Information Security Thoughts - Allen Baranov

Google's Next Big Thing

noreply@blogger.com (Allen Baranov) — Tue, 22 Nov 2011 13:55:00 +0000

[A company owned by geeks - its obvious what is next: KITT]

I think, after spending quite a while putting all the information I have together and filling in the blanks what Google's next big aim is.

So, from what I can tell the original founding members of Google - Larry Page and Sergey Brin put this list together as things to do with their lives:

Create cool geeky technology
Create company to spread technology
Get rich, famous, powerful
Take over the world
Create a car as cool as KITT

I figure the above is any geek's list. It certainly would be my list. So, having completed points 1,2,3,4 already it is time to work on point 5.

So, sub-points for this are –

It must talk
It must take orders
It must drive itself
It must come when I talk to my watch
It must be bulletproof
Turboboost!

So, point 5 has been done so let’s see about the other points:

Point 1 and 2 are done by Android already but Apple has taken it to the next level. I guess Google will take it even further. Naturally you’d need an android device embedded into the car. Guess who owns android technology? Google. The first commercial car radio was made by Motorola Mobility – Google owns them. But watch Motorola Mobility for a talking “box” that can also listen, chat and take orders. (So, I’ll check off points 1 and 2...)

Point 3 has been done by Google – and is on the way to be legal in Nevada (thanks to Google). Check off point 3.

Finally… a smart watch – check. It needs to be able to talk to the car – check. It needs to be able to pinpoint your position – check. (Actually, not sure if these have GPS but it is not unreasonable to expect that they do or will have soon). It also needs to be able to relay orders again – check.

So, put all this technology together and you have the ability to call your car via your watch and ask it to come to you and it will – all by itself.

The technology is all done… it is just a matter of putting it together. Take the car and make it bulletproof. Put run-flat tyres on it. (And cool black paint. And a funky red LED on the front.)

Now all the Google guys have to do is perfect Turbo-boost. And get Hoff-worthy hairy chests.

I wonder if Google will go into making helicopters that can fly faster than sound…? Maybe that’s next on their list.

A great loss to the IT world. One of its great inventors dies.

noreply@blogger.com (Allen Baranov) — Mon, 24 Oct 2011 13:40:00 +0000

[Dennis Ritchie died at the age of 70.]

He was one of the most influential computer engineers ever. I could go into details as to what he did but lets look only at how his work contributed to Steve Jobs becoming a household name.

Ritchie created the C programming language and with Ken Thompson, Ritchie created the Unix Operating System.

With out Unix, Jobs would not have had a basis for his NeXT language which Apple bought bringing Jobs back into Apple and ultimately back into the CEO position.

Without Unix, Pixar would never have had Linux (derived from Unix) to do massive and cheap rendering. This means there would have been no Toy Story and all the movies that followed and no buy out from Disney.

Without Unix there would have been no base OS for iOS so no Operating System for the iMac, iPod, iPhone and iPad.

C on the other hand is the base of almost every modern programming language from C (itself) to C++ to perl to java etc etc. No Java means no apps for the idevices. It also means no cross platform applications like itunes and no way to get Office to be on both Windows and iOS without having to write the entire program to work on each. Even worse - if programs like Office were written in Assembly (as was the norm before C) then you would have to get a totally new copy of the software for every device even if you upgraded your PC from one processor to another.

To be fair if Ritchie had not created Unix or C, someone would have probably jumped in and created something similar. Or one of the languages and operating systems around in the 70s may have been more successful and changed the world we live in like Unix has but this isn't the case. Ritchie's contributions to the world have radically changed it and we will miss the inventor of these tools. It may be that Jobs was tasked with making some genious idevices up in Heaven and he called up the one guy he needed to help him more than anyone else. A heaven without Unix.... doesn't make sense.

Ps. on the other hand... Jobs's biggest competition Android would also not have been possible without Linux (based on Unix) and Java (based on C).

What are your rights regarding personal email? [Extra Bit]

noreply@blogger.com (Allen Baranov) — Wed, 27 Jul 2011 07:55:00 +0000

[Are Facebook Saints?]

Just adding an extra point to my recent Blog post.

The question I posed in my last post about email sharing was triggered by Facebook stating that it is wrong for a person to mass move private details such as email addresses and telephone number etc to a new service provider without the person knowing. It is an interesting (and perhaps valid) argument which covers up what they would rather say which is "please don't move your Facebook contacts to our competition and set up an ecosystem (there must be a better word) there."

The point is that Facebook, through its partnership with Skype is forcing its users to do just what it is telling them they should not do with Google Plus.

I haven't used the Skype functionality in Facebook as yet so I'm not sure exactly how it works but from what I've read, once you use it once to chat through voice or video to a contact, it creates them as a contact in Skype. Essentially, by you chatting to someone over Facebook Video, you are creating a link to someone in Skype where one didn't exist before.

