Saturday, December 12, 2009

How to increase the PHP session timeout time in a shared host?

I found this link useful.

(In a shared host, you've got to have your own folder to store your session data; otherwise, the garbage collector (which is invoked with the probability session.gc_probability(default value is 1)/session.gc_divisor (default value is 100) based on the global session timeout time session.gc_maxlifetime) may inadvertantly erase your session data).

Here's what I have at the top of each php file (extracted from the above link):


<?php
$id
= session_id();
if (
is_null($id) || strcmp($id, "") == 0) {
$cookie_path = "/";
$cookie_timeout = 60 * 60; // in seconds
$garbage_timeout = $cookie_timeout + 600; // in seconds
session_set_cookie_params($cookie_timeout, $cookie_path);
ini_set('session.gc_maxlifetime', $garbage_timeout);

strstr(strtoupper(substr($_SERVER["OS"], 0, 3)), "WIN") ?
$sep = "\\" : $sep = "/";
$sessdir = ini_get('session.save_path').$sep."ek_sessions";
if (!
is_dir($sessdir)) {
mkdir($sessdir, 0777);
}

ini_set('session.save_path', $sessdir);

session_start();
}
?>



Friday, December 11, 2009

Can I know who’s viewing my FB profile?

FB Answer: (Merely browsing won't track you down (unless you consent to install an app that may track your moves). Good news for stalkers???)
Facebook currently does not provide an application that allows users to track profile views or statistics on the views of any specific user content. Third party developers, however, may offer applications that provide some of this functionality. Please keep a few things in mind for these applications:

Applications CANNOT track profile visits for users who simply go to another person's profile; Facebook has made this technically impossible.

In order to be tracked by an application, you will need to specifically agree to allow the application to track your actions.

Adding an application that provides this functionality is purely optional. If you do not want to participate, please do not add the application to your account.

Apparently, if you develop a such FB application to track users who visits your profile, it's a violation of terms.

I have seen claims about being able to track visitors your profile in FB, they simply seem to be incorrect. I have also seen claims about this ability in other social networks, but I don't know the truth behind such claims.

A question for social networks in general:
Is it good or bad for FB to provide the functionality to see profile stats to profile owners? pros/cons for FB? pros/cons for users (owner, viewers)? [IMO, this is a multi-faceted question; there is no definitive answer - need to consider many different aspects; and I am not in a position nor knowledgeable enough to answer this question.]
I, as a user, personally prefer if FB provides at least some anonymous statistics.

Monday, December 7, 2009

What others can collect from your browser?

BrowserSpy

Are we risking only privacy in social networks?

The answer is a clear no. In fact, I recently noted some possible security threats by just revealing your DoB alone. Some more simple layman thoughts on it..(in this post I am not talking about technical vulnerabilities of the social networs; there have already been several exploits)

We are kinda addicted to social networks such as facebook, twitter, myspace etc. Social networks are great to get connected with old friends and stay in touch with friends and families. And also to be up to date with technology, news, what's happening around us and know what others are upto. We love interacting with others and being connected. There is nothing wrong about it; but there is a limit, above which it could be harmful. The whole network works based on trust. Just one weak link of trust is sufficient to cause all sorts of troubles.

a couple of examples:
social networks - physical security??? an interesting combination!
We have seen people tweeting or facebooking, where they are, what their vacation plans, etc. This could be good information for burglers -- we invite and help burglers to break in.

one social network - and the rest???
There are so many social networks out there..chances are that you are only in a subset of them. Say you are in Facebook and not in Myspace. What does it prevent a bad guy from impersonating you in Myspace? Further, the impersonator can trick your friends to be her friends.

Sunday, December 6, 2009

United we stand divided we fall

(United we prevail divided we fail)
I am afraid to say that it is us, the ordinary citizens of SL, not them (who try to get into power or want to keep the power), who are going suffer due to on-going divisions in the country. Don't get me wrong; any country should have a strong opposition to have better governance (so that those who in power do not abuse it). But 50 years after independence we are unable to get rid of the narrow minded attitude to do whatever it takes to come to power or to continue to be in power.

Thursday, December 3, 2009

Why I don't have the DoB listed in FB?

If you noticed my FB profile, I only list the birthday (not the DoB). I am not listing the DoB, not because I don't want to reveal my age (of course, someone who is knowledgeable about the contextual information about the FB groups I am in (e.g. Saint Aloysius College - 1998 batch, UoM 1999/2000 batch, etc.) could infer my year of birth), but because of security reasons. DoB - Security??? do you see the connection?

The other day I went to my bank to withdraw some money, but I forgot to carry my bank card which has the bank account number. So I had to show/prove the possession of other credentials. After getting a photo ID of mine, the next thing the operator asked from me is my DoB. Imagine now someone faking my photo ID and having my DoB listed online, walk to the counter. What does it prevent that someone from withdrawing money from my account?

There are even greater consequences; There have been research suggesting correlation of public information to your SSN number. SSN number is confidential information; only certain service providers such as bank, rental office, insurance company, utility providers, know it; leaking it could be a disaster.


Recently, researchers from CMU have cleverly shown that one can narrow down the possible SSN numbers an individual can have using public information available. If the attacker knows your DoB and location, they can guess your SSN with high probability:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.


SSN has the format xxx-xx-xxxx (Area Number (AN) - Group Number (GN) - Serial Number (SN)); AN and GN are location specific and anyone can get the list of numbers assigned in each state. This reduces the entropy as some level of randomness is sacrificed. You might wonder why AN and GN are predictable? Well, one reason might be that it could be helpful to identify impostors by checking based on the location of the person that she provides.

Here's a pattern that they have discovered (from the paper):

The above figure shows the distribution of AN, GN and SN number (y-axis) in Oregon in 1996 for some publicly available records. The x-axis is the 365 days which represent the DoB's of those people in the records. Notice the correlations.

The paper also mentions about the dramatic reduction of entropy of the SSN numbers. (For better security you need to have higher entropy. If you can inject more randomness, you get higher entropy and it becomes less predictable.)

Without auxiliary knowledge, the theoretical entropy of an SSN can be estimated at 30 bits (in log2).
The more granular knowledge of the assignment scheme that we have shown to be inferrable significantly decreases that entropy (for some states, down to 11 bits).

The point is that one piece of information alone may not be an interesting asset to an attacker and hence you may think it is safe. However, it is the correlation of different pieces that makes attackers life easier. With social networks and other online web sites booming, different pieces of our personal information are available through different locations. These public information could be used by attackers to engineer attacks which we may not imagine in our wildest possible dreams. (In short, the more public information available about us, the less entropy for our confidential information.)

