Cyberwarfare

Interesting posts are starting to show up out there about a surge of interested in the US armed forces and cyberwarfare. There's a lot of momentum building up. If you were at SANS in Orlando last week, you might have heard about a new project SANS is going to launch very soon. Stay tuned--expect an official announcement sometime in the next week or so.

Last week I had the pleasure of presenting at the SecureIT Conference in Los Angeles, CA. A keynoter, Randy V. Sabett, J.D., CISSP, made some very interesting points about US law with regards to defense. Generally, US federal laws tend to favor the fact that the individual can do anything necessary to defend his person. For Cyber Law issues, this is contrary to the history of case law established for non-Cyber issues.

So what I'm saying is that playing the Devil's Advocate or to role play a bad guy just to understand an attack is a very useful thing. But what about offensive skills? Does the properties of Mutual Assured Destruction apply to Cyberwarfare? Is it possible to display offensive strength and still be legally OK?

Now don't get me wrong, I'm not standing next to an ankle biter saying "Sweep the leg, Johnny!" But I think some interesting things are in motion . . . Stay tuned . . .

Audio Watermarking for Triangulation

This is an interesting thing that uses practical steganographic techniques to pinpoint the location where a recording device is in a movie theatre. It's not entireably unbelievable that this is possible, given that we have surround sound. I imagine the accuracy varies, though, not all theatres are equal and you may have the folks disapproately located.

The ways around this seem obvious to me: heavily convert the audio, and record from multiple locations, mixing it down. Of course, that likely affects the sound quality of the final bootleg product, but it would do the job. Or the bootlegger could mix in interesting signals that would skew the triangulation (like my previous post about how a certain sine wave prevents youtube.com from compressing the audio in a video).

Not to wave-off their work, but we really need to be moving forward and not lateral right now, like most security issues--it's an arms race.

The past week was good, enjoyed speaking at SecureIT. This week I'll be at TUG U2U then Charleston, NC for SANS Sec 504, see http://bluenotch.com/events for more info.

When your backup method is not out-of-band=FAIL

So I spent quite a bit of time traveling lately, last week I was in Edmonton, AB. When I return to my office there are two labels from UPS saying they tried to deliver the package. What really seems silly is their policy states (according to the unhelpful and unlucky person who answered my phone call) is that they hold onto the package for 5 business days, waiting for you to respond to the postcard they just mailed you--TO THE SAME PLACE THEY HAVE NOT BEEN ABLE TO GET ANYBODY!

You would think that either the collection of UPS stickies on the door, or the fact their excellent tracking database records the delivery attempts, that mailing a postcard to the same address is a terrible idea. All you catch there is somebody who wasn't available at the time to receive the UPS package, not people who are gone for a simple week!

Of course, by chance, they came during a week when nobody was in the Bluenotch Corp. office, and the killer is that the package spends more time in transit from shipper to me, then a measly 5 business days at a UPS location 20 miles away, then twice again as much time going back to the shipper. This package has spent more twice as much time on a UPS truck than waiting to be picked up, and it is going to double again when the shipper-reships it. The thing is, I know that email address and phone number is included in the shipping documentation, so if they really wanted to try to resolve the situtation, they could.

So try to get the most value out of this little incident--Don't have your backup system or your communications in same flawed mechanism, be SURE it is truly as out-of-band as possible.

Had a great discussion during my File Systems with FUSE talk at SCALE and this week I'll be at Secure IT Conference in Los Angeles. Next week is a series of workshops put on by The User Group at TUG 2009: Users To Users.

Working on a killer project I hope to post about at the end of the week once I get a few more details pounded out.