While perusing the security blogosphere this week I came across a pretty amusing entry in the Worse than Failure blog from Alex Papadimoulis, principal member of Inedo, LLC, an Ohio-based company that sells productivity software to small and mid-sized businesses.
He presents a few job interview scenarios, including this gem about a job candidate boasting about how great he is at cryptography:
“Near the end of a technical interview, Paco H. was asked a rather blunt question from the candidate he was interviewing: ‘Hey, be straight with me. How am I doing?’ Paco replied with the truth: not too well. The candidate was a bit disappointed, so Paco gave him a chance of redemption.
Paco: So, tell me, what are you great at?
Candidate: What am I good at?
Paco: No, no. What are you *GREAT* at?
Candidate: Hmmm. (a few seconds pass) Cryptography!
“Fortunately, Paco knew a thing or two about cryptography, and knew where to begin a line of questions.
Paco: Ok. Well let’s just start with the basics. Tell me the difference between asymmetric and symmetric cryptography.
Candidate: Well, the way I see it is like this. The symmetric cryptography is like when you’re driving down the road and there’s a dotted line down the middle and cars are going both ways. Asymmetric cryptography is like when there’s a double yellow line.
“Paco opted to pass, after all.”
No big points to make about this one. I just had to share it.
Now for some items I do want to weigh in on…
The Chinese cybersecurity threat
The Darknet blog has an item about the recent reports of China hacking into U.S. military systems. Of course, Chinese Premier Wen Jiabao denies his country’s military would ever do such a thing because, after all, “the government has opposed and forbade any criminal acts undermining computer systems, including hacking.”
Darknet isn’t buying it and neither am I.
Darknet’s response: “Forbade eh? More likely to be encouraged. Cyber terrorism and cross border attacks for information gathering are not restricted to the realms of movies.”
My two cents: Evidence has steadily mounted in the last two years that China has been trying to hack into government systems. There has been plenty of speculation as to whether the military has been actively involved or whether the government has independent hackers doing the dirty work for them. But in the final analysis, everything I’ve seen makes it clear something sinister is afoot.
I’m reminded of how the U.S. government learned two years ago about ongoing attacks it eventually dubbed Titan Rain. In those attacks, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn’t taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary’s strengths and weaknesses when pulled together.
I’m sure some Chinese hackers are doing some of these things on their own and not on behalf of their government. But it’s hard to believe, given the choice of targets, that there isn’t some government involvement somewhere.
The probability of government-backed attacks was the focus of a Financial Times article my colleague Dennis Fisher blogged about this week. According to the article, some people using IP addresses belonging to the People’s Liberation Army were able to penetrate a portion of the Pentagon’s network to such an extent that part of it was shut down earlier this summer.
Dennis wrote that the extent of government involvement is probably overblown, and that the talking heads will probably use the story to generate FUD about a coming cyber apocalypse. He’s right about that. We saw an example of that following the attacks against Estonia. He’s also right that virtually every major nation is conducting various scanning, reconnaissance and surveillance operations against the networks of its enemies, and perhaps some of its allies.
But this is an example of vulnerability in the U.S. IT infrastructure, and one hopes the cyber specialists in Washington are working to address it. And while there’s no justification for FUD, there is a lesson for IT professionals in the private sector. If the hacking community can punch holes in Pentagon systems, they can do it to any company, anywhere.
Making e-voting more secure
With the increased use of electronic voting machines, many in the security community have called for better ways to secure it all, including Ed Felten, professor of computer science and public affairs at Princeton University. Felten notes in his Freedom to Tinker blog that the U.S. House of Representatives is poised to vote on a bill that would push things in the right direction.
H.R. 811, Felten wrote, gets the big issues right, requiring a voter-verified paper ballot with post-election audits to verify that the electronic records are consistent with the paper ballots.
Felten continues: “The bill is cautious where caution is warranted. For example, it gives states and counties the flexibility to choose optical-scan or touch-screen systems (or others), as long as there is a suitable voter-verified paper record. Though some e-voting activists want to ban touch-screens altogether, I think that would be a mistake. Touch screens, if done correctly — which no vendor has managed yet, I’ll admit — do offer some advantages. Federalism makes sense here: let localities make their own choices, as long as basic standards, such as the paper-trail and audit requirements, are met. Down the road, we may be glad that we left room for better touch-screen systems to develop.”
However the House votes on this, I agree we need to move carefully on e-voting. It will ultimately be a major improvement over paper balloting, but there are still too many security holes to rely on the machines without a paper trail and some auditing.
The ballad of Zango
Erica George at StopBadware.org wrote a blog entry this week about Zango’s latest legal woes. She notes that Zango — a poster child for bad behavior in the eyes of many antispyware crusaders — recently struck out in its lawsuits against two anti-spyware software vendors. Zango, she notes, used the suits to challenge makers of security software that labeled its products as spyware. On one front, Zango dropped a suit against PC Tools after declaring that the company modified its software to warn against Zango software rather than automatically removing it. But, she wrote, PC Tools says it modified its software before Zango’s suit was ever filed and hails Zango’s decision to drop the suit as a vindication.
On another front, a federal judge ruled against Zango in a similar case against Kaspersky Lab. The ruling found that the federal Communications Decency Act, Section 230(c)(2), creates a “safe harbor” for producers of tools used to filter “objectionable content.” The judge noted that in the context of the safe harbor provision, objectionable content is not limited to content that is actually objectionable, but includes material that users and software providers consider to be objectionable. The court granted summary judgment for Kaspersky, effectively ending the case, George notes.
“In affirming the rights of security software vendors to classify applications based on the vendors’ own guidelines, the Kaspersky ruling sends a clear message that software producers cannot use lawsuits or the threat of lawsuits to challenge security vendors’ decisions,” George wrote.
Zango has been trying for years to shake off its reputation as a pusher of unwanted software, and the lawsuits against security companies are one way it chose to do that.
But the lawsuits backfired, and rightly so. When I talk to IT professionals about their spyware challenges, nobody jumps up to defend Zango. As far as they’re concerned, any unwanted program that bogs down their networks is evil and they want their security vendors to find and flag it.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at email@example.com.