This really is very similar to what Facebook is arguing you shouldn't do by using automated ways of exporting Facebook contacts to create contacts in Google Plus.

Facebook is a business so one shouldn't be surprised when they choose profit over strange ethics but then expecting their users to abide by these ethics is a bit hypocritical.

What are your rights regarding personal email?

noreply@blogger.com (Allen Baranov) — Thu, 07 Jul 2011 13:41:00 +0000

[I'm not talking legally...just ethically]

So, someone gives you their business card with all their details. Can you load it on Outlook to make it easier for you to contact them. Can you add them to you phonebook on your phone? What if your phone gets stolen? Can you give it to a colleague? What if the colleague has some work for the person? What if the colleague is an annoying git? Can you give it to a salesperson who is selling selling something you think the person would want? Can you give it to a salesperson just to get them off your back?

Taking things further... Facebook argues that you do not have the right to take your 'friend's details off their network and use it on another network. Obviously Facebook have a vested interest in you not being able to move information off their network and tying you down but do they have a point?

Of course, they've never had an issue before with apps sharing users' details and downloading friends' information.

But this is not to judge Facebook on their new awareness of privacy, it is to ask the question. Should someone be confident to move your personal information including you email address to any system that they want to? Or should they ask first? Or should they just not do it at all?

Discuss. :)

ITWeb Security Summit - Wrap Up [Part One]

noreply@blogger.com (Allen Baranov) — Fri, 20 May 2011 10:56:00 +0000

[Some good stuff from the conference]

I really wanted to write something longer but this will do for now. I just want to get something out there that is not a tag-cloud.

Stuxnet and Spy Wars
Patrick Gray from Risky Business Podcast and Tony Olivier both spoke about a world that we are only starting to understand now where Governments are playing with Information and changing the world with their own Malware and hidden online activities. Stuxnet, Anonymous, and HBGarry are all the catchwords that made each of these presentations fascinating. Richard Thieme continued and asked the big question - what side are you on? Tony urged the attendees to spread the word about what is happening as it is the Information Security community that is best equipped to understand what the implications are. Very interesting stuff.

Online Auctions
Glenn Wilkinson did some interesting research into how online auctions can be gamed. It was very interesting and well done to him. However, I think he missed out on an important point which I would like to take further. On my way home on the first day, my head was buzzing thinking about this talk and it hit me while I was battling some traffic along Sandton Drive - our corporate information is on the Internet and is up for Auction. "Cyber-criminals" have an amount that they are willing to spend to get our information. Information Security is really just one big auction of information. APT was a term that was thrown around loosely at the conference but I think that Glenn's talk is the only talk where it wasn't mentioned (even in jest) and yet his talk would have had the best definition of APT - it is where Information Security and Cyber-Crime are locked in a "war of attrition".

Fig Leaves and Haroon's Hammer
Haroon Meer is a great talker and I enjoyed his Lessig style presentation at the end of the conference. It was great that both of the closing talks both had calls to action which makes sense. I agree wholeheartedly with the problem that Haroon builds in his talk. The one question he asked which was along the lines of: Hands up all those here who are willing to put $1000 down on the table that they can protect their CEO's Information. No hands were raised. He then went through some excuses that InfoSec professionals use and rips them apart. His one quote "Your management is one 0-day from the worst day of their lives" was re-tweeted across the world and was the most popular quote from the conference. The next bit was more important though - "... and they don't know it and you (Information Security Professionals) have a duty to inform them". The bit of the presentation that I didn't agree with was the answer that Haroon provided. Haroon is a researcher so by the law of the instrument (or Maslow's Hammer) his answer is more research. I disagree. I believe that two things are necessary to get us out of where Haroon correctly paints us - 1. A fundamental change of the Internet and 2. a realisation that Information Security is rapidly becoming less and less about technology and more about Business. More technical research is also needed but I think that it is not everything we need.

Strange Trends and New Networks
My talk was very heavily based on Information I pulled off the Internet from Blogs. If you are passionate about anything at all then you should be looking for Blogs about that subject and Information Security is no exception - there are some amazing sources out there. The talk itself went off well and I had some very positive feedback from delegates as well as some comments which is always appreciated and allows the conversation to be taken further. I started off my talk by saying that if I had all the answers I wouldn't be doing Information Security because I'd be bored. Due to time constraints, I did skip some parts of my talk that I would like to pick up in my Blog so watch out for that soon.

And so...
Another amazing conference - one that was very worthwhile and I look forward to ITWeb Security Summit 2012.

Disclaimer - you may think that because I spoke at this conference, I am biased toward liking it. The opposite it true - because I am biased to liking it, I spoke at it.

ITWebSec Tag Cloud part 2

noreply@blogger.com (Allen Baranov) — Mon, 16 May 2011 08:48:00 +0000

This is an updated to the previous post. I have cleaned up the data a bit. Again I left out the words "HTTP", "ITWebSec" and "RT" as these added nothing to the cloud and common English words such as "The" and "And". Including these words, there are 2307 different words. The top names (chosen by "@" in front) are: @itwebsec, @haroonmeer, @MushiD, @mattdoterasmus, @abaranov and @DeepPurple77.

