"I was walking along a path with two friends—the sun was setting—suddenly the sky turned blood red—I paused, feeling exhausted, and leaned on the fence—there was blood and tongues of fire above the blue-black fjord and the city—my friends walked on, and I stood there trembling with anxiety—and I sensed an infinite scream passing through nature." —Edvard Munch

Hold on, that was my stolen cell-phone screaming for help.

Synchronica is now offering a new "screaming" service that can remotely lock and wipe data from mobile phones as soon as their owners report the loss. If the phone has been stolen, companies can also turn on the Synchronica Scream Feature, causing an annoying and embarrassing high pitched wail to be emitted from the stolen device.

Download the Synchronica Mobile Manager Scream as MP3

Seagate Technology is about to release a HDD with hardware based encryption. These Full Disc Encryption (FDE) drives use 3DES algorithm in EDE (encrypt-decrypt-encrypt) mode using 3 different 64 bit keys. The effective key-length is 112 bit.

Before the operating system boots, the user will be prompted to enter a password that will unlock the drive. You can always use 2-factor authentication instead of static password. Seagate's FDE drives can use biometric, RSA token, or smartcards. This was demo at CeBIT using TiDoCoMi from Secude.

The FDE drives have a built-in Application Specific Integrated Circuit (ASIC) that performs the bulk encryption and decryption of the data on the drive platters. This frees the CPU from the performing these tasks. The ASIC also has the symmetric bulk encryption key. This encryption key is wrapped and sealed using the Storage Root Key (SRK) of the Trusted Platform Module on the motherboard. Keys wrapped and sealed using the TPM can only be decrypted by the TPM that wrapped and sealed them in the first place. This prevents disclosure of the key, and ties it to particular computer, thus preventing the FDE drive to be decrypted if installed on a different computer.

During the decryption process the ASICS sends the wrapped and sealed symmetric encryption key to the TPM. The TPM only unseals the key when the platform measurements have the same values that they had when the key was created. The ASIC then uses the key to encrypt and decrypt the bulk data on the disc drive as needed.

Wave System's EMBASSY Trust Suite can be used in conjunction with Seagate's FDE drives to provide key management and recovery. This provides the capability for key escrow and data recovery incase of accidental damage to the TPM. The Suite also provides multi-factor authentication capabilities.

Latest news and articles about the FDE drives (Updated daily)

A Discussion on University Security Operation Mailing List regarding FDE drives

Here are some quick tips to enumerate all the websites and Virtual Hosts on a IP address:

1) Using MSN Search
Use the search operator "ip:"
syntax "http://search.msn.com/results.aspx?q=ip:x.x.x.x" (ofcourse without the quotes)
e.g. "http://search.msn.com/results.aspx?q=ip:216.194.67.81"

2) Using whois DB
syntax: http://whois.webhosting.info/x.x.x.x
e.g.: http://whois.webhosting.info/216.194.67.81

3) Using Domain Tools (sign-up required)
syntax: http://www.domaintools.com/reverse-ip/?hostname=x.x.x.x
e.g. http://www.domaintools.com/reverse-ip/?hostname=216.194.67.81

Fabrik is a AJAX based web app for File Management on a WebServer. It allows for File Explorer like drag and drop capability through a browser, and DOES NOT require refreshes. It has built-in plug-ins for all major media formats. It is currently available for Beta Testing. The service will cost $30/year, or $799 to buy the product to host your own. This AJAX based application interact with your desktop just like the File Explorer would. It is perfect for web based file management, and is cross-platform compatible.
Read the full story....

A Live Online Demo!!!; or
Sign up for a Beta Account

Press Release
Features, Benefits and Specifications
Pre-launch site
Included AJAX based Weblication from Fabrik Inc.
Podcast covering this backup solution

Buy Now!

Looks like it....

Samsungs's i1310 phone comes with support for internal Hard Disk Drive. Combine that with Seagate's 120GB 1.8 inch drive and what you have is a iPod killer. It is a iPod killer with lot more storage space then the iPod itself.

"The i310 comes with the latest version of Windows Mobile 5.0 for Smartphone which allows users to view files and easily carry their music library with them. This Windows Mobile 5.0 enables users to sync the playlists, songs, and videos from their personal PCs so that the experience with the i310 is identical to the users' personal computer. It also offers USB 2.0 and Plug & Play feature which allows the phone to be utilized as a removable hard disk. Businessmen and students can easily store and transfer files to/from their computers in any format conveniently."

Samsung i310 Specifications

Standard: GSM / GPRS (900/1800/1900MHz) + EDGE
OS: Windows Mobile 5.0 for Smartphone
Camera: 2 Megapixel Camera with Flash
Display: 2.0” 240x320 65K Color TFT
Features: Hard Disk Drive; Video Recording & Messaging (MPEG4 / H.263); MP3 / AAC / ACC+ / ACC+(e) / WMA / WAV / OGG; Dual Speaker / Digital Power Amp / External Music Key / BT Stereo; Bluetooth® Technology / USB 2.0 / Voice Recognition; Document Viewer / TV-out / BT Printing;
Memory: Support for 1.8inch Hard Disk Drive, External memory (microSD)
Dimensions: 111.9 x 48.5 x 19.8 mm
Weight: 120 g



Related links:
Samsung's Press Release
MAcWorld's coverage of the 120 GB HDD
Seagate Technology

Tony Mobily of FreeSoftwareMagazine recently sent me a copy of the Down Under Map of the World. Just for fun, Gregory's has put �Down Under� on Top Of The World Map. i.e. Australia and whole Southern Hemisphere appears on the top of the World Map.