Note: It would be much better for me from the security PoV to completely hide my birthday in FB. You might be wondering why I am not doing so; privacy is a strange thing; it is an economic good; it has trade-offs. I currently perceive that the benefits over-weighs the threats :-)
(Maybe I'll write about the privacy economy in a future blog; there has been a lot of research in this topic for quite some time.)

Friday, November 20, 2009

Thought of the day

Just get started! (From one of the blogs I regularly read; I love to know the psychology behind how we act/react/perceive, etc.)

Thursday, November 19, 2009

Thought of the day

"A man who has one finger pointing at another has three pointing towards himself" ~ A Nigerian proverb


We are not perfect; we make mistakes; sometimes things don't work out the way we want; they simply go wrong. Think about a team work that didn't work out. We usually have the tendency to look outside of ourselves to put the blame on something or someone, don't we? Couldn't the outcome be different had you played a different role? Most importantly is it going to help pointing at something or someone? Probably not. Think about the above proverb before you point your fingers next time.

Wednesday, November 18, 2009

Thought of the day

"Great minds discuss ideas. Average minds discuss events. Small minds discuss people." ~Eleanor Roosevelt


You have a great mind if you don't make fun of or thrash others (for your own petty advantage).

Monday, November 16, 2009

Clouds and Storms [Part 1]

Decoded title: Security/Privacy issues in the Cloud (from the PoV of utility computing)
The objective of this post is to raise awareness about possible privacy/security issues that may arise in cloud computing paradigm - if you are a security researcher, where you may want to focus on; if you are a cloud provider, what you need to safeguard against and what customers would be expecting, if you're a cloud user (technical/non-technical), what you can expect and what you can do about it in order to minimize the risks.

(Note that there could also be security benefits of moving to the clouds, as opposed to maintaining your own infrastructure. For example, the clouds may provide more secured infrastructure and also can afford to provide expertise in security which may not be a viable option especially for small-medium businesses. Also, the virtual machines deployed may be better configured and virtualization inherently provides a certain level of security.)

As we all know, there is, in general, a gap between the research solutions and the industry implemented solutions; it is partly due to the fact that some elegant theoretical solutions (published even in top conferences or journals) are not practical. However, there are very many useful research that could well be utilized; they are not implement for one reason or another. One of the main reason is that most of businesses/agencies/users don't see a ROI on having security/privacy because the effect is not immediate. I'd also like to encourage in this post to think about security/privacy up front, no matter which stakeholder you are.


It is not a secret that cloud computing is getting a lot of attention these days. I think that the economies of scale (or the on demand elasticity) is the biggest drive for this compared to conventional IT outsourcing - money matters!. You can pay for the amount of storage you use or the amount of computational power you use. Not only businesses but also government agencies are moving to what appears to be the current big thing. (wonder what the next big thing might be?)

If you can relate to, for example, Amazon EC2, S3, Google Apps, free email services, chat serivies, Yahoo pipes, flickr, facebook, youtube, hulu, Zoho, 3Tera Applogic, etc. you are living in the cloud! irrespective of whether it's free, consumption based or subscription based. It's pretty much everything we currently do (I am not a big fan of cloud defintions; further there are disagreements about the origin of clouds [4] which I am not going to look at here).


Quote:
The Pew Internet & American Life Project released survey results in September 2008 reporting that 69 percent of Americans who are online use Web-based e-mail, store data or use software applications over the Internet. In October 2008, the market research firm IDC forecast that spending on IT cloud services would reach $42 billion by 2012
[2].

Let me start the $subject with the following quote:
"Privacy and security are the number one concern of organizations that are thinking about going into the cloud space." said Brendon Lynch, senior director of privacy strategy for Microsoft's trustworthy computing group [1].

What are these privacy/security concerns? The rest of the post aims to look into them. As we know,
privacy/security can only be as good as its weakest link. The goal is to identify those weakest links.


In all cloud arrangements (SaaS, PaaS or IaaS), your data end up being in someone else's hand outside of your security perimeter.
(I am still a free cloud user; I use gmail a lot, upload my documents to Google Apps, occasionally share some photos in Yahoo Flickr, share in Facebook - I don't know where all my online data, including sensitive data, physically reside - but my desire to have the data available from anywhere and to connect with people, has overridden the perceived risks.) Is the issue new? Not really. Well before the current clouds, there have been services to outsource network storage, databases, host web sites and IT services which also move your data out of your organization. What's different here? I see the following differences.

1. In clouds, we know that the data reside in one or more data centers, but we don't know which ones - not limited by space or geography. What are the legal/privacy/security implications?
2. Oursourcing has never been this cheap; an incentive to use the cloud which is not the case with the traditional outsourcing. What could go wrong, if it becomes perversive?


Does the locality of the data in the cloud matter? No physical boundary is an interesting outcome of the cloud. Note that different countries have their own legal framework. For example, data protection laws in US are very different from those in european countries (EU is more strict). In other words, depending on the locality of your data, you'll have different expectation of privacy. If a company X resides in a EU country, but their customers are mainly from USA. Due to differences in legal protections, I am not sure if X (consumer of the cloud) can ask the cloud provider to host their data/service in USA. Even if it is allowed, does X make an informed decision? Since the data resides closer to customers, it would be fast to access them; but what about security/privacy protection? If there's a data breach, in USA there will be less protection compared to EU. [On a positive note, inability to trace to a specific location is good thing from the security PoV; this provides some level of anonymity; if the attacker does not know where the target is, they have nothing to attack at]

How can a cloud provider efficiently identify if a consumer sticks with the terms of service (e.g: AWS ToS prohibits illegal uses)? Further, if a consumer uses the cloud services in a way that threatens, say, national security, but the cloud provider is unaware of it, who is held liable for the threat? Consumer or service provider or both? Extensive work on anomaly detection in the IDS research area could be very useful in this regard. Even if there are good anomaly detection techniques available, how do we define anomalous patterns in the cloud?

Can misbehaving consumers affect the benign ones? AFAIK, many cloud providers use Xen virtual machines. However, unless you pay extra, you, as a consumer, have to share the same physical machine or even same virtual machine. Virtualization techniques provide certain level of insulation, but I am sure there is an increased interest in this area as way of improving security in the context of cloud computing.

How long can a cloud provider retain my data after deleting? Also, once you put your data in someone else's facility, can you ever be sure of that they removed it completely? Deleting data once you indicate to the provider the intension is trivial if the provider manages only a few consumers. However, with the exploding use of the clouds, this has become a challenging problem. The report by
Joseph Bonneau backs up this with the results from real applications [6]. For performance reasons, most of the providers delete them just like how the recycle bin works in your computer. For example, facebook retention policies say that "When you update information, we usually keep a backup copy of the prior version for a reasonable period of time to enable reversion to the prior version of that information". Like facebook, most of the vendors do not give a specific time about how long they retain your data in order to prevent legal actions against them. Clouds are increasingly used to store PII (Personally Identifiable Information) and the failure to delete them promptly could violate user privacy when the PII is available long enough for an attacker to obtain. It is a challenging task for cloud providers to balance performance and privacy/security in this regard - architecture/design should consider these concerns together, not in isolation. For consumers, it is better to choose a provider that provides quantitative/better claims about data retention period in their policies.