The biggest ReTweeted phrase (by far) was: '@itwebsec: "Management don't know what security knows; that we're one 0day away from the worst day of their lives." #itwebsec' which is a quote from Haroon Meer's presentation.

As always - E&OE.

Previous tag made with TagCrowd and this one made with Wordle.

ITWebSec tag cloud

noreply@blogger.com (Allen Baranov) — Wed, 11 May 2011 01:42:00 +0000

There was too much information at ITWeb Security Summit for me to make a sensible post of all of it just yet.

So, I thought I would hack something together. I ran a search against the latest 100 twitter comments: http://search.twitter.com/search.atom?q=%23itwebsec&rpp=100 ,got the feed as XML. Grepped for "title", popped that into tagcrowd.com , fiddled the results a bit and:

Miscellaneous Ramblings - Irony, Security Summit etc

noreply@blogger.com (Allen Baranov) — Thu, 05 May 2011 09:43:00 +0000

I've been doing a lot of thinking recently about the last year. I basically run my professional year from ITWeb Summit to ITWeb Summit and around this time I think back over the last year about what has changed and what is new.

I find that InfoSec is cyclical and this year is the unexciting one. Last year we were dealing with iPads and their ilk and Cloud and SaaS and all that good stuff was starting to hit us. This year - we are dealing with iPads and their ilk and Cloud and SaaS and all that good stuff is starting to hit us - again.

I'm still looking very forward to the Summit and I always leave with at least one very worthwhile thought that will determine my next year. The international speakers are most worthwhile to see as they bring a perspective that we, at the bottom part of Africa don't usually get. The Internet makes the World smaller but seeing someone talk is so much more useful (powerful) than reading.

While looking through my blog list for some juicy nuggets for my talk I noticed two bits of irony that came through -

1. The DBIR was published with the first line mentioning how it seems that the hacker community has gone more underground and less big hacks with large amounts of data being stolen. Boom, a couple of weeks later and Sony is hit by just one such hack.
2. Brian Krebs publishes how it may be overkill but it is a good idea to use a non-Windows system to do online banking especially for small businesses because there are no trojans aimed at these systems. His next post is all about how someone is developing a trojan crafting tool aimed at these systems.

My speech this year is finally completed (albeit in draft for now) and is a mostly updated speech that I presented 2 years ago at a smaller conference. It is still very relevant and I will enjoy presenting my insights to a larger audience.

Please look for my talk in the program and support me if you are attending.

I have committed to the organisers to post at least 1 blog post per day of the event and 1 to sum up what good stuff I got out of the conference so look out for these.

Btw, Brian Krebs is at Krebs On Security , the DBIR is at Verizon Business Security Blog and the of course - ITWeb Security Summit 2011 . Reporting on Sony's Playstation Network hack is all over the Internet.

I cheated....

noreply@blogger.com (Allen Baranov) — Fri, 01 Apr 2011 11:21:00 +0000

[... at Sudoku]

When I first started with Sudoku puzzles my interest was "how do I reduce these to an algorithm?" I wrote some code that would solve the puzzles and then started to try do it in my head.

I got better and better and the simpler puzzles started to get very boring and the harder ones became easy. Then, recently I got hold of an advanced Sudoku book and I was hooked once again.

But there was one puzzle that I just couldn't do. I would stare at the thing like it was a novel I could not put down. Hours went by and I was starting to see blocks in my sleep. So I decided to re-visit some of the online Sudoku solver sites I had used to help build my Sudoku solver. (Why not use my own solver? Its on a disk, somewhere!)

I found a good site that shows "hints" (because after all, I want to know how to solve it. If I wanted the answer, I could have just flipped to the end of the book but then I would have learnt nothing from the experience)

I typed the puzzle into the site and *boom*... a hint... yay. I was well on my way to solving the puzzle. I actually just really wanted one number and the rest all fell into place.

[The actual point of this long blog is here ;) -] Once I knew what the next number of the Sudoku was then I could work out how I should have gotten to it. But the PC showed me how it would have gotten to it and it was a totally different method altogether. Its obvious but not always on top of our mind, Computers and Humans inhabit the same world but our world view is very different.

This is why Spam gets through. This is why passwords don't work. This is why brute force does work. This is why Web-filters don't work.This is why DLP is partially effective.

Using technical controls for human created problems is what Information Security is all about. Its also something doomed to fail. Whats better? I wish I knew.

[Slightly OT] Whats Your Number, Cucumber?

noreply@blogger.com (Allen Baranov) — Tue, 08 Mar 2011 08:46:00 +0000

I was doing some "research" (Google search for "Allen Baranov") and found a little nugget back from 2001 when I asked how long until phone numbers become redundant.

