WS Blogs

Shifting problems, rather than solving them.

I happened to be browsing CNN and noticed a story entitled, "Cameras that scold." The short description read:
"Residents and police say talking surveillance cameras reduce crime. CNN's Gary Nurenberg reports ( April 8 )"
Basically, the city of Baltimore has, at residents' requests, installed surveillance cameras that are activated by motion detection sensors. Upon activation, it alerts:
"Your photograph was just taken. We will use it to prosecute you."
You can check out the video here. (Just to warn you in advance, it's a pop-up window, so you may have to adjust your pop-up blocker.)

The assumption, by the community – both residential and law enforcement – is that crime has been reduced since the implementation of these cameras. However, that's not what one can really conclude. The cameras are isolated security measures; that is, while they may deter criminals from the target they monitor, this says nothing about reducing the amount of crime that will actually take place.

What you have here isn't a way to solve the problem; it just moves the problem somewhere else. You see this a lot – protecting targets (especially those already hit). This isn't practical, nor does it make sense. Have you tried counting all the possible targets? Me neither. Suppose we have a front door and back door. A criminal comes in the front door, so afterwards, we install surveillance cameras above the front door. Does this reduce any crime? No, it just lets the criminal know that he'll have to use the back door next time.

There have been numerous reports on the ineffectiveness of sur

Justin Troutman’s blog

It is rather nice to have a cryptographer on board actually. Better yet, one with a blog to boot! As I am sure Justin can attest, for many people cryptography is a subject not understood in the slightest. On that note I shall beetle on over to Justin's blog and make a post asking him how to, say, relate cryptography to the everyday person.

You may or may not know that Justin has actually spoken at several high end security conferences on matters of cryptography. That to me speaks volumes to not only his knowledge of the subject matter, but also his ability to convey a highly technical topic in terms that the layman can understand. Not bad for a Southerner :p

Questions for the Audience: Current Cryptographic Concerns

This question is aimed at both developers and consumers. The role I fulfil is strictly cryptanalytical; that is, when I work on a project, I conceptualize what the security infrastructure should look like, from a cryptographic standpoint, but the developers ultimately implement this conceptualization of mine. Oftentimes, when I'm brought onto the project, there is already an infrastructure in place, and nine times out of ten, it's insecure, because it's either missing something or doing something wrong. I'm in the process of writing a rather large series on this, but that's all the details I'm relinquishing for now. 😉

Anyhow, my question is this. As a developer, what types of goals do you try to achieve, cryptographically? I know this is context-dependent, but at the bare minimum, what do you feel is sufficient, for preserving confidentiality and integrity? As a consumer, what do you look for in a cryptographic solution? What characteristics are deciding factors?

Okay, so one question turned into four. Oh well. Hehe. I ask because I've noticed a lot of falsified stigmas and misconceptions that lead to developers falling short and consumers looking for the wrong things. An ongoing interest of mine is learning more about why cryptography fails so often at the implementation level, and why some bad cryptographic products are able to gather a large fan base. More importantly, I'm learning for the sake of suggesting ways to mitigate the effects of these issues, and in some cases, avoid them altogether.

Thanks in advance, and a great Thursday to y'all from the Carolinas!

Reverse engineering methodology

Reverse engineering is really a pretty cool area of computer security. You need not be frightened by it though if you have limited programming knowledge. That said, the more programming knowledge you have the better, especially so as it pertains to Assembly. There are certain things that you will be looking for in an executable that you are attempting to do RCE (reverse code engineering) on. The usual error-prone functions, such as the str* series, are always a good start. Also, you may want to go looking for any mathematical functions, which could indicate encryption; those are always a good bet as well. There is some very interesting research being done, as I believe I already mentioned, by the Metasploit crew on a new tool that will help one do RCE. Anyhow, should any of you have some war stories you would like to share that are reverse engineering related, feel free to share them.
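As an added illustration of the triage step described above (not code from the original post), here is a small Python script that reads `nm -D`-style symbol output and buckets the imported functions into the categories the post suggests looking for: unbounded str*/format routines, their bounded cousins, and math or crypto-flavoured names. The sample symbol listing is constructed for a hypothetical binary, not taken from any real file.

```python
import re
from collections import defaultdict

# Constructed sample of `nm -D` output for a hypothetical binary (not a real file).
SAMPLE_NM_OUTPUT = """\
                 U strcpy@GLIBC_2.2.5
                 U strcat@GLIBC_2.2.5
                 U strncpy@GLIBC_2.2.5
                 U sprintf@GLIBC_2.2.5
                 U gets@GLIBC_2.2.5
                 U pow@GLIBC_2.29
                 U BN_mod_exp
                 U AES_encrypt
                 U printf@GLIBC_2.2.5
0000000000001140 T main
"""

# Unbounded string/format routines: the classic "str* series" RCE triage starts with.
UNBOUNDED = {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "sscanf"}
# Bounded variants are safer but still worth a look (off-by-one, missing NUL terminator).
BOUNDED = {"strncpy", "strncat", "snprintf", "strlcpy", "strlcat"}
# Name prefixes hinting at arithmetic or cryptographic code worth closer inspection.
MATH_CRYPTO = re.compile(r"^(pow|exp|log|fmod|BN_|EVP_|AES_|DES_|RSA_|SHA|MD5|RC4|mont)", re.I)

def parse_nm(text):
    """Return the set of undefined (imported) symbol names from nm -D output."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        symtype, name = parts[-2], parts[-1]
        if symtype == "U":  # undefined here, i.e. resolved from a shared library
            names.add(name.split("@", 1)[0])  # drop the @GLIBC_x.y version tag
    return names

def triage(imports):
    """Bucket imported symbols into review categories, most dangerous first."""
    report = defaultdict(list)
    for name in sorted(imports):
        if name in UNBOUNDED:
            report["unbounded"].append(name)
        elif name in BOUNDED:
            report["bounded"].append(name)
        elif name.startswith(("str", "mem")):
            report["other_str_mem"].append(name)
        elif MATH_CRYPTO.match(name):
            report["math_crypto"].append(name)
    return dict(report)

if __name__ == "__main__":
    for category, names in triage(parse_nm(SAMPLE_NM_OUTPUT)).items():
        print(f"{category}: {', '.join(names)}")
```

On a real target you would pipe `nm -D <binary>` into `parse_nm` instead of the constructed sample; each flagged import is a place to set a breakpoint and look at how its arguments are built.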

A new blog about matters cryptographic, and some other things.

Well folks, I have finally hopped on the blog bandwagon, which I am excited about. I have a personal weblog at http://www.justintroutman.org/blog/, but it's reserved for intense cryptanalytical miscellany only, such as the latest cryptanalysis from around the community, and my own research. Here, I'll discuss a variety of issues – some more cryptographic than others. Oh, and I cordially invite you – no, wait, I not only cordially invite you, but encourage you to pass along any questions or topics you may have, that you'd like to see elaborated on. Who knows; it may be the type of question or topic to devote an article to. I'll be on the look-out for some interesting security issues, of which I'll be posting soon. So, until then – bon voyadios!

Cheers,

Justin

[STICKY] Weekly Permutation: News and information on happenings within the cryptographic community

The Weekly Permutation's focus shifts from happenings in the cryptographic community, to general computer security, to the politics that affect it all.

Cryptographic coverage includes everything from the latest cryptanalysis of block ciphers and hash functions to the use of cryptography in a malicious context, such as cryptoviral information extortion.

In regards to general computer security and the politics surrounding it, coverage includes varied topics, ranging from the legal ramifications of full disclosure to just plain rotten security decisions and products.

Are you compliant?

Well, we have all heard about the various pieces of legislation that have been passed in the States. Quite a few of them I am sure affect you in the corporate world. That plus the now mandated disclosure of database breaches in certain States in the US makes for some interesting times. Not every corporation has the in-house expertise to get these audits done. Not only that, but do you really want your in-house staff doing it to begin with? It is sometimes a good idea to have this type of compliance work done by an outside contractor. No, this is not an advert from me to you, but rather it is always a good idea to get an objective third-eye view of your network as it impacts legislation passed. How many of you guys actually do have contractors audit your networks? Anyone care to share some stories? I for one think it is a good idea that such legislation as HIPAA and others have been passed. Anyhow, your thoughts if you have any would be good.

Reverse engineering

Reverse engineering is one of those topics that, when discussed, few people have anything to add to. Why? Well, simply because it is such a high-end and niche skill that not too many people practice it. There are a lot of programmers out there, but that said, not too many of them debug their code with IDA Pro, SoftICE, or Ollydbg. In other words, I don't think there are a ton of programmers out there who have a good familiarity with Assembly. I for one don't consider myself a programmer, for I am not. When time permits I continue to attempt furthering my skills in it, which are lame at best in my opinion. But back to reverse engineering for a minute. Bruce Potter I think hit it on the head in an interview he did for Security-Forums when he said he knows people who can rev-eng but not necessarily program the exploit for the bug that may be found. A very astute observation, I would say. Any of you have any thoughts on this? Oh yes! I almost forgot. The guys over at Metasploit (skape) are working on an automated reverse engineering tool that would automate certain things that you would normally have to do by hand. Looking forward to seeing the tool once Skape has time to finish working on it. For all those of you who do use the Metasploit Framework, you may wish to send the crew down there a buck or two to help them out. The money goes towards the project, and perhaps some pizza and beer. Every dollar helps!

Kids and the Internet

The Internet is something that will have always been there for our children. Unlike myself I was actually around to see the Internet evolve into what it is today. It is a really wondrous creation, and has turned into something that is truly fantastic. That said, there are always those sick, loathsome people who for one reason or another put up extremely offensive content.

Question is, what the heck can you do about it? Reality is that nowadays kids need the Internet for school, and for simple email amongst other things. Do you want your 10 or 11 year old seeing explicit sexuality on your computer? I know that I don't. There are no real good solutions. Many software programs exist which take a lot of that undesirable content out of the picture for you, but pornographers are a crafty lot. The most innocent Google search will invariably turn up some hardcore pornography sites.

One of the better solutions is to install something like Squid, and manage things from there. Not everyone though is computer savvy enough, or for that matter has the time to do so. For those who do not have the time or knowledge then s/w programs like netnanny plus some parental supervision should do the trick. Do any of you have some home solutions?

Web application security

Web application security is never far from the headlines in the computer security world. Makes sense really, as the Internet is largely based upon websites. Those very same websites are more often than not the focal point of many attacks from various miscreants, both skilled and unskilled. Not just the websites themselves either, but often the back-end databases that support them. There is an incredible array of skills and knowledge that one needs to be good at before you can competently practice web app security.

You need to not only know all about PHP, ASP, PERL, Python, SQL, amongst others, but also the protocols that these transactions rely upon. This area of computer security can no longer really be called a niche area. It is becoming larger and larger every year as websites become more attuned to the online threats facing them. You would be a wise person indeed if you began to move your skillset in this direction. Doing web app security is not only fun, it can also be a very lucrative career. Any of you guys do it for a living?