How can the cloud live up to the perimeter security expectations of consumers? Nico Popp at VeriSign raises the interesting question "what does perimeter security mean when the perimeter extends beyond the familiar boundaries of today's corporate network?" [7] In the current conventional setting, enterprises have their perimeter security controls (firewalls, IDS, etc.) placed in-premise either managed by themselves or outsourced; they protect the enterprise infrastructure, data from malicious traffic, malwares, unauthorized accesses, etc. With cloud computing, enterprises mobile users will be accessing organization's resources without going through the in-house perimeter security controls. It should be clear that the cloud computing create the need to have a some kind of proxy sitting between the cloud and the mobile users. Who should provide this proxy service? One approach is to have cloud providers, such as Google App engine, Microsoft Azure or Amazon EC2, themselves provide a security layer over the cloud. This may require them to go beyond their core competencies. An attractive solution is to provide Security-as-a-Service by third party who already has expertise in conventional perimeter security. In fact, Gartner predicts that by 2013 cloud-based services in messaging security controls will account for 60 percent of revenue [9]. For example, Zscalar does exactly that. The following diagram shows how it works:

(Courtesy: Zscalar)

Can enterprises let go of in-premise perimeter controls? They will still need to have some control in place. This brings the burden of having two sets of security controls in place (cost, management, etc.). Can we combine these two together? What are the challenges in doing so?
[On a positive note, there have been some research indicating that computers can be better protected against viruses if the anti-virus software is move to the cloud [10]].


In Part 2, I am hoping to discuss about the ownership of data, the control, what you can expect from free and commercial cloud services and some generic issues such as confidentiality and integrity (in light of insider attacks). So stay tuned. And feel free to comment/criticize/correct anything I have mentioned here.

References:
[1] http://www.informationweek.com/news/windows/security/showArticle.jhtml?articleID=221600544
[2] http://www.govtech.com/gt/727301?topic=117671
[3] Privacy in the Cloud Computing Era - A Microsoft Perspective
[4] http://www.cerias.purdue.edu/site/blog/post/a_quick_note_about_cloud_computing/
[5] http://blogs.cisco.com/security/comments/data_security_and_the_cloud/
[6] http://www.lightbluetouchpaper.org/2009/05/20/attack-of-the-zombie-photos/
[7] http://blogs.verisign.com/innovation/2009/06/are_clouds_of_change_looming_o.php
[8] http://www.technologyreview.com/computing/21303/
[9] http://www.gartner.com/it/page.jsp?id=722307
[10] http://www.eecs.umich.edu/fjgroup/cloudav/

Sunday, October 18, 2009

Fixing "font not embedded" issue to pass the IEEE PDF eXpress check

We recently had to make the format of a paper complaint with the IEEE PDF eXpress format. The paper did not pass the check in the first few attempts. Hence this blog post. I'd like to thank my colleague Ning Shang who did the most of the fixes to get it working. I am listing the fixes here so that anyone else who encountered similar issues may find this post useful.

Before that, I work on Ubuntu 9.04, kile 2.1 (the IDE), use the tools latex, bibtex and dvipdf to generate pdf files from tex/bib/cls files. (i.e. latex file.tex; bibtex file; (to attach the ref.bib file) latex file.tex; dvipdf file.dvi to finally get file.pdf)

The tex file uses the IEEE conference style. Additionally we used the following packages initially:
times, epsfig, graphicx, url, verbatim, amsmath, amsfonts


Issue #1: Document contains bookmarks
Fix: We had to remove the url package from the included packages lists and convert \url{address} to {address} in ref.bib.

Issue #2: Font Times-Italic, Times-Roman, Times-BoldItalic, Times-Bold, Helvetica, Courier is not embedded.

You can see what fonts are embedded and what are not, by using "pdffont file.pdf" and looking at the "emb" column. In our case, it did show that some fonts are not embedded.

Fix: We searched the Internet [1, 2]and found that in order to fix this (i.e. to embed all the required fonts) we need to do the conversion from tex to pdf in two stages. This is a dirty hack; but it works.

latex file.tex
bibtex file
latex file.tex
latex file.tex (Now we have file.dvi)
dvips -Ppdf -G0 -tletter file.dvi (Now we have file.ps)
ps2pdf -dCompatibilityLevel=1.4 -dPDFSETTINGS=/prepress file.ps file.pdf (Now we have file.pdf)

Thursday, October 15, 2009

Accountability or anonymity or can we have both?

This blog post was prompted from the question "what is important accountability or anonymity when it comes to online activities?" (short answer: it depends :)

Accountability is all about holding an individual accountable for what (s)he does; it's about identification. Anonymity, on the other hand, is about de-identification and the privacy of individuals.

From the PoV of on-going research, I find three main areas under which anonymity is being considered (am I missing any other ones?)

1. Anonymous access to resources
Here the goal is to allow users to access some service or resources anonymously - without revealing their identity. It's mainly about unlinkability - no two transactions can be linked to a single transaction. Bob buys a T-shirt from JC Penny and a denim from Old Navy; he used the same Chase credit card for both transactions. Bob may not want his bank, Chase, to know how he spent his money for privacy reasons - if it works like this, it provides unlinkability for Bob at his bank. However, unlinkability, in this case, may be undesirable due to security reasons; if the transactions cannot be linked to Bob, it would be really hard, if not impossible, to identify fraudulent activities by bad users. If Bob really wants to prevent his bank from knowing how he spent his money, the safest way is to use cash - that's the price Bob needs to pay to remain unlinkable! Note that are many cryptography based e-cash scheme to achieve the same objective.

As you can see, the decision to go anonymous has a cost. The issue is to decide if the benefits weighs higher than the cost. Take another example. You may not like, for example, Marsh or Pay Less, tracking all your transactions - you loose your privacy apparently without any gain for you. What if the loyalty card from Marsh or Pay Less, gives you a discount on most of the items you buy? Most of us (at least graduate students) will go for the loyalty card. The problem here is that there is no way for us to quantify the cost of loosing privacy (shopping history) and further the effect of loosing privacy may not be immediate.

What about online services? Would you be comfortable if a digital library service records all your moves? Think about it; when you go to a public library in your area, you can read whatever books, newspapers, magazines you want and whatever sections you want without being noticed/recorded. Anonymization techniques may come into your rescue and protect your privacy (i.e. your reading habits). But what do you loose for your privacy? If you are not being anonymous (unlinkable), the digital library service may offer you a better service by recommending books, magazines that are closely related to your reading habits. Same goes with online shopping web sites. Another related note, your online access traces could be a valuable source of income for free services such as youtube, hulu, etc.