I think I was a bit ahead of my time - we are still waiting for a DNS for telephone numbers after all.

But seriously, how many telephone numbers did you used to know? And how many do you know now? From someone with a short-term memory of a Goldfish, thank you Cellphones!

Now... when can I register "allen.baranov.cell.phone.mtn.za"? I've been waiting 10 years!

The Hoff Asks Some Tough Questions

noreply@blogger.com (Allen Baranov) — Fri, 04 Feb 2011 07:53:00 +0000

[Must Read Article To Get You Thinking]

I usually don't repost blogs and articles that I find because I like this blog to my personal sounding post. The practice can also lead to a blogger feeling that he is accomplishing something but is really just posting links over and over. I have an RSS reader to do that for me, a Google to get the stuff I missed.

However, I was drafting an article on exactly this stuff (and I hate this) but the Hoff managed to beat me to it and put exactly what I was thinking on the Internet better than I could express it myself. (... and had a Douglas Adams reference too!)

So...

Past Life Regressions & Why Security Is a Petunia (Or a Whale) Depending Upon Where You Stand

The CIA, the lead box at the bottom of the ocean and the sacred cow.

noreply@blogger.com (Allen Baranov) — Fri, 14 Jan 2011 08:11:00 +0000

[Where does Availability sit?]

So, the first thing you'll learn when doing Networking is the OSI stack even though everyone uses TCP/IP which doesn't fit neatly into the OSI concept. The first thing you'll learn in InfoSec is the CIA triangle. This is our sacred cow even though we don't really work towards it. Or do we? Should we?

I really respect the guys at Securosis and admire the way they dust off the sacred cows and relook at them arguing first that availability is not for InfoSec to bother with, then that it is most important.

If you speak to those that know me professionally, you'll know my feeling of how Information Security should treat The A. I sit in the IT building and my favorite saying is "everyone else in the building is making sure availability happens. I look after the C and the I"

The problem is that protecting Availability is very broad. It is actually easier to define the opposite - lack of availability:

If a server disk crashes who gets called in? Its not me.
If a service stops on a server?No me.

If the Firewall blocks a business website? Yep, me.

If a virus crashes the mail server or slow it down? Me.

So, I do manage availability to a point but not all of it. And, in fact I seem to manage more Availability than I should. The point is that Availability is an easy sell. IT is full of it. Check you agreements with vendors - they all have something like "99.9...% uptime" SLAs. There are no "99.9...% integrity" or "99.9..% confidential docs will not be moved". Availability can be measured - its there or it is not. Integrity and Confidentiality - not so much. Another favourite phrase of mine is "The A in SLA stands (not for agreement but stands) for availability - where is the SLI and SLC?"

The problem is that because InfoSec is traditionally based in IT - some of the Need For Availability (NFA?) seeps into our area. The tools we find easiest to sell to business - firewalls, IPS, antivirus all are there to primarily protect availability. Tools like web-filters are also very easy to sell because they stop abuse of network (think availability) and time (same). Tools like DLP are a tougher sell because they don't touch availability (and can cause issues there). Backups and DR have been the cause for some really bad C and I episodes. Yet every company does them - availability. This is not to say that backups and the other software we have are bad. Backups are essential for one but availability is king. When last did you audit all of the excel documents that people use to make business decisions for integrity?

The thing is that that C and I are opposed to A. The safest network is one that is not connected to the Internet but what use that? The way to properly secure a document is to put it in a safe, cover the safe in lead and then in concrete, chain it up for good measure and then dump it at the bottom of the ocean. But, again, what use is that? So, there is an arm wrestle between C and I on one side and A on the other and that is a good thing.

IT will always fight on the side of the "A" and so should InfoSec but we also have to fight for the C and I and ultimately get a good balance between all three.

A WTF to the start the year.

noreply@blogger.com (Allen Baranov) — Wed, 05 Jan 2011 11:47:00 +0000

[Every once in a while a news story comes along that makes you wonder...]

According to TechCentral :-

Thieves steal Sim cards from Jo’burg traffic lights
"The Johannesburg Roads Agency (JRA) suspects that a syndicate is stealing Sim cards from the city’s hi-tech traffic lights, and using them to run up phone bills."

The article goes on to say "If all 400 traffic lights need to be repaired due to theft and vandalism, it could cost about R8,8m."

So, the big question is why the JRA used normal SIM cards in their traffic lights. It was probably a cost cutting method so they can just get them off the shelf but it is backfiring for them.

A comment in the article says to glue the SIM cards in place or use resin but this doesn't seem like a great idea as it would be almost impossible to replace a SIM card that is faulty.

Maybe the answer for the JRA is to react fast. As soon as a traffic light stops reporting to the central server (which is what these SIMS are used for) then move to disable the SIM immediately. Send a team to the light to assess and re-enable it if it is a false positive.

