Skip to main content

Practical Security

I stuck my neck out in another post called Security Paranoia and some people asked how one could go about improving security in a business environment.
From Gulfnews

First of all, you have to realize that you can never have perfect security.  Information will always leak out.  The best you can do is to slow the leakage down to an acceptable level, but please try to remain reasonable.  There is an old joke that military IT has the motto: "We are not happy, until you are not happy".  You got to allow business to carry on somehow.

Secondly, trying to educate your users about security and trying to get them to avoid 'risky behaviour' is a total waste of time.  They will do their damndest on purpose or by accident and it is totally up to you to ensure the system integrity despite your user's best efforts to the contrary.  If you don't want them to do something, then don't give them the tool to do it and if they have to have a 'bad' tool, then give them an isolated laboratory to work in.

Divide and Conquer

Government IT uses a process of divide and conquer:  Partition a network into smaller segments that need not communicate with each other.  Provide encrypted tunnels between distant nets that do need to communicate.  An excellent source of information is the Canada IT Security Guidance here:

In a business environment, provide separate servers, subnets and VLANs for the different departments, with deep packet inspection firewalls between them, so that if one department gets compromised, it doesn't bring the whole house of cards down.

End to End Encryption

Use end-to-end encryption wherever feasible.  When you notice that your company has developed strategic partnerships and use preferred vendors, talk to their IT and set up an encrypted tunnel between your email and phone servers, so that mail and voice between your companies turn black.  If you do it properly, the whole process of hardening your service will not be noticed by your users.

So whose end-to-end encryption should you use?  It depends on who your threat is.  If you are OK with your own government reading your mail and recording your phones, then you could use an off the shelf product made in your own country, or you could pick something from an unaligned little country on the far side of the globe in the hope that since they have no idea who you are, they likely won't do you any harm.

Some countries for example Canada, publish lists of equipment certified for government use ( - you can use those.  Me? I would avoid any off the shelf product and would rather build my own VPN gateways from a Linux distribution.

The important thing is to continually work on turning as much of your corporate communications black as you possibly can.  Monitor who your company is talking to and keep adding more VPN tunnels to the mail and voice servers of those companies.  This way, you provide transparent security service to your users - they won't even know about it and you and your counterpart at the other company can sleep better knowing that all their comms went black.

Encryption Tests

Verifying whether a VPN product is most probably good, is not as hard as you may fear.  Capture a stream of data and try to compress it (Just the data, not the datagram headers too!).  Encrypted data should be incompressible.   You can also try some statistical tests for randomness - the histograms should always be flat.   It should also only ever communicate with its opposite party.  If you sniff a VPN box with wireshark for a few days and it ever tries to communicate with anything else on the WAN, then burn the device at a stake...

Utilities for Personal Security

You should try out these projects, they are amazing and make end to end security easy:
  • Secure Telephone, Redphone -
  • Secure Video Phone, Jitsi -
  • Secure mail for Thunderbird, Enigmail -
  • Secure mail plugin for Mac OSX, GPGmail -
  • Secure webmail plugin for Chrome, Mailvelope -
With the above tools, you can easily turn most of your communications black.

At first, it feels a bit weird to use email encryption, but it will soon become a habit and plaintext mail will look funny.


Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018: If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well understood. Therefore,

Weather Satellite Turnstile Antennas for the 2 meter Band

NEC2, 2 m band, 146 MHz, Yagi Turnstile Simulation and Build This article describes a Turnstile Antenna for the 2 meter band, 146 MHz amateur satcom, 137 MHz NOAA and Russian Meteor weather satellites.  Weather satellite reception is described here .  A quadrifilar helical antenna is described here .   Engineering, is the art of making what you need,  from what you can get. Radiation Pattern of the Three Element Yagi-Uda Antenna Once one combine and cross two Yagis, the pattern becomes distinctly twisted. The right hand polarization actually becomes visible in the radiation pattern plot, which I found really cool. Radiation Pattern of Six Element Turnstile Antenna Only a true RF Geek can appreciate the twisted invisible inner beauty of a herring bone antenna... Six Element Turnstile Antenna Essentially, it is three crosses on a stick.  The driven elements are broken in the middle at the drive points.  The other elements can go straight throug

Patch Antenna Design with NEC2

The older free Numerical Electromagnetic Code version 2 (NEC2) from Lawrence Livermore Lab assumes an air dielectric.  This makes it hard (but not impossible) for a radio amateur to experiment with Printed Circuit Board Patch antennas and micro strip lines. Air Spaced Patch Antenna Radiation Pattern You could use the free ASAP simulation program , which handles thin dielectrics, you could shell out a few hundred Dollars for a copy of NEC4 , You could buy GEMACS if you live in the USA, or you could add distributed capacitors to a NEC2 model with LD cards (hook up one capacitor in the middle of each element.), but that is far too much money/trouble for most. More information on driving an array antenna can be found here: l Air Dielectric Patch   The obvious lazy solution is to accept the limitation and make an air dielectric patch antenna. An advantage of using air dielectric, is that the antenn