Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social [...]]]> In this brave new internet world (as of about 1995), I’ve been thinking of my personal information sharing generally as public and private.

Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social networks and things going horribly wrong are people who don’t make clear distinctions between the public, professional, personal, and social aspect of their lives. Getting into etiquette with social networks can be tricky. I find it best to, as a rule, separate business and pleasure.

Partial Disclosure

Public information is available for anyone in the world to read. I put it out there so that people can learn a bit about me.

The reason I started writing things in the public eye is because I realized that if I didn’t define myself and give people something to read who didn’t know me, someone else would. This is the same reason that I don’t publish raw slide decks of my presentations, but I put my speaking points intermixed with the slides in a blog posting. Text based communication loses a lot of intent and inflection, so I try to make up for it in this way.

I didn’t want to have a blog. Once upon a time, when I was younger (and even more naive), I thought that I could get by on merit alone; I believed that if I did good work, my work would be recognized for and stand on its merits. I read things like The Fountainhead (watch the movie) and took from it “Oh! If I do good work and work toward my own sense of excellence, I will triumph in the end!”

I don’t think so anymore.  I think success takes more than merit.

Not only do you have to do good work, but people need to know about it. You need to help people directly, impart lessons you’ve learned without being an arrogant jerk, and sell them on why a good solution is better than a thought-to-be-sufficient solution.

Blogging

When Livejournal came out, I thought that this was lame in the same way Jennicam was lame. My conclusion was that blogging was about media and attention seeking. I didn’t have a need to have a public blog for people who didn’t know me could learn tons about me without my knowing them.

More importantly, it wasn’t interesting.

I found it massively egotistical that anyone would want to know what I bought at the grocery store or ate for lunch. I didn’t understand sharing of the mundane. Clearly many people do not share this opinion today.

The stuff I put on my blog are my presentations, the way I manipulate data for my own uses when I haven’t seen it represented in my way previously, or my attempts to explain the poorly explained. The ideal that I aspire to is “I wouldn’t find it interesting to read, I don’t write it.” I imagine that might come off as rampagingly egotistical at times, but I really make an effort not to be. I laugh at myself and at life as much as possible. It’s pretty ridiculous a lot of the time. My work tends to be very serious and can effect, in a real appreciable way, the lives of others. I take it very seriously. When people do important work badly, I can take it as a personal affront.

I would like to post more, but too much of it is sensitive, under contractual obligations, or in personal confidence. Unlike many people that do not share my views, I can’t disclose in good faith.

Social networks

What I find interesting about social networks, and by that I mean mostly Twitter and Facebook, is that it can introduce a gray area between public and private information; a social periphery of information that busy people share in order to keep in touch with people they think are cool.

That’s pretty much how I view a friends list; “These are people I think are cool.” If I would invite you to an informal party is my general baseline for inclusion into my social network.

Twitter: Low attention span blogging and random link sharing.

Bad Penny: Informal writings, past sharable presentations, and general information sharing of things I find interesting.

Facebook: Fun people that I associate with socially.

LinkedIn: People I have done business with or know professionally that I would vouch for. Yes. I really do know all of those people and have had dealings in the past.

Be Cool

As any good rule, it is proven by its exceptions. Excessively cool people are allowed to break most rules.

My advice to everyone: be excessively cool and don’t take things seriously that do not merit being taken seriously.

Life is too short to be taken seriously. — Oscar Wilde

Work and play are words used to describe the same thing under differing conditions. –Mark Twain

In every real man a child is hidden that wants to play. –Friedrich Nietzsche

Humanity has advanced, when it has advanced, not because it has been sober, responsible, and cautious, but because it has been playful, rebellious, and immature. –Tom Robbins

Necessity may be the mother of invention, but play is certainly the father. –Roger von Oech

Related posts:

1. New Facebook private features
2. New Nettiqute: A simple guide to communicating with your favorite geeks.
3. I judge you: A social networks commentary

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that [...]]]> After a few years of avoiding the cable industry, I went ahead and signed up for Comcast Highspeed2Go, a new bundled service where they resell Clearwire and combine it with conventional broadband home internet service.

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that they could not support. I spent a few hours on the phone with them attempting to figure out why they disabled wireless cards they sent me. They sent me a total of three cards and then disabled each of them after about a week.

This last week I didn’t feel like giving Comcast another two hour free tech support call and sent all of their wireless gear back to them. Previously I spent a few hours talking to people in attempts to navigate their broken process in order to get home service installed and activated.

