Tuesday, December 15, 2009

Security as Interdepartmental conflict...

I received this message in my hotmail this morning:

Why does Microsoft get dinged for this type of presentation? Why does it happen? On a small scale it was probably because the hotmail Calendar team wasn't talking with the hotmail Security team. But that doesn't answer much. Computer security is still, in almost all industries and architectures, an "add-in". It is overlaid on top of existing products and architectures. The "security guys" are on separate teams, their training is exclusive, and their recommendations are "integrated" into existing products after the fact. The practice of security never fully integrates into the test suites of most product development because it can't be marketed like a popsicle. It is sold as an immunity, a dose of antibiotic, a pill. Compatibility of security architecture with existing product development has ambiguous ownership.

Saturday, December 5, 2009

Cell Tracking

This is the link to an absolutely extraordinary post on privacy by Christopher Soghoian:
http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html . Mr. Soghoian's post describes the evolution of "Cell Tracking", an issue the EFF has discussed for a number of years at http://www.eff.org/issues/cell-tracking. An exceptional video on the current status of the law for "cell tracking" and "mobility tracking" can be found here: http://www.youtube.com/watch?v=YFo2VcfWCBQ&feature=channel/

The information reminds me that the OS inside most cell phones is a literal "black box". Because I run midpssh, I can usually find my cell's IP address in the netstat tables of my SSH server. I can see there may be some filtered ports on my phone. But I cannot:
(1) access a console or ssh prompt
(2) run a network sniffer or IDS on my cell phone to see if someone is "pinging" my location or hacking me.

Your cell phone is a tracking device that forbids you from root access.