The Down Under map of the World is available at:
http://www.gregorys-online.com/index_html?page=productdetail&product_type_id=3&product_id=138 (BUY NOW)

Don't forget to support Free Software Magazine. They do a great job in covering Free / OpenSource Applications.

It all started with IBMs 5MB HDD that weighed 2,100LBs, and costed $35,000. Now the HDDs hold upto 750GB and is the size of sandwich and
cost less then $400.00. In future a 3.5 inch drive will hold 5 petabytes of data. In 1980s there were about 100 HDD manufacturers, and now there are only eight.

.... More (full story)

History of Al Shugart (The poineer of the world's first HDD)

MiniScribe once shipped bricks to fake customers to make the sales look good ....

IBM's first 5 MB HDD (RAMAC) with 50 platters (cost $35,000.00)

Seagate's 750 GB HDD with 2 platters (cost $365.00)

The symbol '@' is also known as:
chiocciola (snail) in Itlian;
apestaart (monkey tail) in Flemish;
arobas in French (and arroba in Spanish);
FULL STORY: http://www.art-bin.com/art/asignoftimes.html

Is someone stealing your wireless bandwidth? Don't stop them, just freak them out. See below for what one guy does to people who steal his wireless bandwidth.

> > > Upside-Down-Ternet (click here to see the proxy scripts and more screenshots.)

Essentially it is a proxy that that invert all the images.

e.g.

Who wants to pay for Stanfords Crypto Course, when University of Washington has made the whole Cryptography Course available online for free. Yes, all the presentations, videos (mp3, WMV), homework, quizes etc. are available online. The material seems pretty decent, and is intended for advance audience.

> Click here for the course page with Course intro, and Homework assignments

> Click here for Course presentations (PDF, PPT), videos, and homework solutions.

To be fair (and since I work for MIT), I should note that MIT also has their Crypto online:
http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-897Spring-2004/CourseHome/index.htm
http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-876JSpring-2003/CourseHome/index.htm
http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-875Spring-2005/CourseHome/index.htm


Next Topic: Full Disc Encryption Explained

The Inquirer aticle, Flash cache memory puts Robson in the middle, covers the topic of caching technology supported by Windows Vista, which will use Flash based cache to speed up the data fetch, and speed the recovery from sleep mode. Windows Vista will also put frequently used bits of OS on the flash to dramatically reduce the time required to boot. Now Intel and Hard Drives manufacturers are in a heated debate on whether the Flash based cache should be on the motherboard or should it be shipped as part of the Hard Drive. If both options are available, it will only confuse the buyer, and make the Flash memory manufacturers twice as rich.

Looks like Intel MacBook may be first platform to include Flash based cache on the motherboard (see Related News Items section below).

Read the whole story:
- Flash cache memory puts Robson in the middle

Related News Items:
- Vista may require hybrid drive tech
- Readers: Thumbs Up and Down For Vista's Flash Speed-Up
- Much Ado About Flash
- Vista may require "unproven" drive technology
- Microsoft details performance of Vista's SuperFetch, ReadyDrive
- Laptop Vista Premium certification will require hybrid HDDs
- Vista Premium to Require Hybrid Drives on Portables
- Is Vista Heading for a Flash Nightmare?
- TechEd 2006: Microsoft preps flash-based "performance accelerators" for Vista
- Apple MacBooks with NAND SSD Eary 2007?

"I am a regular reader of Bruce Schneier's Blog, Articles, and Books, and I really like what he writes. However I recently read his book titled 'Secret and Lies' and I think he has done some in-justice to the security provided by the 'Code Signing.' On page 163 of his books, he (Bruce Schneier) basically states that: 'Code signing, as it is currently done, sucks.' Even though I think that Code Signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization." What are your thoughts on the current methods of code signing in existence, today? If you feel like Bruce Schneier, how would you fix it? If you feel like Saqib Ali, what have you signed and how well has it worked?

"The following are the reasons that he (Bruce Schneier) gives:

Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.

My comments: True. However in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp.", however anything from "Citrix Corp" should be fairly safe. Moreover Windows XP SP2 provides provides a mechanism to create a Whitelist of certain trusted signers, and reject everything else. This is a very powerful security mechanism, and greatly increase the security in a corporate environment, if the workstations are properly configured. Having said that, this feature may not be that useful for home user, who can not
tell the difference between Snake Oil and Citrix Corp.

Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.

My Comments: I fully agree with this. However Code Signing was never intended for this purpose. Code signing was design to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.


Bruce's Argument #3) Just because two component are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.

My comment: Again Code Signing was was never designed to accomplish this.

Bruce's Argument #4) "safe" is not all-or-nothing thing; there are degrees of safety.

My comment: I agree with this statement.

Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simple reformat the drive where the signature is stored.

My comments: I am not sure what this statement means. I think this type of attack is outside the realm of Code Signing. 'It is like saying host based IDs or anti-virus are useless, because if you can compromise the system you can turn them off.'

I would really appreciate any comments / thoughts / feedback on the above mentioned Bruce's arguments and my commentary. I am planning to give a short talk about benefits of code signing, so any feedback will really help me."

Seagate today announced Momentus HDDs with 256 MB of Non-volatile cache in the form of Flash memory. This is intended to speed up the boot up process, short file reads, and reduce the time required to recover from hibernation.

Read more at:

Momentus 5400 PSD Drive (seagate.com)
Seagate Launches First Hybrid Hard Drive (pcmag.com)
Seagate Powers the On-Demand World With 10 New Products Targeting a Full Range of Digital Content Needs (yahoo.com)
Seagate Unveils Hybrid Notebook Drive (dailytech.com)
Seagate announces new lines of drives (zdnet.com)


Digg This Story

Santa Clara, California, USA, May 27, 2006 – A deadly earthquake struck Indonesia this morning claiming more than 5,100 lives and leaving thousands more seriously injured. There is a massive disruption in the region as many buildings were flattened by the tremor, and countless people are trapped in the rubble. Additionally the nearby Mount Merapi volcano has become active, escalating the already enormous problem at hand.


