Archive for April, 2006

Best practice on password management

April 29th, 2006

This morning I read a good essay named “Security Myths and Passwords” by Prof. Eugene Spafford. Prof. Spafford voiced his doubts about best practices in password management policy, such as the “monthly change”, based on the interesting origin of this “best practice”.

Most defects and outright failures in enterprise security defense systems can be root-caused to problems in “security execution”, i.e. the discrepancy between the policy and the real environment. Security managers simply copy those best practices into their “policy” without considering their staff, the staff's skills, the data to protect, or the threats to contain or mitigate.

Categories: -English-, Security Tags: Security

Will Net Neutrality come again?

April 29th, 2006

See the comment at The Register titled “Net Neutrality bid gone for good” by Andrew. A bunch of Internet giants expressed their discontent over Net Neutrality, for its vagueness and unfairness. Andrew hopes for a “more coherent and professional fashion”, and even “with better branding”. The key point in my mind, for its possible return, is the balance of benefits between the operators of the transmission network (typically the traditional telcos) and the content and service providers (CP/SPs). The latter would not like to let the former “tame” the Internet, but rather “foster” it.

See the story by Andrew.

Categories: P2P, Telecom

Instant Rails 1.3

April 25th, 2006

Rails is an outstanding framework for rapid web-application development. It greatly reduces the time and prerequisites for web developers. Now there is even a quick way to speed up installing and using Rails: Instant Rails. Below is the release information for its latest release, 1.3.

Categories: -English-

SMA, VoIP and Identity

April 25th, 2006

There is an interesting description of SMA (Secure Mobile Architecture) by another Richard, from Boeing :) . SMA is expected to address security and identity issues in VoIP for enterprise networks, with a sample implementation inside Boeing.


There have to be some fundamental changes in the way the Internet operates. One way is through a framework and architecture called the Secure Mobile Architecture (SMA). This architecture is published by The Open Group and is available at the following URL:
http://www.opengroup.org/bookstore/catalog/select.tpl?text=secure+mobile+arch

The architecture addresses many of the issues you have been talking about. Until we actually address the issues of basing security on the MAC and IP addresses, all of your approaches will not address the basic problem.

I have an example of the issues that hiding our heads in the sand can lead to. I have been a member of IEEE 802.11 since about 1995. Boeing got involved in 802.11 because of the potential solutions 802.11 provided for both Internet access onboard airplanes and for the mobile enterprise communications. So I got involved early in the security provided for the Wireless LANs. The initial group of 802.11 standards developers felt, as I did, that the WEP was sufficient (good enough) to get the standard rolling. It wasn’t! The work around was VPNs for any wireless connections, but it definitely slowed and inhibited the growth of WLANs. It took six years to provide a WEP replacement that was cryptographically secure.

If IEEE 802.11i is any example, the VOIP growth and viability is inexorably tied to how secure our telephone calls are. I have always been incredulous that we never cared very much how vulnerable our telephone conversations are. The wire makes us seem less vulnerable, but in fact, backbone communications links are sometimes over major microwave links. Many of the Fortune 500 contractually stipulate that none of their business communications are sent over microwave links. In addition to the microwave links, we have wholly trusted our telephony companies to protect us and they have done quite a good job in that most of the connections are in central offices that have not been broken into. This is all changing now and this mailing list is at the forefront of the discussion. What do we do about voice security now that our telephone conversations are riding over the Internet and have all the Internet vulnerabilities of viruses, MAC address spoofing, IP address spoofing, replay, spamming, etc?

In the big picture, end-to-end secure sessions with cryptographically based mechanisms to identify people and machines are the only way to assure secure VOIP communications. In our work with the Secure Mobile Architecture (SMA), we have been exposed to all the regulatory requirements for privacy and legality. These requirements include Sarbanes-Oxley, HIPAA, and many others. They are quite extensive and demanding, especially of privacy and protection from exposure on the Internet. Without addressing the requirement of an end-to-end cryptographically secure infrastructure, we are not addressing the problem and those of us responsible for unleashing VOIP on the world have a responsibility to address this problem in a big picture way.

The core of the problem comes from the relationship of security and identity. When I first heard and participated in discussions on identity management, I was very skeptical that this was a required discipline at all. In fact, I still think that identity management is not the right term for what we need to address in Internet VOIP and WLAN infrastructure contexts. We do not need to manage the identities. In reality, the people, organizations, and enterprises need to be assured that their identities are protected when they use the Internet. So, the identity of a person or machine must be protected in a business context or in an individual context. By the way, this identity of a machine is an imperative one to address. We are still not doing a good job of identifying a computer or intelligent machine’s identity. In fact, as VOIP gets more integrated into the business processes and telephony becomes more versatile and VOIP applications are used for event notification, the validity of such processes is dependent on getting the cryptographically validated sources of the VOIP information you get.

The architecture The Open Group developed called the Secure Mobile Architecture (SMA) deals with these issues through the use of four elements (Boeing deployment): 1. Public Key Infrastructure (PKI) access, 2. use of the Host Identity Protocol (HIP), 3. a Network Directory Service (NDS), and 4. use of a Location Enabled Network Service (LENS). I will treat each of these and their relationship to VOIP and VOIP security in the following four paragraphs.
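The argument made in the quoted post, that a check keyed on MAC and IP addresses is satisfied by spoofing alone while an identity bound to a key is not, in an added Python example. This is not code from the original post, from Boeing or from the SMA specification. The host name, the addresses and the frame are constructed for the illustration, and a per-host HMAC secret stands in for the public-key host identity that HIP actually uses; that substitution is an assumption made only so the example needs nothing beyond the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this illustration: the single host an
# address-based policy records as trusted. Both values are made up.
TRUSTED_MAC = "00:1a:2b:3c:4d:5e"
TRUSTED_IP = "10.0.0.7"


def address_based_check(frame):
    """Legacy policy: admit any frame whose source MAC and IP match the
    trusted host. Both fields are chosen by the sender, so a spoofed frame
    satisfies this check without possessing anything secret."""
    return frame["src_mac"] == TRUSTED_MAC and frame["src_ip"] == TRUSTED_IP


def response_tag(key, nonce, host_id):
    """Keyed answer to a challenge: binds the host identity to a fresh nonce.
    HIP answers with a public-key signature; an HMAC over a per-host secret
    stands in here (assumption) so the example stays standard-library only."""
    return hmac.new(key, nonce + host_id.encode(), hashlib.sha256).hexdigest()


class KeyBoundHost:
    """A host whose identity is a key rather than the addresses it uses."""

    def __init__(self, host_id, key):
        self.host_id = host_id
        self._key = key

    def respond(self, nonce):
        return self.host_id, response_tag(self._key, nonce, self.host_id)


class Verifier:
    """Holds enrolled host keys, issues one-time challenges and verifies
    answers. A nonce is retired after its first accepted answer, so a
    captured answer cannot be replayed."""

    def __init__(self):
        self._keys = {}
        self._outstanding = set()

    def enroll(self, host_id, key):
        # Enrollment happens out of band (SMA hands this to a PKI); here it is a dict.
        self._keys[host_id] = key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, host_id, tag):
        key = self._keys.get(host_id)
        if key is None or nonce not in self._outstanding:
            return False
        if not hmac.compare_digest(response_tag(key, nonce, host_id), tag):
            return False
        self._outstanding.discard(nonce)  # retire it: a second use is a replay
        return True


def demo():
    """Run the four cases the post contrasts and return the outcomes."""
    verifier = Verifier()
    key = secrets.token_bytes(32)
    legit = KeyBoundHost("voip-gw-01", key)  # hypothetical host name
    verifier.enroll(legit.host_id, key)

    # 1. Attacker writes the trusted addresses into a frame: address check passes.
    spoofed = {"src_mac": TRUSTED_MAC, "src_ip": TRUSTED_IP,
               "payload": b"INVITE sip:alice@example.com SIP/2.0"}
    spoof_passes_address_check = address_based_check(spoofed)

    # 2. Legitimate host answers a challenge with its key: accepted.
    nonce = verifier.challenge()
    host_id, tag = legit.respond(nonce)
    legit_accepted = verifier.verify(nonce, host_id, tag)

    # 3. Attacker replays the captured (nonce, tag) pair: rejected.
    replay_accepted = verifier.verify(nonce, host_id, tag)

    # 4. Attacker with spoofed addresses but no key forges an answer: rejected.
    nonce2 = verifier.challenge()
    forged = response_tag(b"not-the-key", nonce2, host_id)
    forgery_accepted = verifier.verify(nonce2, host_id, forged)

    return {
        "spoof_passes_address_check": spoof_passes_address_check,
        "legit_accepted": legit_accepted,
        "replay_accepted": replay_accepted,
        "forgery_accepted": forgery_accepted,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The verifier retires a nonce only after an accepted answer, so an attacker who sees the challenge cannot burn it with a garbage response and lock out the real host; the replay in case 3 fails because the legitimate answer already consumed the nonce. Nothing in the key-bound path looks at source addresses at all, which is the decoupling of identity from location the post is arguing for.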

Categories: -English-, Security, Telecom

Novell Acquires e-Security

April 21st, 2006

On April 19, 2006, Novell announced the acquisition of e-Security, Inc. for US$72 million. e-Security is a small private company focused on security information and event management. As you may know from my “SOC in China” post, its product was the first SOC product implemented in China, introduced by iS-One. It has now become the prey of Novell, which was famous for NetWare and Unix and is now known for its directory. Both are struggling to make a living under competition from the big management-software vendors.

It is an important event in the SOC/SIM market, following the acquisition of neuSecure by Micromuse, which was in turn acquired by IBM.

Categories: -English-, Security

Will RSS steal away your page view?

April 21st, 2006

When we had dinner at the CCClub Beijing gathering yesterday evening, I suggested that Billy add an RSS feed to the web site. Billy told me he thinks RSS might steal away much of the web site's page views and thus lower readers' stickiness. I don't think so.

When you prepare to roll out your RSS feed, you may be thinking that feed readers won't click through to the “original page”, so that your page views will erode. It seems a reasonable thought. But my first question is: why do you run your web site? My second question is: why are so many web sites hurrying to advertise their RSS feeds?

If some of your RSS items never bring your subscribers to click further, there may be two reasons: your content is just not absorbing enough, or the content in the feed is already enough at that moment. In the first case, of course, it is not the readers' fault. You need to improve your content, or they are simply not your target readers, i.e. a wrong subscription that hurts neither party. In the second case, you have already succeeded in your goal, to broadcast your message, so why waste further bandwidth and add server load? You lose nothing but sterile page views.

Rather, RSS may bring something good that you overlook. An RSS feed greatly eases accessibility and readability. As a result, your message will reach more desktops than by just staying on your web site.
Buddy, just go RSS. It won't steal your page views or erode your reader stickiness at all. It will do good.

Categories: -English- Tags: RSS, Web2.0

My tag cloud

April 21st, 2006


tagcloud, originally uploaded by Richard Zhao.

When I was participating in the CNNOG 3 conference, I wrote down my tag cloud as the diagram shows, where you might find such a tremendous scope that you have to take a peek to catch up with the earth rolling.

Categories: -English-

Incredible Skype censorship by China

April 20th, 2006

FT.com reports that “Skype says texts are censored by China”, by Alison Maitland. It is incredible, from both technical and political aspects. I do believe it is a story distorted by Western reporters. Every Skype user can testify to the lie and absurdity. It betrays the fact that scepticism and bias toward China have expanded from VoIP to text chat. See what he said below:

Skype, the fast-growing internet communications company that belongs to Ebay, has admitted that its partner in China has filtered text messages, defending this compliance with censorship laws as the only way to do business in the country. In a Financial Times interview, Niklas Zennström, Skype’s chief executive, responded to accusations that the company had censored text messages containing words like “Falun Gong” – a banned movement – and “Dalai Lama”. He said that Tom Online, its joint venture partner in China, was complying with local law.

“Tom had implemented a text filter, which is what everyone else in that market is doing,” said Mr Zennström. “Those are the regulations.”

He claimed that compliance with Chinese censorship was no different from obeying rules governing business in western countries. China, along with the US and Germany, is one of Skype’s three biggest markets in terms of active users of its free telephony service, which routes encrypted calls between computers via the internet.

Entering the controversy that has seen Yahoo, Google and Microsoft heavily criticised for working with China’s censorship rules, Mr Zennström said: “I may like or not like the laws and regulations to operate businesses in the UK or Germany or the US, but if I do business there I choose to comply with those laws and regulations. I can try to lobby to change them, but I need to comply with them. China in that way is not different.”

Categories: P2P Tags: Skype, China

Force10 releases 10GE IDS/IPS

April 18th, 2006

Force10 is entering new territory with yesterday's release of its P-series 10GE/GE IDS/IPS. Basically, these are the first 10G IDS/IPS products on the market. The Force10 P-series includes the P-10, which has two 10GE ports, and the P-1, which has two 1GE ports. They can work off a switch SPAN port, like an IDS, or in-line, like an IPS. Force10 will compete against Juniper, Cisco, Fortinet, 3Com and other high-end IDS/IPS/UTM vendors.

It is a bit astonishing that the 2x10GE P-10 is condensed into a 1U rack-mountable box. Based on its patented DPI (deep packet inspection) technology, the P-series engines run at full line rate on GbE or 10 GbE links with full deep-packet inspection and stateful signatures/policies enabled.

While they're at it, Force10 officials are taking a swipe at the mainstream security market with the P-1, a similar two-port box for Gigabit Ethernet lines.

MetaNetworks was shipping its own products, but those are subsumed by the P-series, which Force10 believes is more suitable for volume shipments. Force10 officials have said they'll eventually turn MetaNetworks's FPGA-based technology into a series of blades.

Any lead Force10 has in 10-Gbit/s security might not last long. Fortinet Inc. admits it doesn't have a 10-Gbit/s intrusion detection and prevention box, but the company pledges it will "announce something, probably within the next couple of months," a spokeswoman says.

Both of the P-series systems are shipping in production, with the P-10 listed at $95,000 and the P-1 at $38,000.


Categories: -English-, Security

More on SOX – VoIP

April 18th, 2006

Gary Audin wrote a good post on VoIP and SOX, with a very unique viewpoint and insight. Gary reviewed the goal of SOX, criticized its maturity and operability, and even predicted modifications in the near future.

The SOX goal is to ensure the reliability of publicly reported financial information. Corporate boards, enterprise executives and directors, attorneys, auditors, small business owners, rank and file employees and security analysts have expanded duties as well as penalties as a result of the SOX act. The legislation was not thoroughly debated. The result is being questioned, delayed and will probably be modified. It is a moving target where auditors may develop new policies and requirements in the future. My initial comments on SOX will be found in the previous blog, “Putting up with SOX”.

Further, Gary discussed what IP telephony (IPT) / VoIP systems might mean for SOX compliance.

IP Telephony systems will have IP phones that may access the Internet and softphones that are compromised. These could be the man-in-the-middle for attacks or malicious behavior. The call server could be hijacked to create denial of service for the VoIP service. Trojan break-ins could access financial information from an IPT device. Even when there are security personnel and procedures in place, if they are handled poorly and the CEO and CFO falsely report that they are diligent in their control, penalties may occur.

….

Do not wait for the audit. The results can be costly. Be proactive as you move to VoIP/IPT.

IMHO, because SOX is a financially oriented act, if VoIP/IPT is not your business, i.e. not a revenue generator, you might not need to cover VoIP in your SOX compliance audit, because in general such systems are not used to process and control financial numbers. However, it is different for VoIP operators, where the security controls on VoIP billing directly impact the final financial results and, moreover, the shareholders' interests.

Categories: Security, Telecom

ISP Rise Against P2P Users

April 17th, 2006

There are pungent comments, criticism, satire, etc. directed at ISPs and telecom operators from all over the Internet for their blocking, filtering and even passive attitude towards P2P. However, from the standpoint of the ISPs, they have a lot of heartbroken stories to tell their subscribers, shareholders and regulators. It seems the world has been divided into two camps: the P2P pros and the P2P cons. But who is the judge?

See an absorbing discussion named “ISP Rise Against P2P Users” at slashdot.org. Below are some excerpts…

bananaendian writes “Spencer Kelly from BBC’s Click program writes about the emerging backslash against high bandwidth P2P users. Apparently it has been estimated that up to one third of the Internet’s traffic is caused by the BitTorrent file-sharing program. Especially ISPs who are leasing their bandwidth by the megabyte are more inclined to resort to ‘shaping your traffic’ by throttling ports, setting bandwidth limits or even classifying accounts according to services used. What is your ISP's policy regarding P2P and is it fair for them to put restrictions and conditions on its use?”

ISP: Backslash
P2P: Forward slash. Riposte.
ISP: Touché. QOS Packet Filtering!
P2P: Lunge. Encryption!
ISP: En garde. Subpoena compliance.
P2P: Aahaaah! Ubiquitous Mesh Networks.
ISP: Arrrgh! [dies].

Where is BadAnalogyGuy when you need him?

Hello, Dad? I’m in jail.

Categories: P2P, Telecom Tags: Telecom, P2P, VoIP

First lawsuit on P2P copyright infringement in China

April 14th, 2006

The first lawsuit over copyright infringement by P2P software in mainland China was reported yesterday.

Kuro is a web company providing music sharing services with its P2P-based software. According to its web site, it offers downloading and sharing of more than half a million MP3 pop songs and other music, using software named Kuro, which is reported to have been developed by a Taiwanese software company.

A music and culture company in Shanghai, Busheng, claimed that Kuro illegally distributes 59 songs owned by it, without any payment or even notification.

P2P is an excellent technical model for mass file downloading and sharing. The number of P2P-based applications keeps rocketing, along with strong legal dissent. Several countries are legislating to regulate the development and application of P2P sharing and downloading. In the Greater China region, the first lawsuit over BT (BitTorrent, the most famous P2P file-sharing software) was reported in Hong Kong last year, where the defendant was found guilty and sentenced to three months in prison.

Although P2P sharing companies are often harassed by legal issues, nobody would overlook their potential impact on the Internet. A recent report that Google was acquiring VeryCD revealed the business value behind such P2P sharing platforms. VeryCD is the hub of the newly rich eMule P2P sharing platform, where you can find numerous movies, songs, books and other electronic media shared by millions of eMule users.

Categories: P2P, Telecom

IM reviews at IM Watch

April 12th, 2006

There are floods of IM clients waiting for your choice, aren't there? But which one do you like? Which one fits your interests best? I believe you don't have time to review them one by one. In fact, even if you had the time, you just wouldn't want to. :)

IM Watch is doing that for you. It lists and reviews almost every one you have heard of (except the most popular one in China, Tencent's QQ), covering Gtalk, Skype, GAIM, AIM, Unyte, Gizmo Project, Chatzilla, Psi, PhoneGaim, Yahoo Messenger, …

For a more comprehensive collection of IM clients, see Betanews.

Categories: P2P

Anonymizer, what is it?

April 10th, 2006

A week ago, Anonymizer announced the availability of its Operation: Anti-Censorship software, which is “designed to circumvent Chinese government efforts to block access to certain Web sites”, according to an Infoworld report.

Categories: -English-, P2P, Security, Telecom

Who killed Lucent?

April 7th, 2006

Now everyone in the world knows about Lucent's acquisition by Alcatel, or, you could say, the merger. Who turned the telecom vendor giant into prey? Who is the root-cause killer of Lucent? Of course, not Alcatel.
When I graduated from PKU and joined China Telecom to start my career in 1997, Lucent, not long after its spin-off from AT&T, was the superstar of the stock market and one of the top telecom vendors in the world, full of respect and honours from the industry, along with a soaring stock price. Its employees were very proud of their titles and name cards. The red circle logo was the image of success, high stability and reliability. At that time Cisco was merely a challenger with something called “IP” technologies. One of my friends who was going to interview at Cisco's China office told me: “I am going to interview at a small company named Cisco…”.

Categories: -English-, Telecom