Miscellaneous

SHA1 Broken

According to a number of places, but primarily Bruce Schneier, SHA-1 has been broken by a team of researchers in China. It's not time to panic if you're using it, but it is time to start thinking about a replacement.

Schneier notes that hashing isn't very well understood. Encryption, he notes, is much better understood and therefore more secure. Unlike RSA's SecurID and other token-based two-factor authentication systems, WiKID uses asymmetric cryptography in our WiKID Strong Authentication System.

It seems as though researchers are improving their ability to break hashing systems. Scott Contini and Yiqun Lisa Yin published a paper on Fast Software-Based Attacks on SecurID.

While their research isn't a smoking gun, they make a solid case for not recycling your tokens, which is frequently done.

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/9/tbping

What's the opposite of a 'moral hazard'?

According to a recent study by researchers from my alma mater, the University of Virginia, the use of cameras to fine motorists who run red lights actually increases the number of accidents at those intersections. There are fewer T-bone collisions, but more rear-end collisions.

However, a federal study dug deeper and found that the red light cameras saved money - $28,000 to $50,000 annually for each intersection - because the collisions were less expensive. I would rather get rear-ended any day of the week, so I concur.

Perhaps there is another option: don't tell the motorists that the cameras are there. They would know that the city has them, but not necessarily which intersection. Perhaps a city could buy a limited number of movable cameras. This would minimize the "immoral hazard" or whatever you would call the opposite of a moral hazard.

Full article at the Washington Post

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/13/tbping

Economist buys alumni CD online

Economist spends $1 for public good

I picked it up for $1 just to see what information would be included. Lo and behold, it has name, spouse, kids, address, telephone, job description, work address, e-mail, degree earned, and when. I assume that the folks listed gave permission for them to be included, but I wonder if they thought the CD-ROM directory would be sold to a used bookstore and end up on the clearance shelf where anybody could walk away with it for a buck. I am sure that a good identity thief wouldn't need a $1 CD-ROM to get the information. However, the directory does have 13,290 entries, so the cost per name/address would be pretty cheap.

By posting this to my blog, where hopefully it will get picked up and seen by others, I have added some incremental value to his $1. Without a hammer.

Of course, it may do harm to alumni associations and other non-profits that rely on directories for fund raising efforts. Perhaps they will keep them on paper.

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/33/tbping

The open source security debate

There's been plenty of debate over whether open source software is more or less secure than proprietary software, and it now seems to have mostly died down as people realize that "it depends" is the correct answer. The OSS camp points to Apache and other packages, and the proprietary camp points out the vast improvement in IIS.

I read a recent editorial on esecurityplanet.com that made me think more about why "it depends".

Sure enough, OSS source code is available for all the world to scrutinize. The problem, though, is that all the world doesn't do that. Take, for example, the ill-fated Sardonix project. It was a DARPA-funded project to provide a public forum for vetting OSS software and making the results available to the world. But 'build it and they will come' wasn't quite what happened. The project languished due to lack of interest and it was eventually scrapped.

Making source code available to the world does little, if anything at all, to advance the security of the software.

I think this is a poor analogy, IMO. The main reason why open source software can be considered secure is that it gets deployed and tested. I don't know anyone who has looked at the actual iptables code, but I know lots of people who will vouch that it's a great, secure firewall for lots of situations. They will do so because they have been running it and testing it for a long time and watching it get better over time.

People can say the same thing about IIS, that it has gotten much more secure. The key difference is in the economics of it. If you take snort as an example, it has a great reputation in the open source world because a large number of users - for the most part highly sophisticated technicians - used it for free and provided feedback to Martin Roesch, who was able to improve the product. He then went on to found Sourcefire to offer support services and add-ons.

What would the cost of that testing have been if it was proprietary software? It's very hard to say, but think of it this way: 5 highly qualified QA testers, plus hardware, rent, benefits etc., I would estimate at $100,000 per year each. I'm guessing that snort was out for at least 1 year before Sourcefire was founded, so that's $500,000 for product testing alone. Now add your cost of capital (assuming you can get it at all without a product, deployments and customers) at the standard VC rate of 50% per year and you're at $750,000.

