ENISA just published a report with recommendations on the use of crypto algorithms, keysizes and parameters.
Crypto elements are classified in primitives, schemes, protocols ad key sizes and for each of them it is stated if it is:
Following the NSA saga and the state of uncertainty we are living in right now, this is a must read.
Some news of this week that caught my eye:
25 years ago was the Morris worm. I was there… time flies!
Linkedin has introduced a service called Intro for the moment for Iphone users. Here are some details about it.
I am very puzzled by the “How it works” details, and in particular for all possible kind of issues with the possible use of private, personal or company information. Here there are some relevant arguments against this new service which are worth reading and considering.
A few days ago IDC released (see here and here) a forecast according to which by 2017 87% of connected devices will be tablets and smartphones. Desktop PC sales will be down whereas tablets and smartphone sales will grow double digits.
This does not surprises me, most users do not need a full PC for browsing the web and access the few applications by now mostly “in/on the clouds” that they use. Easy of access, intuitive interfaces and great graphics are more important than the full power of a desktop PC with all possible kind of resident applications (which the user should then manage).
Security and all kinds of management should be done by the device provider, better if almost unknown to the user or with very limited user participation.
Privacy and personal information dissemination are the only issue which involves directly every user, and on this point we will need to improve quite a lot.
Obviously, work related PC requirements are different, and for this use desktop PCs will remain, albeit in reduced numbers.
The DNS provider Web.com has been subject to a Social Engineering attack which allowed a pro-Palestine hacking gang to successfully reset the password of a few important customers, and use the new password to change the resolution of their domain name to other sites. See for example here for a description of the attack.
Again and again, as of today the technical side does not look to be the weak side of ICT Security. In particular cryptography is sound and reliable, and many technical ICT security products deliver what the promise.
On the other side, username + password show another time how much inappropriate they are to support our current security needs. But what can we use instead?
The general problem lies mostly in our ability to make a system “secure” by including logical, physical and procedural measures to give a 360 degrees protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.
Lax physical security means access to hardware and the possibility to install and run what you want. This is just what happened to some ATMs in Mexico, see for example here.
It is just a reminder that logical security alone does not work. You always have to start from the hardware on which your software runs and have a comprehensive, eg. “holistic”, approach to security.
Il 26 settembre presento un intervento dal titolo “Fraud Management: affrontare la sfida dell’online banking attraverso la gestione in tempo reale dei Big Data” in collaborazione con HP, al Banking Summit 2013, a Milano.
Venerdì 4 e sabato 5 ottobre sono impegnato come docente per il corso 2013 per la certificazione CISA (Certified Information Systems Auditor) di ISACA,. per AIEA.
Recentemente mi è capitato più volte di leggere o discutere della relazione tra il gioco, in questo caso digitale (su console, PC o online) e l’apprendimento. In realtà ben sappiamo che il gioco è il principale mezzo di apprendimento, insieme all’esperienza, sia degli animali che di noi stessi nei primi anni della nostra vita.
“Giocando (e sbagliando) s’impara” diceva mio nonno…
In realtà, a pensarci un attimo, il nostro apprendimento è basato soprattutto sul nozionismo che poi si traduce in conoscenza a mio parere solo se integrato dall’esperienza. Si impara molto anche solo dall’esperienza diretta, ma è un procedimento lento e che non sfrutta quanto è già stato scoperto da chi ci ha preceduto e che possiamo facilmente e velocemente assimilare.
Ma l’esperienza Virtuale? Apprendiamo lo stesso giocando coi “balocchi” e un videogioco? Possiamo sostituire ed estendere il gioco reale con il gioco virtuale? Possiamo sostituire parte dell’apprendimento nozionistico con un apprendimento ludico virtuale?
Mi ha fatto anche riflettere il fatto che l’addestramento dei piloti dei famosi F-35 (se mai voleranno) è solo virtuale, non esistono modelli con doppi comandi per istruttore-allievo: dal gioco al volo senza paracadute?
Andrea Pasquinucci 