Well I don't understand what those fools in Washington are doing. The subprime mortgage mess introduced a lot of debt into the system that got resold. The risk on this debt is unknown because the initial lenders did not do the proper vetting before granting the loans. Then they took these turds and rolled them into bigger turds and sold them to investment banks and foreign investors. Well the investors quit buying when they saw the writing on the wall and stuck the investment banks with the remaining crap loans. The only way we are going to get out of this mess is for all that 'bad debt' to get classified. Sure some of the homeowners that got those crazy loans will default, but not all. Once the risk is measurable then the banks will start lending to each other because their assets will be transparent. The banks will trust each other, what a novel concept! In the mean time, since banks aren't lending, business are burning stored capital (e.g. GM). To squelch this torrent, they are closing down lines, laying off and coming to the government with hat in hand.
My biggest concern in the whole fiasco is that our leaders will take the route of just throwing our hard earned tax money at it and hoping it will go away. Ladies and gentlemen of the Senate and House I hope you have more respect for my taxes than that. Initially, it was going to be a big handout. Then Paulson saw that the Brits were investing in their banks, and expecting some sort of return down the road. Well and good maybe we will get something for our money. Not that I like de facto nationalization of companies much more.
So what to do.
1. Setup a clearinghouse for troubled loans. This agency (yuck more government) would be able to take a adjustable rate loan that someone is having trouble meeting @ prime plus and convert it into a fixed rate that is tiered based on applicant credit score. Didn't we do something like this for the S&L mess?
2. At some point you have to make money more expensive (higher interest rates) to properly compensate investors for the risk in the system. Right now they have lowered the Fed funds rate to get banks to lend but that is not working. Rate is commensurate with risk. If there is more risk in the system then the rate must go up (duh)!
3. Let's face it we are in for a long hard season of layoffs. There are two tools that government uses to get the economy going again. The first is start a war... Well that's not an option. The second is start some infrastructure projects. The 30s saw TVA, dams, WPA etc. I'm not sure we need something to that scale, yet... but how about building out a high speed rail link to Chicago from New York? What about wind farms in Kansas? Let's put some of that American innovation to work.
As Oscar Rodgers of SNL Weekend update said so eloquently...
FIX IT! Strap it down and FIX IT! Now!
Friday, December 5, 2008
Friday, November 21, 2008
xbox 360
Well like many people out there I have determined that Microsoft had rushed the xbox 360 out too fast. The initial production run has thermal issues. I have had the red ring of death 4 times now. I have had the E74 error once. To Microsoft's credit they have proven that they want to make it right. I have gotten rush service and advanced hand holding the more problems I have had.
This last time we got the E74 error. In looking up the cause I was surprised to see that this too was a thermal issue. After the last Red Ring O' Death they had sent me a box that was very cool even after hours of play. All the ones before that were hot to the touch. This new unit is cool as well.
Microsoft has bundled the Netflix service in the 360. After the implosion of HD DVD I thought Microsoft would have to license Blu Ray. I guess not. Initial reports on the service are good. So the question is do I splurge on another 360 for the upstairs TV? PS3 may have the cheapest Blu Ray player but unless all of them start to get cheaper, I think Microsoft will put a dent in the market for people who are just looking to watch a HD movie.
This last time we got the E74 error. In looking up the cause I was surprised to see that this too was a thermal issue. After the last Red Ring O' Death they had sent me a box that was very cool even after hours of play. All the ones before that were hot to the touch. This new unit is cool as well.
Microsoft has bundled the Netflix service in the 360. After the implosion of HD DVD I thought Microsoft would have to license Blu Ray. I guess not. Initial reports on the service are good. So the question is do I splurge on another 360 for the upstairs TV? PS3 may have the cheapest Blu Ray player but unless all of them start to get cheaper, I think Microsoft will put a dent in the market for people who are just looking to watch a HD movie.
Labels:
technology,
xbox360
Thursday, November 20, 2008
A difficult interview question
In my role as system architect I get to interview the people for positions on my team. Most of my colleagues will ask the pure knowledge questions like "How would you implement an abstract class of vehicle given that you need subclasses of car and bus?" This kind of question shows that you understand OO concepts or you don't. Some of my questions are like this but I utilize some that are more vague. The one question that I always use will be
"Given a hypothetical project with 5 sub tasks, 3 of which you have done before and know how to do, and the last 2 are new techniques you have never done before - Given a hard deadline tell me in what order do you do the tasks?"
Most inexperienced people will say "I will complete the easy tasks and then complete the hard tasks." Some people with experience will say the opposite. Either answer is correct, but the real question is next - "Why". Many candidates have a difficult time clearly explaining why. My preferred answer places the unknown tasks ahead of the known tasks for one simple reason. It eliminates risk from the project. If you perform the 3 known tasks and then get to the unknown tasks and discover that they cannot be completed, then you have failed in completing the project and expended the energy to do the 3 known tasks. If you attempt the 2 unknown tasks first then you might discover in the early phases that the project cannot be completed before you attempt the 3 known tasks.
Net take away: Always take the path to eliminate risk from your project as soon as possible.
"Given a hypothetical project with 5 sub tasks, 3 of which you have done before and know how to do, and the last 2 are new techniques you have never done before - Given a hard deadline tell me in what order do you do the tasks?"
Most inexperienced people will say "I will complete the easy tasks and then complete the hard tasks." Some people with experience will say the opposite. Either answer is correct, but the real question is next - "Why". Many candidates have a difficult time clearly explaining why. My preferred answer places the unknown tasks ahead of the known tasks for one simple reason. It eliminates risk from the project. If you perform the 3 known tasks and then get to the unknown tasks and discover that they cannot be completed, then you have failed in completing the project and expended the energy to do the 3 known tasks. If you attempt the 2 unknown tasks first then you might discover in the early phases that the project cannot be completed before you attempt the 3 known tasks.
Net take away: Always take the path to eliminate risk from your project as soon as possible.
Tuesday, November 11, 2008
No https, No transaction
I'm in the middle of a big home improvement project right now. I'm casting some concrete countertops for my bar in the basement. I was searching for some materials for this and found a site that I wanted purchase from. So I drop the item in my order cart and whip out my trusty credit card and click "Checkout now". I'm about to input all my info including CVV when I noticed there is no https in the URL. I was so disappointed. I emailed the company to give them a heads up and then went and found a different location for the product I wanted.
Labels:
security
Click to enlarge
One of my biggest annoyances is when you are shopping for items in a well laid out web catalog. You click on the item you want to look at. There is a link that says "enlarge". I click and I get an image about 1 - 5 % larger. What a waste of time. NewEgg knows how to present the merchandise.
Friday, November 7, 2008
How come?
When Firefox and IE give the security warning that page has secure and unsecure elements, HOW COME I can't see a list of what is unsecure?

