Well like many people out there I have determined that Microsoft had rushed the xbox 360 out too fast. The initial production run has thermal issues. I have had the red ring of death 4 times now. I have had the E74 error once. To Microsoft's credit they have proven that they want to make it right. I have gotten rush service and advanced hand holding the more problems I have had.
This last time we got the E74 error. In looking up the cause I was surprised to see that this too was a thermal issue. After the last Red Ring O' Death they had sent me a box that was very cool even after hours of play. All the ones before that were hot to the touch. This new unit is cool as well.
Microsoft has bundled the Netflix service in the 360. After the implosion of HD DVD I thought Microsoft would have to license Blu Ray. I guess not. Initial reports on the service are good. So the question is do I splurge on another 360 for the upstairs TV? PS3 may have the cheapest Blu Ray player but unless all of them start to get cheaper, I think Microsoft will put a dent in the market for people who are just looking to watch a HD movie.
Friday, November 21, 2008
Thursday, November 20, 2008
A difficult interview question
In my role as system architect I get to interview the people for positions on my team. Most of my colleagues will ask the pure knowledge questions like "How would you implement an abstract class of vehicle given that you need subclasses of car and bus?" This kind of question shows that you understand OO concepts or you don't. Some of my questions are like this but I utilize some that are more vague. The one question that I always use will be
"Given a hypothetical project with 5 sub tasks, 3 of which you have done before and know how to do, and the last 2 are new techniques you have never done before - Given a hard deadline tell me in what order do you do the tasks?"
Most inexperienced people will say "I will complete the easy tasks and then complete the hard tasks." Some people with experience will say the opposite. Either answer is correct, but the real question is next - "Why". Many candidates have a difficult time clearly explaining why. My preferred answer places the unknown tasks ahead of the known tasks for one simple reason. It eliminates risk from the project. If you perform the 3 known tasks and then get to the unknown tasks and discover that they cannot be completed, then you have failed in completing the project and expended the energy to do the 3 known tasks. If you attempt the 2 unknown tasks first then you might discover in the early phases that the project cannot be completed before you attempt the 3 known tasks.
Net take away: Always take the path to eliminate risk from your project as soon as possible.
"Given a hypothetical project with 5 sub tasks, 3 of which you have done before and know how to do, and the last 2 are new techniques you have never done before - Given a hard deadline tell me in what order do you do the tasks?"
Most inexperienced people will say "I will complete the easy tasks and then complete the hard tasks." Some people with experience will say the opposite. Either answer is correct, but the real question is next - "Why". Many candidates have a difficult time clearly explaining why. My preferred answer places the unknown tasks ahead of the known tasks for one simple reason. It eliminates risk from the project. If you perform the 3 known tasks and then get to the unknown tasks and discover that they cannot be completed, then you have failed in completing the project and expended the energy to do the 3 known tasks. If you attempt the 2 unknown tasks first then you might discover in the early phases that the project cannot be completed before you attempt the 3 known tasks.
Net take away: Always take the path to eliminate risk from your project as soon as possible.
Tuesday, November 11, 2008
No https, No transaction
I'm in the middle of a big home improvement project right now. I'm casting some concrete countertops for my bar in the basement. I was searching for some materials for this and found a site that I wanted purchase from. So I drop the item in my order cart and whip out my trusty credit card and click "Checkout now". I'm about to input all my info including CVV when I noticed there is no https in the URL. I was so disappointed. I emailed the company to give them a heads up and then went and found a different location for the product I wanted.
Labels:
security
Click to enlarge
One of my biggest annoyances is when you are shopping for items in a well laid out web catalog. You click on the item you want to look at. There is a link that says "enlarge". I click and I get an image about 1 - 5 % larger. What a waste of time. NewEgg knows how to present the merchandise.
Friday, November 7, 2008
How come?
When Firefox and IE give the security warning that page has secure and unsecure elements, HOW COME I can't see a list of what is unsecure?

When I click on details in IE I get

Come on.. throw me a bone people.


