Monday, November 15, 2010

3 Watersheds in Computer Security

Posted on Bruce Schneier's Cryptogram about a recent talk by Whitfield Diffie:

The first was the invention of the radio. Pre-radio, the most common communications security device was the code book. This was no longer enough when radio caused the amount of communications to explode. In response, inventors took the research in Vigenère ciphers and automated them. This automation led to an explosion of designs and an enormous increase in complexity -- and the rise of modern cryptography.

The second watershed was shared computing. Before the 1960s, the security of computers was the physical security of computer rooms. Timesharing changed that. The result was computer security, a much harder problem than cryptography. Computer security is primarily the problem of writing good code. But writing good code is hard and expensive, so functional computer security is primarily the problem of dealing with code that isn't good. Networking -- and the Internet -- isn't just an expansion of computing capacity. The real difference is how cheap it is to set up communications connections. Setting up these connections requires naming: both IP addresses and domain names. Security, of course, is essential for this all to work; DNSSec is a critical part of that.

The third watershed is cloud computing, or whatever you want to call the general trend of outsourcing computation. Google is a good example. Every organization uses Google search all the time, which probably makes it the most valuable intelligence stream on the planet. How can you protect yourself? You can't, just as you can't whenever you hand over your data for storage or processing -- you just have to trust your outsourcer. There are two solutions. The first is legal: an enforceable contract that protects you and your data. The second is technical, but mostly theoretical: homomorphic encryption that allows you to outsource computation of data without having to trust that outsourcer.

Diffie's final point is that we're entering an era of unprecedented surveillance possibilities. It doesn't matter if people encrypt their communications, or if they encrypt their data in storage. As long as they have to give their data to other people for processing, it will be possible to eavesdrop on. Of course the methods will change, but the result will be an enormous trove of information about everybody.

Security quirkiness at Akshardham

I had been to the Akshardham temple at Delhi recently and must say that it is one of the most beautiful temples I have ever seen. I would rate it on par with my Taj Mahal trip earlier this year. It is a must see for anyone visiting Delhi. The security is very high, probably due to the past attack on the Akshardham temple in Gujarat. No electronic items including phones or cameras are allowed. Security checks are similar to those at airports. Some observations:

1) Belts are not allowed to be worn through security check. Apparently, belts interfere with the new full body scanners installed at various airports. But guess what, there are no full body scanners at Akshardham!

2) Multi-factor authentication: Bags greater than the size of a small ladies' purse are not allowed inside. We had to deposit our belongings filling up a form and received a token in exchange. To receive the items on our way back, we had to provide the token and speak out the name and telephone number we earlier entered on the form. God help those who specified numbers that they do not remember and that are stored on the deposited phone's contacts list.

Monday, August 09, 2010

Kashmir

I have been troubled reading a number of stories and watching debates on the recent Kashmir protests. There is not one Kashmiri that believes a political solution is not needed. They are inclined towards independence from Indian rule. You start thinking if India is doing to them what the British did to the Raj pre-independence. My impression of India trying to bring a progressive Kashmir to the mainstream is going for a toss. The intentions are there but the execution is similar to every other project in India. Lack of will, bureaucratic, filled with corruption and worse, a lack of regard for the public. It is like waking up from a dream of 30 years. How much longer should we live in this illusion?

Here is a letter from a Kashmiri journalist based out of New York.

An Indian familiarization tour has been conducted by the Indian army for the Kashmiri youth.

Wednesday, April 07, 2010

Sports crazy

The deluge of IPL-3 is all over me. Although I decided not to follow it this year, for a multitude of reasons that I will not delve into now, it is hard to be a pariah when it is the talk of the town. I at least wanted to be neutral and simply appreciate good cricket but alas that became another broken resolve. My proclivity to the Chennai Superkings could not be curtailed, especially now that it is doing well.