Hidaya Foundation immediately released $100,000 for relief efforts and is requesting for more donations to help the victims of this catastrophe.


Hidaya Foundation is currently in contact with partner organizations on the ground, which include the Indonesian Red Crescent, and other NGO’s; Hidaya Foundation has been working with these organizations since the Tsunami of 2004.


Hidaya Foundation is appealing every one to come forward and donate generously to help reduce the pain and sufferings of the victims of this natural disaster.

Please Click here to Donate

Safe Browsing for Enterprise Users

The following is an interesting discussion on suggesting cryptographically strong passwords to users:
http://www.securityfocus.com/archive/107/396530/2005-04-19/2005-04-25/1

The original poster suggested displaying a list of randomly generated password for the user to choose from. This will ensure that usage of cryptographically strong passwords.

Some issues that were pointed with this concept:

i) Shoulder surfing, since the password will have to displayed on the screen for the user to select one.

ii) Randomly generated password are hard to remember, and users will just write them down, and stick on their monitors. Very Unsecure!!!. Use pronounceable randomly generated passwords instead, as they will be easier to remember.

Automated Password Generator: Defines an algorithm for generating random but pronounceable passwords. Three problems with this algorithm.
a) does not preclude dictionary words from being used as passwords.
b) the generated passwords are alpha-only. cryptographically passwords should contain numbers and non-alpabatical characters.
c) we still have a problem of transmitting these randomly generated password to the user. email is unsecure for transmitting passwords. passwords can NOT be displayed to the user on the screen, due to the problem of shoulder surfing.

Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords.

Protocom's Single Sign On product can also alleviate the need for the user to remember multiple complex passwords.

Dept of Defense Password Management Guide

Some other notes:

"Remembering long passwords can be difficult, but there are some basic
techniques users can employ to lessen the pain. First, choose a phrase that
you will remember. As an example, we will use the phrase "The pearl in the
river." You can then take a number that you are familiar with, such as a
birthday. For this example we will use 7/4/01. Next, you can take the first
letter of your phrase and interlace it with the chosen date to make
something similar to t7p4i0t1r. This method creates a password that won't be
found in any dictionary and is unique to the person who created it.
It is important to remember though, that any password can be guessed if
given enough time. Therefore, it is important to change your password within
the amount of time it would take an attacker to guess it. For example, with
the previous password it may take an attacker 60 days on a very fast
computer to guess what it is. In order to ensure your systems safety then, a
user must change their password before those 60 days come to an end."

And Bruce Schneier says in his blog
"Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over."

DEATH be not proud, though some have called thee
Mighty and dreadfull, for, thou art not so,
For, those, whom thou think'st, thou dost overthrow,
Die not, poore death, nor yet canst thou kill me.
From rest and sleepe, which but thy pictures bee,
Much pleasure, then from thee, much more must flow,
And soonest our best men with thee doe goe,
Rest of their bones, and soules deliverie.
Thou art slave to Fate, Chance, kings, and desperate men,
And dost with poyson, warre, and sicknesse dwell,
And poppie, or charmes can make us sleepe as well,
And better then thy stroake; why swell'st thou then;
One short sleepe past, wee wake eternally,
And death shall be no more; death, thou shalt die.

"Save your servant who trusts in you, My God. Let him find in you, My Lord, a fortified tower in the face of the enemy."

1. Write the policy as high as possible. (at Domain or OU level)
2. Work with e-Security to define policy. Security policies defined at highest level.
3. Define Generic Policies as high as possible.
4. The policies do not affect default administrator accounts
5. Block inheritance at OU if needed. Can be Enforced at parent level. Enforced policies can not be blocked.
6. Higher Policy in list takes precedence. (order in the list is important)
7. Deny Apply Group Policy at Group level for IT Management Team
8. Staging environment for Group Policies. Good Idea!
9. You can NOT write policy at:
• Built in
• Computers
• Users
• Groups
10. You CAN write policies at:
• OU Level
11. Create an OU Design that requires least GPOs.
12. Site Level GPOs requires enterprise administrations permissions.
13. Domain Level GPOs requires domain administrations permissions.
14. OU Level GPOs requires appropriate permissions. Delegation of Administration.
15. GPOs take effect in the following order:
1. Local Machine
2. Sites
3. Domain
4. OU
16. Machine Based Policy take effect on Reboot
17. User Based Policy take effect on Logon

*.falkag.net
*.doubleclick.net
*.specificclick.net
*.peel.com
*.budsinc.com
*.maxserving.com
*.mediaplex.com
*.atdmt.com
*.advertising.com
*.casalemedia.com
*.tribalfusion.com
*.fastclick.net
*.specificmedia.com
*.qnsr.com
*.ru4.com
*.2mdn.net
*.ecrush.com

Audio Lectures on Tafseer of Surah Yusuf by Maulana Yusuf Islahi are now available at Silver Divan. These lectures are in Urdu Language. You can download a audio player at http://www.vorbis.com/

>>> Click here to access the Lectures <<<

How to manage digital certificates, Software Publishing Certificates and private keys for code signing

By Saqib Ali
This article looks at the management of the private key for the Software Publishing Certificate (SPC). SPCs are used to digitally sign binaries that are produced by software development vendors. Digitally signing executables proves the identity of the software vendor and guarantees that the code has not been altered or corrupted since it was created and signed. Signing the code requires access to the SPC and the Private Key (PVK) associated with the SPC.