The time of a consumer seems to be a free resource according to Comcast. They have a robodialer calling me now asking me to call some number. No thanks. I’m already at my quota for time wasted talking to you guys this month. I’ll be happy to pay you when you send me a bill consistent with our agreements.

This is nothing new. Back when I managed leased lines from telcos, I eventually found a backchannel into their top tier of support to get recurring and completely preventable problems resolved. I monitored their uptime. I reported their outages. I gave them their remediation process. If I didn’t, the business that I worked for would suffer.

Usually I assume good will, but my experiences as a consumer and as a professional with Comcast in particular point in another direction.

My point here is that branding is considered more substantial than service. I’m sure this is a business decision that was made when they worked the numbers and determined that giving five 9s of uptime and quick problem resolution was more expensive than just running more commercials, forcing out competition, suing municipal projects designed to give an alternative, and having the illusion of support on Twitter.

In an upcoming white paper, some associates and I will be discussing some aspects of this issue. Sometimes quality of service and streamlined operational works matter. Occasionally a company makes a business case for giving good service and honest commitments. Invariably, they are purchased and wrapped under one of the huge brands to be forgotten after their customers are re-absorbed into the amoeba of near-monopoly mediocrity.

This seems to be the new model for innovators and people who are good at their jobs:

• Find an unmet market need to improve
• Do it better, faster, more reliably, or with pretty colors
• Get bought out and paid (mostly) in stock
• See your business die at the hands of the insiders that can’t improve themselves
• Move on to something else

Where does this leave the market? Large non-agile organizations who are prone to mismanagement buy all of the intellectual property and use political influence and bare-knuckle market pressures to keep themselves on top of the heap.

Result: the market and consumers suffer.

See also the current state of patents, software and otherwise.

Some services and systems should not be held to the minimum standard of MBA business sufficiency where any excess money spent past the point where the customer will not fire the vendor is waste. My experience tells me that the standard of five 9s is generally becoming a thing of the past. Huge websites turn themselves off for multi-hour maintenance routinely with no notice. Cell phone providers incur day-long nationwide outages. Cable companies turn down a variety of services without warning or notification for undetermined amounts of time.

No standard of service seems to be the preeminent emerging standard of service. The myth of the disposable worker is in full effect here.

I’m seeing this as a market opportunity for service providers. I would wager that consumers who can pay will pay to not talk to these people. That was the Speakeasy sales model when I was their consumer in the past:

We’ll provide you with DSL service and you won’t have to talk to any incompetent jerks. Pay a little more a month and it’s completely worth it.

Speakeasy could compete with Covad and Qwest offerings (even though they resell the both of them) because the big guys do such a bad job of taking care of their customers. Qwest and Covad are on board with this Comcast consumer model.

These MITMing businesses should increase as this continues since real competition is not currently allowed to occur simply because consumer time does have a value that is not being addressed.

The cable and other telcos had better watch out that they don’t kill their own markets. As soon as a fast data alternative comes along, be it from Google, a national broadband plan, or fast unlimited wireless, all of their business models are toast.

Keep it up, guys. We’ll see you in the technology deadpool soon enough.

Related posts:

1. Comcast Wimax
2. Phone followup (again)
3. BBB complaint: Vonage

This may be because there is about 300 guides written by out of work journalists whose’ exposure to technology was having played with an iPhone for about 5 minutes. I believe that they’re in the same place in my [...]]]> It’s been quite a while since I’ve seen an updated guide on email etiquette or netiquette in general.

This may be because there is about 300 guides written by out of work journalists whose’ exposure to technology was having played with an iPhone for about 5 minutes. I believe that they’re in the same place in my brain where banner ads and sponsored links land and are thus culled and ignored almost immediately. Ask the big geeks you know, and you will find that they have brain-based adblock enabled as well.

(I just spent 5 minutes trying to figure out if I should put an apostrophe there and where it would correctly belong in that sentence. I think I know too many grammar nazis.)

Oh.  Okay.  Thanks.  Fixed.

So really, what I mean to say is that there doesn’t seem to be one of worth lately, though I’m sure someone will add some in the comments to this posting eventually. The things like social networks and twitter, the places where one is really needed, are the places where a bunch of people write 500 horrible guides.

Here’s where nettiqute was when this whole internet thing happened. Notice how a lot of people you know don’t not-do these things. Notice how Eternal September will never end. This is why a lot of old school types have quit irc or have retreated to backwater +i or +k channels.

