Wednesday, April 30, 2008

On the Internet, no one knows you're a (dyslexic dead) dog

The expression "on the Internet, no one knows you're a dog" has become a cliche. But now, we see that in reality, on the Internet, no one knows you're a dyslexic dead dog!

What do I mean by that?

There have been a number of messages floating around about the death of a hacker known as rgod. But someone who claims to be rgod says "Thank you for your kind words. I am pleased to inform you that I am not dead. I have been the subject of a horrendous and difficult joke. Some hackers unknown to me have compromised my web server and email accounts making it impossible for me to access my site. They are falsely stating that I have died. Please ignore this statement until my services can be fixed."

So how do you prove, as someone who's known by a pseudonym, that you're not dead?

[Added 30Apr08: It appears that in fact rgod may be dead, but it's hard to tell for sure. One Bugtraq posting noted "But, if isn't dead, why he use a computer based translator to translate, from English, something that he can write in correct Italian? I'm Italian and I guarantee that is not Italian", to which another responded "Yes, someone else told me already in private that the 'I'm not dead site' was a hoax. I did not know rgod and I don't know if he's dead or not - I just wanted Bugtraq to know, that there's something else going on here - without taking sides. The decision which website to trust (or, more generally, (how) to trust online information at all) is left to the Bugtraq readers." [emphasis added]. I won't continue to update this posting, as I think the current uncertainty adequately summarizes the problem!]

Tuesday, April 15, 2008

Nabatean security

Raise your hand if you know who the Nabateans were. OK, now that we've established that, the Nabateans were an ancient people who lived in much of what's now Jordan, Israel, and Saudi Arabia. (I'm no expert, but the article on Wikipedia seems pretty good.)

So what do the Nabateans have to do with security? Separation of duties, security by obscurity, and perimeter security. Let me explain. I spent last week in Israel, mostly visiting family, but also doing some sightseeing. And like any security engineer with a "security mindset", I thought about security as I saw some of the ancient sites.

As I learned in my visit to Avdat, there was an ancient route for transporting spices and perfumes from what is now Yemen to Greece. The perfume makers kept their technology a secret, but needed to get the product to market. The Nabateans knew how to cross the desert safely, which the perfume makers didn't know. But the Nabateans didn't know how to safely cross the Mediterranean, which the Greeks knew. So each group had its role, with strongly enforced separation of duties. (Nabateans would be killed for drinking alcohol, which I presume was a method of ensuring that they didn't spill the beans.)

So how did the Nabateans cross the desert safely? First, they established cisterns to hold the water, since oases aren't entirely reliable. They camouflaged them, so they wouldn't be found by other desert wanderers. Second, they marked their route using a series of large stones, but again they were set up in such a way that they could only be followed by one who knew the secret to interpretation. In other words, security by obscurity.

And perimeter security? The Nabateans got fabulously wealthy through the perfume and spice trade, and eventually built the city of Petra (in modern Jordan). Petra is unusual in several respects. The "buildings" weren't actually buildings, but rather elaborate caves carved into the rock walls. But for purposes of this discussion, the important thing is that Petra is in a very narrow valley with high walls. The only way to attack the city was by coming in at one narrow entrance to the valley, which could be defended relatively easily: a simple perimeter defense, which is what a firewall is (incorrectly) believed to provide today.

[For those considering visiting Avdat and/or Petra, I highly recommend doing it in the spring or fall - the summertime is far too hot to make these comfortable vacation destinations!]