Security Blind Spot: Ignoring the Physical Element
Posted July 16, 2010 by Keith McMillan
I spend a lot of time talking to people about information security. I find that even when they’re interested in protecting their information from theft or misuse, they’re not always focused on the complete security picture. Today’s case in point is the report [via Gizmodo] that thieves spent NINE HOURS stealing laptops from a government contractor, loading up two semi tractor trailers with computers before making their escape.
It does little good to pay attention to digital security if your physical security is weak. Security needs to be treated in a holistic fashion in order to be effective.
The Folly of Password Standards
Posted July 7, 2010 by Keith McMillan
I was out on a web site today, it doesn’t really matter which one, and was forced to create a profile for the (mis)use of the site’s owner. I found their password standards to be, well, “stringent” would be a good word, especially considering the information (my profile) that I was securing. Their standards for passwords were, and I quote:
On-processor Random Number Source Could Aid Security
Posted July 1, 2010 by Keith McMillan
Wow, it’s months I spend not saying anything about computer security, and then there are two in a row. Technology Review reports today that engineers at Intel have come up with a way to put a true random number generator on the processor die. This has implications for a number of cryptographic techniques that rely on random numbers to function.
Finding randomness in computers is surprisingly difficult, and over the years people have tried everything from dedicated hardware random number generators, to a webcam with the lens cap left on, to lava lamps of all things, as a source of randomness. In the past, the National Security Agency went so far as to use white noise from space to generate their random numbers, capturing the noise using radio telescopes.
The inclusion of this sort of random number generator strengthens protocols such as RSA and HTTPS/SSL by introducing true, rather than pseudo-, randomness. With the advances in quantum cryptography in the last few years, however, we may soon see the end of this class of cryptography, as quantum computers would theoretically be able to break these protocols instantly.
Steganography in the wild
Posted June 30, 2010 by Keith McMillan
This is cool, in a “people spying on my country” kind of way: Gizmodo reports that the recent break-up of a supposed Russian deep cover spy ring included the FBI discovering their use of Steganography. As a security and crypto guy, this is very interesting.
Steganography is the hiding of information in plain sight, much like the lemon juice you used to use to write secret messages when you were a kid. Digital steganography alters computer files, usually pictures or audio files, to hide information within them. This is the first case that I’m aware of that uses real stego as part of real espionage. Assuming it’s really espionage, that is.
For the technically minded, one way that digital steganography works is by altering the low-order bits of photos or music files. If we change the least significant bit of a pixel in a digital photo, the difference between its original value and the new value that encodes information is likely unnoticeable to the human eye. The same can be said of the samples in an audio file.
Detecting steganography is difficult: you need to know the program used, or you need to perform complicated statistical analysis to stand a chance of detecting it. It’s remarkable to me that we’ve at last seen this technology in the wild.
New user registrations turned off
Posted June 28, 2010 by Keith McMillan
I’ve come to suspect that my blog is the victim of spambots that have decided they might be able to do something interesting if they sign up for an account. Maybe they think they get author privileges once they have an account, but I restrict that role to myself (at least for the moment). I’ve put up with it for a while, since I believe there’s no harm in them signing up, the only new superpower registered readers get is “subscribe,” I believe.
It’s been making me uncomfortable however, because I’ve not spent much time keeping up with any security concerns in WordPress (the underlying blogging platform), and since I get an email every time a new user registers, it’s never too far from my mind…
As a result, I decided today to turn off the “anybody can register” feature. I’m also debating going through my user rolls and deleting the obvious spambots (anybody in .RU for starters, since I can’t imagine I’m much interest to someone in Russia…)
In the event I do decide to start going all Stalin on the registered user rolls, I put up another post, so people can let me know if I delete them and they really were interested in having an account.
We now return you to your regularly scheduled web surfing, already in progress…
Fading Personal Data
Posted June 16, 2010 by Keith McMillan
Have you ever looked at your address book and seen an entry for someone you haven’t talked to in years? I usually think to myself “I wonder if that phone number is still good.” Sometimes I even wonder if people are still alive.
A Dutch information security researcher wants to use a concept similar to that to try to protect all that information about us that’s stored online, according to an article at the BBC. The idea would be to have your information “degrade” over time, just like your confidence in whether that email address for Joanne is still any good.
At initial use to secure a transaction or get useful information from a search all relevant details might be stored. Subsequently details would slowly be swapped for more general information.
It’s an interesting concept. I’ve always been intrigued by the idea of looking to the physical world for solutions to problems in the digital one. I’ve frequently thought it would be interesting to look into mimicking the animal immune system for a computer anti-virus system, for instance.
Of course, Europe has better controls on, and a different view of, information security than the US. It’s likely that any system like the one outlined by Dr. Heerde could be mandated here, because unlike Europe, in the US businesses own the information they collect about you, rather than you owning your own information. Still, it’s an idea to feed to the grist mill, and perhaps something interesting will come out the other side.
New Agile Training Courses
Posted May 24, 2010 by Keith McMillan
I’m happy to announce the availability of the first two courses in my series of agile training courses, a one-day agile overview course, and a two-day course called Agile for Data Professionals. There are a number of other courses in the works, but if you find yourself with a burning need for one of my courses, just let me know and I’ll see what I can do to move it to the top of the queue.
For information on the classes visit the new Training Page!
Time, Resources, Scope… and Quality.
Posted May 13, 2010 by Keith McMillan
Project managers will sometimes refer to the “iron triangle” of time, resources and scope for a project. The idea here is that each of these facets of a project is a leg of some theoretical triangle, and you can adjust your project by making one of the legs shorter if you need to. How does that relate to software projects?
The joy of start-ups or Keith needs a contract
Posted March 29, 2010 by Keith McMillan
Over the past few years, I’ve worked for or as a consultant for three different start-ups, and they’re a roller coaster. Two of those have gone out of business, and the third is my current client.
This morning, my client told me they are planning on managing their cash flow problem by making it at least partially mine: I’m back in the market looking for a new engagement, starting basically immediately. It’s the consultant’s life, I realize, but it really doesn’t make it that much more comfortable.
So, if you or someone you know is looking for a first-class Java architect (very hands-on), agile coach and/or application security specialist, please get in touch.
I Miss my Treo
Posted March 12, 2010 by Keith McMillan
Last year, I retired my Palm Treo 755. It was a sad moment for me, but I felt that, with the new WebOS on the Pre and Pixi, PalmOS was a dead platform, and I needed to move on. I’d been using PalmOS for a long time, having originally carried a Palm V way back when they were new. I feel like I’m missing a friend now.