When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move. 

Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Steps are now being taken, rather faster since Dan Kaminsky came up with a really effective DNS poisoning attack, to secure DNS by using DNSSEC.

The basic idea of DNSSEC is that when you get an answer from the DNS it will be signed by someone you trust. At some point the “trust anchor” for the system will be “.” the DNS root, but for the moment there’s just a handful of “trust anchors” one level down from that. One such anchor is the “.se” country code domain for Sweden. Additionally, Brazil (.br), Puerto Rico (.pr), and Bulgaria (.bg) have signed their zones, but that’s about it for today.

So, wishing to get some experience with the brave new world of DNSSEC, I decided that Sweden was the “in” place to be, and to purchase “cloudba.se” and roll out my first DNSSEC signed domain.

The purchase wasn’t as easy as it might have been — when you buy a domain, Sweden insists that people provide their identity numbers (albeit they have absolutely no way of checking if you’re telling the truth) — or if a company they want a VAT or registration number (which are checkable, albeit I suspect they didn’t bother). I also found that they don’t like spaces in the VAT number — which held things up for a while!

However, eventually they sent me a PGP signed email to tell me I was now the proud owner of “cloudba.se”. Unfortunately, this email wasn’t in RFC3156 PGP/MIME format (or any other format that my usually pretty capable email client understood).

The email was signed with key 0xF440EE9B which was reassuring because the .se registry gives the fingerprint for this key on their website here. Rather less reassuringly footnote (*) next to the fingerprint says “.SE signature for outgoing e-mail. (**) June 1 through August 31.” (the (**) is for a second level of footnote, which is absent — and of course it is now September).

They also enable you to fetch the key through a link on this page to their “PGP nyckel-ID” at http://subkeys.pgp.net.

Unfortunately, fetching the key shows that the signature on the email is invalid.

Since the email seems to have originated in the Windows world, but was signed on a Linux box (giving it a mixture of 0D 0A and 0A line endings), then pushed through a three year old copy of MIME-tools I suppose the failure isn’t too surprising. But strictly the invalid signature means that I shouldn’t trust the email’s contents at all — because the contents have definitely been tampered with since the signature was applied.

Since the point of the email was to get me to login for the first time to the registry website and set my password to control the domain, this is a little unfortunate.

Even if the signature had been correct, then should I trust the PGP key?

Well it is pointed to from the registry website which is a Good Thing. However, they do themselves no favours by referencing a version on the public key servers. I checked who had signed the key (which is an alternative way of trusting its provenance — since the email had arrived to a non-DNSSEC secured domain). Turned out there was no-one I knew, and of 4 individual signatures, 2 were from expired keys. The other signature was the IIS root key — which sounds promising. That has 8 signatures, once again not people I know — but only 1 from a non-expired key, so perhaps I can get to know some of the other 7?

Of course, anyone can sign a key on a public key server, so perhaps it makes sense for .se to suggest that people fetch a key with as many signatures as possible — there’s more chance of it being signed by someone they know. Anyway, I have now added my own signature, using an email address at my nice shiny new domain. However, it is possible that I may not have increased the level of trust

When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.

Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pet’s name online but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He details this on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

1. Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
2. Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
3. Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.

OnAir has so far tested their calling/texting-only service on two aircraft--one operated by Air France, one by TAP Portugal--even though RyanAir announced plans that its planes would started being unwired with the service by late 2007. Still no word on that fleet progress.

Qantas will apparently launch cached Web browsing and limited Web email (probably through a proxy) along with instant messaging, with full Internet service coming "later in 2009." This is clearly due to a lack of satellite coverage that was just remediated a few weeks ago (see below). The first plane with limited service, a new A380, should be in flight 20-October-2008.

The Morning Herald seems to overstate the importance and scope of a complaint filed by the union representing American Airlines' flight attendants. The detailed coverage in the U.S. had more to do with the potential for issues, and likely attendants lack of interest in policing yet another media on the plane. Filtering doesn't work, the attendants probably already know, and this may just be a negotiating point with the airline.

On why Qantas is waiting until late 2009? This requires unwinding how OnAir gets its signal.

Aeromobile and OnAir both rely on Inmarsat satellites for their service. Both companies had several years ago staked their futures on the fourth-generation network Inmarsat was to inaugurate with three satellites that would use beamforming to allow precise delivery of nearly 500 Kbps per receiver, with hundreds or thousands of regions being able to be targeted from a single satellite. Inmarsat's third-gen network--don't confuse this with 3G cellular ground-based networks--can deliver about 64 Kbps per channel.

Now, unfortunately, Inmarsat was three years late on launching its trans-Pacific bird. While the company claims 85 percent coverage of the earth and 98 percent coverage of population, there's a big gap over the Pacific that also prevents them from having good overlap between the U.S. and Japan/China/Korea, as well as the southern Pacific, covering Australia. Since the biggest market for long-haul flights would likely be Australia, Japan, and China, traveling trans-Pacific or trans-hemispheric routes, that gap is rather large.

Aeromobile opted to build out a service, deployed only by Emirates airline as far as I can tell, that uses the 3G service since it was available, and most necessary equipment is already installed on most over-water planes. OnAir was waiting for 4G, which has necessitated a long wait, but allowed them to launch in Europe with a seemingly next-generation service. Given that OnAir is controlled by an airline-owned integration firm, SITA, and by Airbus, they're not going anywhere.

Inmarsat finally lofted its third satellite on Baikonur Cosmodrome in Kazakhstan on 19-August-2008, and the launch and separation was reported as successful. Previously, the company has needed up to a year to verify and deploy its 4G satellites. (You can read extremely close coverage of the launch at a Web site devoted to space enthusiasm.)

However, the dirty little secret about Inmarsat's BGAN is that it costs a fortune to heft bandwidth across it. Thus, in-flight broadband over BGAN, if it's ever available, is going to be changed on an extremely high per-MB rate. None of the providers want to say this. This is in contrast to Row 44 (and, once, Connexion by Boeing), which relies on leased Ku-band transponders where they can fix costs and they require high volumes to keep per-bit costs efffectively low.

OnAir's launch of calling on Air France's service involves paying a few euros per minute for calls, which might help you understand what data costs could ultimately run.