Background
In cryptography, key management includes secure generation, distribution, and storage of keys. Appropriate and successful key management is critical to the secure use of every crypto-system without exception. Secure methods of key management are extremely important. Once a key is randomly generated, it must remain secret to avoid misuse (such as impersonation). It is, in actual practice, the most difficult aspect of cryptography, for it involves system policy, user training, organizational and departmental interactions in many cases, and coordination between end users, etc. Most attacks on public-key systems will probably be aimed at the key management level, rather than at the cryptographic algorithm itself.


Windows XP SP2 will produce this warning message for unsigned binaries. The user can NOT verify the authenticity of the code

Many of these concerns are not limited to cryptographic engineering and are outside a strictly cryptographic domain. The responsibility of the proper key management falls on the upper management in an organization of any size.
Users must be able to store their private keys securely, so no intruder can obtain them, yet the keys must be readily accessible for legitimate use.
There are many solutions available for proper key management of private keys owned by single individuals. Verisign, Entrust, RSA, and Microsoft�s Active Directory all provide a good mechanism for managing keys owned by individuals.
However, the management of private keys owned by groups or organizations is an issue that lacks proper tools and guidelines. Examples of these types of private keys include:

• The private key for the SSL certificates owned by groups or organizations
• The private key for SPC owned by a software development vendor
• The private key for the root CA (certification authority)

1. Of the true identity of the publisher.
2. Of a place to find out more about the binaries.

1. What are the best practices for managing Code Signing Digital IDs and private keys?
2. What can be done to secure the private key for code signing?
3. Who should have the possession of the private key? Multiple people or just the project manager?
4. What key escrow (recovery) techniques can be used, if the private key holder is not available?
5. Who should be allowed to digitally sign the build?

1. The operating system contained on the DVD should be very minimal. It should restrict any file copying or displaying functionality. It should also restrict any access to the console. This way an attacker cannot copy the PVK and the SPC from the DVD.
2. The DVD should be encrypted, and the decryption key should be embedded into CSS2. This way any copies of the DVD will be useless, outside CSS2.
3. The DVD should be placed in a safe box, which requires three more or keys to open it.

Boson has Audio training CDs for CISSP. The media and content was actually produced by AudioWhiz. AudioWhiz's Bruce Gaetke (CEO) claims that the training CD is intended for intermediate audience. However after listening to 5 CDs, I think this particular training is aimed toward the beginners. The content is very basic, and only good for people who are starting in the e-Security field. People who have worked in the security field for at least 3 yrs (which is a requirement for CISSP) will find this audio training to be ineffective.
The question/answer format of the training is great. Each answer is explained. The five CDs contain 12 sections on each CD, and are easy to navigate. However I would only purchase this training media, if you have NO experience in e-Security field.

Boson offers Computer based Practice test for CISSP. These are great for testing your skills. The simulation interface that Boson provides is a lot better than what PrepLogic provides. Boson offers 3 Practice Test for CISSP. I would highly recommend that you buy all three. Practice Test I contains 400+ questions, and Practice II & III contain 200+ questions each.

Boson test are great, but the best CISSP practice exams are produced by Transcender. Transcender offers SecurityCert: CISSP Exam for hefty price tag of $249. But I think it is worth every cent. You get about 500 very realistic questions on the media. The test engine is very good as well. Best of all it comes with a pass guarantee. i.e. Transcender will return your money if you don't pass the CISSP exam. So you can't go wrong. However if you are not interested in the Pass Guarantee, and just want the practice questions, Self Test Software offers the same questions and the test engine for $169. But you don't get the Pass Guarantee with $169.

If you don't want to pay $$$ for practice test, try CISSP and SSCP Open Study GROUP Online Quizzer. It is a free online Quiz, that includes question submitted by various people. The questions are of good quality, but the user interface is not that great. I prefer to see one question per page. I also like the explanations provided with answers to each question. Since the questions are usuallly submitted by people, I sometimes doubt the validity of the questions. Some of questions in the online quiz would never appear in an actual CISSP exam.

Logical Security offers a Computer Based Training for CISSP by Shon Harris. This is an EXCELLENT alternative to live or instructor-led training. I didn't want to shove out $3000+ for instructor-led training offered by many vendors, so went ahead and bought Shon Harris' CBT. And it was money well spent. One problem with instructor-led is that, what you get out of the training mainly depends on the instructor you get. If you get an instructor like Shon Harris you are lucky. Not many people are lucky enough, and I have heard many horror stories about the instructors. With Shon Harris' CBT you CAN NOT go wrong. It is a self-paced learning environment, and you can repeat as many times as you want. This 24-hour course is the same class Shon Harris teaches around the world for large corporations and organizations including RSA, BMC Software, NSA, Depts. of Energy and Defense, Microsoft and Bank of America. Shon provides real-world scenarios, examples and explanations so that you can truly grasp even the most complicated concepts. The course includes 3-D animations that conceptually walk you through critical topics. Text highlights, illustrations and question and answer sessions ensure full comprehension. However a workbook along with the CBT would have been nice. It seems like Logical Security will be offering a companion workbook in the near future. So that will complete the package.
CCCURE.com sells this CBT for $499. It is the cheapest price that you can find anywhere on the net. Most resellers are selling it for hundreds of dollars more. This is the same package that Amazon.com sells for $900 dollars. See details at: http://www.cccure.org/modules.php?name=News&file=article&sid=527

CISSP Core Principles (must read)

XML-DEV Mailing List Archive

Spoofstick: http://www.corestreet.com/spoofstick/
Netcraft Toolbar : http://toolbar.netcraft.com/ (This one is the BEST)
Outfoxed : http://getoutfoxed.com/
TrustBar : http://trustbar.mozdev.org/
Google Safe Browsing : http://www.google.com/tools/firefox/safebrowsing/index.html

