So Joichi Ito is switching to a Mac. Then again, Apple is a lousy vendor that won't even put out security patches for Mac OS X 10.1 (it's fixed in Mac OS X 10.2, aka Jaguar). True enough. I used an XServe too, but gave it up. Still, Jaguar is fun. I don't want to touch Windows anymore. What to do...
Recently in the コンピュータとネットワークの危機管理 (Computer and Network Risk Management) category
I've been saying this for a while: attacks on the financial industry by criminal organizations are a far more important problem than website defacements. Rumors have circulated for years, but this time it's the World Bank saying it. What's more, hush money is being paid so that news of these crimes never surfaces. According to Gartner, 80% of computer crimes against banks are never reported to the police.
Computerworld
Hacking syndicates threaten banking
By DAN VERTON
NOVEMBER 04, 2002
The number of organized hacking syndicates targeting financial institutions around the world is growing at a disturbingly fast rate. And so is the number of banks willing to pay these high-tech extortionists hush money to protect their reputations, according to a security expert at The World Bank.
Cases in which banks, brokerage firms and other financial institutions have quietly paid hacking syndicates extortion money are "extremely widespread," said Tom Kellermann, senior data risk management specialist at The World Bank in Washington. Kellermann, who co-authored a study on the electronic security risks facing the global financial community, presented the findings during an Oct. 29 online seminar sponsored by Cable & Wireless Internet Services Inc. in Vienna, Va.
InfoWorld
WiFi eyes better wireless LAN security
By Stephen Lawson
October 30, 2002 11:37 am PT
THE WIRELESS ETHERNET Compatibility Alliance (WECA), which certifies IEEE 802.11 wireless LAN products with the WiFi label, on Thursday will announce a new set of mechanisms to combat the security problem that has plagued wireless LANs.
A WECA official did not provide details of the mechanisms but said they are intended to replace the current security system based on WEP (Wireless Encryption Protocol).
WEP, which is built in to products that use the IEEE 802.11b and 802.11a standards, is easy for intruders to break into, according to many analysts and other observers. A task group within the working group that administers 802.11 in the Institute of Electrical and Electronic Engineers Inc. (IEEE) is developing a new security specification that would require equipment to support several different strong algorithms for encrypting traffic. That work is not done yet, and products using it are not expected until the second half of next year.
This has finally started moving. The truth is that the security of today's wireless LANs is terrible. If you think you're fine because a WEP key is set, you are badly mistaken: with a program like wepcrack it can be cracked in a few minutes. Some access points have already improved their security, but most APs still haven't. So please don't feel safe just because you set a WEP key. That said, if you don't mind other people using your connection, all you need to do is encrypt all the traffic inside your own network.
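To make the weakness concrete, here is an added example (my own toy code, not from the original post, from WECA, or from wepcrack) of one of WEP's design flaws: the per-packet RC4 key is just the 24-bit IV prepended to the shared secret, so whenever an IV repeats the entire keystream repeats, and known plaintext from one frame decrypts any other frame sent under that IV without ever learning the key. The key, IV and frame contents below are constructed. Tools like wepcrack go further and recover the secret key itself through the Fluhrer-Mantin-Shamir weakness in RC4's key scheduling; that attack is not implemented here.

```python
"""Toy WEP-style frame encryption showing why a per-packet key of IV || secret
is dangerous: the 24-bit IV repeats, and each repeat reuses an RC4 keystream.
Constructed example for illustration, not a real 802.11 implementation."""
import struct
import zlib

IV_LEN = 3  # WEP IVs are 24 bits and travel in the clear in every frame

# WEP data frames start with an LLC/SNAP header; for IP traffic these 8 bytes
# are constant, so an eavesdropper gets 8 bytes of known plaintext per frame.
SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one frame body the WEP way and return iv || RC4(payload || ICV).
    The per-packet key is simply iv + secret, which is the root of the problem."""
    plaintext = payload + icv(payload)
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))


def wep_decrypt(secret: bytes, frame: bytes):
    """Legitimate receiver: strip the IV, regenerate the keystream, check the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plaintext = xor(body, rc4(iv + secret, len(body)))
    payload, tag = plaintext[:-4], plaintext[-4:]
    return payload if tag == icv(payload) else None


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Attacker with known plaintext for a frame: C xor (P || ICV) yields the
    keystream for that frame's IV, without knowing the secret."""
    return xor(frame[IV_LEN:], known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reuses the same IV with a recovered keystream.
    If the keystream covers the whole body the ICV is verified and stripped;
    otherwise only the covered prefix of the plaintext is returned."""
    body = frame[IV_LEN:]
    plaintext = xor(body, keystream)
    if len(plaintext) == len(body):
        payload, tag = plaintext[:-4], plaintext[-4:]
        if tag != icv(payload):
            raise ValueError("keystream does not match this frame")
        return payload
    return plaintext


def iv_exhaustion_hours(frames_per_second: float) -> float:
    """Hours until a sender has cycled through all 2**24 IVs at a given rate;
    after that every new frame reuses a keystream the attacker may have seen."""
    return 2 ** 24 / frames_per_second / 3600


def demo() -> bytes:
    secret = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")          # an IV the sender happens to reuse
    # Frame the attacker caused and therefore knows in full, e.g. a ping sent
    # from the Internet to the wireless client (constructed contents).
    known = SNAP_IP + b"ICMP echo request with attacker-chosen padding..........."
    # Victim frame encrypted under the same IV (constructed contents).
    victim = SNAP_IP + b"POST /login user=alice&password=hunter2"
    frame_known = wep_encrypt(secret, iv, known)
    frame_victim = wep_encrypt(secret, iv, victim)
    keystream = recover_keystream(frame_known, known)   # no secret needed
    return decrypt_with_keystream(frame_victim, keystream)


if __name__ == "__main__":
    print(demo())
    print(f"IV space exhausted in {iv_exhaustion_hours(500):.1f} h at 500 frames/s")
```

Two things follow from the numbers: a busy AP sending 500 frames a second cycles through the whole IV space in about nine hours, and because the SNAP header gives 8 known bytes for every frame, a patient listener can build an 8-byte keystream prefix for every one of the 2^24 IVs from passive capture alone. Neither requires the key, which is why encrypting above the link layer (IPsec, SSH, TLS) is the only real protection on a WEP network.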
The White House's recent "National Strategy To Secure Cyberspace" seems to have had plenty of industry advisers who are chummy with Bush and hardly any real experts. So it isn't only Japan that has these so-called expert panels. ;-p
This report seems to have been eagerly awaited by American industry and by other governments, but when you read it there isn't much that's new. Still, the format looks slick, so it may be fine for people who know nothing and only read things that carry status.
I found the following on David Farber's list.
America's National Cybersecurity Strategy: Same Stuff, Different Administration
Richard Forno
(c) 2002 Infowarrior.org. All Rights Reserved
Article #2002-11.
Permission granted to reproduce and distribute in entirety with credit to author.
Today the White House releases its long-awaited "National Strategy To Secure Cyberspace." This high-level blueprint document (black/white or color), in-development for over a year by Richard Clarke's Cybersecurity team, is the latest US government plan to address the many issues associated with the Information Age.
The Strategy was released by the President's Critical Infrastructure Protection Board (PCIPB), an Oval Office entity that brings together various Agency and Department heads to discuss critical infrastructure protection. Within the PCIPB is the National Security Telecommunications Advisory Council (NSTAC), a Presidentially-sponsored coffee klatch comprised of CEOs that provide industry-based analysis and recommendations on policy and technical issues related to information technologies. There is also the National Infrastructure Advisory Council (NIAC) - another Presidentially-sponsored klatch - allegedly consisting of private-sector 'experts' on computer security; but in reality consists of nothing more than additional corporate leaders, few if any considered an 'expert' on computer security matters.
*******Forwarded from: security curmudgeon
>> http://www.whitehouse.gov/news/releases/2002/09/20020918-12.html
>
> Established by Executive Order 13231, NIAC will make recommendations
> regarding the security of the cyber and information systems of the United
> States' national security and economic critical infrastructures. The
> Committee will also examine ways that partnerships between the public and
> private sectors can be enhanced to improve cyber security.
>
> Let's break down this advisory board by title...
>
> 1 Chairman/President/CEO
> 8 Chairman/CEO
> 2 President/CEO
> 3 Chairman
> 1 Vice Chairman
> 2 CEO
> 1 COO
> 1 President
> 1 Executive Vice President
> 1 Governor
> 1 Mayor
> 1 Police Commissioner
> 1 Chief of Police
>
> That's a whole bunch of people that likely get their e-mail printed and
> handed to them.
>
> Now, let's see if any of them have an interesting track record with
> security...
>
>> Alfred R. Berkeley III, Vice Chairman, NASDAQ Stockmarket Inc.
>
> http://www.attrition.org/mirror/attrition/1999/09/14/www.nasdaq-amex.com
> http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com
>
> Domain Name: NASDAQ-AMEX.COM
>
> Administrative Contact:
> Nasd DNS Admin (ND542-ORG) nasdadmin@NASD.COM
> Nasdaq Stock Market, Inc
> 9513 Keywest Ave
> Rockville , MD 20850
> US
> 301.590.6856
> Fax- 301.590.6374
>
>> L. George Martinez, Chairman, Sterling Bank and Sterling Bancshares Inc.
>
> http://www.attrition.org/mirror/attrition/2001/04/15/www.banksterling.com
>
> Domain Name: BANKSTERLING.COM
>
> Administrative Contact:
> Throgmorton, David (DT5737) throgmor@BANKSTERLING.COM
> Sterling Bank
> 15000 Northwest Frwy
> Houston , TX 77040
> 713 507-7781 (FAX) 713 896-9159
>
>> John W. Thompson, Chairman and CEO, Symantec Corporation
>
> http://www.attrition.org/errata/sec-co/symantec01.html
> http://www.attrition.org/errata/sec-co/symantec-nipc01.html
> http://www.attrition.org/mirror/attrition/2001/01/19/smallbiz.symantec.com
> http://www.attrition.org/mirror/attrition/1999/08/02/www.symantec.com
>
>> Thomas E. Noonan, Chairman, President and CEO, Internet Security
>> Systems, Inc.
>
> ISS' ethics have been called into question repeatedly for the last several
> years.
>
>> Enrique Hernandez, Jr., President and CEO, Inter-Con Security Systems
>> Inc.
>
> Interesting, searching for Inter-Con Security Systems (since that name
> didnt ring a bell), the first hit i get is:
> http://www.gao.gov/decisions/bidpro/290493.htm
>
> second hit is interesting:
> http://www.law.com/regionals/ca/opinions/mar/bv23235.shtml
>
> another article calls them "the largest privately held security services
> firm in the world"
>
> he is a UnitedWay board member...
>
> and 30 hits into google, all i can see is that they provide guards for
> buildings and have no easy to find web page.
>
>> Maynard G. Webb, CEO, e-Bay
>
> http://www.attrition.org/mirror/attrition/2001/03/22/www.qa.ebay.com
> http://www.attrition.org/mirror/attrition/1999/03/13/ebay.com
>
>> William F. Owens, Governor of Colorado
>>
>> Jorge Santini, Mayor of San Juan Puerto Rico
>
> These two are "security experts"?
>
>> Karen Katen, President, Pfizer Global Pharmaceuticals and Executive Vice
>> President, Pfizer Inc.
>
> http://www.attrition.org/mirror/attrition/2001/04/09/www.pfizer.se
>
>
> All in all, I really don't get a warm fuzzy when thinking these people
> are going to help figure out how to protect our infrastructure.
---
From: Peter Bachman
Organization: Cequs Inc.
Date: Sat, 28 Sep 2002 02:11:43 -0400
To: dave@farber.net
Subject: Re: [IP] Interesting - Breakdown of the President's 30 'experts' on infrastructure security advisor (NIAC)
Looking at Rick's very informative web site, I toodled over to
http://www.whitehouse.gov
where the original executive order is listed, #1321.
http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html
It has the following wording.
(b) NIAC. There is hereby established the National Infrastructure Advisory
Council, which shall provide the President advice on the security of
information systems for critical infrastructure supporting other sectors of
the economy: banking and finance, transportation, energy, manufacturing, and
emergency government services. The NIAC shall be composed of not more than
30 members appointed by the President. The members of the NIAC shall be
selected from the private sector, academia, and State and local government.
Members of the NIAC shall have expertise relevant to the functions of the
NIAC and generally shall be selected from industry Chief Executive Officers
(and equivalently ranked leaders in other organizations) with
responsibilities for the security of information infrastructure supporting
the critical sectors of the economy, including banking and finance,
transportation, energy, communications, and emergency government services.
Members shall not be full-time officials or employees of the executive branch of the Federal Government.
-------------------
The actual individuals are also listed at:
http://www.whitehouse.gov/news/releases/2002/09/20020918-12.html
Some comments:
There's an interesting and implicit assumption in the "Strategy" about
"ownership and operation of cyberspace", and that one can hope to derive a
line of responsibility and expertise by involving the CEO (or
equivalent) of these related companies, in protecting critical
infrastructure. If this assumption
is correct, then we should all expect some tangible metrics as to how these
CEO's implemented various parts of the strategy, and what business benefits were derived.
-pb
Peter Bachman
Wall Street Journal
U.S. Military's GPS Reliance Makes A Cheap, Easy Target
In recent months, the Pentagon has stepped up orders for precision-guided bombs that use GPS technology. The Pentagon could use such bombs in an invasion of Iraq to target Iraqi military installations with pinpoint accuracy. However, these precision-guided bombs may be vulnerable to GPS jammers. At the Paris Air Show in 1999, a Russian company called Aviaconversia demonstrated a 4-watt GPS jammer. The jammer weighed about 19 pounds and was capable of denying GPS reception for more than 100 miles. Many such jammers are available through the Internet for as little as $39.9.
That has caught the attention of military officials and politicians alike. "We believe Saddam Hussein has GPS-jamming capability and that he will use it," said Rep. Joseph Pitts, the co-chairman of the Electronic Warfare Working Group. The members of this group include 25 congressmen who have been studying GPS vulnerability, among other issues. "While we do not know the extent of our vulnerability, there is evidence to suggest that GPS jamming can significantly inhibit precision targeting," Mr. Pitts added.
While jammers can interrupt the commercial signal, the military signal is configured in such a way as to make it difficult to interrupt. But the problem is that the military uses the commercial signal to acquire the military signal. Research is under way to come up with a technology that allows aircraft to access the military signal directly. Currently, increasing the signal power is the only solution. Such efforts are under way, and the Air Force is planning three stages of upgraded satellites over the next 10 to 15 years.
The head of Windows development says that Microsoft hadn't given much thought to security, and that he is ashamed they did not properly do what they could have done for their customers. ("I'm not proud.")
Infoworld
Lead Windows developer bugged by security
By Matt Berger
September 5, 2002 1:46 pm PT
SEATTLE -- BRIAN Valentine says he's not proud.[snip]
"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."
Biometrics is the technology of authenticating access to computers using features of the human body such as fingerprints, palm patterns, iris patterns, voiceprints and facial structure... but where do the people who dream these up get their ideas?
Back around '93 I went to have a look at a New Age trade show in the U.S. called the Whole Life Expo. Among the exhibits I found a booth doing iris-pattern fortune telling and thought it was amusing; a few years later, iris-pattern authentication showed up in the news. The reasoning is that iris patterns differ from person to person and so are highly unique, but when you think about it, the principle overlaps with what the fortune tellers were using...
Palm reading has been around for ages, and there is personality reading based on facial features too, and both have turned into biometric technologies. Is there any other kind of fortune telling that could be used as biometrics? Then again, if what you took for fortune telling was actually collecting your biometric data and selling it on the side, that wouldn't be a pleasant thought.
One thing that had been a source of worry among PGP users has settled down. A new company called PGP Corporation has been formed and has bought the rights to the PGP products from Network Associates. Ever since NAI announced it was discontinuing support for the PGP products, users and others involved had been worried about future development and support, but this comes as a relief.
A post from Jon Callas, CTO of PGP Corp, has come up. According to it, PGP's source code will continue to be published. He was Chief Scientist at the previous PGP Inc, so I think future development can be trusted.
According to an August 16 Washington Post article, a recent audit found that computers at the U.S. Internal Revenue Service holding personal information such as Social Security numbers are missing, whether stolen or simply lost. Apparently thousands of government computers are already unaccounted for. I wonder whether Japan does audits like this?
Thanks for this link Sen