Saturday, October 31, 2009

Reaction to my blog posts on passwords from Government Computer News

"...Mushegh Hakhinian, security architect at IntraLinks, pointed out in a recent blog posting that a pass phrase that contains 16 letters — all lower case with no numerals or special characters — can provide in the neighborhood of 10 million more possible combinations than an eight-character complex password that uses upper and lower case, numerals and other characters..." Full article by William Jackson here

My article on ebizQ: SaaS-Based IRM Solutions to Secure the Enterprise

Data leaks are one of the chief threats facing enterprise IT managers today. Information Rights Management (IRM) technologies are designed to protect the enterprise by reducing or eliminating the risk of accidental leaks. Read the full article here

My article special to the Cloud a Better Place for Our Data?

Data loss is an all too common theme in the news these days. The recent Sidekick outage, however, stands out for several reasons, but most importantly because the data loss affected both customer contact information and customers' files such as images and schedules. Let's put aside who is at fault in this particular situation and whether cloud computing introduces data loss risks, which ultimately became the focus of this controversy, and instead look at this from a consumer's point of view. Full article here

Saturday, July 4, 2009

What is it with encryption?

"In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events..."

No, this is not a citation from the Declaration of Independence, though it is close and would be appropriate today. This is the encrypted message that Robert Patterson, a mathematics professor at the University of Pennsylvania, sent to President Jefferson over 200 years ago. It was cracked recently by Lawren M. Smithline of the Center for Communications Research in Princeton, N.J., a division of the Institute for Defense Analyses (see

The story in WSJ online ( was the last push to write this post. As the 'security guy' who answers countless compliance questionnaires about the details of encryption implementation in applications, it has always bothered me why it is so difficult for software engineers to implement cryptography correctly. Why does almost nobody bother to use initialization vectors? How come developers rarely go beyond copy/paste of the first sample code they come across? Virtually no research, and complete disregard of key management. I have my theory now. Cryptography is a fusion of science, engineering and business. Typically, people get the science (the algorithm, as in AES or SHA) and the engineering part, and completely miss the key management. Maybe that is because a key management system is a business application, some might argue a mission-critical one, that is difficult to implement if none is available. Maybe the reason is not allowing enough time for proper research and design.
Even when implementing encryption in an application for the first time, though, there is no justification for not reading up on the subject.
In any case, I have seen just one application so far that has gotten it right without using HSMs (hardware security modules, used to secure encryption keys).
Cryptography used to be treated with more respect in the past, be it some 200 years ago or 20. James Sanborn erected the Kryptos sculpture, at CIA headquarters of all places, and nobody has solved the fourth and last part of the cryptic message contained in it (see A sculptor had enough foresight to create a message that even the CIA was not able to decipher for 20 years! Maybe this will get engineers' attention.
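To make the initialization vector point concrete, here is an added example (written for this page, not code from the post or from any product mentioned in it): the copy/paste fixed-IV pattern beside the corrected per-message random IV, plus the simple review check that tells them apart. The key and plaintext used in the check are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// cbcEncrypt runs AES-CBC under iv and returns iv || ciphertext. The key is caller-supplied:
// in a real system it comes from a key manager or HSM, never from a literal in the source.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding so the plaintext fills whole AES blocks.
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}
// EncryptFixedIV is the copy/paste anti-pattern: every message reuses an all-zero
// IV, so equal plaintexts give equal ciphertexts and shared prefixes show through.
func EncryptFixedIV(key, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, make([]byte, aes.BlockSize), plaintext)
}
// EncryptRandomIV draws a fresh IV from the OS CSPRNG for every message, which is
// what CBC needs for the same plaintext to encrypt differently each time.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return cbcEncrypt(key, iv, plaintext)
}
// LeaksEquality is the review check: encrypt the same plaintext twice with enc and
// report whether the ciphertexts match. True means the IV is being reused.
func LeaksEquality(enc func(key, pt []byte) ([]byte, error), key, pt []byte) (bool, error) {
	a, errA := enc(key, pt)
	b, errB := enc(key, pt)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("encryption failed: %v, %v", errA, errB)
	}
	return bytes.Equal(a, b), nil
}
```

Run the check against any wrapper that claims to encrypt: if two encryptions of the same input come back byte-identical, the IV is not doing its job.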

Tuesday, June 9, 2009