I was wondering what makes a sports crazy fan. Why does it become crazier when the team is doing well? I guess it is to do with success that comes along with it. The success of the team becomes the success of the fan for some reason. The fan feels a sense of tremendous achievement/accomplishment leading to a big surge in the feel good factor. Just my 2 cents.

Thursday, March 18, 2010

Wildcats on a roll

The University of Kentucky men's basketball is one of the strongest basketball programs in America with over 2000 wins, the most by any college basketball team. It has a total of seven national championships and many Final Four appearances.

In recent times it has been spiraling downwards with the nadir being unable to even qualify for the NCAA tournament. So come the 2009-2010 season, it was not on my sports radar till Coach John Calipari was hired and he brought with him freshmen John Wall, DeMarcus Cousins and Eric Bledsoe. The media was abuzz with John Wall and there were videos showcasing his skillful play all over the Internet. He is being touted as a #1 pick for the NBA draft this season. The team did live up to its expectations, driving all fans wild with a 31-2 winning run this season, winning the SEC tournament, SEC championship and earning a top seed for the NCAA tournament.

They have now won their first round of the NCAA tournament and proceed to the round of 32 where they will meet Wake Forest. My best wishes to the team that I am currently addicted to following.

Saturday, February 13, 2010

Terror in Pune

We were on our way back from an extended stay at Crossword, Saurabh Hall driving through Bund Garden around 8:00 PM on Feb 13th. We had dinner plans at a Chinese restaurant in Koregaon Park and would have had to pass through German Bakery. As we went past Ruby Hall Clinic, we saw police personnel and ambulances. There was a lot of traffic on our side and we were driving bumper to bumper moving a few feet every few minutes. We then spotted police vehicles and an ambulance come on the opposite road. We presumed some VIP was being hospitalized. My friend Kishore called and informed us of the blast. We immediately called home and assured everyone that we were okay. We took a diversion through Nagar road and then reached home an hour later.

Today morning I was watching Chidambaram's press conference. I have tremendous respect for his work and I hope it is not because of the low standard set by the previous home minister. I however fail to agree with some of his statements. He mentioned: "There was intelligence on the Osho Ashram and the Chabad house being hard targets. There was adequate security provided and soft targets around were sensitised and asked to take necessary precautions. In this particular incident it is yet to determine the security at German Bakery."

I am not sure if it is justifiable to place the onus of security on private establishments that are soft targets. What do they need to do? Install security scanners, CCTV, armed private guards? How much is needed and how much is overkill? An attempt can be made to counter specific threats but the scope of threats is infinite and it is not possible for every soft target to fortify themselves against all kinds of attacks. I think security should be more collaborative with both the private establishment and the government agencies working together. Security here is security at the last line of defense. Important but not very effective. The real security lies in intelligence gathered much before. Chidambaram said that there was no intelligence failure but the fact that this even happened is a failure to gather specific intelligence.

Once the cat is let out of the bag it is hard to catch it even with a 1000 dogs.

Friday, January 15, 2010

Science and Faith

I recently attended Isha's "Inner Engineering" program and have started thinking about issues that are not proven scientifically but have been stated by the ancient gurus.

Today is a total solar eclipse and we have been advised to not eat food during this period. There is no scientific explanation but from history there have been many facts proven scientifically that corroborate the claims documented in ancient Hindu scriptures. When the ancient scriptures were written there was a lack of explanation as to why a conclusion was reached. Only facts were stated and they could have been through experience or logical deduction. These conclusions might be wrong too. It is also an altogether different issue that these scriptures were misinterpreted or twisted, on occasions, to generate fear and control in a community or these facts were relevant during those times and are inapplicable now. So what is the right course of action to follow when uncertain?

I recently had a discussion with my wife about some people that take the "be safe than sorry" approach. We were initially aghast at how someone with a modern outlook and a scientific mindset could be this way. But would you rather wait another fifty years or more for the scientific community to backtrack and publish new findings/conclusions to realize that you could have lived your life better? Or would you arrive at and follow a common agreement and a course of action that can be generated from science and faith?

I do not know.