Like we really needed this.

Hacker’s Blog

January 18, 2006

Copyright and The Choice Between DRM and Security

Filed under: Security — Hacker @ 7:43 am

Slashdot | The Choice Between DRM and Security

Seeing the above made me think about Copyright and Security. It seems that Copyright used to be a security mechanism to protect one’s creations. Before the digital age, copying creative works was expensive. Those who sought to make a profit from copying other’s work could find themselves at the wrong end of the law and thus were taking a large risk with their capital. Gift copying was too expensive for most and had limited distribution, even as audio and video cassettes became common.

Now in the digital age, commerce is global and it is hard to track down copyright pirates. Worse, gift copying has practically no cost to the gifter. Thus copyright can no longer protect information profitably. Note that doesn’t mean copyright is useless, just not useful for ensuring profits from the distribution of a creative work.

None of this is new and there are others who have studied and written about this in much more detail. What I think is interesting is to take the pure security view. This is hard for a security techie like me, because we have been taught that security is some piece of technology.

Technology is not the best word to use here, since its meaning has morphed over time. Copyright was a ‘technology’ by the old definition. Now we use technology to refer to automata. This causes us to forget a lot about what information security is about and can be. We techies get so lost in the bits and algorithms that we forget that much of the security we rely on today is as insecure as copyright.

As the world becomes more digital, there will be new options, such as DRM, that can provide protections where old ones like Copyright fail. In some ways, these protections are even stronger than what was available before, but they also come with a price, such as privacy. As a security practitioner, one has to dig deep to understand the history of the protection of an asset as well as the potential consequences of new protection technologies.

• • •
 

December 14, 2005

Security for Calculators

Filed under: Security — Hacker @ 9:10 am

I think it’s about time that we document security for calculators. No, I’m not talking about the cherished TI-35 that I’ve got buried in a drawer somewhere. I’m talking about the machine I’m working on and its brethren. I’m also not talking about documenting the security of calculators. Security for calculators. That is, security documentation that can be understood and processed by computers as well as people.

Let’s face it; if it wasn’t for people, then we wouldn’t be having all of these information security problems. The InfoSec world continues to get more and more complex, and yet for the most part, people are required to process all this complex data. Let’s look at a couple of specific examples.

First are the IP Services and ports that are required to support an application. Often this traffic must pass through a firewall or NAT (or both) and often there are issues around that. Currently if this is documented at all, then it is a poorly formatted list of TCP/UDP ports and possibly end points. Some expensive firewall engineer has to look at those, determine if there are any security issues with them, and then correctly translate them into the format the firewall understands. Anomaly IDS sensors have to learn the application flows, because no one can take the time to tell it what they should be. Etc.

The effort to load firewalls and other security devices could be reduced substantially by having some XML schema for documenting the IP services in use. Security is only as good as the knowledge about the application in question. Having such standards would substantially enhance the ability to know what was going on within an application.

A second area is within RFC standards. Currently, if there is a security section at all, it again must be parsed by a human. Does a service provide its own authentication? What controls are available within the service? What are the expectations, dependencies etc? Even having the packet schema in XML would help a lot in developing parsers for new protocols. I’ll probably need to explain this in more detail this, but that will have come later.

Ultimately security is too important to leave up to us humans, but we’re never going to get computers to do it well if we can’t put things in terms that they can understand. We have the tools, XML, various standards bodies, etc. We just need to start using them.

• • •
 
« Previous Page
Like we really needed this.