
Sunday, 19 February 2012

Activism vs. Vandalism, Digitally speaking

Howdy sports fans (this is here to stay), I know I've been away but I'll try and be better. Having said that, I realise how often I say that and don't fully follow through. Please don't hate me *cute face*. Moving on, let's talk about the difference between digital activism and digital vandalism. Let's start off by talking about a term I hate, which, if you have been reading my blog, you will know is a long list. More to the point, today's hated word is "hacktivism."

Hacktivism is a portmanteau of "hacking" and "activism" and is basically "activism by means of hacking." Which is basically a roundabout way of saying "the (perceived good) ends justify the (blatantly wrong) means." The basic idea is that you, as a hacktivist, hack somebody/something to make a point or a statement, but really you are pretty much doing this. Yes, that sketch does exaggerate for comic effect, but you get the point.

Of course, the very first thing that comes to most people's minds when they hear the word hacktivist is Anonymous. I have written about some of their activities before and, as you may or may not know, I'm not really a fan. They started off playing pranks on people and general trolling, which was OK by me. They said they were doing it just for the lulz (yeah, LulzSec also has the same kind of problem). Then they got a bit more political, and most recently, but I still think that they are being a tad juvenile about it.

"But, then what is the grown up thing to do?" you may be asking, oh intrepid reader. Well, let me tell you. There was, and still is, some raging going on about SOPA/PIPA (yes, yes, I'm going to write more about this, after I've done more reading) and quite rightly so. People sent letters to their senators, congressmen/congresswomen and representatives and registered protests in the conventional way. And then something magical happened - a proper online protest: the SOPA blackout.

Basically a large number of websites, big and small, replaced all their content with a black page explaining what they were protesting and why. Some people didn't get the memo, so this happened, but overall I think it was a success. Almost instantly SOPA/PIPA lost a lot of support and were then shelved. Normal service resumed the next day and everybody was happy. In all of this, nothing illegal was done and nobody was harmed; inconvenienced, maybe, but no real harm was done.


Compare that to the very next day when Kim Dotcom (Who goes and changes their surname to Dotcom? I mean really? Does he want to be mocked?) et al. were arrested and what Anonymous did. They took down the websites for , which is a whole other kettle of fish. This is basically vandalism, even though it is not the standard defacement type of vandalism you may be thinking of, but the point still stands. Not to mention the fact that it is illegal, but well.

Unfortunately, law enforcement really has no idea how to deal with these kinds of digital vandals, for several reasons. I'm not sure there is an easy solution to this, but who knows? So, in short, you can protest via digital means, but there is a right way and a wrong way to do it, and sadly the wrong way is more prevalent.

Saturday, 26 November 2011

When responsible disclosure is not the responsible thing to do.

Greetings sports fans! (I really like this. Yeah, this is going to be a thing from now on.) Today I want to fill you in on one of the most asked questions in the field of computer security: "Who should I tell about my latest discovery?" There are a few possible answers to that question, most commonly (in order of size): nobody, the people involved, the people affected, the research community, everybody and, for completeness, TeH I/\/t3W3bzzz!!1!! It's not always clear what the real answer is, or even if there is a real answer, as we shall soon see.

So, let's start off with the case I am most familiar with, as it is what I do: theoretical constructive cryptography. Sounds fancy, don't it? Basically, what I do is look at existing schemes and try to make a better one, by either improving the extant scheme or creating a new one. In this case it's obvious that what you have now found should be shared with at least the research community and maybe the whole world if it has any real-world applications/impacts/etc. The same goes for the implementation side of cryptography.

One would assume advances in constructions or protocols are somewhat non-threatening to the security of any other system. That is normally the case, if we consider only the security of a system. A better version of an extant protocol may pose a financial threat to any parties selling the aforementioned protocol, but it would not compromise it in any other way. The real difference is on "The Other Side of the Coin." (Heyooo!)

All silly self-referencing puns aside, what I am really referring to is cryptanalysis. These are the guys whose job it is to take cryptographic schemes and find ways to break them. They sound evil, right? Well, they aren't. The idea behind cryptanalysis is to find out which schemes can and cannot be broken by using a variety of techniques. If a given scheme, or indeed a class of schemes, is broken, it gives cryptographers insight into what they should not do. You may think of cryptanalysts as safety inspectors.

Now, here's the problem. Consider this: I make a new and particularly bad crypto scheme, let's call it AVeryBadIdea or AVBI (C)(TM)(Pat. Pend.). I publish this scheme and I'm happy. A cryptanalyst has a look at it and breaks it completely within days of its publication. They publish the attack and life goes on. Number of people affected: 2. Doesn't sound like a problem? Well, consider the following scenario: I sell this very same cryptosystem to a couple of small time businesses to secure their data, blah, blah. Now when the attack comes out, number of people affected: 2 + all the people who bought AVBI.

Let's take this a step further. What if AVBI is used for something important, say credit cards? Well, then when the system is broken, we have a problem. Now every credit card in existence is under threat of being used by malicious parties. Affected people: 2 + banks + credit institutions + everybody who has a credit card. Here the responsible thing to do is to tell the banks and credit institutions so they can try and find a remedy for it. The wrong thing to do is tell everybody else first.

Then you get into more complex issues. A large number of schemes have one "master secret." The gist of it is that if anybody knew this they could do whatever they wanted and not be found out. Suppose AVBI is now an industry standard of some description or the other. Somebody comes up with an attack that allows them to recover the master secret and indeed they do. What do they do? Tell the industry governing body? Sounds like a good idea right?

It is, if the concerned party/parties are not overtly hostile. The classical example of this is HDCP, as explained by Niels Ferguson. On the flip side you have the Stony Brook researchers who released the source code that allows you to do this. It's quite a grey area and I'm not sure there is a real right answer to this. There is a middle ground, which is publishing the idea of the attack, but not releasing the implementation. I believe this is what has been done by my colleagues at the Ruhr University of Bochum with regard to their recent work on HDCP. However, this does also leave open the question: could someone develop a similar attack on their own? It's possible, but then consider that the master secret is already out there, so is it really a bigger threat?

There is scope for even more potential pitfalls and possible permutations of the present problem regarding all participating parties (that's a lot of p's) and the water can get even more murky. Yes, there are clear cut consequences of cryptographic and cryptanalytic creations (and a few c's), but not always. There is so much room for error and personal judgment and it can be quite a burden trying to tackle such a dilemma. So in short, responsible disclosure can be an irresponsible thing to do.

Sunday, 6 November 2011

BBM and Siri outages, a failure in more ways than you think.

Morning sports fans! Yes, I've missed you too, but I'm having a super perfectionist phase and none of my posts seem good enough to publish. This should all blow over and there will be quite a few posts some time in the future. So, let's wind the clock back a smidge and remember one of the biggest fails of the year: The Great BlackBerry Outage of 2011! (Yeah, I'm expecting more to come.)

So, cast your mind back to October 10th-ish when the first reports of a RIM server crash came in. Millions of people were left without access to BBM and some Internet services, such as Facebook. Ah, the many jokes we made that they didn't see. Well it quickly spread to North America and then other planets! (BONUS QUESTION: How many of these planets do you know?) It was somewhat fitting that BlackBerry users who were fairly vain about BBM had it ripped from them for a couple of days. It was a good thing.

Eventually, RIM apologised, and service and the status quo were restored. There was still the great debate of BlackBerry vs. iPhone (as explained here by Jimmy Carr and Sean Locke on 8 out of 10 Cats), but the iPhone users had a little chip on their shoulder that said "We never have service outages." This was compounded by the fact that the release of the iPhone 4S, and with it Siri, was imminent. Just to catch you up, Siri is the voice activated personal assistant that comes with the iPhone 4S. (For further details see this)

Anywho, Siri is now here and people are enjoying asking it silly questions, demonstrating which accents it can't understand and showing that it's only fully functional in the USA. What I was, until recently, unaware of is that Siri runs in the cloud. I have no love for cloud computing, but will ignore that at this juncture. A couple of days ago a failure caused Siri to be unable to connect to the Apple servers and thus not work. Wait, you mean Apple has service outages as well? *le gasp*! Well of course they do! The reason is simple: they seem to have overlooked a very basic principle of computer security: critical infrastructure.

What is critical infrastructure you ask? Good question! Critical infrastructure is an old-ish field which studies a setup and sees what it would take for that setup to stop working. The classical example is a very nice graph theoretic problem, which is quite nicely demonstrated by the London Underground map. Assume this is your only means of transport. Pick any station and/or section of the map. The problem is: can you make a single cut and isolate that station/section from the rest of the map? There are variants, such as the minimum number of cuts needed to isolate a station/section, and also versions on other things such as electricity, water and gas supply. You get the gist of it all, right?

The same can be done for communication and telecommunication networks. This is normally done, but it can be a bit tricky. With wired communications, it's easy to draw up a graph-style map, with each wire as an edge and each node as a vertex. However the same is not really true of wireless communications. To stop wired communications between point A and B, you need to sever the wire joining them. It's not as clear what the equivalent for wireless communication is. There is also the issue that unlike wired devices, which are immobile, wireless devices by definition are mobile.
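The station-isolation exercise above, carried over to the wired network graph, as an added example (mine, not the post's): a constructed topology in which each wire is an edge, and a unit-capacity max-flow that counts the minimum number of links that must be severed before a site can no longer reach the data centre. The topology, the WIRED_LINKS name and the "dc" core node are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed example topology (not from the original post): each pair is one
# physical wire between two sites, and "dc" is the data centre every site must reach.
WIRED_LINKS = [
    ("dc", "core1"), ("dc", "core2"), ("core1", "core2"),
    ("core1", "officeA"), ("core2", "officeA"),   # officeA is dual-homed
    ("core2", "officeB"),                         # officeB hangs off a single wire
    ("officeB", "warehouse"),                     # warehouse sits behind officeB
]


def build_graph(links):
    """Undirected adjacency sets: vertices are sites, edges are wires."""
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return dict(g)


def min_link_cuts(g, src, dst):
    """Minimum number of wires to sever so that src can no longer reach dst.

    Each undirected wire becomes two unit-capacity arcs; Edmonds-Karp then finds
    one link-disjoint route per augmenting path, and by max-flow/min-cut the
    number of such routes equals the size of the smallest separating cut.
    """
    cap = defaultdict(int)
    for a in g:
        for b in g[a]:
            cap[(a, b)] = 1
    flow = 0
    while True:
        # Breadth-first search for a route with spare capacity.
        parent = {src: None}
        queue = deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v in g[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return flow
        # Push one unit along the route and record the residual in reverse.
        v = dst
        while parent[v] is not None:
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1


def single_points_of_failure(g, core):
    """Sites that a single severed wire would cut off from the core."""
    return sorted(n for n in g if n != core and min_link_cuts(g, n, core) == 1)


if __name__ == "__main__":
    graph = build_graph(WIRED_LINKS)
    for site in sorted(graph):
        if site != "dc":
            print(f"{site:10s} cuts needed to isolate from dc: {min_link_cuts(graph, site, 'dc')}")
    print("single points of failure:", single_points_of_failure(graph, "dc"))
```

The dual-homed office survives any one cut, while the sites reached through a single wire are exactly the ones the analysis flags.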

So, now do we consider simply the connection between the devices or do we also have to consider the location? Can we only consider one or do we have to consider both? If I go into a lift and lose wireless connectivity is that a failure of the network or the device or both or neither? If you are thinking such distinctions are a moot point, then you are pretty much correct. Yes, it's not a major issue, but it should not be completely overlooked. There are a lot more examples of this, but that would mean delving into technicalities, which I would rather not do.

And there is the issue of time. These things take time, quite often a lot of it. There are so many contingencies to consider, such as the classic: the CTO chokes on sushi, the rest of the department is killed in a meteor strike and the only other guy who knows the password gets retrograde amnesia. Yes, that is a tad far-fetched, and one should probably stop when retrograde amnesia is the most likely event in your scenario. The digital market thrives on speed. You need to get the next product out there 2 weeks before the previous one is launched.

So, as you can see, owing to several issues, the critical infrastructure analysis is possibly not done as well as it should be, which can cause these kinds of issues. On the other hand, you can do the most thorough analysis and the worst case scenario may still occur, thus causing an outage. So basically it's all a roll of the dice and remember "God doesn't play dice!"

Sunday, 9 October 2011

Privacy? Is that a vegetable?

So, here we are opening this can of worms. Yeah, I know there are other stories that are going on, but I'm working on a couple of posts, which should surface sometime soon. OK, so let's talk about privacy on the Internet. It's the one thing you will hear over and over again: "There is no privacy on the Internet." Which is part of the truth, but not the whole truth.

This is normally the cry of the anti-social narwhal (not an actual meme, yet!) against social networks, but it is a smidge unfair. The main complaint people have is that all your information is out there and anybody can see it and so on and so forth. Well, yes, because you put it out there. It's like complaining that your diary contains all these personal and embarrassing things about you. Yes, in this case the diary is actually owned by somebody else, but you knew what you were getting into. There really is no way around it, except, you know, not posting stuff like that on social networks.

Another issue regarding the matter of posting stuff is visibility. People seem to be unable to comprehend the very basic fact that stuff you post will be visible to other people. You can control who those people are, granted it is not always in the most obvious way. There always exists some mechanism to limit the visibility of your post. There are countless stories of students putting up statuses about teachers they added and employees doing the same with employers.

Well, let's say you mastered all the above; there is still one small problem. The people you are sharing this content with may not be so discerning. This is especially true for "amusing" content, exemplified best by the sites Lamebook and Failbook. Both these sites allow users to post screenshots of posts on Facebook, or any other social network in the case of Failbook, that they found amusing. The best are then shared on these sites for consumption by the general public.

Even as I write this I can hear the anti-social narwhal (this should totally be a meme) bellowing in my ears "BUT WHAT ABOUT THE PRIVACY!!!" Well, these sites do apply some discretion and redact names and profile pictures so as to preserve the identity of the posters. This does not always work. The trouble is that most posts get submitted to both sites. The really good ones show up on both. And well, if you mess up the redaction then it gets a bit hinky.

A perfect example of this is the following post on Lamebook and Failbook. Lamebook redacted the surnames and Failbook redacted the forenames. The end result is that you can find the original people and the original post. In all fairness this post is public, so there is not really much of an issue of privacy at this point, but try telling that to a narwhal (don't ask, I'm just going with it now).

So, in conclusion children: be aware of what you post on the Internet, for there are no secrets. Also, always brush your teeth before going to bed.

Wednesday, 14 September 2011

Hackers = Mobsters? Redux

So, I earlier wrote a post about how they want to try hackers under organised crime laws. Well, I must admit, much to my chagrin, that I may have overlooked some details. Well, not so much details as scenarios and/or types of attackers. My previous post focused primarily on the "breaking and entering" breed of hacker, specifically the kind without any financial motivations. Therein lies my folly.

The attacker I described was the kind that will break a system, to quote the famed LulzSec group, "just for lulz," or with some form of activist agenda, a la Operation Payback. Here the attacker(s)' main objective was to point out a weakness in a system, cripple a system as a form of protest, or simply to entertain themselves. Well, in any case, here the idea of organised crime does fall a tad flat, as explained previously.

Now, we move to something a colleague pointed out to me today. If we consider fiscally motivated crimes, then we begin to see the motivation for this kind of approach. Consider the case of identity theft via phishing, for argument's sake. Although this kind of attack can be done alone, there is essentially a mafia that controls large parts of this trade. It is very reminiscent of the classical mobsters, to the extent that there is a lot of speculation of them being linked. Of course I have no knowledge beyond the rumblings of their existence, but I am convinced.

Although there are other, and arguably more sophisticated, ways of committing digital identity fraud, they all do have the same mafia-esque touch to them. Here, the idea of treating these in the same manner as organised crime is not a far-fetched idea at all. In fact, I believe it is the right idea.

So, in summary, this idea is not all bad and in fact is very good for certain classes of digital criminals, but not so much for others. Hopefully, the law all over will catch up to all the crazy types of security threats in our crazy world.

Monday, 12 September 2011

Hackers = Mobsters?

Ok, so as promised: post number 2 of today (just to be pedantic, my today). So, I recently read this, in which President Obama said that he wants hackers to be treated, for the purposes of the law, in a manner similar to that of organised crime. Yes, people, that means mobsters, as in Tony Montana or Al Capone. That does make hackers sound so much cooler now that we are imagining them in pinstripe suits and not nerdy T-Shirts, but we must question the validity of this.

My main objection to this is the term "organized", not only due to the fact that I prefer British spelling, but mainly because it's not always true. Yes, one could say that LulzSec is/was somewhat akin to the famed "Cosa Nostra," but they do indeed prove to be the exception to the rule. The next closest thing is Anonymous, but they are at best a loose collection of similar-ish minded individuals, who got together for one job and then disbanded. Of course some members will carry out attacks in unison after that, but it would almost certainly not be the whole group again.

Furthermore, there is a somewhat implicit assumption of some form of hierarchy amongst hackers. There may well be "senior" and "junior" members of the group and there may well be some people with more influence or more authority, but no real chain of command, so to speak. To the best of my knowledge there is no Godfather in hacker communities. So, here again the organised argument breaks down.

Of course, the previous is in the case where there is actually more than one person involved. It is neither impossible nor uncommon for a single hacker to mount attacks on a fairly large scale. Yes, I know that the article states that "complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," but there have been reports of single attackers mounting somewhat complex attacks. Granted, they may have obtained resources from other individuals/groups, but they did mainly act alone. In the case of this single perpetrator, the term organised seems to be a dash irrelevant. I can imagine that the lawmen would be hard pressed to somehow fit such a scenario into these laws.

Furthermore one would assume that the Racketeer Influenced and Corrupt Organizations (RICO) Act would be the basis for this new version of the Computer Fraud and Abuse Act (CFAA). I am not a legal expert, but I can imagine that this would be quite challenging. You see, these two classes of criminals live and operate in very different environments, thus making any sort of an analogy difficult. However, this idea is not without merit.

Recently, this story emerged. An Australian blogger wrote about domain-name fraud and found himself in a spot of bother. He was, and still is from what I gather, being DDoSed. The thing is that the log files show the traffic coming from non-existent websites, which are actually death threats to him. One example is “http://lastwarning-shutdown-yourblog-or-die-withyourparklogic.com”. This does seem to be very much like old school mafia behaviour, which lends great credence to this new idea.

So, although it may not be, IMHO, the best way to go about it, it is not without its merits. As this develops further, it may even become an excellent law. Until then, all we can do is wait and see.

Sunday, 11 September 2011

(Distributed) Denial of Service attacks, intentional or otherwise.

So, I have been away for a bit and thus the lack of posting. So to make that up, there will be two posts today and at least one more this week. Right, let's get into it, shall we? Today's topic is (Distributed) Denial of Service attacks and how they can be inadvertently caused. So, first off, what exactly is a Denial of Service (DoS) and indeed a Distributed Denial of Service (DDoS) attack?

A Denial of Service (DoS) attack involves sending an excessive amount of data/requests/pings to a server with the aim of overloading the server so that legitimate users cannot access it. Imagine the following scenario: there is an office with an information counter. Normally, people would walk up to the counter, get the information they need and then leave. After this the next person does the same and so on and so forth. A DoS would essentially be one person standing at the counter and asking so many questions that nobody else can get up to the counter.

A Distributed DoS (DDoS) is the same thing, except with one minor difference. In a standard DoS, there is only one attacker and one attacking system. In a DDoS, there may still be one attacker, but there are several systems that are involved in the attack. For all intents and purposes, DoS attacks really only exist in textbooks, so we will only consider DDoS attacks.

So, now that we know what DDoS attacks are, let's look at how they happen. The normal scenario is that our attacker(s) pick a target and then bombard them with requests. At a technical level, there are several ways to do this intelligently, but the simplest is just overwhelming the server with requests. I would rather not get into the details, because to be quite honest, I find them inane and boring. So, let's just say there are many ways of doing it.

Now, if you recall, I did say we were going to discuss how one may inadvertently perform a DDoS. First off, we need to realise that different websites require different levels of hardware. Right at the top you have the likes of Google, who require server farms of sizes that are difficult to fathom. Then you go down to the bottom, where you have tiny websites that get a couple of hits a week, which probably run on a single machine. Obviously, the smaller the server, the easier it is to DDoS. Now, the unintentional DDoS attacks happen to these smaller sites. How, you ask? Well, simple: they get very popular, very fast.

There are a few ways you can achieve this. Firstly, start off with a small website that then becomes popular. Then when you post new content, the number of people accessing your site goes through the roof and your site becomes temporarily unavailable. Don't think this is possible? I refer you to a delightful webcomic (in a manner of speaking) The Oatmeal, run by Matthew Inman. He even says something about it on his Facebook page. He does somewhat DDoS himself, by being awesome!

Another way is best explained by using Stephen Fry as an example. Stephen had built up quite a fan base as an entertainer and television personality over the years, so when he ended up on Twitter, well, naturally he had a smattering of followers (myself included). He is quite an avid user and apart from the usual tweets of his current activities (and of course his tweets for charity), he does tweet links to amusing content from time to time. The moment that tweet hits the net, there are thousands of people clicking that link, and well, it has caused more than one site to go down.

As we can see, in both cases neither party had any malicious intent towards the sites that they inadvertently DDoS'ed, but it did happen. The unfortunate part of this is that there is no way to defend against it. Well, there is no practical way to defend against it. Of course, everybody could use industrial size server farms, but that is not really practical. There may be some sort of gains made if everything was hosted in the cloud, but I'm not sure how feasible that is.

Sunday, 14 August 2011

Black Hat and the constant accompanying headlines!

So, recently there was the Black Hat conference in Vegas. For those of you who are less informed, this is basically a large gathering of security researchers presenting their latest findings. And by findings I mean what they have recently broken. Most people dub this a "hacker" conference, which is not too unreasonable, but I have one issue with it: the media coverage of it.

The only reason the term "hacker" is used is to sound sexy to the media. They hear that word and they are doing backflips through rings of fire to get the story. And as we are aware, the media doesn't always get it right when reporting computer security related issues. Black Hat presentations are geared to getting the media attention and causing a bit of a frenzy.

A prime example of that is Don Bailey's presentation, which was entitled "War Texting: Identifying and Interacting with Devices on the Telephone Network". It does raise some valid points about connectivity of critical devices (details in another post), but it was also well marketed. He showed that he could unlock cars just by sending a few text messages. When normal people hear something like "vulnerability in FPGA-based control systems" or something similar, they do not really know what it means.


Say "I can unlock your car with my phone" and they are scared. Don did say (quote in this article) "I could care less if I could unlock a car door. It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat." Which is basically my grievance. As security researchers, we have to sexy up our ideas and then present them to the general populace. Which in turn leads to what I would deem to be an inconvenience.

If you want media attention, then you research topics that you can sell with a little bit of FUD. Which does restrict your scope quite a lot. This then has a further effect: people view security researchers as only doing this kind of research. This leaves the more theoretical people, like myself, out in the cold, so to speak. Which may or may not be a bad thing, I am not really sure, but I am very sure that it does grind my gears a smidge.

Sunday, 12 June 2011

Quick post on how I may be kind of wrong.

If you know me at all, you will know that I have strong opinions on some things. If you don't know me, you now know that I have strong opinions on certain things. Now that everybody is caught up, let's all sit back and enjoy me being wrong-ish. I had a post earlier, which really is based on the fact that access to the Internet is a privilege that some people abuse. Well, now the United Nations has declared it a human right. My argument falls flat on its face. I'm a big boy and I am willing to admit that, in light of this, those arguments no longer hold water. Things change, people's ideas are made to be wrong, that's life.

Also, just a minor side-note: read this article!

Monday, 6 June 2011

Cyberwarfare Part 2 (No more lazy me, for now)

Alrighty then, we had a basic intro to cyberwar in my previous post. In between then and now, the clever chaps at the SIS, commonly incorrectly referred to as MI6, told us about this little gem. This has to be one of the funniest things in existence... EVER!!! But minor state-sponsored hacktivism aside, back to the crux of the matter: the issues arising from cyberwar.

One of the main problems is that you may not even know that you were attacked. If somebody blows up a building the sound, and the lack of building, would alert you pretty quickly to the fact that there was an attack. The attacker may have installed some malicious software on your system or copied some data and you would be none the wiser. Yes, there are ways to detect this, but it is very possible that you wouldn't even notice.

Not only is it the lack of physical evidence, but also the time scale. Normal wars tend to take a long time. If you don't notice you are at war, well then you have bigger problems than the army barrelling down your front driveway. A cyberwar or cyber attack can be executed and completed within a matter of hours, if not minutes. It is really that fast. Yes, there is a lot of prep time required, but this is analogous to training your army, building your tanks etc.

Then there is the last (I promise, well for now) issue arising in cyberwar: non-interactivity. To put a touch of a cryptographic twist on the whole matter, war is an interactive protocol. Sure, if you surprise the enemy they won't know they are at war right away, but they will pick up pretty quickly and then return in kind. The thing with cyberwar is that not only is the decision to go to war unilateral, but in some sense so is the war. One party decides to attack another party and does so. The other may or may not discover this and may or may not respond in kind. But again, the whole thing is done very non-interactively (despite what pop culture (couldn't find anything for that, sorry) and video games may tell you).

So, to sum up: cyberwar is confusing, unclear, hard to track, pinpoint and blame the perpetrators of, and is inherently non-interactive. And if that wasn't bad enough, the actual definition of cyberwar is pretty fuzzy and very much up in the air right now. Most likely I may revert back to lazy me. Unless something cool happens.

Friday, 3 June 2011

Cyberwarfare Part 1 (A post I have been procrastinating on)

Well, this post has been in the works for a couple of weeks now. I have been procrastinating on an epic level about finishing this off. However, the universe decided to give me a kick in the backside in the form of these related recent articles (all links to separate slashdot stories)

So, in recent times, there has been a lot of talk of digital warfare, internet wars, cyberwar and so forth. The most recent being the aforementioned. The general idea behind them is all the same, we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?

So let's start from the start, shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is Cyberwarfare?

Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.

Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why is this possible?"

Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. This is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how to download a program and run it.

Here the "army" is recruited by word of mouth and, because there is no physical danger in participating in this attack, far more people join in. However, we do run into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?

The answer to the question is ill-defined at best. A prime example would be the recent attack on the Playstation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out to be a "faction" (for lack of a better word) of Anonymous. So here we see no chain of command, and the leaders of the group had no idea what the other members were up to.

And therein lie the first complications of cyberwar. First off, we have the ability to engage in cyberwar. Conventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get an IP address (or addresses) for the attacking platform(s), which may just be under the control of the attacker rather than owned by them (again, to be covered in more detail in another post) and thus may not yield anything useful.

Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).

Friday, 1 April 2011

More irony

So, after this post went up this story surfaced pretty soon. I never got round to writing about it, because I have just moved from my old flat to a new one. So, I've been kinda preoccupied. There really isn't more to say about this than how ironic it is. I may be tempted to do a post on Cross-Site Scripting soon, but we'll see how that goes.

Sunday, 27 March 2011

Location, Location, Location! What you don't know that they know!

Alrighty then folks, I have been away for about a month. Between my holiday, work and trying to write another post which I hope to publish some time soon, you have seen zero in terms of output from me. This is me correcting that. So, as I was browsing through the magical interwebz, I happened upon this article. This set off all kinds of crazy alarm bells in my mind. So, let's look at this issue in a bit more detail.

Historically, your mobile provider has always known where you are to some extent. With GSM (I believe there is a difference with CDMA, but I am not too familiar with it, so I will skip it) the network knows which base station is nearest to you. With this information, they know that you are in a certain area. The reason they need to know this is so that when you make a phone call, they know which base station to forward the authentication information to.

One little point to make here is that one can tell approximately how far you are from a base station based on signal strength. If you can find out the distance from several base stations, you can use a method called multilateration to calculate a more accurate location. The more distances you know, the more accurate the location is. This is how location-based services, such as Google Maps, work on a handset with no GPS.
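To make the multilateration step concrete, here is an added example (not from the original post) that estimates a distance from signal strength with a log-distance path-loss model and then solves for a position from three or more base stations by least squares. The station coordinates, the reference power at 1 m and the path-loss exponent are all constructed assumptions for illustration.

```python
"""Locating a handset from base-station distances (added example, not
from the original post).  Stations are at known (x, y) positions on a
flat local grid in metres; distances are either measured directly or
estimated from signal strength with a log-distance path-loss model."""
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]


def distance_from_rssi(rssi_dbm: float, power_at_1m_dbm: float = -40.0,
                       path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss model: RSSI(d) = P(1 m) - 10 n log10(d).

    Inverted to give d in metres.  The reference power and the exponent n
    are assumed calibration values for this example, not real network data.
    """
    return 10 ** ((power_at_1m_dbm - rssi_dbm) / (10 * path_loss_exponent))


def _solve_2x2(m: Sequence[Sequence[float]], v: Sequence[float]) -> Point:
    """Solve the 2x2 linear system m @ x = v by Cramer's rule."""
    (a, b), (c, d) = m
    det = a * d - b * c
    if abs(det) < 1e-9:
        raise ValueError("stations are collinear; position is ambiguous")
    return ((v[0] * d - b * v[1]) / det, (a * v[1] - v[0] * c) / det)


def multilaterate(stations: Sequence[Point],
                  distances: Sequence[float]) -> Point:
    """Least-squares position from >= 3 stations and their distances.

    Each station i gives a circle (x - xi)^2 + (y - yi)^2 = ri^2.
    Subtracting the first station's circle from every other one cancels
    the x^2 and y^2 terms, leaving one linear equation per station:
        2(xi - x0) x + 2(yi - y0) y = r0^2 - ri^2 + xi^2 - x0^2 + yi^2 - y0^2
    We solve the resulting A x = b via the normal equations (A^T A) x = A^T b,
    so extra stations simply average out measurement noise.
    """
    if len(stations) != len(distances):
        raise ValueError("one distance per station required")
    if len(stations) < 3:
        raise ValueError("at least three stations are needed in 2D")
    (x0, y0), r0 = stations[0], distances[0]
    ata = [[0.0, 0.0], [0.0, 0.0]]
    atb = [0.0, 0.0]
    for (xi, yi), ri in zip(stations[1:], distances[1:]):
        a1, a2 = 2 * (xi - x0), 2 * (yi - y0)
        b = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        # Accumulate A^T A and A^T b row by row.
        ata[0][0] += a1 * a1
        ata[0][1] += a1 * a2
        ata[1][0] += a2 * a1
        ata[1][1] += a2 * a2
        atb[0] += a1 * b
        atb[1] += a2 * b
    return _solve_2x2(ata, atb)


def locate_from_rssi(stations: Sequence[Point],
                     rssis: Sequence[float], **model: float) -> Point:
    """Convert each RSSI reading to a distance, then multilaterate."""
    return multilaterate(stations,
                         [distance_from_rssi(r, **model) for r in rssis])


# Constructed scenario: four stations on a 1 km square and a handset at
# (300, 400).  The RSSI values are derived from the true distances with
# the same (assumed) model, so the position should be recovered exactly.
STATIONS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]
TRUE_POSITION = (300.0, 400.0)


def demo() -> Point:
    rssis = [-40.0 - 20 * math.log10(math.dist(TRUE_POSITION, s))
             for s in STATIONS]
    return locate_from_rssi(STATIONS, rssis)


if __name__ == "__main__":
    print("estimated position:", demo())
```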

Now, it would be very, very, very easy for a service provider to obtain the location of any customer and store it, but it may be ILLEGAL!!! Under the European Data Protection Directive (and analogous legislation in other countries) no company may collect any personal data about you without your explicit consent. Now we need to clear up two points (in the simplest case):
1) Is your location personal data?
2) Did the company have your consent?

So, let's start with point 1. The definition of personal data is as follows in Article 1 Clause 2 Sub-Clause a:

'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

I think we can safely say that a person's location and their movements would definitely qualify. So that's one point out of the way.
Next, we need to know if this information was collected legally. I'm going to go out on a limb and say probably. Most companies have you agree to a Terms of Service, which nobody ever reads. This is because it tends to be dozens of pages written in legal parlance. It's enough to make any sane non-lawyer cry tears of sheer anguish. We all sign our consent to it having read the summary and hope we haven't signed away one of our kidneys.

In this case, it's not really the end of the world if our cellphone provider knows where we are. The problem arises when they decide to share that data. The Terms of Service may say that they can share this information with certain 3rd parties for any reason. This means that marketing companies could potentially track your every move and learn a lot about your preferences. This could be a problem.

This is an example of why privacy experts complain bitterly about the loss of privacy in the digital age. And they have every right to: with things like this, less and less information is staying private. However, their constant and sometimes annoyingly repetitive rants tend to fall on deaf ears. Unfortunately, some people release this information themselves using applications such as Foursquare. It's a classic case of leading a horse to water and the horse drowning itself.

Despite this, people such as Malte Spitz (link is in German) still have concerns about the privacy of their data. I would not recommend that anybody try to get their hands on the location data held about them, as it would probably not go down well. According to the article it took 6 months of legal wrangling for Herr Spitz to get this data. It would take at least as long for you.

Now to sum up I would say "Big Brother is watching you!" but that is trite and cliché. And frankly a tad more alarmist than I would like to be at dark-and-scary-o'clock in the morning. So, I will go with the slightly milder "Be careful what you share on the Internet!"

Sunday, 13 February 2011

Passwords/phrases and client side storage

So, after we discussed this, we now move onto the promised post on where and how you should be storing your passwords. But before we get into that, we need to define the importance of passwords and password strength. But first we need to discuss the term password, mainly the "word" part. People think, quite intuitively, that a password should be a single word, which is not the best idea. I prefer the term passphrase, implying multiple words and/or numbers and/or symbols. I will use the term passphrase from now on. With that out of the way, I think the next logical step is to discuss password strength.

Password strength is defined by 3 characteristics. The simplest is length, which is fairly obvious. The longer the password, the harder it is to guess. I recently stumbled onto these figures, but take them with a grain of salt. They do not specify what kind of hardware was used to produce these figures, so it's all a bit iffy. Next is complexity, which is illustrated in the aforementioned figures (but just the general trend; the actual figures are still questionable). Simply put, if you have more complex passwords, with a combination of lower case, upper case, numbers and symbols, you increase the search space hugely. The third is memorability. There is no point in having "ASddeu43548&^&^ßß" as your password, because you will never remember it. A good password should be easily recalled. The higher each of these characteristics is, the stronger the password.

Now we move on to the classification of passwords. People have varying opinions on what the exact classifications are, but I use a 4-tier system, detailed below. For each tier we define the suggested password strength with respect to the 3 characteristics using the terms High (H), Medium (M), Low (L). We express these as a 3-tuple of the form {Length, Complexity, Memorability}, e.g. high length, medium to high complexity and low memorability is written as {H,M-H,L}.

TIER I: The big guns; these are passwords for your financial accounts. Online banking, online shopping, or any account which has your financial details, PIN numbers for your ATM/debit/credit cards. These must be very memorable, hard to guess and very strong. You lose one of these, you will lose all your money.
Strength: {H,H,H}

TIER II: These are next in line in terms of importance: Login credentials. This is your school/university/office login name and password. This is how you login to systems at work (wlog) either when you are on the premises or remotely. If you lose these, then you can kiss your professional life goodbye.
Strength: {H,M-H,H}

TIER III: The mid-level, identity-theft-type passwords: email and social networking. So your Facebook, HI5, LinkedIn, MySpace, GMail, Y!Mail, Hotmail, thismail, thatmail, and so on and so forth. Depending on how many e-mail addresses you have and what kind of emails you receive on them, the effects of the loss vary. If you lose your primary account's password, then the likelihood of identity theft is significant.
Strength: {M-H,M-H,M}

TIER IV: The throwaways. This is all the stuff you couldn't care less about. Logins for sites that you created just so that you could read certain articles, for example. These do carry some risk, but a very small one. This depends on several factors, which we will get into in a moment.
Strength: {M,M,L-M}

Now, we need to lay down some ground rules. No passwords should be shared across tiers. This is based on the principle of least privilege. Secondly, passwords from one tier are never stored with passwords from a lower tier. Thirdly, reusability limits: Tier 1 passwords should be unique, Tier 2 & 3 passwords should be reused sparsely, Tier 4 passwords can be reused infinitely. Finally, each tier's passwords should be of similar strengths, as explained above. These rules, and the system in general, are a guideline which I try to follow, but there are grey areas. When in doubt, go for the safest option.
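As an added example (not from the original post), here is an audit script that applies the tier rules above to a constructed set of accounts: it rates length and complexity for each password, checks them against the lower bound of the tier's strength tuple, and flags any password shared across tiers or reused at tier 1. Memorability cannot be measured by a program, so it is left out; the H/M/L thresholds are this example's assumptions.

```python
"""Password tier audit (added example, not from the original post).
Checks a constructed account list against the post's ground rules:
no password shared across tiers, tier 1 passwords unique, and each
tier's passwords meeting the tier's minimum length and complexity.
Memorability is a human property and is not rated here."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Account(NamedTuple):
    name: str
    tier: int        # 1 = financial, 2 = work login, 3 = email/social, 4 = throwaway
    password: str


def length_class(pw: str) -> str:
    """Rate length as H/M/L.  Thresholds are this example's assumption."""
    n = len(pw)
    return "H" if n >= 16 else "M" if n >= 10 else "L"


def _charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33          # printable ASCII punctuation and space
    return size


def complexity_class(pw: str) -> str:
    """Rate complexity by how many of the four character classes are mixed."""
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit,
                                 lambda c: not c.isalnum())
                  if any(test(c) for c in pw))
    return "H" if classes >= 4 else "M" if classes >= 2 else "L"


def search_space(pw: str) -> int:
    """Brute-force search space for a password of this length and alphabet."""
    return _charset_size(pw) ** len(pw)


# Minimum {Length, Complexity} per tier: the lower end of each range in the
# post's tuples ({H,H,H}, {H,M-H,H}, {M-H,M-H,M}, {M,M,L-M}), memorability omitted.
MINIMUM: Dict[int, tuple] = {1: ("H", "H"), 2: ("H", "M"), 3: ("M", "M"), 4: ("M", "M")}
RANK = {"L": 0, "M": 1, "H": 2}


def audit(accounts: List[Account]) -> List[str]:
    """Return one human-readable finding per rule violation."""
    findings: List[str] = []
    by_password: Dict[str, List[Account]] = defaultdict(list)
    for a in accounts:
        by_password[a.password].append(a)
        min_len, min_cx = MINIMUM[a.tier]
        if RANK[length_class(a.password)] < RANK[min_len]:
            findings.append(f"{a.name}: tier {a.tier} password is too short")
        if RANK[complexity_class(a.password)] < RANK[min_cx]:
            findings.append(f"{a.name}: tier {a.tier} password is not complex enough")
    for accs in by_password.values():
        tiers = sorted({a.tier for a in accs})
        names = ", ".join(sorted(a.name for a in accs))
        if len(tiers) > 1:                 # rule 1: never share across tiers
            findings.append(f"password shared across tiers {tiers}: {names}")
        if 1 in tiers and len(accs) > 1:   # rule 3: tier 1 passwords are unique
            findings.append(f"tier 1 password reused: {names}")
    return findings


# Constructed sample data; the passwords are made up for this example.
CONSTRUCTED_ACCOUNTS = [
    Account("bank", 1, "Kx9#mVp2$Lq7!wRz"),
    Account("shop", 1, "Kx9#mVp2$Lq7!wRz"),      # reuses the tier 1 password
    Account("work", 2, "correct-horse-battery"),
    Account("facebook", 3, "Summer2011"),
    Account("forum", 4, "Summer2011"),            # shared between tiers 3 and 4
    Account("blog", 4, "password"),               # too short and too simple
]

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_ACCOUNTS):
        print(finding)
```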

Now that we know how to classify our passwords, we now move onto storage of said passphrases. For tier 1 passwords, we need highly secure storage, i.e. a password locker. These are programs that will store all your passwords for you in an encrypted form. To decrypt these, you need a master passphrase, which you define when you set up the locker. This passphrase can be thought of as a tier 0 passphrase, with a mild abuse of notation. This master passphrase has to live in your head and must be of high length, complexity and memorability.

Next we go onto tier 2. These can be stored in programs, but need to be encrypted or locked with another master passphrase. As a rule these should not be stored with the tier 1 passwords, but that rule tends to be broken for practicality's sake. It is quite annoying having multiple password lockers and it wouldn't be the worst thing if your most important passwords were kept together. If we do have a second password locker, we should treat its master passphrase as a tier 1 password.

Now for tier 3, you can save them in your browser, BUT they must be encrypted with a master passphrase under all circumstances. Also you should avoid storing the session in a cookie, which is what checking the "Remember me" check box does. This is a big no-no. It's convenient, but it's not really secure. Alternatively you could have a third password locker and store them there, encrypted with a tier 2 passphrase (I'm sure you can see the general trend here). If you have your tier 1 and 2 passphrases in a single locker, then this would be a second locker.

And now, tier 4. We all have a billion passwords for a billion sites that we use once a month or even less frequently. Theoretically, you could create a new password for each, but you will never be able to remember them all. These you can have your browser remember for you. This way you can have a unique arbitrary password for every single account. There is no real need for master passphrase encryption, but it is recommended. As you may have guessed, this master passphrase would be a tier 3 passphrase.

These rules are quite rigid, but they are designed from a security point of view rather than a usability point of view. What is an acceptable loss of usability is very much a personal preference and that is up to you. You are welcome to bend and even break some of the rules to make life easier for yourself. But remember, you sacrifice security for usability, and only you can strike the right balance for yourself. (I avoided saying "you have the power" because it sounds really cheesy.) And so, there you have my guidelines for password storage. If in any way this makes the web just that much more secure, then I will have done my job.

Tuesday, 8 February 2011

Computer Security Experts; The Doctors of the Digital Age?

So, there's a lot going on and I really need time to compose my thoughts. And by that time, more will have happened. Loop infinitely. But until the end of time or death, whichever comes first, I will try and keep up. While I do that, I have a not so significant post on a random train of thought from my brain.

So, this idea struck me while watching an episode of House MD. If you are not familiar with it, I will give you the overview: Dr. Gregory House is a genius and an ass of the highest order. He diagnoses and cures patients with conditions that have baffled and/or escaped other physicians. They use a method known as "differential diagnosis" (DDx), which is basically saying "the patient has the following symptoms, therefore they must have the following condition." While watching one of these, I realised that there is only one kind of human body. Yes, there are differences from person to person, such as eye colour, height, weight, allergies, etc., but the basic abstract framework, if you will, is the same. Arguably there are two, one for each gender, but there really aren't more than that.

Then I wondered if any parallels could be drawn between computer security and medicine. Here's where I drew a blank. There were some superficial comparisons, but those were a stretch of the imagination at best. It dawned on me that the level of complexity in the systems we deal with is so high that the human body looks like a wind-up toy in comparison. In no way do I mean to trivialise medicine, which is a very complex field in its own right, but all that complexity is constrained to at most two basic frameworks. In computer science in general, there is a near infinite number of potential frameworks.

Let's begin at the most basic level and just examine the hardware. Right there you have so many components to consider, and several of them with potential security issues. First off, the components have to be compatible. Next we need to ensure that none of these components, on their own or in combination, will cause a security threat. This is easier said than done, as components from different manufacturers can behave differently and have side-effects that others don't. At this point we have so many ways we can fail, and yet we only have a box that does nothing. Zilch! Without any software to run the hardware, you just have an expensive and oversized paperweight. Which takes us to the next point: software.

Even in software, we have two basic groups: operating systems (OSes) and application software. Well, first you need an OS to run your computer. There is a HUGE potential location for security holes here. Every OS available has security holes, every one of them. Yes, every single one, and that especially includes MacOS. I am sick and tired of Mac users sanctimoniously claiming that there are no viruses for Macs! This is often swiftly followed by a comment on how Macs are more secure than Windows. I have one word for that:
NONSENSE.
Seriously, every operating system has security issues. Some have more than others, some have more critical ones than others. Now another concern is which operating system are you using? Which version of it? Which patches and updates are installed? Is there any issue arising from the hardware/software combination? These are just some of the questions you have to ask. At this point we have a computer that can switch on and let you log on and not much more.

I know you must be thinking, "but when I installed my operating system it had all these programs installed already. I could play games, connect to the Internet, and so on." Yes, that is true, but the software that enabled you to do so was not part of your OS, generally speaking. It was bundled in and included with your installation media, but it is technically not part of the OS. Now we come on over to application programs. This is anything you install on your computer; no matter how small or large, it all matters.

The thing with most software is that it does a lot of stuff that you never see. Most of the time it's stuff you want it to do, but you really have no way of knowing. There are two scenarios here: where the software is doing what you asked, but as a side-effect has made you vulnerable to certain attacks, and where the software is deliberately making you vulnerable. In either case you are vulnerable. This is assuming just one program; it gets even more fun with multiple programs. Some applications connect to each other, such as your PDF reader and your web browser. Here it becomes really fun!

It may turn out that on their own the programs pose no threat, but when combined they are potentially lethal. A sort of reverse of table salt, whose components are lethal but whose combination is not. I think you can see where this is leading. If your head is spinning trying to imagine the countless possibilities of interaction between programs on your computer and/or that you know of, well then my job is done.

Now, I would like to point out that the same applies for smart phones. Have fun running over that one. Then consider when you connect your smart phone to your computer. This whole path leads you to a really messed up place where you are building a house of cards, using cards of different shapes and sizes. It's almost like you want it to fall down, just so you can stop building.

But enough gloom and doom, silver lining time. Here you go! Seriously, although there are a plethora of threats to your computer and its safety, if you are smart and keep your wits about you, then you should be fine.

Sunday, 6 February 2011

IPv4 and 6

Right, last post for today, making it a record 3 in a day. I have a couple of other topics to post on, but seeing as how it's 2am, I'm going with the easy one. So what is IPv4? Glad you asked!

If you are reading this, you are connected to the Internet. But you may never have given any thought to how this is possible. You may know that you plug the LAN cable from the router into your Ethernet port or connect to your wireless network, but what really goes on?

The Internet (capital 'I') came out of the concept of internets (small 'i'), which is a network of networks. So how do you know who is who and who is on which network? Simple: assign them all a unique identifier. Then the question arises as to how you do that, because we now have the problem that everybody needs to understand how these identifiers work, so we need a common language, if you will.

And thus was born the Internet Protocol version 4, aka IPv4. Defined in RFC 791, the Internet Protocol is how all devices connected to the Internet identify each other and communicate to each other. So, what's the problem?

IPv4 addresses are 32-bit addresses broken into four 8-bit groups called octets. Now this means there is a finite number of these addresses, approximately 4 billion, which we are now out of. Certain ranges of addresses are reserved for specific purposes, but that is just a small portion. As of February 3rd, all IPv4 addresses had been assigned by the Internet Assigned Numbers Authority (IANA) to the Regional Internet Registries (RIRs), when IANA handed out the last 5 remaining /8 blocks (a /8 block is the set of addresses with the first octet fixed).

This is a real problem, as at some point new devices will not be able to connect to the Internet. There does exist a solution: IPv6, as defined in RFC 2460 & RFC 2373. Version 6 addresses are 128 bits, broken into eight 16-bit groups (hextets), as compared to the 32-bit version 4 addresses. This gives us a hugely greater number of addresses and would solve the problem of address exhaustion. Well, there is a small catch.
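To show the octet and hextet layout discussed above, here is an added example (not from the original post) that parses both address formats by hand, reports which /8 block an IPv4 address falls in, and compares the two address-space sizes. The sample addresses are constructed for illustration.

```python
"""IPv4 and IPv6 address structure (added example, not from the original
post).  Hand-rolled parsers that expose the four 8-bit octets of an IPv4
address and the eight 16-bit hextets of an IPv6 address, plus the /8
block notion and the size of each address space."""
import re
from typing import List

IPV4_BITS = 32
IPV6_BITS = 128
IPV4_SPACE = 2 ** IPV4_BITS     # about 4.29 billion addresses
IPV6_SPACE = 2 ** IPV6_BITS     # about 3.4e38 addresses


def parse_ipv4(addr: str) -> List[int]:
    """Split a dotted-quad string into its four octets (0-255 each)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"IPv4 address needs exactly 4 octets: {addr!r}")
    octets = []
    for p in parts:
        # Digits only, no leading zeros (ambiguous in some tools), max 255.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        octets.append(int(p))
    return octets


def slash8_block(addr: str) -> str:
    """The /8 block an IPv4 address belongs to: first octet fixed, rest free."""
    return f"{parse_ipv4(addr)[0]}.0.0.0/8"


def parse_ipv6(addr: str) -> List[int]:
    """Expand an IPv6 string (with optional '::' compression) into eight
    16-bit hextets, following the textual rules of RFC 2373 section 2.2."""
    if addr.count("::") > 1:
        raise ValueError(f"only one '::' is allowed: {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one hextet: {addr!r}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"IPv6 address needs exactly 8 hextets: {addr!r}")
    hextets = []
    for p in parts:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", p):
            raise ValueError(f"bad hextet {p!r} in {addr!r}")
        hextets.append(int(p, 16))
    return hextets


def groups_to_int(groups: List[int], bits_per_group: int) -> int:
    """Pack octets (8 bits each) or hextets (16 bits each) into one integer."""
    value = 0
    for g in groups:
        value = (value << bits_per_group) | g
    return value


def is_valid(addr: str, version: int) -> bool:
    """True if the string parses as an address of the given IP version."""
    try:
        parse_ipv4(addr) if version == 4 else parse_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    v4 = "192.0.2.1"
    v6 = "2001:db8::1"
    print(v4, "->", parse_ipv4(v4), "in block", slash8_block(v4))
    print(v6, "->", [f"{h:04x}" for h in parse_ipv6(v6)])
    print("IPv6 space is 2^%d times the IPv4 space" % (IPV6_BITS - IPV4_BITS))
```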

Despite IPv4 essentially having been exhausted, IPv6 is still not fully implemented. So we are currently in a weird transition period where things are a bit muddled. Almost everybody has implemented support for both IPv4 and IPv6, but there is no strict adherence to IPv6.

My issue with this is that the existence of a parallel legacy system has almost always created some kind of security threat that the new system cannot deal with. To my knowledge, there is no such security loophole in IP, yet. I'm sure somebody, somewhere will find something and start exploiting it. It may not be a big hole, but it will probably be there. I would truly be happy to be proven wrong, and hopefully we will transition over to IPv6 without incident.

On that note, that is all from me today. I will try and get as many of the latest stories, but they seem to be cropping up faster than I can handle.

*******EDIT*********
So, I may have said I will be catching up on stuff, which I totally am! But, also this came to my attention.

Thursday, 20 January 2011

I've had about enough of Wikileaks

Well, I've been off silently fuming every time I hear the name "Wikileaks," which is why I haven't posted anything recently. But as promised in my previous post, this post will cover the blame part of the whole Wikileaks issue. (However, as this topic continues to annoy it will not be as lengthy as promised.)

So, here we go. The scenario is simple: Person X (I use an anonymous name as I have no idea who actually did the leaking, but there are some suspects) had access to the US diplomatic cables. I think it's a safe assumption that X had some sort of clearance and/or was told not to share these cables with any unauthorised person(s). Another safe assumption would be that unauthorised persons includes me, possibly you and of course Wikileaks. Despite this, X decided to give the cables to Wikileaks.

We can see that this is obviously wrong, as in you-will-go-to-jail wrong. Blatantly illegal. Now the exact legality depends on a few factors, such as whether they had access to all the cables or only some, whether it was one person or many, the post the person holds, whether the cables were classified, and so on. Knowing none of these, we cannot say much more, and that is where I will leave it.

Moving on to Wikileaks, the law becomes a bit more grey. There are several issues involved here, the greatest of which is what jurisdiction Wikileaks falls under. Which nation state's laws apply to them? This is quite a complex issue and still needs some resolving and legal catch-up. Countries tend to be very cooperative on certain matters pertaining to the Internet, but there is still no really good legal framework. I still maintain that they are giving away stolen data, so intuitively that is wrong. See the previous post for the whole whistle blowing or not issue.

They are now back in the news concerning the release of certain records from Julius Bär, or Julius Baer Group. These records were leaked by former employee Rudolf Elmer. Elmer has since been detained and is being extradited to Switzerland to stand trial. Wikileaks has yet to publish the records, so we shall wait until they do so.

And on that note, I will leave this whole mess. I may or may not post something about any further revelations by Wikileaks. It all depends on how I feel about it at the time.

Sunday, 12 December 2010

Wikileaks

So, I've been away for a while. Between having minimal to no Internet and having no electricity, I have been less than connected to the Internet. That and I am fairly lazy, but still TIA. Now on to business.

I'm sure you have all heard of Wikileaks, the purported whistle blower website. It provides people with anonymous "drop boxes", where they can submit documents detailing any wrongdoing. The site then goes on to state "our accredited journalists assess the submission. If it meets the criteria, our journalists then write or produce a news piece based on the document." It goes on further to describe ways of ensuring your anonymity when sending it via post and so forth. In theory this has provided whistle blowers with a way to expose wrongdoings. In theory.

I say purported as I do not believe it is a whistle blower site. Firstly, let us examine the concept of whistle blowing. It derives from the practice of policemen blowing a whistle to alert people around them to the commission of a crime. It refers to a person who highlights something wrong that is happening, most often in an organisation. Now, when I say wrong I mean illegal, but some people consider it to include immoral wrongdoings. So the site first came to prominence when it published the Iraq/Afghanistan War Diaries. These gave details of operations and on-the-ground realities of the wars. They did bring to light some, for lack of a better term, disconcerting revelations. These could be considered whistle blowing, but there are many grey areas, which we overlook for the sake of argument and say this is valid whistle blowing. That, my friends, is where it all ends.

The next major publication was swiftly dubbed Cablegate (hate that name, cf. this post for the explanation). This was the leak of several secret diplomatic cables between Washington DC and diplomatic missions in several countries. Here's where we go from the legally ambiguous to the outright illegal, and the legitimacy of these leaks as whistle blowing is more than a little questionable.

To explain, let us detail the job of a diplomatic mission to another country. Most of us are familiar with the consular services, that is issuing visas, passports, etc., but that is only their public-facing role. Diplomatic envoys are representatives of their sovereign government in a, presumably, friendly nation. It is their duty to not only represent their country, but also provide their country with information about the people, mainly politicians, of that country. As part of this duty, they send back profiles, if you will, on politicians to their government. These are sent in cables, which are private communications.

Notice the emphasis on private. Not only are these communiques private, but some of them are even classified. Granted, they may not be highly classified, but classified all the same. Only a limited number of people have access to these cables and presumably such access comes with a "do not tell anybody about this" clause. This is where the illegality comes in.

Whomsoever gave these cables to Wikileaks is guilty of a few crimes, depending which way you spin it. These range from the banal (mail fraud) to my personal favourite (espionage). It's not even debatable whether what these people did is wrong; it just is. Most of these cables do not expose any sort of wrongdoing at all.

As stated before, diplomatic envoys report on local politicians. Although I would like to believe that these people are trained for and/or good at judging people, most of what they report is still personal opinion and conjecture. It is just inherent in this type of data. This is essentially office gossip at an international level. I'm pretty sure that someone somewhere has called their new Head of PR a "mistake-prone control freak" (my personal favourite quote out of all of the cables) and that is considered to be normal. Hence, no wrongdoing and thus no whistle blowing.

Furthermore, some of the "data" sent in the cables is nothing more than well-crafted misinformation (this is completely ignoring the false cables that were released). Governments are aware that diplomats report back to their capital, as they have their own diplomats doing the same. So they may choose to feed a diplomat false information in the hope that their parent country will believe it and thus be manipulated into behaving a certain way. I will swiftly avoid any ethical or political debate by saying that all of that falls outside my purview.

Yes, I agree that there may be some cables whose leaking may have proved beneficial, but they are a minority. There is a saying in the security industry: "Even if you secure 99% of the system, you have still failed." The cables that potentially have a detrimental effect, though small in number, will have the greatest impact. Barring these, most of the cables' leakage and subsequent release lead to nothing more than embarrassment for the governments involved.

And thus we see that the recent Cablegate (*shudder*) was basically neither legal nor legitimate whistle blowing. Effectively, Wikileaks are just fences for stolen digital data. Now this leaves us with the question of where the blame/responsibility lies. For that, I will put up another post, as it is quite a lengthy matter. That and you are probably really bored of reading this by now.

***SIDENOTE***
Just found this. No real relevance, but it's funny!

Friday, 9 April 2010

The Digital Economy Act (it's not a Bill anymore, get your facts straight)

I will apologise straight that this post is disjointed, but I am slightly annoyed and really don't care at this point in time.

Right, I have had it up to here with people whining and complaining about the "draconian", "oppressive", "suppressive", "unrealistic" and "unreasonable" UK Digital Economy Act (full text of the Act available here). I have two words for you:

SHUT UP!

No really, STFU. As far as I'm concerned it's about time something was done. If you do not support the Act, you are welcome to skip to the last few paragraphs.

Basically as I said in my post about the Nobel Peace Prize Fiasco, the Internet quickly evolved into something that it was not intended to be. People have grown accustomed to it and assumed that it is their right to have free access to everything. Sadly, that's not how reality works.

The P2P programs of yesteryear, such as Napster, Kazaa, etc., are gone. These basically allowed users to share files with anybody on the Internet. In theory a good idea, but the problem was they were sharing illegal copies of music, movies, TV shows etc. Now that is blatantly illegal. There are no two ways about it, it's ILLEGAL.

ILLEGAL as in IT'S A CRIME as in 5 YEARS IN PRISON OR $100,000 FINE. Now I'm sure all of you have some music/movies/TV shows/whatever that you downloaded from the Internet. Well good for you, now STOP.

For too long people have just assumed that it is fine for you to download content from the Internet instead of paying for it. People think that it is their right. People think that the Internet is a place where no rules apply and they can get away with everything. Well guess what, it's NOT.

Fine we've had a good run till now, but the honeymoon period is over. The Internet needs to be regulated. It's not up for debate, it has to be done. Most of the problems caused by the Internet could be solved with simple regulation. As a security professional I welcome this Act, in the essence of it.

This is a fairly comfortable middle ground. Now all you naysayers out there, consider this: security experts (as in real experts) have said that no person should be allowed to connect a computer to the Internet without having due cause and having been ascertained to be capable of doing so in a secure manner. You would need to apply for some sort of Internet User Certificate, which would allow you to go online. Still think the DEA is "draconian"? Really, things could be worse.

Whether you like it or not, there needs to be regulation and oversight of the Internet. Until now, it has mostly been governed by mob rule and good faith. Well, we've just about run out of that and there's a new sheriff in town. You may not like it, you can complain about it till the horses come home, but he's not going anywhere. The sooner you accept it, the better.

Yes, lots of ISPs have opposed it and complained. In fact TalkTalk has said it will not comply with the provisions of the Act (cf. this article). Now, while most people may cheer this, they may soon find that TalkTalk will change its tone. If they do not comply they will be shut down. It's a statutory requirement. You don't have to like it, you just have to do it.

Now the actual text of the Act is not quite perfect. There was a large lack of technical expertise when creating the Bill, which shows in its text. And, yes, it was rushed through Parliament, but I watched part of the debates, and there were only a handful of MPs present. So anybody who complains it wasn't given enough debate, ask them where they were during the reading of the Bill.

It is not perfect legislation, nor is it ideal, but it's a start. As with most laws, it will be revised, revisited and amended, hopefully with more technical oversight. Of course, the interesting thing is that with a General Election less than a month away, any sort of debate/modification of this Act may be done under a new Government, but that remains to be seen.

Friday, 26 March 2010

More complaints about the iPhone (from other people this time)

As anybody who knows me will tell you right away, I abhor the iPhone (cf. my previous post). Now it has emerged that security professionals rank the iPhone as the "worst workplace risk." Essentially all "smartphones" are a risk in a secure environment, however some are more so than others. The iPhone came 1st with 57%, followed by the Android phones at 39%, BlackBerry at 28% and Nokia Symbian smartphones in last with 13%. (Please note these figures are straight from the article and I am not exactly sure how the

Apple's constant "bare-minimum" approach to security is what has landed them in this position. This philosophy of "just enough security to keep us afloat" is actually the worst idea ever. Throughout the relatively brief history of the field, information security professionals have realised one thing very quickly: the weakest get attacked the most.

It's simple: if your system is constantly being attacked, you should upgrade your security. This means, if you did it right, there is now somebody who is less secure than you are. No prizes for guessing who the most attacked person is. In theory, this cycle of the least secure being attacked and then upgrading should eventually push everybody up to a decent threshold level of security, and the world would be a better place. Of course, not everyone sees it that way, or they don't care.

As far as I am concerned, no mobile devices should be allowed to enter a secure environment. There is a plethora of possible security risks involved there (which I will cover in another post). As the article says at the end, some companies are discouraging or even banning iPhones in the workplace. It's a start, but I think that all smartphones should be discouraged or banned. Just in case people are thinking I don't like smartphones: I own a smartphone. Even so, they are still a security risk.