Here’s ten four things to keep in mind

1) If it is important, it’s not something that should be sent in a text message. Text messaging is for 14 year old girls and introverts who don’t mind taking 5 minutes to communicate what they could have talked about in 30 seconds. Perhaps what they really need to make is a subvocalizing phone. Then like one half of the female population will be on confs with each other most of the waking day.

On second thought, please don’t. Please do not make those.

(Did you know that Google Voice already had confs built in?)

2) If you are having an issue with your computer or technology and want to talk to me about it, send it from an IM client that can screen share so that you can demonstrate it and I can fix it. ^{[Only close family and intimates eligible. Offer void when I am busy or already frustrated.]}

So anyway.

3) Twitter. If you can avoid it, do. If you find that you have to use it, is painful enough already without having to look at stuff like this:

But he’s not like that all day and night, right?

Wrong.

I hear you’re cool and all in person, but I can’t do this anymore, Chris! Argh!

This came in while I was writing this:

Quoting fictional characters? Picard is someone’s role model? Gah. It’s like this all over Twitter. It’s horrible.

Additionally: No Mom, I will not teach you to use Twitter. It was bad enough an idea when I taught you to text message. I learned my lesson.

4) Don’t touch my phone. I’m serious.

Related posts:

1. Twitter, Defcon, Geotaging
2. Big Tech Wins: Addressbooks
3. Public and Private

Since my German language skills have eroded into near-worthlessness, I’m only going to mention presentations available in the English language.

Many videos are not yet up, but of those that are, these are [...]]]> Here is my list of the most important talks of the 26th Chaos Communication Congress [26C3] held in Berlin, Germany that was held last week.

Since my German language skills have eroded into near-worthlessness, I’m only going to mention presentations available in the English language.

Many videos are not yet up, but of those that are, these are my picks in order of interest and significance.

It is really great that there are videos up so quickly and without all of the capitalist headaches that we see here in the US. Yes, selling things is important, but kicking out some video to your community is a great thing. Information is supposed to be free, right hacker conferences? Eat your own dogfood, guys.

A Part Time Scientists’ Perspective of Getting to the Moon

Day 2: HTTP / Torrent [ All English language ]

Hacking government

With the premise that government data is the property of the people and disclosing pdfs on a government website is insufficient, so they’re going to scrape, gather, manipulate data, develop applications, and present (they hope) interesting uses of this data to the public@opendatahack

FCUK: MiFare Classic Universal Toolkit

Updated RFID card toolkit

Cryptostick

The German Privacy Foundation

An OpenPGP v2 card (a smartcard) and a reader

Supports keys up to 3072 bit

Free Rainbow Tables

uses BOINC

http://rcracki.sourceforge.net/

Free Rainbow Tables forum

OWASP favicon enumeration

Nmap 5.10 beta has favicon scanning built in

FOAF

Decentralized social networking with web of trusthttp://esw.w3.org/topic/foaf+ssl

NLNet Foundation

They give away money to projects.Focused on privacy and making the internet a better place and they may give you some.

Friend2Friend economics

Day 3: HTTP / Torrent

8:30 Plug and play sensor input

No drivers needed

26:30 Open RFID

Different from other RFID haxing kits because it works with low frequency tags. Most are 13MHz, this one can do 125KHz as well.

Board is size of a cc, no battery required, firmware upgradable, GPL, Active attacks; emulation/brute force

₡12

Schleuder: Yet Another Crypto-mailinglist Manager

OpenPGP encrypted mailinglist

Written in Ruby

GNU GPL v2

MTA agnostic

Relieves users from key management

Users managed by signature, not email address

41:45 ClockTamer: Universal clock source

Open source hardware/software highly accurate clock source

50:30 Some cool audio demo thing

56:30 Hackable:1 mobile gnome initiative

1:01:30 WAFP: Web Application FingerPrinter

Written in Ruby

Fetches static files from web applications and compares checksums to a database

1:07:30 libcpu

An anything-to-anything recompiler

1:11:00 libhomebrew

Examples: The Homebrew Channel

1:15:45 Yet Another XMPP Instant Messenger

1:19:45 Hackable Devices [ccc wiki]

1:26:00 Atari Coldfire Project

Objective: To build a new Atari compatible computer

Open hardware: PCB schema is free

Open source as much as possible

₡600

1:31:30 NLnet

1:35:30 Cheating at Flash Games

[ The rest are in German ]

Day 4: HTTP / Torrent

Unauthorized access to “secure” flash drives live demo

Interesting defacements using RF or Wifi controlled lighting devices

13:00 The OpenBTS Project

Very few fixed phone lines in the undeveloped world

Looks like GSM to a phone and SIP to a network

Open Source

Low power and encourages lightweight architectures on GPRS and 2G networks.

