Ben Laurie blathering

30 Jan 2006

Institute of Information Security Professionals

Filed under: Rants,Security — Ben @ 14:26

Computing reports that the UK is going to have an Institute of Information Security Professionals. According to the chairman, Paul Dorey:

“Current security certifications are based on individual knowledge. But with projects such as Sarbanes-Oxley we need people who can make decisions and ensure they are based on a solid grounding”

Ah, yes. Sarbanes-Oxley, that well known bit of UK legislation. I trust we’ll also get a solid grounding in the DMCA and the role of the RIAA. Anything less would be failing those that depend on us!

Another high point:

“IT security professionals who gain membership will need to adhere to a code of conduct and take part in a continual professional development programme.”

I look forward to the code of conduct with interest. No doubt it and the “continual development programme” will neatly exclude anyone who does this stuff for the good of mankind instead of for EvilCorp.

28 Jan 2006

The Identity Metasystem

Filed under: Identity Management,Rants — Ben @ 12:59

I had coffee with Luke Razzell a couple of days ago, and we talked about what, if you were really going to design a metasystem, it would look like.

What we came up with was this (I haven’t checked with Luke so any stupidity here is all my own)…

  • A description of the various actors: the person/entity/group whose identity is being managed, the relying party, issuers of signed statements and so forth.
  • A description of the conversations these actors need to have for various purposes: specifying what information is required, getting statements signed, presenting information, referring to third parties, etc.
  • A definition of the semantics of identity information: name, address, credit card number…

To turn a metasystem into a system, you would then define how the actors map onto entities in the system, conversations to protocol exchanges and semantics to syntax.

What a metasystem should not include is concrete protocols or syntax (WS-*, for example). It should be possible to map any (or at least many) identity systems onto “the” identity metasystem.

So, Infocard isn’t a metasystem by any reasonable standard, it is a system. It may or may not be true (the jury is still out on this in almost all cases) that you can take some existing other identity system and figure out how to express an isomorphic system in Infocard, but that doesn’t make it a metasystem, it just makes it flexible.

A true metasystem would describe existing systems without modification.

27 Jan 2006

People Don’t Report Phishing (Or They Are Ignored)

Filed under: Rants,Security — Ben @ 17:52

I got email, allegedly from O2, today. All the links in the email claim to be to O2’s website (i.e., but actually go to Classic phishing stuff, you’d think.

But going to that site redirects to the correct page on the real site. So perhaps it’s not a scam after all. My next thought was to check whois data:

# whois

Domain name:


Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

So, there’s a non-trading individual called “Vertis”, is there? Somehow I don’t think so. Anyway, it seems to me there are only two possible explanations for this. Firstly, it’s a scammer hiding their identity, or secondly, it’s a company who really do act on O2’s behalf and are just blatantly abusing the .uk registration process.

So, being a good chap, I reported it to O2. Somewhat to my surprise, they confirmed that it was not from them, and is spam. Exactly what the point of it is, I’m not sure, except perhaps to determine that I’m the kind of person that follows links in realistic looking emails.

They’ve said they’ll escalate the matter to their security team. They’ve also said they’ll inform me of the outcome. I’m not holding my breath on that one! They also said that they had not heard of this before (which is interesting, because I’ve had email involving these domains before), and said that this kind of report was “very unusual” – whereas for a genuine O2 mailing each customer service rep gets several calls a day, apparently. From which I conclude that people don’t report phishing – or if they do they are ignored.
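The tell in the mail above is that the link text names one site while the href goes to another. As an added example (not from the post), here is a small Python check that pulls every anchor out of a mail body and flags ones where the visible text reads as an address that the href does not actually go to; the mail body and hostnames are constructed placeholders, not the domains from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(s):
    """Lower-case hostname named by a URL or a bare hostname, or None."""
    s = s.strip()
    if s and "://" not in s:
        s = "http://" + s  # bare hostnames need a scheme before urlparse sees a netloc
    host = urlparse(s).hostname
    return host.lower() if host else None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text names a site the href does not go to."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if " " in text or "." not in text:  # only text that reads as an address makes a claim
            continue
        claimed, actual = _host_of(text), _host_of(href)
        # A subdomain of the claimed host (account.telco.example.com) is not a mismatch
        if claimed and actual and actual != claimed and not actual.endswith("." + claimed):
            suspicious.append((text, href))
    return suspicious

# Constructed sample mail body; the hostnames are placeholders, not the domains from the post.
SAMPLE_MAIL = """<p>Your bill is ready. View it at
<a href="http://promo-tracker.example.net/go?id=1">www.telco.example.com</a>.</p>
<p>Or visit <a href="https://account.telco.example.com/login">telco.example.com</a> directly.</p>
<p><a href="https://telco.example.com/help">Click here for help</a></p>"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"link text says {text!r} but goes to {href!r}")
```

Anchors whose text is ordinary words ("Click here") make no claim about a site, so they are left alone; a fuller filter would also check the mail's sender domain against every href.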

Incidentally, the mail claims to originate from, which looks like this:

$ whois

Administrative Contact:
Mansell, Matt
1 to 2 Stafford Cross
Stafford Road
Croydon, Surrey CR9 4PD

26 Jan 2006

Sausage Soup

Filed under: Recipes — Ben @ 17:22

I cook a lot. And people ask me for recipes. So, I’ll write them up occasionally. Here’s one I did a couple of days ago. My Dad used to make it with frankfurters, but my kids don’t like frankfurters, so it’s been modified.

I’m afraid I don’t measure things much when I cook, so you’ll have to guess…

Chicken Stock
Bacon (I like smoked streaky)

Dice the spuds, about 1/2″ cubes. Fry them gently for 5-10 minutes in butter. Chop the leeks into 1/2″ rings, add leeks and chicken stock (enough to cover them plus the leeks and then an inch or so), and simmer.

While this is going on, chop bacon into 1/2″ bits, and fry with crushed garlic in oil until crispy. Remove the bacon, leave the oil, chop the sossies into 3 or 4 bits each, then fry those until lightly browned.

By this time the spuds should be soft. Add the bacon and fried sausages and cook for another few minutes. Salt/pepper/herbs to taste. Eat with crusty bread. Warning: the spuds tend to burn your mouth.

A bowlful and a half is usually enough for a whole meal.

25 Jan 2006

IT Conversations Podcast

Filed under: Security — Ben @ 9:42

Podcasting isn’t something I’ve really got to grips with yet, but it seems to have got to grips with me. I did an interview with IT Conversations while I was at ApacheCon in San Diego.

I haven’t been brave enough to listen to myself yet, but apparently I “exude quiet confidence”.

23 Jan 2006

OpenSSL FIPS 140

Filed under: Crypto,Open Source — Ben @ 14:13

It has been reported here and there that OpenSSL finally has its FIPS 140 certification. I haven’t actually seen the certificate, and seeing is believing. Nor has it shown up on NIST’s validation list.

But anyway, assuming it’s actually true, and people keep assuring me it is, it’s taken us three years to get to this point. Also, it’s the first validation of source rather than binary, so it is something of a landmark.

Good news, despite the tortuous process and astonishing delays.

22 Jan 2006

Brain Function a.k.a. Abusing Kittens

Filed under: Brain Function — Ben @ 13:39

As I get the hang of this blogging thing, I realise there’s all sorts of things I talk about that I’m not blogging. Brain function is one of my so-far-unblogged obsessions, and there’s all sorts of fascinating experiments that prove scary things about our brains. For example, the one that shows that women prefer more masculine men when they’re fertile, or the gorilla/basketball experiment, or the sweaty t-shirt experiment (women prefer unrelated men, and can tell by smell). But I won’t bore you with those, because I’m sure you all know about them already (email/comment if I’m wrong, and I’ll write them up).

So, here’s one I read about today that is quite fascinating. You need a body to make your eyes work properly.

Take two kittens. Set up a turntable in an ordinary room and harness one kitten to one side. Put the other in a clear box on the opposite side. The harnessed kitten can wander (OK, only in a circle, but it’s in charge), whereas the boxed kitten is passively moved, getting the same 3D experience as the harnessed kitten.

Only the harnessed kitten develops depth perception.

Why? Well, the theory is your brain needs the feedback generated by linking what you see with what you’ve told your muscles to do in order to understand what it’s seeing.

An interesting question: is this vital to learning 3D vision or is it just a deficiency of brains?

21 Jan 2006

David Byrne on DRM

Filed under: Digital Rights — Ben @ 13:28

At least the entire mainstream music industry isn’t nuts. David Byrne writes:

Happy New Year. Don’t Buy CDs from the Big 5.

CDs from the big five run the risk of damaging your computer, opening you up to security risks, and you can’t rip the music onto your iPod. Stop buying CDs now. At least until they guarantee us that they will never try this shit again.

18 Jan 2006

Why I Won’t Be Upgrading Any Time Soon

Filed under: Rants,Security — Ben @ 10:43

So, WordPress 2 is out. And there’s a 3-day old security advisory that isn’t even mentioned on the WordPress website.

Enough said.

Is there blogging software out there that does care about security?

16 Jan 2006

Tipping Point’s Business Model

Filed under: Rants,Security — Ben @ 18:29

One of the great things about Shmoocon is that I get to hang out with my fellow Shmoo, who have extremely diverse backgrounds and interests (errr, given that we’re all obsessed with security, that is). So, last night, at the Shmoo decompression, several of us were discussing responsible disclosure, and in particular the business model of companies that buy exploits, such as Tipping Point.

I’ve always been somewhat uncomfortable about organisations like CERT or NISCC, which don’t actually pay for exploits, but nevertheless are in the business of encouraging people to give exploits to them first. Once they have the exploits they first give them to “critical” stakeholders, and, later, the rest of the world gets to hear about them.

Tipping Point and friends simply take this model and commercialise it: pay the exploit writer for the exploit, then sell it to your subscribers. For a lot of money. But don’t make the mistake of thinking CERT or NISCC are not in it for the money – they are, of course, but in their case it’s called “budget” instead of “profit”.

So, what’s wrong with this picture? Well, my original objection to CERT and NISCC was that they obviously have to choose who gets the early announcements, and there’s no fair way to do that. Even worse, if you’re going to claim to protect critical infrastructure, then you have to include the vendors who supply that infrastructure. Of course, these vendors then get to exploit that information commercially – it gives them an edge on their competitors. And since you don’t get to supply critical infrastructure unless you are huge, this creates an artificial bias towards huge companies.

Is commercialisation any better? Well, at least it’s a little more honest: anyone with enough money can play, not merely those who are best at shmoozing. But it still biases towards the well-heeled.

However, that’s not the worst of it, and this is what became clear to me last night. What’s worse is that many of those subscribed to these early announcement services have an interest in using these exploits. In the case of the CERT/NISCC model it will be the military and TLAs that will be in the market for useful exploits. Of course, they will still have access in the commercial cases, perhaps even at reduced rates (never hurts to keep the government happy, right?) – but worse still, commercialisation of the exploit market gives easy access to criminals (I’m sure that some do even in the CERT/NISCC model, but it must be harder to get that than by simply forking out money).

Of course, this is not a good place to be. Is there anything to be done? I think so, but more on that later.

I don’t mean to single out Tipping Point particularly, they just happen to be the first I thought of. If people send me links to others I’ll compile a comprehensive list.

The Open Rights Group

Filed under: Civil Liberties,Digital Rights — Ben @ 17:27

Towards the end of last year I was approached to serve on the board of the Open Rights Group, an organisation set up to campaign for digital rights and civil liberties in the digital world.

In the face of increasingly draconian laws, both here in the UK and in the rest of Europe, this seems to me to be a very important cause.

Anyway, I haven’t blogged about it before because it’s taken us a while to get ourselves set up to allow supporters to support us. I’m pleased to say that you can now do so.

13 Jan 2006

Department of Homeland Security Funds Open Source Security

Filed under: Open Source,Security — Ben @ 15:22

I was asked to comment on DHS’ funding of Coverity (who make a not bad, as they go, static code analyser), Stanford (where Coverity’s founder is a professor, so no surprises there) and Symantec (why?) to apply Coverity to various open source projects.

Of course, the article stresses the negative points I made, omitting the fact that, despite its shortcomings, I welcome the move. I just think it could be done better.

In particular, the right way to use static analysis tools is routinely, as part of the build process, every time a developer changes a single line of code. Waiting until the poor guy thinks he’s finished and saying “hah, but we found these hundred issues with your last 3 months of work” is not efficient.

5 Jan 2006

Crypto Amateurism

Filed under: Crypto,Rants,Security — Ben @ 16:59

I discovered today that the latest port of Digest::SHA256 (0.01b) on FreeBSD doesn’t work – it produces incorrect digests.

Now, I don’t know whether this is because the underlying implementation is broken, or because the port is broken. But that’s irrelevant – I expect my favourite operating system to at least check test vectors when implementing cryptographic algorithms. Apparently they don’t, and that’s a disgrace.

It should, in my opinion, be a part of the install process that test vectors are checked for every cryptographic algorithm. Anything less exposes users to potentially extremely serious security issues.
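As an added example (not from the post, and not FreeBSD's port or Digest::SHA256), here is the kind of known-answer check the post asks for, in Python against hashlib: the vectors are the FIPS 180-2 SHA-256 examples plus the empty message, run_kats() reports every mismatch, and broken_sha256() is a constructed stand-in for a faulty port that only the longer vector catches.

```python
import hashlib
from typing import Callable, List, Tuple

# FIPS 180-2 SHA-256 example vectors (message, expected hex digest) plus the empty message.
# The 56-byte message matters: 56 + 1 padding byte + 8 length bytes exceeds one 64-byte
# block, so it exercises the two-block padding path where ports most often go wrong.
SHA256_KATS: List[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
]

def run_kats(digest: Callable[[bytes], str], vectors=SHA256_KATS) -> List[str]:
    """Feed every vector to digest(); return failure descriptions (empty list means pass)."""
    failures = []
    for msg, expected in vectors:
        try:
            got = digest(msg)
        except Exception as exc:  # an implementation that crashes has failed, not passed
            failures.append(f"{msg!r}: raised {exc!r}")
            continue
        if got.lower() != expected:
            failures.append(f"{msg!r}: got {got}, expected {expected}")
    return failures

def install_check(digest: Callable[[bytes], str]) -> bool:
    """What an install step should do: accept the implementation only if every vector passes."""
    return not run_kats(digest)

def hashlib_sha256(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

def broken_sha256(msg: bytes) -> str:
    """Constructed stand-in for a faulty port: drops the tail of any message that needs a
    second padding block, so the short vectors pass and only the 56-byte one catches it."""
    if len(msg) >= 56:
        msg = msg[:55]
    return hashlib.sha256(msg).hexdigest()

if __name__ == "__main__":
    for name, impl in (("hashlib", hashlib_sha256), ("broken port", broken_sha256)):
        problems = run_kats(impl)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for line in problems:
            print("  " + line)
```

The same harness works for any digest: swap in the algorithm's own published vectors, and make a non-empty failure list abort the install.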


Filed under: Where I'm At — Ben @ 12:02

Yep, ShmooCon is in its second year, and twice as big this time. I’ll be there, but you won’t, unless you’ve already registered.

Always ready for a beer, as usual.

For the click-impaired: it’s in DC, Jan 13-15.