Another comment was about using PIN codes. But these would end up either being easy to guess "1234" "0000" etc; well known "Jack the JRA last week, now we need to redo all 400 PIN codes" or a mission to manage "Did anyone see the spreadsheet with PIN codes?" Even 1 PIN number is too much for some people to manage.

It seems that the SIM cards are well protected in the traffic lights because it takes the ~~scum~~ thieves a lot of destructive work to get to them so that is not a deterrent. The only option I can think of is to make the SIM cards useless to anyone but the JRA either by using special cards or by the above "react quickly" method.

Surely these SIM cards must be connecting to a private APN. (This is the gov. so this assumption is not a certainty). In which case they should have been disabled on the normal GSM APN. Problem solved.

One wonders how much the cellphone bills that were clocked up came to.

Information Classification Like Creative Commons [Part 3]

noreply@blogger.com (Allen Baranov) — Fri, 22 Oct 2010 13:18:00 +0000

So it seems that at least one person reads this blog.

I got email from Andrew Yeomans from Commerzbank AG about my ideas in my recent Blog posts - Information Classification Like Creative Commons. (Part 1 and Part2)

I came up with the idea myself but it seems that I was beaten to it by a group called SPIDER in a document available on the 'net here [pdf].

They discuss using graphics as opposed to words to describe what classification a document is. I just took it a bit further by using "creative commons" for icons. But my idea is a bit more important than that. For this to be truly useful the icons used must be instantly recognizable. Anyone who uses the Internet for some time and is involved in publishing even non-professionally will be able spot creative commons icons, know what they mean and know what it means to them. And then abide by them. It would be useful for us to have icons that can do the same for sensitive documents.

I also took it one step further. I proposed the idea of including direction of what technology could be used with documents. So, if it is a "top secret financial document" then you may/may not email the document and there will be an "email permitted/not permitted" icon as the case may be.

Andrew commented that this may be a problem the way that technology moves forward but I believe it to be a good start. It may be better (in future) to have some "meta-mechanism" that automatically adds the icons in as technology is adopted or documents change levels of confidentiality.

It is nice to get some serious comments and I hope to hear more. It makes me think through my posts and tweak them. Hopefully, somewhere down the line it will add to the world's knowledge.

I bought a Kreepy Krauly BullShark...

noreply@blogger.com (Allen Baranov) — Mon, 13 Sep 2010 10:25:00 +0000

[... and the documentation came on CD-Rom.]

I think this is totally missing the whole point. Why not just give me paper?

It can't be more environmentally friendly to make a CD, copy the information onto it and then print a pretty design onto the CD.

So my story is that on Sunday, I opened the box, took everything out. I decided to do the installation by the book. And there was no book. Just a CD.

So, I had to go inside, boot up my PC, load the CD, run the software, click through the options.

Then run outside, do some installation.

Run back inside read up some more, run outside, run inside.

Still no luck so I have to take some of the wet pieces of the unit inside, put them quite close to my PC. Run outside.

This is not a major complaint (unlike my last post) but it just shows how someone decided to use technology because it was cool but really it just makes life difficult.

Why #nokia gets a #brandfail from me

noreply@blogger.com (Allen Baranov) — Tue, 07 Sep 2010 11:06:00 +0000

It is with great sadness that I write this post. I love Nokia. Loved. When something that you really like so much disappoints you so badly then it takes a lot to gain that respect back.

The short story is that my Nokia E71 stopped working a few weeks back and I took into Nokia to be fixed. They refuse to fix it alleging that it is "liquid-damaged". I refuse to believe that the cause is Liquid-damage. And they refuse to listen to me and fix the device.

I have had a very long history with Nokia. The first cellphone I ever used was a Nokia 2110 (The Brick). I have had many different Nokia "candybar" phones of differing features and costs. My last one was a 6233 which I really, really enjoyed using even though it was a Symbian S40 device. It got stolen and I moved onto a phone I coveted for ages - the E71.

The E71 was everything I wanted in a phone and I used all of its features. When my car radio was stolen, my phone became my music player. It was my diary. It was my watch. It was my browser. It was my mail. My connection to my world. I downloaded all the Google services that I could and all the Ovi services. I even signed up for Nokia Music. The only issue I had with my phone was the expensive Maps software but when Ovi Maps became free for the E71 then my phone was completely perfect.

I actually talked 2 people into buying E71s, 1 person to get an E72 and 2 people into buying E62s.

Then my phone starting flaking out.

One day it just started switching off. Strange, because usually the battery life is great. But that was fine, I charged it and it came back again.

Then one day it just would not switch on.

I took it to a shop and tried a different battery and no luck. We tried another battery and still no luck. I took it to another shop and we tried another battery. Finally I borrowed a battery from a friend who also had an E71 and still no luck. It wasn't the battery.

So I took my phone into two MTN shops and they both said it would take about a month to fix my phone. I should have gone for it but the one lady did mention that a Nokia shop would be able to look at my phone within one hour and "probably fix it" right then.