When I click on details in IE I get

Come on.. throw me a bone people.


When I click on details in IE I get

Come on.. throw me a bone people.

Labels:
browser,
firefox,
technology
Thursday, November 6, 2008
A list of my favorite software
- Tomcat
- MySQL
- Eclipse / MyEclipse
- SQLYog
- Ubuntu
- Apache Commons
- Firefox
Labels:
technology
Password Management
We all have passwords. As IT professionals we have gotten used to them. Hopefully you have memorized them and they are not on a Post it next to your screen. What I want to discuss is separating passwords for different duties.
Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.
Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.
This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195
With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.
To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.
To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.
To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.
To protect your banking and financial sites, again select yet another password.
To protect your work, again select yet another password.
This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.
Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.
Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.
This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195
With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.
To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.
To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.
To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.
To protect your banking and financial sites, again select yet another password.
To protect your work, again select yet another password.
This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.
Securing Keystores I
The application I am working on is a secure document management system. Internal users and external users can share documents instead of passing them around by email. Security requirements have made encryption of these documents a certainty. Documents are uploaded via https so there is not problem in transport, but they have to reside encrypted on the disk as well. The IT Security group was looking for the following features.
If an attacker was to mount a brute force attack then they would have to first break the PBE on the keystore, then they would have to break the 2048 bit RSA wrapping the keys.
The keystore generation program will generate a keystore with a specified number of AES 256 bit keys. This number of keys will need to be substantially large to accommodate a unique key for each document. We use will use 50000. This should provide a set of keys randomly distributed within the keyspace.
Given that there is a possibility of an attack against two or more encrypted documents we will ensure that no two documents are encrypted with the same key.
Each document will be encrypted with a randomly selected key from this pool. Allowing that the password based encryption of the keystore is breakable, I decided to use the keywrap classes to encrypt each secret key.
If you make the assumption that a keystore's PBE can be broken, then it would be relatively trivial to write a program to attempt to decrypt the files with the secret keys. We need a way to lock this keystore specifically to our code. To do this we will end up storing the RSA private key used to wrap the AES keys in our program as a byte array. This will lock this keystore to the code used to decrypt the files. Thus the attacker will have to grab the classes as well as the encrypted files and the keystore.
Below are the relevant parts of our keystore generator.
- Key rotation - allowing a security manager to generate a new keystore and rekey all documents as needed.
- Keystore password stored on remotely.
- Keystore password > 25 chars.
If an attacker was to mount a brute force attack then they would have to first break the PBE on the keystore, then they would have to break the 2048 bit RSA wrapping the keys.
The keystore generation program will generate a keystore with a specified number of AES 256 bit keys. This number of keys will need to be substantially large to accommodate a unique key for each document. We use will use 50000. This should provide a set of keys randomly distributed within the keyspace.
Given that there is a possibility of an attack against two or more encrypted documents we will ensure that no two documents are encrypted with the same key.
Each document will be encrypted with a randomly selected key from this pool. Allowing that the password based encryption of the keystore is breakable, I decided to use the keywrap classes to encrypt each secret key.