2. Anonymous publishing
Here I am talking about publishing content without revealing your real identity. Most of the time it is a pseudonym under which one publishes. Publications could be writing a comment, blog post, news article, a paper, posting photos/videos, tweeting, etc. A pseudonym hides your real identity but does not prevent linkability. There are system such as FreeNet, Publius that even make it difficult, in not impossible, to censor what is published; once you publish, no one can take it out. There are good and bad things about anonymous publishing. It is a good thing if some one wants to voice their political opinion or something similar without having to face any repercussions. We make a very important implicit assumption here; the society we live always act good and whatever they do falls under what we perceive as 'acceptable'. It'd be naive to think we can always assume this to be true. We do have bad guys - true - it's only the minority - but this minority could do major damages. A simple example is to defame others hiding behind the screen for personal, political, business etc. advantage. Isn't it a cowardly act? No question about it.

Here's an example about a defamatory blog (in the own words of the victim - let's call him "Joe"):
There is someone who, for complicated psychiatric reasons, developed a severe dislike of me. This is an extraordinarily vindictive and immature girl whom I have NOT wronged in any remotely substantial way. She created an anonymous blog and posted alleging falsely that I'm gay and saying a number of inaccurate and very negative things about my character. (Basically, name-calling.) I'm concerned that this will affect future job prospects since the post appears within the first couple of pages of search results for my name. She confirmed to a mutual friend that she wrote the blog but refused to take it down. Google/blogspot says they don't take down defamatory posts without a court order.

(I am not sure what exactly is legally considered as defamatory. Let's assume it's considered defamatory. What actions can Joe take? IMO, hiring a lawyer for not so grave an incident like this may cost Joe. If he's worried about his online reputation, first thing he should do is to increase the online presence by posting/blogging true facts out, writing about topics of interest, etc. )

Now apply this to a business, corporate level or a popular person or even a major religion. The problem comes when we allow people to freely publish incorrect/falsified information without being accountable. Censor resistant systems makes the problem worse.

3. Data anonymization of statistical analysis
Here we talk about modifying existing records such that sensitive/private information about individuals cannot be inferred from the published data. For example, Alice is doing a survey of cancer patients in Indiana. A good source for her survey is medical records and patient information in the hospitals in Indiana. However, hospitals may not be willing to give Alice row data as it would violate patient privacy (and in fact not allowed under law). Since this study could be beneficial (e.g. correlating cancer to location, public facilities, living habits, etc.), hospital can anonymize the data such that Alice cannot link what is provided to her with individual residents of Indiana. In the research literature, there have been many work done in this area; k-anonymity, l-diversity, t-closeness are just to name a few. A key issue here is the trade-off between privacy and utility. The data can be completely anonymized providing the highest level of privacy but without any utility all or the data can be published as it is providing the highest level of utility but without any privacy. On-going research tries to strike a balance between these two parameters - sufficiently protect individually identifiable data and still able to perform statistical analysis. I don't have any problem with this type of anonymization; in fact, this type of anonymization is encouraged before releasing data for studies.


As we all know, if you take any real user base, a vast majority of them are good users and only a few of them are bad users. So whatever solution we provide should be beneficial to the vast majority. Since anonymity helps good users in certain scenarios, should we focus more on anonymity over accountability? There are consequences.


As per the first two types, a bad effect of anonymity is that it may reduce the accountability one perceives to have for their actions. This could be an incentive for good people to turn bad and bad people to worse. My mother used to tell us that too much of any thing is not good. The same applies here. We need to define an 'acceptable' level of freedom of speech and censorship resistance. IMO, there should be a way to identify bad people in anonymous systems while good people continue to remain anonymous.


Another bad side of anonymity is related to trust. We trust a publication that explicitly mentions the authors than an anonymous publication, don't we? Of course, there are other ways to increase the level of trust we place. For example, many people like it, if the author goes under a pseudonym and that pseudonym has a good history of publication, if it backs up the facts with citations or if it is a shared content management system (like wikipedia) and there is less dispute by other users, etc.

Here's another interesting point raised by Sarah Hinchliff Pearson in her blog:
The National Fair Housing Alliance (NFHA) has been fighting a defamation lawsuit brought by a real estate company that was the target of its fair housing testing. (Disclosure: I helped defend NFHA in this litigation at my prior firm.) NFHA conducted months of well-documented fair housing tests and then reported its results to the media. Despite NFHA’s due diligence, it has been subjected to the burden of ongoing litigation. Yet under amici’s proposed standard, it would likely not have faced this burden if it had reported the results anonymously on the Internet. By giving better protection to anonymous speakers, the heightened standard reflects an implicit judgment that anonymous speech should be valued more highly than regular speech. It also produces a perverse incentive for all speakers to withhold their name from reports, comments, and opinions online.

She argues that we should not place a premium on anonymous contributions. I agree with her when the anonymity is related to publishing. Further, anonymous access may not be desirable for access to restricted materials or when there is a legal requirement to audit. However, for routine tasks such as accessing a digital library (any other content that has a economical value but innocuous in nature), echoing your political opinion, it is desirable to have some degree of anonymity.

In conclusion, ideally I would like to see systems where good guys remain anonymous but bad guys are identified. Anonymity in certain cases is a good thing; but there are situations where it could lead to unpleasant consequences - that's where we need some level of accountability. In certain other cases, you may have to pay a price for remaining anonymous. It is likely the issues mentioned in this post will take time and effort to solve. You are more than welcome to provide your thoughts on this.

Update: 12/1/2009
Here's a good article about the dark side of Internet and it is related to the topic discussed above.

Tuesday, October 13, 2009

Thought of the day

I saw the following quote in a friend's feed:

"The saddest failures in life are those that come from not putting forth the power and will to succeed". ~Edwin P. Whipple

I cannot agree more with this quote. Personally, I don't mind failing. However, I feel bad when I fail knowing that I didn't put enough effort to succeed. The more I think about this quote, the more do I feel certain that it's not just the skill/talent that matters, determination/willingness to prepare yourself plays a bigger role.

I try to keep my game simple; there are no short cuts - you've got to practice hard every cricket shot you want to master - you've got to prepare even harder if you are to innovate a new shot. Now apply that to whatever game you play in life. What's your game plan?

Monday, October 5, 2009

Overcoming hibernate/mysql connection reset issue

One of the projects I have been working on uses Java1.6/JSP/Servlet/Hibernate3.2/Tomcat/MySQL5. Since it is just a prototype, I initially used the Hibernate's native connection pool management mechanism (which is not recommend for a production level deployment).