24:20 tikzgraphicx

29:00 The Future of Hacker Meetings

Large CCC events are over capacity

Greater number of smaller events

Use hackerspaces.org wiki to publicize events

34:00 [German] Droid Army

DROIDARMY is about the idea to push the development of a robot control based on android phones. Machines, robots and new devices with the interoperability of the google services and other off the shelf solutions can lower the costs of product development significantly and shorten time to market. Collaboration capabilities of cloud computing tools could let multiple robots work on one issue together.

46:00 OnionCat [and here]

P2P VPN network for anonymization based on I2P network and Tor.

Creates anonymous network layer where both client and server are anonymous to each other.

Any kind of IP data supported; frees protocol restrictions from Tor hidden nodes

50:00 Free Art and Technology Lab

The Free Art and Technology Lab is an organization dedicated to enriching the public domain through the research and development of creative technologies and media. The entire FAT network of artists, engineers, scientists, lawyers, musicians and Bornas are committed to supporting open values and the public domain through the use of emerging open licenses, support for open entrepreneurship and the admonishment of secrecy, copyright monopolies and patents.

Basically a bunch of trolls, so naturally the crowd loved it. Apparently trolling is now established art.

1:11:30 Remuco: Wireless remote control for Linux media players

1:17:00 Breaking Verilog-2005 Obfuscation: The DRM of digital design

1:25:30 Formica swarm robots

Kit now for sale and shipping in February for ₡30

25mm x 25mm in size.

1:38:30 What happens at the expiration of database protection

Talk of database and copyright law in Sweden and the EU

Proposes a Project Gutenberg for databases that copyright protection has expired

1:57:00 Student Robotics

Robitics kit design for primary schools

Runs an autonomous robotics competition

Students code their robot controls in python

Related posts:

1. Bored on a plane: Gogo wireless on Virgin America
2. Snort resources
3. SEO blog defacements

Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal [...]]]> Tired of reading yet another cloud security article? This is really the only one you need to read. If you don’t have the attention span to read it all, read my excerpts.

Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.

In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it. They hired some virtual machines to serve as targets and others to serve as attackers–and tried to get both groups hosted on the same servers at Amazon’s data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars.

[...]

Gmail, Twitter, and Facebook are all cloud applications, for example. Web-based infrastructure services like Amazon’s–as well as versions from vendors such as Rackspace–have attracted legions of corporate and institutional customers drawn by their efficiency and low cost.

[...]

“Today you have these huge, mammoth cloud providers with thousands and thousands of companies cohosted in them,” says Radu Sion, a computer scientist at the State University of New York at Stony Brook. “If you don’t have everybody using the cloud, you can’t have a cheap service. But when you have everybody using the clouds, you have all these security issues that you have to solve suddenly.”

[...]

Cloud computing actually poses several separate but related security risks. Not only could stored data be stolen by hackers or lost to breakdowns, but a cloud provider might mishandle data–or be forced to give it up in response to a subpoena. And it’s clear enough that such security breaches are not just the stuff of academic experiments. In 2008, a single corrupted bit in messages between servers used by Amazon’s Simple Storage Service (S3), which provides online data storage by the gigabyte, forced the system to shut down for several hours. In early 2009, a hacker who correctly guessed the answer to a Twitter employee’s personal e-mail security question was able to grab all the documents in the Google Apps account the employee used. (The hacker gleefully sent some to the news media.) Then a bug compromised the sharing restrictions placed on some users’ documents in Google Docs. Distinctions were erased; anyone with whom you shared document access could also see documents you shared with anyone else.

Andin October, a million T-Mobile Sidekick smart phones lost data after a server failure at Danger, a subsidiary of Microsoft that provided the storage. (Much of the data was later recovered.) Especially with applications delivered through public clouds, “the surface area of attack is very, very high,” says Peter Mell, leader of the cloud security team at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. “Every customer has access to every knob and widget in that application. If they have a single weakness, [an attacker may] have access to all the data.”

