Sunday, February 14, 2010

2010: Year of the Tiger, Let's stop it from extinction

Good news: China and India are working together to save the Royal Bengal Tiger.
Sad fact: Most of the 100+ tigers lost in 2009 were poached under mysterious circumstances. We need more than statements from the two nations to save this endangered beauty.

Sixty years ago, the tiger count was more than 11,000 in the Indian subcontinent. This has dropped to 1,000 as we enter the year of the tiger. Since the last "tiger year" was celebrated in 1998, the wildcat's population has halved. We need to collectively turn around and eliminate this half-life period of the Bengal tiger. Folks in India, South Korea, North Korea, Japan, China and all over the Asian continent are after the carnivore for religious/superstitious reasons. From its skin, nostrils and penis to its bones, this beautiful beast is mercilessly cornered and killed. Chinese medicine made out of tiger skin does not help the situation either. The Chinese government has long denied direct or indirect links to tiger poaching in India. Their plan to legalize poaching is no answer to protecting India's national animal. Wild tigers suffer immensely from rapidly shrinking habitat and food sources. Humans have hunted the tiger's primary prey, such as deer and wild pigs, almost to extinction. Lifting China's ban on the tiger part trade and legalizing it would only increase the threat from profit-driven poachers by placing an irresistible bounty on the head of wild tigers.

Global weather pattern changes and rising sea levels have a direct effect on the decline of the tiger population, whether Siberian, Royal Bengal or otherwise. Malaysia has an ambitious goal to double its population of wild tigers to 1,000. One wonders why China and India cannot follow suit. India's tiger economy may survive the financial and socio-political crisis. The question that we need to answer is: can India save the tiger?

At times like these, the superstitious may believe ~Vyagrho rakshati rakshitaha~ will turn around this shameless act of modern-day man.
"Vyaghra rakshati rakshitaha" translates to "Saving the tiger will save you in return". I wonder what the right words in Cantonese or Mandarin are? For now, I'd say "Gong Xi Fa Cai!" May the Year of the White Tiger be prosperous and lucky for you, your family and the Tiger.

Saturday, February 13, 2010

Balancing out the perils of social networking

There are going to be more critics than fans on the subject of the perils of social networking. However, there are three sides to every argument: the conservative (leftist), the progressive, and the truth.

Social networking is the fastest growing industry. I finally gave in to social networking a few weeks ago and have been addicted to it. I have not yet reached the crossover stage to term this unproductive. The expectation to reply to a wall, tweet, or buzz is analogous to being online on IM at the workplace. This raises the question of how an organization balances this raging technology. Research indicates that 75% of the workforce accesses their Social Networking (SN) sites during work time. Blocking access to SN is a common practice, but it is not a solution: it is a hassle for administrators, who have to add more proxies to the blacklist each day.

Nothing propagates faster than a tweet these days. Until recently, celebrities were being attacked by traditional media for tweeting so much. Now Twitter is the media everyone's quoting. While SN provides huge advantages in finding old pals, lost relatives, job opportunities, and life partners (yeah!), you are exposed to strangers (stalkers), a ton of spam, and false profiles. Bad publicity is supposed to be worse than none, excepting the folks on the silver screen.

One has to treat access to social networking sites just as one treats access to one's bank accounts. Following best practices, like not revealing personal information publicly, should be among the top priorities.

None of the popular SN sites are all sunshine and completely foolproof. With a little negligence on the part of the individual, some of them could prove dangerous. A little too much to reveal on this social networking account ;-)

Thursday, June 25, 2009

Security and Privacy: Best practices?

For more than a couple of decades we have been trying to build secure systems and applications. Enormous time and effort from academia and industry have taken the technologies surrounding security to new dimensions. However, a majority of these areas still remain vulnerable to attack. Operating systems with weak controls and unaddressed flaws have been widely adopted for cost and ease, and every so often we hear the words "open source" used to justify the choice.

