Current Topic: Computer Security
Security Engineering - A Guide to Building Dependable Distributed Systems

Topic: Computer Security
11:26 pm EDT, Aug 30, 2006
While you're waiting for Acidus to finish his book, read this one.

"If you're even thinking of doing any security engineering, you need to read this book" -- Bruce Schneier

"Even after two years on the shelf, Security Engineering remains the most important security text published in the last several years" -- Information Security Magazine

Topic: Computer Security
11:23 pm EDT, Aug 13, 2006
"I met my wife on your captcha!!!" -- Steve, from New York
OK, this is funny... Hotornot captcha.

Captcha Mashup

CIA.gov changes its address

Topic: Computer Security
8:10 am EDT, Jul 18, 2006
CIA.gov is now encrypted, except for our Electronic Reading Room, to assure visitor confidentiality.
Hrm ...

Mrs. Krabappel invites Abe to come up front and "give someone else a chance to interrupt" over Bart's protests. "About time, knothead," Abe grumbles. The storyteller comes in front of the class, and urges everybody to shut up.

Abe: Now, my story begins in 19-dickety-two. We had to say "dickety" 'cause that Kaiser had stolen our word "twenty". I chased that rascal to get it back, but gave up after dickety-six miles... [children laughing]

Martin: "Dickety"? Highly dubious!

Abe: What're you cackling at, fatty? Too much pie, that's your problem! [children laughing]

Abe: Now, I'd like to digress from my prepared remarks to discuss how I invented the terlet.

Mrs. K: "Terlet"? Hah! [children laughing]

Abe: Stop your snickerin'! I spent three years on that terlet!

-- The Curse of the Flying Hellfish

Academic freedom and the hacker ethic

Topic: Computer Security
12:23 pm EDT, May 27, 2006
Hackers advocate the free pursuit and sharing of knowledge without restriction, even as they acknowledge that applying it is something else.
Tom has been published in the current issue of CACM. His article is currently number one of only 7 references to Francis Fukuyama in the ACM Digital Library. There is a report about Internet voting, two about trust in electronic commerce, an excerpt from The Social Life of Information, and an article by Grady Booch where the title is a take-off on Fukuyama's classic, The End of History. Tom's article is the only one to reference Fukuyama in the context of science/technology policy and academic freedom.

In crafting policy, is it useful to distinguish between basic knowledge and specific vulnerabilities in a finished product? Tom's opening line refers to "the free pursuit of knowledge." The implication in Joy's argument, and in Tom's response to it, suggests that it is possible, through policy, to wall off certain areas of knowledge in a selective manner, based on some balanced assessment of risk and reward. Set aside the wisdom of the policy issue; it's not clear to me this is even possible.

So much of what turns out to be disruptive knowledge arrives unexpectedly. This much should be obvious by definition. Yet frequently it seems to be brushed aside. Joy focuses on big, deliberate endeavors; he refers to "efforts" like the Manhattan Project. Although the history of the Internet is deeply intertwined with defense, it is worth noting that the World Wide Web was not the product of a grand-vision project. Well, actually, it was, but that big project was about physics, not information management. The Web arose from an off-the-books "effort" to organize some documentation. Recall the recent Freeman Dyson articles that I recommended. The next supervirus is as likely to arrive courtesy of a five-year-old, playing in the backyard, as from a diabolical terrorist with genocidal tendencies.

Inherent in Tom's premise is the idea that one has the ability to distinguish between knowing and doing. At the bleeding edge, on zero budget, with only the vaguest ideas of the applications or impact of what you're exploring, this may not be a reasonable assumption. There is a subtlety between "doing" and "applying"; you might "do" in the lab but "apply" in the wild. But as Tom asks, what if you have no lab? When the wild is your lab, either for lack of resources, or because the wild is your object of study, "doing" and "applying" are often one and the same.

Update: Greg Conti has made the CACM issue available as a ZIP archive.

IEEE Transactions on Information Forensics and Security

Topic: Computer Security
10:38 am EST, Mar 15, 2006
The first issue of this new journal may be of interest. A sampling of articles follows.

Steganalysis using higher-order image statistics

Techniques for information hiding (steganography) are becoming increasingly more sophisticated and widespread. With high-resolution digital images as carriers, detecting hidden messages is also becoming considerably more difficult. We describe a universal approach to steganalysis for detecting the presence of hidden messages embedded within digital images. We show that, within multiscale, multiorientation image decompositions (e.g., wavelets), first- and higher-order magnitude and phase statistics are relatively consistent across a broad range of images, but are disturbed by the presence of embedded hidden messages. We show the efficacy of our approach on a large collection of images, and on eight different steganographic embedding algorithms.

Personal authentication using 3-D finger geometry

In this paper, a biometric authentication system based on measurements of the user's three-dimensional (3-D) hand geometry is proposed. The system relies on a novel real-time and low-cost 3-D sensor that generates a dense range image of the scene. By exploiting 3-D information we are able to limit the constraints usually posed on the environment and the placement of the hand, and this greatly contributes to the unobtrusiveness of the system. Efficient, close to real-time algorithms for hand segmentation, localization and 3-D feature measurement are described and tested on an image database simulating a variety of working conditions. The performance of the system is shown to be similar to state-of-the-art hand geometry authentication techniques but without sacrificing the convenience of the user.

Automatic facial expression recognition using facial animation parameters and multistream HMMs

The performance of an automatic facial expression recognition system can be significantly improved by modeling the reliability of different streams of facial expression information utilizing multistream hidden Markov models (HMMs). In this paper, we present an automatic multistream HMM facial expression recognition system and analyze its performance. The proposed system utilizes facial animation parameters (FAPs), supported by the MPEG-4 standard, as features for facial expression classification. Specifically, the FAPs describing the movement of the outer-lip contours and eyebrows are used as observations. Experiments are first performed employing single-stream HMMs under several different scenarios, utilizing outer-lip and eyebrow FAPs individually and jointly. A multistream HMM approach is proposed for introducing facial expression and FAP group dependent stream reliability weights. The stream weights are determined based on the facial expression recognition results obtained when FAP streams are utilized individually. The proposed multistream HMM facial expression system, which utilizes stream reliability weights, achieves relative reduction of the facial expression recognition error of 44% compared to the single-stream HMM system.
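The steganalysis abstract in the sampling above rests on one observation: embedding disturbs statistics that untouched images keep. The following is an added example, not code from the paper or the journal, and it deliberately swaps in a much simpler detector than the paper's wavelet-domain, classifier-based one: the first-order "pairs of values" chi-square test (Westfeld and Pfitzmann) against plain LSB replacement. The image size, the Laplacian-shaped cover histogram and the embedded message are all constructed for the example rather than taken from real photographs.

```python
"""Chi-square steganalysis of LSB replacement on a constructed 8-bit image.

Added example, not the IEEE paper's method: a first-order pairs-of-values
test standing in for the paper's higher-order wavelet statistics. The cover
is synthetic (assumed 256x256, Laplacian-shaped histogram around mid-grey).
"""
import random

WIDTH, HEIGHT = 256, 256   # assumed image size (constructed example)
SCALE = 5.0                # assumed spread of the cover histogram around 128


def synthetic_cover(seed=1):
    """Constructed cover: pixels whose histogram falls off smoothly from 128.

    Natural images have smooth histograms, so neighbouring values 2k and
    2k+1 occur with different frequencies; that skew is what the test uses."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        offset = rng.expovariate(1.0 / SCALE)          # mean SCALE
        value = 128 + (offset if rng.random() < 0.5 else -offset)
        pixels.append(min(255, max(0, int(round(value)))))
    return pixels


def embed_lsb(pixels, bits):
    """LSB replacement: overwrite the least significant bit of pixel i with bits[i]."""
    if len(bits) > len(pixels):
        raise ValueError("message longer than capacity")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | (bit & 1)
    return stego


def extract_lsb(pixels, n_bits):
    """Read the first n_bits least significant bits back out."""
    return [p & 1 for p in pixels[:n_bits]]


def chi_square_pairs(pixels):
    """Pairs-of-values chi-square statistic.

    For each pair (2k, 2k+1) the expected count under full LSB embedding is
    the pair mean, because a random message bit lands on either value with
    equal probability. A cover keeps its skew (large statistic); a fully
    embedded image has equalised pairs (statistic near the noise floor)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b == 0:
            continue
        expected = (a + b) / 2.0
        stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
    return stat


def demo(seed=1):
    """Return (cover statistic, stego statistic) for a full-capacity random message."""
    cover = synthetic_cover(seed)
    rng = random.Random(seed + 1)
    message = [rng.getrandbits(1) for _ in range(len(cover))]   # constructed payload
    stego = embed_lsb(cover, message)
    return chi_square_pairs(cover), chi_square_pairs(stego)


if __name__ == "__main__":
    cover_stat, stego_stat = demo()
    print(f"cover chi-square: {cover_stat:.1f}")
    print(f"stego chi-square: {stego_stat:.1f}  (pairs equalised by embedding)")
```

Run as-is, the cover statistic comes out an order of magnitude above the stego one. The caveat to carry over from the paper: this first-order test only catches sequential, near-full-capacity LSB replacement, and is defeated by scattering a short message over random pixel positions or by plus/minus-one embedding, which is exactly why the paper moves to higher-order statistics across wavelet scales and orientations and trains a classifier on them.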

Security giant's data lost

Topic: Computer Security
8:20 am EST, Feb 26, 2006
McAfee, the Santa Clara security software company, has lost the personal information of thousands of its employees due to a lapse by an external auditor. On December 15, the auditor, an employee of Deloitte & Touche, left an unencrypted CD containing the names, social security numbers and McAfee stock holdings for more than 9,000 McAfee employees in an airline seat pocket.
D'oh!

RE: Invasion of the Computer Snatchers

Topic: Computer Security
12:11 pm EST, Feb 18, 2006
Decius wrote:

According to Slashdot the Washington Post published his hometown as the "location" caption for an odd image in the article. He lives in a very small town. Chances are he is going to prison.

I replied:

That's quite a slip-up. It will be interesting to see how the Ombudsman handles this one. (Email her at ombudsman@washpost.com.)

With an estimated male population of 1447 in 2004, and based on the US national age-sex pyramids provided by the Census Bureau, approximately 103 men in this town are between the ages of 20 and 24. If we assume a flat distribution across that range, there are roughly twenty 21-year-old men to consider.

If you look directly at the 2000 Census data for the town, there were 240 total (male and female) in the 15-19 group. Advance that group five to six years, adjust for population growth, account for the male-female ratio, and you come up with an estimate of 25 21-year-old men.

When you consider how many of those 25 dropped out of high school (74% of residents 25 and older graduated from high school), you're down to 5-7 suspects. When you consider how many of those 5-7 still live with their parents, along with the percentage of 21-year-olds who haven't yet married, you're down to two or three guys.

And how many of those families live in a brick rambler with a tan, weathered couch in the living room? And when you consider the obesity epidemic, along with the presumed low incidence of computer geekiness in rural middle America, it's hard to believe that more than one of those three guys is an unemployed geek with a new laptop and a "wiry frame."

Invasion of the Computer Snatchers

Topic: Computer Security
9:06 pm EST, Feb 17, 2006
Washington Post magazine profiles a botnet operator. Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam. If you think your computer is safe, think again.

Brazilian police bust hacker gang

Topic: Computer Security
1:47 pm EST, Feb 16, 2006
Brazilian federal police arrested 41 hackers today accused of using the internet to divert millions of dollars out of other people's bank accounts. Some 200 federal police were deployed in the operation to serve 65 arrest warrants against a gang of hackers mostly operating in Campina Grande, some 1,800km north-east of Rio. Arrests also were made in six other states. Police said the leader of the gang was a 19-year-old and five of those arrested so far were minors. Police were still looking for 24 other alleged gang members.

Topic: Computer Security
3:19 pm EST, Feb 4, 2006
What is the Amazon Honor System?

The Amazon Honor System is a safe and easy way for you to support your favorite Web sites and to buy digital content on the Web. Amazon.com has successfully completed hundreds of millions of online transactions and has more than 29 million customers. Now, the Amazon Honor System lets you use Amazon.com payment technology to make payments to Web sites as small as $1.00. Web sites use the Amazon Honor System to collect voluntary payments from their users and to accept payment for digital content. In many cases, the Honor System is the only way a Web site can economically collect small payments. In others, the Honor System allows the Web site to raise money for continued operations without resorting to intrusive banner advertisements.

How does the Amazon Honor System paybox know my name?

When you look at a Web page, the words and pictures you see actually may come from several sources. Your browser software assembles the pieces and displays them as a single page. On the Web site you were visiting, most of the content you saw was transmitted from server computers used by the site's operator. The image made up of the paybox and your name displayed within the paybox was different--we sent it to you directly from Amazon.com. This allowed us to recognize you by name just like we do when you visit the Amazon.com Web site. Because Amazon.com's servers transmitted the image containing a paybox and your name within the paybox directly to your browser software, the site owner never saw the paybox or your name and never received any information about you.
Even if it is secure, this strikes me as rather disconcerting. I'm sure there are cross-site scripting attacks that would allow the site operator to obtain your name from the URL of the image.

Amazon Honor System
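The FAQ answer quoted in this post describes a page assembled from two origins, with the personalised image fetched directly from the payment host. The following is an added example, not Amazon's or any publisher's code: a toy in-process model of that flow with a browser whose cookie jar is scoped per host, the way real browsers scope cookies. The host names (site.example, pay.example), paths, session id and customer name are all constructed for the example.

```python
"""Toy model of a third-party 'paybox' image personalised from the image
host's own cookie. Added example; hosts, sessions and names are constructed."""
from urllib.parse import parse_qs, urlsplit

PUBLISHER = "site.example"         # hypothetical site embedding the paybox
PAYMENT_HOST = "pay.example"       # hypothetical host serving the paybox image
PAGE_URL = f"https://{PUBLISHER}/article"

# Constructed: a session the payment host issued on an earlier visit.
PAYMENT_SESSIONS = {"sid-7c1e": "Alice Example"}


class Browser:
    """Minimal client: per-host cookie jar plus a log of what each request carried."""

    def __init__(self):
        self.cookies = {}   # host -> {cookie name: value}; never sent to another host
        self.log = []       # (host, path, cookies sent, referer)

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def fetch(self, url, referer=None):
        parts = urlsplit(url)
        sent = dict(self.cookies.get(parts.hostname, {}))
        self.log.append((parts.hostname, parts.path, sent, referer))
        return SERVERS[parts.hostname](parts, sent, referer)


def publisher_server(parts, cookies, referer):
    """Markup only. The paybox is an <img> whose src points at the payment host;
    the URL names the site and the amount, never the visitor."""
    html = ('<p>Thanks for reading.</p>'
            f'<img src="https://{PAYMENT_HOST}/paybox?site={PUBLISHER}&amount=1.00">')
    return {"html": html, "cookies_seen": cookies}


def payment_server(parts, cookies, referer):
    """Image endpoint: recognises the visitor from its own session cookie only."""
    query = parse_qs(parts.query)
    site = query.get("site", ["?"])[0]
    amount = query.get("amount", ["?"])[0]
    name = PAYMENT_SESSIONS.get(cookies.get("session"))
    label = (f"Pay {site} ${amount} as {name}" if name
             else f"Pay {site} ${amount} (sign in)")
    # Besides identity, the image host learns which page embedded it (Referer).
    return {"image_text": label, "referer_seen": referer}


SERVERS = {PUBLISHER: publisher_server, PAYMENT_HOST: payment_server}


def image_src(html):
    """Toy extraction of the single <img src="..."> in the page."""
    return html.split('src="', 1)[1].split('"', 1)[0]


def render_page(browser):
    """Assemble the page the way a browser would: markup first, then the image."""
    page = browser.fetch(PAGE_URL)
    img = browser.fetch(image_src(page["html"]), referer=PAGE_URL)
    return page, img


def demo():
    """A visitor who already has a payment-host session views the publisher's page."""
    browser = Browser()
    browser.set_cookie(PAYMENT_HOST, "session", "sid-7c1e")
    page, img = render_page(browser)
    return browser, page, img


if __name__ == "__main__":
    browser, page, img = demo()
    print("publisher's server saw cookies:", page["cookies_seen"])
    print("paybox rendered as:", img["image_text"])
    print("payment host saw referer:", img["referer_seen"])
```

The two things to check in the request log are that the publisher's request carries no payment-host cookie and that the image URL holds only the site name and amount; the name is bound to the cookie the payment host set on its own domain, not to anything in the URL. What the image host does receive on every such view is the Referer of the page being read, a data flow the quoted FAQ does not mention.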