To all this, the general response of the cloud industry is: clouds are more secure than whatever you’re using now. Eran ­Feigenbaum, director of security for Google Apps, says cloud providers can keep ahead of security threats much more effectively than millions of individuals and thousands of companies running their own computers and server rooms. For all the hype over the Google Docs glitch, he points out, it affected less than .05 percent of documents that Google hosted. “One of the benefits of the cloud was the ability to react in a rapid, uniform manner to these people that were affected,” he says. “It was all corrected without users having to install any software, without any server maintenance.”

Think about the ways security can be compromised in traditional settings, he adds: two-thirds of respondents to one survey admitted to having mislaid USB keys, many of them holding private company data; at least two million laptops were stolen in the United States in 2008; companies can take three to six months to install urgent security patches, often because of concern that the patches will trigger new glitches. “You can’t get 100 percent security and still manage usability,” he says. “If you want a perfectly secure system, take a computer, disconnect it from any external sources, don’t put it on a network, keep it away from windows. Lock it up in a safe.”

But not everyone is so sanguine. At a computer security conference last spring, John Chambers, the chairman of Cisco Systems, called cloud computing a “security nightmare” that “can’t be handled in traditional ways.” At the same event, Ron Rivest, the MIT computer scientist who coinvented the RSA public-key cryptography algorithm widely used in e-commerce, said that the very term cloud computing might better be replaced by swamp computing. He later explained that he meant consumers should scrutinize the cloud industry’s breezy security claims: “My remark was not intended to say that cloud computing really is ‘swamp computing’ but, rather, that terminology has a way of affecting our perceptions and expectations. Thus, if we stop using the phrase cloud computing and started using swamp computing instead, we might find ourselves being much more inquisitive about the services and security guarantees that ‘swamp computing providers’ give us.”

[...]

Amazon announced plans to offer a “private cloud” service that ensures more secure passage of data from a corporate network to Amazon’s servers. (The company said this move was not a response to the research by the San Diego and MIT group. According to Adam Selipsky, vice president of Amazon Web Services, the issue was simply that “there is a set of customers and class of applications asking for even more enhanced levels of security than our existing services provided.”)

[...]

The problem of how to manipulate encrypted data without decrypting it, meanwhile, stumped researchers for decades until Gentry made a breakthrough early in 2009. While the underlying math is a bit thick, Gentry’s technique involves performing calculations on the encrypted data with the aid of a mathematical object called an “ideal lattice.” In his scheme, any type of calculation can be performed on data that’s securely encrypted inside the cloud. The cloud then releases the computed answers–in encrypted form, of course–for users to decode outside the cloud. The downside: the process eats up huge amounts of computational power, making it impractical for clouds right now. “I think one has to recognize it for what it is,” says Josyula Rao, senior manager for security at IBM Research. “It’s like the first flight that the Wright Brothers demonstrated.” But, Rao says, groups at IBM and elsewhere are working to make Gentry’s new algorithms more efficient.

[...]

“Clouds are systems,” says NIST’s Peter Mell. “And with systems, you have to think hard and know how to deal with issues in that environment. The scale is so much bigger, and you don’t have the physical control. But we think people should be optimistic about what we can do here. If we are clever about deploying cloud computing with a clear-eyed notion of what the risk models are, maybe we can actually save the economy through technology.”

Copyright Technology Review 2009.

The full article here talks about the expense (in computational power) of encryption churn, future interoperability concerns resembling the 90s between competitors, and other anticipated challenges along the way.

Not a bad attempt at a future and failures in-a-nutshell article.

Like the current thinking on carbon-based fuels, added costs of risk exposure and additional governance needs to be baked into so called cloud and virtualized offerings.

The threat landscape has exploded exponentially in internet applications from where it was only a few years ago with the advent of visualization, massively increased distribution of assets, explosion of wireless access, and quick-to-market applications that have unprecedented amounts of software flaws that pose risks of disclosure of private data.

I say this not to overly criticize innovation and more aggressive and fast-paced development, but to clarify to those that do not realize that reigning in and controlling access at inception of these services is required to control them.

Without foresight in building infrastructure in secure ways, the risk of difficult systematic problems creates the space for unintended commerce in leaked or stolen information. Nature abhors a vacuum and in highly complicated systems there will invariably be backwaters where this will occur.

The trick here is to make modular systems that guard against inappropriate disclosure at each step using the defense in depth model. Once actual costs are assigned to risk by means of open data and metric information, market forces should make this a reality.

Posted via web from Technical Adversary

Related posts:

1. Amazon EC2 cloud service hit by botnet, outage
2. Agile Infosec
3. USB malware on OSX