ZDNet UK



Tom Espiner


Security Bullet In

Communiques from the security front, sir

Wednesday 2 April 2008, 5:25 PM

Red Hat 'disappointed but not surprised' by OOXML result

Posted by Tom Espiner

Open source vendor Red Hat has expressed its disapproval of the process by which Microsoft's Office Open XML was adopted as an ISO standard.

Microsoft has faced allegations of 'stuffing the ballot boxes' to push through the document format, and could be under investigation by the EC for anti-competitive practices in ramming home OOXML.

"Red Hat was disappointed but hardly surprised that the single-vendor, monopolist-promulgated standard, Office Open XML, made it through an unfortunately flawed fast-track ISO approval process," wrote the Red Hat legal team in a blog post. "We also note that there remains an ongoing investigation by the European competition authorities into the practices employed in the process."

"So, if you define interoperability as single vendor’s format to promote operation with that same vendor’s dominant product, you can declare victory," the post continued. "But Red Hat thinks governments and enterprises are not so easily confused. The Open Document Format, which has long been a multiparty-supported ISO standard, will continue to be a force in procurement decisions to be reckoned with. Government and Enterprises are tired of the lack of choice, lack of innovation, and premium rents from vendor lock-in. We doubt anyone will be confused by this outcome."

The Red Hat legal team has more faith in governments' IT procurement capabilities than I do, then.

Meanwhile, the Association for Competitive Technology (ACT), an organisation that lobbies governments to limit antitrust action, to limit the uptake of free and open source software in government and to support strong intellectual property rights in software, was jubilant. Some claim ACT is a front for Microsoft, which is a member; however, ACT has other members, including eBay, Oracle and VeriSign.

"ACT and thousands of software developers around the world support ISO approval of OOXML," wrote ACT president Jonathan Zuck. "ACT’s support is based on giving developers an open standard that both enables high fidelity archiving of billions of existing electronic documents, and supports the thousands of existing applications built on the Microsoft Office platform." Zuck obviously thinks that reports that OOXML is not interoperable with versions of Windows prior to Vista are overblown.

"The efforts of IBM, Sun, and their allies to polarize and politicize this technical standards process seem to have blown up in their faces," says Zuck, using language that obviously isn't meant to inflame the debate.

"Rather than learn from their mistakes IBM and friends are now trying to tarnish the reputation of ISO and its members," Zuck continues. How could Microsoft encouraging its members to join ISO committees to push through the OOXML specification possibly tarnish ISO's reputation? And could it be that governments will not be able to trust ISO/IEC DIS 29500, as OOXML is now known, as far as they could throw it?


Tuesday 18 March 2008, 6:16 PM

Hannaford supermarket chain loses up to 4.2m records

Posted by Tom Espiner

The US supermarket chain Hannaford has lost up to 4.2 million customer card records.

A Hannaford employee told ZDNet.co.uk on Tuesday that 2,000 of the compromised credit and debit card details had already been used in fraudulent transactions, and confirmed that the company may have lost up to 4.2 million details.

In a press release posted on its site on Tuesday, the New England company said the details had been taken while card authorisations were in transit, rather than from a stored database.

"The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization," said the release.

When I rang Hannaford's, one of their employees told me that the breach had extended from 7 December until 10 March.

"We had 4.2 million transactions during that time frame," said the employee. "We don't know how many cards were affected. We've definitely had a lot of worried customers." The employee added that no customer names had been associated with their credit card details.

The details appear to have been lost in a similar way to the 45 million records taken from retailer TJX, which protected its in-store wireless networks with WEP, a scheme whose keys could be recovered from captured traffic with tools that were publicly available years before that breach.


Thursday 21 February 2008, 1:53 PM

US brings down its spy satellite

Posted by Tom Espiner

The US Navy claims to have scored a hit on an ailing spy satellite, and brought it down.

Last week the Pentagon announced that the US Navy was to fire on the satellite. The Pentagon said the ailing satellite had to be destroyed before it re-entered the Earth's atmosphere because its tank contained hydrazine, a toxic rocket propellant derived from ammonia.

According to a US DoD press release, at about 10.26pm EST yesterday the USS Lake Erie (CG-70) fired a single modified tactical Standard Missile-3 (SM-3), hitting the satellite approximately 247 kilometres (133 nautical miles) above the Pacific Ocean as it travelled at more than 17,000 mph. USS Decatur (DDG-73) and USS Russell (DDG-59) were also part of the task force.

The US DoD claimed a hit on the satellite's fuel tank. However, it being a spy satellite, the US is obviously anxious to recover any bits and pieces that don't get burnt up in the earth's atmosphere. The Press Association reported that the US will send "hazardous materials" teams, codenamed 'Burnt Frost', to recover any pieces that fall to earth.

Russia has questioned the US explanation for bringing down the satellite, claiming it was a thinly disguised arms test, reports ZDNet.co.uk sister site CNet News.com.

Me, I reckon it's all of the above, apart from the rocket fuel explanation. Consider the size of the earth vs. the size of a satellite - what's the likelihood a) that much of the satellite would survive entering the earth's atmosphere if the DoD just left it, and b) even if some of it did survive, that it would hit an inhabited part of the world?

Defence people are always paranoid their gadgets may fall into the hands of the 'enemy', while shooting down their own satellite gives the US DoD an excuse to develop the technology needed to shoot down satellites.

How to test whether that technology works? Why, by shooting down their own satellite they can test the technology, while not provoking the international incident that would occur if they shot down someone else's spy satellite, say China's, or Russia's. The US DoD now has a plethora of data about shooting down spy satellites, and has also handily demonstrated to any potential 'enemy' that it has the capability to shoot down objects orbiting the earth.

Everyone's a winner, apart from the American taxpayer. The US DoD spent $30m on that one missile alone, according to some reports - it would be interesting to know what the total bill will be. I'd imagine spy satellites don't come cheap.


Wednesday 20 February 2008, 5:34 PM

Security scholarships up for grabs

Posted by Tom Espiner

Security certification body (ISC)2 has announced eight scholarships for post-graduate students doing information security research.

One-year scholarships of up to £6,250 each will be awarded to up to eight full-time post-graduate information security students, at any regionally accredited university worldwide, said an (ISC)2 press release. The submission deadline is April 30, 2008.

However, the bar is quite high for gaining the scholarships. To apply, candidates must submit a scholarship application form, undergraduate and graduate transcripts, three character references and a proposed budget for using the scholarship funds. Students must also include a certified statement from their faculty advisor or institution confirming that:

· The applicant is a post-graduate student in good standing in the institution and with the relevant department;

· The applicant is pursuing a defined information security research project that has been approved by their college or university.

In addition, the applicant's research supervisor must submit a letter of endorsement reflecting the character of the individual and the projected timeline to project completion.

At the time of writing, (ISC)2 was unavailable for comment, but I put a question to them as to why the entry criteria were so stringent, especially the multiple character references: Is it to keep crackers out?


Tuesday 19 February 2008, 3:42 PM

Hardware encryption: Caveat emptor

Posted by Tom Espiner

When is 128-bit AES not 128-bit AES? When it's actually XOR.

According to security publication Heise, numerous hardware encryption products are being misadvertised as encrypting data using 128-bit AES.

The Advanced Encryption Standard (AES) is a symmetric block cipher standardised by NIST in 2001 (FIPS 197) and used by the US government, and by many other organisations, that want very strong encryption indeed.

Heise sister publication c't magazine cracked open an Easy Nova Data Box by German vendor Drecom, advertised as using 128-bit AES. By analysing what the device actually wrote to its storage, c't found that the data was not passed through a block cipher at all: it was simply combined with a fixed key using exclusive-or (XOR).

The problem with XOR and a fixed key is that it is no stronger than a Vigenère cipher on bytes: every ciphertext byte at a given key position is the plaintext byte combined with the same constant, so the frequencies of letters and groups of letters survive into the ciphertext and give the key away. It gets worse if the attacker can guess any stretch of plaintext (a file header, a run of zero bytes in an unused sector), because XORing that guess with the corresponding ciphertext yields the key directly.

This is exactly how c't worked out the XOR scheme.

"Who would have expected that decryption would be so easy?" said the article. "Indeed, the bar is so low that even novice attackers will have no trouble getting over it."

Moreover, when c't put its findings to Innmax, maker of the IM7206 controller chip used in the device, the company confirmed them.

The publication warned that other hardware encryption products built on the IM7206 will probably be just as easy to crack. The lesson for buyers is that '128-bit AES' printed on the box is not evidence of anything: either look for independent validation of the cryptographic module (FIPS 140-2, for example) or test the device yourself by writing known data to it and examining what actually lands on the flash.
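How such a scheme falls, as an added example that is not part of the original post and not c't's, Drecom's or Innmax's code: the Python below builds a ciphertext from a constructed sample document and an assumed 7-byte key, then recovers the key from the ciphertext alone, first the key length (XOR with a constant only relabels symbols, so the index of coincidence of each column is unchanged and the correct column split shows English-like statistics) and then each key byte by letter-frequency scoring. It also shows the known-plaintext shortcut mentioned above and a quick check a reviewer can run on a device's raw output. The sample text, the key and the function names are all assumptions for the demonstration.

```python
"""Breaking 'encryption' that is really fixed-key XOR, from ciphertext alone.

Added example for the c't finding; not c't's test harness and not Drecom or
Innmax code. The sample document and the 7-byte key are constructed for the
demonstration; the attack functions only ever see the ciphertext."""
import random
from collections import Counter
from itertools import cycle

# Constructed sample: the kind of file a user would keep on an "AES" USB drive.
SAMPLE_PLAINTEXT = (
    b"Quarterly report for the finance department. Revenue grew in every region "
    b"this year, driven by strong demand for the new product line and lower "
    b"shipping costs. The board has asked that the figures in this document are "
    b"kept confidential until the results are announced. Please do not copy this "
    b"file to removable media unless the device has been approved by the security "
    b"team, and make sure that printed copies are shredded after the meeting. The "
    b"next review of our storage policy is scheduled for the spring, when we expect "
    b"to replace the remaining laptops with models that offer full disk encryption. "
    b"Until then, staff should keep sensitive material on the shared drive, which "
    b"is backed up every night and monitored by the operations group. Thank you "
    b"for your attention to these matters during a demanding year for the company."
)
SAMPLE_KEY = bytes.fromhex("5ac3197e01aa33")  # assumed key; unknown to the attack

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as often as needed; encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def index_of_coincidence(column: bytes) -> float:
    """P(two bytes drawn from the column are equal): roughly 0.06-0.08 for
    English, about 1/256 for real cipher output. XOR with one constant byte
    only relabels symbols, so it leaves this value unchanged."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))

def key_length_scores(ciphertext: bytes, max_len: int = 16) -> dict:
    """Mean IC of the ciphertext split into L interleaved columns, for each L."""
    return {L: sum(index_of_coincidence(ciphertext[i::L]) for i in range(L)) / L
            for L in range(1, max_len + 1)}

def guess_key_length(ciphertext: bytes, max_len: int = 16) -> int:
    """Shortest L whose columns look like single-byte-XORed text. Multiples of
    the true length score about as well, hence the smallest good candidate."""
    scores = key_length_scores(ciphertext, max_len)
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.85 * best)

# Relative English frequencies (percent); space is the commonest symbol of all.
ENGLISH_FREQ = {"e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
                "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, " ": 13.0}

def english_score(text: bytes) -> float:
    """Higher for bytes that read like English; the control and high bytes
    that a wrong key byte produces are penalised heavily."""
    score = 0.0
    for b in text:
        if 32 <= b < 127 or b in (9, 10, 13):
            score += ENGLISH_FREQ.get(chr(b).lower(), 0.0)
        else:
            score -= 50.0
    return score

def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Attack each key byte on its own column: try all 256 values and keep
    the one whose decrypted column looks most like English."""
    key = bytearray()
    for i in range(key_len):
        column = ciphertext[i::key_len]
        key.append(max(range(256),
                       key=lambda k: english_score(bytes(c ^ k for c in column))))
    return bytes(key)

def key_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int = 0) -> bytes:
    """Known-plaintext shortcut: ciphertext XOR plaintext is the key stream, so
    a recognisable file header (or a sector of zeros) hands the key over."""
    return bytes(c ^ p for c, p in zip(ciphertext[offset:], known))

def break_repeating_xor(ciphertext: bytes):
    """Ciphertext-only attack end to end: returns (key, recovered plaintext)."""
    key = recover_key(ciphertext, guess_key_length(ciphertext))
    return key, xor_bytes(ciphertext, key)

def looks_like_repeating_xor(ciphertext: bytes, max_len: int = 16) -> bool:
    """Quick test for a device under evaluation: a real block cipher in a sane
    mode keeps the IC near 1/256 for every L; fixed-key XOR stands out."""
    return max(key_length_scores(ciphertext, max_len).values()) > 0.02

def random_stand_in(n: int, seed: int = 2008) -> bytes:
    """Deterministic pseudo-random bytes standing in for proper cipher output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

if __name__ == "__main__":
    ct = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("fixed-key XOR suspected:", looks_like_repeating_xor(ct))
    key, pt = break_repeating_xor(ct)
    print("recovered key:", key.hex(), "matches:", key == SAMPLE_KEY)
    print("known-plaintext key:", key_from_known_plaintext(ct, SAMPLE_PLAINTEXT[:7]).hex())
    print(pt[:45].decode())
    print("fixed-key XOR suspected:", looks_like_repeating_xor(random_stand_in(len(ct))))
```

Run it directly to watch the key come back out of the ciphertext. The same looks_like_repeating_xor check applied to the raw contents of a device that really used AES in any sane mode would return False, because block-cipher output has an index of coincidence near 1/256 at every column spacing; a device whose raw flash scores like English at some spacing is not doing what the box says.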


Tom Espiner, ZDNet Staff, London, UK