If you make the assumption that a keystore's PBE can be broken, then it would be relatively trivial to write a program to attempt to decrypt the files with the secret keys. We need a way to lock this keystore specifically to our code. To do this we will end up storing the RSA private key used to wrap the AES keys in our program as a byte array. This will lock this keystore to the code used to decrypt the files. Thus the attacker will have to grab the classes as well as the encrypted files and the keystore.
Below are the relevant parts of our keystore generator.
...snip... String keyStoreEntryAlias = null; // Change the output file location to where ever you want to store the new KeyStore File keyStoreOutputFile = new File(keyStoreName); KeyStore keyStore = null; try { // NOTE: This creates numKeys of random SecretKey. If you lose the keystore and you have used it // to encrypt some file you are HOSED. DO NOT lose the KeyStore file that is // generated from this program. Keep a second copy on a CD and put it in a safe. // // We are using the AES encryption algorithm to represent our SecretKey // Create an empty keyStore keyStore = KeyStore.getInstance("JCEKS"); keyStore.load(null, password); //create RsaEncrypter with nulls to use the embedded keys. RsaEncrypter rsaEncrypter = new RsaEncrypter(null, null); PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(rsaEncrypter.getPrivateKey().getEncoded()); String privateKeyStr = Base64.encodeToString(privateKeySpec.getEncoded(), true); System.out.println( "PrivateKey: \n\r" + privateKeyStr ); // to output embedded private key with some massaging. add quotes take off [] System.out.println( "Embedded PrivateKey: \n\r" + Arrays.toString(privateKeyStr.toCharArray())) ; X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(rsaEncrypter.getPublicKey().getEncoded()); String publicKeyStr = Base64.encodeToString(publicKeySpec.getEncoded(), true); System.out.println( "PublicKey: \n\r" + publicKeyStr ); // to output embedded public key with some massaging. add quotes take off [] System.out.println( "Embedded PublicKey: \n\r" + Arrays.toString(publicKeyStr.toCharArray()) ); for (int i=0; i<> { KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey key = keyGen.generateKey(); byte[] wrappedKey = rsaEncrypter.wrapKey(key); //System.out.println( "NakedKey: " + key.getEncoded()); //System.out.println("WrappedKey: " + wrappedKey.toString()); SecretKeySpec skWrapSpec = new SecretKeySpec(wrappedKey, "AES"); //create a alias for the key keyStoreEntryAlias = (String)RandomStringUtils.randomAlphanumeric(16); // test to see if key alias already exists if (! keyStore.containsAlias(keyStoreEntryAlias) ) { // Add our secret key as an entry in the empty keyStore KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(skWrapSpec); keyStore.setEntry(keyStoreEntryAlias, skEntry, new KeyStore.PasswordProtection(password)); } } // Write the keyStore to disk. FileOutputStream fos = new FileOutputStream(keyStoreOutputFile); keyStore.store(fos, password); System.out.println("AES 256 Key store created with " + keyStore.size() + " random RSA wrapped SecretKeys. \r\n"); System.out.println("Alg --- Aliases --- \r\n"); Enumeration aliases = keyStore.aliases(); StringBuffer buf = new StringBuffer(""); while (aliases.hasMoreElements()) { String keyName = (String)aliases.nextElement(); SecretKey theKey = (SecretKey)keyStore.getKey(keyName,password); String keyStr = ""; String algorithm = theKey.getAlgorithm(); if (verbose) { keyStr = Base64.encodeToString(theKey.getEncoded()); } buf.append( algorithm ).append(" ").append(keyName).append("| ") buf.append( keyStr ).append("\r\n-----------------------\r\n"); } System.out.println( buf.toString() ); System.out.println("File is: \"" + keyStoreOutputFile.getCanonicalPath() + "\""); } catch (Exception e) { System.out.println("Error: " + e); e.printStackTrace(); } ...snip... Stay tuned ... I will reveal the RSAEncrypter and AESEcrypter source to show you how the wrapping and unwrapping occurs. If you are looking for more information on the key wrapping technique these references may help. http://www.faqs.org/rfcs/rfc3394.html http://www.java2s.com/Code/Java/Security/WrapAndUnwrapKey.htm http://books.google.com/books?id=WLLAD2FKH3IC&pg=PA50&lpg=PA50&dq=key+Wrapping+java&source=web&ots=O9EnrPo8xB&sig=8UuFnc04iXEhBqeduJLKZU46MFk&hl=en&sa=X&oi=book_result&resnum=3&ct=result These two don't use the KeyWrap technique but they are similar. http://www-users.york.ac.uk/~mal503/lore/pkencryption.htm http://www.junkheap.net/content/public_key_encryption_java
Labels:
encryption,
enterprise_software,
java,
keystore,
security
Hello World
Is this thing on? What else did you expect for my first post... something profound?
Labels:
errata
Subscribe to:
Posts (Atom)