Phillip Hallam-Baker's Web Security Blog

Public Key cryptography is powerful because it allows someone to send us an encrypted email without having the ability to read our encrypted email.

We need something similar to solve the Internet messaging problem. According to Google my email address is published in 36,500 documents on the Web. Not surprisingly I get a lot of spam. If my home telephone was published as much it would never stop ringing. The problem is not just spam and other junk, even the legitimate calls can be overwhelming.

So here is the challenge for the next generation of Internet messaging: a system that combines text, voice, video, synchronous (e.g. Instant Messaging) and asynchronous (e.g. email) seamlessly using the same identifier for all modes of communication with built in filtering systems to direct contact requests to the most appropriate mode based on the state of the person being contacted (work, personal, sleeping), the content of the message (urgent alert, chit-chat) and the party making contact (personal friend, colleague, boss, junk marketer, student, fan, etc.).

We can consider the filtering system complete when Paris Hilton is able to post her personal contact identifier on her Web site so that her personal friends can find her without being inundated with calls from fans and paparazzi.

Posted by Phillip Hallam-Baker at 07:09 AM | Permalink

Like many security specialists I have been following the Blue Pill saga. Blue pill is essentially a rootkit inspired by The Matrix. Once the achine has swallowed the blue pill it is owned absolutely and there is no way for the suer to know that they are owned. The way Blue Pill works is that it burrows under the O/S and runs it in a virtual machine.

One feature of the Blue Pill debate caught my attention. Joanna Rutkowska is for the time being concentrating on the AMD platform. This brings the ususal security paranoia of 'must be paid by Intel' since if Blue Pill were to be released Intel platforms would become more secure.

Or would they? After all the Intel and AMD architectures are both equally vulnerable. The choice of AMD was made because the programmer was somewhat more familiar with the AMD chip. The Intel chips also support a virtual machine mode. On the other hand there is to date only a known exploit for one platform (albeit incomplete).

This illustrates the difference between tactical security and strategic security. Until there is a known (or suspected) Intel exploit then there is a tactical security advantage to using Intel. From a strategic security point of view there is no difference.

If you had a very short term project that you had to be absolutely sure was not compromised by Blue Pill (and this was the only concern) there would be an argument for making a processor choice on the basis of tactical security. Otherwise the difference is not worth bothering about. The answer is to develop a secure platform that is 1) capable of recognizing that it has swallowed a Blue Pill and 2) provides an always present Red Pill that allows the user to reverse the effects.

Posted by Phillip Hallam-Baker at 06:58 AM | Permalink

Two interesting papers for students of Internet crime. The first is an analysis of the Google Blacklist by Michael Sutton. Its interesting to note how the patterns of attack change over time, some targets are perenial others are a bit like the days when the Beatles and the Rolling Stones were duking it out in the singles charts, the same name dominates for a few months, is replaced but then returns.

The other interesting piece is a USNIX paper by the Cymru folks. This describes how the perpetrators interact. One interesting footnote here the prices of bots do seem to be sliding.

[Hat tips, Jean-Jacques Halans, Joe St Sauver]

Posted by Phillip Hallam-Baker at 08:23 AM | Permalink

When the Internet and OSI network protocol stacks went head to head in a standards war in the early 1990s many factors influenced the outcome.

Internet people usually cite the technical superiority of their specifications as the reason but besides being self-serving the sad fact is that such issues are rarely decided by which specification is 'best'. Betamax was technically superior to VHS in many ways but VHS was superior in one technical respect (longer playing time) but the main reason that people bought VHS recorders was that far more films were released on VHS than Betamax which in turn reflected the fact that more people had VHS which in turn...

One reason was that the Internet had an earlier start. The tipping point had already been reached by the time OSI implementations started to become available. The tipping point itself being the World Wide Web. However well a Web browser might work on the OSI network stack all the content was on the Internet.

Another reason was that participation in the development of OSI was much more difficult than participation in the IETF. The ITU is a UN agency steeped in the diplomatic culture. Issues such as allocation of radio spectrum or telephone dialing codes are usually tedious. But when the resources being allocated are limited they can easily lead to conflict. Wars have started for less.

Even implementation of the OSI stack was made more difficult. The IETF has always made its standards available free of charge. The ITU imposed steep charges. When I was implementing an X.509 parser library at CERN I found that it would cost hundreds of dollars to buy the specifications I needed for a relatively small project. The specifications for the complete OSI stack would cost tens of thousands of dollars. This might not be prohibitive for a large company but it certainly killed the possibility of any open source efforts.

The ITU is the guardian of many standards that we use every day. They describe the operation of the telephone system, broadcasting and much more besides. OSI is dead but even some parts of OSI live on (X.509 and ASN.1 in particular). Today's news that these standards will now be available for free is good news.

One company note, in bringing the news to the attention of the IETF, Brian Carpenter, the IETF chair recognized Carl Malamud and VeriSign VP Tony Rutkowski as the prime movers [1].

The standards are available on the ITU site in PDF format.

Posted by Phillip Hallam-Baker at 08:25 AM | Permalink