I was sold so I drove to the Nokia shop with my E71.

This is where the wheels fell off the cart.

I spoke to a lady who told me that if a non-Nokia-approved technician had worked on the phone then the warranty would be void and I would have to pay for their time. No worries there. She also told me that if the phone had suffered any liquid damage then the same would apply. No worries there.

Or so I thought.

At this point let me get it clear:

I have NEVER dropped my phone in water or any other liquid.
I have NEVER spilt coffee or any other drink on my phone.
I have NEVER lent my phone to anyone who wasn't in my general vicinity.

I would swear to the above in a court of law and sign an affidavit that says as much. I have even offered to do so for Nokia.

What I can't promise is that my phone has never come into contact with water. There is water in the air. I can't promise that I have never walked in the rain with my phone in my pocket although it hasn't rained for a long time in Johannesburg.

So, knowing the above, I handed in my phone. Signed the documents. The E71 has a known issue in that it picks up pocket fluff and some of that can get into the area between the screen and the glass over the screen so I asked that they clean that. I then went for a walk around the shopping centre for about an hour.

When I returned I was informed that the phone could not be fixed because the motherboard was no longer working and it is too expensive to replace the motherboard. Apparently its actually cheaper just to replace the whole phone.

I was also told that there was "liquid damage".

The blood drained from my face. How could there be?! It was like I had walked into an alternate reality like a Lewis Carroll novel.

They pulled up a screenshot of the back the inside of my phone where the battery lives. They showed me the damage and told me that it looks like "liquid damage". The picture was taken very zoomed in and close up it seems that two places on the motherboard have something the looks like rust.

The one thing they confirmed is that they were not able to find any moisture in the phone itself at all - not in the speakers (which are usually the worst parts for water damage) and not in the screen (which has dry fluff in it). But tucked away behind the battery is some sort of "rust" that "proves" liquid damage and hence according to Nokia this lets them off the hook from their warranty and they are therefore not liable to repair the phone.

When the shop people started telling me that my phone could have gotten the damage from water in the air or "sometimes you sweat and your phone in your pocket could have absorbed it" was when I decided that I should leave.

Nokia phones.

So, I left the store fuming. I left my phone there because now, not only did I not get my phone fixed and not only would they not fix it but I had to pay a "consulting fee" for them trying to fix a phone that was not fixable and they would be keeping my phone until they got that money.

I did sign that I would pay the consulting fee if there was water damage. I don't debate that. But I was shocked to find out that there was allegedly liquid damage. Two shops had swapped out batteries without noticing anything wrong with the motherboard but then they didn't have a magnifying glass to hunt for signs of possible "liquid damage" and I *knew* that I had never caused liquid to get into the phone.

I was cross but I figured that a simple call to Nokia head office would sort everything out. They are a very switched on firm and would like to help me out once they hear my story. So I spoke to a very kind, sweet woman and told her the whole story above including the bit about being willing to sign an affidavit and the "water in the air". To her credit she told me the water in the air story is junk. However, the Policy is the Policy and if the shop said it was "liquid damage" then there is nothing that Nokia can do. Can do or would do?

She suggested that I take it to another Nokia shop and get a second opinion. This means I risk another "consulting fee" of R250 in the hopes that another Nokia store may decide that the damage is not water damage. She suggested that I take it to MTN which means she is just passing the buck.

WTF?! Can she not just admit that the phone is defective and get it sorted out? No - there is the Policy.

Can I get someone independent to check the phone out? No, only a Nokia authorised repair person can open the phone or the warranty is gone anyway.

So here I am without a phone and feeling totally let down. My insurance will cover my phone for water damage and I'll be able to replace it but I guess I just wanted Nokia to come to the party.

Actually, I guess I had too much respect for the Nokia brand and wanted reality to reflect my perception.

I'm not an Apple person but I'm surrounded by happy Blackberry users. I guess my next phone will be a Blackberry ... something I've been fighting for a while now but I've been let down.

Information Classification Like Creative Commons [Part 2]

noreply@blogger.com (Allen Baranov) — Fri, 27 Aug 2010 13:59:00 +0000

[Part 2 - A picture is worth a thousand words]

Following on from my last post on Information Classification - I think that this concept would be better shown by using examples. I guess that the irony of the last Blog is that I was trying to say "Using pretty pictures is better than using text" but I tried to do that in a Blog post which lacked pictures totally. Still, I did get some good feedback on the post even though my coments don't work.

I have done a little bit more research and tried to find some pictures to show what I am aiming toward.

These pictures are all from an icon pack I found here but I'm not sure what pack I would use when it is finished or even if I should make my own. These are just for demonstration purposes. Please don't steal these graphics (they are free so just follow the link).