When I click on details in IE I get

Come on.. throw me a bone people.

Labels:
browser,
firefox,
technology
Thursday, November 6, 2008
A list of my favorite software
- Tomcat
- MySQL
- Eclipse / MyEclipse
- SQLYog
- Ubuntu
- Apache Commons
- Firefox
Labels:
technology
Password Management
We all have passwords. As IT professionals we have gotten used to them. Hopefully you have memorized them and they are not on a Post it next to your screen. What I want to discuss is separating passwords for different duties.
Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.
Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.
This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195
With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.
To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.
To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.
To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.
To protect your banking and financial sites, again select yet another password.
To protect your work, again select yet another password.
This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.
Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.
Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.
This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195
With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.
To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.
To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.
To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.
To protect your banking and financial sites, again select yet another password.
To protect your work, again select yet another password.
This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.
Securing Keystores I
The application I am working on is a secure document management system. Internal users and external users can share documents instead of passing them around by email. Security requirements have made encryption of these documents a certainty. Documents are uploaded via https so there is not problem in transport, but they have to reside encrypted on the disk as well. The IT Security group was looking for the following features.
If an attacker was to mount a brute force attack then they would have to first break the PBE on the keystore, then they would have to break the 2048 bit RSA wrapping the keys.
The keystore generation program will generate a keystore with a specified number of AES 256 bit keys. This number of keys will need to be substantially large to accommodate a unique key for each document. We use will use 50000. This should provide a set of keys randomly distributed within the keyspace.
Given that there is a possibility of an attack against two or more encrypted documents we will ensure that no two documents are encrypted with the same key.
Each document will be encrypted with a randomly selected key from this pool. Allowing that the password based encryption of the keystore is breakable, I decided to use the keywrap classes to encrypt each secret key.
If you make the assumption that a keystore's PBE can be broken, then it would be relatively trivial to write a program to attempt to decrypt the files with the secret keys. We need a way to lock this keystore specifically to our code. To do this we will end up storing the RSA private key used to wrap the AES keys in our program as a byte array. This will lock this keystore to the code used to decrypt the files. Thus the attacker will have to grab the classes as well as the encrypted files and the keystore.
Below are the relevant parts of our keystore generator.
- Key rotation - allowing a security manager to generate a new keystore and rekey all documents as needed.
- Keystore password stored on remotely.
- Keystore password > 25 chars.
If an attacker was to mount a brute force attack then they would have to first break the PBE on the keystore, then they would have to break the 2048 bit RSA wrapping the keys.
The keystore generation program will generate a keystore with a specified number of AES 256 bit keys. This number of keys will need to be substantially large to accommodate a unique key for each document. We use will use 50000. This should provide a set of keys randomly distributed within the keyspace.
Given that there is a possibility of an attack against two or more encrypted documents we will ensure that no two documents are encrypted with the same key.
Each document will be encrypted with a randomly selected key from this pool. Allowing that the password based encryption of the keystore is breakable, I decided to use the keywrap classes to encrypt each secret key.
