This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- Encrypting the Internet
- Extensions to the IODEF-Document Class for Reporting Phishing, Fraud, and Other Crimeware
- The Transitioning of Cryptographic Algorithms and Key Sizes
- When I'm Dead, How Will My Loved Ones Break My Password?
- Will New Certification Criteria Fuel Open Source E-Health Records?
- W3C Last Call Working Draft for CSS3 Module on Multi-Column Layout
- Build Virtual Appliances Using the OVF Toolkit
- First Public Draft: Web Categories
- Double Duty for Video Cards
Encrypting the Internet
Satyajit Grover, Xiaozhu Kang, Michael Kounavis, Frank Berry; DDJ
"New technologies that show the economy of using general-purpose hardware for high-volume HTTPS traffic... It is estimated that the Internet connects 625 million hosts. Every second, vast amounts of information are exchanged amongst these millions of computers. These data contain public and private information, which is often confidential and needs to be protected. Security protocols for safeguarding information are routinely used in banking and e-commerce. Private information, however, has not been protected on the Internet in general. Examples of private information (beyond banking and e-commerce data) include personal email, instant messages, presence, location, streamed video, search queries, and interactions on a wide variety of on-line social networks. The reason for this neglect is primarily economic. Security protocols rely on cryptography, and as such are compute-resource-intensive. As a result, securing private information requires that an on-line service provider invest heavily in computation resources. In this article we present new technologies that can reduce the cost of on-line secure communications, thus making it a viable option for a large number of services.
The motivation behind our research is primarily to enable widespread use of, and access to, HTTPS. It is important for service providers and users to be able to trust each other for their mutual benefit. An important aspect of the trust comes from knowing that private communications are kept confidential and adhere to the policies established between providers and users.
In summary: we are researching new technologies that offer cryptographic algorithm acceleration by factors. Our ultimate goal is to make general-purpose processors capable of processing and forwarding encrypted traffic at very high speeds so that the Internet can be gradually transformed into a completely secure information delivery infrastructure. We also believe that these technologies can benefit other usage models, such as disk encryption and storage..."
Extensions to the IODEF-Document Class for Reporting Phishing, Fraud, and Other Crimeware
Patrick Cain and David Jevans (eds), IETF Internet Draft
IETF has announced the release of an updated Internet Draft for Extensions to the IODEF-Document Class for Reporting Phishing, Fraud, and Other Crimeware. The document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070, The Incident Object Description Exchange Format. IODEF defines an XML data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document supports the reporting of phishing, fraud, and other types of electronic crime. The extensions also support the exchange of information about widespread spam incidents. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud or spam cycle. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents. The extensions defined in this document are used to generate two different types of reports: a fraud report and a wide-spread spam report. Although similar in structure, each report has different required objects and intentions.
Background: "Deception activities, such as receiving an email purportedly from a bank requesting you to confirm your account information, are an expanding attack type on the Internet. The terms phishing and fraud are used interchangeably in this document to characterize broadly-launched social engineering attacks in which an electronic identity is misrepresented in an attempt to trick individuals into revealing their personal credentials (e.g., passwords, account numbers, personal information, ATM PINs, etc.). A successful phishing attack on an individual allows the phisher (i.e., the attacker) to exploit the individual's credentials for financial or other gain. Phishing attacks have morphed from directed email messages from alleged financial institutions to more sophisticated lures that may also include malware... The extensions defined in this document may be used to report the social engineering victim lure, the collections site, and credential targeted ('spear') phishing, broad multi-recipient phishing, and other evolving Internet-based fraud attempts."
Fraud Report XML Representation: The IODEF Incident element from RFC 5070 Section 3.2 and the rest of the data model are here expressed in Unified Modeling Language (UML) syntax as used in the IODEF specification. The UML representation is for illustrative purposes only; elements are specified in XML as defined in Appendix A, "Phishing Extensions XML Schema."