*deep breath* Here goes:

If a document contains anything to do with someone's medical condition or some such - it gets labled "Medical" and has the following graphic printed on it:

If a document is confidential - it gets labeled "Confidential" and has the following graphic:

Then what you can do with the document is listed - so you can copy it to CD, email it, move it on the network and take it home:

If you are not allowed to do any of these things then a little circle with a cross through it will be added to the image.

Putting it all together again - you have a piece in the footer of the document that says:

This document is classified as "Medical-Confidential". You may do the following: burn to cd, transmit internally, email outside of the network, take the document home.

Then under that, you have the images to re-enforce. The important thing is that the images must be a standard set so that users across companies, regions, businesses, etc all can look at them and at a glance know what is expected from them regarding the document.

For bonus marks it would be nice to have a tool that can automate this process.

Quick Thought: Information Classification Like Creative Commons

noreply@blogger.com (Allen Baranov) — Mon, 21 Jun 2010 14:30:00 +0000

[Stealing the CC Ease of Use Icons for Info Classification]

When something is complicated then it usually is quite wrong. I learnt this lesson with Firewall Rules. Usually when something was twisted around and not easy to understand it was because the Firewall was being used for a purpose ti was not designed for.

Information Classification is usually pretty easy to understand. It is logical. There is stuff you want the public to know about, stuff you don't mind them knowing about, stuff that you don't quite want them to know about and stuff they most certainly shouldn't know about.

There is also stuff that can't be shared outside of the company with out breaking the law or some "governance" and stuff that can't be shared overseas.

Finally, there is stuff that shouldn't be shared outside of a department such as "strategy stuff" or "HR stuff".

What you call these is just semantics and what you do to keep these where they should be is where the fun comes in.

Information Security is accused of being overly complex and it really shouldn't be. Much like copyright is (generally) complex. So, the good people of the Creative Commons worked out just how to separate the tricky-to-understand bits from the easy-to-understand stuff and get people using CC without having to read law at Harvard or some such. You choose the pretty pictures that show you what you want and voila.

So, can we do the same with Information Classification?

[OT] Cutest Vuvuzela Player Ever?

noreply@blogger.com (Allen Baranov) — Sun, 13 Jun 2010 21:00:00 +0000

I'm Cool Like That...

noreply@blogger.com (Allen Baranov) — Fri, 21 May 2010 13:10:00 +0000

So, it seems that I am following the trend with Blogging which is somewhere I am not proud to be but it is interesting just how closely I have followed this trend.

Statistics (when they are not manipulated) are ugly things. Sometimes they tell the truth like a little kid with no idea of how to be "nice". So here goes - my statistics of Blogs published on my site:

2007 - 78

2008 - 32

2009 - 34

2010 - er... 3

I had a lot to say in 2007 and a lot of time to say it. I accept that. 32 posts a year is not great, but it is not bad... 3 is pathetic.

Its not that I have been busy.. I have been busy but not way way way more busy than in 2008/2009. I haven't moved my online conversations onto Twitter either. Twitter has impacted on my time a bit... but not that much that 1 blog post a week would break me.

I just haven't blogged. And other people have stopped too. Rich of Securosis seems to think that Twitter is the reason but I think it is more about two other things -

I belive Information Security Bloggers (maybe other blogs too) have just emerged from the Trough of Disillusionment (go, go Gartner, go).
Blogs tend to be mostly a one-way conversation but really are about gathering the ideas of what is floating about in the world and forming an opinion about it then writing about it. So technically its like a general conversation and if everyone has left the conversation then there really is not very much to discuss.

But we are coming back and most of us (me included) are just really blogging about how we have stopped blogging and are now back. But we'll get there... it has been a bit of an awkward silence but its ended.

I am a hacker - whether I like it or not

noreply@blogger.com (Allen Baranov) — Mon, 17 May 2010 12:21:00 +0000

[... and not the bad cyber criminal type.]

For the latest ITWeb Security Summit (which was amazing) I was chosen as a speaker.

I had the following challenge -

talk about the different InfoSec Standards available
do it at 3:40pm
do it straight after the tea break
make sure that the attendees don't fall asleep

Needless to say - it took a lot of thought but I eventually managed to keep them interested according to some positive reports I got after the talk.

I'm not going to go into the details of the talk here but after quite a bit of re-assessment I realised that I had basically "hacked" the standards. Hacked - in the good sense. There was no "piracy" involved (me maytee) and everything was above board. (and above plank.)

But to keep the attendees interested in the talk I basically took the standards and applied them in ways they were just not designed to be used. And that is the true definition of hacking.

In the past 4-ish years or so I have tried to model myself as a serious Information Security Professional. I have tried to put away the "hacking" part of me and concentrate on "working for the Man" but it seems that, without me trying, that part of my brain will find a way out.

So, I will set my aim for the next year to nurture the "hacking" side of my brain and mold it into something I can use as an Information Security Professional.

