Saqib writes "Recently, I was discussing the NIST's draft Presentation on Effectively and Securely Using the Cloud Computing Paradigm with my colleagues. The discussion ultimately evolved into a discussion about authentication and access control methods employed by various organizations to access their Google Apps Standard/Premier/Education accounts. We started talking and comparing multi-factor authentication, SAML-based SSO, OpenID, native Google authentication, etc. I would like to query Slashdot readers who use Google Apps about the authentication method their organization currently employs and why. Also please take 2 minutes to answer a brief survey.
The result summary of the survey is available here"
Spammers are becoming a nuisance. We have to constantly improve technologies like CAPTCHA to prevent abuse by spammers. As these CAPTCHAs become more and more complex, visually impaired internet users have a tough time deciphering them for legitimate use.
"Men are not hanged for stealing horses, but that horses may not be stolen." George Savile, a statesman, writer and politician. Based on this famous quote by George Savile, should we be prosecuting and hanging the spammers as well?
I truly believe that in order to NOT punish often, we must punish severely. As Michel de Montaigne said, "One of the uses of our system of justice is to warn others... We are reforming, not the hanged individual, but everyone else."
The proportionality of punishment vs. the crime is not in question here. But as a society we have determined that spam is a nuisance and causes hardship for many. To deter this act of spamming, we need strict measures. Simply enacting laws against spam doesn't help if there is no severe punishment associated with them.
And how come only criminals get human rights? What about law abiding citizens? What about their rights? Isn't it my right to live a life free of filthy spam?
Saqib Ali writes "If you haven't already heard, Data At Rest (DAR) Encryption Contract Awardees were announced today. The Office of Management and Budget, DoD and General Services Administration awarded multiple contracts today for blanket purchase agreements (BPA) to protect sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices. Nine products were selected to provide Full Disk Encryption and File Encryption."
QuantumCrypto writes "IRISA is reporting that Branch Prediction is NOT good for security. Branch predictors allow processors to execute the next instructions without waiting for the previous ones to be resolved, which in turn allows the RSA key to be spied on. Old news, right? Well, André Seznec at IRISA has independently verified the claims. "I've tried to validate the principle. It works! Beautiful case study by the way!" said André Seznec. Onur Aciçmez and his colleagues managed to grab 508 bits out of a 512-bit key on RSA encryption, at first shot, in just a few thousandths of a second. Quite a feat when compared to the endless three months and the line-up of 80-some 2.2 GHz CPU computers that the German Federal Office for Information Security (BSI) once poured in to crack an SSL 640-bit key (3).
Background from the article:
Until not so long ago, processors were executing threads in a time-shared mode: T0 was executing during a time slice, then T1 was executing during the next time slice, then T0 again... "Each of these time slices lasts far longer than the processor execution cycle. Say a thread lasts around 10 milliseconds, representing about 20 to 30 million processor cycles. As long as a spy thread and a cryptographic thread are not executed simultaneously, there is no way the former can grab very precise information on the latter." The impervious architecture keeps threads peep-proof.
But things have changed with the arrival of the Pentium 4 HT processor generation (7), an SMT processor in PCs and servers. These CPUs run two threads at the same time: on the very same cycle, instructions from the two threads are executed on the CPU. Why? "Mainly to squeeze performance from the processor," Seznec answers. "The processor can execute several instructions per cycle, but generally a significant part of the resource is lost if a single thread executes. When two threads execute at the same time, the hardware is significantly better utilized." Unfortunately, running two threads in parallel on the same hardware CPU can lead to some information leakage. "One can manage to grab an indirect view on a thread execution from a spying thread that is executed simultaneously. This indirect information about its execution can allow one to recover critical information such as an encryption key.""
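The leak described above comes from the fact that textbook square-and-multiply takes a branch whenever the current key bit is 1, so a co-scheduled thread that observes the branch predictor effectively observes the key. The added example below (not from the IRISA article or the researchers' code) contrasts that key-dependent loop with a branch-free variant whose control flow is identical for every key; it uses the well-known toy RSA parameters p=61, q=53, e=17, d=2753, and note that Python's big-integer arithmetic is itself not constant-time, so only the control-flow structure is being illustrated.

```python
def modexp_branchy(base: int, exp: int, mod: int, nbits: int):
    """Textbook left-to-right square-and-multiply.

    Returns (result, trace) where trace records, per iteration, whether the
    multiply branch was taken. The trace equals the exponent's bits, which is
    exactly what a branch-predictor side channel observes.
    """
    result, trace = 1, []
    for i in range(nbits - 1, -1, -1):
        result = (result * result) % mod
        taken = bool((exp >> i) & 1)   # key-dependent branch condition
        trace.append(taken)
        if taken:
            result = (result * base) % mod
    return result, trace


def modexp_branchfree(base: int, exp: int, mod: int, nbits: int) -> int:
    """Same result, but every iteration performs both the square and the
    multiply, and the key bit only selects between the two candidates with
    an arithmetic mask. No instruction is skipped based on the key, so the
    branch history is the same for every exponent."""
    result = 1
    for i in range(nbits - 1, -1, -1):
        squared = (result * result) % mod
        multiplied = (squared * base) % mod
        bit = (exp >> i) & 1
        mask = -bit                      # 0 when bit == 0, all-ones when bit == 1
        result = (multiplied & mask) | (squared & ~mask)
    return result


# Constructed toy RSA key (textbook values), far too small for real use.
P, Q = 61, 53
N = P * Q          # 3233
E, D = 17, 2753
KEY_BITS = 12      # enough bits to cover D

def leaked_bits(exp: int, nbits: int) -> int:
    """Reassemble the exponent purely from the branch trace of the branchy loop."""
    _, trace = modexp_branchy(2, exp, N, nbits)
    value = 0
    for taken in trace:
        value = (value << 1) | int(taken)
    return value
```

A practitioner's check is that `leaked_bits(D, KEY_BITS) == D` for the branchy loop, while the branch-free loop yields the same ciphertext with a trace-free control flow.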
Saqib Ali writes "Seems like the VA has managed to lose another hard drive containing data on 48,000 veterans. The hard drive was stolen from an employee's home. The good news is that the hard drive was partially encrypted, so it is expected that no more than 20,000 records were impacted, which is still a high number. My question: why the partial encryption? If you are going to encrypt, just encrypt the whole drive."
SHA who? writes "In light of recent attacks on SHA-1, NIST is preparing for a competition to select the next set of hash functions. The public competition will be much like the development process for the Advanced Encryption Standard (AES). As a first step in this process, NIST is publishing draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, and requests public comment by April 27, 2007. P.S. NIST has ordered the Federal Agencies to stop using SHA-1 and instead use the SHA-2 family of hash functions."
Saqib Ali writes "It is free. How come you are not using it? An article on how to use freely available Full Disk Encryption (FDE) products to protect the secrecy of the data on your laptops. FDE solutions help to prevent data leaks in case the laptop is stolen or goes missing. The article includes a brief intro, benefits, drawbacks, some tips, and a complete list of FDE solutions on the market."
My question is why so many online discussion forums require a login to post messages? Currently I have 20+ discussion forum accounts for the various vendors that I deal with (e.g. Citrix, Wise, Altiris, Active Batch etc.). Why can't they be like mailing lists where the username+password is optional/not required?
Discussion forums use username+password as a means to
1) control access,
2) tie the post to an email address; and
3) prevent anonymous spam.
Alternatively this can also be achieved by simply requiring an email address along with the post, and then sending an authorization email to the poster before making the post visible on the forum. This will achieve the same effect, and the user will not be burdened with remembering a username+password for each forum where they contribute.
Why don't the discussion forums use this strategy instead of requiring the users to create an account?"
Saqib Ali writes "According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused by stolen/missing laptops. Mobile devices will be stolen or lost. But one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So why don't we encrypt all our HDDs? Cost and performance impact are the usual arguments.
Analysis shows that the access time increases by 56%-85% after FDE. As HDDs fill up, fragmentation increases and so will the file access time. With FDE, the swap file (the system's virtual memory) gets encrypted as well. This will impact the system's performance noticeably when the virtual memory is being used more often.
Encryption key & password management blues follow. What happens when the user forgets his/her new FDE password? How to manage the encryption key backup files? Who has possession of the backups of the encryption keys? What about when the user quits and does not hand over the password / encryption keys? Who can access the system and its encrypted files? How frequently does the password need to be changed? How to prevent the user from writing the passwords down? Using hardware tokens (RSA token, smartcard etc.) can alleviate many of the password management issues. But these hardware tokens are costly!