Terrorism Snake Oil

February 22, 2011

Dennis Montgomery, a programmer from California, was the principal software engineer for at least two companies that appear to have defrauded the US government. His software, originally designed for colorizing movies, failed to generate any interest. At least, until he started claiming that its image-processing capabilities could find secret terrorist messages in Al Jazeera broadcasts and isolate images of evildoers in Predator drone videos.

Security is, unfortunately, a hot item these days – there’s a lot of money being thrown around, and that means a lot of snake oil salesmen trying to get their hands on a bit of it. Millions of dollars later, I’m sure that the feds wish they had done their due diligence. Their response has been to lock down the story in the interests of “national security” – more likely, they’re just hoping the story quietly dies and spares them some embarrassment.


IT Turf Wars

February 14, 2011

An interesting taxonomy of some of the common turf wars in corporate IT departments. Clearly, we are not a socially deft people.


The Google Two-Step

February 11, 2011

Google has announced that two-factor authentication will be available for users to log into their Google Apps / GMail accounts. Essentially, the account holder’s mobile phone is used as an authentication token; once the number is registered, the user can opt to receive a numeric one-time code via SMS or voice call, or generate it with a local application on the phone. Both the traditional password and the one-time code from the phone must be presented to access the account.

This is a substantial step forward in security, especially for a free online service. Passwords have historically been the weak link in most network security schemes; they are often easily guessed, reused across sites, or acquired through social engineering. By requiring something the user knows (the password) together with something the user has (the registered phone), Google makes a guessed, reused or stolen password insufficient on its own, which stops the bulk password-guessing attacks that plague webmail. It is not a cure-all: a one-time code is still a string the user types, so a phishing page that relays it to Google within the code’s validity window, or an attacker who can intercept the SMS, can still get in. Even so, the cost of the common attacks goes up enormously.

Excellent.
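The “generate it with a local application” option is the one-time-password scheme of RFC 4226 (HOTP) and RFC 6238 (TOTP): the phone and the server share a secret key, and each derives a short numeric code from that key and the current 30-second time step, so no code ever travels over the network before the user types it. The following Python is an added illustration, not Google’s code. The secret is the RFC test key rather than a real account key (a real deployment generates one randomly per account), and the verifying side shows the skew window and constant-time comparison a server should use.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the 20-byte ASCII test key from RFC 4226 / RFC 6238.
# A real deployment would use secrets.token_bytes(20) per account, never a fixed value.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time (T0 = 0, 30 s steps)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus `window` steps either side to
    tolerate phone clock skew, and compare every slot in constant time so response
    timing leaks nothing about the expected code."""
    base = at // step
    ok = False
    for c in range(base - window, base + window + 1):
        # Evaluate every slot rather than returning early, to keep timing uniform.
        ok |= hmac.compare_digest(hotp(secret, c, len(candidate)), candidate)
    return ok


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the key, which is how authenticator apps accept the shared secret."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("shared secret (base32):", provisioning_secret(SAMPLE_SECRET))
    code = totp(SAMPLE_SECRET, now)
    print("code for this 30 s step:", code, "accepted:", verify_totp(SAMPLE_SECRET, code, now))
```

Note what the window buys and costs: with `window=1` a code stays acceptable for up to 90 seconds, which is the interval a real-time phishing relay has to replay it. Keeping the window small, and refusing a code that has already been used for the same step, narrows that.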


Facebook and Tunisia

January 25, 2011

A fascinating story in The Atlantic about the cat-and-mouse game between the Tunisian government and Facebook during the recent political unrest. Ammar, the governmental security apparatus, strongarmed the ISPs that Tunisian citizens were using into injecting password-capturing JavaScript into the login pages of Facebook and other sites, which were being served over plain, unencrypted HTTP. Essentially, they were stealing an entire country’s worth of passwords.

The Facebook developers responded with an ingenious technical countermeasure. Logins from Tunisia were forced over an encrypted HTTPS channel, so an ISP sitting in the path could no longer rewrite the login page without triggering certificate warnings, and users were additionally required to identify friends from their own accounts before the login completed. Ingenious: a captured password on its own no longer gets an attacker in, so the password as a single sufficient authentication token was rendered useless.


Facebook Mining

January 21, 2011

A young man in Sacramento is facing up to six years in prison for using Facebook profile information to hack into email accounts, then searching the “sent mail” folders for compromising photographs.

It seems that the answers to the “security questions” intended for use when a password is forgotten are often much, much easier to guess than the password they stand in for, since they are drawn from facts (birthdays, schools, pets) that a public profile readily gives away. As I recall, Sarah Palin’s email hack was the same sort of thing.