Every now and then, when we try to connect to the database server, it threw a connection reset exception. This happens because MySQL drops connections after every configured wait_timeout. But when I try to connect the second time, it works. It is not acceptable to have a piece of software that works in the second attempt! So, I tried different fixes.

I added the following property to hibernate.cfg.xml:

<property name="hibernate.connection.autoReconnect">true</property>

However it did not solve the connection reset problem. Still the first attempt failed. Apparently, the Hibernate's connection pooling library does not support this property.

From Hibernate (Jboss):
Hibernate's own connection pooling algorithm is, however, quite rudimentary. It is intended to help you get started and is not intended for use in a production system, or even for performance testing. You should use a third party pool for best performance and stability.

(It would be helpful for people to inform what is working and what's not. But can't complain these are free stuff.)


There are three possible avenues:
1. modify mysql.cfg to have a longer wait_timeout
2. use Tomcat managed connections
3. use a third-party connection pooling library

The first two options are out of my control and we only have limited privileges to mysql and tomcat instances. So, the only option was to look into #3.

I downloaded c3p0 and added the following configurations to hibernate.cfg.xml file have a basic setting (I did not try to optimize these figures just used the numbers that worked for others since the objective is not performance tuning, but to get it working.):


<!-- Min pool size -->
<property name="c3p0.min_size">5</property>

<!--Max pool size -->
<property name="c3p0.max_size">20</property>

<!-- Max idle time -->
<property name="c3p0.timeout">1800</property>

<!--Max statements - size of the prepared statement cache -->
<property name="c3p0.max_statements">50</property>

<!-- Set the pooling implementation to c3p0 -->
<property name="connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>


Those are the basic pool settings. Still, the problem of first time failure is not solved. We need to tell c3p0 swallow the first failure and transparently connect in the second attempt. This does have a performance issue - every time when you want to connect, it does this.

You have to set an extra c3p0 property using c3p0.properties file. Add the file c3p0.properties to the root of the class path (in classes or WEB-INF classes for example) and turn on the c3p0.testConnectionOnCheckout property in that file.

c3p0.testConnectionOnCheckout=true

Note from Hibernate:
Don't use c3p0.testConnectionOnCheckout, this feature is very expensive. If set to true, an operation will be performed at every connection checkout to verify that the connection is valid. A better choice is to verify connections periodically using c3p0.idleConnectionTestPeriod.

As you can see, they do recommend a polling based approach where Hibernate periodically checks for idle connections. But I guess this also depends on the how frequently the hibernate layer is accessed. In our case, it is not that frequent. I didn't try that option but it should work.

Other pooling libraries such as Apache DBCP, Proxool should also work. But I didn't have time to check them out.
 

References: 1, 2, 3, 4, 5

What DHS knows about you

If you just wonder what DHS collects about you from travel agents, read on.

It is a good idea to use cash or use a one time credit card number (like the one Citi bank issues - which allows you to set exp. date, credit limit and have multiple numbers) if you are booking through a travel agent (and concerned about security/privacy) (assuming your PNR is passed to DHS upon booking?).

Or, we need ways to fly under the radar. Anonymous booking?

You can request your PNR's and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS). I haven't tried this. This link shows how to.

Both travel agents and airline reservation staff:
The CBP eventually admitted that their records include information about travel agents and airline reservation staff...

They collect information from other sources as well:
In February 2009, the DHS admitted that Amtrak and bus companies "voluntarily" provide the DHS with information on bus and train passengers travelling between the USA and Canada and Mexico.

Your travel data may be shared with other parties in addition to DHS:
If you traveled on an airline based in the European Union, or made your reservations or bought your ticket in the EU or from an airline office or travel agency or tour operator in the EU, you can also request your records (including an accounting of what information they passed on directly to the DHS or outsourced or transferred to Computerized Reservation Systems (CRS's) or other commercial entities in the USA), from the airline, travel agency, tour operator, or CRS. Even if they claim that you "consented" to data sharing, EU laws require that they disclose, on request, exactly what data about you they have "shared", and with whom. Note that you can make such a request of a USA-based airline if you bought your ticket from them in Europe. EU data protection law is applicable whenever data is originally collected in the EU, regardless of your citizenship or where the company is based...By subscribing to CRS's based in the USA, and by participating in code-sharing and other marketing (and data sharing) "partnerships", most airlines, travel agencies, and tour operators based in the EU have effectively outsourced and offshored the storage of all of their PNR's and customer data.

Reference: 1, 2

Saturday, October 3, 2009

Open decentralized microblogging

I recently wanted to access twitter updates through facebook. I clicked on the add twitter application, but after seeing the authentication anti-pattern they are using I backed off (yet, many of my friends have added it; looks like their perceived risk is less than the benefits they expect).

If an imaginary dude added twitter in to their FB profile, the conversation would have been as follows.
Dude: hey FB, I want to access Tweets.
FB: sure dude, give me your Twitter username and password. (domain - facebook.com)
Dude: my Twitter username and password.
FB: hey twitter, I am (pretending to be) the dude with this user name and password.
Twitter: hey dude (actually FB pretending to be the dude - which Twitter does not know), you are authenticated and welcome back to Twitter.
FB: dude, now you are all set.

Do you want to allow FB (or any other third-party service provider) to predend like you to some other service you are already using (e.g. Twitter)? What are the possible risks/benefits of doing it?

At least there are some positive signs, Twitter already has an OAuth API (They would also like to drop the basic authentication API that uses the above conversion pattern; I guess they continue to keep it due to migration/usability issues). I would feel little safer (but not completely) if the FB folks the following conversation using a delegated authentication mechanism.

Dude: hey FB, I want to access Tweets.
FB: No problem dude, I am sending you to Twitter (open ups a new browser window - domain twitter.com).
FB: hey Twitter, a dude wants to connect to Twitter.
Twitter: hey dude, FB (or any other third-party dude) wants to access your tweets; you cool with that?
Dude: yep, I am. (Dude type his/her username and password and give approval)
Twitter: hey FB, use this token to access Dude's tweets.
FB: dude, now you are all set.

Notice that the dude did not have to give private information such as twitter password to FB. In other words, the twitter password is still under the control of the dude. Nabeel's dilemma: should I wait till FB provides such an application or should I sacrifice my private information and go ahead with the current application?

It may appear I have derailed from the $subject of this blog post, but I was telling all this to motivate you about the need to have an open decentralized microblogging (aka the $subject). There has been some research work in this area. I found the following paper interesting in this regard.

