Security by Letterhead

October 30, 2007

I am not sure how many of you have faced this, but I face it very often and this article represents my true feelings.

Security by Letterhead – by Bruce Schneier

“This otherwise amusing story has some serious lessons:

John: Yes, I’m calling to find out why request number 48931258 to transfer was rejected.

ISP: Oh, it was rejected because the request wasn’t submitted on company letterhead.

John: Oh… sure… but… uh, just so we’re on the same page, can you define exactly what you mean by ‘company letterhead?’

ISP: Well, you know, it has the company’s logo, maybe a phone number and web site address… that sort of thing. I mean, your fax looks like it could’ve been typed by anyone!

John: So you know what my company letterhead looks like?

ISP: Ye… no. Not specifically. But, like, we’d know it if we saw it.

John: And what if we don’t have letterhead? What if we’re a startup? What if we’re redesigning our logo?

ISP: Well, you’d have to speak to customer–

John (clicking and typing): I could probably just pick out a semi-professional-looking MS Word template and paste my request in that and resubmit it, right?

ISP: Look, our policy–

John: Oh, it’s ok, I just sent the request back in on letterhead.

Ha ha. The idiot ISP guy doesn’t realize how easy it is for anyone with a word processor and a laser printer to fake a letterhead. But what this story really shows is how hard it is for people to change their security intuition. Security-by-letterhead was fairly robust when printing was hard, and faking a letterhead was real work. Today it’s easy, but people — especially people who grew up under the older paradigm — don’t act as if it is. They would if they thought about it, but most of the time our security runs on intuition and not on explicit thought.

This kind of thing bites us all the time. Mother’s maiden name is no longer a good password. An impressive-looking storefront on the Internet is not the same as an impressive-looking storefront in the real world. The headers on an e-mail are not a good authenticator of its origin. It’s an effect of technology moving faster than our ability to develop a good intuition about that technology.

And, as technology changes ever increasingly faster, this will only get worse.”


PTCL and my thoughts

October 4, 2007

On a mailing list, I ended up writing too long a reply about PTCL and thought I would post it here. These are my personal views about PTCL/PIE:

PTCL is the strangest company I have ever seen: it provides the worst services and SLAs (with upstream providers) and still says it is redundant. It is totally not redundant. Service levels are the poorest on both IP Cloud and IPLCs. IPLCs on SMW3/SMW4 are always flapping (and I am not talking about any specific city; I have seen it at multiple places at the same time) and no one knows what the reason is; the blame game goes on and on. IP Cloud is never up to SLA; destinations always have packet loss, delays and extra routing hops via Hong Kong/London even if you only have to reach a simple hop in New York. And to solve a routing issue, the client itself has to originate a conference call and grab engineers from all the service providers using its own contacts, and guess what, PTCL NOC staff cannot join the international conference call, as they have a 2 min. auto-drop feature on all international phones in their

For the Flag network, your E1s always have problems, and the next day you figure out there was a problem in a port at the mux, and this happens 5 times in a month. For Verizon, your next-hop latency has too much jitter, which makes it worse for real-time data applications, and they take 2 months to figure out that their router in NY has high CPU. For PIE managed bandwidth, it is just like a local cable wala (neighbourhood cable operator) setup: sometimes their internal routers have packet loss on higher MTUs, and it took the client to make them understand what MTU is and why that problem occurs; after changing the router port, they tell the client no, there was no problem on their side, it was in Karachi or at the client’s media.
Technically, TW1 also doesn’t provide us total redundancy. They only provide redundancy up to the Gulf; from there onwards we are on the same shared fiber optics that Flag or Verizon are using. Actual redundancy can only be formed if we have an active fiber link with India (and that is really important for our economy as well) and multiple providers like TW1 and some others directly make contracts with other Tiers via the Hong Kong path.
Maybe I am expecting more from PTCL when I compare PTCL’s services to my other providers, i.e. Global Crossing, Level 3, Verizon USA/UUNet and Cogent, but the point is that we are paying for these services, and for the past 5+ years there hasn’t been any significant improvement with PIE/PTCL, and they don’t accept it either.