Security is still a chain

“Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.” Bruce Schneier reminds us of these facts in a recent Wired column, Quantum Cryptography: As Awesome As It Is Pointless.

We get excited about new technologies and cool new features and devices. And then we ignore security policies and procedures, use and reuse weak passwords, and still don’t encrypt computer drives.

He closes by saying, “… as a product, it has no future. It’s not that quantum cryptography might be insecure; it’s that cryptography is already sufficiently secure.” Maybe quantum crypto will keep foreign powers from reading our critical national information. But for the rest of us, what we have is good enough. If only we would use it.


Metrics Madness

I hate the metrics discussions some of us have in the IA world. On one side there are people who think that we should be able to come up with hard numbers by which to measure security. (“May I have a pound of security, please?”) On the other side are those of us who know that it is always going to be impossible to nail metrics down and that we have to be satisfied with squishier measurements of what “good enough” is. In the middle, I suppose, are those who want to please those in the first group, know what the second group knows, and choose to ignore it to please those in the first group.

But, “good enough” usually is 1) better than what we have and 2) pretty darn good.

My New PDA: iPod Touch

Background. In iPod Touch as a PDA, I mention my “requirement” for a PDA, how I’ve been a happy user of a Palm computer for years, and how happy I have been with the apps for the Palm. I also mentioned that it wasn’t the frustration of my sometimes very long sync times that made me look for something else, but that recently my Palm Tungsten E2’s battery started to behave erratically. And it is a replacement battery! (It almost never completely charged, and when it did it lost much of its charge quickly. And when in use it would slip from quarter charge to “recharge soon” to “recharge now!” to quarter charge again.) And the long syncs continued. (By “long,” I mean I would go to bed at 10 PM and at 5:30 AM it was still chugging.)

What I got and general impressions. On Friday, October 10, 2008, I bought an Apple® – iPod® touch 32GB MP3 Player. Why the 32G? I did go back and forth on that. The Palm I am replacing only has 32MB (that’s an M). I also have a 30GB iPod Clickwheel. (It was originally a 20GB, but I replaced the drive when it crashed a few years back.) It is still working. I also have a 1GB iPod nano. So, while I didn’t need the 32G, I had the money (from a recent consulting gig) and figured one is never sorry for more space. So, now I am looking to farm out my other 2 iPods.

Impression? Very intuitive to use (no user manual, though there is one at manuals.info.apple.com). It just worked. iTunes walked me through registration and then synced my music, Contacts, Events, and Mail settings. It charged very quickly via the USB connector. (It, of course, came with a USB cable, but I just used the one from my other iPods. Those are the same, though not all things are, as I will mention.) I then set up the wireless settings (a slight pain given my long key and my lack of skill with the virtual keypad on the touch). After that… everything worked!

Meeting my needs? I laid out my needs/wants in the above-mentioned blog entry. This is what I wanted and what I found:
  • Bible—I copied the free Bible Reader and free Bibles via the App Store from Olive Tree Bible Software.
  • ereader—I copied the free eReader app from eReader. The app itself allows one to download eBooks, so I just copied the books that I previously had on my Palm. I did this by putting them on a web page and pointing to them.
  • iCal sync (including birthdays)—It is standard, and if you show Birthdays in iCal on your desktop they will show up on the handheld.
  • Calculator—Standard app.
  • Address book sync—Standard app.
  • wireless access—As I said, it works great and I use it for email and web (and a lot more).
  • Notes or memos—Well, it has a Notes app, but it is not syncable. That rots. I found and downloaded the demo of Phoneview. The demo works fine. I am hoping that Apple provides syncing of Notes sometime. Notes sync in 3.0! 🙂
  • email—Works great.
  • To do/iCal Tasks—Missing. Not a show-stopper. I am hoping Apple fixes this lack, also.
  • expense tracking—I cannot find a simple replacement for the simple, free expense program my Palm had.
  • Secret!—I’ve found a number of lockbox programs. I want one I can populate through a copy from my desktop. It need not be fancy. Secret! was very simple. I want to enter any information in free form and have the option to encrypt the file (with 256-bit crypto or stronger). I will keep looking.
  • As I said, “I have Documents to Go on my Palm, that reads and writes Microsoft Offices files. I don’t really use this much.” Their web site says “Coming to iPhone/Touch soon.”
  • It seems very stable. Apps and syncing just work, although it helps if the Mac iSync process has finished what it does.
  • There are bunch of free or inexpensive apps and more keep coming.
  • When in iPod play mode, I can still read mail or do other things while it continues to play.
  • When I get up in the morning, instead of booting my PowerBook, I click on my Touch, touch the Mail button, and have emails in my hand in short order.
  • Some email attachments display fine on the iPod touch (text, images, PDF, Word doc files, Word docx files).
  • As I mentioned, no sync of Notes without using a 3rd party product. Added with version 3.0!
  • No keyboard option. (Maybe someday? Palm has attached and Bluetooth keyboards.)
  • No Copy/Paste. I’d like to copy a URL from a web page and email it. Or copy something from my Contacts book and paste it into a web form. I cannot. And my short-term memory is not what it used to be.
  • If I receive a meeting invitation, and I click on the attachment, Mail does nothing with it. I want it to add it to my calendar, as it does on my Mac. I assume they will add this functionality.
  • I really, really want a replacement for Secret! so I can securely carry my account information and passwords with me.
  • While the same USB cable that works for my old iPods works on this, the car and home chargers do not. I have to buy a new car charger for long trips (the new ones work in all iPods). I probably do not need a wall charger, as even if I travel overseas, I have my PowerBook.
Overall. Overall, it rocks. Syncing no longer takes all night. It has good to great battery life. Wireless use is very easy. And it is fun to use.

The thing that used to really kill me was when I would do large Contact list changes. I organize my address book into different books (like categories): APL, Business, Personal, Press, Restaurants, etc. My biggest address book category is my church directory, with 1736 entries. I just updated it by deleting all the entries in the category and then importing the updated list (from a tab-delimited file). Next, I told the Sync process to “Sync Now,” which gets its head right. Then I clicked Sync in iTunes after first clicking Contacts under Advanced. This replaces the information on the iPod with the desktop information on the next sync. It worked perfectly and quickly. I’m very happy.


Gmail “Bad Behavior”

In Mail and Gmail, I reported how I changed things “to have my avolio.com email hosted on Google.”

Mostly all was well. Mostly. Then one day, I sent a message to a mailing list I am on. And I did not get a copy of the message in my Inbox. See, here’s what is supposed to happen:
  • My email client connects with Google, authenticates, and transfers the mail.
  • Google accepts it, does the DNS magic to decide where it is for and connects to that mail exchanger (email server). Let’s say it was for mylist@lists.example.com.
  • The list server (in this case, Mailman) changes the Subject, adding the prefix [MYLIST], adds some footers about how to unsubscribe, etc., and
  • then tries to send to every list member.
And I never got the mail. Other people did, because I got replies. But their replies went to me and to mylist@lists.example.com, so I was not surprised I got a copy of those. But why wasn’t I getting my own message back from the list?

I had the system administrator of lists.example.com check the mail log. The log showed Google accepting the messages. I just never got them. I sent messages to postmaster@gmail.com. I sent to postmaster@avolio.com (also, Google, now). I went to the help page and followed the steps and sent in a report complete with mail headers. No response.

Then I looked at the discussion groups and found a bunch of others with the same problem, “Not receiving emails sent by myself to discussion list.” Hmmm.

As I posted, in part, to the forum:
Now, I see that Google throws away email that seems to be some percentage identical to email I sent.

As a previous poster pointed out, it is *not* identical. The Subject line is changed (at least with a Mailman server) to put the list name in brackets in the subject line, headers are added, and footers are added. I suppose Google thinks this is a feature, but it certainly is incorrect behavior in the email world. And, of course, I as a sender get no confirmation that the list server is working correctly.

This really is not as bad as I thought — I thought I could get no email from the lists. It is, however, bad.

How exact is exact, Google? You are throwing away mail that is sent to

“Don’t be evil.” This is close.
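To make concrete how little of a list-relayed message is actually “identical” to what the sender submitted, here is an added example (not from the original post or from Google or Mailman): it builds a constructed message, applies a hypothetical model of the Mailman changes described above (subject prefix, List-* headers, unsubscribe footer), and then reports which headers changed and how similar the bodies remain. The list address, prefix and message text are constructed for the example.

```python
import difflib
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

LIST_ADDR = "mylist@lists.example.com"   # list address used in the post
LIST_PREFIX = "[MYLIST]"                 # subject prefix used in the post


def original_message() -> EmailMessage:
    """Constructed sample of the message as the sender's client submits it."""
    msg = EmailMessage()
    msg["From"] = "sender@avolio.com"            # constructed sender
    msg["To"] = LIST_ADDR
    msg["Subject"] = "Firewall pricing history"
    msg["Message-ID"] = "<constructed-0001@avolio.com>"  # constructed value
    msg.set_content("Does anyone remember the FWTK launch pricing?\n")
    return msg


def mailman_rewrite(msg: EmailMessage) -> EmailMessage:
    """Hypothetical model of the list-server changes the post describes.
    This is not Mailman's code: it prefixes the Subject, adds List-* headers
    and appends an unsubscribe footer, leaving Message-ID untouched."""
    relayed = message_from_string(msg.as_string(), policy=default)
    subject = relayed["Subject"]
    if not subject.startswith(LIST_PREFIX):
        del relayed["Subject"]
        relayed["Subject"] = f"{LIST_PREFIX} {subject}"
    relayed["List-Id"] = "<mylist.lists.example.com>"
    relayed["List-Unsubscribe"] = f"<mailto:{LIST_ADDR}?subject=unsubscribe>"
    footer = f"\n--\nMYLIST mailing list\nTo unsubscribe, mail {LIST_ADDR}\n"
    relayed.set_content(relayed.get_content() + footer)
    return relayed


def body_similarity(a: EmailMessage, b: EmailMessage) -> float:
    """Ratio in [0, 1] of how alike the two text bodies are (difflib)."""
    return difflib.SequenceMatcher(None, a.get_content(), b.get_content()).ratio()


def header_differences(a: EmailMessage, b: EmailMessage) -> dict:
    """Headers whose values differ, or that exist on only one side."""
    names = set(a.keys()) | set(b.keys())
    return {n: (a.get(n), b.get(n)) for n in sorted(names) if a.get(n) != b.get(n)}


if __name__ == "__main__":
    orig, relayed = original_message(), mailman_rewrite(original_message())
    print(f"body similarity: {body_similarity(orig, relayed):.2f}")
    for name, (before, after) in header_differences(orig, relayed).items():
        print(f"{name}: {before!r} -> {after!r}")
```

A relayed copy keeps the sender's Message-ID but differs in Subject and in the added List-* headers, which is why a filter judging “some percentage identical” on the body alone would treat a legitimately different delivery as a duplicate.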


Happy Anniversary Firewall ToolKit!

The TIS FWTK was delivered via FTP to DARPA 15 years ago today. The next day we delivered it to DUNSnet. We did change the firewall industry with its delivery. And then we changed firewall pricing as Steve Walker and I, doing a “back of the envelope” SWAG, decided on $15K for software only, $18K with hardware. Other vendors, with pricing at over $50K, dropped their prices within a week.

Best wishes to its daddy, Marcus Ranum.

It’s still the most fun I had in a job, my own consulting gig a close second.

Read something historic at Firewall ToolKit.

As early as v1.0, the firewall toolkit had “application intelligence,” also known as “application awareness,” and “deep packet inspection.” We just weren’t marketing guys.