Francis Turner
May 28th, 2009
The Google IO conference is providing a host of interesting announcements. One that is currently getting a good deal of coverage is “Google Wave”. Of course we have to see what actually shows up, but what it looks like is a bunch of snazzy Web2.0 AJAXy (with added HTML 5!!!) frontends and tools to a wiki. This is not necessarily a bad thing - wikis tend to be somewhat idiosyncratic and also very poor at handling anything other than raw text - but a jazzed up Wiki doesn’t sound quite as revolutionary as perhaps Google would like us to think Wave is.
On the other hand the announcement of SaaS/cloud interoperability between Google and Salesforce.com, which doesn’t sound particularly novel, may in fact be truly revolutionary for the users. By combining the clouds it becomes possible to write applications that use numerous Google tools and utilities (including I suppose Google Wave) and access the business data in Salesforce.com. This sort of integration may end up having a significant effect on the business world at large because it permits even very small companies to have the seamless IT backend that has hitherto required large MIS organizations and has therefore only been possible for large enterprises. Indeed many large organizations have problems integrating customer facing sales and support data/applications with internal ones, so it is possible that this integration may actually tip the balance in favor of smaller, nimbler companies.
The one downside I can see with this integration is that it potentially leads to worse security breaches, because a poorly written Google API app could now expose all the Salesforce.com data to an infiltrator. This, on the other hand, is something that the Wave team seem to have thought about, since Wave will, we are told, not be tied to Google’s servers and can in fact be installed inside the company firewall.
Tags: google, saas, salesforce.com, wave, web2.0
Posted by Francis Turner in Business IT - Security, ICT Tech/Market News, Online Marketing, Web 2.0 at 20:00
Francis Turner
January 16th, 2009
[Image: Firefox3]
A friend of mine who is in the process of renewing his British passport discovered this gem. It seems that sometimes you end up going to http://ips.gov.uk/ and sometimes to http://www.ips.gov.uk/ when dealing with the passport service. If by some mischance you end up at the former address and then want to use a service that requires SSL (such as the application tracker) then you get a warning about an invalid SSL certificate.
I’m highlighting this example because it is current, but it is far from alone. For many sites the www is optional (at Extendance’s sites this is the case too for the most part) and increasingly visitors are not typing the “www”. The DNS will return the same IP address for the two options (with and without www) and the web server is able to provide identical pages. Unfortunately for SSL certificates this is not the case - the www means the two are different hosts and hence they need separate SSL certificates.
There are plenty of workarounds (e.g. automatic redirects, two certificates) so it should be easy to fix. This means it is especially embarrassing for large government departments to not get it right.
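To show exactly why the bare domain and the www host are different names to a browser, here is an added example (not code from the original post) implementing the hostname-matching rule a browser applies to a certificate's dNSName entries: an exact, case-insensitive match, or a wildcard standing for exactly one left-most label. The certificate name lists and the example.com hostnames are constructed; they are not the real ips.gov.uk certificate.

```python
"""Hostname matching against a certificate's dNSName entries.

Added example, not from the original post. The browser's rule (RFC 6125)
is: the host the user typed must match one of the certificate's names
exactly (case-insensitively), or match a wildcard name whose "*" stands
for exactly one left-most label. "www" and the bare domain are therefore
two different hosts, and a certificate for one does not cover the other.
The certificate name lists below are constructed for illustration.
"""


def host_matches_names(hostname: str, san_dns_names: list[str]) -> bool:
    """True if hostname is covered by one of the dNSName entries."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            # A wildcard covers exactly one label: "*.example.com" covers
            # "www.example.com" but not "example.com" or "a.b.example.com".
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def uncovered_hosts(hostnames: list[str], san_dns_names: list[str]) -> list[str]:
    """Hosts a site answers on that the certificate does not cover."""
    return [h for h in hostnames if not host_matches_names(h, san_dns_names)]


# Constructed certificate name lists (not the real ips.gov.uk certificate).
WWW_ONLY_CERT = ["www.example.com"]
BOTH_NAMES_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["*.example.com"]

# The two addresses the post describes visitors landing on.
SITE_HOSTS = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, cert in [("www-only", WWW_ONLY_CERT),
                        ("apex+www", BOTH_NAMES_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        missing = uncovered_hosts(SITE_HOSTS, cert)
        print(f"{label:9s} cert leaves uncovered: {missing or 'none'}")
```

Of the two workarounds the post names, the second list is the "two names" fix (one certificate whose SAN lists both the apex and www), while a redirect fix means sending visitors of the uncovered host to the covered one over plain HTTP before any SSL handshake happens. Note that a wildcard certificate does not help here: it covers www but still leaves the bare domain uncovered.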
Posted by Francis Turner in Business IT - Security at 11:37
Francis Turner
June 7th, 2007
Microsoft has decided to cooperate with the UK company Autonomy in the corporate search/data mining area. As far as I can tell this is the first time that Microsoft has looked at an external company to provide a key part of its product.
Furthermore, as the Register points out, this is a way for Microsoft applications to gain access to data stored in non-Microsoft formats of all sorts, something that has traditionally been a weakness for Microsoft.
What the article doesn’t point out is that this is likely to be positioned as a key differentiator from other appliance types of corporate search tool - ones from companies like Google, for example. It is also, I think, a key validation of the categorization/classification technologies that Autonomy has been pushing for a while now. It seems to me that automatic classification/categorization has been a niche technology for a while, and maybe this will prod it into the mainstream and possibly lead to Google buying a classification company just to catch up. There are plenty of little startups around that will no doubt be only too happy to help the big G….
Posted by Francis Turner in Business IT - Security, Tech News & Comment at 17:38
Francis Turner
May 31st, 2007
I am not sure what it is about computer security and the law, but there seems to be a rule that whenever a government seeks to write a law to specify criminal punishments for certain computer security offences it will end up making a law that criminalizes the actions of people who are trying to fix problems as well. We have already seen this with the DMCA in the USA being used to hobble disclosure of security problems, and in the UK, where taking a URI and modifying the number at the end could be a crime (see the recent MTAS story).
Now we have the Germans bent on proving that anything their Anglo-Saxon cousins can do badly they can do worse. The Register and Ars Technica have the details. From the latter link:
The new rules tighten up the existing sanctions and prohibit any unauthorized user from disabling or circumventing computer security measures to access secure data (see the law, sections 200 and following [in German]). Manufacturing, programming, installing, or spreading software that can circumvent security measures is verboten, which means that some security scanning tools might become illegal.
In other words, if you run a program to check whether a computer is vulnerable (or if you develop such a program) you could be breaking the law. Of course in practice the Germans are unlikely to prosecute someone who runs a port scanner, but as I understand the law, something like Steve Gibson’s Shields Up or his LeakTest would be illegal under a strict reading of it.
I have no doubt that the German authorities are sincere in their claims that this law will not be used to prosecute bona fide security researchers and consultants. However, as we have seen with the DMCA, it is not always clear when a consultant is a white hat or a black hat. Prosecuting someone who discovers an embarrassing security breach is one way of directing attention away from the breach itself, and this law appears to make such a strategy easy to implement in Germany.
Posted by Francis Turner in Business IT - Security, Tech News & Comment at 15:56
Francis Turner
May 23rd, 2007
The Register and Bruce Schneier both comment on a recent announcement from the EPFL in Lausanne that a joint team from the EPFL, the University of Bonn and NTT in Japan have managed to factor a 307 digit (decimal) number - a number about the size of the numbers used in 1024 bit RSA encryption. The number factored was a “special” one in that it was of the form 2^n - 1, so it is not one that would actually be used for encryption. However, as the lead researcher explains, while this is not a sign that anyone can factor an arbitrary 1024 bit number today, it is most definitely a sign that the writing is on the wall for 1024 bit keys: the progression from factoring special numbers using specially gathered CPU resources to factoring arbitrary ones of a similar size using more easily obtainable CPU clusters is well known. It seems likely that by 2010 the 1024 bit RSA key will be considered insecure.
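To put a number on the "special versus arbitrary" distinction the post leans on, here is an added example (not code from the original post or the research team). It checks whether a number has the special shape 2^n - 1, converts the 1024-bit key size to decimal digits, and compares the standard heuristic running-time estimates of the Special and General Number Field Sieve, L_N[1/3, c] = exp(c (ln N)^(1/3) (ln ln N)^(2/3)) with c = (32/9)^(1/3) for SNFS and c = (64/9)^(1/3) for GNFS. The o(1) terms are dropped, so the outputs are orders of magnitude, not predictions; the 2^127 - 1 sample input is a well-known Mersenne prime chosen only to show the shape test.

```python
"""How much harder is a general 1024-bit number than a special one?

Added example, not from the original post. Compares the heuristic
running times of the Special and General Number Field Sieve,
L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)), ignoring o(1)
terms, so treat the results as orders of magnitude only.
"""
import math

SNFS_C = (32 / 9) ** (1 / 3)  # ~1.526, numbers of special form such as 2^n - 1
GNFS_C = (64 / 9) ** (1 / 3)  # ~1.923, arbitrary numbers such as RSA moduli


def mersenne_exponent(n: int):
    """Return k if n == 2**k - 1 (all ones in binary), else None."""
    if n <= 0 or (n & (n + 1)) != 0:
        return None
    return n.bit_length()


def decimal_digits_of_bits(bits: int) -> int:
    """Decimal digits of 2**bits; a `bits`-bit modulus has this many or one fewer."""
    return int(bits * math.log10(2)) + 1


def nfs_work_log2(bits: int, c: float) -> float:
    """log2 of the heuristic NFS running time for a `bits`-bit number (bits >= 3)."""
    ln_n = bits * math.log(2)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def general_bits_with_same_work(special_bits: int) -> int:
    """Size of an arbitrary number whose GNFS cost matches SNFS on special_bits.

    Bisection on nfs_work_log2(b, GNFS_C), which grows monotonically in b.
    The lower bound of 16 bits keeps ln ln N positive.
    """
    target = nfs_work_log2(special_bits, SNFS_C)
    lo, hi = 16, max(special_bits, 17)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if nfs_work_log2(mid, GNFS_C) < target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    m127 = 2**127 - 1  # Mersenne prime, the 2^n - 1 shape
    print("2^127-1 has special form, n =", mersenne_exponent(m127))
    print("2^127+1 has special form?", mersenne_exponent(m127 + 2))
    print("2^1024 has", decimal_digits_of_bits(1024), "decimal digits")
    print(f"SNFS on a 1024-bit special number: about 2^{nfs_work_log2(1024, SNFS_C):.1f}")
    print(f"GNFS on a 1024-bit general number: about 2^{nfs_work_log2(1024, GNFS_C):.1f}")
    print("a 1024-bit special number costs about as much as a general number of",
          general_bits_with_same_work(1024), "bits")
```

The estimates show roughly an 18-bit (a few hundred thousand fold) gap between the special and general cases at 1024 bits, and that the special 1024-bit factorization costs about as much as a general number of around 600 bits. That is the reason the researcher's caveat matters: the result is a milestone, not a break of 1024-bit RSA.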
Posted by Francis Turner in Business IT - Security, Tech News & Comment, Technology Analysis & Predictions at 02:15
Francis Turner
April 27th, 2007
InfoSecurity is an interesting show because it is such a combination of products. One has everything from high-end hardware box makers (e.g. the Bivio 10G deep packet inspection device) to anti-virus or anti-spyware products for home users.
One trend that did seem obvious is that people are moving away from the idea of protecting the network as a whole towards protecting sensitive servers or other devices on the network. While this is not totally true - there were vendors such as Airtight Networks who try to eliminate WiFi networks from sensitive areas - the most common buzzword seemed to be NAC (Network Access Control), with numerous vendors offering different plays on this topic. Of course what is said at the show about NAC and what is actually deployed may be two different things; NAC solutions that have vulnerabilities can lead to really nasty security holes, as Network World reports.
Another area of interest to me at least with my data comm background was the various approaches to encryption of data at wire level. Companies such as Infoguard and Insta were offering various low level encryption techniques and there were of course companies offering a variety of VPN and SSL encryption services to allow nomadic workers and partners access to sensitive information. Given the current UK scandal about medical records, one suspects that, like NACs, these secure access methods are going to be misapplied widely.
Indeed there were a couple of companies offering security audits and “ethical hacking” services - something which sounds like an excellent idea given that ever more sensitive personal data is being stored on computers that are accessible to anyone with an internet connection.
Posted by Francis Turner in Business IT - Security, Tech News & Comment at 17:59
Francis Turner
February 27th, 2007
According to a thread today in the Skype Windows Forum, Skype users (and that includes me) have been receiving bogus Skype chat messages which ask users to click on a link. If you do so you apparently get a rootkit which is only recognized by the very latest anti-virus software versions.
In my case the chat message allegedly came from a friend and had a vaguely plausible subject; however, it was clearly not genuine, because the link was odd and because the user immediately left the chat session after sending the link. An example that I received this morning is:
[10:05:37] XXXX says:
Check up this:
http://24243.psadionkderunhdetionkdase.com/7/7849
[10:05:40] XXXX left this chat
Needless to say you should not even think about following the link which downloads either an .exe or .pif file that presumably includes the rootkit.
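The two tells the post describes, an odd-looking link and a sender who leaves the chat seconds after posting it, can be turned into detection logic. The following is an added example, not code from the original post or from Skype: it parses chat-export lines in the "[HH:MM:SS] Name says:" / "[HH:MM:SS] Name left this chat" shape shown above and raises an alert on link-bearing messages that show those signs. The chat log is constructed and its hostnames use the reserved .example TLD; the 10-second window and the 20-character label threshold are assumptions, not values from the post.

```python
"""Flag the "post a link, then leave" chat pattern described above.

Added example, not from the original post. Parses Skype-style export
lines ("[HH:MM:SS] Name says:" followed by body lines, and
"[HH:MM:SS] Name left this chat") and alerts on a link-bearing message
when the sender leaves within seconds, the hostname has numeric or
unusually long labels, or the path is purely numeric.
"""
import re
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] (?P<who>.+?) (?P<event>says:|left this chat)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)?", re.IGNORECASE)

# Constructed log: one hit-and-run link, one normal exchange. Hosts use
# the reserved .example TLD; nothing here is a real address.
CHAT_LOG = """\
[10:05:37] alice says:
Check up this:
http://24243.kdertionhdasunkdetionrase.example/7/7849
[10:05:40] alice left this chat
[10:12:02] bob says:
Lunch at 1? Menu is at http://intranet.example/menu
[10:15:45] bob says:
see you there
"""


def parse_chat(text: str) -> list[dict]:
    """Turn the export into ordered events: {"kind", "time", "who", "body"}."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S")
            kind = "msg" if m["event"] == "says:" else "left"
            current = {"kind": kind, "time": t, "who": m["who"], "body": []}
            events.append(current)
            if kind == "left":
                current = None
        elif current is not None:
            current["body"].append(line)  # continuation line of the last message
    return events


def url_reasons(host: str, path: str) -> list[str]:
    """Static oddities of the link itself (thresholds are assumptions)."""
    reasons = []
    labels = host.lower().split(".")
    if labels[0].isdigit():
        reasons.append("numeric left-most host label")
    if any(len(lab) >= 20 for lab in labels[:-1]):
        reasons.append("unusually long host label")
    if re.fullmatch(r"(/\d+)+/?", path):
        reasons.append("numeric-only path")
    return reasons


def flag_messages(events: list[dict],
                  window: timedelta = timedelta(seconds=10)) -> list[dict]:
    """Alert on link-bearing messages that look like the reported lure."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "msg":
            continue
        for m in URL_RE.finditer("\n".join(ev["body"])):
            reasons = url_reasons(m["host"], m["path"] or "")
            # Behavioural signal: the same sender's next action is leaving
            # the chat within `window` of posting the link.
            for later in events[i + 1:]:
                if later["who"] != ev["who"]:
                    continue
                if later["kind"] == "left" and later["time"] - ev["time"] <= window:
                    secs = int((later["time"] - ev["time"]).total_seconds())
                    reasons.append(f"sender left chat {secs}s after posting link")
                break
            if reasons:
                alerts.append({"who": ev["who"], "url": m.group(0), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_messages(parse_chat(CHAT_LOG)):
        print(alert["who"], alert["url"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed log only alice's message is flagged, with all four reasons; bob's intranet link has an ordinary hostname and path and he stays in the chat, so it passes. The behavioural signal is the one worth weighting most: a contact who genuinely wants you to look at something rarely drops offline three seconds later.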
Posted by Francis Turner in Business IT - Security at 22:20