Best practice on password management

April 29, 2006

This morning I read a good essay named "Security Myths and Passwords" by Prof. Eugene Spafford. Prof. Eugene told us his doubt on  those  best practices on password management policy, like "monthyly change", based on the interesting origin of this "best practice".

The defects and even failures in most of enterprise security defense systems can be root caused into problems in "security execution", ie. the discrepancy between the policy and the real environment. The security manager just book those best practices into their "policy", while not considering their staff, their skills, the data to protect, the threats to contain/mitigate…


Will Net Neutrality come again?

April 29, 2006

See comment at Register, named "Net Neutrality bid gone for good" by Andrew.  A bunch of Internet giants expressed their discontent to Net Neutrality, for its mistiness and injustice. Andrew is hoping a "more coherent and professional fashion", and even "with better branding". The key point in my brain, for its possible recoming, is the benefit balance between transmission network (typically those tradional telcos) operators and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster".  

See the story by Andrew…. Read the rest of this entry »

Instant Rails 1.3

April 25, 2006

Rails is an outstanding rapid web-application development framework. It help by far simplify the time and prerequisite to web riders. Now you even have a quick gun to accelerate the installation and usage of Rails. That's Instant Rails. The below is the release information for its latest release 1.3. Read the rest of this entry »

SMA, VoIP and Identity

April 25, 2006

There was an interesting description on SMA (Secure Mobile Architecture) by another Richard from Boeing :). SMA is expected to address security issues in VoIP and identity for those enterprise networks with some sample implementation inside Boeing

There have to be some fundamental changes in the way the Internet operates. One way is through a framework and architecture called the Secure Mobile Architecture (SMA). This architecture is published by The Open Group and is available at the following URL: The architecture addresses many of the issues you have been talking about. Until we actually address the issues of basing security on the MAC and IP addresses, all of your approaches will not address the basic problem.

I have an example of the issues hiding our heads in the sand can lead to. I have been a member of IEEE 802.11 since about 1995. Boeing got involved in 802.11 because of the potential solutions 802.11 provided for both Internet access onboard airplanes and for the mobile enterprise communications. So I got involved early in the security provided for the Wireless LANs. The initial group of 802.11 standards developers felt, as I did, that the WEP was sufficient (good enough) to get the standard rolling. It wasn't! The work around was VPNs for any wireless connections, but it definitely slowed and inhibited the growth of WLANs. It took six years to provide a WEP replacement that was cryptographically secure.

If IEEE 802.11i is any example, the VOIP growth and viability is inexorably tied to how secure our telephone calls are. I have always been incredulous that we never cared very much how vulnerable our telephone conversations are. The wire makes us seem less vulnerable, but in fact, backbone communications links are sometimes over major microwave links. Many of the Fortune 500 contractually stipulate that none of their business communications are sent over microwave links. In addition to the microwave links, we have wholly trusted our telephony companies to protect us and they have done quite a good job in that most of the connections are in central offices that have not been broken into. This is all changing now and this mailing list is at the forefront of the discussion. What do we do about voice security now that our telephone conversations are riding over the Internet and have all the Internet vulnerabilities of viruses, MAC address spoofing, IP address spoofing, replay, spamming, etc?

In the big picture, end-to-end secure sessions with cryptographically based mechanisms to identify people and machines are the only way to assure secure VOIP communications. In our work with the Secure Mobile Architecture (SMA), we have been exposed to all the regulatory requirements for privacy and legality. These requirements include Sorbannes-Oxley, HIPPA, and many others. They are quite extensive and demanding, especially of privacy and protection from exposure on the Internet. Without addressing the requirement of an end-to-end cryptographically secure infrastructure, we are not addressing the problem and those of us responsible for unleashing VOIP on the world have a responsibility to address this problem in a big picture way.

The core of the problem comes from the relationship of security and identity. When I first heard and participated in discussions on identity management, I was very skeptical that this was a required discipline at all. In fact, I still think that identity management is not the right term for what we need to address in Internet VOIP and WLAN infrastructure contexts. We do not need to manage the identities. In reality, the people, organizations, and enterprises need to be assured that their identities are protected when they use the Internet. So, the identity of a person or machine must be protected in a business context or in an individual context. By the way, this identity of a machine is an imperative one to address. We are still not doing a good job of identifying a computer or intelligent machine's identity. In fact, as VOIP gets more integrated into the business processes and telephony becomes more versatile and VOIP applications are used for event notification, the validity of such processes is dependent on getting the cryptographically validated sources of the VOIP information you get.

The architecture The Open Group developed called the Secure Mobile Architecture (SMA) deals with these issues through the use of four elements (Boeing deployment); 1. Public Key Infrastructure (PKI) access, 2. use of the Host Identity Protocol (HIP), 3. a Network Directory Service (NDS), and 4. use of a Location Enabled Network Service (LENS). I will treat each of these and their relationship to VOIP and VOIP security in the following four paragraphs. Read the rest of this entry »

Novell Acquires e-Security

April 21, 2006

On April 19, 2006 Novell announced the acquisition of e-Security, Inc. for $72 M USD. e-Security is a small private company focus on security information and event management. As you know from my "SOC in China", it's the first SOC product implemented at China, introduced by iS-One. It becomes the prey of Novell, which was famous for its netware and Unix and now for its directory. Both of them are struggling to make a life under the competition from those big management software vendors. 

It's an important event at SOC/SIM market, after the acquisition of neuSecure by Micromuse and then  by IBM finally.   

Will RSS steal away your page view?

April 21, 2006

When we had dinner for CCClub Beijing gathering yesterday evevning, I suggest Billy adding RSS feed to the web site. Billy told me his thinking that RSS might steal away much pageview of the website and thus lower the readers' stickiness.  I don't think so.

When you prepare to roll out your RSS feed, you must be thinking those feed readers might won't click to the "original page", so that your page view will be eroding.  It seems to be a reasonable thinking. But my first question is why you run your web site?  second question is why so many web sites are hurrying to advertise their RSS feed?

If some of your RSS items always won't bring your subscribers to further clicking, there might be two reasons: your content is just not absorbing enough, and the content is just enough at that moment. For the first case, of course it's not the fault of readers. You need to better your content or they are not your reader objectives, ie. wrong subscription without hurt to both parties.  For the second case, you have succeed in getting to your goal : to broadcast your message, why not further waste your bandwidth and adding server load.  You lose nothing but those sterile pageviews.

Rather, RSS might bring something good that you overlook. RSS feed by far ease the accessibility and readibility. As a result, your message will reach more desktops than just staying at your web site.
Buddy, just go RSS. It won't steal your page view and erode your reader stickiness at all. It will do good.

My tag cloud

April 21, 2006

.flickr-photo { }
.flickr-frame { float: right; text-align: center; margin-left: 15px; margin-bottom: 15px; }
.flickr-caption { font-size: 0.8em; margin-top: 0px; }


originally uploaded by Richard Zhao.

When I was participating CNNOG 3 conference, I wrote down my tag cloud as the diagram, where you might find so tremendous scope you have to have a peek to catch up with the earth rolling.