• Security vs. Convenience - A look at Windows Vista

    With 4 days to go until the Windows Vista General Availability launch, Jim Allchin wrote a pretty interesting (and very long) blog post on security vs. convenience, using Windows Vista as the example.

    Look at it yourself: http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

    Windows Vista Rocks!!!

    Roger

  • Do we have to move away from SHA-1 immediately?

    Sometimes it is interesting how certain themes keep popping up again and again. But let's start at the beginning:

    For example, in the field of public key cryptography we make use of so-called hash functions. A hash function is a function which turns data into a number of limited size. For example, SHA-1 returns a 160-bit number. These functions (especially SHA-1) are heavily used to digitally sign messages. The core problem with those functions is collision: How likely is it that two (meaningful) messages get the same hash value? This is especially problematic as SHA-1 has only 2^160 possible results. If you need more information about hashes, look at Wikipedia at http://en.wikipedia.org/wiki/Hash_function

    Now, a brief look at the theory of statistics: There is something called the Birthday Paradox. "The birthday paradox states that given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday. For 60 or more people, the probability is greater than 99%, although it cannot actually be 100% unless there are at least 366 people." (quote from http://en.wikipedia.org/wiki/Birthday_problem). If you apply this to SHA-1, you reduce the number of attacks needed to get a collision with more than 50% probability to 2^80.
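
    The birthday bound described above, as an added example that is not part of the original post: it checks the 23- and 60-person figures and then runs a birthday search against SHA-1 truncated to a few bits, so the roughly 2^(n/2) cost is visible at a size a laptop can finish. The function names and the sample messages are constructed for this illustration.

```python
import hashlib
import math
from itertools import count


def birthday_probability(k: int, space: int) -> float:
    """Chance that k uniform draws from `space` values contain a repeat."""
    # P(all distinct) = prod_{i<k} (1 - i/space); summed in logs for stability.
    log_distinct = sum(math.log1p(-i / space) for i in range(k))
    return 1.0 - math.exp(log_distinct)


def draws_for_half(bits: int) -> float:
    """Approximate draws for a 50% collision chance on a `bits`-bit hash."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data), standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two outputs match."""
    seen = {}
    for i in count():
        msg = b"constructed message %d" % i  # constructed sample input
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # earlier message, new message, hashes used
        seen[h] = msg


if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23, 365):.3f}")
    print(f"60 people: {birthday_probability(60, 365):.3f}")
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit: collision after {tries} hashes "
              f"(~{draws_for_half(bits):.0f} predicted for 50%)")
    print(f"full SHA-1: 2^{math.log2(draws_for_half(160)):.1f} hashes for 50%")
```

    Each extra bit of output multiplies the search cost by about 1.41, which is why a 160-bit hash lands near 2^80 rather than 2^160.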

    Now, those were the basics. On February 13th, a team of Chinese researchers published a paper showing a weakness of SHA-1 that reduces the number of attacks needed to 2^69 (http://theory.csail.mit.edu/~yiqun/shanote.pdf).

    This caused certain discussions in the crypto space. But in the end, well, we (the IT pros) have to change the hash algorithm - over time. But not now and not by tomorrow. I think that over time, it is clear that we have to move away from SHA-1, but before we do this, there has to be a consensus on what the next standard shall be. Is it Nessie, is it SHA-256 or SHA-384 or SHA-512? I personally think that the situation is similar to the one regarding 3DES. It was decided to move to another symmetric algorithm and then it took some time until Blowfish was selected (and is now called AES) and now the software vendors have started to migrate.

    99.999% of all the applications, in my opinion, will be able to live even with the risk of a collision of 1:2^69. If you are within the remainder, then you should probably think about migrating.

    Roger

  • It's time to start

    Well, it is time to open this blog: Starting from February 1st, I will take over the position as a Chief Security Advisor for Europe, Middle East, and Africa. During the last five years, I was holding the same position locally in Switzerland, now moving on to take over the region.

    Acting as a CSA, together with my right (or left) hand in Switzerland, I ran a blog targeting the audience locally and I decided that I want to keep up with this tradition. This blog shall not replace any of the official channels, but my core goal is to give you certain information about what we see as Microsoft and what could be interesting for you in the security space.

    One experience I made: The Swiss are not too good at posting comments - we rarely got any during those years. But as soon as you met one of the readers in person, they all of a sudden started to tell us what they liked (or disliked) and how they looked at the blog. Does this change in EMEA? I do not know yet but would appreciate it if I got more feedback from you.

    Anyway, I am looking forward to working with you in the future.

    Roger

  • Data Retention for ISPs

    As you probably know, I am based in Switzerland. For quite some time, Swiss ISPs have been mandated to retain their IP logs for a few months in order to support Law Enforcement.

    It seems that the US is now going down this road as well and it will be interesting to see what kind of data have to be logged and retained. As always, the big issue is the delicate balance between privacy, the requirements of the industry, and the needs of Law Enforcement.

    http://www.businessweek.com/ap/financialnews/D8MQJU880.htm

    Roger

  • Terrorism and the Internet

    For a long time (at least since 9/11) there has been a lot of discussion about the way terrorists use/will use the Internet.

    It is clear that the Internet is used for publicity and communication. There are experts saying that the Internet itself will not be a target for an attack by terrorists because of this fact - they would destroy one of their most important communication channels.

    Will they use the Internet as an attack channel to critical infrastructure? Well, I hope that we will never see that happen.

    What I never thought of is that they seem to use the Internet for "fund raising". Read for yourself: http://www.zone-h.org/content/view/14508/30/

    Roger