Birds of a FETHR: Open, Decentralized Microblogging by researchers at the Rice university.
Abstract:
Microblogging, as exemplified by Twitter, is gaining popularity as a way to exchange short messages within social networks. However, the limitations of current microblog services—proprietary, centralized, and isolated—threaten the long-term viability of this new medium. In
this work we investigate the current state of microblogging and envision an open, distributed micropublishing service that addresses the weaknesses of today’s systems. We draw on traces taken from Twitter to characterize the microblogging workload. Our proposal, fethr, connects
micropublishers large and small in a single global network. New messages are gossiped among subscribers using a lightweight http-based protocol. Cryptographic measures protect authenticity and continuity of updates and prove message ordering even across providers.

Wednesday, September 30, 2009

Too much trust is not a good thing

In any organization, you won't disagree that we need to have some level of trust in order to have a healthy working environment. Project managers trust developers to meet deliverables and develop according to the specification. System/network administrators are trusted not only to keep the infrastructure functional but also safe-guard from outsiders. Hospital employees are trusted not to misuse patient records. Bank employees are trusted not to misuse/illegally modify financial records. This very own trust could be a negative factor. I found this interesting report which explains three traps. The report is a result of a workshop of 25 research from various disciplines in 2004 to come up with a systems dynamic model in order to better understand insider threats/attacks.

The following diagram shows a simplified version of the full systems dynamic model. '+' indicates a proportional relationship and '-' indicates a inversely proportional relationship.


Detection trap:
Have you ever wondered, most of the time when an organization comes under an attack, they are usually under-invested on security control or they don't have any security controls at all? The detection extracted from the above diagram is a good explanation of this observation.

When the organization's perceived risk increases, the management is willing to invest on detection measurements (in the hope that the perceived risks will lower). With better detection mechanisms, it is likely to detect more insider attacks/attempts for such attacks. When the number of cases go up, it is natural to perceive that the organization is under higher risk. See, this loop feedbacks. At the same time the inverse is also true! At some point in time, the organization may perceive that the perceived level of risk is low (due to better education, better controls in place, better management, etc.). This motivates the management to invest less on detection capabilities. With a few measures to catch wrong doing, it is like that not many cases are caught. Now the organization may perceive even less risk as not many cases are detected. Notice the loop feedbacks in this case as well. Hence the detection trap.

Trust trap:
Sometimes, good intentional measurements from the management may themselves lead to attacks. The following digram shows how it unfolds with the level of trust the management has on its on employees.


When the management perceives a higher trust on the employees, they may decide that they don't need to have extensive security controls to monitor their employs in the belief that there will be hardly any employee who will turn an enemy of the company. With less detection capabilities, it is natural to see that there will only be a few detected attacks while many go unnoticed. With fewer reported attacks, the managerial trust goes even higher. This loop also feedbacks and hence creates the trust trap. Why does it happen like this? One possible reason, as the loop feedbacks, the perceived level of risk by the employees of getting caught falls down.

Unobserved emboldening:
While those two pitfalls continue to feedback, the following shows how the perception of risk by the employees/insiders change and then lead to full blown attacks.


When an insider attempts to do something wrong and it goes unnoticed, their perceived risk of doing that falls down. Hence, they they tend to do more probing. Notice that this loop also feedbacks, lower the perceived risk each iteration. (This scenario is true with other situations. When a person does something that is not acceptable by the society and it goes unnoticed, that person may tend to even bigger crimes. It does not always need to be a crime. The intention could innocuous. For example, a person may speed for fun. If that person is never copped, they may be tempted to go even faster.) When the perceived risk goes below a certain threshold, the insider may carry out the actual attack.

It should be noted that not all insiders act like this. In fact, this is only the minority. (Security controls are there to protect against a few bad people while making sure the good majority is not negatively affected by these measurements) This happens only when things go wrong, when things don't work out the way the employees want - for example - no recognition for work, no bonus/salary increase or less pay, possibility of being laid off, etc. In any case, in order to have a healthy and safe working environment, the management need to show a certain level of trust while keeping the perceived level of risk (as perceived by insiders) at an acceptable level (e.g. by training, by legally prosecuting wrong doers, security controls, etc.).

Ref: Preliminary System Dynamics Maps of the Insider Cyber-threat Problem, 2004.

Insider Threats: People-Process-Control


I recently did a presentation on the $subject. You can access the slides from here. I used to think that if you have nearly perfect security control in place, you have a higher probability of surviving from malicious attacks. But the more I work in this area, the more I am convinced that technology plays only a partial role; People and Process play a bigger role. It is more evident if you look at insider attacks; these are carried out by people who have legitimate access to the systems/resources.

Saturday, September 26, 2009

The power of wikipedia :)

Softball rules.. (credit PhD comics)

Yesterday, we wanted to double-check the wallyball (not volleyball) rules.

Thought of the day

We all have ability. The difference is how we use it.
~Stevie Wonder

This is very true. I always believe that each and everyone of us can do almost anything that others have done/have been doing and more! It is just that some people need some guidance/direction to figure out their abilities and put them into good use. For example, as a kid, I was terrible in math and didn't like it much at that time. (my early school records indicate this). However, with time (different people triggers at different times), good guidance (will never forget a few very special people) and self-motivation (encountered a few incidents which made me think hard), I turned math into one of my favorite subjects.

On a related note, I know some people who are really talented but are unfortunate in one way or the other (mainly due to factors out of their control - only the God knows why). They deserve our help who are blessed with many things in life. Making a difference is harder than earning money which comes and goes..

Thursday, September 24, 2009

My personal information at your business is not safe!

I was surprised to see the following results from a recent survey.

(Credit: Impreva)

This is a good example about the fact that many organizations do not view security as a top priority. The management is not willing to invest extra money to comply with security standards - especially true for small companies. They don't see the ROI (unless the security is breached). It is interesting to see more than half don't have faith in standards (PCI DSS); is it due to lack of knowledge about the standards or is it perceived to be more costly to have security measure in place compared recovering from a security breach? On second thought, I shouldn't be surprised about these results considering the large-scale breaches (1, 2, 3, 4, 5) we continue to see.

Thursday, September 10, 2009

OLPC reaching SL students

It is good to see OLPC reaching underprivileged schools in Sri Lanka. These XO laptops are equipped with local languages as well. I personally prefer if students are taught to use in English language; this will not only shink the gap of IT skills in urban (mainly in and around Colombo, and some other main cities) and rural areas, but also English language skills.

Our ICDE 2010 paper

Our paper "A Privacy-Preserving Approach to Policy-Based Content Dissemination", Ning Shang, Mohamed Nabeel, Federica Paci, Elisa Bertino is to appear in the upcoming ICDE (International Conference in Data Engineering) 2010 conference. The acceptance rate for full papers is around 12.5%.