Back.

noreply@blogger.com (Allen Baranov) — Fri, 14 May 2010 13:49:00 +0000

Someone (who shall remain anonymous) took me to task about not blogging. Which is fair enough since I haven't done a blog post since the end of last year - nearly 6 months ago. And it was my aim for the last few years to be the most prolific Information Security Blogger in South Africa (which really means writing more posts than that particular person). And I have been losing the race quite badly recently.

On the other hand that person fell asleep while chatting with me. Which is actually more a comment on how much sleep he had had the night before rather than how exciting the conversation was. I hope.

But.... that someone had an interesting point which I think is quite right - my excuse that I have nothing to blog about is wrong - I should blog and things to write about will come to me. Thats sounds very Zen. Or Xen.

So, I am starting up the blogging again and I hope that all my faithful readers will forgive the lack of posts and come back to be challenged again. (I'm watching you - both of you!)

So, see you soon.

I stand by Gears!

noreply@blogger.com (Allen Baranov) — Mon, 07 Dec 2009 12:53:00 +0000

So, no sooner had I posted the last post on my blog when I saw that Google are seriously considering dropping Google Gears at all.

Google are dropping support for the most important piece of software in the last 10 years?
Yes, and no.

Google introduced the world to the idea of offline applications by creating Gears. But maintaining it in all the different browsers and all the different Operating Systems (and variations of each) is painful. And was necessary until HTML5.

But HTML5 is a standard way to implement offline applications, it will be implemented in all browsers soon enough and it will be implemented in a standard way. And Google doesn't need to maintain it.

Google gets what they want and they don't need to support it.

One of the new features in Chrome that separates it from other browsers is the speed that it runs javascript. This became a major feature and forced Mozilla to speed their javascript up to compete. IE will do the same. (Mozilla had a faster javascript engine but they released it sooner than they would have otherwise done.)

So Google don't need Gears but it has already changed the world.

The most important piece of software this decade

noreply@blogger.com (Allen Baranov) — Mon, 07 Dec 2009 07:57:00 +0000

[and most people don't even know what it is!]

I've spoken about this software before, I think, but it deserves its own blog post.

And what piece of software is the most important for the last 10 years?

*drum roll*

Google Gears!

"Oh yes of cour- eh, what?!" I hear you say.

Google Gears is a silly little piece of software that merely allows one to run javascript offline. It tricks the browser into thinking that changes are going to the net but are actually stored locally. When an Internet connection is available, the databases are synchronised. Very technical stuff.

But what it really allows is a PC to run only web applications and allows web applications to be feature rich as desktop ones. What is really allows is GMail to compete with Outlook and Google Apps to compete with Office. It not only allows Google to compete directly with Microsoft head-to-head but gives them a slight lead.

Since Google's applications are designed with sharing in mind and Microsoft's are not, Google is ahead in this respect. And since Google's applications are on the Web, you can get to them pretty much from anywhere.

And since Google are driven by a policy of "good-enough as fast as possible" their applications are sleek and ready to be used online - Microsoft have some way to go if they want to compete in this area.

In the mid-90s I remember a whole host of companies decided to take on Microsoft directly and all of them came off second best. Netscape (with navigator - remember that?) , SUN (SunOffice, Java, Net-PC) , IBM (OS/2), Apple (pre-Jobs, iPod).

Netscape is no longer but they did spawn Firefox which is eating into IE's market share in a big way. SUN has some amazing software like Java and SunOffice (or OpenOffice) but they never really impacted on Microsoft's dominance as they looked like they might have. The less said about OS/2 - the better. And Apple reached their lowest point when Microsoft invested in them to keep the company alive.

SUN's vision for a NetPC is coming about again with Google's ChromeOS. The only difference really is that SUN's vision had lots of pretty blue SUN Servers being the central store for all data and apps while Google's vision has lots of ugly grey and black Internet Servers being the central store. (Internet being the important part). Google are making true what SUN never could - "The (Inter)Network is the Computer".

Whether Google will succeed where many have failed remains to be seen but they have lined up some interesting tools to get themselves with at least a chance and at the heart of each of these tools is Google Gears making it all possible.

SANS Confirms

noreply@blogger.com (Allen Baranov) — Fri, 18 Sep 2009 11:13:00 +0000

So, when SANS comes out with a document - The Top Cyber Security Risks then it is time to sit up and take notice.

And especially when their findings pretty much agree with what the rest of the industry is saying.

The interesting thing is that there are really only two major risks highlighted and one observation.

The observation is that Companies are being good with patching Operating System level vulnerabilities. I guess this is well-done to Microsoft and the other OS creators. However, if you are not fully patched on an OS level then you are the low hanging fruit. And you will be in trouble.

"Hackers" are moving to hacking applications these days - both pre-packaged ones which you will be more likely to find on the desktop and custom built ones which will more likely be hosted on a website.

So, companies now need to look at patching applications quicker.

They must also have a good solid web application plan in place and stick to it before exposing themselves online.