The Cloud and Windows 3.1

What do Windows 3.1 and The Cloud have in common you ask?  To most people, probably not much.  But for me, the last few months and ‘the cloud’ have been a déjà vu back to my Windows 3.1 and DOS days.

Windows 3.1 was released when I started high school.  Prior to this, I had spent a great deal of time learning to code on my own in Basic, then Pascal, and eventually C.  I was the resident ‘computer support guy’ for family, friends and neighbours.  One individual I supported was my uncle, who was a Chartered Accountant.  He ran his own business (I am actually in what was his office as I write this post) supporting small and medium-sized businesses with accounting services.  All his clients were running DOS with an accounting program called Bedford.  My uncle would set them up on this software.  Customers would use it to manage their accounting, and bring him updated backup files from Bedford on floppy for him to provide the accounting services they required.  He was a very successful entrepreneur.  I held him in high regard and had much respect for him.  My uncle was not one for change, however.  He would change, but only at the last possible minute when all other options were exhausted.

As soon as Windows 3.1 came out, I had it installed and was figuring it out, using it and working with it.  My uncle, on the other hand, wanted nothing to do with it.  He’d been using and known DOS for years.  The idea of a graphical interface, a mouse, ‘clicking’ and ‘double-clicking’ were just silly when he could do everything from a keyboard (I agree with his mouse opinion though; I don’t like them to this day).  Eventually, Bedford came out with a Windows version and his clients wanted to upgrade their systems.  He kept as many of them as he could on DOS for as long as he could.  It was stressful for him.  He would often talk to me about it and I would try to convince him to be more open to it, showing him how to do different functions on Windows, helping him with issues, but for months he resisted.  One Saturday morning, he was in one of his moods, saying that DOS-based was fine, and he “wasn’t going to Windows.”  I tried a different approach.  I responded by saying “You are going to Windows Uncle Larry, it is not your decision.”  Anger flashed across his face (to this day, I remember that look, where he was standing, what he was wearing, staring at his little ‘punk’ teenage nephew who was telling him what was going to happen).  “It is my decision!” he responded.  “No, Uncle it isn’t.  Microsoft and Bill Gates have decided everyone is going to Windows 3.1.  You have no choice.  You are going.  The only choice you have is how long you can resist, but you are going.”  I remember him being really mad at me.  The result was an argument.  It didn’t last long and a few days later, it was as if it hadn’t happened.  Our relationship was pretty strong.  He eventually did migrate himself and all his customers to Windows 3.1.  When Windows 95 and Windows 2000 came along, he migrated his business and everyone much quicker.  I think DOS to Windows 3.1 represented a big change for him.  He didn’t like situations he couldn’t control and this was one of them.

So how does all this tie into the Cloud?  Many of my recent interactions around cloud and platform as a service have been reminding me of the Windows 3.1 interactions I had with my uncle.  I see four basic types of behaviour in response to virtualization and cloud services.  First are those that don’t want these changes, period, and view them as a threat.  I find they are not the majority, but there are many more than I would have guessed.  Next are the passive-aggressive types.  While they agree in principle, they throw up roadblocks and issues to try to stall or make the transition as unpleasant as possible.  This category seems to be the majority.  Third are those who have sort of accepted it, but want to control it and keep it contained.  I find these are usually people that were originally in the passive-aggressive category and have realized that the changes are not stoppable.  As a result, they have softened their position but still do not like the change.  Finally, there are a few that actively embrace it and even promote the change.

I believe that virtualization and Software/Platform/Infrastructure/Security as a Service (*aaS) are here to stay.  Like my uncle, we don’t have a choice of ‘if’; it is just a question of how long you want to resist.  If you are involved in these services in your organization, which category are you in?  Do you feel that they are a fad?  Do you embrace and promote them, or are you somewhere in between?  What category does your organization fall under?

The rationalization for BYOD

At the RSA Conference this year one of the top topics was BYOD.  It was discussed by many of the vendors.  This makes sense when you look at the number of companies considering or deploying a BYOD solution.  I have found the discussions typically revolve around how to secure, control, and support these devices.  I have had several opportunities to discuss these aspects of BYOD with individuals as well as at a couple of briefings.  What is never really discussed, or only touched upon, is the drivers for BYOD.  I believe there are three: cost savings, flexibility, and increased functionality.

Cost savings is the driver that is least talked about, but I believe the main reason.  Small, medium and enterprise businesses all see BYOD as an opportunity to reduce the costs of mobility for their workforce.  With mobility now commonplace compared to a few years ago, companies can take a look and adjust their policies.  Many that I have spoken to are now coming out with policies to define not only who gets a device paid for by the company, but what type of device you can get.  For example, a senior executive might have a choice of 5 or more devices that are paid for by the company.  Non-executives would have a choice of only 2 devices, with the option to bring in and use their own device under the BYOD program.  It is also an opportunity to define how much of a plan the company is willing to pay for.  Many companies simply pay for an employee’s monthly plan either directly or through an expense process.  BYOD brings the opportunity to open those discussions up.  Maybe sales people continue to get their plans paid for entirely, but non-sales staff receive a monthly allowance for mobile, and anything above that the individual is responsible to cover.

With the number of devices now available on the market, people want the flexibility to choose the device they like.  Supporting the multitude of devices and different flavours of operating systems is a nightmare for a company.  By introducing flexibility into the support organization, BYOD allows the employee the option to choose whatever device they want and allows the company to define policies around that device from a support and role perspective.  For example, policies could be defined so that the help desk supports the standard employee to the point of confirming that their configuration is correct, but any troubleshooting beyond that is the responsibility of the individual.  A sales person responsible for key clients, on the other hand, might get help for their BYOD device beyond the simple configuration of the device.  This increases the flexibility of the support teams and also allows some cost savings.

Everyone I have spoken to that has a company-owned and managed mobile device, from the senior executive level down to the technical and sales folks, wants the increased functionality BYOD can provide.  Companies often lock down their devices, disabling and limiting functionality.  The reasons for this are usually security and supportability.  While that sufficed in the past, the proliferation of functions and features you can get on a mobile device now is driving an internal demand.  People want to be able to order a coffee or hire and pay for a cab all with their mobile device.  It offers such convenience to the owner.  Companies in all industries are starting to offer mobile options.  This increased functionality creates support and security issues for a company that owns and manages the devices.  By offering BYOD, a company has the option to divorce itself from the support of these extra applications.

Of course, from a data security perspective, the company can not divorce themselves from the risks, and the risks increase substantially, hence the many solutions and discussions around security of BYOD devices.

RSA Conference 2013 and relationships

Getting ready for the third day of the RSA Conference in San Francisco.   It has been a great conference so far.  While the talks and vendors are all interesting and you always learn, this conference has been quite different for me this year. 

First, we have a bigger contingent down here this year.  There is representation from several departments, all having some tie into security.  The best part about the larger presence of our team is the relationship building that has taken place within our own teams.  It has been great to see.  While we all know each other to one degree or another, it is challenging to build strong relationships, at least according to my definition of a strong relationship.  This is one big difference I have noticed coming to a large organization from small start-ups and boutique consulting firms.  Big companies often promote the value of relationship building within the organization, but it is challenging to actually accomplish.  Everyone goes from meeting to meeting, email to email, and then home or off to other commitments.  People being located in different parts of the same city and across multiple countries adds to the challenge.  While I believe everyone would agree that relationship building is important, our actions typically say otherwise.  Our day-to-day choices say relationship building is not as important as the meetings, responses to email and other tasks, so it is always at the bottom of the priority list.  Physically sending all of us to a conference has allowed us to actually spend time together coordinating, discussing vendors, the talks, etc.  The result, intentional or not, is a much better bond that will help when we are all back rushing from meeting to meeting, email to email.

Second, for me the relationship building with people is starting to change for the better.  I’ve been in the security community for a while now, and as a result I have built up relationships with friends in many companies.  Some I have worked with in the past, some are people that I was introduced to years ago and we have kept in touch.  It is great to see many of them face to face again.  I have met some new people, as I usually do, and will try to keep in touch with them.  The best situation so far was discovering that a really cool person I have been working with, as her company does business with us, is actually good friends with a friend of mine back home.  When we found out we all knew each other, she pulled out pictures of my friend and her on trips.  While I was surprised, it makes complete sense.  Both are really great people that I know, and I can see how they would naturally connect if brought into proximity of each other.

This conference has had a strong relationship and network building component.  While that is always present for me, I feel it is changing. I am not sure how or why, but it is for the better.  I am enjoying and excited about where it is going.  I am off to get ready for day three of the conference.

Banking and the new competition. Are you ready?

Working for a large bank is challenging in many ways.  There are lots of people and personalities.  With a background working for small start-ups and consulting firms, this has been a big change for me.  A very good change and one that I am enjoying immensely, but a big change.  The people I work with come with differing and diverse backgrounds and experiences.  Many are new to the bank, and many have been with the bank a long time.

All these views and experiences are both positive and negative.  Some of us embrace the future, some of us are fine with the way things are and do not want change.  For myself, I see so many things in security and the network that need to change.  When I look at the future of banking, I see lots of opportunity and in order to make these opportunities a reality, change is desperately needed.

I was forwarded an article called Global banking to be joined by ‘Google Bank’ and ‘Apple Bank’.  I could not agree more.  I find that when interacting with people throughout the day, especially those involved in banking technology, many do not have these industries in their ‘sights’.  They talk in terms that describe our competition as other banks, credit card companies, insurance companies and similar industries.  For example, I often hear the question “What does <insert bank here> do to solve this problem?”.  A good question to start with, but only the beginning.

Many feel that our competition is the other banks.  While there is some truth to that on the retail side, there is little truth to it elsewhere.  There is no security competition, that is for sure.  We regularly share intelligence with many other financial institutions.  Over the last while that information sharing has improved.  Most often it is now real-time or almost real-time.  The sharing helps everyone.  It helps us come together and protect our industry and each other.  I’ve noticed information sharing starting to happen on other teams as well.  It is a little slower, but network design concepts, technologies selected, and how those technologies are used are being shared.  We are becoming more open with our peers.  Sharing where possible is great and wonderful to see.  I also believe this is a necessary step for us to compete with our new competition.

Google, Apple, SalesForce.com, Akamai, Paypal, I could go on.  This is our competition.   In 2 years, if you don’t move quickly enough, will you be able to take them on?  Think about their knowledge in data centre management, virtualization, security, workload management, mobile technologies to name just a few.  Think about the type of staff they employ and their experience.  Are you prepared to take them on if they launched a service that competes with your services tomorrow?  A month from now?  Next year?  Day to day, does your work move the company forward to be ready for them? Is your infrastructure and security ready?  Most importantly are you as an individual ready?

Photo courtesy of Google Images

Passion is a two way proposition

I recently read an article forwarded to me by a respected colleague called 5 Reasons Why Your Online Presence Will Replace Your Resume in 10 Years.  It is an excellent article overall.  When I read it, reason number 5 which was: Job seeker passion has become the deciding factor in employment got me thinking.  To support his point, the author explains how as a job seeker, you need to find and show your passion because in today’s world that is what employers want.

I firmly believe that you won’t be able to obtain and sustain a job without passion anymore. There is far too much competition and employers like to see people who are enjoying their work because they will be more productive and help foster a stronger corporate culture.

I couldn’t agree more.  Take myself for example.  I love security.  I love understanding the theory behind it, how it is applied.  I like understanding how the ‘bad guys’ think, and how they do the hack.  I like getting my ‘hands dirty’, learning about the hack, trying the hack in a lab.  I like understanding the motivation behind attacking systems, talking to people that have been hacked, and sharing with others how to manage and fix the exposure.  I am passionate about security!

My job search experience a few years ago opened my eyes to the issues with not just resumes but the job search process that is still forced upon candidates by many corporations (see here, here, here, and here).  Given this was over 3 years ago, I am hopeful that it does not take 10 years for organizations to realize that the resume is dead (at least the paper form).  As a result of my job search experience, I try as I have time to keep abreast of trends in the job search market to stay current.

I always look for passion when I interview candidates.  Does your body language and tone of voice indicate you are interested in the actual opportunity?  Do you have an online presence that corroborates your body language and tone of voice?  Do your references support what has been found online and in the interview?  Are the references qualified to make that judgement?  I will take a person that is passionate any day over someone who may be more qualified, but to whom the opportunity is really just a pay cheque.

But in order to sustain passion it requires both the employee and the employer’s support.  Is your employer just filling a position or are they interested in ensuring that you keep that passion?  Do they limit your passion by not giving you the freedom you require?  Do they help you with your career goals and plans?  Do they keep their promises?  Do they promise at all?  You see, if you find someone with passion, they have that passion because they love what they do.  That most likely means they will be great at what they do.  If you want to keep a great employee, then as a company you have to invest the time, money, and energy to ensure that will happen — you have to feed their passion.  If you fail to feed their passion, eventually they will find a company that will and they will leave.

If you want the best, you have to be willing to do what it takes to keep the best.  In my experience managing teams, it is a lot of work but worth it if you have people that care about their career.  You need to consciously stay on top of it and your company has to support you in those endeavours to keep your team passionate and productive.

Photo courtesy of Ken Tudhope, whose article I agree with.

How to secure your cloud data so only you can access it

Lately, I have been hearing from vendors that offer services to companies permitting them to use cloud services securely.  With the explosion of the cloud and the economics it provides, businesses that in the past refused to put their sensitive data with a third-party provider are reconsidering.  The key is determining how to do so in a secure fashion.  What is considered ‘secure’ is by no means standard; rather, it depends on the type of information, the regulatory requirements that apply (if any), and the risk of the data being exposed either accidentally or maliciously.  In order to assess the risk, companies are starting to look at three main areas: the technology cloud providers offer to secure data, external providers that offer services to secure your data in the cloud, and contractual discussions between the parties about the responsibilities of each should a breach occur.

Solutions around cloud security have started appearing for the individual as well.  Maybe you have a set of files that you want to place on Google Drive or Dropbox or some other cloud provider.  The information in the files may be private in nature.  Maybe you only want to share that file with a specific individual.  Dropbox and Google Drive both provide functions where you can share a particular folder or file with other individuals.  I share Christmas lists, to-do lists, and other files with people all via the cloud.  It is easy and works wonderfully.  What I realize is that when I place a file in the cloud, I am sharing it with the cloud provider.  Should the provider wish, or be forced, they can read any file I have placed in the cloud.  They need not tell me, nor seek my permission (maybe legally they do, but technically they do not).  In short, I have given them technical control of the data I place in the cloud.  What if I want to place a file on a cloud provider that I want only me to be able to see?  What if I want to maintain technical control of the data?  Currently, I have been using Boxcryptor for this and it works well.

Boxcryptor does the encryption on your tablet, laptop, or personal computer, then places the file in the cloud.  When you request the file, it downloads the encrypted file and then decrypts it on your device.  Any party with access to your cloud files will be unable to view the contents of the files in a meaningful way.  They can still see how many files you have, roughly how large they are and when they change, and with write access they could delete or replace them, but that is all.  Anything else, and they would have to come to you to get the decryption key (or somehow steal it from you).

Boxcryptor works seamlessly with many of the major cloud providers.  It has clients for Android, iOS (Apple) and Windows (Microsoft).  It also works with Linux.  The GUI is easy to use and very similar to using the actual Dropbox or Google Drive client.  You don’t have to encrypt all your data either.  You create a single directory in the cloud that will contain any files you wish to be encrypted.  Here are some screenshots of my setup.

This is the encrypted folder view via the Dropbox client. You can see that the file names and directories are obfuscated.

The same encrypted folder view from the BoxCryptor client.

The encrypted view of the file contents from the Dropbox client.

View of the file when decrypted via Boxcryptor.

You may notice I said it works with Linux rather than that it has a Linux client.  The reason is that they do not have a client for Linux.  However, for those that require it, you can configure EncFS, which works seamlessly once set up.  I have Linux, Android, iOS and Windows all working.  Boxcryptor is not open source, which is a little concerning from the perspective of reviewing the security of the application itself, but if you are that concerned, you can just use EncFS or a manual method to encrypt files and place them in the cloud.  Boxcryptor just makes it easy to do with minimal knowledge of encryption, and you get a good level of security for the files you deem necessary to protect.
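To make concrete what “encrypt on the device, then place the file in the cloud” actually buys you, here is an added example in Python.  It is not Boxcryptor’s code and does not use its file format.  It builds the cipher from HMAC-SHA256 in counter mode with encrypt-then-MAC purely so that it runs with nothing but the standard library (a real deployment should use AES-GCM or XChaCha20-Poly1305 from a vetted library), derives separate keys from a passphrase with PBKDF2, encrypts file names as well as contents, and models the provider as a plain dictionary so you can see exactly what it receives.  The passphrase, salt and file contents are constructed for the example.

```python
"""Client-side encryption of a cloud folder (added illustration, not Boxcryptor's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed values for the example. A real tool takes the passphrase from the user
# and stores a random, per-vault salt alongside the encrypted files.
PASSPHRASE = b"correct horse battery staple"
VAULT_SALT = b"\x00" * 16
KDF_ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes, bytes]:
    """Stretch the passphrase with PBKDF2-HMAC-SHA256 into content, MAC and name keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=96)
    return km[:32], km[32:64], km[64:96]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudo-random keystream.

    This stands in for AES-CTR only so the example runs with the standard library;
    production code should use AES-GCM or XChaCha20-Poly1305 from a vetted library.
    """
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, enc_key: bytes, mac_key: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Verify the tag before decrypting; any change made in the cloud fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or file modified in the cloud")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class EncryptedFolder:
    """A folder encrypted on the device; `cloud` stands in for the provider's storage."""

    def __init__(self, passphrase: bytes, salt: bytes) -> None:
        self.enc_key, self.mac_key, self.name_key = derive_keys(passphrase, salt)
        self.cloud: dict[str, bytes] = {}  # obfuscated name -> sealed blob

    def _cloud_name(self, name: str) -> str:
        # A nonce derived from the name keeps the cloud name stable across syncs;
        # the name is still encrypted and authenticated like any other content.
        nonce = hmac.new(self.name_key, name.encode(), hashlib.sha256).digest()[:NONCE_LEN]
        return seal(name.encode(), self.enc_key, self.mac_key, nonce).hex()

    def put(self, name: str, data: bytes) -> None:
        """Encrypt on the device and hand the provider only the sealed blob."""
        blob = seal(data, self.enc_key, self.mac_key, secrets.token_bytes(NONCE_LEN))
        self.cloud[self._cloud_name(name)] = blob

    def get(self, name: str) -> bytes:
        """Fetch the blob from the provider and decrypt it locally."""
        return open_sealed(self.cloud[self._cloud_name(name)], self.enc_key, self.mac_key)

    def list_names(self) -> list[str]:
        """Recover the real file names from the obfuscated listing (needs the keys)."""
        return sorted(open_sealed(bytes.fromhex(c), self.enc_key, self.mac_key).decode()
                      for c in self.cloud)

    def provider_view(self) -> dict[str, int]:
        """Everything the provider, or anyone with account access, gets: names and sizes."""
        return {c: len(b) for c, b in self.cloud.items()}
```

Two things worth noticing when you run it: `provider_view()` still reveals how many files exist and how big each one is, which is the metadata leak mentioned above, and a single flipped byte in the stored blob makes `get()` raise rather than return garbage, so a provider that tampers with (not just deletes) a file is caught on the next download.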

The first time I was truly deceived

I came across a post by Stu Dunn entitled The First Time I Was Truly Deceived.   In his post, he states how most people can recall the childhood experience of the first time we became wary of what people would say and then tells about his experience.  I thought I would write about mine, as I clearly remember it to this day.  I was 5 or 6 years old and it was my dentist.  His name was Dr. King.

I was always wary of the dentist.  I found letting someone poke around in my mouth very discomforting regardless of their intentions, so right from the start a hygienist or dentist had an uphill battle with me.  The first time I had a cavity and was going to the dentist to get it filled, I was extremely nervous.  I remember the lady at the desk and the lady preparing the room where I was going to get my cavity filled both reassuring me that it would be fine.  When I asked about the needle, I was told I would not feel a thing.  The whole procedure would be just like my check-up.  All good, until Dr. King gave me the needle.  It hurt!  I remember trying to punch him with one hand and grabbing his needle hand with my other to try to remove it from my mouth (at 5 years old my efforts were not effective).  I remember his face becoming angry that I tried to stop him.  He grabbed my head around my mouth and neck area with one hand to hold me down, and continued to give me the needle.

From that point on, I went begrudgingly to the dentist every six months, as my mom would not have it any other way.  I was always nervous and scared, always complaining about having to go.  We tried another dentist eventually, but I didn’t trust or like him either.  I don’t recall him doing anything to upset me.  I just didn’t know him and he was poking around my mouth.  As soon as I was old enough, I stopped going to see the dentist.  Pain was not the issue.  I have studied combat martial arts for years.  It is not child’s play, typically full-contact.  Most classes you come away with a bruise or two, especially in the black belt classes.  If someone had asked me as a child whether I would rather go to the doctor and get my arm cut open, or go to the dentist, I’d have picked the doctor and open-arm surgery hands down.  It wasn’t logical, I knew, but logic didn’t apply here.  I hated and distrusted all dentists because Dr. King lied to me, and when I resisted he just forced me to comply.

It wasn’t until after university that my relationship with the dental community started to change.  My wife (girlfriend at the time) convinced me to try her dentist.  Both her dentist and hygienist worked with me slowly and carefully over the course of 3 or so years.  They took extra time at each session and, as time passed, I became comfortable with them.  They never deceived me, were always straight and honest, always concerned about how I felt, and answered all my questions.  Now, I go every 3 months and have for years.  While there are multiple hygienists now at this office, I stay with the same one.  She has completely earned my trust and I am not nervous with her at all.  I have complete trust in her with my mouth, teeth, and gums.  She is an amazing person.  She had no reason to put up with me, but she did.  She worked constantly to earn my trust.  The dentist was the same.  He retired a couple of years ago, and the new dentist is okay – she still makes me a little nervous at times, but she tries, and her intentions are good.  In reality, I don’t see her much, as the hygienist is my primary care giver.

The deception at 5 years old, and the anger on the dentist’s face when I tried to remove his arm I will never forget.  While I know it is not the only reason, part of me wonders if getting into the martial arts and being interested in why people do and say what they do at such a young age is because of him and that experience.  If it is, I suppose I should thank him, but I won’t.  This was my first recollection of an adult and a professional deceiving me and not caring.

So you want to be anonymous: Ensure you are not traceable

Anonymity and traceability are completely different concepts.  I can be anonymous yet traceable.  What I mean by traceable in the context of this post is that, should someone wish, and with the right level of authorization, they could determine your identity, effectively negating any anonymity you created.  If you want true anonymity, then you have to also ensure there is no traceability.  This may seem like an obvious statement, yet I find that when it comes to the use of tools to enable privacy or anonymity, many people feel their identity could not be discovered when in fact it can.  Whenever you are being anonymous in the digital world, you have to look at all the technology involved and ask yourself if it would be possible for a third party (criminal, company, law enforcement, government) to trace back and reveal your identity if they wanted to and had the appropriate resources.

One example that I find is quite prevalent lately is the many available proxy and VPN services.  These services allow users to hide their source IP address from the target.  Much of their recent popularity is due to the growth of one market and the slow death of another: streaming movies and television, respectively.  As online streaming of media content becomes more mainstream, many people use these VPN and proxy services to bypass restrictions where a particular program or movie is blocked in their country (by presenting an IP address from an allowed country, one can fool geo-IP databases and appear to be somewhere the program may be watched).  When you use one of these services, it provides an appearance of anonymity from the target (the website or streaming service you are connecting to, for example).  If an interested party were to investigate your visits to their site, you would appear to be coming from an IP owned by the VPN service.  Assuming you do not transmit any information or exhibit any behaviour in the communication streams that would identify you, it would be challenging for a third party to determine who you are.  Using the video streaming example, if I am using a service to hide myself on the internet so I can watch a movie that is blocked in my country, it is hardly worth anyone spending resources to discover who I am and take me individually to court.  However, in other scenarios it may well be worth an entity’s time and money.  Let’s use a fictitious example to illustrate the difference between using a VPN service and a truly anonymous network (well, a more anonymous one anyway).

Background:
Alice is a Canadian citizen. She is also a successful lawyer who is representing her client Bob.  Bob is also a Canadian.  He is a lead engineer who works for a company called SecCo that develops state of the art security products.  SecCo has contracts with large corporations and governments around the world.  Bob was unhappy in his job and after discussing with his employer, decided to leave SecCo.  A few weeks after Bob’s departure from SecCo, he is arrested for breaching the Security of Information Act.  Bob had Level II, Secret clearance in order to do his work at SecCo.  Classified information was publicly disclosed and all the evidence points to Bob.  The case against Bob does not look good and in fact, secretly Alice is not even convinced Bob is innocent.  Suddenly, Alice gets an email from an anonymous individual.  The individual introduces himself as Charlie. Charlie knows Bob, performs a similar type of work as Bob, is in many of the same social circles as Bob and knows that Bob is being framed by an individual at SecCo.  He has proof, and he shares enough with Alice to convince her what he has is real.  Charlie refuses to be involved but wants to do the right thing.  Charlie will not meet Alice, testify in court, reveal his identity or allow an investigation to trace back to him that he provided any information.  Alice wants the information because she knows it will clear Bob, but if she presents this evidence, she knows that SecCo and potentially the government will go to great lengths to figure out how, where and from who she obtained the information.

Method to move information anonymously:
Alice and Charlie agree the best way to exchange the information is to use a public service and decide to use Dropbox.  Charlie connects up to the Internet anonymously.   Using this anonymous connectivity, Charlie connects to Dropbox.  He creates a Dropbox account that will be used for this single purpose only.  He provides no personal information to Dropbox and he will never use or connect to this account again.  He then places the evidence Alice needs on Dropbox and disconnects.  Finally he anonymously contacts Alice with the username and password for the Dropbox account.  Alice upon receiving the account information anonymously connects to the internet, logs into the Dropbox account, downloads the information and disconnects.  As agreed, neither of them will ever connect back to this Dropbox account again.

Anonymous connectivity:
With the method to move information above, the key is how Alice and Charlie choose to connect anonymously.  If Alice or Charlie connect by using a centralized third-party VPN or proxy service (Hide-My-IP, Hide My A**, Unblock-Us, …), then there is the possibility they could be discovered in at least two ways.  Financially, they had to pay the company providing the service.  Most likely this was by credit card or PayPal account.  That payment has made a link to their identities.  A third party, armed with the payment method used and enough resources, could determine their identity.  The second way is technical.  The IP address assigned by your ISP is traceable to you, and that is the IP that connects to the company running the proxy service.  This makes it possible for an interested third party with enough leverage to force the proxy service to reveal the connecting IP, and then repeat the same process with the ISP to determine the subscriber.  The chain only works if the service kept a record of who connected when, which is why providers advertise ‘no logs’; that is a claim you cannot verify from the outside.
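The two-step technical trace described above, as an added example that is not part of the original post, written in Python over constructed VPN-provider and ISP logs (documentation address ranges, invented subscriber IDs): the address and time the target logged is matched against the VPN provider’s session log, and each connecting address is then matched against the ISP’s lease log for the same instant.  It also shows the two details that decide whether the chain resolves in practice: every log normalised to one timezone before comparing, and whether a single egress address was shared by several clients at that moment.

```python
"""Tracing a VPN egress address back to a subscriber (added example, constructed logs)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as UTC. Normalising every party's log to one timezone
    before comparing is the step most often botched in real disclosure requests."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


@dataclass(frozen=True)
class Sighting:
    """What the target site (Dropbox in the story) logged: the address it saw and when."""
    egress_ip: str
    at: datetime


@dataclass(frozen=True)
class VpnSession:
    """One entry from the VPN provider's connection log."""
    client_ip: str   # ISP-assigned address that connected to the VPN
    egress_ip: str   # VPN-owned address presented to the target
    start: datetime
    end: datetime


@dataclass(frozen=True)
class IspLease:
    """One entry from the ISP's address-assignment (DHCP/RADIUS) log."""
    ip: str
    subscriber: str
    start: datetime
    end: datetime


def _active(start: datetime, end: datetime, at: datetime) -> bool:
    return start <= at <= end


def trace_sighting(s: Sighting, vpn_log: list[VpnSession], isp_log: list[IspLease]) -> list[str]:
    """Step 1: ask the VPN provider which client addresses used that egress at that time.
    Step 2: ask the ISP who held each client address at that same time.
    Returns every candidate subscriber; a shared egress yields more than one."""
    candidates: set[str] = set()
    for session in vpn_log:
        if session.egress_ip != s.egress_ip or not _active(session.start, session.end, s.at):
            continue
        for lease in isp_log:
            if lease.ip == session.client_ip and _active(lease.start, lease.end, s.at):
                candidates.add(lease.subscriber)
    return sorted(candidates)


# Constructed logs using RFC 5737 documentation ranges; not real data.
VPN_LOG = [
    VpnSession("198.51.100.23", "203.0.113.7", ts("2013-03-01 13:50"), ts("2013-03-01 14:20")),
    VpnSession("198.51.100.88", "203.0.113.7", ts("2013-03-01 14:03"), ts("2013-03-01 14:30")),
    VpnSession("198.51.100.23", "203.0.113.9", ts("2013-03-01 15:00"), ts("2013-03-01 15:45")),
]
ISP_LOG = [
    # the same address was leased to a different subscriber earlier in the day
    IspLease("198.51.100.23", "subscriber-0999", ts("2013-03-01 06:00"), ts("2013-03-01 11:59")),
    IspLease("198.51.100.23", "subscriber-1001", ts("2013-03-01 12:00"), ts("2013-03-01 18:00")),
    IspLease("198.51.100.88", "subscriber-2002", ts("2013-03-01 14:00"), ts("2013-03-01 16:00")),
]


def example_shared_egress() -> list[str]:
    """Two clients behind the same exit address at 14:05 -> two candidates."""
    return trace_sighting(Sighting("203.0.113.7", ts("2013-03-01 14:05")), VPN_LOG, ISP_LOG)


def example_single_client() -> list[str]:
    """Only one session matches at 13:55 -> the chain resolves to one subscriber."""
    return trace_sighting(Sighting("203.0.113.7", ts("2013-03-01 13:55")), VPN_LOG, ISP_LOG)


def example_no_session_log() -> list[str]:
    """If the intermediary kept no connection log, the chain breaks at step 1."""
    return trace_sighting(Sighting("203.0.113.7", ts("2013-03-01 14:05")), [], ISP_LOG)
```

Getting two candidates back for a shared exit address is the normal outcome with consumer VPNs, and the requester then asks the provider for source ports or narrows the time window; getting nothing back because the intermediary kept no session log is the property a truly anonymous network has to provide by design rather than by promise.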

Compare the centralized service above to a distributed anonymity solution such as Tor, I2P, or Freenet.  Using one of these solutions makes traceability much harder.  The IP that connects to the target (Dropbox in this example) will be an IP that is unconnected financially or technically to Alice or Charlie’s identity.  Going to the ISP and requesting the user of the IP would lead you to a person who is running an instance of Tor, I2P or Freenet.  They will have no relationship or connection to Alice or Charlie.   Logs will not exist, and the information on the device running the anonymity solution will be encrypted.  Since there is no central point of control, there is not an individual or business one can go after.  Effectively, there is no owner (similar to DNS).  At this point the trail is cold and traceability beyond here is next to impossible.  At a minimum, it is costly and challenging and has little chance of successfully identifying Alice or Charlie.
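From the target’s side (the Dropbox role in the scenario above), the technical trail described in the two paragraphs above ends at whatever address opened the connection.  What a service operator can still do is recognise that a connection arrived through a Tor exit relay at all, by matching the source address against the exit list Tor publishes (one address per line at https://check.torproject.org/torbulkexitlist).  The script below is an added example, not code from this post; it embeds a constructed exit list in that one-address-per-line shape and a few constructed access-log lines (all addresses are from documentation ranges, not real relays or users), and classifies each logged connection as coming from a listed exit or directly from a subscriber-assigned IP, which is the only kind the ISP lookup in the paragraph above can resolve.

```python
import ipaddress
import re
from typing import Dict, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample in the shape of Tor's bulk exit list: one address per
# line, blank lines and comments tolerated.  Not a real snapshot; the
# addresses come from RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real exit list
192.0.2.10
192.0.2.11
198.51.100.7
2001:db8::1
"""

# Constructed web-server access log (combined log format) for the service
# being connected to.  The requests and addresses are made up.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2013:10:01:02 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2013:10:03:15 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
2001:db8::1 - - [12/Mar/2013:10:05:40 +0000] "GET /download/evidence.zip HTTP/1.1" 200 40960 "-" "curl/7.29"
this line is deliberately malformed and must be skipped
"""

# First fields of a combined-format line: client IP, two '-' fields, bracketed
# timestamp, quoted request line, three-digit status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_exit_list(text: str) -> Set[IPAddr]:
    """Parse a one-address-per-line exit list into a set of IP addresses.

    Malformed entries are skipped rather than aborting the whole load, so a
    single bad line in a fetched list does not disable the check.
    """
    exits: Set[IPAddr] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits


def classify_connections(log_text: str, exits: Set[IPAddr]) -> List[Dict[str, str]]:
    """Tag each parseable log line with where its source address leads.

    'tor-exit' means the address is a listed exit relay: an ISP lookup would
    reach the relay operator, not the person who made the request.
    'direct' means a subscriber-assigned address that an ISP could resolve.
    """
    results: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a log line we understand
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        origin = "tor-exit" if ip in exits else "direct"
        results.append(
            {"ip": str(ip), "time": m.group("ts"), "request": m.group("req"), "origin": origin}
        )
    return results


def summarize(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Count connections by origin class."""
    counts = {"tor-exit": 0, "direct": 0}
    for r in results:
        counts[r["origin"]] += 1
    return counts


if __name__ == "__main__":
    exit_set = parse_exit_list(SAMPLE_EXIT_LIST)
    rows = classify_connections(SAMPLE_ACCESS_LOG, exit_set)
    for r in rows:
        print(f'{r["origin"]:8} {r["ip"]:16} {r["request"]}')
    print(summarize(rows))
```

The check only tells the operator that the trail ends at a relay; it says nothing about who is behind it, which is the point of the paragraph above.  In practice the list changes constantly, so it has to be refreshed regularly, and a relay whose exit policy does not cover your service’s port will not appear in a port-filtered list at all.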

Using a third party service to watch a movie or view a website so that you are anonymous is most likely a ‘good enough’ solution.  If you are dealing with scenarios where reputation, large amounts of money, or secrets that could harm people are involved, you need to take enough steps to reasonably protect you from someone with enough motive and resources to determine who you are.  In those cases, you need to take extra steps to reduce the potential exposure of your identity.

For those interested, here are a few real world examples of where an identity that was thought to be anonymous was revealed:

In the cases above I am personally stuck.  Looking at each case individually, I feel the identities of the individuals should be revealed.  However, if I look at these cases as a whole, I worry about what each individual decision means to privacy and anonymity as a society.

I live in a world where I know, and a world where I believe …

Mike McConnell was the keynote speaker for Palo Alto Networks’ Ignite 2012 conference at The Wynn in Las Vegas.  Near the end of his talk, one of the attendees asked him a question about how he was so certain in his belief about the source of a set of recent Internet attacks.  He started his response with “I live in a world where I know, and a world where I believe …”.  He went on to answer the question, but he was not able to give specifics, due to the intelligence classification of the information, hence his response above.  I really liked his opening statement to this answer.  Most of us live in two worlds, one where we know and one where we believe.

Often there are individuals within an organization who are aware of information that cannot be divulged to others in the same organization.  We might be aware of information from external organizations that has been shared with us and is secret in nature.  It could be a competitor, a vendor, or another organization you are working with.  In some cases we may rightfully know this information because it was consciously shared with us.   In other cases you have found out about a piece of information and facts that you are not supposed to be aware of.   Maybe you stumbled upon it accidentally.   Maybe someone felt they could trust you and shared it. Or you may have gone looking for it because you were suspicious.  Maybe it was a set of actions or statements made by one or more people over time.  While these statements or actions seemed coincidental and innocuous, you start to sense something is different, a very slight change, just enough to cause you to investigate further.

The same holds true in our personal lives.  We all know things about our partners, our children, other family members, our friends and neighbours that we don’t share.  Even in our own lives, everyone has skeletons, things we wish we did but did not, or things we wish we did not do or say but did.  Typically, we would rather forget these events and not discuss them with anyone.  I learned the importance of trust at a very young age, and I learned it from Dad.  He didn’t sit down and teach it to me or tell me about it.  He just did it.  What should be quiet, he kept quiet.  It was his nature and as a result I saw many examples of this growing up.  Family, work, or personal issues.  If you didn’t need to know, he was not about to tell you.  This was a very consistent behaviour.  He always tried his best to maintain trust.

We all have and keep secrets.  Some of these secrets we are supposed to know, some we are not.  For me, the ability to trust that an individual will keep private information private is a key attribute I look for in all my friends and work relationships.  Everyone does this on some level and to differing degrees.   Mike McConnell lives in a world where he has to keep secrets, but he is really no different from anyone else in that regard.  He is respected not because of the secrets he knows.  He is respected because of the secrets he keeps.

Protocol Level Hidden Server Discovery on the Tor Network

A recent paper entitled Protocol Level Hidden Server Discovery, by Zhen Ling, Kui Wu, Xinwen Fu and Junzhou Luo, is starting to be discussed in the Tor community.  From my perspective, it is a nice attack to reveal the IP address of a hidden service.  It would require resources to actually implement effectively, but for law enforcement trying to shut down and arrest the owners of illegal websites that sell drugs, weapons, or child pornography and hide behind Tor, it is an option.  Of course, that also means the capability to find anyone who might be doing something a government or large entity does not agree with. The paper is here.

This stuff reminds me of a statement a professor said to a class I was in once:  “Guns are not good or bad.  It depends on who is holding the gun and which end is pointed at you.”
