Comments for Systems Security

Comment on Where is all the nodejs malware? by Saqib Ali

Saqib Ali — Wed, 03 Apr 2013 20:55:16 +0000

Disagree? Not at all. In fact this is a real risk. It has happened with jquery.

One thing that I do to detect these type of malware infestation is constantly run network analysis on the webservers that is serving our apps. It sends us a daily report of all the network connections of all types. We visually inspect the report to see if there are anything out of order. You have to do this visually. It is unlikely that a automated system will detect this type of anomaly. But once you are familiar with the traffic patterns of your app, it only takes few minutes to inspect the daily network report.

We are in the process of setting up a client machine that mimics the user on the webapp, The plan is to run the same network analysis on the client to see if there any anomalies in the network traffic. That should take care of client side javascript malware in the webapp.

Comment on cloud failure modalities by footnote | Systems Security

footnote | Systems Security — Wed, 27 Jul 2011 08:55:02 +0000

[...] post on cloud failure modalities made passing reference to someone whose Google existence had been snuffed out for no adequately [...]

Comment on Outsourcing undermined by cloud failure modalities | Systems Security

cloud failure modalities | Systems Security — Sat, 23 Jul 2011 12:32:41 +0000

[...] topic mentioned in an earlier article is also germane: the legal jurisdiction in which the service provider sits may be far from clear [...]

Comment on email retention by Andrew Martin

Andrew Martin — Wed, 13 Jul 2011 18:38:21 +0000

That’s interesting. I thought that for some (I would name names, but perhaps that is unwise) it was explicitly to avoid retaining discussions they’d rather not report. But maybe that’s how everyone understands it, but not the corporate position.

The Data Protection Act compels us to retain personal information no longer than is necessary. But few are sure how long is necessary.

Comment on Outsourcing undermined by Joe Loughry

Joe Loughry — Tue, 12 Jul 2011 20:55:50 +0000

In a further discussion on cloud computing security this morning, someone mentioned that if law enforcement decides to seize your provider’s servers—even for an offence perpetrated by another customer of the provider—you may lose access to YOUR data without warning and for a long time.

Replication is the solution: with $n$-seizure-tolerant fail-over, keep on computing even as law enforcement officers unrack machines in one data centre! Wonder if that business opportunity has been pitched to VCs yet.

Comment on email retention by Joe Loughry

Joe Loughry — Tue, 12 Jul 2011 20:54:36 +0000

Financial institutions in the U.S. save every communication: they scan both sides of every piece of paper that comes in the post, archive email, instant messages, and record every telephone call. But traders use their personal mobiles to avoid the surveillance net.

Other companies won’t admit they delete emails as a litigation defence; if pressed, they claim that storage space for mboxes is excessive and costing them too much.

I worry about the loss of institutional memory; after a desktop hard disk failure, a few tech refresh cycles, building moves and corporate email system upgrades, it’s a wonder anyone can find the documentation from a project more than a few years old. Multiply the lost NASA moon landing tapes by a few million companies’ haphazard IT infrastructure, and 1995–2010 might be reckoned by future historians another Dark Age.

Comment on Outsourcing undermined by J. Loughry

J. Loughry — Thu, 07 Jul 2011 23:19:41 +0000

‘…they either break US law or they break EU law.’

This needs to be more widely publicised.

Comment on on an unfortunate tension by J. Loughry

J. Loughry — Thu, 07 Jul 2011 23:06:22 +0000

Of the channels presently available—802.11, Bluetooth, IR, acoustic or HDSPA—I agree 802.11 has the right combination of features: power enough to communicate with a large space without requiring an unreasonably large number of transceivers in the venue, non-line-of-sight so that devices in pockets and bags and participate, and fairly low power requirements. What is missing is a protocol and an incentive for manufacturers to follow it. Man pages for Ethernet cards on FreeBSD or Linux are full of complaints from device driver writers about corner-cutting hardware manufacturers, incompletely or incorrectly implement standard interfaces and protocols, claimed features of the hardware that do not work, and firmware updates without corresponding version number changes. The new protocol must be implemented as high in the OSI model as possible, because otherwise we can’t depend on all the hardware manufacturers writing the functionality in their firmware. It either has to be done at the PHY level (by the two or three suppliers who actually make the radios everyone else uses) or at the device driver level. In between, there is opportunity for manufacturers to cheat.

Comment on Spectacular Fail! by Andrew Martin

Andrew Martin — Thu, 07 Jul 2011 19:14:49 +0000

Postscript: it transpires that IE9 doesn’t work on WinXP. Microsoft offers IE8 instead.

Comment on on an unfortunate tension by Andrew Martin

Andrew Martin — Thu, 07 Jul 2011 08:36:03 +0000

I’m sure that such a signalling regime has its place.

But surely the problem is with the non-compliant devices (and their owners) – always assuming, again, that electrical interference in commercial avionics is actually a problem. I’m not sure how you would incentivize a global standard: there’s little in it for the vendors. Moreover, I don’t think you could realistically ensure that all airport security checkpoints could weed out the rogue devices, any more than the cabin crew can. Economically, I’m not sure it’s a problem anyone wants to solve.

The problem of recognition is going to become a bigger and bigger one, though. Having more and more devices able securely to report their identity – in a privacy-sensitive way – is definitely a desirable thing. Having 802.11 as the bearer for that seems overwhelmingly likely to me.