The Blog self()

Consumerism, Paradox of Choice and Unsubstantiated Claims

Sat, 19 May 2012 10:57:46 +0200

On May 15, 2012, The New York Times published an article by Adam Davidson, co-founder of NPR’s Planet Money, titled Making Choices In the Age of Information Overload.

Mr. Davidson meshes together brand information overload or, if you prefer, signaling on one hand and product information/review overload on the other. He thinks that we, as consumers, are better off in an information-rich world. I would go the extra mile and call it an information-obese one.

At one point he quotes a business professor from the University of California, Davis: “If there is a critical-enough mass of informed buyers, that is sufficient” to pressure manufacturers to make better-quality goods, Bhargava says. “That group of informed consumers creates a force. It doesn’t have to be everybody.”

There are two problems here. First, what is a critical-enough mass? 100, 200, 1000 buyers? More?

Second, how do you know that you are dealing with informed buyers and not a company’s employees or software comment bots? And what’s an informed buyer? Somebody who has been using the product for two days and claiming it’s a sturdy, very solid unit or one who has been using it for 2 years?

Some solid, peer-verified scientific ground is more than welcome to back this kind of marketoid statement. I would have preferred it if Mr. Davidson interviewed a psychologist/sociologist instead of a business professor.

jazzy diggin by Noray, featured on the very cool, downtempo...

Sun, 22 Apr 2012 07:28:29 +0200

jazzy diggin by Noray, featured on the very cool, downtempo album 1974-2010 A Tribute (In Memory of Nujabes), released on www.onryourecords.fr. A very good example of mixing with style, including elements of groove and jazz.

I would have love to share another fantastic tune called colors by Ash Day, featured on the same vinyl but last I looked, it is not available on Youtube (and no, for the life of me I won’t go looking for it on Dailymotion). So you have to go to your local vinyl store and catch the good vibes.

It’s Your World by Gil Scott-Heron & Brian Jackson....

Fri, 13 Apr 2012 16:13:32 +0200

It’s Your World by Gil Scott-Heron & Brian Jackson. One of the countless contributions of this amazing duo to the great black Music.

Gil, you are dearly missed. May you rest in peace.

A down-to-earth observation of the Dropbox Cloud

Fri, 09 Mar 2012 11:08:00 +0100

The Cloud™ is everywhere to be seen in the current Information Technology landscape and many oracles (with vested interests) such as Microsoft predict that it is not going away anytime soon.

It certainly offers many useful features that make our digital lives easier. There are hidden costs however that users should know about before trusting their data (or their employer’s) with the Cloud™.

Take Dropbox as an example. It’s one of the most visible Cloud-based services on planet Silicon. It allows you to synchronize your files across all sorts of devices. It is extremely easy to open an account and install the client and join their 70 million+ users, frolicking in a cozy cloud. But how many of those users took the time to carefully read the Terms of Service or care about two major security incidents the service had in 2011?

Issue 60 of MISC Magazine features an article from yours truly about Dropbox ; in French though. Leveraging some business intelligence, OSINT, careful reading of the ToS and observation of the Dropbox client behavior, the article aims at rising the public’s awareness of some important issues before they trust anything into the hands of Dropbox. I also knock on a few doors that might be worth exploring by other members of the Information Security community.

Is Dropbox secure enough? Is the company behind it trustworthy? Well, there are no easy answers to these questions. It largely depends on your trust scale and the type of data you share on their cloud (and Amazon’s since they heavily rely on AWS). But I certainly wouldn’t upload my employer’s or any sensitive data on their “cloud”. Security has been, is and will remain a trade-off.

If you have the opportunity to read the article, let me know what you think.

