Archive for September, 2009

Updates to the Map of Crypto Law.

September 30, 2009

Google Map of International Crypto Law

There have been a few updates to the famous map of crypto laws lately. For those new to the map, or who have forgotten it, I’ve linked the picture above to it.

Feel free to mail me with corrections and additions.


H.R 2221 – The Federal Data Accountability and Trust Act

September 30, 2009

This week I’ve been working my way through H.R 2221 – the “Data Accountability and Trust Act”. This proposed legislation is making its way through the Committee on Energy and Commerce at the moment, and if passed, will rationalize data protection legislation across the USA at a federal level. Read more…

Speaking at Focus 2009, Vegas on October 7th.

September 28, 2009

On October 7th I’ll be chairing a “Birds Of A Feather” session on the use of McAfee encryption products at our 2nd Annual user conference – Focus 2009. This session will be a chance to put me on the “Hot Seat”, and a chance to ask probing questions about McAfee’s current, and future product strategy.

I’ve done a few of these in the past. Some have been very constructive, and have led to wide-ranging product changes based on customer experiences we just didn’t consider; some have been mud-slinging sessions though. I hope we’ll have the former, though I’m quite happy to sit through both.

For those coming to Focus who read this Blog, please feel free to find me and introduce yourselves – I’ll be at the conference answering questions and helping out throughout.

You can contact me via Twitter (CTOGoneWild) – I’ll be monitoring the #focus09 feed throughout the duration, or you can post a comment here.

I’m especially interested in knowing what kind of things you’d like to see discussed during this session, so if you have a question about our products or design strategy, tweet me (or comment) so we can properly answer them on the day.

Think Like A Spy…

September 25, 2009

Recently John Sileo spoke at the Department Of Defense’s Joint Family Readiness Conference on the topic of identity protection and theft. As a two-time victim of identity theft, John is well placed to speak from the heart about the practical, factual, and emotional aspects of this problem, and though I was not able to attend his presentation, the write-up of it is well worth a read.

John advocates a couple of thought processes, the details of which I’ll let you read directly from the transcript, but to summarize, he encourages us all to “Think Like A Spy” – to question the validity of the request for information at every stage, and with every person. Read more…

Elite turns 25, or How I met David Braben

September 24, 2009

This week marks the 25th anniversary of one of the most famous computer games ever published – Elite, by David Braben and Ian Bell.

Released to the world on September 20th, 1984 for the 8-bit BBC Microcomputer, and initially rejected by the software publishers of the time, Elite was picked up by Acornsoft and managed to sell 1,000,000 copies on a whole range of platforms. Written by two guys, without the help of a studio, artists, or project managers, and entirely in assembler, for a machine which had less memory “than most emails”, it stands the test of time as one of the finest examples of how gameplay trumps visual beauty every time.

Read more…

Missouri’s new Data Protection Disclosure Law.

September 21, 2009

Although perhaps unnoticed, a month ago Missouri finally joined that heady club called “States which have Data Privacy Laws”.

On 28th August, the “Missouri Data Breach Notification Law”, or House Bill 62, took effect, not protecting, but at least enforcing care and attention of residents’ personal information (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a resident’s financial accounts). Note I use the word “resident”, because, as with the other 47 or so State laws, this one applies to the Residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Timbuktu, you are still required (under civil and actual damages) to comply. Read more…

Cold Boot Attacks Revisited (again).

September 16, 2009

Following my recent post on FireWire Attacks, I thought I’d follow up on that other classic Full Disk Encryption exploit, the “Cold Boot Attack”.

Back in February 2008 a group of clever Princeton students published their infamous paper “Lest We Remember: Cold Boot Attacks on Encryption Keys”. Though the retention of data in RAM chips has been known since their invention, and certainly since at least 1978, the “Princeton Paper” reminded us that turning a computer off does not mean all the data in memory is instantly gone, and of course, if something important remained, like an encryption key, then your computer security might be vulnerable. Read more…

Speaking at GTC East: The New York Digital Government Summit

September 16, 2009

For those in the Federal space, I’ll be presenting practical data protection measures at GTC New York next week on the 23rd, in Albany. You can find out more about the GTC Conference from their web site, but it promises to be a packed day, with great speakers like Gene Kranz (Former Director, Mission Operations, NASA), Mark Allen (6-Time World Champion, Ironman Triathlon), and of course yours truly.

The conference also has a training track where you can swot up on the latest technologies and methodologies in topics as diverse as applying for grants, Rapid Application Development, and Project Management, to name only three.

Privacy By Design, Madrid 2009

September 15, 2009

Privacy By Design

For those interested in the “big picture” of privacy and technology, I’ll be at the PbD conference in Madrid this year, 2nd November, talking about privacy enabling technologies such as data protection, identity protection etc. You can get details about the conference from the PbD website; it is being run just ahead of this year’s 31st International Conference of Data Protection and Privacy.

Privacy by Design is a concept promoted by Ann Cavoukian, Ph.D, Information & Privacy Commissioner of Ontario, Canada, which aims to promote the idea of systems and processes built with privacy in mind, rather than retrofitted afterwards. I encourage all readers to browse her site, which is quite informative, and gives you perhaps a “bigger picture” view than IT alone.

Firewire Attacks Revisited

September 14, 2009

For those who follow these kinds of things, you’ll remember that back in 2004 an enterprising group of people (Maximilian Dornseif, Michael Becher, and Christian Klein) gave a series of talks on how to bypass many kinds of computer security using the FireWire ports. This attack, though obvious from reading the specification of the FireWire / i.LINK / IEEE 1394 bus, simply used a computer acting as a “rogue” device to read and modify any memory location on a target PC.

Yes, ANY memory location, and that’s quite supported, even required by the FireWire/i.LINK specification, which needs direct memory access for some devices (like iPods) to function.

Enterprising people have written attacks that use this “exploit” to get around encryption products, and locked workstations on Mac, Linux and PC.

Read more…