That's a big savings. It's valuable feedback from the best set of testers you could want. The users benefit from the use of the software. I look at it as price discrimination - or yield management. The developer is capturing the value of the feedback and testing in exchange for free software. There is a potential problem with free riders, but overall that is minimal, as the main target market will pay for support and/or add-ons if the product justifies it. It's not truly price discrimination because paying customers are paying for something else, but you get the picture.

If you need proof that the open source business model provides economic benefits, consider that the CEO of a prominent Atlanta-based OSS company has two nannies.

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/56/tbping

More on targeted phishing attacks

A nice round-up of articles over at Infoworld, which links to a Washington Post article on virtual credit cards.

There are a lot of questions about the value of virtual credit cards. While consumers are limited to a $50 liability, the likelihood of that event has increased - or perhaps the awareness of that likelihood has increased. Also, I agree that attackers are combining stolen information to commit full-blown identity theft, so the less info "out there" the better. I wonder if there is a privacy benefit as well.

Still, despite a background in the payments and security space and a credit card account at one of the companies that offers the single-use numbers, I haven't signed up. Why not? It's not all that scary to me. I don't like that credit card company. I expect that my bank will switch providers now that MBNA has been acquired by a competitor. I like the miles from AmEx, but AmEx dropped their program.

What is interesting is that second-tier internet ecommerce players haven't promoted it in conjunction with the issuers. People have more (though perhaps misplaced) confidence in the security of a large internet player like Amazon than in BobsElectronics.com. Couldn't Bob get more business if he relied on the security of the larger players like Citi and MBNA? Perhaps Bob doesn't want the buyers to be confused just when they are ready to purchase.

Seems like a good opportunity for a consortium of smaller ecommerce players. They face a drop in revenues due to fear of card fraud. They have a different agenda from the processors, credit card companies and large ecommerce players.

Eating your own dog food - or drinking your own pee

Being an entrepreneur means wearing a lot of hats. Start-ups should always 'eat their own dog food'. Dean Kamen has taken it to the next level: he's drinking his own urine.

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/77/tbping

Quoted in Bloomberg - and some wireless ranting

I have a rather meaningless quote in a nice summation on Bloomberg about the RIM/NTP fracas.

To me, the real problem that RIM faces is a lack of third-party development support. It's ironic that the Palm could have such good third-party support and a great ISV program, but never get email down the way RIM has. Why is that? Did the existence of the Palm standard email limit the demand for other solutions? There were 3rd-party mail applications, but they still weren't as good as RIM's. Could the device/OS not handle it?

It will be interesting to see how J2ME vs. BREW will pan out as well. J2ME is definitely a much more open platform. Now that AT&T and Cingular have merged, will they compete against Verizon for enterprise customers?

We have always thought that the cell phone would make a great multi-purpose tool, especially for two-factor authentication. What we have found, however, is that the carriers and device manufacturers either do not understand the need or they are justifiably targeting consumer markets with products like ringtones and games.

Perhaps now that authentication is a consumer play, the carriers will take notice?

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/80/tbping

Now that's honesty

Burnham's Beat reports Q4 Earnings:
Silicon Valley, CA – (BLOGNESS WIRE) – Jan. 11, 2005

Burnham’s Beat today reported record results for its fourth quarter ended December 31, 2005. Revenues for Q4 2005 were $168.64 up 176% compared to $61.08 in Q4 2004 and up 27.3% sequentially vs. Q3 2005. Earnings before expenses, which management believes are the most cynical results we can think of, were also up 176%.

Commenting on the results, Bill Burnham, Chief Blogger of Burnham’s Beat, explains: “This quarter’s results continue to demonstrate that blogging is a complete waste of time. While we did not achieve our previously forecasted results of 100 billion page views and ‘Google-style cash, Baby!’, we remain hopeful that people forgot about those projections. There are several reasons for missing our projections, including an outage of our hosting provider in late Q4 which cost us at least $1.00, the continued poor quality of the writing on the site, high oil prices, several deals that slipped to next quarter, and uncertainty created by the war in Iraq.”

The URL to Trackback this entry is:
http://www.wikidsystems.net/WiKIDBlog/89/tbping