Twitter's Free iPad 2 Scam (with a twist)

Mon, 05 Dec 2011 23:52:15 +0100

Someone, something going by the handle @mahanarfmhul3 (a.k.a Mahana Cox) sent me the following message on Twitter:

As of this writing, @mahanarfmhul3 began emitting tweets about two hours ago with a frequency of 1 tweet every 3~5 minutes. The account totals 26 tweets. 19 of them are of the same kind I received:

While the remaining 7 look harmless ; most probably to thwart Twitter’s algorithms for detecting SPAM and phishing attempts. 5 of these “innocuous” tweets are written in English while 2 are in Spanish:

I highlighted a tweet apparently addressed to someone called AdamWeitner. Except that Adam Weitner is not following “Mahana Cox”. And the tweet is not addressed properly to him since the @ sign is not used as a prefix.

Now let’s look into the phony link I received: tinyurl(dot)com/6v5g4wz. Since it’s a TinyURL shortened link, we can preview it by prefixing the URL with preview:

Now that we have the URL behind the shortened link, we can dig a bit further. whois tells us that the domain is very fresh as it was created on Dec 4, 2011 through GoDaddy.

McAfee’s Threat Intelligence and MalwareDomainList do not have identification data (yet) for this URL.

However, Wepawet finds some interesting results:

ipadzu(dot)net seems to be yet another site hosting one of those numerous Free iPad2 scams that are running rampant on Twitter. WOT gives it a poor reputation:

This shows once more why it is unsafe to click on URLs, shortened or otherwise, before doing some basic checks.

During the course of this investigation, no animal was harmed. However, it seems that LongURL have some funny results to say the least:

Sorry Mehana, I am not interested in your free iPad 2 and I’ve flagged you as a spammer with Twitter.

Thoughts on Security Practices and the Consumerization of IT

Wed, 16 Nov 2011 10:08:43 +0100

Tim Rains, Director of Trustworthy Computing Communications at Microsoft, has published an interesting post on TechNet pertaining to the IT consumerization wave that is hitting enterprises at full force and the difficulties these companies face to deal with it.

Tim refers the 14th annual Global Information Security survey from E&Y.

The following excerpt, cited by Tim, is a telltale sign of enterprises groping for answers on how to address these consumer-grade devices in the corporate network (emphasis added):

our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

The vast majority of respondents try to tackle the issue from a security policy and awareness perspectives. 3rd comes encryption as many CISOs and CSOs try to concentrate on the data rather than on the equipment.

By approaching the problem from a data-centric point of view, they aim to isolate and protect corporate data stored on BYO devices. Sadly a well-known fact of information security is that whoever controls the device controls the data. Building a castle in uncharted territory is an ill-advised strategy.

I am not saying that data-centric approaches are useless. I am saying that they are not sufficient and must be complemented by a threat-centric approach as championed by Richard Beijtlich.

We should be monitoring what goes in and out of these devices and beef up our incident response capability to act swiftly in case of data exfiltration and other significant threats to brand image, business data and intellectual property etc.

Unsung HEROes

Fri, 28 Oct 2011 09:04:25 +0200

IT departments all over the World have a reason to mourn. They have been urged by Forrester Research to support Macs.

What Forrester Research purports as a new era of computing has been here for years but they were blinded by their strong Microsoft/PC inclinations.

They seem to take notice. At last. But in their haste to make this old movement look new, they invented yet another term for what has already been coined BYOD (Bring Your Own Device).

Now, we are told, Mac users should be called HEROes:

“HERO,” it turns out, is a Forrester acronym for Highly Empowered and Resourceful Operatives — “the 17% of information workers who use new technologies and find innovative ways to be more productive and serve customers more effectively.”

Stop rubbing your eyes out of utter disbelief. You aren’t dreaming. HEROes. Highly Empowered and Resourceful Operatives.

We will never stop getting surprised at how imaginative marketoids are.

Les Mc Cann playing Love for Sale from the 1969 album Much Les....

Thu, 27 Oct 2011 15:07:02 +0200

Les Mc Cann playing Love for Sale from the 1969 album Much Les. Got it on LP in near mint condition from the awesome Betino’s Record Shop in downtown Paris.