Abstract:
We propose a novel scheme for selective distribution of content, encoded as documents, that preserves the privacy of the users to whom the documents are delivered and is based on an efficient and novel group key management scheme. Our document broadcasting approach is based on access control policies specifying which users can access which documents, or subdocuments. Based on such policies, a broadcast document is segmented into multiple subdocuments, each encrypted with a different key. In line with modern attribute-based access control, policies are specified against identity attributes of users. However our broadcasting approach is privacy-preserving in that users are granted access to a specific document, or subdocument, according to the policies without the need of providing in clear information about their identity attributes to the document publisher. Under our approach, not only does the document publisher not learn the values of the identity attributes of users, but it also does not learn which policy conditions are verified by which users, thus inferences about the values of identity attributes are prevented. Moreover, our key management scheme on which the proposed broadcasting approach is based is efficient in that it does not require to send the decryption keys to the users along with the encrypted document. Users are able to reconstruct the keys to decrypt the authorized portions of a document based on subscription information they have received from the document publisher. The scheme also efficiently handles new subscription of users and revocation of subscriptions.

I am planning to make slides and other materials related to this work available to everyone soon.

Wednesday, September 9, 2009

Meditation..

The geek way of meditation :)

(Source: The joy of tech)

Wednesday, September 2, 2009

Flu trend

Now that Purdue has increased the awareness on H1N1 Influenza, I just wanted to see how it is being treated in rest of the world. I used Google Trends assuming the volume of search is roughly proportional to what I am after (there may be better tools for this?). Looks like Asians are more obsessed with H1N1 Influenza (aka swine flu). Also checked the trend in USA..people in USA have also started to search on H1N1 again from last month; there's a similar tend in Indiana state (looking at the cities it appears to be mainly by people in universities P, IU, IUPUI) .

H1N1
- All regions in 2009 for the term H1N1
Swine flu - All regions in 2009 for the term "swine flu"

Monday, August 31, 2009

Thought of the day

"Our intentions and goals alter the information that the brain pays attention to." (ref)

Cybersecurity awareness sessions at Purdue

This could be of interest to those who would like to be aware of the data security policies and procedures at Purdue.

Wednesday, August 19, 2009

Thought of the day

From Kung Fu Panda animation which I have watched many times:

Master Oogway (MO): Yesterday is history, Tomorrow is a mystery, But today is a gift. That is why it is called the "present".

...

MO: There are no accidents..you just need to believe.

...

And one of my favorite scenes is..

Master Shifu (MS): No one knows..But legend says you will be able to hear a butterfly's wings beat.
Po: Wow! Really? That's cool.
MS: Yes! And see light in the deepest cave..You will feel the universe in motion around you.
Po: Wow! Can I punch through walls? Can I do a quadruple back flip?
MS: Focus. Focus. Focus!

Saturday, August 15, 2009

Thought of the day

We tend to LIKE people who mostly talk GOOD about others. We tend to DISLIKE people who mostly talk BAD about others. I don't know why we feel like this way but this is the way it is. Ever thought about which category of people you fit into?

Lack of natural resources is not a barrier

I recently visited UAE; spent most of the time in Dubai and Sharjah. I was simply amazed by the rate of economic growth in this country given that the country is basically a barren land. (Unlike other middle east countries, here only 7% of the economy is made up of oil) Even with the harsh weather conditions they have, they have been able to attract people all over the world to invest in their developments & trades and make up for what they don't have.

We in Sri Lanka sometimes complaint that we cannot grow since we don't have natural resources, mainly oil. Comparing to UAE, SL has a far better landscape but still we are way behind in development or as a tourist destination. IMO, we as a country don't have a vision what it will look like in, say, 10 years; the government is not committed to have such a vision.

Why is that brain drain is so common in SL? I have many educated friends who have migrated to different countries..it's true we get foreign currency but the damage caused by that is far greater; the government does not have a plan to retain educated people in the country.

It is time we as a country realize these weaknesses and have an action plan to overcome them.

(I am no expert to comment on the economy; this is what I feel about it).

Friday, August 14, 2009

Thought of the day

Do what you want and be REAL.

There’s no reason to want everybody to like you. Do what you want and let whatever happens happen. Some people will love you. Others will hate you. That’s fine.


Reference: here

Wednesday, July 15, 2009

I'll be there

Jackson five - I'll Be There, Show 1972

Lyrics:

You and I must make a pact, we must bring salvation back
Where there is love, I'll be there

I'll reach out my hand to you, I'll have faith in all you do
Just call my name and I'll be there

I'll be there to comfort you,
Build my world of dreams around you, I'm so glad that I found you
I'll be there with a love that's strong
I'll be your strength, I'll keep holding on

Let me fill your heart with joy and laughter
Togetherness, well that's all I'm after
Whenever you need me, I'll be there
I'll be there to protect you, with an unselfish love that respects you
Just call my name and I'll be there

If you should ever find someone new, I know he'd better be good to you
'Cause if he doesn't, I'll be there
Don't you know, baby, yeah yeah
I'll be there, I'll be there, just call my name, I'll be there

(Just look over your shoulders, honey - oo)

I'll be there, I'll be there, whenever you need me, I'll be there
Don't you know, baby, yeah yeah

I'll be there, I'll be there, just call my name, I'll be there...

Will you be there

Artist: Michael Jackson (from the Dangerous album, 1991)

One of my favorite songs by him..

Lyrics:
Hold Me
Like The River Jordan
And I Will Then Say To Thee
You Are My Friend

Carry Me
Like You Are My Brother
Love Me Like A Mother
Would You Be There?

Weary
Tell Me Will You Hold Me
When Wrong, Will You Skold Me
When Lost Will You Find Me?

But They Told Me
A Man Should Be Faithful
And Walk When Not Able
And Fight Till The End
But I'm Only Human

Everyone's Taking Control Of Me
Seems That The World's
Got A Role For Me
I'm So Confused
Will You Show To Me
You'll Be There For Me
And Care Enough To Bear Me

(Hold Me) show me
(Lay Your Head Lowly)
told me
(Softly Then Boldly)
(Carry Me There)
I'm Only Human

(Lead Me)
hold me
(Love Me And Feed Me)
ye yeah
(Kiss Me And Free Me)
yeah
(I Will Feel Blessed)
I'm Only Human

(Carry)
Carry
(Carry Me Boldly)
Carry me
(Lift Me Up Slowly)
yeah
(Carry Me There)
I'm Only Human

(Save Me)
need me
(Heal Me And Bathe Me)
lift me up lift me up
(Softly You Say To Me)
(I Will Be There)
I Will Be There

(Lift Me)
i'm gonna care
(Lift Me Up Slowly)
(Carry Me Boldly)
yeah
(Show Me You Care)
Show Me You Care

(Hold Me)
whoooo
(Lay Your Head Lowly)
i git lonly some times
(Softly Then Boldly)
i git lonly
(Carry Me There)
yeah yeah carry me there
yeah yeah yeah
[Spoken]
In Our Darkest Hour
In My Deepest Despair
Will You Still Care?
Will You Be There?
In My Trials
And My Tripulations
Through Our Doubts
And Frustrations
In My Violence
In My Turbulence
Through My Fear
And My Confessions
In My Anguish And My Pain
Through My Joy And My Sorrow
In The Promise Of Another Tomorrow
I'll Never Let You Part
For You're Always In My Heart.


