Category Archives: Security

Bittersweet Security

All the way north on the Island of Madagascar is a city named Ambanja. The E. Guittard company claims to produce a 65% cacao bittersweet with flavors from the region. If you believe their website, the bars are a product of Criollo beans from the fertile Sambirano Valley.

Personally, all I can say is that I found the Ambanja Bittersweet very dry and light in taste, and a stark contrast to Guittard’s Chucuri Bittersweet. The latter is apparently a Columbian bean, which I think has a far more smooth and spicy flavor with a rich and familiar aftertaste.

This all makes me wonder if the “unknown” method of distributing food will come under pressure from newer and better distribution methods for old-world and boutique-type brands.

Take for example the unpleasant situation when a restaurant tells you that ground beef can not be prepared “rare” because of a law meant to protect you from disease — bad beef. Someone should alert the big beef that automation can be counter-productive when it becomes overly efficient at promoting one value in spite of all the others. In fact I usually say I would pay more if I could get a hamburger that came right from the “trusted” local butcher because I know my body is happier when I eat better food. I guess I should find out if you can even have a local butcher, baker…

So although I truly appreciate the security control model provided by the US government to reign in the mass-automation meal industry I would much rather know that the origins of my meal could be traced and therefore controlled right at the root-causes. Come to think of it, how do I find out whether the beef industry has the same or better tolerance for risk that I do? Is their idea of “safe” one in 1,000,000 deaths or is it the big fat 0?

Consider for a second the BSE website, which was prominently advertised on the front page of the National Cattlemen’s Beef Association. It provides the following assurance:

U.S. beef producers have worked with federal authorities for more than 15 years to set up the system of science- based firewalls that is working today to keep the food supply safe.

Hmmm, last time I checked firewalls are a single control and thus widely considered insufficient on their own to provide adequate security. Not such a great marketing campaign, if you ask me. Alas, nothing else is mentioned although I found it interesting that the Cattlemen’s website also links to some anti-vegetarian propaganda.

I suspect that if a proper set of consumer-based controls were in place, they might be able to preserve “single-origin” (e.g. quality) values on a large scale, such that we would still have excellent flavor and texture along with desireable price. But until that happens, wise consumers seek out the small-batch and single-origin brands that are a healthier choice and more in tune with their real needs (better cost-benefit ratio).

Back to chocolate, I have to wonder, are you safer trying to stay on top of the additives in the giant brand chocolate bars, or are controls more likely to be present and effective with small-batch real cacao, cane sugar, lecithin and vanilla? And does fair-trade mean less chance of sabotage? Mmmm, chocolate.

When was the last time you looked at your Padlock?

The little gold SSL padlock, that is.

VeriSign is reported to be saying some interesting things about changes they would like to see to increase user trust in SSL certificates. Most would agree that the level of protection from SSL encryption has made a huge improvement to online commerce for a very minimal investment (even “official” intermediary-signed SSL certs can be purchased for as little as $30/each). However the ubiquity of SSL, and lack of a unified standard root authority, has included a trade-off in terms of validity of the certificates. In other words, as the old adage goes, the lower the barrier to adoption the higher the rate of fraud.

So, if you are a certificate-selling company, you are probably debating how to introduce new controls to (re)establish the trustworthiness of the padlock (and raise prices). The browser companies are thusly also considering how to upgrade the padlock to represent the upcoming upgrade in “assurance”. Well, actually, to be fair they are considering how to represent the assurance that was supposed happen in the first place, now that the current icon has been watered-down to represent “RC4128” and not much more:

When the padlock was first invented by Netscape in the early days of the Web, it stood for a secured connection with an identified Web site. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo. “Browsers did an end-run around this. Nobody expected anyone to delete what was a key part of the certificate issuance process, which was the business verification,” she said. “Browsers were unprepared to display high assurance and low assurance certificates in a different way.”

Kudos to Comodo for saying so…I guess if you have lost control of a currency’s value, you have to print new currency to restablish control.

Sober Day, 2006

F-secure has an excellent write-up on their blog that details an impending Sober attack, scheduled for January 06, 2006:

Sober.Y was the biggest email outbreak of the year. It still is responsbile for around 40% of all the infections we see. This variant is programmed to activate on January 6th, 2006. After this date all the infected machines will regularily try to download and run a file from a website, forever. The virus even synchronizes the machines via atom clocks so the activation will not happen before January 6th, even if the clock of the computer is incorrect.

Scan early, scan often. But the more interesting part of their log entry is this:

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn’t want to talk about it publically then – we didn’t want to fill in the virus writer on this. But he must know this by now.

And then they give examples of the URLs. Nice work.