Reading The New York Times, The 2.0 Way

Tue, 13 Sep 2011 11:34:18 +0200

I enjoy reading The New York Times on the iPad much more than on any other device or browser. The NYT iPad application is very well designed and offer the much-touted ‘immersive’ experience many iPad users talk about.

‘Immersive’ applications are nothing new. This is what we may call full-screen apps without resorting to Gartner-like buzzwords. And full-screen applications have existed for a long time. However, the iPad takes them to the next level as Windows decoration, scroll bars, notifications coming from other applications like the dreaded “you have a new message” pop-up and everything else that may cross your focus line is taken away.

When I can’t use my iPad and instead sit in front of my ‘traditional’ workhorse of a laptop I’ve been struggling to find a way that would mimic as much as possible the NYT experience on the Apple tablet.

Let me step aside for a moment as I want you to note how the tables are being turned and how I use ‘traditional’ as an adjective when thinking about my almost last generation MacBook Pro laptop. Apple and, possibly, others are creating a whole new way of computing. Look at the upcoming Windows 8 operating system and you won’t fail to notice how serious Microsoft is about the tablet approach (let’s hope they get it right this time). As a result, I am growing unhappy lugging around 3.5 Kg worth of hardware, dealing with window placement, turning off as much notifications as possible and so on. I have to fight for my right to focus on the task at hand. Computing is a means to an end.

Anyway, back to the main track. I’ve been frequently using Google Chrome for more than a year now and I am satisfied with it. Performance is snappy, security is satisfactorily addressed and useful extensions are out there. Which brings me back to the main topic. The NYT have created a wonderful extension for Chrome that does mimic the iPad application as you can see.

Simple, streamlined and efficient. Isn’t that beautiful design? That’s computing at our service and not the other way around. And hopefully we’ll see more of it in the next years.

C’mon Apple! Why have you made these boxes checked by...

Fri, 29 Jul 2011 22:49:00 +0200

C’mon Apple! Why have you made these boxes checked by default on OS X Lion, even after the iOS tracking mess?

Cert-IST 2011 Annual Forum

Mon, 27 Jun 2011 21:16:00 +0200

I had the opportunity to attend the Cert-IST 2011 Annual Forum held on June 7, 2011 in Paris, France.

Cert-IST is a French CERT dedicated to the Industrial, Services and Tertiary sectors. They organize a yearly annual forum. Last year’s edition was mildly interesting. The most interesting presentation IMHO was given by a security professional working for Sanofi-Aventis about how they conducted their security awareness programs. In comparison, it would be an understatement to call this year’s edition an interesting conference as most presentations were really thrilling.

First of all, let me apologize to my non-French speaking readers as all the presentations were made in French. This year’s theme was “Security and Modernity: a Challenge for the Enterprise?” and questioned the numerous technologies and trends from the standpoint of security professionals, be it the Cloud™, the smartphone invasion, the traction that the BYOD (Bring Your Own Device) movement is gaining in the enterprise, social networks, or APT attacks.

There have been quite a number of very interesting presentations such as:

Keynote “Security and Modernity” by Antoine GARAPON, Judge: CISOs continue to view Information Systems as a territory to defend while attackers act as sea pirates. They view the Internet not as land but as a body of water where they can sail, looking for preys. It is necessary that we, security professionals, look for a middle ground and get out of the “forbid everything not absolutely necessary” mindset. Otherwise, we won’t be able to cope with the challenges that we are facing (think new technologies).
National Strategy for Cyber Defense by Patrick PAILLOUX, General Manager, ANSSI: very interesting feedback on the French Ministry of Finance’s attack and the resources ANSSI allocated for incident response. The attacks were not sophisticated but their perpetrators had important means and were highly organized. Mr. PAILLOUX insisted on the necessity of having a CERT-like capability or at least some sort of incident response in every company to help cope with the new threat landscape.
Securing Mobile Devices for Enterprise Usage by Jean-Marie MELE, Security Engineer, France Telecom Orange: very good presentation on the technical and legal issues pertaining to BYOD (Bring Your Own Device). In France, a personal device is the property of its user even if it is used in a professional context. As such, it cannot be audited or submitted to a pentest without the consent of its owner. A number of Android vulnerabilities were also cited. It is necessary to follow such trends and adapt to them or risk being completely bypassed.
Cloud Computing: Legal Questions by Jean-Marie JOB, Attorney: excellent presentation on the legal aspects of Cloud Computing. Who is responsible of data processing (and thus must make sure that personal data is processed according to the French law)? What are the important points to keep in mind before moving to the Cloud? What happens if personal data is handled outside of the EU?