See also: IETF IODEF specification references
The Transitioning of Cryptographic Algorithms and Key Sizes
Staff, NIST Discussion Paper
"At the beginning of the century, NIST began the task of providing cryptographic key management guidance. This included lessons learned over many years of dealing with key management issues, and attempts to encourage the definition and implementation of appropriate key management procedures, to use algorithms that adequately protect sensitive information, and to plan ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. Some of the guidance provided by NIST in SP 800-57 includes the definition of security strengths, the association of the approved algorithms with these security strengths, and a projection of the time frames during which the algorithms could be expected to provide adequate security. Note that the length of the cryptographic keys is often an integral part of these determinations... The security strength is measured in bits and is, basically, a measure of the difficulty of discovering the key... The reality is that we need to examine each class of algorithm and sometimes make some adjustments...
This paper is intended to bring some of the transition issues associated with the use of cryptography to the attention of the Federal government and the public, and to obtain feedback about the proposed approaches."
See also: Cryptographic Key Management
When I'm Dead, How Will My Loved Ones Break My Password?
Cory Doctorow, The Guardian
"Tales from the encrypt: If you care about the integrity of your data, it's time to investigate solutions for accessing and securing it—and not just for the here and now... Like an increasing number of people who care about the security and integrity of their data, I have encrypted all my hard-drives—the ones in my laptops and the backup drives, using 128-bit AES—the Advanced Encryption Standard. Without the passphrase that unlocks my key, the data on those drives is unrecoverable, barring major, seismic advances in quantum computing, or a fundamental revolution in computing. Once your data is cryptographically secured, all the computers on earth, working in unison, could not recover it on anything less than a geological timescale...
But what if I were killed or incapacitated before I managed to hand the passphrase over to an executor or solicitor who could use them to unlock all this stuff that will be critical to winding down my affairs—or keeping them going, in the event that I'm incapacitated? I don't want to simply hand the passphrase over to my wife, or my lawyer. Partly that's because the secrecy of a passphrase known only to one person and never written down is vastly superior to the secrecy of a passphrase that has been written down and stored in more than one place. Further, many countries' laws make it difficult or impossible for a court to order you to turn over your keys; once the passphrase is known by a third party, its security from legal attack is greatly undermined, as the law generally protects your knowledge of someone else's keys to a lesser extent than it protects your own..."
Will New Certification Criteria Fuel Open Source E-Health Records?
Marianne Kolbasuk McGee, InformationWeek
"Until now, certification requirements for electronic medical records were pretty hefty, addressing hundreds of stringent criteria that comprehensive inpatient and ambulatory systems must meet in order to get a seal of approval from the Certification Commission for Health Information Technology, or CCHIT, a non-profit federally supported group (www.cchit.org).
A couple of weeks ago, CCHIT announced it was replacing the single certification approach it has had since 2006 with three new certification "paths." CCHIT said the changes are meant to help support more widespread adoption and "meaningful use" of certified health IT systems by doctors and hospitals so that they're eligible to receive federal stimulus incentives that kick in starting in 2011. In a nutshell, CCHIT says its three CCHIT certification paths include: (1) A rigorous certification for comprehensive EHR systems that significantly exceed minimum Federal standards requirements. (2) A new, modular certification program for electronic prescribing, personal health records, registries, and other technologies. Focusing on basic compliance with Federal standards and security, the EHR-M program would be offered at lower cost, and could accommodate a wide variety of specialties, settings, and technologies. (3) A simplified, low cost site-level certification. This program would enable providers who self-develop or assemble EHRs from noncertified sources to also qualify for the federal incentives..."
See also: XML and Healthcare
W3C Last Call Working Draft for CSS3 Module on Multi-Column Layout
Håkon Wium Lie (ed), W3C Technical Report
A last call review has been issued for the "CSS3 Module: Multi-Column Layout" specification, produced by members of the W3C CSS Working Group. Comments are invited through October 01, 2009.
