TAing for Web Commerce, Security and Privacy

This term I’m TAing Web Commerce, Security and Privacy for Norman Sadeh. The course is targeted at both technical students in computer science and electrical engineering as well as Tepper business students. The mix in backgrounds is purposeful.  Issues of web commerce are not just technical issues, they are issues of politics and business.

It will be interesting to see how the class progresses over the school year.

Strict enforcement of Information Assurance policies?

Nice article over at Network World.

How do we resolve the issue of acknowledging (to ourselves) that some of our information assurance (IA) policies cannot, or should not, be strictly enforced, while at the same time conveying to staff the importance of always following IA policies?

InfoSec Personnel Management

I found an article on Personnel Management and INFOSEC by M. E. Kabay which I like.  Its basically a paper discussing managerial techniques for managing employees in an organization from an InfoSec perspective.  I particularly like this analogy for how employees

What would you do if you discovered that an employee who used to occupy your current office still had the key? You would politely ask them to give it up. No one would question the reasonableness of such a request. However, when you remove access to the network server room from a system analyst who has no reason to enter that area, you may be treated to resentment, sulking and abuse. People learn about keys when they’re children; they don’t extend the principles to information security. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet?

Unauthorized accesses of data

Officers run a background check on the president.

http://www.wsbtv.com/news/20218458/detail.html

SSH into a Windows computer

Here is an excellent description of how to turn a Windows computer into an SSH server using Cygwin.

Congradulations Dr. Janice

Janice Tsai successfully defended today. Congratulations!

Keys on Pidgin encryption and OTR

As a security and privacy conscious end user I have started encrypting my IM chats with Pidgin Encryption and Off-The-Record Messaging. Both plugins for Pidgin automatically create public/private key pairs which are used to encrypt my IM chats. Unfortunately, I also use many different computers to chat with my friends and by default each computer creates its own public/private key pair. I want my chats to always look like they are coming from me despite the computer I am on so I looked up how to copy the private keys between computers.

In Ubuntu Linux all the relevant files were all listed under the .gaim folder in my home directory. In Windows XP they were listed under the .purple in my Application Data folder.  All you have to do is move the files listed below from the appropriate directory on the original computer to the same directory on whatever other computers you want to use the same public/private key.

On my computer the keys were located in:

Windows: C:\Documents and Settings\UserName\Application Data\.purple

Ubuntu Linux: ~/.gaim

(In some versions of Ubuntu ~/.purple)

OTR

  • otr.private_key
  • otr.fingerprints

Pidgin Encryption

  • id
  • id.priv
  • known_keys

The known_keys and otr.fingerprints files list the public keys of other people who you chat with. You don’t have to move these files if you don’t want to. The otr.private_key, id and id.priv files contain your private key and must be moved.

NSA reading emails of private citizens

Raw Story has a story on NSA’s improper use of wiretapping technology. MSNBC interviewed a former security analyst who discussed how members of the NSA used their wiretapping abilities to read the email of private citizens. Risen reported that Bill Clinton’s emails had been read. He then clarified saying:

“It sounded like, from the former NSA analyst that we interviewed, that it was rare to access the emails of celebrities or famous people, but that it was fairly routine, according to him, for people to access the emails of girlfriends or wives or other people that they might know.”