Author Archive

First Impressions: An Introduction to and Comparison of American Websites

October 7th, 2009 2 comments

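I had wanted to use a bigger title, a comparison of the Chinese and American Internet, but I am not an expert in this area, so on reflection this title is more fitting. This is a summary of some of the web pages I have browsed recently, combined with what I know of Chinese web pages, to make a comparison and note a few differences; I leave the more professional evaluation to everyone else.

I. Different understanding of the positioning of web pages
1. A website exists to provide services to its users Read more…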

[Chinese] China's telecom industry uses peer-to-peer networks to challenge international mobile core network standards

March 31st, 2009 2 comments

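This article reviews the industry's progress in applying peer-to-peer network technology to the mobile core network, as well as the efforts and contributions of China's telecom industry in this field. The related performance and security issues are studied and analyzed. Finally, the article gives an analysis of and outlook on future research directions.
Keywords: peer-to-peer network, distributed technology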
International Standards of Mobile Core Network Based On P2P Technology
Abstract: This paper reviewed the new progress at mobile core network based on P2P technology. Technological challenges, including performance and security problems, are investigated. Finally, the trend analysis and roadmap were given.
Key Words: Peer to Peer Network, Distributed Network Technology Read more…

WordPress released 2.6.5 to fix security problems

November 26th, 2008 No comments

WordPress released a new stable version 2.6.5. The official WordPress organization advises all users to upgrade to this new version. The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x.

Categories: -English-

Quotes of Security

October 22nd, 2008 No comments

The problem is that security’s effectiveness can be extremely hard to measure. Most of the time, we hear about security only when it fails.

- Bruce Schneier, "Beyond Fear: Thinking Sensibly About Security"

There is no security on this earth, only opportunity

- Douglas MacArthur (1880-1964)

Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative. If we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.
- Bill Gates

Categories: -English-, Security

Insiders dodge security for productivity, RSA says

October 16th, 2008 2 comments

A recent survey by RSA found that insiders dodge security for productivity. I agree that it's very common in a company for workers and employees to share a computer or share some accounts. It might be not a bad compromise for a non-critical and non-sensitive IT environment in order to save costs. Anyway, in most cases, it violates best practice and should be corrected.

Categories: -English-, Security

First ride of imo.im

September 12th, 2008 3 comments

It’s very exciting to get the login page of https://imo.im. It’s amazing. It’s a web-based multi-client instant messenger. At this moment, it can support MSN, Yahoo, AIM / ICQ, Google Talk, MySpace, and Skype. Yes, and Skype.

I used my MSN account to do the first ride. It has multiple crisp and slim windows embedded in the webpage, one small window per session. The login and chatting are very responsive. It supports Chinese (double-byte characters) very well.

Then I began to test Skype. The Skype login is quite fast. It works! I am wondering how these guys simulate a Skype client to log in. You know, two years ago it became top news when somebody re-engineered the Skype protocol and developed their own Skype-compatible client.

I know imo.im is using SSL. However, before users rush to switch to imo.im, they must solve the security concerns. They are far from convincing users of its security. For example, how do they handle the user data, including the account information, password, and chat history? Actually, when I recommended imo.im to one of my friends, I was told that he did not want to test this because he didn’t want to expose his account information.

All in all, this is my first ride with imo.im. Its user experience is far better than that of previous web IMs. In addition, it supports Skype. It’s a great plus. However, there is a long way to go before users are convinced to drop their traditional GUI IM clients.

Categories: -English-

Worldwide distribution of malcode and DDoS attack by Arbor

June 12th, 2008 3 comments

[Figure: WW distribution of malcode]

The charts below show the worldwide distribution of malcode and DDoS attacks, from Arbor Networks.

The first one is a set of major malcode distribution points for May 2008, by country, while the second one shows who is hosting the DDoS attack botnets (these are the controlling servers, NOT the attacking bots). This is the number of attacks commanded by hour by server country.

[Figure: WW distribution of DDoS attack]

It seems that too much malcode and too many DDoS attacks originate from China. If this data is true, it betrays that Chinese ISPs and the government should do more to clean up the network. Meanwhile, this means great security market potential in China, even though the security market volume is relatively very small at this moment (less than $2B per year).

Death toll of Sichuan earthquake reached 51151

May 23rd, 2008 No comments

The death toll of the China Sichuan (Wenchuan) earthquake has reached 51151, with 288431 wounded and 29328 missing.

While the death toll is still increasing, yesterday a story spread quickly on some major BBSes and forums about the abuse of earthquake relief materials: the camps. It’s said some earthquake camps were found in Chengdu city areas, which should not be covered by the relief. This news made people very angry.

The government authority promised to investigate this and come back to the people with a fair and transparent result.

Categories: -English-

China Sichuan Earthquake at May 12, 2008

May 13th, 2008 10 comments

[Figure: Earthquake at Wenchuan-Beichuan, Sichuan Province]

A 7.6 magnitude earthquake happened in Sichuan Province at 14:35 on May 12, 2008. According to the latest news, the death toll of the earthquake at Wenchuan and Beichuan counties, Sichuan Province, China, has reached 9219. Premier Wen Jiabao has gone to Chengdu to direct the disaster recovery activities.

Check out the related news at Sina.com.

God bless China! God bless people at earthquake zones.

Heaven bless China! Blessings to the people of the earthquake zone!

Categories: -Chinese-, -English-

Q12 – Gallup’s 12 Questions

May 6th, 2008 No comments

It’s interesting, although I have not understood them clearly. The Q12, the 12 questions of Gallup, are:

1. I know what is expected of me at work.
2. I have materials and equipment I need to do my work right.
3. At work, I have the opportunity to do what I do best every day.
4. In the last seven days, I have received recognition or praise for doing good work.
5. My supervisor, or someone at work, seems to care about me as a person.
6. There is someone at work who encourages my development.
7. At work, my opinions seem to count.
8. The mission/purpose of my company makes me feel my job is important.
9. My associates (fellow employees) are committed to doing quality work.
10. I have a best friend at work.
11. In the last six months, someone at work has talked to me about my progress.
12. This last year, I have had opportunities at work to learn and grow.

Categories: -English-

Security ROI – ROSI

April 24th, 2008 4 comments

This evening, I read a whitepaper sent by Paul a few days ago. It is a good whitepaper which covers much CISSP knowledge and many financial terms, e.g. probability, NPV, etc. This whitepaper introduces a new term – ROSI. It means Return On Security Investment.

[Figure: ROSI]

This diagram is copied from the whitepaper, where it is used to illustrate security investment and attitude. It’s interesting. Actually, security awareness is one of the most important jobs of every CISO. They must be very good at promoting security and communicating with financial controllers and business decision makers.

It’s very cool that you can calculate quantitatively the return against security investment, even though it must come along with a lot of assumptions.

[Chinese] Confessions of a fund manager, and on the bottom line of the Chinese people (repost)

April 24th, 2008 1 comment

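I had always insisted that this blog be a purely technical blog, but some recent actions by the West regarding the Olympics have been truly infuriating. I am reposting below a popular post that has been circulating by email. Strong support for the Olympic torch relay! Strong support for the Beijing Olympic Games! Read more…

Categories: -Chinese-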

[Chinese] Localized attacks require localized responses

April 22nd, 2008 No comments

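An interesting phenomenon was noted at a conference on cybercrime in Latin America. Today's cybercrime increasingly shows highly localized characteristics; in other words, network attacks, phishing and the like are customized to target only a specific country or region, or a specific user group. These customized attacks rarely cross their set boundaries. Such customized, localized malicious attacks become stealthier and harder for international antivirus companies to detect, so they can stay hidden for longer. In this sense, local antivirus companies will have the advantage, and international antivirus companies need to open more localized research centers and rapid-response centers to deal with this trend toward localization.

Categories: -Chinese-, Security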

Upgrade Firefox to 2.0.0.14 ASAP

April 18th, 2008 No comments

Mozilla has published a “Critical” Security Advisory to address stability problems introduced by fixes for security issues in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1380). Some users experienced crashes during JavaScript garbage collection. Upgrade to version 2.0.0.14 for Firefox and Thunderbird and version 1.1.10 for SeaMonkey to fix this issue.

Categories: -English-, Security

Redhat stops to develop desktop Linux

April 17th, 2008 No comments

It’s reported that Redhat has halted plans for a consumer-focused Linux. It’s a little surprising and disappointing news.

Last year, the Greater China reps of Redhat visited us and recommended their desktop Linux solution to us. The benefits of the Linux desktop include lower license cost, zero virus threats, etc. At that time, they told us that many MNCs had begun to adopt desktop Linux.

Taking into account the current SaaS wave, in the long run the value of the traditional operating system is shrinking, while content and web services are ramping up. This is partly the reason why Microsoft is proposing to Yahoo.

Why is Redhat stopping desktop Linux?

Categories: -English-