If you make the assumption that a keystore's PBE can be broken, then it would be relatively trivial to write a program to attempt to decrypt the files with the secret keys. We need a way to lock this keystore specifically to our code. To do this we will end up storing the RSA private key used to wrap the AES keys in our program as a byte array. This will lock this keystore to the code used to decrypt the files. Thus the attacker will have to grab the classes as well as the encrypted files and the keystore.
Below are the relevant parts of our keystore generator.
...snip... String keyStoreEntryAlias = null; // Change the output file location to where ever you want to store the new KeyStore File keyStoreOutputFile = new File(keyStoreName); KeyStore keyStore = null; try { // NOTE: This creates numKeys of random SecretKey. If you lose the keystore and you have used it // to encrypt some file you are HOSED. DO NOT lose the KeyStore file that is // generated from this program. Keep a second copy on a CD and put it in a safe. // // We are using the AES encryption algorithm to represent our SecretKey // Create an empty keyStore keyStore = KeyStore.getInstance("JCEKS"); keyStore.load(null, password); //create RsaEncrypter with nulls to use the embedded keys. RsaEncrypter rsaEncrypter = new RsaEncrypter(null, null); PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(rsaEncrypter.getPrivateKey().getEncoded()); String privateKeyStr = Base64.encodeToString(privateKeySpec.getEncoded(), true); System.out.println( "PrivateKey: \n\r" + privateKeyStr ); // to output embedded private key with some massaging. add quotes take off [] System.out.println( "Embedded PrivateKey: \n\r" + Arrays.toString(privateKeyStr.toCharArray())) ; X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(rsaEncrypter.getPublicKey().getEncoded()); String publicKeyStr = Base64.encodeToString(publicKeySpec.getEncoded(), true); System.out.println( "PublicKey: \n\r" + publicKeyStr ); // to output embedded public key with some massaging. add quotes take off [] System.out.println( "Embedded PublicKey: \n\r" + Arrays.toString(publicKeyStr.toCharArray()) ); for (int i=0; i<> { KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey key = keyGen.generateKey(); byte[] wrappedKey = rsaEncrypter.wrapKey(key); //System.out.println( "NakedKey: " + key.getEncoded()); //System.out.println("WrappedKey: " + wrappedKey.toString()); SecretKeySpec skWrapSpec = new SecretKeySpec(wrappedKey, "AES"); //create a alias for the key keyStoreEntryAlias = (String)RandomStringUtils.randomAlphanumeric(16); // test to see if key alias already exists if (! keyStore.containsAlias(keyStoreEntryAlias) ) { // Add our secret key as an entry in the empty keyStore KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(skWrapSpec); keyStore.setEntry(keyStoreEntryAlias, skEntry, new KeyStore.PasswordProtection(password)); } } // Write the keyStore to disk. FileOutputStream fos = new FileOutputStream(keyStoreOutputFile); keyStore.store(fos, password); System.out.println("AES 256 Key store created with " + keyStore.size() + " random RSA wrapped SecretKeys. \r\n"); System.out.println("Alg --- Aliases --- \r\n"); Enumeration aliases = keyStore.aliases(); StringBuffer buf = new StringBuffer(""); while (aliases.hasMoreElements()) { String keyName = (String)aliases.nextElement(); SecretKey theKey = (SecretKey)keyStore.getKey(keyName,password); String keyStr = ""; String algorithm = theKey.getAlgorithm(); if (verbose) { keyStr = Base64.encodeToString(theKey.getEncoded()); } buf.append( algorithm ).append(" ").append(keyName).append("| ") buf.append( keyStr ).append("\r\n-----------------------\r\n"); } System.out.println( buf.toString() ); System.out.println("File is: \"" + keyStoreOutputFile.getCanonicalPath() + "\""); } catch (Exception e) { System.out.println("Error: " + e); e.printStackTrace(); } ...snip... Stay tuned ... I will reveal the RSAEncrypter and AESEcrypter source to show you how the wrapping and unwrapping occurs. If you are looking for more information on the key wrapping technique these references may help. http://www.faqs.org/rfcs/rfc3394.html http://www.java2s.com/Code/Java/Security/WrapAndUnwrapKey.htm http://books.google.com/books?id=WLLAD2FKH3IC&pg=PA50&lpg=PA50&dq=key+Wrapping+java&source=web&ots=O9EnrPo8xB&sig=8UuFnc04iXEhBqeduJLKZU46MFk&hl=en&sa=X&oi=book_result&resnum=3&ct=result These two don't use the KeyWrap technique but they are similar. http://www-users.york.ac.uk/~mal503/lore/pkencryption.htm http://www.junkheap.net/content/public_key_encryption_java
Labels:
encryption,
enterprise_software,
java,
keystore,
security
Hello World
Is this thing on? What else did you expect for my first post... something profound?
Labels:
errata
Subscribe to:
Posts (Atom)