Tuesday, March 31, 2009

Is Windows 7 closed-source?

It seems easy for the people allowed to test Windows 7 to leak it. My question now: how easy is it for some insider to leak the source or parts of it? I would rather say it's quite possible for a project this size and a company this size.

Now, what about the argument of secrecy? Has security through obscurity twilight a meaning?

Shredding files [2/4]: Shredding empty space

Once you understand that there are shadow copies of your files of value, you get it that it's useless to shred files, as is often recommended, though.

So what's next, how to ensure your files are not recovered? At this point in our reflexion, the problem is that there are confidential bytes in the "empty" space of the hard drive. So, some software provide a tool to "shred" the whole of the empty space. Here, we mean that it will browse the full length of the empty part of the disk and cover it with random patterns, to remove all chances of recovery of the previous data.

The good point is: theoretically it works. The bad point is: practically, it's unmanageable because it means using those random patterns on the size of the empty space of your hard drive. Like dozens of gigabytes. So it takes very long.

The good practice becomes: tell your top management to bring in their laptops for a good shred, before they go to a risk area (like travelling abroad to negotiate contracts). The bad practice is: present your executives with the tool and tell them to do it themselves regularly.

Sunday, March 22, 2009

Why it's useless to "shred" files, most of the time

It's becoming common knowledge that a file can be recovered from the hard drive even after being removed. The basic idea is that a file = a container + a content.

When you remove the file, the operating system (whether it be Windows or Linux or else) destroys the container but keeps the content. So the actual bytes of your file remain on the hard drive. And a myriad of software (most with a shareware license) have grown to sell you the idea that by writing zeroes or random patterns over the content, it will make it unrecoverable. That's theoretically true.

A file shredder by Lavasoft

The problem is that the soft only destroys what you ask it to. So if there is another copy of the file, that you don't know about, that one will still be available for recovery. And that's the problem with all of MS Office software (and other office suites). These office applications create backup copies to recover if (ever) there is a crash.
And you don't ask the shredder to shred them, so they remain on the hard drive, even if you shred correctly the main file. (You can't shred them, because 1° they're necessary 2° you don't know where they are 3° that would be a long job.)

As a conclusion, if you use your shredder for office files such as .doc, .xls and so on, just drop it, it's useless.

Articles about Geekonomics - delay

I told to some of my readers that I would write a series of articles on Geekonomics: The Real Cost of Insecure Software, by David Rice. This excellent book attacks the macroscopic questions of why software is so insecure and how to secure it.

I have lent this book and will be late (gosh, I am already late), till I get it back.

Saturday, March 21, 2009

The French police* reduces IT staff by 17% by using opensource

*not exactly police, here we speak about the "gendarmerie", which is a military body of 105,000 gendarmes ("men-at-arms") dedicated to protection missions, in France mainland, in the overseas areas, and also abroad.

With agreement from the original author, Xavier Guimard, Lieutenant Colonel in this army, I translated into English the presentation he gave in Utrecht, Netherlands, about this shift in policy and its results.

The original presentation, in French, can be found here.

Please read the document itself, but to make it short, the change was deep, it was motivated by cost reduction, and it produced outstanding results. The document also quotes logging, good integration with a SSO and open standards as factors for the overall excellent security.

Friday, March 20, 2009

10,000 Romanians spied upon by their employers

The news comes from the daily newspaper cotidianul.ro (RO).

The application is named Cyclope, developed by Amplusnet, a Romanian company, and works on all Windows stations. It reports things such as the time spent on some filetypes, the time spent surfing the web and integrates with notions such as overtime hours, in order to provide HR with detailed information, not only on the statistical level but also on the personal one.

The current size of the target is roughly 10,000 employees in Romania and, according to Amplusnet, 50,000 employees in other countries.

Let's take this opportunity to remind that such spying upon employees is not legal everywhere. In Europe especially, different laws exist to make sure that the workplace doesn't become a hell. In France, the monitoring of employees is allowed only in a very strict legal framework (FR). In Switzerland, spying upon employees at work is completely illegal (FR). In Romania, there is more subtlety. Cristian Ducu has examined the matter (RO).