Wednesday, January 20, 2010

Reduce the number of technologies, not of providers!

In some of the companies I've visited over the years, there was an internal policy that seemed strange to me: when contracting with providers of goods or services, employees should try to keep the number of providers as small as possible.
It's not the policy in itself that seems strange to me, it's the fact that it is also applied to IT goods and services.

Basically, the policy relies on the two ideas below:
  1. With fewer providers, you can purchase more of the same and negotiate a better price next time.
  2. With fewer providers, you can establish true relations of trust and avoid gaps between what's asked and what's provided.
That would mean that the cost per unit decreases if you stay with the same provider:
However, it relies on the three following assumptions:
  1. Purchasing from a specific provider will affect the prices of other providers only downwards, and only slightly. This is wrong in IT, because the cost of moving to another provider is very high, due to software and hardware incompatibilities.
  2. You can negotiate with providers. This is wrong in IT, because you're always dealing with big international companies. If they let you negotiate, it's within an area they have already thought through.
  3. A true relationship of trust brings a really better service from the providers. This is wrong in IT, because the hardest part is always operating a product or service, not purchasing it. A good relationship with the provider only marginally increases quality.
In fact, because of incompatibilities, once you've moved toward a provider, the cost (not the price) of moving to something else shoots up. It will require time and money, and will probably require you to throw away what you built the first time.
Knowing that you can't move anymore, the provider you chose has a free hand to increase prices.
That's what happens in reality:
So, to my mind, the policy of reducing the number of providers is detrimental to IT services.

However, the real difficulty comes from integrating very complex technologies, designed very differently, born in very different companies or universities, and best handled by people outside your company (either service providers or software vendors). So I think it is a good policy to maintain a list of the technologies you use, with the (in)compatibility links between them, and to think carefully before adding one to the list.

Saturday, December 19, 2009

1-factor authentication in the Matrix

I just remembered the way Seraph tells Neo in the Matrix, "You do not truly know someone until you fight them," and I was trying to sort the fight that follows into one of the typical categories of authentication:
  1. Check what someone has.
  2. Check what someone knows.
  3. Check what someone is.
when I realized that in the precise context of the Matrix, in the case of Neo, categories 2 and 3 are the very same.
  • Neo is the One because he knows he is the One.
  • Being the One, Neo knows he is the best kung fu fighter.
  • Knowing he is the best kung fu fighter, Neo is the best kung fu fighter.
He is because he knows, and he knows because he is. Seraph indeed performs a 1-factor-only authentication to check that Neo is the One.

-+- The little joys of security thinking! -+-

Thursday, December 3, 2009

Vulnerability in VPN/SSL platforms: so what?

The US-CERT points out that using a VPN/SSL to access arbitrary web sites circumvents the security features of modern browsers.

I have an odd sensation of being in a troubled IT/ITsec world when I read that. What seems so strange to me is not the vulnerability, it's that it takes a US-CERT advisory for people to notice.

I mean... For years the web has been struggling to build protocols like HTTPS (and to get the mainstream browsers to support it correctly). And we hear every day that even though the protocol is a jewel in itself, it is not sufficient for security. That's why we have vulnerability reports for browsers, anti-phishing features, certificate authorities, etc.

Now we build a new tool that handles web sites and forwards them to and fro, and we should think that it does not deserve the same amount of care and time to mature? No, no, no...
Big expert organizations like Microsoft, Google or Mozilla struggle with it; why should Cisco, Juniper or SafeNet get it right the first time?

Pessimistic: It's always the same game. You build something strong and then you build it anew, making the same mistakes. And every time you get surprised.

Optimistic: Now that the vulnerability is public (I thought it always was!) maybe the VPN/SSL makers will improve their products.

Realistic: If you use the intranet from the Internet, you should be prepared to handle the security of the intranet as if it were exposed to the public. That means, for instance, investing some time in understanding a VPN/SSL product before entering wildcards in its policies.

EDIT 12/04/2009: Cisco says it very well ^^
"Administrators are advised to configure clientless SSL VPN sessions so that only trusted internal networks are accessed using the VPN session. All other connections should be accessed without using the SSL VPN session."
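As an added example (mine, not part of the original post and not any vendor's tool), the Python audit below applies the Cisco advice above to a clientless SSL VPN URL allow-list: entries that match any host or point outside the internal networks are rejected, and wildcards under a trusted domain are flagged for review before they go live. The list format, the trusted suffix `.example.corp` and the `10.0.0.0/8` range are constructed assumptions; a real product's policy syntax differs and would need its own parser in front of `classify_entry`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed trust boundary for the example: the internal DNS suffix and
# the internal address range that the VPN session is allowed to reach.
TRUSTED_SUFFIXES = (".example.corp",)
TRUSTED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)

# Constructed sample allow-list, in an assumed "one URL pattern per entry"
# format; this is not any vendor's policy syntax.
SAMPLE_POLICY = [
    "https://intranet.example.corp/",
    "https://10.20.0.5:8443/reports",
    "https://*.example.corp/",
    "http://*/",
    "https://*",
    "https://mail.example.com/",
]


def classify_entry(entry, trusted_suffixes=TRUSTED_SUFFIXES,
                   trusted_networks=TRUSTED_NETWORKS):
    """Return (verdict, reason) for one allow-list entry.

    'reject' means the entry would let the VPN session reach arbitrary
    sites, 'review' means a wildcard stays inside the trusted domain but
    still deserves a human look, 'allow' means a named internal target.
    """
    parts = urlsplit(entry)
    host = (parts.hostname or "").rstrip(".")
    if host in ("", "*"):
        return "reject", "matches any host: the session becomes an open web proxy"
    if host.startswith("*."):
        suffix = host[1:]
        if suffix in trusted_suffixes:
            return "review", f"wildcard under trusted domain {suffix}; confirm every subdomain is internal"
        return "reject", f"wildcard under untrusted domain {suffix}"
    if "*" in host:
        return "reject", "wildcard inside the host name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in trusted_networks):
            return "allow", f"{addr} is inside a trusted internal network"
        return "reject", f"{addr} is outside every trusted internal network"
    if any(host.endswith(suffix) for suffix in trusted_suffixes):
        return "allow", f"{host} is under a trusted internal domain"
    return "reject", f"{host} is not an internal name; reach it without the VPN session"


def audit_policy(entries, **kwargs):
    """Classify every entry; returns a list of (entry, verdict, reason)."""
    return [(entry, *classify_entry(entry, **kwargs)) for entry in entries]


def rejected_entries(entries, **kwargs):
    """Only the entries that should be removed before the policy is deployed."""
    return [entry for entry, verdict, _ in audit_policy(entries, **kwargs)
            if verdict == "reject"]


if __name__ == "__main__":
    for entry, verdict, reason in audit_policy(SAMPLE_POLICY):
        print(f"{verdict:7} {entry:36} {reason}")
```

Run as a script it prints one verdict per line; in a deployment pipeline you would call `rejected_entries` on the exported policy and fail the change when the list is non-empty. Host names are matched on their DNS suffix only, so a host that resolves to an external address despite an internal name would need an extra resolution step that this example deliberately leaves out.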

Common antivirus products disabled within minutes

It was the subject of a contest organized by ESIEA, the French engineering school for IT (and other disciplines). Results are available as slideshows at this address.

Summarizing roughly, the most common antivirus products (McAfee, Norton = Symantec, Kaspersky...) can be disabled within minutes by a clever virus writer.

Shredding files mostly useless (review)

Bruce Schneier points out that filesystems sometimes get in the way of secure file deletion.

I blogged about that six months ago (second point in that post) after checking my understanding of the question with the developer of Inferno.

I have since heard similar stories quite a few times, either about software such as filesystems or recovery systems, or about hardware such as flash memory, which place the content of a file in arbitrary locations. It seems to be a fairly well-known fact among people who have spent time on the matter.
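To make that failure mode concrete, here is an added example (mine, not code from the post or from Inferno) that models in Python how a wear-levelling flash translation layer handles writes: every write of a logical block goes to a fresh physical page and the old page is merely marked stale, so an overwrite-based shredder changes what the host reads back while the original bytes stay on the medium until the controller's own garbage collection reaches them. The same picture applies to copy-on-write and journaling filesystems, where the "old" data also lives on in blocks the application never addressed. The class, page sizes and pattern passes are constructed for the demonstration, not taken from any real controller.

```python
class ToyFlash:
    """Minimal model of a flash translation layer (constructed, not a real one).

    Logical block addresses map to physical pages. A write never goes in
    place: it takes a free page, updates the mapping and marks the previous
    page stale. Stale pages are erased only when the free list runs out
    (or when the whole medium is erased), never because the host overwrote
    the logical block.
    """

    def __init__(self, pages=16, page_size=8):
        self.page_size = page_size
        self.physical = [bytes(page_size)] * pages   # raw medium contents
        self.stale = [False] * pages                 # superseded, not yet erased
        self.free = list(range(pages))
        self.mapping = {}                            # lba -> physical page

    def _reclaim(self):
        # Garbage collection: erase stale pages so they can be reused.
        # Real controllers do this on their own schedule, not on request.
        for page, is_stale in enumerate(self.stale):
            if is_stale:
                self.physical[page] = bytes(self.page_size)
                self.stale[page] = False
                self.free.append(page)

    def write(self, lba, data):
        data = data.ljust(self.page_size, b"\0")[: self.page_size]
        if not self.free:
            self._reclaim()
        if not self.free:
            raise RuntimeError("medium full")
        page = self.free.pop(0)
        if lba in self.mapping:
            self.stale[self.mapping[lba]] = True   # old copy kept, only flagged
        self.physical[page] = data
        self.mapping[lba] = page

    def read(self, lba):
        return self.physical[self.mapping[lba]]

    def raw_dump(self):
        """What a forensic read of the raw chips would see, mapping ignored."""
        return b"".join(self.physical)

    def erase_all(self):
        """Whole-medium erase, the only operation the post considers worthwhile."""
        count = len(self.physical)
        self.physical = [bytes(self.page_size)] * count
        self.stale = [False] * count
        self.free = list(range(count))
        self.mapping = {}


def shred_logical_block(flash, lba, passes=3):
    """Classic multi-pass overwrite of one logical block, as a shredder would do."""
    patterns = (b"\x00", b"\xff", b"\x55")
    for i in range(passes):
        flash.write(lba, patterns[i % len(patterns)] * flash.page_size)


def residual_copies(flash, secret):
    """How many copies of `secret` survive on the raw medium."""
    return flash.raw_dump().count(secret)


def demo(secret=b"passw0rd"):
    """Returns (copies before shred, copies after shred,
    secret still visible through the mapping, copies after full erase)."""
    flash = ToyFlash()
    flash.write(0, secret)
    before = residual_copies(flash, secret)
    shred_logical_block(flash, 0)
    after_shred = residual_copies(flash, secret)
    visible = flash.read(0) == secret
    flash.erase_all()
    after_erase = residual_copies(flash, secret)
    return before, after_shred, visible, after_erase


if __name__ == "__main__":
    print(demo())   # the shred hides the secret from read() but not from the raw chips
```

The point of the model is the gap between `read()` and `raw_dump()`: after three passes the host sees only the last pattern, yet the original page is untouched until garbage collection happens to recycle it, and that moment is outside the host's control. Shrinking the medium to two pages in the test shows the other side: once the free list is exhausted, reclaim erases the stale page and the secret does disappear, which is exactly the unpredictability that makes file-level shredding unreliable on such media.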

To my mind, apart from shredding entire drives when the hardware is disposed of or passes from one user to another, companies should not waste time on shredding.

Of course, I guess Bruce Schneier would argue about encryption, rather than deletion :-)

Tuesday, November 24, 2009

How would I steal IDs and passwords from people?

I've been asked a question by a former classmate (or rather he challenged me) to give a proposal to steal IDs and passwords from people with little danger for me and little required technical knowledge from me.
Here's my proposal, I don't know whether it's new at all, I guess it's not. It's purely virtual, I've not tested anything like this.
  1. I go to a place where people use laptops: train stations, a home apartment in a crowded city or a job place where the Internet access is not given to all employees.
  2. I create an unprotected wifi access point, open to all. And I keep listening when someone does connect. It may take time, but that's not part of the given problem so I'm assuming I've got time.
  3. I count on the fact that at least one service the victim will use is not secured via SSL or similar. So when that happens, I just take note of the login/password couple.
  4. Then I go and try the login/password in other applications such as Facebook, Gmail, MSN, online stores and so on. As most people use the same passwords for many applications, I think it could be a correct ratio of success.

Friday, November 6, 2009

Friday liberty blogging - I'm French and that's something

It might be unknown to my non-French readers, but the French government is currently flooding the media with questions about French identity. What is it to be French?

They also use the fuss to cover up their shameless, unprincipled immigration practices, but that won't be the subject of the present post.

The subject is French identity, and I would like to elaborate on it, because I'm one of the lucky ones here who have spare time and spare thoughts to ask such questions and try to answer them. When my friend Thierry Kakouridis wrote an article about the matter (FR), I thought I had to reply to it.


France is a melting pot of people with various views and cultural heritages. It is not one. For instance, several values are deeply written into the culture of my native region that are not always shared elsewhere in France:
  • Anti-clericalism: People can believe whatever they want as long as it does not encroach upon my life and my political freedom. If it does, they, not I, have to withdraw.
  • Ability to live on one's own: You will be well-considered if you don't require help. You'll still be welcome if you do require help, but you won't be thought of so highly.
  • Giving one's word: Something said is just as good as something signed in black and white on paper.
And I did inherit these values from living there for twenty years. Yet, as I said, these are not prominent values everywhere in France. So which should be the values of the French? First of all, I think there is freedom of ideas. Foreigners are often surprised at the way the French take the liberty to interpret non-negotiable things. Whether it be the law, religion or management theories, the French often take from it only what they want. And if you ask them why, they always have a good (yeah, or bad) explanation for it.

This is one of the basic freedoms that people from Western democratic countries enjoy. And that's a freedom that can only be taken from you if you don't use it enough.

For this freedom to be within reach of a humble citizen, it requires:
  • A culture that values culture above wealth,
  • A culture that values thinking above believing,
  • And the associated society that preserves and enriches this culture.
I think other freedoms are less important to the French. We cannot be French without allowing ourselves to think freely about things of interest.

We also have equality and fraternity in our national motto. To me, this relates to two other main components of the French conscience:
  • The hatred of hubris. Not all the French believe in a God up there, but all the French agree that there is no God down here. The excess of pride that leads one to think of oneself as a God and to behave as such is un-French. It is considered a disease that can affect both individuals and nations.
    For instance, the French renounced the death penalty. We mostly consider that a nation has no divine right to claim lives.
    That is, to my mind, the meaning of the word equality in our motto: none of us is a God.
  • The meritocracy. While we enjoy equality of people in rights and dignity, we clearly know that we are different and have different skills. And none of us can claim to be good at everything. Yet, we believe in the need to live and work together. And this means that we have to know and reward the merits of each. And this goes not through money but through respect and consideration from others.
    This is precisely why the French are outraged at the idea of a film maker being treated as a common burglar, or at the idea of their former president being thrown in prison.
    Sure, the law is equal for all, but combined with the fact that all the French choose for themselves which laws to apply and which not, meritocracy is commonplace in France. You get "powers" from being known for your past achievements. In exchange for these powers, you have to continue to serve the nation well. We know that we are not working against each other, but rather for each other.
    That is, to my mind, the meaning of the word fraternity in our motto.
To answer Thierry's underlying questions:
  • Yes, one is first of all what he/she wants to be. And most of the French want to be French rather than regional or European or other. And that's precisely why there is such a fuss about national identity right now: the French do feel that their identity is at risk. (To my mind that's more because of the current government than because of the immigrants. And some people are thinking the wrong way, because of fear or ignorance. That part is indeed a French failure.)
  • There could be some confusion about Theodore Roosevelt's words. It could be misinterpreted as a call for "cultural purity". It's not. It's a call for everyone to adhere fully to the identity. And as such, the American president's words match my feeling about the French integration style. You can be more than French, but you cannot be half-French.
    There is no room for hyphenated Frenchism or reduced Frenchism, but there is plenty of room for people to bring in additional cultures from whatever source nationality.