Government info sites don’t work

There’s a relatively new site called “www.ready.gov” that the Department of Homeland Security has set up to keep the American people informed on what they do and how the people should prepare themselves for terrorist onslaughts, natural disasters and war and stuff. As with most such government initiatives, I see a lot of problems. First and foremost that they don’t really try to inform people in a useful way, they try to pacify people to keep them from becoming upset. In other words, they do their best to keep people un-informed.
Continue reading “Government info sites don’t work”

More on peroxide

Tonight: The London police chief tonight said the order to shoot stands firm and even though they regret the mistake, more people can expect to be shot.

“It’s still happening out there, there are still officers having to make those calls as we speak, he said, adding: “Somebody else could be shot.”

I can’t believe this. Is this really happening?

2005-07-26: Bruce Schneier says about the same thing, but more.

Peroxide and strip, or die

It’s time for all good law-abiding citizens with a darkish exterior and heavy clothing to go into hiding or peroxide themselves into a more non-threatening color. Or at least avoid public transport. Or being outdoors. It’s “shoot on sight” if you *look* like a terrorist. See the quote below from the Jerusalem Post.
Continue reading “Peroxide and strip, or die”

Don’t switch off mobile phone networks, extend them

Terrorists may talk to each other using mobile phones, just like any other people in this world. They may even use them, theoretically, to set off bombs from a distance. This has led governments to consider switching off mobile phone networks after terrorist attacks. In the same vein, allowing the use of mobile phones on airplanes in flight worries them a lot. This is nonsensical for a number of reasons.
Continue reading “Don’t switch off mobile phone networks, extend them”

Is it due diligence to avoid US hosting providers?

I just read a letter to the editor by Richard Stallman in Communications of the ACM, May 2005, where he points out that whatever the privacy policy of a website, the USA PATRIOT act (or USA PAT RIOT act as he calls it) allows collection by law enforcement of any private information without a warrant. His point is that the “privacy seal” advocated by some, means nothing.

US companies are subject to this act in any case, but for us non-US residents and non-US companies, it seems an utterly bad idea to host our data on American based ISPs, since all of a sudden our data can be collected by the US government without a warrant or even without us knowing about it. The ISP can’t even tell us, can they?

Does this mean that applying prudent IT security principles would prohibit any non-US based company from using any US-based hosting provider? Or maybe even any hosting provider with a US-based company anywhere in the ownership chain?

It seems that way to me.
Continue reading “Is it due diligence to avoid US hosting providers?”

Have they forgotten about PKC’s and SSL?

I just read an article in IEEE Computer, June 2005, called “Security Technologies Go Phishing”. It’s about new ways of stopping phishing attacks. Among other things, they present a system that lets a bank (for instance) have their users choose a picture from an album. That picture is then included in email that the bank sends out, so the user knows that the email is for real and not spoofed. To me, there are many things wrong with this idea and any similar developments. (Please note: the article mentions other interesting systems and the given company has other interesting products. I’m only picking on this one idea, here.)
Continue reading “Have they forgotten about PKC’s and SSL?”

Smart cards should have keypads and beepers

Increasingly, computers are used to write pharmaceutical prescriptions and other medical documents. In most cases, the “signing” of these documents is a sad affair involving some simple checking of checkboxes and clicking of buttons. The application usually takes it from there, attesting to anyone willing to believe it that the logged on user (whoever that may be in reality) clicked the click and thereby took responsibility for the whole thing.

In more sophisticated systems, an actual digital signature is applied to the prescription. If we’re lucky, it’s also done in the right way (except I’ve never heard of a system doing it right), with digital signatures. If we’re even more lucky, that digital signature is not kept on the computer, a floppy, a USB flash memory or a dumb card (a magnetic stripe card or memory card), but on a smart card with microprocessor. But even then, we’re far from safe.
Continue reading “Smart cards should have keypads and beepers”

The Semantics of Signing

When we apply a digital signature to a data structure, we only apply it to the data actually present in the structure. But most of that data is only meaningful in relation to external data tables, and used with certain applications, which can change without influencing the signature on the data structure. This is a serious problem in many application areas, but in none as much as in medical informatics.
Continue reading “The Semantics of Signing”

Medical data communication systems, next generation

A discussion of how future medical information communication systems could be built for maximum security and openness. Multiple actors do want and need access to the architecture so they can freely select components to fit into the architecture. These components can be conversion engines and scripts, maintenance systems, encryption and signature systems, and communication links.

Those medical institutions, labs and care providers that have moved over to computerized medical records usually are able to send requests, reports and other communications to each other using computer networks. Often, this is done by third party systems that centralize the conversion of the data. These third parties usually also provide the communication infrastructure and the necessary client applications, but it’s a cultural thing, so it varies a bit from country to country. For a number of reasons, I do think the time has passed for these third parties, even though they’ll probably be in business for a while longer. Nothing in medical computing changes very quickly.
Continue reading “Medical data communication systems, next generation”

Authenticating transactions, not people

Two-factor authentication using hardware tokens to log on to internet banking sites (among other things) is intended to make banking over the Internet more secure. It turns out that it isn’t as great as it seems to be on first blush. Bruce Schneier has talked about this problem several times. Why is this problem so difficult?
Continue reading “Authenticating transactions, not people”