Intercontinental Smash and Grab

A couple of weeks ago, one of my credit card numbers was compromised. This is all too routine these days, and the credit card company detected and removed the suspicious transactions quickly. What I found notable, however, was the fact that multiple charges were attempted in different currencies in rapid succession – an Australian on-line merchant, German Amazon, and so on, alongside fast food vendors in New York, and that at least some of them hit almost simultaneously. As I spoke on an incoming call from the card vendor’s fraud department, I could see successive charge notifications overwriting one another on my cellphone’s display. I’d think that the fact of closely-spaced transaction attempts across numerous countries would be likely to raise risk flags – even though less definitively today than when cards were ordinarily presented across counters by hand – but perhaps fraudsters may still find that a dispersed attack improves the expected value that’s obtainable in the narrowing time window before countermeasures can respond. I don’t know if and where there may be variable delays for transactions to propagate through different payment systems, but maybe this is also a factor.

Excellent course available

For anyone interested in extending and/or refreshing their understanding of cryptography, I’d strongly recommend Dan Boneh’s Cryptography I MOOC available on Coursera. In six lecture-rich weeks (plus a 7th, reserved for the final exam), it covers practical, mathematical, and theoretical aspects of symmetric-key and public-key crypto, providing solid and informative content on each. A great resource!

Where’s the Security Love?

I was intrigued to open Bloomberg’s graphic from census data, visualizing the occupational pairings of people’s marriage choices, and was quickly presented with a set of links for the “Information Security Analysts” category. Said category showed up somewhat towards the “More male occupations” side of the spectrum, though rather less so than other IT roles like “Computer Programmers” and “Computer Systems Analysts”. That’s nice to see; maybe it results from security coming of age as a core discipline in a more recent and less gender-biased era. The data suggests that many security analysts marry teachers and nurses, but also shows a fascinating link for female-female marriages to “Automotive Body Repairers”. This may be a classic case of overmining small samples from Big Data to derive dubious conclusions. If it reflects a deeper message, though, I’d love to know what it is.

Longest. Progress Bar. Ever?

I’ve been using a MacBook Pro for a few years, which I’ve been quite happy with except for some annoying behavior when resuming from hibernation. Being Security Guy by habit, I’ve unsurprisingly been using FileVault disk encryption; after typing a password to unlock the volume, I’d often been waiting for a minute or so, sometimes spanning a screen blank and reset button tap, before being presented with another password entry prompt and the chance to enter a useful system. (Deceptive UI indication aside: please don’t provide a blinking cursor in a text box before it’s ready to accept input!) Accumulated impatience having eventually spurred me into action, a web crawl yielded references like this article, suggesting that OS X Yosemite was intolerant of at least some earlier FileVault configurations and recommending decryption and re-encryption. I started the decryption on a disk with about 140 Gb in use; though it changed before I got to screenshot the display, the progress bar started out with a caption estimating 43 days to complete the task. That proved conservatively pessimistic, with the operation taking about 10 hours in the actual event. I’m used to symmetric crypto being quick, often invisible inline at human scale; 43 days read more like what I’d expect if a fairly substantial exhaustive search had been required.

Observed: adaptive reuse for Rainbow documents

Back in the day, there was anticipation that these volumes would provide the basis for generations of secure computing platforms. I was intrigued to observe their innovative reuse for nutritive purposes when I saw their depicted role within this recent project. They’d be conveniently at hand on my own bookshelf as well.

Gold standard of risk quantification

Would that IT security risks could become as low and quantifiable as these! Intrusion anticipation, looking actively ahead over 100 years. That’s a challenging model to strive towards.

Information Security History: An Interactive Overview

Continuing my interest in presenting this field’s history, I’ve assembled a small interactive site intended to provide an introduction to aspects of information security as they’ve evolved across computing eras. Comments and discussion welcome here.