Click here for the complete discussion thread
Click here for Slashdot discussion on this topic

or for utilimate phishing-free web browsing and e-mailing use Lynx and Pine

Step 1) Authentication Server to Client
Ticket Granting Ticket : [client, address, validity, Key_{(client, TGS)}]Key_(TGS)
[Key_{(client, TGS)}]Key_(client)

Step 2) Client to Ticket Granting Server
Ticket Granting Ticket : service, [client, client address, validity, Key_{(client, TGS)}]Key_(TGS)
Authenticator : [client, timestamp]Key_{(client, TGS)}

Step 3) Ticket Granting Server to Client
Ticket _{(client, service)} : service, [client, client address, validity, Key_{(client, service)}]Key_(service)
[Key_{(client, service)}]Key_{(client, TGS)}

Step 4) Client to Service
Ticket _{(client, service)} : service, [client, client address, validity, Key_{(client, service)}]Key_(service)
Authenticator : [client, timestamp]Key_{(client, service)}


What follows is a simplified description of the protocol. The following shortcuts will be used: AS = Authentication Server, TGS = Ticket Granting Server, SS = Service Server.

In one sentence: the client authenticates itself to AS, then demonstrates to the TGS that it's authorized to receive a ticket for a service (and receives it), then demonstrates to the SS that it has been approved to receive the service.

In more detail:

1. A user enters a username and password on the client.

2. The client performs a one-way hash on the entered password, and this becomes the secret key of the client.

3. The client sends a clear-text message to the AS requesting services on behalf of the user. Sample Message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS.

4. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client:
* Message A: Client/TGS session key encrypted using the secret key of the user.
* Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.

5. Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key. This session key is used for further communications with TGS. (Note: The client cannot decrypt the Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

6. When requesting services, the client sends the following two messages to the TGS:
* Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service.
* Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key.

7. Upon receiving messages C and D, the TGS decrypts message D (Authenticator) using the client/TGS session key and sends the following two messages to the client:
* Message E: Client-to-server ticket (which includes the client ID, client network address, validity period) encrypted using the service's secret key.
* Message F: Client/server session key encrypted with the client/TGS session key.

8. Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages:
* Message G: the client-to-server ticket, encrypted using service's secret key.
* Message H: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key.

9. The server decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client:
* Message I: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key.

10. The client decrypts the confirmation using its shared key with the server and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server.

11. The server provides the requested services to the client.

Spector CNE
TraumaZero Network Sniffer
eTrust Network Forensics
WebSense
iPrism� Internet Filter
SurfControl
Misc.

Click here for full discussion thread and here.

"Wrong must not win by technicalities" Aeschylus

"Men are not hanged for stealing horses, but that horses may not be stolen"

"Law cannot persuade, where is cannot punish". Thomas Fuller

"One of the uses of our system of justice is to warn others... We are reforming, not the hanged individual, but everyone else." Michel de Montaigne

"It is justice, not charity, that is wanting in the world." Mary Wollstonecraft

"The art of policing is, in order not to punish often, to punish severely" Napoleon

Bruce Schneier wrote in his book:

"Many security awareness programs are considered to be worthless by security professional, and I'm inclined to agree with that assessment. In researching the problem, I've discovered that far too many so-called awareness programs are nothing more than speeches informing employees of the consequences of illegal activities. The focus is on employees' misbehaviour and on penalties.

Threatening to to fire people caught stealing secrets is not only a waste of time, it's counterproductive. It's no wonder that "security" has such a negative connotation for so many. People learn to fear the word, and they report incident to the department only as a last resort - and sometimes only when they believe they are being set up..........

Programs that focus on penalties do nothing to educate, and that should be the primary purpose of any awareness program."

Buy the book Security and Lies for Bruce's recommendation for creating a Security awareness program.

See also:

R.U.N.S.A.F.E @ jmu.edu
When I grow up ... At University of Virginia
Warriors of the Net official web site
Security Poster Campaigne @ The University of Auckland, New Zealand
DoD's Information Assurance Series on DVD

Click here for the complete discussion thread

"When it comes to simplicity improving security think of the application as a house. The bigger it is, the more windows and doors it will have."

There exist two types of systems:
1) those which are so simple that they are obviously correct, and
2) those which are so complex that it is not obvious even when they are incorrect.

Simplicity is the ultimate sophistication.

*"There are two ways of constructing a software program:
one way is to make it so simple that there are obviously no deficiencies;
the other is to make it so complicated that there are no obvious deficiencies"
C.A.R. Hoare


"I repeat: complexity is the worst enemy of security. Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity. Unfortunately, simplicity goes against everything our digital future stands for. " Bruce Schneier

"A more complex system is less secure on all fronts. It contains more weaknesses to start with, its modularity exacerbates those weaknesses, it's harder to test, it's harder to understand, and it's harder to analyze." Bruce Schneier

LDAP directories have the capability to define Roles. Roles becomes a topLevel OU, similar to OU=People or OU=Groups.

Once logged in, a web application can check to see if the user has the proper Role assignment to perform a given a action.

Java, PHP, ColdFusion provide methods like isUserInRole("{RoleName}") to check logged-in user's Role assignments. Based on the Return Value of this function, the web application can determine whether to display content or restrict it from the logged-in user.

# sample LDIF to add Roles OU to LDAP:
dn: ou=Roles,o=xml-dev.com,o=CORP
ou: Roles
objectClass: top
objectClass: organizationalUnit

# Define a Role
dn: cn=ReportView,ou=Roles,o=xml-dev.com,o=CORP
objectClass: top
objectClass: groupOfUniqueNames
cn: ReportView
uniqueMember: uid=123456,ou=People,o=xml-dev.com,o=CORP

I am a regular reader of Bruce Schneier's Blog, Articles, and Books, and I really like what he writes. However I recently read his book titled "Secret and Lies" and I think he has done some in-justice to the security provided by the "Code Signing".

