tag:blogger.com,1999:blog-2354977161001391190 2008-07-23T10:37:48.888-04:00 In Security John C. Sharp http://www.blogger.com/profile/16042907350947048745 noreply@blogger.com Blogger 206 1 25 tag:blogger.com,1999:blog-2354977161001391190.post-4873396865317224995 2008-07-23T09:58:00.009-04:00 2008-07-23T10:36:20.255-04:00 PC Magazine Reviews Authentium SafeCentral<br /><br />PC Magazine just published an excellent <a href="http://www.pcmag.com/article2/0,2817,2326038,00.asp">review</a> of Authentium SafeCentral.<br /><br /><a href="http://bp0.blogger.com/_HtZMSRIIa-k/SIc9pcNaa0I/AAAAAAAAAMc/OYcqUyfX66c/s1600-h/pcmag.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SIc9pcNaa0I/AAAAAAAAAMc/OYcqUyfX66c/s400/pcmag.png" alt="" id="BLOGGER_PHOTO_ID_5226213674743130946" border="0" /></a><br />Our security features all worked exactly as advertised, and the reviewer had many positive things to say about the enhanced security SafeCentral offers online consumers - especially when it comes to online banking transactions.<br /><br />The only negatives were the lack of a password manager, the lack of support for Firefox's antiphishing feature, and slight slowness in rendering pages. All of these feature requests and issues have already been addressed for our next release.<br /><br />The review focused on three main areas: phishing and spoofing, keylogging and screen-stealing, and DNS (name lookup) security.<br /><br />With respect to our antiphishing capabilities, one of the things I liked about the review was that the reviewer understood the need for a systematic, real-time approach to preventing phishing. 
Here's what he said about our abilities in that area:<br /><br /><span style="font-style: italic;">"If you always visit your sensitive sites by launching them within SafeCentral, there's almost no chance you'll be taken in by a phishing scam."</span><br /><br />He also tested our secure DNS lookup capabilities by hacking his test system's HOSTS file, and found that we are not fooled by that kind of tampering (strictly speaking a HOSTS override rather than a poisoned DNS cache, but to a browser that trusts the operating system's resolver the effect is the same).<br /><br /><span style="font-style: italic;">"I added a line to make requests for www.pcmag.com go to a different site. IE and Firefox were totally fooled, but the SafeCentral browser brushed aside my amateur hacking and went directly to </span><i>PC Magazine</i><span style="font-style: italic;">'s site."</span><br /><br />Excellent! That is exactly what is supposed to happen. Editing the local HOSTS file is one of the easiest hacks to pull off - any malware that can write to that one file silently redirects every program that relies on the system resolver, and no DNS server anywhere is involved - and our patent-pending TSX library (now part of SafeCentral) defeats it by sending name lookups to our own DNS service instead of the local resolver.<br /><br />On the subject of sneaky keyloggers and screen-stealers, the reviewer used a keylogger that's "sneakier than most" (his words) and again compared us to IE and Firefox (check out the slide show on PC Mag's site for screenshots of this attempt):<br /><br /><span style="font-style: italic;">"The keylogger totally captured everything I typed in IE and Firefox. It saved screenshots, it recorded data from the clipboard, and it even tracked what URLs I visited in IE. But it didn't get a single byte of information from the SafeCentral session. I tried several other keyloggers with the same result. 
Good job!</span>"<br /><br />The reviewer noted at the end of the review that we could do with some improvements in speed (already addressed), password manager support (also already addressed), and support for the Firefox antiphishing technology (included in the latest build).<br /><br />The complete text of the review, including screenshots of SafeCentral, can be found by going to PC Mag's site, buying the magazine, or clicking <a href="http://www.pcmag.com/article2/0,2817,2326037,00.asp?kc=PCRSS02129TX1K0000530">here</a>.<br /><br />If you'd like to download SafeCentral for free, please go <a href="http://www.safecentral.com/">here</a>.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-1502112082225115154 2008-07-22T22:49:00.013-04:00 2008-07-23T10:37:48.934-04:00 The DNS Mystery Ends Badly<br /><br />Okay, like a lot of security guys, I speculated on what Dan Kaminsky was going to announce at Black Hat regarding the current DNS vulnerability.<br /><br />Here's a quick recap of the problem, courtesy of Wired:<br /><br /><span style="font-style: italic;">"The DNS flaw that Kaminsky discovered allows a hacker to conduct a "cache poisoning attack" that could be accomplished in about ten seconds, allowing an attacker to fool a DNS server into redirecting web surfers to malicious web sites..."<br /><br />"A cache poisoning attack allows a hacker to... 
translate a website's name to a different address instead of the real address, so that when a user types in "www.amazon.com," his browser is directed to a malicious site instead, where an attacker can download malware to the user's computer or steal user names and passwords that the user enters at the fake site..."</span><br /><br />My own speculation involved an assumption of stupid levels of randomness. But if Thomas Dullien <a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html">(aka Halvar Flake)</a> turns out to be right (and as of this writing, most people seem to think that he is), I was off by an order of magnitude - in terms of both stupidity levels and the ease with which this vulnerability can be exploited.<br /><br />The vulnerability allows hackers to poison a DNS cache "in about ten seconds" (see the quote above). Wired predicts the first root kits will be in circulation by *tomorrow*. Here's a link to the <a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html">post</a> from Dullien.<br /><br />So if the problem is known, why do I say this ended badly? Because we're looking at a massive, Internet-wide problem. Even though vendor patches are available, Internet security (and DNS lookups in particular) is going to be compromised for as long as it takes for everyone to get compliant.<br /><br />There are an estimated 10 million DNS servers out there. According to the Infoblox DNS Report Card survey, by the end of 2006 fewer than two thirds of DNS servers (61%) had been upgraded to BIND 9 - an improvement of barely 3% over 2005 levels. And that figure flatters the picture: BIND 9 itself needed this month's patch before it randomized its source ports, so "running BIND 9" is not the same thing as "fixed".<br /><br />With no policing forces at work (other than customer complaints and market forces), I predict that it will take years for all servers to be brought compliant. 
Which means this problem - DNS insecurity - is going to be around for a while.<br /><br />I wouldn't be doing my job if I didn't point out that our secure transaction service, <a href="http://www.safecentral.com/">Authentium SafeCentral</a>, uses an independent system of secure DNS servers linked to a secure client to make sure that every request for a bank or brokerage web site goes to the right place.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-6879199376071637642 2008-07-12T10:23:00.011-04:00 2008-07-12T13:27:10.711-04:00 Building a Successful SDK<br /><br />Software Development Kits are a big part of what we do at Authentium.<br /><br /><a href="http://www.authentium.com/mainv2/sdk.htm"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SHjCfG0W65I/AAAAAAAAAMU/3H2nAzlvh9Q/s400/SDKLogo.png" alt="" id="BLOGGER_PHOTO_ID_5222137607598042002" border="0" /></a><br />For more than a decade, we have packaged and released system-level toolkits, including Linux- and Windows-based antivirus SDKs, personal firewall SDKs, and system-level file-hardening tools.<br /><br />These toolkits have been used by many industry leaders in the security, SaaS-based managed services, and telecommunications industries to create new products and services.<br /><br />Based on this experience, we have learned a lot about what toolkits need to offer engineering teams. 
But first, let's start with a proper definition.<br /><br />Software Development Kits (SDKs) should enable developers outside of the distributing organization to access and use the code and intellectual property in a way that clearly defines both the scope of the intellectual property (IP) and the scope of what is allowed to be done with it.<br /><br />The commercial model needs to closely match the scope of the toolkit. If your toolkit effectively allows other companies to compete with you, or includes significant ongoing service commitments (both are true of antivirus toolkits, for example), then your model needs to price using a "co-opetition" model and fund the ongoing service costs.<br /><br />SDKs by definition also need to be well documented, starting with the licensing terms.<br /><br />It is extremely important to let developers know up front what can and can't be done with the code. In my opinion, Firefox does an excellent job of explaining what is covered under the GNU General Public License (GPL) and what is owned by the third-party developer. Knowing what the toolkit owner owns, and what you could potentially own based on your use of the kit, is important when licensing in code.<br /><br />Documents designed to inform engineers are the next step. There is nothing worse than "snobby" or badly written documentation. Engineers face deadlines and have limited time to learn your code. They need to know that your engineers are dedicated to bringing them up to speed and helping them make this deadline - the quality of your documentation reflects this better than anything else.<br /><br />For me, the first step in testing your documentation should be to ask someone who has never tried your toolkit to build something with it. Does the documentation clearly enable the engineer to create something using your toolkit, without resorting to calling the manufacturer? 
If the answer is yes, and your legal agreement is clear, proceed.<br /><br />Features found in the product that a toolkit is based on are often not included in the SDK. In my view, this is wrong - rather than force your partners to "reinvent the wheel", you should present them with those features as part of your commercial model. Include them in the code and value them correctly - that way, everyone wins.<br /><br />The final thing any decent open platform code base or SDK needs is good support, provided by people who are proud of the code and willing to help. SDKs need to be supported either by an interactive, wiki-based community, as is the case with Linux, PayPal or Firefox, or by a dedicated team of engineers prepared to answer questions from other developers.<br /><br />In summary, SDKs need precise legal and commercial definitions, an appropriate and understandable commercial model, great documentation, cool features, and solid support. If you have all these, your SDK should be successful.<br /><br />Note: My thanks to Vladimir Dubovik at US Bank for asking the question that led to this post.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-3950023133888790350 2008-07-10T20:47:00.011-04:00 2008-07-13T23:17:42.627-04:00 DNS Insecurity<br /><br />Imagine an attack in which the hacker controls all your Internet traffic and is able to redirect your web site requests away from the destination you asked for to a spoofed web site that he controls.<br /><br />This scenario is one form of Man-In-The-Middle (MITM) attack, and one way of achieving it is to "poison" the cache of a Domain Name System (DNS) resolver - that is, to get the resolver to accept forged name-to-address records and hand them out to everyone who asks.<br /><br />Once a DNS cache is poisoned, interception and redirection of web site requests can be managed from a point remote from both the client and the destination. DNS poisoning is, in many ways, a case study in online criminal efficiency.<br /><br />Next month, as everyone in the security industry now knows, Dan Kaminsky is going to step up to the mic at Black Hat and talk about something everyone already knows is a big problem - DNS insecurity.<br /><br />So what is Kaminsky going to tell us? The fact that an out-of-sequence patch was issued by Microsoft two nights ago (a patch that apparently kicked users of ZoneAlarm firewalls off the Internet) explains where the problem probably lies.<br /><br />The Register (which refers, accurately, to DNS insecurity as "the mad woman in the attic" and a "peripheral, forgotten issue") added some color today, unearthing a 2005 <a href="http://www.sans.org/reading_room/whitepapers/dns/1567.php">paper from Ian Green</a> which makes for some interesting reading. Here's a peek at his paper:<br /><br /><span style="font-style: italic;">"...as the infamous Mitnick vs Shimomura attack and other subsequent attacks have shown, many weaknesses in network protocols are a result of poor implementation rather than weaknesses in the underlying protocol. 
In the Mitnick attack, 'IP source address spoofing and TCP sequence number prediction were used to gain initial access'."</span><br /><br />Hmmm. Can you tell what is coming next? Three pages later, after a few hours of research, Green writes of his test target (the Windows XP DNS resolver):<br /><br /><span style="font-style: italic;">"The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and... the UDP source port of the query (which becomes the UDP destination port of the response) remains static for the entirety of a session (from startup to shutdown)."</span><br /><br />In other words, Green applied the lesson of the Mitnick attack and found exactly what it predicts: stupid levels of predictability. The DNS transaction ID is a 16-bit field that exists precisely so that an off-path attacker cannot forge an answer to a query he never saw; implemented as a counter, the next value is simply n + 1, and with the source port fixed for the whole session there is nothing else left for the attacker to guess.<br /><br />In his paper, Green faults Microsoft's flawed implementation of DNS in XP ("ten years after the Mitnick attack"). The Register article uses this as the basis of a theory about what Kaminsky is going to talk about - a theory that was bolstered by Microsoft's out-of-sequence patch this week.<br /><br />Anyway, let's assume that's right. That leaves us Internet users with a problem. Mitnick first paved the way 13 years ago. Green's paper, which was published by the SANS Institute, came out three years ago, in 2005.<br /><br />If it turns out this is what Kaminsky is going to talk about, why is everyone assuming the problem will be taken care of quickly?<br /><br />The truth is, it won't. 
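What that predictability is worth to an attacker is easiest to see in code. The model below is an added example (not code from the original post, from Green's paper or from Authentium): a stub resolver whose ID and source-port policy can be switched between the XP behaviour Green describes and a resolver that randomizes both, which is what the coordinated vendor patches of July 2008 added, plus an off-path attacker who observes one query to a name he controls and then floods forged answers. It also covers the cache-poisoning attack quoted from Wired in the post above, because the attacker re-triggers lookups of fresh names under the target domain and so retries without waiting for anything to expire from the cache. All names, ports and seeds are made up and nothing touches the network.

```python
"""Toy model of forging DNS answers to a stub resolver.

Added example, not code from the original post, from Ian Green's paper or
from Authentium. random_txid=False, random_port=False reproduces the XP
behaviour quoted above (ID starts at 1 and counts up; UDP source port fixed
for the session). All traffic is simulated in-process; names are made up.
"""
import random

TXID_SPACE = 1 << 16                  # the DNS ID field is 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536     # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW


class StubResolver:
    """Issues queries and accepts an answer only if ID, port and name all match."""

    def __init__(self, random_txid, random_port, seed=0):
        self.random_txid = random_txid
        self.random_port = random_port
        self.rng = random.Random(seed)
        self.next_txid = 1                                          # XP: starts at 1
        self.session_port = self.rng.randrange(PORT_LOW, PORT_HIGH)  # XP: fixed per session
        self.pending = set()                                        # (txid, sport, qname) awaiting answers

    def send(self, qname):
        """Return the (txid, sport, qname) triple a forged answer would have to match."""
        if self.random_txid:
            txid = self.rng.randrange(TXID_SPACE)
        else:
            txid = self.next_txid & 0xFFFF                          # n, n+1, n+2 ...
            self.next_txid += 1
        sport = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.random_port else self.session_port
        query = (txid, sport, qname)
        self.pending.add(query)
        return query

    def deliver(self, txid, dport, qname):
        """The resolver's only check: does this answer match a pending query?"""
        query = (txid, dport, qname)
        if query in self.pending:
            self.pending.remove(query)
            return True
        return False


def search_space(random_txid, random_port):
    """Number of (ID, port) pairs an off-path attacker must cover per query
    once he has seen one earlier query from the same resolver."""
    space = 1
    if random_txid:
        space *= TXID_SPACE
    if random_port:
        space *= PORT_SPACE
    return space


def spoof_rounds(resolver, forgeries_per_round, max_rounds):
    """Return the round in which a forged answer was accepted, or None.

    Step 1: the attacker makes the victim look up a name whose authoritative
    server he runs, so he sees the ID and port of that one query (an off-path
    attacker cannot see the victim's other traffic).
    Step 2+: each round he triggers a lookup of a fresh name under the target
    domain (nothing cached, so he can retry at once: the Kaminsky-style loop)
    and sends forgeries predicting ID = observed + 1, +2, ... on the observed
    port, which is exactly right for the XP behaviour Green found.
    """
    seen_txid, seen_port, seen_name = resolver.send("probe.attacker.example")
    resolver.deliver(seen_txid, seen_port, seen_name)      # genuine answer arrives
    for round_no in range(1, max_rounds + 1):
        target = f"r{round_no}.bank.example"               # fresh, uncached name
        resolver.send(target)
        for i in range(forgeries_per_round):
            guess = (seen_txid + 1 + i) & 0xFFFF
            if resolver.deliver(guess, seen_port, target):
                return round_no
        resolver.pending.clear()   # the real answer won this round; try again
    return None


if __name__ == "__main__":
    for txid_rand, port_rand in ((False, False), (True, False), (True, True)):
        r = StubResolver(txid_rand, port_rand, seed=1)
        print(f"random_txid={txid_rand!s:5} random_port={port_rand!s:5} "
              f"search space={search_space(txid_rand, port_rand):>10} "
              f"hit in round: {spoof_rounds(r, 1000, 200)}")
```

The three rows make the point: with a counter ID and a fixed port the very first forged packet lands; with a random 16-bit ID but a fixed port (the state of most resolvers before this month's patches) the attacker needs to cover 65,536 pairs per lookup, which a flood of a few thousand packets per second exhausts in seconds and which the fresh-name retry loop lets him repeat until it works; with both randomized the space is over four billion per lookup and the flood never connects within any sane budget.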
Only a minority of vulnerable users will hear about this and download and install the patch - leaving lots of room for those folks looking to pull off the perfect Internet crime - the MITM, or Man In The Middle attack.<br /><br />Note: It would not be proper for me to sign off without pointing out that a solution exists for XP users: every single DNS request made inside Authentium SafeCentral is handed off to our secure DNS service.<br /><br />This ensures that even users whose local name resolution has been tampered with - HOSTS file, resolver settings or the ISP's DNS cache - get to where they want to go, without experiencing a MITM attack.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-2145557202135913936 2008-07-10T19:47:00.009-04:00 2008-07-13T23:18:51.494-04:00 Hartford Courant Does Good<br /><br />This morning, the editors of the Hartford Courant took a walk down the Yellow Brick Road and found courage, smarts - and a heart.<br /><br />In an editorial this morning entitled "<a href="http://www.courant.com/news/opinion/editorials/hc-amero.artjul10,0,3294514.story">Drop The Charges</a>", the Courant challenged Connecticut prosecutors to drop the bogus charges they have lined up against Julie Amero and take the retrial off the books.<br /><br />In writing the piece, they proved that it is never too late to right a wrong, or claim back some respect.<br /><br />For anyone unaware of this case, Julie Amero was the schoolteacher who was kicked out of her job after pornographic pop-ups appeared on an unpatched, unprotected school computer in front of several students.<br /><br />Lots of people have since looked at the exact code she was looking at at the time (thank you archive.com) and found unmistakable evidence that this is probably among the worst cases of injustice ever 
perpetrated in the short history of Internet-related crimes.<br /><br />Amero was without any shred of doubt very unjustly punished - there were links in the code that I saw that led to places other than those advertised, pop-ups that aggressively spawned new pop-ups, and let's face it, even if Amero went everywhere the prosecutors claim, why isn't the IT guy at the school attracting attention for not keeping the school's filters up to date?<br /><br />The whole idea of having filters is so that kids don't get exposed to stuff like this - no matter what actions adults take.<br /><br />The Courant compares Amero's current dismal state with that of some of the borderline inmates waiting for trial in Guantanamo. This isn't nearly as crazy as it sounds. Amero is also sitting in limbo waiting for prosecutors to get off their butts and admit they don't have anything.<br /><br />Hartford folks, when your local politicians come to you for re-election, please do all of us a favor and ask them where they stand on the Amero issue. Make it a local issue.<br /><br />Take a brave action - like the Courant has done today - and vote some prosecutors into place who will make your community worthy again of respect.<br /><br />Update: Re the last paragraph, an alert reader has pointed out to me that things are not done quite so democratically in Connecticut. Click "Comments" (and watch for future entries in the Authentium InSecurity blog) for more...<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-7239174440171221287 2008-07-02T10:22:00.008-04:00 2008-07-13T23:19:32.470-04:00 500,000,000 Unpatched Browsers<br /><br />IBM, Google and the Swiss Federal Institute of Technology have just come out with a really interesting study. 
The subject was the relative security of the 1.4 billion users of the four main browsers currently in distribution.<br /><br /><a href="http://arstechnica.com/news.ars/post/20080701-40-of-surfers-dont-bother-with-browser-security-updates.html"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_HtZMSRIIa-k/SGuQGRoHEHI/AAAAAAAAAMM/hqyjwKjlw38/s400/browserupdate.jpg" alt="" id="BLOGGER_PHOTO_ID_5218423030724104306" border="0" /></a><br />Browser security is the hot area of study right now. Last week I wrote a piece in the blog on <a href="http://authentium.blogspot.com/2008/06/man-in-browser-attacks-worse-than.html">man-in-the-browser attacks</a>, describing why it is so important that you use a secure browser. If you haven't read it, you should. But back to the study.<br /><br />The study looked mainly at two things: the known security holes (unpatched vulnerabilities) in each browser, and how effective the update strategies of the four main browser developers - Mozilla (Firefox), Microsoft (IE), Opera (Opera) and Apple (Safari) - are at getting their 1.4 billion users onto patched versions.<br /><br />Firefox, which uses a completely automated update strategy, won the day with 83.3% of users patched up to the latest version, compared to less than 50% of IE users. IE users chose to ignore patches far more often because of IE's "permanently put off this update" approach - leaving them more open to browser-based attacks.<br /><br />As the Ars Technica overview of the report states:<br /><br /><span style="font-style: italic;">"Firefox and Opera are both credited for including an auto-update feature, but the team notes that "Firefox’s auto-update was found to be way more effective than Opera's manual update download reminder strategy." How effective? </span><em style="font-style: italic;">way</em><span style="font-style: italic;"> more effective." 
</span><br /><br />We like Firefox at Authentium. Authentium's <a href="http://www.safecentral.com/">SafeCentral</a> end-to-end transaction security solution uses a specially hardened version of Firefox 3 in conjunction with our system-level hardening technologies and a secure DNS system.<br /><br />If you're thinking of downloading Firefox 3, or upgrading, I'd recommend you go over to the site and get yourself a <a href="http://www.safecentral.com/">really secure browser</a>.<br /><br />Note: the Ars Technica article was entitled "<a href="http://arstechnica.com/news.ars/post/20080701-40-of-surfers-dont-bother-with-browser-security-updates.html">40% of Surfers Don't Bother With Browser Security Updates</a>" - for us and all the other people working in risk mitigation, the fact that there are half a billion unpatched browsers out there is one scary fact.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-3706415580737904741 2008-07-01T18:56:00.007-04:00 2008-07-01T19:09:57.881-04:00 Security 101: Locking Down Your Premises<br /><br />Bank Infosecurity's Linda McGlasson has an excellent post over at her site today on what happened during a physical, in-person penetration testing exercise at an (unnamed) financial institution.<br /><br /><a href="http://bp2.blogger.com/_HtZMSRIIa-k/SGq5F2aDWBI/AAAAAAAAAME/nJWSyHGfg6Y/s1600-h/id_smart_badge.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SGq5F2aDWBI/AAAAAAAAAME/nJWSyHGfg6Y/s400/id_smart_badge.jpg" alt="" id="BLOGGER_PHOTO_ID_5218186628417411090" border="0" /></a><br />I have had two discussions this week with CSOs at banks who said they are becoming overwhelmed with similar real-world security problems, like social engineering of their call-center staff and proper checking of vendors and hosting companies at the front desk.<br /><br />The bottom line is that a lot of nice people just want to be nice - and that makes them easy targets for people looking to do "walk-in" style attacks. These nice people need to be better trained to understand that sometimes being nice involves being firm and inflexible.<br /><br />In any case, locking down these vectors is the correct place to start. The correct prioritizing of security efforts involves first locking down the physical premises. 
Putting in place advanced network security is only effective in conjunction with a robust and wide-ranging set of security policies that covers every potential attack vector.<br /><br />Linda's blog can be found <a href="http://blogs.bankinfosecurity.com/posts.php?postID=44">here</a>.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-5905343176599161652 2008-07-01T16:43:00.019-04:00 2008-07-02T17:56:55.856-04:00 Insecurity and the Need for Heroes<br /><br />I was in Lower Manhattan on 9/11 when the planes hit. And as the horrible events of that day unfolded, I, like many other New Yorkers, tried to help.<br /><br /><a href="http://bp2.blogger.com/_HtZMSRIIa-k/SGq0OpbQrRI/AAAAAAAAAL8/B8U9XV8npgQ/s1600-h/685448335_d235db3a12.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SGq0OpbQrRI/AAAAAAAAAL8/B8U9XV8npgQ/s400/685448335_d235db3a12.jpg" alt="" id="BLOGGER_PHOTO_ID_5218181281993501970" border="0" /></a><br />I went first to St Vincent's in Greenwich Village to donate blood, watching as thousands of dust-covered refugees from the City streamed north, past white-coated doctors and nurses who waited in vain beside a line of empty gurneys.<br /><br />Then, once it became clear that blood wasn't what was needed, I headed with a group of other guys over to the docks to volunteer to help dig people out - only to be turned away because they wanted people "with tools and experience" - as in, experience in digging and cutting through steel and concrete.<br /><br />So I went back to the neighborhood - just as the National Guard arrived and started locking everything down, 
from 14th St south to Battery Park.<br /><br />As it turned out, the only heroic act that I managed to perform during 9/11 was the procuring of emergency supplies and the refilling of Kristen Johnson's water cooler (it's a long story). Hardly the stuff of legend. I went to bed - late - deeply unsatisfied with my contributions.<br /><br />Meanwhile, the real heroes became more heroic to us New Yorkers by the day.<br /><br />That afternoon, and for all the next day, and days after that, we would cheer them on from the east side of West St, as the firefighters and cops and construction workers kept digging, looking for "the people in the pictures", as we came to call the missing in the weeks after the tragedy.<br /><br />The experience was unprecedented for me. I'd never felt such insecurity - or been in the middle of a disaster scene before. I had never ever before seen real-life heroes up close, working to save lives - except for doctors and nurses and mothers. This form of heroics - the disaster response - I had no ability to comprehend beyond the obvious sacrifice happening right in front of me.<br /><br />Which brings me to the subject of this blog.<br /><br />In his book "The Black Swan", Nassim Taleb postulates that a forward-thinking, highly placed politician could have prevented the tragedy of 9/11 - by forcing the adoption of laws mandating additional security in the form of terror-proof, secure cockpit doors on aircraft.<br /><br />He then explains that had this additional security been put in place, 9/11 would probably not have occurred, and New York, and the WTC, would have continued much as before.<br /><br />But as Taleb explains, every action has a cost. Imagine the life of our politician as he faces re-election one year after his successful legislation. 
His foresight has, unexpectedly, created a large personal problem: it has resulted in the complete destruction of a whole class of threats.<br /><br />What remains, once the threat of an attack has been removed? The cost. And only the cost. Ask George W. Bush and Dick Cheney.<br /><br />And so it ends with our hero. Taleb's story concludes with our lawmaker - the politician who "prevented" the attack - being turfed out of office for imposing such a ridiculously costly and unnecessary "security burden" on the airline industry, perhaps after the running of an ad campaign explaining how "all that money" could have been "better spent".<br /><br />Taleb's story (originally told to explain the theory of Black Swans, like 9/11) goes a long way to explain why CSOs and their hard-working IT security staff often feel unappreciated.<br /><br />It explains why boards and governments almost never sign up for large-scale security spending. It explains why "adequate amounts of security" and "heroics" will forever be incompatible. It explains why firefighters get depressed and sometimes light fires.<br /><br />It also explains a lot about the security software industry. Analysts and engineers working in antivirus facilities like Authentium's Virus Lab sometimes get frustrated when criminals and hackers get lionized by the press - especially after an all-nighter spent securing the world from the threats those same criminals have created.<br /><br />Taleb's story illustrates why, when insecurity is rife, as it was on 9/11, heroes are needed. But it also explains why, with few exceptions, the names of the most successful folks in the threat prevention business are seldom heard outside of the industry.<br /><br />Because, by improving security, they have killed off the likelihood of threats, and the need for heroes. 
They have made the terrible event go away, before it could occur, and have become invisible as a result.<br /><br />tag:blogger.com,1999:blog-2354977161001391190.post-7729978943552251764 2008-06-27T23:53:00.009-04:00 2008-07-02T10:52:06.134-04:00 Thanks, Bill<br /><br />I read several of the articles this evening describing the departure of Bill Gates from Microsoft, and quite a lot of the commentary.<br /><br /><a href="http://bp0.blogger.com/_HtZMSRIIa-k/SGY114ptUyI/AAAAAAAAAL0/-2iUgesIUeA/s1600-h/uk.reuters.com.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SGY114ptUyI/AAAAAAAAAL0/-2iUgesIUeA/s400/uk.reuters.com.jpg" alt="" id="BLOGGER_PHOTO_ID_5216916418211959586" border="0" /></a><br />While some of it was appropriately complimentary, I thought a lot of it was kind of spiteful and missed the mark. One of the comments that I did see that I agreed with was from Rob Pegoraro of the Washington Post:<br /><br /><span style="font-style: italic;">"...one of the foremost virtues of Microsoft's operating systems has been the staggering variety of third-party programs available for them."</span><br /><br />Pegoraro is correct. 
This really is Gates' legacy at Microsoft: unlike the Apple world, which until very recently was a (relatively) closed environment, Gates created a non-Jobsian world in which we all got to write software and compete with each other.<br /><br />Yes, there's that whole monopoly situation that happened, but for all the word processing companies that were put out of business, there are a bunch of other software developers - including several extremely large companies - that would not (could not) have existed without the hobbyist approach taken by Gates and Allen.<br /><br />For anyone interested in these *real* early days of Micro-Soft (when it was three employees - Gates, Allen and Davidoff - and still had a hyphen), check out the text of the <a href="http://www.digibarn.com/collections/newsletters/homebrew/V2_01/gatesletter.html#gatesletter">letter</a> written by then-hobbyist Gates pleading with hobbyists to pay him and Allen royalties for BASIC so they could "hire ten programmers and deluge the hobby market with good software".<br /><br />Like the shareware/hobbyist generation of developers he helped get started, he lists his apartment as the suggested drop point for donations - 1180 Alvarado SE, #114, Albuquerque, New Mexico, 87108.<br /><br />Did Microsoft simply do a better job of engaging the user? Or did convenience (and bundling, as in Office) win the day? The release of Firefox 3 may settle once and for all the question of whether better design (and investment in innovation) eventually wins out over time.<br /><br />For me, the most interesting aspect of Gates is not his company but the approach he is taking to deploying his wealth. He and his wife are doing some pretty remarkable things around the world, and are, unlike many organizations, attempting to deploy their money in ways that will ensure the bulk of it is used efficiently.<br /><br />I think a century from now, Microsoft will almost certainly no longer exist. 
Gates' wealth distribution - and the results of his actions in this area - will be his lasting legacy.John C. Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-60104026737413680472008-06-27T22:52:00.011-04:002008-06-27T23:45:40.478-04:00Internet DNS Root Managers AttackedIn the past hour, various news outlets have reported that visitors to the web sites of ICANN (the Internet Corporation for Assigned Names and Numbers) and IANA.org, the Internet Assigned Numbers Authority, have been redirected by a Turkish hacker group calling itself "NetDevilz".<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_HtZMSRIIa-k/SGWquA8QcrI/AAAAAAAAALk/i6PfYKEowQo/s1600-h/iana.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_HtZMSRIIa-k/SGWquA8QcrI/AAAAAAAAALk/i6PfYKEowQo/s400/iana.png" alt="" id="BLOGGER_PHOTO_ID_5216763450882028210" border="0" /></a><br />According to the New York Times, users visiting the sites of the above organizations were re-routed to a domain called "atspace.com" and greeted by the message <span id="articleBody">"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"</span><br /><br />This is obviously *not* good news. These two organizations coordinate the root of the DNS (Domain Name System), which translates the names you type into your browser's address field into the IP addresses your browser actually connects to (e.g. 
www.google.com).<br /><br />When attackers "poison" DNS records in the way they did today, their intention is most often to take your request for the web site of a bank and redirect it to a site "dressed up" to look like your bank.<br /><br />This is usually called a "DNS poisoning" or "pharming" attack, and the points of attack are usually much closer to your PC: the local hosts file, your cable router, the DNS server at your ISP - in short, places relatively close to home.<br /><br />An attack on the root of the DNS would be of a different magnitude entirely. Rather than re-routing a single request, or a group of requests from one user, a prolonged attack at the root could redirect requests from users everywhere - with potentially very harmful effects if the rerouting were to target banking or financial systems, or government addresses.<br /><br />I'm frankly amazed that attacks of this nature are still possible at organizations like this. To me, the attack, labeled a "cyberprank" by some news organizations, is anything but a cyberprank. A quieter hack involving manipulation of records for financial gain or terrorism could have created quite a different story.<br /><br />DNS security is an often overlooked requirement and something that almost no security software suites provide an answer for.<br /><br />When we were designing the core concepts for <a href="http://www.safecentral.com/">SafeCentral</a> at Authentium, one of the requirements that I added to the service early on was that every DNS request generated by the user should be sent to a secure infrastructure for resolution - rather than into the non-secure DNS system as it currently exists. 
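<br /><br />Of the attack points listed above, the local hosts file is the easiest to check. What follows is an added example, not SafeCentral code or any part of Authentium's product: a small Python audit that parses a hosts file the way the resolver reads it and flags any watch-listed sensitive site the file pins, whether to a remote address (a redirect of the kind PC Magazine tested) or to loopback (a silent block). The watch-list, the sample hosts text and the 203.0.113.x address are constructed for the example.<br /><br />

```python
import ipaddress

# Constructed watch-list of names whose resolution must never come from the
# local hosts file. In practice this would be the user's banks and other
# sensitive sites; these names are illustrative, not SafeCentral's list.
WATCHLIST = {"www.pcmag.com", "www.examplebank.com", "online.examplebank.com"}


def parse_hosts(text):
    """Parse hosts-file text into a list of (ip_address, [hostnames]).

    Handles '#' comments, blank lines, tabs, several names on one line and
    IPv6 addresses; lines whose first field is not an address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [name.lower().rstrip(".") for name in fields[1:]]
        entries.append((ip, names))
    return entries


def find_overrides(entries, watchlist=WATCHLIST):
    """Return one finding per watch-listed name present in the hosts file.

    Any such line is a finding: a mapping to loopback/unspecified silently
    blocks the site, anything else redirects it to an address of the
    attacker's choosing.
    """
    watch = {w.lower().rstrip(".") for w in watchlist}
    findings = []
    for ip, names in entries:
        for name in names:
            if name not in watch:
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({"host": name, "ip": str(ip), "kind": kind})
    return findings


def audit_hosts_text(text, watchlist=WATCHLIST):
    """Parse and audit in one call; returns the list of findings."""
    return find_overrides(parse_hosts(text), watchlist)


# Constructed sample: legitimate local entries, one reviewer-style redirect
# of www.pcmag.com to a documentation-range address, one silent block of a
# bank login host, and a commented-out line that must be ignored.
SAMPLE_HOSTS = """\
# header comments in a stock hosts file are ignored
127.0.0.1\tlocalhost
::1        localhost
192.168.1.20 nas.home   # home NAS, not a finding
203.0.113.5  www.pcmag.com pcmag.com
0.0.0.0      online.examplebank.com
# 203.0.113.9 www.examplebank.com
"""

if __name__ == "__main__":
    for finding in audit_hosts_text(SAMPLE_HOSTS):
        print(f"{finding['kind']:10} {finding['host']} -> {finding['ip']}")
```

<br /><br />On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts; read it and hand the text to audit_hosts_text. This is detection after the fact: malware that can write the hosts file can also tamper with a check that runs on the same machine, which is exactly why resolving names through an infrastructure the local file cannot influence is the stronger design.<br /><br />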
We've since added additional security methods to ensure that these DNS requests reach the right destinations.<br /><br />Today's attack shows why such diligence is necessary - and why the Internet remains a somewhat unpredictable and non-secure environment - and why you should use the best security possible when banking or transacting online.John C. Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-76806907432170555582008-06-22T12:10:00.016-04:002008-06-22T23:01:46.930-04:00The Non-Innovator's Dilemma"The Innovator's Dilemma" refers to the value-reducing situation that arises when a company decides not to innovate, and chooses instead to focus on merely sustaining its existing products and processes.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_HtZMSRIIa-k/SF6SYlAmz9I/AAAAAAAAALc/Xk7s2RAjHU4/s1600-h/innov.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SF6SYlAmz9I/AAAAAAAAALc/Xk7s2RAjHU4/s400/innov.png" alt="" id="BLOGGER_PHOTO_ID_5214766369490784210" border="0" /></a><br />This phrase was first introduced by Clayton M. Christensen in the best-selling book of the same name. However, I personally think the title doesn't provide an accurate description of the situation.<br /><br />I would have gone with "The Non-Innovator's Dilemma". Yes, it's less catchy, but it potentially better reflects what actually goes on inside a company populated by both innovators (who are typically not managers) and managers (who are typically not innovators).<br /><br />First of all, some definitions. 
The word 'dilemma' comes from the Greek "di" (meaning two) and "lemma" (a premise or proposition, itself from "lambanein", "to take", as in choosing a path). Not every decision results in a dilemma. A dilemma only occurs when the choice becomes difficult, and the decision process becomes prolonged. Dilemmas last only as long as the decision-making process.<br /><br />"Innovation" usually involves a new or novel approach to solving a problem - i.e. the invention of the telephone solved the need for inter-personal communication, the automobile solved the need for inter-home transportation, the assembly line solved the need for mass-production (in the face of mass-demand), and the advertiser-supported search engine enabled advertisers to place targeted advertisements in front of users via the Internet.<br /><br />Innovations are often termed "disruptive technologies" because they "disrupt" the markets they enter, displacing older technologies (hello TV dinner, goodbye home-cooked meal) and creating new disruptive manufacturing processes (and new marketing channels, markets and support systems) in the process.<br /><br />Because true innovators are usually future-aware and focused on the potential value of their innovation, they rarely find themselves in any kind of dilemma at all when it comes to plotting the company's forward path. To them, the reason for the disruption they are proposing is obvious, and the value of their tinkering and suggested changes abundantly clear.<br /><br />The real dilemma usually starts when the non-innovative decision-maker, typically a manager of the type produced by the various business schools, is forced into a room with an innovator and asked (by the innovator) to change his capital allocation budget or the course of the company, either slightly, or in a very disruptive way.<br /><br />It is this executive, not the wild-eyed innovator/developer, that now faces the true dilemma. 
Depending on the scope of the new idea, the challenges the manager faces in making a choice whether or not to pursue the disruptive innovation may be enormous, and involve every facet of the corporation's life. Here's an imaginary summary of half a minute's worth of his/her brain activity upon hearing about this new approach:<br /><br /><span style="font-style: italic;">"I have 'x' amount of capital. I have made firm commitments to my investors as to what our existing product will produce in terms of an ROI (return on investment) for the next three years.<br /><br />"The cost of ripping up my business plan, disrupting my staff, recruiting new experts, reinventing my processes and legal forms, retraining my sales and support networks, pitching new customers on the new idea, refocusing my development team, and repositioning us in the market is going to be enormous...<br /><br />"Not to mention the cost of emptying my warehouse/servers of all that old product/code and upgrading customers and the potential liabilities of sunsetting that business - this is going to require me to spend hours engaged with board members and lawyers and other executives and require me to rewrite the budget, and..."</span><br /><br />Faced with these kinds of challenges, many executives will just politely tell the innovator "let me think about it", and back away from the table. 
Or, if they can't articulate these feelings to this basic level, they may instead decide to say something along the lines of:<br /><br /><span style="font-style: italic;">"You damn guys are the *exact same team of guys* that asked me for millions of dollars to come up with the product that we're shipping *right now* - and now you're saying that it isn't good enough?!"</span><br /><br />Sometimes, a decision-maker will listen and respond in cool fashion to disruptive ideas with this time-honored answer - "prove to me that a market exists for this innovation."<br /><br />In response, the innovator will often mention that the inventors of the car, Coca-Cola, canned food, the radio, the television, PCs, Kool-Aid and Guitar Hero were all unable to show that a market existed for their innovations - until after they were released.<br /><br />Which brings us to the dilemma.<br /><br />The imagined scenarios above are, of course, gross simplifications. But regardless of the relative complexity (or not) of the events that lead up to the decision point, it is at the decision point that the non-innovator's dilemma actually begins.<br /><br />Will the non-innovative decision-maker choose merely to sustain the existing business? Or get in behind the disruption/innovation? (It should perhaps be pointed out that at the moment the executive makes the decision in favor of disruptiveness, he is no longer a non-innovator, but has joined the ranks of the innovators - maybe Clayton has the right title after all.)<br /><br />I am lucky enough to work with a smart bunch of guys at Authentium, both on the board and in management, that understand that disruptive technologies - like SafeCentral - are sorely needed in the security software space. 
But many other inventors and innovators aren't as lucky - which means their companies won't be as "lucky" either.<br /><br />Nassim Taleb, author of The Black Swan, suggests that businesses succeed only when they create environments within which "aggressive trial and error" is tolerated - and he goes further to suggest that only with "endless tinkering" can innovative companies get "lucky" and deliver to stockholders the future Black Swans/Googles of the business world.<br /><br />I think he's right. Interestingly, when you look at shareholder growth, it is the tinkerers that make for a good long-term bet - Bell (Bell), Marconi (Marconi), Edison (GE), Ford (Ford), Jobs (Apple), Page and Brin (Google) all returned huge multiples to their investors.<br /><br />In fact, several studies have shown that public companies led by an entrepreneur/tinkerer (i.e. Steve Jobs at Apple, or Fred Smith at FedEx) grow 8% faster year on year than companies led by a non-tinkerer. One more myth exploded.<br /><br />Speaking of myths, in addition to the excellent Nassim Taleb (who causes me to wear a permanent wry smile while reading), I would recommend Scott Berkun's book "The Myths of Innovation".<br /><br />Berkun does a great job of debunking the stereotypes associated with the typical inventor-genius and provides instead an overview of the kind of hard work - and tinkering - that has always been required to create a successful new product.John C. 
Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-38459102519314316692008-06-19T09:22:00.006-04:002008-06-19T09:37:18.275-04:00SafeCentral "Free Trial Version" LinkA couple of you wrote in yesterday asking for the download link for the "free trial version" of Authentium SafeCentral.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_HtZMSRIIa-k/SFpgTHdiTLI/AAAAAAAAALU/ZxLBAjW0I7E/s1600-h/newsite.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SFpgTHdiTLI/AAAAAAAAALU/ZxLBAjW0I7E/s400/newsite.png" alt="" id="BLOGGER_PHOTO_ID_5213585400171482290" border="0" /></a><br />Rather than bury this response in the "Comments" section... the "free trial version" link is the same as the main link I quoted in the blog: <a href="http://www.safecentral.com/">http://www.safecentral.com</a><br /><br />Just head over there, enter your email address, and the download should start immediately. That's all there is to it.<br /><br />Note: kudos to Daniel Sullivan of <a href="http://www.konceive.com/">Konceive</a>. The new SafeCentral site design looks really nice, Dan.John C. Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-73313928888044354772008-06-18T07:35:00.012-04:002008-06-18T19:23:48.581-04:00Gpcode and the "Long Tail" of RansomwareMany years ago, when I used to work in parts of the world that were considered unsafe (e.g. 
Washington D.C.), I was sent by my former employers to a day course on "kidnapping and ransom insurance" so I would know what to tell my abductors if I were ever bundled into a stolen SUV, tied up with coarse ropes, and held for ransom in a damp basement somewhere.<br /><br />(Note to any would-be potential kidnappers - the policy I'm referring to above lapsed over a decade ago. Please take me off your list.)<br /><br />Aside from the surge of vanity that came over me at the thought that I might be of value to a kidnapper, one of the other things that struck me as strange during this briefing was that their instructions went against everything I'd ever seen in a movie.<br /><br />In fact, what my instructors advised me to do was this: be boring. Do *not* try to be a hero and/or try to escape (this was, according to them, when most injuries/deaths happen). Tell the kidnappers the dollar amount you're insured for - and hand them the phone number of your insurance company (this was conveniently printed for me on a plastic-coated, wallet-sized card).<br /><br />I was to do zero negotiating myself - they were adamant about this. It was critical to tell the kidnappers the correct dollar amount. It needed to match the dollar amount the kidnappers would hear upon calling the insurers.<br /><br />According to these guys - who, despite the apparently exciting nature of their work, were insurance salesmen - having this "fixed value" would be helpful in reducing the time in captivity and the phone number/trusted party would keep me alive.<br /><br />Not only would it reduce the "back and forth" of negotiations, and allow everyone to get back to a happy place (i.e. home/the jungle) faster, it would reduce the possibility of a "long tail" - which is the (belated) subject of this blog.<br /><br />What is the "long tail", in kidnapping terms? 
That's what happens when your distressed wife empties out your bank accounts, then drives to the allotted meeting point under the train tracks on 10th Avenue at midnight, expecting to see your bloodied and battered face in the headlights - only to be told by the kidnappers "we want more".<br /><br />I could keep telling this story, but you can probably see where this is going. The first demand was simply the start of a very long process of wringing every last dollar out of the "channel" - in this case, the distressed spouse, her family, your family, your employer. This, dear reader, is the "long tail" of kidnapping. And this, unfortunately, is also what occurs in the kidnapped home computer version of our story.<br /><br />By now, everyone has probably heard of "ransomware" - the kind of malware that somehow gets onto your c: drive, encrypts your data using strong encryption, then asks you to buy a "key" to unlock it.<br /><br />Failure to buy the key, the hackers warn, will cause your data to be "publicly released" (almost always a bogus claim, because they don't have the server space to store your 80 gigabytes of downloaded videos, along with everyone else's).<br /><br />Alternate claims include the threat that your personal data will be permanently deleted on date "x" (also bogus - because most of these programs don't include a "delete" function), or rendered "permanently inaccessible" (unfortunately, probably true).<br /><br />You may have also heard via the media that there is a new version of this form of malware, identified last week by Kaspersky as the "Gpcode.ak virus", that will wrap your personal data up into a ball and then encrypt it using a 1024-bit RSA key.<br /><br />How much protection does a 1024-bit RSA key give the attacker? A lot. Guessing the key is out of the question, and the only other route - factoring it - is beyond anything that has ever been done in public. 
The largest general number of the RSA kind that has been publicly factored, as of this writing, is 663 bits long - RSA-200, in 2005 - and that took a team of academics months of computing. No 1024-bit RSA key has ever been factored.<br /><br />What this all means is that unless you can get your hands on the key (or find some flaw in the implementation of the encryption mechanism, which is what Kaspersky is attempting to do, in partnership with other security firms), your data is staying locked up. Which leaves you with a stark choice: Either give up on your data permanently, or pay the ransom demanded by your kidnappers.<br /><br />My advice? Do *not* pay the money.<br /><br />Yes, I know - this contradicts my opening story. But in the real world example that I provided above, an entire industry has gone to work to understand the myriad factors at work when a real-world kidnapping is committed, and has determined that the best course of action is a one-time payment, negotiated via experts, and executed via a trusted party.<br /><br />In the case of ransomware, or the kidnapping of your computer data, no such trusted party exists, and there is no guarantee that the first payment isn't simply the start of a "long tail" that could get extremely ugly.<br /><br />How long? How ugly? Well let's look first at the payment mechanism - do you really want to give these hacker/ransomware guys a credit card? Do you really think they'll just ding it once and send you a receipt? Of course not.<br /><br />Sure, you could potentially bypass that problem by using a prepaid debit card purchased from that nice lady at the mall - and you could potentially have them send you the key to a free email account you'll use only once - but what if they send you an executable? 
Do you think it will just install and magically unlock all that personal data that has been sewn up and then uninstall and you'll never hear from the hackers ever again?<br /><br />Talk about a "long tail" - when I think of all the possible things that their "data unlocking" executable might include, and could do to your credit, your bank accounts, and your PC over time (please see yesterday's post on Man in the Browser attacks for one example), it makes buying a new PC look like a cheap option.<br /><br />Which brings us to the happy ending: the reason that ransomware has yet to become a plague on the computing subset of humanity is that most folks, by the time they get set to enter their credit card or unlock their data using the "unencrypt" package they just received via Hotmail, have cycled through the above options, made the right call, and said "goodbye" to their data.<br /><br />That's what you should do too.<br /><br />ADVICE #1: PC users have one excellent option available for thwarting potential hostage takers that unfortunately doesn't exist in the real world: it's called "data backup". If you haven't already reached for your backup drive after reading this, now would be an excellent time to do so. One backup a day - with at least one copy kept disconnected from the PC, since a backup drive that is plugged in when the malware runs is just another drive full of files to encrypt - and you'll never feel like a victim. Easy.<br /><br />ADVICE #2: Since I wrote this, Kaspersky has posted a happy ending of their own - a free utility based on Christophe Grenier's PhotoRec utility that Kaspersky claims will restore data and file paths erased by Gpcode. You can get it <a href="http://www.softpedia.com/get/System/Back-Up-and-Recovery/StopGpcode.shtml">here</a>. It works because Gpcode writes the encrypted copy to a new file and deletes the original rather than wiping it in place, so the original data can often be carved back off the disk until something overwrites it. Kaspersky suggests that users who have suffered from Gpcode <a href="http://www.cgsecurity.org/wiki/Donation">donate</a> to the author of the PhotoRec utility rather than pay cybercriminals. I agree.<br /><br />Note: Don't count on this fix working the next time - it is going to get harder as the Gpcode versions get higher. 
Back that data up!<br /><br />ADVICE #3: A final piece of advice: make sure your browser disallows "drive-by downloads" - or downloads from unknown or non-trusted sources - so you can avoid getting hit by Gpcode and its clones at the outset. The best solution in this area is Authentium's very own <a href="http://www.safecentral.com/">SafeCentral</a>.John C. Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-31062223461468007272008-06-17T23:25:00.011-04:002008-06-18T10:12:14.493-04:00First Amero, Then Fiola, Then...You'd think after the mess created by the prosecution of the Julie Amero case in CT, State Prosecutors (and employers) in nearby North Eastern states (e.g. MA), might have become a little more informed as to the myriad ways in which "bad content" can find its way onto a computer - other than via the hand of the computer user.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_HtZMSRIIa-k/SFiHrUx3flI/AAAAAAAAALM/cJVv7oEidF8/s1600-h/100px-Seal_of_the_State_of_Massachusetts.svg.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SFiHrUx3flI/AAAAAAAAALM/cJVv7oEidF8/s400/100px-Seal_of_the_State_of_Massachusetts.svg.png" alt="" id="BLOGGER_PHOTO_ID_5213065747063340626" border="0" /></a><br />Apparently not. 
Anthony Fiola, a 53-year-old MA resident (and a former accident investigator with the Department of Industrial Accidents - tell me *that* isn't irony), is the latest guy to be told to clean out his desk and frog-marched from his former employer's offices <span style="font-style: italic;">a la Amero</span> after a search of his laptop revealed porn on the computer.<br /><br />And because this story is now out there, you know it didn't stop there. After a forensic investigation by the State, Fiola was charged with downloading "unauthorized content" onto a laptop he was given by his former organization's IT department and sent up for trial - a series of events that led to Fiola losing his paycheck, his insurance, and his employment benefits.<br /><br />Although most friends deserted Fiola, his wife did not. Fired up, she hired a lawyer and the lawyer hired an independent expert. And as a result, Fiola became the second person to be saved from jail time for an act he most probably did not have anything to do with.<br /><br />Memo to MA state computer crime detectives and consultants: Guys, the kind of spyware that causes this stuff is rife, and well-documented (check out <a href="http://sunbeltblog.blogspot.com/">Alex Eckelberry's site</a> over at Sunbelt Software for some great analysis and commentary on the Julie Amero case, or Authentium's very own <a href="http://blogs.authentium.com/virusblog/">Robert Sandilands</a> for more technical analysis).<br /><br />In any case, maybe it's time that state forensic experts also started relying a little less on one piece of fairly well-discredited forensic analysis software. 
You all know the application I'm talking about.<br /><br />Anyway, for those wishing to get mad at the world (and at over-eager state prosecutors) all over again, PC World has a very well-researched article on the Fiola story <a href="http://www.pcworld.com/businesscenter/article/147213/a_misconfigured_laptop_a_wrecked_life.html">here</a> that I couldn't hope to embellish or improve. It's told by Fiola in his own words, and it's pretty candid, and pretty darn sad.<br /><br />If this guy's a liar, I'll eat this blog.John C. Sharphttp://www.blogger.com/profile/16042907350947048745noreply@blogger.comtag:blogger.com,1999:blog-2354977161001391190.post-61811854137607991362008-06-16T22:16:00.028-04:002008-06-17T22:08:13.290-04:00Man in the Browser Attacks - Worse Than Viruses?The problem with computer security terminology is that while some forms of attack sound appropriately nasty, some of the emerging forms of malware sound more like cartoon characters than serious threats. Take, for example, the "Man in the Browser" attack.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_HtZMSRIIa-k/SFglSm_deLI/AAAAAAAAALE/9c39XZZ7rV0/s1600-h/alert.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_HtZMSRIIa-k/SFglSm_deLI/AAAAAAAAALE/9c39XZZ7rV0/s400/alert.png" alt="" id="BLOGGER_PHOTO_ID_5212957570315942066" border="0" /></a><br />The idea that a computer can become "infected" with a virus, or piece of self-replicating malicious code, is universally understood as "bad", because the analogy is fairly straight-forward, and viruses are universally bad things.<br /><br />But the idea of using CPU cycles to replicate viruses is considered pretty old-hat these days. 
Most criminals think it better to use your CPU to process transactions, or ship online banking credentials.<br /><br />In fact, that's all they think about. Today's villains don't spend their time figuring out how to open your CD tray remotely or clog up your memory - they spend their time engineering ever-smarter ways to get their hands on your money.<br /><br />So while virus-like behavior can sometimes still be helpful, the model for emerging attacks is no longer the infectious agent. Today's model is the "secret agent", or "snitch". Criminals are now focused on placing their malware in line with your transactions.<br /><br />Which explains why the focus - and the battleground - for security threats and preventative measures alike is now your browser.<br /><br />Your browser acts as the central interface for almost every transaction on the internet. Browsers are relatively simple creatures - over ten years, they have evolved to simply render the code passed to them into "pages" of text and images, forms, flash objects, popups, and javascript alert boxes, among other things.<br /><br />When you make a request to your bank, via your browser, both you and the bank's server are saying to your browser, "render this". 
Unfortunately, your browser can sometimes prove to be a little too obliging.<br /><br />Man in the Browser (MITB) attacks have been around for several years, but have recently begun receiving more attention because of their (now proven) ability to thwart the additional security that was supposed to be provided by expensive two-factor authentication devices, including physical tokens.<br /><br />Talking to an authentication token salesman about "challenges" used to invoke funny stories about pocket-lint and what happens when tokens accidentally go through the wash, or end up at the cleaners, or in the hands of valet parking attendants.<br /><br />This is no longer the case - most two-factor token sales reps are now extremely aware of the limitations of these devices - and somewhat nervous about the future of their industry. In the past two months, several large banks - including Abbey and HSBC - have announced rollbacks of these programs.<br /><br />If you're a two-factor authentication user, you should be nervous too. Because those sleek black physical security tokens with the gorgeous flashing red LED readouts are fairly easily bypassed by malware sitting inside the browser, helped along by some pretty standard social engineering. Read on.<br /><br />The "hack" looks like this: You head on over to your bank's site, and tab into the wealth management portal. You enter your user name and pull out your expensive, clock-based, two-factor authentication token. You turn it on and key the one-time code it displays into the site.<br /><br />What happens next varies, according to the criminal's MO, and the type of malware installed on your machine. 
But typically, as your page is being rendered, a piece of software now resident in your browser (that you - or your teenage daughter - previously installed because the video you were watching said "you need a new video codec") wakes up and inserts a few additional lines into the code - maybe five lines of javascript - an alert box, a timer function, and maybe some in-page content - and sends a message to a hacker, far far away.<br /><br />What happens next looks perfectly normal. Upon loading, the alert box pops up - something like the dialog box pictured above - and says "Server synchronization in process... please be patient", accompanied maybe by a nice animated GIF in the bank's colors.<br /><br />Except at that moment, as you sip your coffee and watch the seconds pass, secure in the knowledge that these sophisticated systems and occasional waiting periods are the "price of modern security", a hacker somewhere is receiving a timely message that you have started an authenticated session and are ready to transact, using the credentials contained in the message. At which point, he can simply log in as you.<br /><br />Now this doesn't happen every time. Sometimes, the hackers choose to wait, secure in the knowledge that this capability will be there many sessions into the future, and that at some future point an increased account balance may make it more worthwhile to have waited.<br /><br />And sometimes, the crimeware is configured to allow the hacker session to kick in when you "log out" (was that really the bank's "log out" screen that you just saw? Really?)<br /><br />As the guys in our labs are quick to point out, there are many variations on the MITB theme, most of them horrible, and well-funded. 
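<br /><br />The "synchronization" stall above is the heart of the trick, and it is worth pinning down with code why the token does not save you. The following is an added example - not SafeCentral code and not any bank's login logic: it implements the RFC 6238 TOTP algorithm behind clock-based tokens (checked against the RFC's own test vectors), adds the server-side rule that each code may be used for exactly one login, and replays two constructed sessions. The secret is the RFC's test key; the timestamps and the two client addresses are made up.<br /><br />

```python
import hashlib
import hmac
import struct

STEP = 30  # time step in seconds used by most clock-based tokens (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low 'digits' decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // STEP, digits)


class LoginGuard:
    """Server-side one-time-code check (an assumed policy, not any bank's):
    a code is valid within +/- one step of the server clock, and the step
    it belongs to can be used for exactly one successful login."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.used_steps = set()   # counters whose code has already been accepted
        self.audit = []           # (unix_time, client_ip, outcome)

    def login(self, code: str, unix_time: int, client_ip: str) -> str:
        now = int(unix_time) // STEP
        outcome = "REJECT_BAD_CODE"
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_steps:
                    outcome = "REJECT_REPLAY"   # this code has been used before
                else:
                    self.used_steps.add(counter)
                    outcome = "ACCEPT"
                break
        self.audit.append((int(unix_time), client_ip, outcome))
        return outcome


# Constructed data: the RFC 6238 test secret, a fixed clock, and two
# made-up addresses standing in for the victim and the attacker.
SECRET = b"12345678901234567890"
T0 = 1_213_700_010
VICTIM, ATTACKER = "198.51.100.7", "203.0.113.42"


def replay_scenarios():
    """Returns the outcomes of two sessions, each as [first login, second login]."""
    code = totp(SECRET, T0)   # what the victim reads off the token

    # 1) Victim submits first; the malware forwards the code and the attacker
    #    tries it 20 seconds later. The one-use rule refuses the replay.
    guard = LoginGuard(SECRET)
    victim_first = [guard.login(code, T0, VICTIM),
                    guard.login(code, T0 + 20, ATTACKER)]

    # 2) The malware stalls the victim behind a fake "synchronization" dialog
    #    and forwards the code immediately. The attacker logs in first and it
    #    is the victim's own submission that gets refused.
    guard = LoginGuard(SECRET)
    attacker_first = [guard.login(code, T0 + 5, ATTACKER),
                      guard.login(code, T0 + 20, VICTIM)]
    return victim_first, attacker_first


if __name__ == "__main__":
    for label, outcomes in zip(("victim first", "attacker first"), replay_scenarios()):
        print(f"{label:15} {outcomes}")
```

<br /><br />The one-use rule is worth having (it is what RFC 6238 asks of verifiers, and it closes the "use it later" variant), but the second scenario is the point of the post: malware that sits between you and the submit button decides who reaches the server first, so a code that merely proves "someone had the token a moment ago" is not enough. The code has to be bound to what is being authorised, which is a property of the session and the transaction, not of the token.<br /><br />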
In some instances, MITB malware is programmed to decrypt and load only when the user requests content from a particular bank (this is apparently a common approach right now in Brazil).<br /><br />The bottom line is this: no matter what you see going on during your session, if you see something "different" or unexpected happening during your online banking session, close your browser immediately, and call your bank or online broker.<br /><br />Most online banks are exceedingly good at *not* changing things within their UI - because their user interface designers know that changes make users nervous. So if you see something new, like an alert box, please don't assume that the bank has changed their policy. This almost never happens.<br /><br />Luckily, this story does have a happy ending. For a solution to the above conundrum (at least one that doesn't involve getting in your car and going to the branch), check out some of my previous posts on <a href="http://www.safecentral.com/">SafeCentral</a> - an end-to-end secure session technology that stops MITB attacks from happening in the first place.<br /><br />I strongly recommend that you download and use this protection - regardless of how sophisticated your authentication token may appear to be. It's free, and <a href="http://www.cnbc.com/id/25078058/">it works</a>.John C. 
Sharp<br /><br />Cuomo's Surprising Victory Against Child Porn (posted 2008-06-10)<br /><br />Today, the news broke that several major ISPs have reached an agreement with NY Attorney General Andrew Cuomo to block child porn sites from their networks.<br /><br /><a href="http://bp0.blogger.com/_HtZMSRIIa-k/SE8wJtjRBsI/AAAAAAAAAK0/7cFErAfiUcw/s1600-h/20070201cuomo.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SE8wJtjRBsI/AAAAAAAAAK0/7cFErAfiUcw/s400/20070201cuomo.jpg" alt="" id="BLOGGER_PHOTO_ID_5210436237295421122" border="0" /></a><br />The Attorney General didn't act directly against the ISPs, or try to break new legal ground in the State Legislature - instead, Cuomo and staffers dove into service level agreements provided by the ISPs to customers, and looked for clauses obligating the ISPs to act in instances where child porn was reported by customers.<br /><br />And when the ISPs didn't act when consumers called in, in accordance with their SLAs ("service-level agreements"), the Attorney General took them to court, on behalf of the "wronged" consumers, and extracted a settlement.<br /><br />In the settlement announced today, the ISPs - Sprint, Verizon and Time Warner - agreed to pony up over a million bucks to help fund further efforts to stamp out child porn, which will fund a few salaries over at the excellent National Center for Missing and Exploited Children.<br /><br />The ISPs are also obligated to "search and report". According to one news source:<br /><br /><span style="font-style: italic;">The investigators identified a total of 88 newsgroups that were distributing child porn; the ISPs have agreed to block access to all of them. 
The AG's office has also created hashes for over 11,000 images they have identified, and the ISPs have pledged to scan the websites they host for items matching those hash signatures.</span><br /><br />John C. Sharp<br /><br />Firefox v3: Exciting but Incomplete Security (posted 2008-06-09)<br /><br />Make no bones about it: the Firefox version 3 release is the first software application download that I've looked forward to in years.<br /><br /><a href="http://bp2.blogger.com/_HtZMSRIIa-k/SE3TxvZF7QI/AAAAAAAAAKs/8eIkkF1FlRY/s1600-h/Firefox-3-Beta-04.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SE3TxvZF7QI/AAAAAAAAAKs/8eIkkF1FlRY/s400/Firefox-3-Beta-04.jpg" alt="" id="BLOGGER_PHOTO_ID_5210053195426295042" border="0" /></a><br />Firefox 3 is, for me, the first really user-friendly browser. As Google knows, but no one else cares much to admit, an awful lot of consumers currently go to Yahoo by typing "Yahoo" into the search field, rather than the address bar.<br /><br />Firefox is potentially changing the game by moving all of this "action" into the address bar, and matching previous site requests and paths with keywords.<br /><br />The new Firefox address bar is screamingly intuitive (want to find that weather site you went to three days ago? 
Firefox will pull up everything with "weather" in its path when you type "weather" into the address bar.)<br /><br />Wow.<br /><br />On other issues, the security stuff is really nice-looking, and the integration with VeriSign EV is very tasty as well. But "Larry" the Firefox security icon (actually described as a "customs agent" on their site) may actually end up setting up users for a "cavity search"...<br /><br />The problem with solutions that look after just one small piece of the problem is that you end up facing the "armored Humvee problem" recently described to me by a "security logistics expert" over lunch in Kuwait.<br /><br />This problem is, in short, that all defenses are "weapons-specific". No amount of armor on a Humvee will stop the most recent insurgent IED innovation - a shaped charge that turns a sheet of copper into a molten fireball that can burst through any amount of armor.<br /><br />While the consequences are nowhere near as serious, software/browser designers face the same issue.<br /><br />The changes to Firefox, while welcome, have modified the "armor" of Firefox without taking into account the massive changes that have taken place in the area of weapon development by the insurgents of the Internet world - the identity thieves and online criminals.<br /><br />As sexy as it looks, and as welcome as it will be to lots of users, Firefox 3 unfortunately lacks armor in several places where armor is most needed. 
As such, it will not present a barrier to serious intruders looking to steal data.<br /><br />To really operate a defense, the user needs to have everything locked down in the DNS request chain, everything locked down in the OS, and all malware, including any horrible zero-day keyloggers and screen-capture devices already on the PC, needs to be rendered harmless.<br /><br />As for the message above ("Your connection to this web site has been encrypted to prevent eavesdropping"), don't get me started on the many ways this <span style="font-style: italic;">tells users the wrong thing</span>.<br /><br />SafeCentral (the next version of which will incorporate Firefox 3, including the FF3 address bar), and the SafeCentral Secure DNS Service, together plug virtually all of the security holes that I just talked about. V3 will be available mid-July.<br /><br />The downside? None.<br /><br />You were going to download Firefox v3 anyway, right? ;-)<br /><br />John C. Sharp<br /><br />The Buzz on SafeCentral (posted 2008-06-03)<br /><br />Internally at Authentium, the story about SafeCentral is well-known. 
But now a buzz is building to match the story - a buzz that is a lot of fun to be part of.<br /><br /><a href="http://bp3.blogger.com/_HtZMSRIIa-k/SEYH2-CUp8I/AAAAAAAAAKk/QVUh_5fMJRg/s1600-h/sc.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_HtZMSRIIa-k/SEYH2-CUp8I/AAAAAAAAAKk/QVUh_5fMJRg/s400/sc.jpg" alt="" id="BLOGGER_PHOTO_ID_5207858660047628226" border="0" /></a><br />The story I just referred to is just part of a path we've been on for many years now. As a company, our developer team has been building security software and serving up virus definition files for more than seventeen years.<br /><br />In 1992, we released the world's first professional antivirus product (F-PROT Professional), a technology that many IT administrators still remember fondly - and still buy from us.<br /><br />This technology incorporated some of the first, and eventually the best, anti-malware heuristics - a sophisticated set of technologies that was first brought to bear against the LoveBug virus back in the nineties, and has gone on to protect the customers of several software industry leaders, under multiple OEM deals, from thousands of threats since.<br /><br />But the real story that is emerging currently is the story of what defensive technologies will look like in the emerging world of predominantly zero-day threats - a world in which even the very best reactive technologies can't stop hackers from stealing personal data, online banking tokens, or whole identities.<br /><br />When our technologists first came up with the unique approaches to securing personal computing environments, now productized as SafeCentral (previously VirtualATM), we were lucky enough to have backers and directors who recognized that our approach was potentially game-changing.<br /><br />These guys voted to fund an approach that would be utilized to provide real-time protection, regardless of the amount of malware a consumer might have on their PC. These guys provided us with the cash and the support we needed to get to this point, based on an understanding that the game is starting to change: reactive risk management solutions are within five to ten years of failing their SLAs. Proactive risk management solutions are required in order to ensure businesses and consumers are able to continue to process information.<br /><br />Last week, we received the results of third-party testing of the final release version of our own contribution to proactive solutions: SafeCentral. The results clearly state that we are meeting our claims of enabling a secure, end-to-end session.<br /><br />What is also clear from our testing is that our technology fares many times better than its closest competitor - a product that protects only certain types of text entry fields from keyloggers and screen-scrapers, and leaves pop-up windows and personal information in the clear.<br /><br />In stark contrast to our competition, SafeCentral does an extremely good job of protecting users' transactions, even when the originating PC has been compromised, or when the consumer chooses to go to a new site - an activity that most consumers will agree is an extremely common behavior.<br /><br />We've come a long way in five years, and it feels good to be here. Developers, thank you, guys. It is really fun to be finally selling this stuff. Consumers, please go to <a href="http://www.safecentral.com/">SafeCentral.com</a> and check it out - the full version is free, and we'd love for you to get the best protection you can - on us.<br /><br />John C. 
Sharp<br /><br />Focus should be AIR not Acrobat (posted 2008-06-03)<br /><br />I just took a look at Adobe's new step into collaborative/social web spaces - acrobat.com.<br /><br /><a href="http://bp1.blogger.com/_HtZMSRIIa-k/SEVFguCUp7I/AAAAAAAAAKc/QoknNKj0ixM/s1600-h/acrobat.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_HtZMSRIIa-k/SEVFguCUp7I/AAAAAAAAAKc/QoknNKj0ixM/s400/acrobat.png" alt="" id="BLOGGER_PHOTO_ID_5207644972539750322" border="0" /></a><br />The site is not that impressive, and little more than brochureware really, for five of Adobe's least-appealing pieces of IP: Buzzword, Create PDF, Share, MyFiles and ConnectNow - Adobe's attempt at a WebEx clone.<br /><br />I was surprised by the site's focus. To me, the site comes off as an attempt by the "older generation" Acrobat marketing folks to pull off a "younger generation" trick using stuff that isn't really suited for the kinds of collaborative applications that the site hints at.<br /><br />And some other things were surprising too: despite an abundance of typically beautiful interfaces, clicking the "Begin" button on any of the offerings I tried resulted in the appearance of a faux dialog box that lacked any form of "close" button, tab or even text-based link. The only way to "close the box" is to click in the empty black space next to it.<br /><br />This wouldn't normally be worth a mention, except that this is *Adobe* - the kings/queens of tasty UI design. 
There are very few folks better than Adobe at walking consumers down a predefined nav path.<br /><br />When it comes to potential for collaboration and sharing of tools, I think Adobe should have put all this PR money behind a truly socializable technology - Adobe Integrated Runtime, or AIR. AIR is a seriously cool collaborative platform, but despite some early successes, it just isn't getting the kind of push it should be, or being opened up to the extent it needs to be.<br /><br />In fact, right now, AIR is on the same adoption path as PDF - which I'm sure pleases some of the "old time" marketing folks. But 2002 levels of success should please no one. The exponential rise of competitive pressures means that things need to be adopted at a much faster pace these days to rank as even a partial success.<br /><br />There is the kernel of a haiku in here somewhere for these normally hot product guys: Adobe should focus on the AIR, not the Acrobat.<br /><br />John C. Sharp<br /><br />Turing and the Poison Apple (posted 2008-06-01)<br /><br />Okay, I'll stop it with the Bletchley posts after this one. 
But the story told by one of the guides - of the death of computing pioneer Alan Turing, by cyanide-laced poison apple - stuck with me, and deserves repeating.<br /><br /><a href="http://bp2.blogger.com/_HtZMSRIIa-k/SENTweCUp6I/AAAAAAAAAKU/etyOgFCUkO8/s1600-h/alan_turing5_1.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_HtZMSRIIa-k/SENTweCUp6I/AAAAAAAAAKU/etyOgFCUkO8/s400/alan_turing5_1.jpg" alt="" id="BLOGGER_PHOTO_ID_5207097686332057506" border="0" /></a><br />Turing was, from the beginning, an outsider. His several biographies point out his eccentricities in youth, including the death of his best friend (and rumored first love), Christopher Morcom, from tuberculosis.<br /><br />My guide painted a similar picture of Turing to that painted in his bios - "scruffy", "loath to wash", "difficult to be around", and the indecipherable (for me, anyway) "a man who likes his holidays, if you know what I mean".<br /><br />But a few years later, after rising fast through Princeton and Cambridge, Turing, as everyone knows, helped save the free world. 
His breakthroughs in thinking led to the cracking of the Enigma and Lorenz ("Tunny") codes and the creation of the world's first programmable computer, and his last paper on computing, "Computing Machinery and Intelligence", published in 1950, was the first to propose a series of standardized tests for artificial intelligence.<br /><br />As I walked around Hut 8 last week at Bletchley Park - still largely in the same condition it was in when occupied by its chain-smoking mathematicians and crossword-solvers - I found myself becoming angry at the story of what happened to Turing later - after so many lives had been saved, and so much had been contributed to the future of computer science.<br /><br />As the story goes, in the very early part of Bletchley Park's formation, before frivolities such as cinema were curtailed, Turing had gone to see the Walt Disney cartoon feature Snow White, and was much taken with the scene in the movie involving the Wicked Witch's poison apple.<br /><br />According to the accounts of at least two historians, Turing left the movie much enamored with the story, and quoting one line over and over:<br /><br /><span style="font-style: italic;">"Dip the apple in the brew, let the sleeping death seep through".</span><br /><br />These were to prove prophetic words.<br /><br />Sixteen years after he started his ground-breaking work for MI5, in 1952, police received a phone call from Turing complaining that things had been stolen from his house by 19-year-old Arnold Murray, a young man he'd "been seeing", and an accomplice.<br /><br />When questioned about Murray, Turing admitted, naively, that yes, he was a homosexual, and he had been having a relationship with the younger man.<br /><br />The police pounced. And despite all Turing had contributed during the war, and despite his OBE (or perhaps because of it), prosecution for public indecency (and a public trial) followed.<br /><br />During the trial, the press took him apart. 
Upon his conviction, Turing's GCHQ security clearances were withdrawn. Hormone treatments involving injections of estrogen were ordered by the judge and resulted in Turing growing breasts and becoming obese, depressed, and ultimately, suicidal.<br /><br />Turing did struggle to publish a few additional works - including one of the first papers linking the Fibonacci series with the structure of plants - but one night in 1954, he finally decided he'd had enough.<br /><br />The next morning, Turing's housekeeper found Turing dead, a half-eaten, cyanide-laced apple beside his bed.<br /><br />John C. Sharp<br /><br />Al-Kindi, Frequency Analysis and Scrabulous (posted 2008-06-01)<br /><br />Ever wonder why you get stuck with too many "I" tiles while playing Scrabulous, but never have enough "H" or "S" tiles?<br /><br /><a href="http://bp0.blogger.com/_HtZMSRIIa-k/SEM4--CUp5I/AAAAAAAAAKM/B-l3kD59nB0/s1600-h/scrab.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SEM4--CUp5I/AAAAAAAAAKM/B-l3kD59nB0/s400/scrab.png" alt="" id="BLOGGER_PHOTO_ID_5207068248626210706" border="0" /></a><br />Ever have the feeling maybe the letters aren't distributed optimally? As it turns out, you're right.<br /><br />How do we know this? 
Frequency analysis - the study of the repetition of certain letters or words within encrypted messages - is a science first conceived in the ninth century by the great Arab philosopher Abu Yusuf Ya'qub ibn Is-haq ibn as-Sabbah ibn Omran ibn Ismail al-Kindi.<br /><br />Al-Kindi was the first to note that encrypted messages could be cracked by using "cribs" - i.e. by looking for repeated groups of letters or words, such as the Arabic "al", roughly equivalent to the English "the" - and according to Simon Singh, he even wrote a book on the subject (one of 290 such contributions to science) entitled "A Manuscript on Deciphering Cryptographic Messages".<br /><br /><span style="font-style: italic;">"One way to solve an encrypted message, if we know its language, is to find a different plaintext of [that] language... and then count the occurrences of each letter... then we look at the ciphertext and classify its symbols. We find the most occurring symbol and change it to the form of the [most occurring] letter of the plaintext symbol... and so on, until we account for all symbols of the cryptogram we want to solve."</span><br /><br />Yes, dear reader, this was written over a thousand years ago - most probably at the "House of Wisdom" in Baghdad, where Al-Kindi spent most of his life, before dying in 873. Al-Kindi's original book can still be found in the Sulaimaniyyah Archive in Istanbul.<br /><br />It was the use of frequency analysis by British scientists at Bletchley Park that allowed Britain to win the Second World War.<br /><br />
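Al-Kindi's procedure as quoted above, worked through in Python as an added example that is not part of the original post: count the letters of a known plaintext, count the symbols of the cryptogram, and pair them rank by rank. The reference passage, the message and the substitution key are constructed here for illustration; they are not real intercepts.

```python
"""Al-Kindi's frequency analysis against a monoalphabetic substitution cipher.

Added example, not code from the original post. The reference passage, the
message and the key below are constructed for illustration only.
"""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Constructed sample inputs (not real intercepts or a real key).
REFERENCE_TEXT = ("the enemy fleet will leave the eastern harbour before seven "
                  "and the weather there seems settled")
MESSAGE = "every evening we expect the same weather here near the beach"
KEY = "qwertyuiopasdfghjklzxcvbnm"   # cipher alphabet: a->q, b->w, c->e, ...


def letters_only(text: str) -> str:
    """Lower-case and keep a-z only; spacing and punctuation would otherwise
    dominate the counts."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def frequency_order(text: str) -> str:
    """Letters of `text` from most to least frequent (Al-Kindi's
    'count the occurrences of each letter'). Ties keep first-appearance
    order because Counter.most_common is a stable sort."""
    counts = Counter(letters_only(text))
    return "".join(letter for letter, _ in counts.most_common())


def substitution_encrypt(plaintext: str, key: str) -> str:
    """Monoalphabetic substitution: `key` is a permutation of a-z giving the
    cipher symbol for each plaintext letter."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")
    return letters_only(plaintext).translate(str.maketrans(ALPHABET, key))


def alkindi_guess(ciphertext: str, reference_text: str) -> dict:
    """Pair the i-th most frequent cipher symbol with the i-th most frequent
    letter of a known plaintext in the same language: 'find the most
    occurring symbol and change it to the most occurring letter ... and so
    on'. Letters absent from the reference are appended alphabetically so
    every cipher symbol still receives a guess."""
    cipher_rank = frequency_order(ciphertext)
    plain_rank = frequency_order(reference_text)
    plain_rank += "".join(ch for ch in ALPHABET if ch not in plain_rank)
    return dict(zip(cipher_rank, plain_rank))


def apply_guess(ciphertext: str, guess: dict) -> str:
    """Rewrite the ciphertext under the guessed mapping; '?' marks symbols
    with no guess."""
    return "".join(guess.get(ch, "?") for ch in ciphertext)


def recovery_rate(recovered: str, plaintext: str) -> float:
    """Fraction of letter positions decoded correctly (1.0 is a full break)."""
    plain = letters_only(plaintext)
    hits = sum(1 for a, b in zip(recovered, plain) if a == b)
    return hits / len(plain) if plain else 0.0


def demo() -> tuple:
    """Encrypt MESSAGE, attack it with REFERENCE_TEXT, return (guess, rate)."""
    ciphertext = substitution_encrypt(MESSAGE, KEY)
    guess = alkindi_guess(ciphertext, REFERENCE_TEXT)
    recovered = apply_guess(ciphertext, guess)
    return recovered, recovery_rate(recovered, MESSAGE)


if __name__ == "__main__":
    recovered, rate = demo()
    print("ciphertext :", substitution_encrypt(MESSAGE, KEY))
    print("recovered  :", recovered)
    print("plaintext  :", letters_only(MESSAGE))
    print(f"correct positions: {rate:.0%}")
```

With a reference of only a few sentences the commonest letters land reliably while the rare ones are shuffled, which is exactly the gap that cribs such as "al" or "the" are used to close.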
Turing and others, looking for ways of breaking the codes, theorized that early-morning reports from naval vessels would contain reports on weather.<br /><br />By using the German words for weather ("wetter") and time as "cribs" (and employing other pieces of knowledge, such as the fact that in German, the letter "E" appears, on average, once every five letters), and using automated analysis machines called "bombes", they were able to determine the settings used by the Enigma machines, often early in the day - a breakthrough that saved millions of lives, and changed the course of history.<br /><br />Anyway, back to Scrabulous and those missing tiles...<br /><br />The original Scrabble game called for 100 tiles, and for the most part, the distribution follows the general distribution of letters in the English language. However, if we use the Beker-Piper letter frequencies, we quickly find that things are not "as they should be".<br /><br />Based on analysis of English conducted by Beker and Piper, authors of "Cipher Systems: The Protection of Communication", there should be 4 additional letter "H" tiles, 4 additional "T" tiles, at least 3 additional "S" tiles, and 2 fewer letter "I" tiles - even accounting for the blanks.<br /><br />So the next time you're stuck for a chat subject on Scrabulous, you can say "I was reading about this ninth century Arab philosopher the other day, and as it turns out..."<br /><br />John C. 
Sharp<br /><br />The Women of Bletchley Park (posted 2008-05-25)<br /><br />Last Friday, I visited Bletchley Park, home of the WWII code-cracking team, now a somewhat tattered, yet still inspiring remnant of the glory days of Churchill's England.<br /><br /><a href="http://bp0.blogger.com/_HtZMSRIIa-k/SDoWvOCUp4I/AAAAAAAAAKE/zbgk_TSXSU8/s1600-h/Tony_Sale_COLOSSUS.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_HtZMSRIIa-k/SDoWvOCUp4I/AAAAAAAAAKE/zbgk_TSXSU8/s400/Tony_Sale_COLOSSUS.JPG" alt="" id="BLOGGER_PHOTO_ID_5204497319857530754" border="0" /></a><br />On this visit, I was fortunate to encounter several excellent guides, including Tony Sale, former MI5 engineer, and the man behind the reconstruction of Colossus - the computer built to break Lorenz, the code used by Hitler and his generals.<br /><br />Between witnessing a live demonstration of the world's first computer (which, unbelievably, still uses some of the original valves from the WWII period), touring the huts where Turing and his peers worked, and viewing a simply incredible array of artifacts, including several Enigma machines and replicas of the famous Turing Bombes, I enjoyed a terrific few hours.<br /><br />However, during the course of the visit, I came across one fact that had somehow eluded me while reading several of the books that have Bletchley Park at their core: the pivotal role of women at Bletchley Park during the war.<br /><br />According to the displayed HR logs, photographs, and anecdotal stories, more than 75% of personnel at Bletchley were female, including virtually all of the radio station operators, Bombe operators, motorcycle dispatch riders, analysts, and many of the code-breakers.<br /><br />In the hut made famous by Alan Turing - Hut 8 - an excellent video is on display featuring Mavis Batey (née Lever), one of Dilly Knox's "girls". Ms. Batey, who is now in her eighties, came up with one of the critical breakthroughs of the war - an inspired analysis that resulted in victory over elite Italian naval forces during the Battle of Matapan.<br /><br />In the room next to it are several stories involving female leaders of resistance groups that Hollywood producers need to check out immediately. I had not heard of several of these women but was awed by their toughness - and sacrifice.<br /><br />The one down point of the day occurred as my guide showed me the remains of the hut that housed the world's first computer - hut F. The only thing remaining is a concrete slab - the hut itself was knocked down by a housing developer in the early '80s. The rebuilt Colossus II is now housed in a hut a hundred yards from where the original stood.<br /><br />It is estimated by some experts that the code-breaking carried out at Bletchley shortened the war by two years, and spared Berlin from an atom bomb. Whether or not that is true, what is clear upon visiting Bletchley Park is that this group of scientists, like those at Los Alamos, moved computing forward at an unprecedented pace, in the years from 1938 to 1945.