CyberSecurity Institute

The three largest computer makers–Dell, Hewlett-Packard and IBM–have started selling desktops and notebooks with so-called trusted computing hardware, which allows security-sensitive applications to lock down data to a specific PC. But Microsoft’s plans to take advantage of the technology have been delayed, meaning the software heavyweight likely won’t get behind it until the release of Longhorn, the Windows update scheduled for next year.

That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

“Our success is not dependent on Microsoft,” said Brian Berger, executive vice president at security company Wave Systems and the marketing chair for the Trusted Computing Group. “When Microsoft comes on board with some of what they have talked about, it will be that much better, but this is not a Microsoft-centric activity.”

The Trusted Computing Group, the industry consortium that sets specifications for the specialized hardware, has had to rely on other software makers to demonstrate the benefits of running a trusted PC. Largely a footnote in 2004, the technology is set to take off this year, with the top three PC makers shipping laptops and desktops equipped with hardware security.

Dell, the last holdout, announced that it had added the security technology to its latest line of notebooks on Feb. 1.

In 2005, more than 20 million computers will ship with the trusted platform module, up from 8 million in 2004, according to estimates from research firm IDC.

The technology locks specialized encryption keys in a data vault–essentially a chip on the computer’s motherboard. Computers with the feature can wall off data, secure communications and identify systems belonging to the company or to business partners. That means companies can improve the security of access to corporate data, even when the PC is not connected to a network.

Microsoft is a significant proponent of trusted computing. When it first publicized plans in 2002 to create a security technology known as Palladium, it said that its software component might be released as early as the end of 2004. At the time, digital-rights advocates raised concerns that the technology could be used by software makers and media companies to control people’s PCs, putting Microsoft on the defensive.

What’s new: The top three PC makers have started selling models with encryption hardware, even though Microsoft’s software for the technology has hit delays.
Bottom line: That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

http://news.com.com/Hardware+security+sneaks+into+PCs/2100-7355_3-5619035.html?part=rss&tag=5619035&subj=news

Classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded and technically adept: the Soviet Union. You might argue with the government’s decision to classify this and not that, or with the length of time that information remained classified. But if you assume the information needed to remain secret, the procedures made sense.

In 1993, the U.S. government created a new classification of information–Sensitive Security Information–that was exempt from the Freedom of Information Act. The information under this category, as defined by a Washington, D.C., court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words–“air” and “passengers”–and changed “safety” to “security.”

Currently, there’s a lot of information covered under this umbrella. The rules for SSI information are much more relaxed than the rules for traditional classified information.

Before someone can have access to classified information, he must get government clearance.

Before someone can have access to SSI, he simply must sign a nondisclosure agreement, or NDA.

If someone discloses classified information, he faces criminal penalties.

If someone discloses SSI, he faces civil penalties.

SSI can be sent unencrypted in e-mail; a simple password-protected file is enough.

A person can take SSI home with him, read it on an airplane, and talk about it in public places.

People entrusted with SSI information shouldn’t disclose it to those unauthorized to know it, but it’s really up to the individual to make sure that doesn’t happen.

It’s really more like confidential corporate information than government military secrets.

The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. For example, the terrorist watch list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. My guess is that more than 10,000 people have access to this list, and there’s no possible way to give all of them a security clearance.

Either the U.S. government relaxes the rules about who can have access to the list, or the list doesn’t get used in the way the government wants. On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded and much less technologically advanced.

SSI rules really make more sense in dealing with this kind of adversary than the military rules. I’m impressed with the U.S. government’s SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.

http://news.com.com/Common+sense+on+security/2010-7348_3-5616209.html?part=rss&tag=5616209&subj=news

SUVP was disclosed by the Wall Street Journal; until then, the year-old program had been a closely-guarded secret. It’s so secret, in fact, that a search on Microsoft’s Web site for “SUVP” comes up empty.

Microsoft said that SUVP’s testing is beneficial to everyone, since “the end result is high-quality update for customers.”

The spokesperson denied that the Air Force, or any other organization or company participating in SUVP — the Air Force is the only participant that’s been named so far — gets a jump when it comes to patches. “The program is not designed to give the Air Force or any customer who participates in SUVP, a competitive advantage, and the service does not receive mission-critical patches before any other customer.”

http://www.techweb.com/wire/security/159900380

In recent months the Australian market has seen the release of several new players in the VoIP space and analyst predictions to the effect that 2005 will be the year that VoIP takes off in a big way.

There has even been a public discussion paper released by the Australian Communication Authority on regulation of the potentially disruptive new technology, and various public responses from telecommunications providers. A study commissioned by contact centre software provider Concerto showed that those in charge of contact centres were still only tentatively appraising the technology.

The managers came from a broad range of industry segments and took part in the research in January and February of this year. Of those 100, only 2 percent listed VoIP technology as being next on their shopping lists for their call centres, and only 6 percent said that VoIP was the technology that had made the most impact on improving productivity in their call centre over the past 12 months.

In contrast to the lack of interest in VoIP technology, 9 percent of respondents said they would soon be purchasing speech recognition software for their call centres, although only 1 percent said speech recognition technology had had the most impact on productivity in their contact centre in the past 12 months.

“Call centres are carefully evaluating the business benefits that will drive investment in VoIP and converged technologies,” said Concerto Australia and New Zealand general manager Gerry Tucker.

http://www.zdnet.com.au/news/communications/0,2000061791,39184629,00.htm