On page 163 of his books, he (Bruce Schneier) basically states that:
"Code signing, as it is currently done, sucks".

Even though I think that Code Signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization.

The following are the reasons that he (Bruce Schneier) gives:

Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.

My comments: True. However in an organization is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp.", however anything from "Citrix Corp" should be fairly safe. Moreover Windows XP SP2 provides provides a mechanism to create a Whitelist of certain trusted signers, and reject everything else. This is a very powerful security mechanism, and greatly increase the security in a corporate environment, if the workstations are properly configured. Having said that, this feature may not be that useful for home user, who can not tell the difference between Snake Oil and Citrix Corp. Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.

My Comments: I fully agree with this. However Code Signing was never intended for this purpose. Code signing was design to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.

Bruce's Argument #3) Just because two component are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.

My comment: Again Code Signing was was never designed to accomplish this.

Bruce's Argument #4) "safe" is not all-or-nothing thing; there are degrees of safety.

My comment: I agree with this statement.

Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simple reformat the drive where the signature is stored.

My comments: I am not sure what this statement mean. I think this type of attack is outside the realm of Code Signing. if you can compromise the system, you can do much more harm then just modify the executable.
"It is like saying host based IDs or anti-virus are useless, becuase if you can compromise the system you can turn them off."

Click here for the full discussion on Slashdot

SPNEGO provides SSO in a KERBEROS enabled environment. Basically it allows web applications to automatically authenticate clients who have valid Kerberos credentials.

SPNEGO page on Wikipedia
SPNEGO description on Microsoft.com
SPNEGO module for Apache
SPENGO module for Java based apps
Another SPNEGO module for Apache

Kerberos explained visually

RSS: beyond news sites and weblogs (Full Article)

RSS (Really Simple Syndication) is an XML based web content syndication format. RSS has become the defacto feature on weblogs and many news sites. Almost all major news sites and weblogs provide an RSS feed for their audience. An RSS-aware program (aka RSS reader) can check these RSS feeds for changes and display the updates in a human readable format.

RSS has become the de facto feature on weblogs and many news sites

Almost every computer geek visits Slashdot.org once a day. But UberGeeks, like me, prefer to be always up to date with the latest articles on Slashdot.org. So instead of visiting Slashdot.org every 5 minutes, I have subscribed to the Slashdot RSS feed. As soon as there is a new article on Slashdot, my RSS reader notifies me of it. This allows me to logon and make the �First Post� (reply) to the Slashdot.org article. I have to attribute many of my �Slashdot First Posts� to the power of RSS. This power of RSS has been utilized on other news sites as well. NPR, CNN, and Wired all provide RSS feeds.

URLs to RSS feeds from some popular weblogs and news sites:

* Slashdot
* National Public Radio

However there are other areas where the power of RSS has not been fully realized. Wikis, Usenet and web based discussion groups come to mind. But this is changing fast. In this article I would like to go over some of the free software that allows web-content distribution and republication in the areas of Wikis, Usenet and discussion groups. I�ll also go over a powerful RSS Reader that is freely available.
Firefox: a powerful RSS reader

An RSS Reader is an application that polls RSS feeds and displays them in a human-readable format. The reader allows you to browse the newly available items in the RSS feed. RSS readers come in many flavors.

As soon as there is a new article on Slashdot, my RSS reader notifies me of it

One powerful RSS reader, that often goes unused by many, comes built-in with Mozilla Firefox browser. It is called the Live Bookmark. Live Bookmarks is a new technology in Firefox that lets you view RSS news and weblog headlines in the bookmarks toolbar or bookmarks menu. It enables you to quickly see the latest headlines from your favorite sites. Clicking on any of the live bookmark will take you directly to the page referenced by that RSS item.

Firefox�s Live Bookmark lets you see the latest headlines from your favorite sites. Clicking on any Live Bookmark opens up the full article in the browser window
Firefox�s Live Bookmark lets you see the latest headlines from your favorite sites. Clicking on any Live Bookmark opens up the full article in the browser window

You can download Firefox from the Mozilla web site. Some other Freely available RSS readers:

* RSS OWL (Java based)
* FeedReader (Windows)
* DSSBandit (windows, written in C#)
* LifeArea (GTK/GNOME)
* Straw (Python/GNOME)
* Syndigator (Perl/GTK)
* Blam (Mono: C# and Gtk#)
* Snownews (Console based, ncurses)

Chronological web sites?

Wiki is a web site that allows users to add, edit or modify web site content, by merely using a web browser. Wiki provides a fast and easy way to collaborate and collaboratively create documentation on the web. Not surprisingly, Wiki comes from the Hawaiian term for �quick� or �super-fast�. A Wiki engine also serves well as a Departmental or a Taskforce web site, which the team members can use to share ideas and publish content, without messing around with HTML editors. PHPWiki, as the name suggest, is a PHP based Wiki, while Twiki is PERL based. Both of these Wiki engines, with their aim to foster information flow among the users, provide RSS feeds of the latest content and updates in chronological order. The RSS feeds from these Wiki engines provide an easy way for the users to keep up to date on the latest updates to the content of the web site. This is especially useful when the Wiki is being used to track bugs or features in a product. The subscriber of the RSS feed will be notified as soon as an update is made to the list of bugs or the feature.

