Thursday, May 22, 2008

All your info are belong to us

Google Health has opened its doors today, and the ramifications are, quite frankly, worrying. Don't get me wrong, I am a big fan of Gmail and the Google search engine (best hacking tool on the planet), but this is a worrying development. Google Health aims to be a portal to organise and maintain all of your health records... let's think about this for a second.

On the face of things Google is a company that aims to be number one in the field of online advertising, and they clearly are, through the use of highly targeted adverts. What they are really all about is data aggregation. To quote Sir Francis Bacon, "Knowledge is Power", and that is what Google are all about - sorting and categorising every single piece of information about every person on the planet.
Now that's not necessarily a bad thing. Just because they have access to all of that information does not necessarily mean they will abuse it - but the fact remains that they can, or indeed they can be forced by another group (i.e. a government) to hand over certain information. Having all of your information in one place like that is just asking for trouble.

Do I sound overly paranoid (my tinfoil hat is the height of fashion)? Well let me ask you this question. I have a mate called Dave (Dave may or may not be hypothetical). Dave runs a small data storage company and for a low, low price (free) has kindly offered to store every email you receive; catalogue every site you visit (yes, even the dodgy ones you swear you never go to); store all of your personal documents (both the ones on the web and those on your PC); keep your personal calendar for you (not that you care that he knows where you will be every minute of the day); mind all of your private photos (which you have kindly categorised and labelled for him); and of course keep track of everybody you are acquainted with.

But wait - there's more! He will now keep all of your medical history safe for you as well! Remember that nasty rash "down there", or the incident with the gerbil, the bungee rope and the rocket launcher - all neatly documented in case you ever need to access it.

But there is no need to be paranoid, because Dave would never do anything dodgy with your information. After all, his company's motto is "Don't be Evil"...

Thursday, May 1, 2008

Where's the Risk? Oslo, apparently.

Just back (well, a few days ago) from the RISK 2008 conference in Oslo, Norway. Overall I really liked this conference, although I did not get to attend all of the talks due to my average (read: non-existent) command of the Norwegian language, so I limited myself to the talks of an English-speaking variety.

The conference was held in the Norwegian national football stadium (real football, not the version with body armour and 40 ad breaks), so the hosts, Mnemonic, had gone for a football theme. All of the organisers were dressed in referees' jerseys; going over time by 5 minutes saw you receiving a yellow card, and in extreme cases a red would see an early end to your conference.

The first speaker up was Marcus Ranum, who delivered an excellent and very entertaining talk about how we are stuck dealing with all of the mistakes of the past, and how we must be much more careful going forward. He also has an interesting read on his website about the "6 Dumbest Ideas in Computer Security". The only other English presentations for the day were by Peter Finnegan on Oracle security (or the lack thereof), and by Sebastien Deleersnyder explaining what OWASP was all about.

That evening Mnemonic put on an excellent drinks reception and a really nice dinner. There was also a very good comedian, or at least all of the locals were laughing; he did a sketch about going through airport customs that was mostly in English and was great. The night was good craic overall, and hats off to Mnemonic for organising it.

The 2nd day of the conference started with Joanna Rutkowska's talk on virtual machine malware. This was a talk that I was really looking forward to - unfortunately my own presentation was up next, so I spent most of the time down the back going over that. The bits I caught were as interesting as ever. My own presentation on "Fighting web-based, profit-driven threats" sparked quite a few questions from the audience (joys of being the only AV speaker), especially from the aforementioned Joanna. Eventually the organisers called time on the questions, but the spirited debate continued during the break, attracting a bit of a crowd.

Essentially a lot of people were saying that a) pattern matching is dead, b) counting unique MD5s as a measure of the rise in malware is pointless, and c) we should fix the OS, not build on it.

On a) I mostly agree - pattern matching on its own is not capable of dealing with the current threat landscape, but when complemented with other technologies like behaviour-based detection, web threat protection and data leak protection, suddenly we have a decent defense-in-depth model.

On b), regardless of the fact that the number of unique samples has gone through the roof, the number of individual variants is also on the rise. Everyone knows that it is trivial to generate 10,000 copies of the same malware - but you still need to deal with each of them, and that's why the malware industry does it. Even if you have only one brand of bullet, firing 10K at the target instead of 1 makes it a lot more likely you are going to do some damage.
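As an added illustration of points a) and b) (example code written for this edit, not from the talk or the original post): an inert, constructed byte string stands in for a malware body, and a handful of helpers count unique MD5s, exact-hash blocklist hits and byte-pattern hits across ten thousand junk-padded copies plus one XOR-encoded copy of the same body. The payload, the signature bytes, the padding scheme and the one-byte XOR "packer" are all assumptions made for the example; the point is the numbers they produce, not the stand-ins themselves.

```python
import hashlib
import random

# Constructed stand-in for a malware body. This is an inert byte string built
# for the example, not a real sample, and the "signature" is just the substring
# a pattern-matching scanner would look for inside it.
BASE_PAYLOAD = b"MZ" + b"\x00" * 14 + b"CONSTRUCTED-PAYLOAD-CORE-BYTES" + b"\x90" * 32
SIGNATURE = b"CONSTRUCTED-PAYLOAD-CORE-BYTES"


def make_variants(base: bytes, count: int, seed: int = 1) -> list:
    """Emulate the cheap 'repack' trick: the same body with different junk
    appended. A sequence number guarantees every variant differs, so every
    MD5 is unique even though nothing functional has changed."""
    rng = random.Random(seed)
    variants = []
    for i in range(count):
        junk = i.to_bytes(4, "big") + bytes(rng.getrandbits(8) for _ in range(12))
        variants.append(base + junk)
    return variants


def make_encoded_variant(base: bytes, key: int) -> bytes:
    """Emulate a packer/crypter: XOR the body with a one-byte key, so the
    plain-text signature no longer appears in the file on disk. Applying the
    same key again recovers the original body."""
    return bytes(b ^ key for b in base)


def md5_hex(sample: bytes) -> str:
    return hashlib.md5(sample).hexdigest()


def count_unique_md5(samples) -> int:
    """What 'number of unique samples' measures: distinct file hashes."""
    return len({md5_hex(s) for s in samples})


def hash_blocklist_hits(samples, blocklist) -> int:
    """Exact-hash blocking: catches only hashes already on the list."""
    return sum(1 for s in samples if md5_hex(s) in blocklist)


def signature_hits(samples, signature: bytes) -> int:
    """Byte-pattern matching: catches every sample containing the pattern,
    however many junk-padded copies exist, but nothing that hides it."""
    return sum(1 for s in samples if signature in s)


def run_demo(count: int = 10_000) -> dict:
    """Return the numbers side by side for `count` padded copies plus one
    XOR-encoded copy of the same body."""
    padded = make_variants(BASE_PAYLOAD, count)
    encoded = make_encoded_variant(BASE_PAYLOAD, key=0x5A)
    corpus = padded + [encoded]
    blocklist = {md5_hex(padded[0])}  # the one hash the vendor has already seen
    return {
        "unique_md5": count_unique_md5(corpus),
        "blocklist_hits": hash_blocklist_hits(corpus, blocklist),
        "signature_hits": signature_hits(corpus, SIGNATURE),
        "signature_hits_on_encoded": signature_hits([encoded], SIGNATURE),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Ten thousand padded copies yield ten thousand distinct MD5s (one "unique sample" each) while an exact-hash blocklist stops exactly one of them; a single byte signature stops all ten thousand, which is why the trick is cheap for the attacker and still costly for the defender. The one XOR-encoded copy is missed by that signature entirely, which is the case the behaviour-based and web-side layers have to cover.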

On c), in an ideal world fixing the OS is a big step. Proper process isolation, data permissions, etc. go a long way to helping secure a system, but the majority of malware attacks are still aimed at the most vulnerable part of the system - the part between the keyboard and the chair.

Anyhow - the other English presentation of the day was a really interesting talk by PDP of Gnucitizen.com (if you don't already regularly read it, you should). He gave a very nice rundown of attacks against Web 2.0 that was both entertaining and informative, and as far as I was concerned it was tied with Marcus's presentation for the best at the conference.

Anyhow, back now to a place where beer does not cost €10, but that may all change as I head to CARO in Amsterdam later this week.

Full Program of the Event
Copy of the Slides from my presentation