If you’d like to dig deeper, read my full account (in French) and/or download the presentation materials online.

"We’ve seen several dozens of malware targeting Android over the last year. We’ve never..."

Thu, 02 Jun 2011 09:09:46 +0200

“We’ve seen several dozens of malware targeting Android over the last year. We’ve never seen a single malware targeting standard iPhones.”

- Mikko H. Hypponnen, Chief Research Officer, F-Secure

A short definition of APT (Advanced Persistent Threat)

Thu, 19 May 2011 11:40:02 +0200

There have been a lot of discussions involving APT (Advanced Persistent Threat) attacks. Many abuse this term to define any sufficiently advanced attack, no matter the motives of the attacker and as long as the attacked party is a high profile company or any organization that can get the information security community’s attention.

Please note that depending on whom you ask, sufficiently advanced is a widely fuzzy qualifier and must not be considered as a valid definition given the bias that is introduced, voluntarily or not, by the involved parties.

That said, I believe that all APT attacks share something in common, as written on page 69 of the IBM X-Force 2010 Trend and Risk Report:

the key is that the attacker is dedicated to maintaining a persistent capability to extract data.

Another good and far more complete definition of APT has been proposed by Richard Beijtlich in early 2010. Richard now works for MANDIANT, a company that seems to have an extensive experience in dealing with such attacks.

Light: On The Sound Side

Sun, 24 Apr 2011 21:24:51 +0200

A few days ago, I’ve received a wonderful record from The Numero Group, one of my favorite labels. It’s called Light: On The South Side and it features a 2 LP gatefold vinyl and a 132 page hard back book.

The 2 LPs are a compilation of 17 tracks of the kind of funky Chicago blues that was played in Chicago’s South Side clubs in 1975-77 and the hard back book features some incredible pictures taken by Michael L. Abramson, a white guy in that massively black neighborhood. The pictures show the crowd, not the artists, that haunted those joints back in the day. There were some incredible cats and ladies in those places. The music is captured in a ‘raw’ fashion. You could hear a hiss now and then, some background noise and other details that makes you travel back in time without living the comfort of your sofa.

While most of the selection is very good, a few tracks stand out such as Andrew Brown’s You Made Me Suffer:

Such is the power of music and pictures. Together they can create the necessary conditions to make history real and restitute a long-gone atmosphere.

"Root cause of attacks isn’t vulnerabilities, its economics. The data is economically valuable,..."

Thu, 31 Mar 2011 09:56:36 +0200

“Root cause of attacks isn’t vulnerabilities, its economics. The data is economically valuable, therefore the attack is worth money to do.”

- Adam J. O’Donnell

expose: Mazamet Ville MorteIn 1972, road accidents caused...

Tue, 01 Mar 2011 21:49:38 +0100

expose:

_{_{Mazamet Ville Morte
In 1972, road accidents caused 16,770 deaths in France. In the town of Mazamet which had a population of 16,610 at the time, journalist Michel Tauriac depicted its entire population lying down on its roads.}}

On The Usefuless of Light Meters In Photography

Tue, 01 Mar 2011 09:53:31 +0100

Last year, Sascha Welter convinced me to trash my digital Nikon D90 camera and get a ‘real’ camera instead, a Mamiya C330 Professional (yeah, that “Professional” tag on the front of the camera makes you feel good but won’t improve your photography skills in any sensible way).

