How Not to Use Security Tools

Security is not an easy business, as we all should know quite well. Probably the main issue is that you have to implement security with a comprehensive approach (the term often used is “holistic”). In other words, you have to consider all possible sides of the issue at hand: technical, procedural, and human. If you forget one side of your problem, then everything else you did could add up to nothing. Not easy at all.

And this is what a Harvard student should be thinking right now (see here for example): he used Tor and other anonymization tools to send an anonymous threat to his university in order to avoid taking a test, but he used his campus network and did not consider that very few students used such tools, so that using them would draw attention to himself. It was not so hard to find him after all.

More News About Authentication and Passwords

A couple of interesting news items on authentication and passwords:

  • Telepathwords is a (Microsoft Research) website which tests the passwords you type into it, verifying their strength by checking how likely the next character of the password is to be predicted from common words and password-cracking tools; at first sight the idea seems nice, but I wonder about the usefulness of typing your passwords into a public website: obviously any password tested on the website can no longer be used, so this should be taken only as an exercise to learn how to create good passwords (moreover, I tested it with a pseudo-randomly generated password and the results were not completely clear to me)
  • “Nymi Is A Heartwave-Sensing Wristband That Wants To Replace All Your Passwords & Keys”: it is a wristband that measures your unique (but I have no idea how “unique” it really is) heartwave and, via Bluetooth, authenticates you to any (capable) device; it is the first time I have heard of this kind of biometrics, and I suspect that it shares the good and bad points of all other biometric authentication approaches.

On D-Wave and Quantum Computing

I have been following the development of Quantum Computers at a distance for a few years. One of the most controversial approaches to Quantum Computing is the one proposed by D-Wave. D-Wave is also the only company which claims to have a specialized version of a Quantum Computer ready to sell, and they actually did sell at least one Quantum Computer to a consortium made up of Google, NASA, and the Universities Space Research Association.

What is not yet clear is whether it is really a Quantum Computer and, even if it is, whether it gives any advantage with respect to traditional computers. There are quite a few different opinions about this, and this IEEE Spectrum article tries to understand where we stand now.


How to Abuse Your Customers

This is a 1 Million USD settlement for consumer fraud against the on-line video gaming company E-Sports Entertainment, LLC. On top of its online gaming business, the company found it quite profitable to use the customers’ PCs to mine Bitcoins and to monitor the customers’ use of their PCs even when they were not running the E-Sports program.

Managing a Large ICT Implementation is Hard

Recently there has been quite a lot of news about failed large ICT projects, starting from the Obamacare rollout and so on. One of the latest is that Bridgestone is suing IBM for fraud for $600 Million over a failed IT implementation (see here for details).

We have known for at least 20 years that large ICT projects are hard and that quite often they fail, at least in the sense that they do not deliver what was agreed at the beginning. (A very easy and often adopted way of guaranteeing that an ICT project is successful is to change its requirements and goals at the end.)

What seems new to me is that the news about these failures is becoming more and more public, probably because they affect more and more people, and that someone is starting to complain, in this case to the point that the customer believes a fraud has been committed against him.

Actually, this trend could help the ICT business in the long run, since it will force us to learn how to manage large ICT projects and implementations and to produce (at last) higher quality ICT software products.

Diverting and Tampering with Internet Traffic

This is really disturbing news. Renesys has announced that this year there have been many cases of traffic redirection via BGP which look suspicious, to say the least.

Without going into the details of how BGP works, it suffices to say that BGP is (together with DNS) the core infrastructure protocol that makes the global Internet work. BGP is used to build traffic routes so that data can flow from one network to another. Each Internet provider (ISP) uses BGP to announce its own networks to the other ISPs and to learn where, and through whom, to send data to other destinations.

It is well known that BGP has some weaknesses, in particular because it trusts that no ISP will try to cheat. Indeed, in some particular situations it is possible for an ISP to announce the networks of another ISP and manage to receive all the traffic for those networks. In this way it could be possible to divert the traffic and possibly read it (if it is not encrypted) and tamper with it.
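The defensive counterpart of this weakness is to watch how your own prefixes are being announced. The following is an added example (not Renesys’s tooling, nor anything from the blog entry): it takes a constructed sample of announcements as a route collector might export them, compares each origin AS against a hypothetical list of authorized origins (the role an RPKI ROA set plays in practice), and flags both the re-announcement of an exact prefix by a foreign AS and the more-specific announcement that wins by longest-prefix match.

```python
"""Detect suspicious BGP origin announcements for prefixes you operate.

Added example. EXPECTED_ORIGINS and ANNOUNCEMENTS are constructed sample
data using documentation prefixes and private-use AS numbers.
"""
import ipaddress

# Constructed: prefixes we operate and the only AS allowed to originate them.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64500,
}

# Constructed collector view: (announced prefix, AS path; origin AS is last).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64496, 64497, 64500]),   # legitimate route
    ("203.0.113.0/24", [64496, 64511]),          # same prefix, foreign origin
    ("198.51.100.0/24", [64496, 64498, 64511]),  # more-specific of our /23
    ("192.0.2.0/24", [64496, 64499]),            # not ours, ignored
]

def covering_entry(prefix, expected):
    """Return (covering_prefix, origin) if `prefix` lies within a tracked one."""
    net = ipaddress.ip_network(prefix)
    for covered, origin in expected.items():
        cov = ipaddress.ip_network(covered)
        if net.version == cov.version and net.subnet_of(cov):
            return covered, origin
    return None

def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """'valid', 'not-tracked', or a string saying why the route is suspect."""
    hit = covering_entry(prefix, expected)
    if hit is None:
        return "not-tracked"
    covered, origin = hit
    seen = as_path[-1]                      # rightmost AS is the origin
    if seen != origin:
        kind = "exact-prefix" if prefix == covered else "more-specific"
        return f"{kind} hijack: origin AS{seen}, expected AS{origin}"
    if prefix != covered:                   # our AS, but a longer prefix than registered
        return f"more-specific from expected origin AS{origin} (verify)"
    return "valid"

def find_suspect_routes(announcements, expected=EXPECTED_ORIGINS):
    """Return (prefix, path, verdict) for every announcement that is not clean."""
    verdicts = [(p, path, classify(p, path, expected)) for p, path in announcements]
    return [v for v in verdicts if v[2] not in ("valid", "not-tracked")]

if __name__ == "__main__":
    for prefix, path, verdict in find_suspect_routes(ANNOUNCEMENTS):
        print(prefix, "via", "-".join(map(str, path)), "=>", verdict)
```

On real data the same logic is fed from a collector (route-views, RIPE RIS) and the expected-origin table from published ROAs; a more-specific announced by your own AS is reported as well, since ROA maxLength rules would normally reject it.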

From the Renesys blog entry it seems that this has actually happened this year, and that those involved claimed these incidents were due to “bugs” in some “vendor BGP software” with no malicious intent. Let’s just hope that this is true and that ways to prevent this from happening again will be introduced soon.

A New Way of Authenticating Yourself

We all know very well that username+password is a very weak form of authentication. Unfortunately, universal and more secure alternatives are not available.

Some researchers (see here for example) are proposing to use our mobile phones as pencils to draw our signature in the air and to use this movement as our password. This approach has many interesting characteristics, from the hardware required to the movement itself, which can be extremely difficult to replicate, much more difficult than a fingerprint, and a few drawbacks, like the obvious need for space to do it.

There is already an app for Android that you can download here. In any case, more research is needed, in particular on the full evaluation of the security properties of this almost-biometric authentication method.

Cyber Readiness Index of Countries

A study about the “Readiness” of countries with respect to all things “Cyber” has just been presented here.

It is difficult to comment on the data presented, but it is surely of interest. Personally, I love slide 21, which contains just the following:

No Index Measures Security

Not much else to add.