As usual, I'll give my Saturday courses during February and March at the University of Metz. My main topic this year will cover the use of honeynet/pot technologies to discover and analyze old and new security threats. I often used honeynet information as a basis for giving courses in network security and software engineering. In the early beginning, I was not really convinced by high-interaction honeynets, as it was more like throwing a bottle into the sea than having a real target. High-interaction honeynets catch real attackers, but quite often the same kind of attackers, and they cost a lot of time and money to set up, manage, monitor and analyze. The risks are quite high with high-interaction honeynets, as they can easily be used to attack or launch large-scale probes on the public Internet. Of course, you can use technical measures (mmmm… maybe better to say: tricks) to limit the risk of being a nice launching pad for other attacks. It's not perfect, it's error-prone, and it's costly on the management side. After some years, I still think that the use of high-interaction honeynets is sometimes useful, but only in rare cases.
After a lot of experimentation in the area, low-interaction honeynets¹ seem to me more useful and have more practical uses. A lot of honeynet frameworks exist to catch malware, spammers or misconfigured routing… with reduced risk compared to their high-interaction brothers. During the session in Metz, I'll give the students the opportunity to build their own low-interaction honeynet as a practical example. The approach is not only here to catch security issues in the wild but is mainly a practical hands-on exercise where the students can understand the inner workings of a specific internet² protocol, the abuse of internet services, and the risks when developing (crafting) software. I hope that some of their honeypot projects could be used on the Internet and published (I'll insist that they reuse existing honeynet/pot frameworks like honeyd in their "creation").
I'm often asked to give a list of my favorite public feeds. Yesterday, I cleaned up my list to clearly separate the private and public feeds (you know, for this vague notion of privacy in our living connected world). They are now available in OPML format. The file is composed of more than 500 RSS/Atom feeds, mainly containing my current blogroll, a list of monitored free software projects and some specific RSS/photo feeds. The OPML format is quite old and was created by Dave Winer. A lot of people were complaining that the OPML (Outline Processor Markup Language) specification is quite unclear (too open to interpretation), too simple, or only uses element attributes (I'm often a bozo but I don't care). That could be true… but OPML is simple, implemented and available. It works, and in the end it's better to have such a format than a 200-page specification without an implementation. The Sage Firefox extension supports import and export in OPML. There are also some other extensions for Firefox. You can also share your feeds on share.opml.org, but it's only useful for the social web freaks… but we are all freaks, aren't we?
Patents are often used as a defensive tool against other aggressive patenters. Red Hat is registering patents in order to keep a portfolio against other companies playing unfair (if you can really play fair in the patent system, but that's another discussion) in the software business. They keep the promise that they won't enforce their patents against software licensed under a free software license. The term "protection" is often used in the patent system, but it's not often about protecting your invention; it's mainly about protecting you against the potential racketeer.
Besides the "racketeer" protection, there is a very common use of patents: the innovation metric. A classical argument in favor of patents is that such a system makes it possible to evaluate the innovation level of a company, a country or a region. The number of patent applications is used to build dozens of lists of the most innovative countries or the most favorable areas in the world where investors should put money… Of course, we all know that relying only on patent applications to build a kind of innovation index gives a very truncated view of where and when innovation pops up. Investors often rely on the capacity of a start-up to file patents before making a large investment. Start-ups may have done a lot of research in development in a product or a service without having the ability to file applications. But you have other ways to evaluate the innovation level of start-ups, like the number and the respective quality of scientific publications/papers, the various legal deposits of copyrighted works, …
Evaluating innovation in a company based on a single factor like the patent system is dangerous for everyone, including the investor. At a time when society asks for more accountability inside companies, we really need a better system to evaluate innovation. Of course, there is no miracle. There is no such thing as the perfect innovation index. But at least we should start to think of a better solution. My first thought was that we don't need such metrics, as they are all broken. That's true, but it looks like the economic sector loves to use broken metrics. If there is no alternative in the "innovation metrics", the economic sector will pick the only one available, and it's clearly the broken one. Maybe it's time to propose something else?
Some random ideas to build such an index:
Some potential factors (of course, they are all broken, but not in the same area):
Maybe there are already some other indexes… I just think that the idea is well worth investigating, at least to avoid the single factor currently used: patents.
I was following the long discussion about net neutrality a little and found this quote from Tim Berners-Lee on the subject:
Anyone can build a new application on the Web, without asking me, or Vint Cerf, or their ISP, or their cable company, or their operating system provider, or their government, or their hardware vendor.
This quote summarizes really well what net neutrality is. There is a lot of discussion saying that it is not a problem when an ISP differentiates between the services you access on the Internet. I think it is. The ISP's role is to provide you with access to a public network, nothing more or… less. We don't want to get back to the old ages where there were CompuServe, a FidoNet network, MSN and sometimes a wacky gateway to the Internet from those proprietary networks. We just want plain routed IP packets on the Internet…
Update 2007-01-23: I'm not against traffic engineering in the ISP backbone. I'm just against the idea of having different kinds of access depending on the agreements the ISP made with various service providers. Imagine that your ISP gives you fast access to the live.com search engine but not to the Google search engine. It's not a matter of law (net neutrality will not be solved by the legal framework); it's just a matter of keeping access to a public network. In the end, we must keep a free market when providing access to the public Internet.
My week could easily be summed up in one term, recently used by Bruce Schneier: Security Theater. What is the meaning of the term Security Theater?
security theater: security primarily designed to make you feel more secure.
I'm not always following Bruce Schneier (especially about so-called security awareness; for a good summary of it, see the Marcus Ranum point/counterpoint), but I tend to follow his point of view regarding security theater. Too often, the impression of security is more important to people than basic real security. It's not a matter of cost… as the impression is sometimes more expensive to build than a simple security mechanism. It's just a question of sensibility: you may feel safe just because there is a nice label on a box with "Military Encryption" or because you have the "enabled firewall" icon on your computer desktop. Marketing is playing in that field too, just giving the impression. What's the most important, the theater or the backstage? Theater is magical… but when you go backstage you start to understand how it works. But how many people go backstage to see how it works after all? Not too many. Of course, the offstage part is a critical part of the theater. This week, I was deep in the backstage… helping the magical security theater to continue its work but trying to keep the security beyond magic.
Footnotes:
1. I know the differentiation between low-interaction and high-interaction is sometimes unclear and imprecise.
2. 1. (I) /not capitalized/ Abbreviation of "internetwork".
   2. (I) /capitalized/ The Internet is the single, interconnected, worldwide system of commercial, government, educational, and other computer networks that share (a) the protocol suite specified by the IAB (RFC 2026) and (b) the name and address spaces managed by the ICANN. (See: Internet Layer, Internet Protocol Suite.)