This venerable, sturdy camera was produced from 1969 to 1974 and it makes square (6x6) exposures. It has no light meter, no auto focus and no thousand option menu that requires a rocket scientist to operate. Indeed, this is a wonderful tool for actually taking pictures instead of having to digest a 3000 pages long manual and brag about it in tearooms.

So how would you do to get the ‘light’ right as there is no light meter? Of course, this is not a digicam. So you can’t shoot a picture at every f/stop and hope you get one right. This camera takes rolls. Either 12 or 24 exposure rolls. So every shutter release counts (as in money). The rule of thumb is to rely on the age-old Sunny f/16 or, even better, its expanded version (courtesy of Sascha).

This is how I got started. This is how I rediscovered photography and started really enjoying it instead of worrying about menus, options, RAW vs. JPEG, histograms and every other thing that gets in the way of what should be a simple, straightforward pleasure down the composition path.

After some time, experience kicks in and Sunny f/16 starts to be engraved in your brain. So your “guessing” gets better. But at times, for example in the evening or inside a shop, “guessing” is about as useless as sleeping on the floor, letting your cat get your bed in the hope that Chinese rice will be better this year. Well, yeah you could wait until the daylight with your subject or if you were inside a shop, ask the shopkeeper to temporarily remove the roof.

So I got a Sekonic Twinmate L-208 light meter and took it for some field testing during a recent trip I made to Prague. Earlier this morning, I had the chance to have a quick chat about it with Sascha on IRC (yeah, I know, the cool kids in town use Facebook nowadays). Here is an excerpt of our conversation:

Sascha: don’t you think you would have had the same result with “guessing” in those conditions?
Saad: you want my sincere, unbiased opinion?
Saad: provides a mucho better experience
Sascha: hehe, yeah
Saad: the lightmeter takes away some of the fun
Sascha: the light meter is good for when you run out of guessing, e.g. inside a shop
Sascha: just continue with guessing and use the light meter only when really needed
Sascha: before Xmas I was with XXX at the place of one of her uncle’s - an old dude who used to do a lot of photography
Sascha: when I was measuring in the dining room at one point he predicted what I’d measure - and he was right to the 1/3 stop
Sascha: it’s all a matter of experience
Sascha: if you lived through times when light meters were inaccurate and too expensive to be really available, you’d use a table till you learned it by heart
Sascha: and you’d remember your exposures and thus learned what worked and what didn’t
Sascha: so you got the experience

Needless to say, I agree :-)

Disco Stones

Wed, 16 Feb 2011 18:06:14 +0100

Disco Stones:

ligertigerlove:

ligersntigers:

Another song from Some Girls

The Stones get a little disco.

"One of the things about design that makes it such a joy is that it requires balance. If elements are..."

Thu, 10 Feb 2011 08:05:59 +0100

“

One of the things about design that makes it such a joy is that it requires balance. If elements are too large, each change will be more expensive than it needs to be. If elements are too small, changes will ripple across elements. And optimizing the design takes place against the backdrop of an unpredictable stream of changes.

—Kent Beck on Coupling and Cohesion

”

- http://feedproxy.google.com/~r/37signals/beMH/~3/swSXGIWSKrA/2766-one-of-the-things-about-design-that-makes

"Show me one CISO who can deinstall — and write-off — a fully deployed enterprise security product..."

Wed, 12 Jan 2011 10:14:11 +0100

“Show me one CISO who can deinstall — and write-off — a fully deployed enterprise security product because the marginal utility it contributes is not worth the complexity cost it engenders.”

- Digital Affluence Is Making Us Less Secure, Dan Geer, CISO, In-Q-Tel