Smile

Artist: Michael Jackson, 1995 ( originally from the 1936 Charlie Chaplin film Modern Times)

Lyrics:
Smile though your heart is aching
Smile even though its breaking
When there are clouds in the sky, you'll get by
If you smile with your fear and sorrow
Smile and maybe tomorrow
You'll find that life is still worthwhile

If you just
Light up your face with gladness
Hide every trace of sadness
Although a tear may be ever so near
That's the time you must keep on trying
Smile, what's the use of crying?
You'll find that life is still worthwhile

If you just
Smile though your heart is aching
Smile even though its breaking
When there are clouds in the sky, you'll get by
If you smile through your fear and sorrow
Smile and maybe tomorrow
You'll find that life is still worthwhile
If you just smile

that's the time you must keep on trying
Smile, what's the use of crying?
You'll find that life is still worthwhile
If you just smile


"A day without a laugh is a wasted day." ~Charles Chaplin


Tuesday, July 14, 2009

HMAC truncation vulnerability in XML signature

This blog post nicely explains the HMAC truncation security vulnerability in XML digital signature specification. In short the specification allows to truncate the signature to any length. If this length is too small, an adversary can guess the correct truncated HMAC with a high probability and hence the security vulnerability. Specifically, this leads to authentication bypass or forging.

I am not sure if there exists any security proof about truncation (reduces to birthday attack?). Generally speaking, smaller signature provides a higher entropy and hence less information to the attacker. But at the same time, attacker has to guess only a fewer bits. In any case, the truncation should not be less than 80 bits, since below this length is considered to be vulnerable to brute force attacks with the current computational capabilities of adversaries. What if the truncated length is less than half of the length of original MAC output? Then it is succeptible to birthday attacks.

Are you as an application developer vulnerable to this attack?
If you are using an XML digital signature library that allows to set any arbitrary truncation length, you'll need to enforce a minimum safe length depending on the algorithm you are using. The good news is most of the libraries including XML security library have already provided pathes for this. If you are a library developer, you probably want to release a patch to users.

Tuesday, June 30, 2009

The road not taken

Two roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;

Then took the other, as just as fair,
And having perhaps the better claim,
Because it was grassy and wanted wear;
Though as for that the passing there
Had worn them really about the same,

And both that morning equally lay
In leaves no step had trodden black.
Oh, I kept the first for another day!
Yet knowing how way leads on to way,
I doubted if I should ever come back.

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
- Robert Frost

(literal interpretation, but not ironic [1])

Monday, May 25, 2009

5 simple steps to minimize insider threats

Insiders who have the trust can abuse this trust. I recently listened to an interview with one of my favorite security experts, Bruice Schneier, on this subject. Every organization can/should take the follow 5 steps to minimize/mitigate insider threats.

1. Have only a few trusted people.
By limiting the number of trusted people, you limit the possible threats.

2. Ensure that the trusted people are trustworthy.
For example, background checks, limiting to citizens, bonding employees, etc.

3. Limit (compartmentalize) the trust each person has.
For example, give the key to her cubicle only not to other cubicles, give only user passwords not root password.

4. Give overlapping sphere of trust (Make it compulsory to require two or more people to get the task (usually very sensitive and can have profound consequences) done).
For example, co-signers, secret sharing schemes, if you are a Knight Rider fan, you must have seen that to activate the self-destruction mode on KIT two people's finger prints are required.

5. Detect breach of trust and prosecute. Auditing is used for this purpose. Having an audit system in place may deter people from breaching trust as well as provide evidence if breached. Whatever system in place should be tamper resistant and provide sufficient details of user actions/behavior.

As you might have noticed, these 5 steps are nothing new, but you'll be amazed that many organizations don't have these basics right.

Wednesday, April 15, 2009

Some thoughts..Winning the war is only the first step to win peace

With the LTTE terrorists (Tamil tigers) being defeated militarily, Sri Lankan government still needs to take considerable actions to restore the faith in Tamil and Tamil-speaking civilians. Terrorism in any form is not acceptable. LTTE is one of the most dangerous terrorist organizations in the world [FBI 0,1,2]. They carried out many atrocities and most of the time innocent civilians have to suffer [3]. There is no question they should be defeated and wiped out of the Sri Lankan soil. The SL government has rightly done so.

Military solution alone will not solve the problem we are currently facing; a political solution should be implemented to correct the issues including the root cause of this whole issue. IMHO, the language is the root cause. 1956 Sinhala only act was a key contributor for Tamils and Tamil-speaking civilians to feel discriminated. This was corrected later; after 1987, India-Sri Lanka accord, Tamil language was accorded the same official status as Sinhala language. Even after 20 years making both Sinhala and Tamil as official languages, we don't seem to have got it right. It is natural to feel that you are not one of them if you don't speak their language or if they don't speak your language; or you feel neglected; language divide people. I have a lot of personal experience to back up this fact. Perhaps, the issue is more visible to me as I speak both languages. So, what should be the way forward? The government has to genuinely commit itself to bridge this language gap and we, as citizens, have the responsibility to do our parts. (There have been already some measures to make both Tamil and Sinhala languages compulsory for public service positions and to add to the school curriculum; but that is not sufficient.)

It is time we, citizens, take every possible action to heal the wounds that have been around for decades. Sometimes, I feel offended by the arguments made by both parties [1]; "Sri Lanka is the homeland of Sinhalese", "(Some parts of) Sri Lanka is the homeland of Tamils". Unless we get ourselves rid of such mentality, we will continue to have divisions. Sri Lanka is the homeland of all ethnicities. One ethnicity is not superior or inferior to another. We will have the real peace in our country on the day we start to treat everyone equally and with dignity. I sincerely hope that this day is not far away.

We, as educated people, can use our ability to bridge the language gap and improve the trust between differnet ethnicities. I don't think it is too much to ask from my fellow Sinhala-speaking friends/readers to learn the basics of Tamil and my fellow Tamil-speaking friends/readers to learn the basics of Sinhalese. There's a lot in common between these two languages.

I studied in Sinhala medium, speak in Tamil at home and stared learning to write in Tamil on my own with some help from my mother a few years ago. I am glad I did that. Now, I have more reasons to polish up my writing skills. Believe me, it is not that hard and you will enjoy the feeling of getting to know/being able to understand another language - a language that is spoken by fellow Sri Lankans!