All of the changes made to the content on the Wiki are shown as RSS items in the order they were made (chronological)
All of the changes made to the content on the Wiki are shown as RSS items in the order they were made (chronological)

Clicking on any Wiki Page Title (RSS item), will take you directly to the modified page. Only the pages that changed/edited show up as RSS items
Clicking on any Wiki Page Title (RSS item), will take you directly to the modified page. Only the pages that changed/edited show up as RSS items

* Twiki (requires Apache and Perl)
* PmWiki (requires Apache and PHP
* MediaWiki (requires Apache, PHP and mySQL)
* MoinMoin (requires Apache and Python)
* usemod (requires Apache and PERL)
* PHPwiki (requires Apache, PHP and mySQL)
* ChiqChaq (requires Apache and PERL)

Die hard usenet fan?

If you are die-hard fan of Usenet, like me, you can never stop pressing the refreshing key to retrieve the latest newsgroup postings. Refresh button (F5), on my keyboard, has worn out due to overuse. Worry not, Google + RSS has come to our rescue. A few years back Google acquired Deja News, the largest collection of web accessible Usenets.

All of the latest postings to a Usenet newsgroup are shown as RSS items in the order they were made (chronological)
All of the latest postings to a Usenet newsgroup are shown as RSS items in the order they were made (chronological)

PHPWiki and Twiki are two popular Wiki engines that are freely available under the GNU Public License. Both of these Wiki engines, in their aim to foster information flow among the users, provide RSS feeds of the latest content and updates in chronological order

After the acquisition, Google made some very cool enhancements to the Deja News Network. But that wasn�t good enough, Google went on to develop a whole web based collaboration platform based on the NNTP protocol. A powerful feature of this collaboration platform is ability to generate RSS feed of the latest newsgroup postings in a chronological order. This allows an avid Usenet fan to keep up to date with the newest post on the groups of interest. As soon as a new Usenet posting is made, the RSS reader on my desktop notifies me of it.

You can subscribe to the RSS feed of a Usenet newsgroup by simply adding the following URL to your favorite RSS reader: http://groups-beta.google.com/group/{name.of.newsgroup}/feed/msgs.xml. Replace {name.of.newsgroup} with newsgroup of your choice. Some examples:

* http://groups-beta.google.com/group/comp.text.xml/feed/msgs.xml
* http://groups-beta.google.com/group/microsoft.public.visio/feed/msgs.xml

Do you Yahoo?

Ok, so you are not an old timer like me. Instead, you are from the new generation and instead use Yahoo Group to communicate with your peers. Worry not, Yahoo Group also provides a RSS for the groups.

You can use the following URL syntax to subscribe to an RSS feed of the Yahoo Group: http://groups.yahoo.com/group/{group_name}/rss. Replace {group_name} with the Yahoo Group of your choice. Some examples:

* http://rss.groups.yahoo.com/group/apache-user-group/rss
* http://rss.groups.yahoo.com/group/citrix/rss
* http://rss.groups.yahoo.com/group/ssl-talk/rss
* http://rss.groups.yahoo.com/group/xml-doc/rss

Conclusion

RSS is a fast and powerful way to get news out to an audience. RSS readers inform their users of any new postings on news sites, newsgroups and weblogs. If you need to keep up to date on the latest news articles, or you need to track the postings on Wiki or your favorite weblog, then you really need to use an RSS reader.

This might be interesting for authors and editors who use XML:

I am covering VEX and ButterflyXML in the article. Both of them are very powerful "OpenSource" editors.

http://www.freesoftwaremagazine.com/free_issues/issue_03/practical_applications_xml/ (HTML version)

http://www.freesoftwaremagazine.com/free_issues/issue_03/pdfs/FSM_issue_03_practical_applications_xml.pdf (PDF version)

Comprehensive list of XML authoring applications:
http://www.freesoftwaremagazine.com/free_issues/issue_03/practical_applications_xml/xml_editors.jpg

ActiveGrid's new open source Grid Application Server based on the LAMP (Linux, Apache, MySQL, PHP/Python/Perl) stack.

ActiveGrid Grid Application Server
ActiveGrid Application Builder
ActiveGrid Application Builder Screenshots

A review of XML editors has just been published by the Arts and Humanities Data Service.

The article is at
http://ahds.ac.uk/creating/information-papers/xml-editors/

It looks at 23 different editors and benchmarks them against various features (eg, Multilingual text input and display, Support for different schema languages)

It also presents the results of an evaluation exercise where different user groups tried a number of the editors.

The Cascading Stylesheets provide a way to directly view a styled XML document in software that supports XML styled with CSS2 (e.g. a recent Mozilla)

The following is a list of interesting CSS for displaying XML content in browsers:

1) CSS for DocBook XML document: http://www.badgers-in-foil.co.uk/projects/docbook-css/

If you have CSS for displaying XML documents, please feel free to add them to this list.

Buy these books:

1) Introduction to Linux

2) Bash Guide for Beginners

My Inner demons would like to meet you, outside in the parking lot! . This is the title of my new upcomming book

SSL Based VPNs
1) PortWise - Secure Application Access
2) Array's VPN Solution
3) f5's FirePass
4) Nortel's Alteon SSL VPN
5) Netscreen's SSL VPN
6) Permeo SSL Remote Access
7) NetScaler
8) Aventai SSL VPN
9) NetSilica
10) OpenVPN (OpenSource)
11) HOB VPN (+NAT, etc)
12) WhaleCommunication's e-Gap Remote Access SSL
13) Symantec Clientless VPN
14) AEP SureWare A-Gate


Slashdot Discussion on SSL based VPNs

From Dr. Kay Redfield Jamison's book titled "An Unquiet Mind"

- "We all move uneasily within our restraints."
- "but of course they had no idea how I felt, although they were certain that they did."
- "The morbidity of my mind was astonishing: Death and its kin were constant companions."
-"Within psychiatric circles, if you kill yourself, you earn the right be considered a "successful" suicide.....
- There is an assumption, in attaching Puritan concepts such as "successful" and "unsuccessful" to the awful, final act of suicide, that those who "fail" at killing themselves not only are weak, but incompetent, incapable even of getting their dying quite right.