"This document has been a Working Draft in the CSS Working Group for several years. Multi-column layouts are traditionally used in print. On screen, multi-column layouts have been considered experimental, and implementation and use experience was deemed necessary in order to proceed. Several implementations have occurred over the past years, and this draft incorporates useful feedback from implementors as well as authors and users.
The module describes multi-column layout in CSS. By using functionality described in this document, style sheets can declare that the content of an element is to be laid out in multiple columns. On the Web, tables have also been used to describe multi-column layouts. The main benefit of using CSS-based columns is flexibility; content can flow from one column to another, and the number of columns can vary depending on the size of the viewport. Removing presentation table markup from documents allows them to more easily be presented on various output devices including speech synthesizers and small mobile devices..."
See also: the W3C Style Activity
Build Virtual Appliances Using the OVF Toolkit
Steve Schmidt, Mike Gering, Andrew R. Freed; IBM developerWorks
"The Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances (or software) that is to be run in virtual machines. The standard describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines; the standard is designed so that it is not tied to any particular hypervisor or processor architecture. In this article, the authors describe the OVF standard and the OVF Toolkit developed by IBM.
The OVF environment is an XML document that is generated by an OVF deployment platform at the time an OVF package is being deployed and in turn, made available to guest software within the deployed virtual system(s). The intent of the OVF environment document is to provide the virtual system guest software (of a deployed OVF package) property variable information that can be used to "customize" the guest virtual system(s). Authors of OVF package descriptors (the OVF envelope) indicate what custom properties will require variable input. During the deployment activity of an OVF package, the deployment platform collects the values to be associated to the custom property keys and constructs the OVF environment document..."
See also: DMTF Open Virtualization Format (OVF)
First Public Draft: Web Categories
Sam Johnston (ed), IETF Internet Draft
A version -00 I-D on "Web Categories" specifies the Category header-field for HyperText Transfer Protocol (HTTP), which enables the sending of taxonomy information in HTTP headers.
Summary: "A means of indicating categories for resources on the web has been defined by Atom (RFC 4287). This document defines a framework for exposing category information in the same format via HTTP headers. The 'atom:category' element conveys information about a category associated with an entry or feed. A given 'atom:feed' or 'atom:entry' element may have zero or more categories which must have a "term" attribute (a string that identifies the category to which the entry or feed belongs) and MAY also have a scheme attribute (an IRI that identifies a categorization scheme) and/or a label attribute (a human-readable label for display in end-user applications). Similarly a web resource may be associated with zero or more categories as indicated in the Category header-field(s). These categories may be divided into separate vocabularies or "schemes" and/or accompanied with human-friendly labels..."
See also: Atom references
Double Duty for Video Cards
GCN Staff, Technology Blog
"When the next version of the Mac operating system, code-named Snow Leopard, is released later this year, users might experience some surprising boosts in speeds, at least for some applications. The time it takes, for instance, to re-encode a high-definition video for an iPod could dramatically decrease from hours to a few minutes. Snow Leopard will have the ability to hand off some of the number crunching in that conversion to the graphics processing unit (GPU). The new OS is scheduled to include support for Open Computing Language, which allows programmers to have their programs tap into the GPU...
Typically, the GPU, usually embedded in a graphics card, renders the screen display for computers. But ambitious programmers are finding that GPUs can also be used to speed certain types of applications, particularly those involving floating-point calculations. For instance, researchers at Belgium's University of Antwerp outfitted a commodity server with four dual-GPU Nvidia GeForce 9800 GX2 graphics cards. The server would be used to look for ways to improve tomography techniques. They found that this configuration could reconstruct a large tomography image in 59.9 seconds, which is faster than the 67.4 seconds it took an entire server cluster of 256 dual-core Opterons from Advanced Micro Devices. The cluster cost the university $10 million to procure, whereas the researchers' server only ran $10,000...
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html