the Internet. In practice, I know that sometimes seemingly important parts of networking implementations are, well, not implemented. The most egregious example, in my experience, was a commercial-grade firewall which was unable to pass UDP traffic under certain circumstances. The lesson I learned then was that just because the hardware and[…]

A few years ago, a friend of mine served in Afghanistan. It was, as he described it, a long and mostly dull duty. When not busy with soldierly duties, he wrote on his blog and took pictures, often of the rather picturesque – to those who didn’t have to traverse it – scenery. At one point, however, he was informed that these landscape pictures were, in fact, an operational security violation. Not the ones taken in-camp, but the gorgeous panoramas of Afghani mountains and valleys. The theory was that, using those pictures, insurgents could find their position. My friend’s response was succinct: “I think they already know about the mountains, sir.” In a previous job, I was charged with creating[…]

When contracting with a data center, we ask plenty of questions. We ask about their security posture. Do they monitor entrances and exits? Do they police building parking? How is their alarm system monitored? How secure is their network? Are the cages secure? Who can get into the building? We ask about their ability to handle disasters. What kind of fire extinguishers do they have? Do they use fire-resistant doors? Slab-to-slab construction? Can they handle flooding? Power outages? But we need to start asking another set of questions: what is their legal posture? A couple of months ago, an FBI raid at a data center in Reston took out “tens” of the data center’s customers, in spite of the FBI[…]

I just recently bought a new netbook. Now, I know that netbooks are supposedly on the way out, but I love the low price, long battery life, and massive portability. But there’s a problem with netbooks and security. They’re massively portable – whether the person doing the porting is me or a thief. I do my best to keep my netbook safe, but being realistic I’ll admit that it could happen. Now, the biggest loss from someone stealing my netbook is in data; the hardware really isn’t all that expensive. My netbook doesn’t just contain personal information; it’s also full of important business data. I can and do perform regular backups to make sure I don’t lose any of the[…]