Testing New Provider

My backup was from a few weeks ago so any of the more recent comments are gone but everything else seems to be good. Assuming this gets from Ecto where I’m writing it all the way to the Feedburner feed, I think we’re back to normal. In case anyone cares, I’m using Bluehost now; quite pleased so far.

Where’s Sean and what of IDE?

Sorry for the long delay between posts. I was hoping by now there would be something public that could be discussed regarding Identity Engines’ fate but alas we don’t seem to be there yet. I’m sure I’ve signed all kinds of confidentiality agreements so I’m not going to be the one to spill the beans. I sincerely apologize to our customers. In the final days of the company–like every other day of the company’s history–you were our top priority. I am hopeful that the arrangement, once announced, will give you all a path forward.

Personally, I start a new job at Cisco soon. My role will broaden out a bit from security and identity but I expect to keep my fingers in both pies for the foreseeable future–I’m excited to get started. I don’t know what this means for my blog though. I need to give that some thought and discuss it with my new group.

False Positives at 725 Rounds a Minute

OK, last post today…I think:

Speaking of hard computing problems, according to Wired’s Danger Room blog, robots with machine guns have now been deployed in Iraq. These robots (dubbed special weapons observation remote reconnaissance direct action system [SWORDS]) have not fired yet but:

Michael Zecca, the SWORDS program manager, tells DANGER ROOM. “But that’ll be happening soon.”

Speaking as someone who’s seen commercial security systems fail repeatedly during my time in the industry, I certainly hope their software is better than our software. Something tells me that there isn’t a “powered by Windows Mobile” sticker anywhere on the bot. However, with commercial OSs performing more and more functions for the government, it doesn’t seem completely outside the realm of possibility.

Setting aside the ethical implications of turning war into a game of networked Doom, the repercussions of a crypto or software failure in the transmissions from the controller to the bot are enormous. I wonder what they are using and what sort of testing they underwent. I wouldn’t be surprised to see some security through obscurity in there somewhere. On a related note, Steven Murdoch over at Cambridge has an interesting post explaining why software problems are as big as or bigger than crypto problems in e-voting systems. The same applies here as well (note his mention of rocket launches):

Good software engineering is necessary but, in the case of voting systems, may be especially difficult to achieve. In fact, such systems have more similarities to the software behind rocket launches than more conventional business productivity software. We should thus expect the consequential high costs and, despite all this extra effort, that the occasional catastrophe will be inevitable.


Facial Recognition Accuracy

Since my last two posts have been about biometrics, how about a related one concerning crowd facial recognition? Bruce Schneier points to German test results (in German):

Two hundred frequent travellers volunteered to have their faces recorded and three different systems tried to recognize the faces in the crowds of a train station. Results (in German): 60% recognition at best, 30% on average (depending on light and other factors).

Facial recognition in a crowded public place seems like an extraordinarily hard computing problem to solve. Oditogre, an early commenter on Bruce’s original post, raises an interesting question:

Google translator mangled it pretty badly, but I got the gist enough that it didn’t seem to say how many false positives there were. That would be the biggest issue, to me. If they can achieve 30% recognition rate with 0% false positive rate, that could well be a very effective system for catching fugitives, but otherwise, it’s just going to be a bad waste of money.

I personally don’t see how you can have a 30% success rate with zero false positives. Network IDS systems can’t prevent false positives and they’re working with binary data. Later on in the comments it appears that the false positive rate was 0.1%. While this may seem good, imagine how many folks will walk past a particular point in Times Square today or the Otemachi metro station in Tokyo.
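As an added illustration that is not part of the original post, here is the base-rate arithmetic behind that last sentence, using the 30% recognition and 0.1% false-positive figures above; the daily throughput numbers and the single watchlist match per day are assumed parameters, not measurements.

```python
"""Base-rate arithmetic for the crowd facial-recognition figures above.

Added example, not part of the original post. The 30% recognition rate and
0.1% false-positive rate come from the post; the daily throughput figures
and the watchlist hit count are constructed assumptions, not measurements.
"""


def expected_alerts(throughput, hits_present, recall, false_positive_rate):
    """Return (true_alerts, false_alerts) expected at one camera in one day.

    throughput:          people passing the camera per day
    hits_present:        how many of them are actually on the watchlist
    recall:              fraction of watchlist faces the system recognizes
    false_positive_rate: fraction of non-watchlist faces wrongly flagged
    """
    innocents = throughput - hits_present
    true_alerts = hits_present * recall
    false_alerts = innocents * false_positive_rate
    return true_alerts, false_alerts


def precision(true_alerts, false_alerts):
    """Fraction of raised alerts that are genuine (positive predictive value)."""
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


if __name__ == "__main__":
    RECALL = 0.30   # "30% on average" from the German test results
    FPR = 0.001     # the 0.1% false-positive rate reported in the comments
    # Constructed scenarios: one wanted person in the crowd per day at each site.
    for label, throughput in (("quiet station", 10_000), ("busy station", 300_000)):
        tp, fp = expected_alerts(throughput, 1, RECALL, FPR)
        print(f"{label}: {throughput} people -> {tp:.2f} expected true alerts, "
              f"{fp:.0f} false alerts, precision {precision(tp, fp):.3%}")
```

The point the numbers make: at a busy checkpoint a 0.1% false-positive rate produces hundreds of innocent stops per day for a fraction of one genuine hit, so operators would quickly learn to ignore the alerts.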


Radius Cracked!

Apologies for the sensationalist title, I couldn’t help myself. I’m writing this blog post using voice recognition software as my left arm is broken. I broke it snowboarding in a half-pipe at Squaw Valley this past weekend. Given my day job, there was only one bone in my arm that I could have possibly broken–that’s right, my radius. Feel free to insert your own joke about the robustness, scalability, and reliability of radius. I, for one, have a new-found respect for the importance your radius plays in daily life.

RSA Conference Next Week

Just a quick note to remind folks that next week is the RSA Conference in San Francisco. I’ll be up in the city much of the week and would love to chat with anyone who reads this blog. My company is in booth 430 and I’ll be around there much of the time. If you’d like to chat, drop me a line or swing by the booth.

On another note, sorry about the lack of posts of late. I was working against a publishing deadline which I’ve now met. I’m sure RSA will provide plenty of fodder for future posts. Last year’s RSA was all about NAC, this year it will be interesting to see what the buzz-leader is.


IPv6 Security Update

Happy New Year everyone! I hope that folks had a great holiday. I thought I’d start off 2007 with a bit of an off-topic post.

Back in 2004 Darrin Miller and I did some work looking into IPv6 security. The major result was a paper describing the various security considerations in IPv6, setting aside IPsec. At the time, the majority of the research we saw was looking at IPsec as the principal means of securing IPv6. Since IPsec support is a “standard” feature of IPv6, this was a reasonable assumption. As it turns out, for various reasons outlined in the paper, this wasn’t such a good idea. The paper was well received and even found its way into some US-CERT recommendations, and was largely reused as chapter nine of Deploying IPv6 Networks.

Fast-forward almost three years from then and some things have changed and many others haven’t. The IETF v6ops working group is still churning out new docs on the subject, which is great. However, just like in 2004, the market seems to be ignoring IPv6. Not even a federal mandate to deploy v6 in the government by 2008 is enough to get things going. GCN recently reported as much, highlighting agency concern that security vendors aren’t migrating their products to IPv6 quickly enough.

I’ve not done a lot of poking around in IPv6 security lately. In preparing for this blog post I went through and updated my IPv6 security links page to tag any additional dead links and add a few new ones. The fact that this links page–largely untouched since 2004–returns in the top five results of a Google search for “IPv6 security” says more about the attention paid to the subject than a lengthy blog post ever could have. The top result is a presentation (from a former colleague at Cisco) that Darrin and I expanded on in our work. Eric did a great job with that presentation, but given the government’s focus on IPv6, I would have guessed research from 2003 would not be so well ranked.