Layers of so-called 'security software' have been built on top of these flaws to mask the fundamental security threats. The configuration of these security layers, and the job of having to run them during critical work hours, has never gone down well with end users, creating an additional burden. This does not help the system's performance and leaves a lot to be desired when it comes to creating efficient and smart security software packages. When you consider insider threats, the pre-configured intrusion systems and firewalls do not serve the purpose. On top of these we have malware detection systems and the requirement to get the latest "live" patches. Yet I am not sure whether we are moving away from or closer to securing our critical data. On top of this, identity theft is definitely not declining, in spite of all these kewl and secure tools. In fact, identity theft affected almost 10 million victims in 2008 in the United States alone - an embarrassing 22% increase from 2007.

I am positive that one of the reasons for these repeated failures is that we are not addressing the root cause of the problem. Threats are by nature all unique. The timing, nature, environment and the state of the application software make each one close to non-replicable. To give a malware instance an Einsteinian analogy: two objects, however identical, cannot exist in the same space at the same time. Environment and ecosystem details define the state of the attack and the nature of the threat's entry point. Get this: there cannot be one security system for all attacks. The more artificial and incomplete solutions you throw on top of your core system, the more burden you add to it, making it even more vulnerable. The worst part is your ignorance of the newer potential threats to which you have just exposed your systems. Think about taking a pill that cures your headache but carries unknown health hazards as side effects.

Once upon a time, a wise man by the name of Birbal was walking back to his king's palace. Birbal found a man looking for a ring in a heap of sand beside the road. Birbal asked the man if he knew that the ring was in the sand. 'Yes,' was the answer. 'I made a hole and put it in myself to keep it safe.' 'Didn't you mark the exact place?' asked Birbal. 'Yes. Do you think I would bury a ring of great value without a sign? Right above the place where I buried the ring was a cloud shaped exactly like a camel. Now the cloud has gone, and my ring seems to have gone also.' There are many lessons one can infer from this story, one of them being to make sure we search for solutions in the right places. This applies aptly to privacy and cybersecurity. If an attacker is motivated and has sufficient time and history with a particular system, no system is foolproof. There is no perfect security system as such, and an assured denial-of-service attack can be accomplished with enough exposure to a system environment. That is why we use the term "best practices": the real goal should be to anticipate all the possible threats and construct sufficient defenses against each of the likely ones. Your overall goal has to be to reduce overall risk and minimize the time and extent for which your system is compromised.

Building generic security tools on top of systems that are not well understood is like sending open invitations to hackers, and at the same time it neglects the basic premise of secure computing: only privileged users can have access to security/admin sections. We need to start thinking about what policies and rules we need to put in place while adding newer pieces of software, and then... strictly enforce them. It cannot be the other way around. You cannot have a management solution for a technical problem. The other part is to ascertain the true value of the assets that we are protecting and determine the tolerance level for a given exposure.

As responsible members of the secure computing ecosystem, we need to ensure we do not look for the ring under the cloud where we buried it. Do you feel completely secure completing an online bank transaction? Ignore the insurance part. Here are some recent examples of internal threats where no firewall could have worked its magic wand.

(1) Yusuf Acar, Washington D.C.'s CSO, is still in jail on charges relating to the bribery scheme he was running out of his office. One of the biggest challenges facing authorities is understanding how pervasive his access was to systems and information in the IT infrastructure - Acar had set up backdoors throughout the organisation through his privileged accounts;

(2) In one of the most infamous cases of privileged abuse, IT worker Terry Childs was charged with bringing San Francisco to a grinding halt last year by using his privileged admin account to lock down the San Francisco IT system;

(3) Fannie Mae narrowly avoided a devastating attack after a former employee used his privileged access to implant a logic bomb on the company's network that could have brought the network down entirely.

So... what questions do you have in your mind? Doubt, they say, isn't the opposite of faith; it is an element of it.