Transition to Feedburner

Like many people, in order to try and analyse the traffic to my site, I have signed up to Feedburner. Hopefully, the plug-in from Steve Smith will mean that the transition is painless. However, do let me know if you have any problems with the feed.

In case you want to update your RSS reader directly, my new feed is:

http://feeds.feedburner.com/IdentitySecurityMe


WordPress 2.1.2 Update

Following the release of WordPress 2.1.2 earlier this month, I have finally got round to installing the upgrade.

I have also upgraded and re-activated most of my plug-ins. The only one which isn’t configured yet is the “OpenID for Comments” plugin. Hopefully, I will get this done shortly.

I also plan on trying out a number of new plugins in the near future.

Please let me know if you have any problems with the site or the feed.


Online banking passwords

Dave Kearns has published an article talking about online banking security and showing the results of a recent survey.

On a related note, I was surprised when I recently signed up to a new online banking service. After going through the usual registration process and waiting to be mailed my password etc, I finally went online.

Being the conscientious security professional that I am, I immediately went to change my password. I was amazed when it appeared that I could only have letters and numbers in my password. I cannot have anything else, such as punctuation.

Needless to say, the bank in question shall remain nameless. However, I have written to them to explain that they may want to consider expanding the password policy.


FoxPro – Bringing back memories

Microsoft Puts FoxPro Out to Pasture

It was with a certain amount of nostalgia that I read today that Microsoft will be open sourcing the core of FoxPro, one of the DBMSs that it bought some years back.

Whilst I haven’t used this database for about 15 years, it was the main database that I wrote an application on for one of my university modules.

I actually wrote a sunbed reservation system using FoxPro for Windows (I think it was version 2.0 on Windows 3.11). However, the app was so well written that it actually worked in FoxPro for DOS as well (more luck than design!).

Needless to say, it was at about this time that I decided programming wasn’t for me and my skills would be best served in another area of computing.

However, I can’t help thinking that I will probably have another look at it when it goes open source, just to see what it can do now.

It’s just a shame that I no longer have my old university assignment on floppy disk anywhere. It would have been good to have a look back at my code and have a laugh.

Andrew Comins (you know who you are) – If you are still around and have the original code that we worked on together with Lucy, get in touch!


Optimistic numbers of techno-savvy OpenID users

Jason Kolb recently posted his cynical view ( 🙂 ) of AOL and their announcement to support OpenID for all of their users. Whilst I can’t disagree with Jason’s thoughts around AOL’s motives, he does make one comment which I found quite funny.

“So AOL brings their 13 million subscribers give or take a few million (probably take) to the table, MAYBE a million of whom will actually know what to do with their OpenID.”

What amused me was his optimistic assumption that a million users understand OpenID and what to do with it. Whilst it would be great for the Identity community if this was the case, I believe the actual number is probably far less.


Steganography and plausible deniability

One of my good friends, Paul Squires, recently posted a comment on steganography. The main thrust of his article was about the problems with encryption, in that it is quite often easy to tell that there is encrypted data in the first place, meaning that under the laws of RIPA you could be forced to divulge your private keys and allow the authorities to access your encrypted information.

Paul goes on to point out that steganography can be used to hide the fact that you have any encrypted data in the first place and that images are a good medium for this purpose. This is where I have to disagree.

From a quick search around the web, it is apparent that it is reasonably easy to discover if an image does indeed contain steganographic information. More information here. However, all is not lost. Steganography does indeed have a valid application that I have come across.

For some time now I have been using an open source encryption tool called TrueCrypt. This works like a number of other encryption products (e.g. PGPDisk) in which you create an encrypted volume which is essentially one big file on your disk (or whatever media you choose). When you want to read the information, you then ‘mount’ the file as a drive and the information is encrypted/decrypted on the fly as it is read from and written to disk.

However, as Paul quite rightly points out, this poses a problem since, if I created a 1GB encrypted volume, anyone browsing my hard drive (assuming that is where I put it) would spot this rather obviously large file and could probably guess it was an encrypted volume. Then, under RIPA, I would be forced to reveal my password and big brother would be able to gain access.

This is where TrueCrypt comes into its own. The software has the concept of hidden volumes, which are basically encrypted volumes within encrypted volumes. Using this technique, I use one set of credentials to open the standard encrypted volume and a different set of credentials (when opening up exactly the same file) to access the hidden volume. Therefore, under RIPA, if I was forced to reveal my private keys, I could provide the keys to the outer volume without the authorities ever knowing there was a hidden volume with the actual sensitive data in it. There is no way (that I know of) to tell whether an encrypted volume contains an extra hidden volume or not (it would sort of defeat the object if there was).

If you haven’t looked at TrueCrypt, I recommend it. It has all sorts of really neat features, such as the ability to require a keyfile (any file you specify) to be present and untampered when unlocking the volume, in addition to a standard password/passphrase.
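To show why a hidden volume cannot be distinguished from free space, here is an added toy model of the layout described above. It is not TrueCrypt’s code or on-disk format; the sector sizes, header layout, the name `TOYVOL` and the SHA-256 counter-mode “cipher” are all constructed for this illustration and are not a real cipher. What it demonstrates is the property the post relies on: the whole container is random-looking bytes, one password decrypts a header at the front of the file (the outer volume), a different password decrypts a header at the end of the file (the hidden volume), and a wrong password decrypts neither.

```python
import hashlib
import hmac
import math
import os

# Toy container geometry (constructed for this example, not TrueCrypt's layout).
SECTOR = 128                              # bytes per sector
SECTORS = 32                              # container = 4096 random-looking bytes
OUTER_HDR, HIDDEN_HDR = 0, SECTORS - 1    # header sectors: first and last
MAGIC = b"TOYVOL"                         # only visible once a header decrypts correctly


def sl(i):
    return slice(i * SECTOR, (i + 1) * SECTOR)


def keystream(key, nonce, length):
    """SHA-256 counter-mode keystream. Toy construction for illustration only."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def header_keys(password, salt):
    """Derive one encryption key and one MAC key for a header from a password."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, dklen=64)
    return k[:32], k[32:]


def build_header(password, start, length, data_key):
    """salt | enc(MAGIC|start|length|data_key) | HMAC | random pad: every part looks random."""
    salt = os.urandom(16)
    enc_key, mac_key = header_keys(password, salt)
    plain = MAGIC + start.to_bytes(2, "big") + length.to_bytes(2, "big") + data_key
    body = xor(plain, keystream(enc_key, b"hdr", len(plain)))        # 42 bytes
    tag = hmac.new(mac_key, salt + body, "sha256").digest()           # 32 bytes
    hdr = salt + body + tag
    return hdr + os.urandom(SECTOR - len(hdr))


def parse_header(password, sector_bytes):
    """Return (start, length, data_key) if the password opens this header, else None."""
    salt, body, tag = sector_bytes[:16], sector_bytes[16:58], sector_bytes[58:90]
    enc_key, mac_key = header_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + body, "sha256").digest()):
        return None
    plain = xor(body, keystream(enc_key, b"hdr", len(body)))
    if plain[:6] != MAGIC:
        return None
    return int.from_bytes(plain[6:8], "big"), int.from_bytes(plain[8:10], "big"), plain[10:]


def create_container(outer_pw, hidden_pw, hidden_sectors):
    """Outer volume spans all data sectors; the hidden volume sits inside its tail."""
    box = bytearray(os.urandom(SECTOR * SECTORS))      # free space is random, never zeros
    data_first, data_last = OUTER_HDR + 1, HIDDEN_HDR - 1
    outer_len = data_last - data_first + 1
    hidden_start = data_last - hidden_sectors + 1
    box[sl(OUTER_HDR)] = build_header(outer_pw, data_first, outer_len, os.urandom(32))
    box[sl(HIDDEN_HDR)] = build_header(hidden_pw, hidden_start, hidden_sectors, os.urandom(32))
    return box


def open_volume(box, password):
    """Try both header locations; nothing in the bytes says which one (if any) will open."""
    for hs in (OUTER_HDR, HIDDEN_HDR):
        vol = parse_header(password, bytes(box[sl(hs)]))
        if vol:
            return vol
    return None


def write_sector(box, vol, idx, data):
    start, length, key = vol
    assert 0 <= idx < length and len(data) <= SECTOR
    data = data.ljust(SECTOR, b"\0")
    box[sl(start + idx)] = xor(data, keystream(key, idx.to_bytes(8, "big"), SECTOR))


def read_sector(box, vol, idx):
    start, length, key = vol
    return xor(bytes(box[sl(start + idx)]), keystream(key, idx.to_bytes(8, "big"), SECTOR))


def byte_entropy(data):
    """Shannon entropy in bits per byte; close to 8.0 means indistinguishable from random."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def demo():
    box = create_container("outer-password", "hidden-password", hidden_sectors=8)
    outer = open_volume(box, "outer-password")
    hidden = open_volume(box, "hidden-password")
    write_sector(box, outer, 0, b"holiday photos index")          # decoy content
    write_sector(box, hidden, 0, b"the actually sensitive notes")  # constructed sample
    return {
        "outer": read_sector(box, outer, 0).rstrip(b"\0"),
        "hidden": read_sector(box, hidden, 0).rstrip(b"\0"),
        "wrong_password": open_volume(box, "guess"),
        "entropy": byte_entropy(bytes(box)),
    }
```

Run `demo()` and the same 4096-byte container yields the decoy text under one password and the sensitive text under the other, while the byte entropy of the file stays near 8 bits per byte before and after the writes. The model also shows the one real hazard of the scheme: the hidden volume lives in sectors the outer volume believes are free, so filling the outer volume would silently overwrite it (TrueCrypt handles this by letting you supply the hidden volume’s password when mounting the outer volume so that those sectors are protected from writes).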


A rollercoaster of emotions

Last Friday was Red Nose Day in the UK. As usual, the BBC ran Comic Relief on BBC1 for pretty much all of Friday night.

It took the usual format of:

1) a comedy sketch
2) a depressing report on poverty etc
3) repeat 1 & 2

The reports were particularly depressing with celebrity after celebrity publicising the plight of the less fortunate both in the UK and the third world.

Take one example of a woman in Africa who was looking after 13 kids. 3 were her own whilst the other 10 were her two sisters’ children. Both sisters had died of AIDS. 3 of the children also had AIDS. The family of 14 slept in a single ‘tin roof’ hut with half of the children sleeping on the floor on a plastic sheet. The slum that they lived in had open sewers running through it.

It makes me realise not only how lucky I am (and the majority of people in the developed world) but also how insignificant any problems I might have actually are in the big scheme of things.


“photographic memory” or a “memory of photographs”

Last week, as part of a discussion thread that I was following on the Identity Gang, someone pointed out Passfaces.

I feel like I have had my head in a bucket as this technology is not something I have come across before. I think the idea behind it is very interesting and potentially very useful. As well as the extra level of authentication (although arguably not much extra) you also get the added anti-phishing protection.

It is common knowledge that the brain can remember images better than anything else. If you have ever done any memory management training courses, you will testify to this.


Second Life update – What’s the attraction?

You may remember on 20th January I posted a comment about my new entry into the world of Second Life.

Well, after that post I’ve spent a few days on and off, logging on and looking around. I realise I probably haven’t scratched the surface of the things that are available. However, on the surface, I really don’t see what the attraction is.

My first couple of hours were spent being shown around by a very kind female from Germany. I was definitely a passenger as she was transporting me to all these different places. After giving me (a novice) a change of clothes, my guide asked me:

“What do you want to do?”

“What is there to do?” I replied (not really knowing what was available).

“Depends on what you want to do”….

The conversation continued back and forth like this for some time. In the end we ended up dancing in a bar.

What’s the point??

If I wanted to dance, I would go to a nightclub. Why would I want to watch a virtual character dancing on my behalf using pre-defined moves?

After leaving my guide, I decided to have a look around myself. What better place to start than the “Top 50” most popular places.

As with so many other things on the web, a large proportion of these locations were “sex rooms” where you can indulge in virtual sex with someone. Again, what is the point?

From what I have seen of Second Life so far, it just seems to be another, somewhat wacky channel for porn.

I see that a lot of IT manufacturers have started using Second Life for product briefings and seminars etc. With my cynical hat on, I can’t help but think that this is just a gimmick. Great, so you can see virtual people walk into a room and sit down for a briefing instead of just hearing them dial in to a phone conference.

I’m sure I’m missing the point of Second Life. I will give it another go and see if I can find something other than virtual dancing and porn, but at the moment I am somewhat disappointed.

If anyone has any suggestions, I’m all ears…