The book is available at Amazon. Definitely a must read.


Try some, Chocolate Bone Marrow instead.

Nothing to turn back to,
everything turned to rose.
Try some,
Chocolate Bone Marrow instead.

Sept. 9, 2003

Open letter to Darl McBride -- please grow up.

Dear Darl,

Thank you so much for your letter.

We are happy that you agree that customers need to know that Open Source is legal and stable, and we heartily agree with that sentence of your letter. The others don't seem to make as much sense, but we find the dialogue refreshing.

However, we have to sadly decline taking business model advice from a company that seems to have squandered all its money (that it made off a Linux IPO, I might add, since there's a nice bit of irony there), and now seems to play the US legal system as a lottery. We in the Open Source group continue to believe in technology as a way of driving customer interest and demand.

Also, we find your references to a negotiating table somewhat confusing, since there doesn't seem to be anything to negotiate about. SCO has yet to show any infringing IP in the Open Source domain, but we wait with bated breath for when you will actually care to inform us about what you are blathering about.

All of our source code is out in the open, and we welcome you point to any particular piece you might disagree with.

Until then, please accept our gratitude for your submission,
Yours truly,

Linus Torvalds

SCO smear campaign can't defeat GNU community


By Richard Stallman, Tech Update
June 23, 2003 12:08 PM PT


SCO's contract dispute with IBM has been accompanied by a smear campaign against the whole GNU/Linux system. But SCO made an obvious mistake when it erroneously quoted me as saying that "Linux is a copy of Unix." Many readers immediately smelled a rat--not only because I did not say that, and not only because the person who said it was talking about published ideas (which are uncopyrightable) rather than code, but because they know I would never compare Linux with Unix.

Unix is a complete operating system, but Linux is just part of one. SCO is using the popular confusion between Linux and the GNU/Linux system to magnify the fear that it can spread. GNU/Linux is the GNU operating system running with Linux as the kernel. The kernel is the part of the system that allocates the machine's resources to the other programs you run. That part is Linux.

We developed GNU starting in 1984 as a campaign for freedom, whose aim was to eliminate non-free software from our lives. GNU is free software, meaning that users are free to run it, study it and change it (or pay programmers to do this for them), redistribute it (gratis or for a fee), and publish modified versions. (See
http://www.gnu.org/gnu/the-gnu-project.html.)

In 1991, GNU was mostly finished, lacking only a kernel. In 1992, Linus Torvalds made his kernel, Linux, free software. Others combined GNU and Linux to produce the first complete free operating system, GNU/Linux. (See http://www.gnu.org/gnu/gnu-linux-faq.html.)
GNU/Linux is also free software, and SCO made use of this freedom by selling their version of it. Today, GNU runs with various kernels including Linux, the GNU Hurd (our kernel), and the NetBSD kernel. It is basically the same system, whichever kernel you use.

Those who combined Linux with GNU didn't recognize that's what they were doing, and they spoke of the combination as "Linux." The confusion spread; many users and journalists call the whole system "Linux." Since they also properly call the kernel "Linux," the result is even more confusion: when a statement says "Linux," you can only guess what software it refers to. SCO's irresponsible statements are shot through with ambiguous references to "Linux." It is impossible to attribute any coherent meaning to them overall, but they appear to accuse the entire GNU/Linux system of being copied from Unix.

The name GNU stands for "GNU's Not Unix." The whole point of developing the GNU system is that it is not Unix. Unix is and always was non-free software, meaning that it denies its users the freedom to cooperate and to control their computers. To use computers in freedom as a community, we needed a free software operating system. We did not have the money to buy and liberate an existing system, but we did have the skill to write a new one. Writing GNU was a monumental job. We did it for our freedom, and your freedom.

To copy Unix source code would not be ethically wrong, but it is illegal; our work would fail to give users lawful freedom to cooperate if it were not done lawfully. To make sure we would not copy Unix source code or write anything similar, we told GNU contributors not even to look at Unix source code while developing code for GNU. We also suggested design approaches that differ from typical Unix design approaches, to ensure our code would not resemble Unix code. We did our best to avoid ever copying Unix code, despite our basic premise that to prohibit copying of software is morally wrong.

Another SCO tool of obfuscation is the term "intellectual property." This fashionable but foolish term carries an evident bias: that the right way to treat works, ideas, and names is as a kind of property. Less evident is the harm it does by inciting simplistic thinking: it lumps together diverse laws--copyright law, patent law, trademark law and others--which really have little in common. This leads people to suppose those laws are one single issue, the "intellectual property issue," and think about "it"--which means, to think at such a broad abstract level that the specific social issues raised by these various laws are not even visible. Any "opinion about intellectual property" is thus bound to be foolish. (See
http://www.gnu.org/philosophy/words-to-avoid.html.)

In the hands of a propagandist for increased copyright or patent powers, the term is a way to prevent clear thinking. In the hands of someone making threats, the term is a tool for obfuscation: "We claim we can sue you over something, but we won't say what it is."

In an actual lawsuit, such ambiguity would make their case fail, or even prevent it from getting off the ground. If, however, SCO's aim is to shake the tree and see if any money falls down, or simply to spread fear, they may regard vagueness and mystery as advantageous.

I cannot prognosticate about the SCO vs IBM lawsuit itself: I don't know what was in their contract, I don't know what IBM did, and I am not a lawyer. The Free Software Foundation's lawyer, Professor Moglen, believes that SCO gave permission for the community's use of the code that they distributed under the GNU GPL and other