Securing PDFs

In a recent article, my favorite electronic evidence blogger, Sharon D. Nelson, Esq., writes in her {ride the lightning} blog about how to properly secure a PDF document.

In order to properly secure an Adobe document, John [Simek, Vice President of Sensei Enterprises Inc.] advises a ‘two-step’ test.

The first step is to apply a password to the Adobe document that restricts any changes to the document (a “Change Permissions Password”).  The second step is to apply an “Open Document” password.  When both of these are applied, the PDF password cracker programs cannot get ‘at’ the flag that controls the editing of the document.

You provide your client with the “Open Document” password but not the “Change Permissions Password”.  This way they can view the contents of the document, but they have no ability to edit the document.

Using this dual password method, the software that is used to ‘crack’ the Adobe document password cannot get at the ‘flag’ and therefore cannot be used to break the security of the document (at least at this time).

This is very good advice, and as Sharon points out in a followup post, it will cost you nothing as your PDF generation software is already capable of doing this.
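To see what the dual-password setup changes inside the file, here is an added example (not from Sharon's article, John Simek or Adobe) that audits a PDF's standard security handler values: it tests whether the empty user password reproduces /U, meaning no “Open Document” password is set, and decodes which actions the /P flags deny. It covers handler revisions 2 and 3 (RC4) only and assumes the /Encrypt entries and the first /ID string have already been read with a PDF parser; the function names and sample values are constructed for illustration.

```python
import hashlib
import struct

# 32-byte password padding string defined by the PDF standard security handler.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")

# /P permission flags (bit 3 = print ... bit 11 = assemble, 1-indexed in the spec).
PERMS = {"print": 1 << 2, "modify": 1 << 3, "copy": 1 << 4,
         "annotate": 1 << 5, "fill_forms": 1 << 8, "assemble": 1 << 10}


def rc4(key, data):
    """Plain RC4, the cipher used by handler revisions 2 and 3."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def file_key(user_pw, enc, doc_id):
    """Derive the file key from a user password (spec Algorithm 2, R2-R3)."""
    n = 5 if enc["R"] == 2 else enc["Length"] // 8
    digest = hashlib.md5((user_pw + PAD)[:32] + enc["O"]
                         + struct.pack("<i", enc["P"]) + doc_id).digest()
    if enc["R"] >= 3:
        for _ in range(50):
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]


def expected_u(user_pw, enc, doc_id):
    """Compute the /U value a given user password would produce."""
    key = file_key(user_pw, enc, doc_id)
    if enc["R"] == 2:
        return rc4(key, PAD)
    out = rc4(key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        out = rc4(bytes(k ^ i for k in key), out)
    return out


def audit(enc, doc_id):
    """Report whether an open password is set and which actions /P denies."""
    guess = expected_u(b"", enc, doc_id)
    n = 32 if enc["R"] == 2 else 16
    return {"open_password_set": guess[:n] != enc["U"][:n],
            "denied": sorted(k for k, bit in PERMS.items() if not enc["P"] & bit)}


# Constructed sample values, not taken from any real document.
DOC_ID = bytes(range(16))


def make_sample(user_pw, p):
    """Build a constructed R3 /Encrypt dictionary for the given user password."""
    enc = {"R": 3, "Length": 128, "P": p, "O": bytes(range(32, 64))}
    enc["U"] = expected_u(user_pw, enc, DOC_ID) + bytes(16)
    return enc


if __name__ == "__main__":
    print(audit(make_sample(b"", -3904), DOC_ID))                # permissions password only
    print(audit(make_sample(b"constructed-pw", -3904), DOC_ID))  # both passwords set
```

When `open_password_set` comes back false, the file key is derived from the empty password, so the /P restrictions hold only as long as the reading software honours them.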

Turns out that the folks at Adobe, who know quite a bit about PDF documents, provide a document (in PDF format!) all about securing PDF files. In addition to providing step-by-step instructions for the processes described in the previously mentioned blog entry [in sections entitled “Adding a document password” and “Restricting printing or changes to a document”], there are also the following sections.

Creating a Digital ID – A Digital ID is required whenever you certify or sign a PDF. A digital ID contains your signature information. If you don’t already have a Digital ID, you can obtain one from a third-party signature handler, or you can create a self-signed digital ID.

Sharing certificate information – To verify your digital signature or to enable others to encrypt documents for you, other users need to access your digital ID certificate. If you have created a self-signed digital ID, or if others can’t access your certificate, you can send it to them.

Signing a document – Make sure you have finished making changes to the document.

Creating a certified document – When you create a certified document, you indicate to others that you approve of its content. You can also specify the types of changes permitted for the document to remain certified. Detection of unwanted changes will be provided when the user signs the document. Therefore in order to protect the document, only the changes you wish to allow will be included.

You get confidentiality (when users encrypt using your cert) as well as integrity (if you lock down the document as suggested), and your recipients get non-repudiation (if you digitally sign the document). Nobody gets plausible deniability.

Portrait of the developer as a hacker

Throughout my career as a software engineer and all around code monkey, I have been both denounced and applauded as a “hacker”. In my current position, it is part of my duties to “think like a hacker”. Clearly there is a lot of confusion surrounding the term hacker. Wikipedia has these definitions.

Since the definition of hacker isn’t the actual topic of this post we’ll just leave it at that. What I really wanted to rant write about was inspired by this article by Neil McAllister in his Infoworld Fatal Exception blog entitled Does the ‘hacker ethic’ help or harm today’s developers? wherein he writes the following.

Today the world of programming is arguably even more accessible. Novices might start by working with HTML and JavaScript before moving on to PHP, or maybe by writing Visual Basic macros for their spreadsheets and eventually graduating to full-scale application development. Introductory tools abound, such as Microsoft’s Small Basic, and never in history has more quality application source code been available for students to learn from. Computing may be big business today, but the hacker spirit is still alive and well.

Still, I have to ask: Is that really a good thing? If every modern American schoolchild knows more about PCs and computing than their parents ever could, why does Vineet Nayar, CEO of the Indian IT outsourcing vendor HTC Technologies, claim that most U.S. college grads are “unemployable”? Are Americans really falling behind in technical know-how? Or could it be that in our willingness to embrace the hacker ideal, we’re producing programmers who are unprepared for real-world work?

According to HTC’s Nayar, the American graduates he’s encountered are all obsessed with making big salaries. In countries like India, China, Brazil, and South Africa, on the other hand — where students have no such expectation — grads are much more likely to have devoted themselves to learning such “boring” details as development process, business methodologies such as Six Sigma and ITIL, and understanding a broad range of development tools — things that too often go missing from American graduates’ résumés.

And the problem goes even deeper than that. American-style hackers don’t just make for bad team members; they also make for bad programmers, albeit for reasons new grads seldom anticipate. “Cowboy coders” might be technically proficient, but their code is less likely to be maintainable in the long term, and they’re less likely to conform to organizational development processes and coding standards. As a result, quality assurance — including testing, debugging, code reviews, and refactoring — are likely to suffer.

American software development managers often complain that Indian programmers are too literal-minded, and that they lack the intuition and entrepreneurship characteristic of American programmers. But to listen to Nayar tell it, American programmers have swung the pendulum too far in the other direction. Can it be that we’re too in love with the hacker ideal of the 1980s to produce programmers who are truly prepared for today’s real-life business environment?

Having worked over the years with a number of outsourcing vendors (including HTC), I find Mr. Nayar’s comments quite amusing. Without dismissing his points entirely, it’s kind of hard to read “American graduates are all obsessed with making big salaries. In countries like India, China, Brazil, and South Africa, on the other hand, students have no such expectation” as anything other than “American graduates refuse to be exploited as the peasants they are”. But there are some valid points. Many American, Western European and Australian software developers, particularly recent graduates, are likely to get positions with smaller startup companies. These companies value innovation and speed of delivery above all. In their world there is no long run. Yet. They have to get something dazzling out right now. Therefore those are the things that developers are rewarded for: quickly producing amazing stuff. And the reward is usually that they get to keep working at a cool place. If you aren’t a hacker you’re a slacker in this world.

Now fast forward (or rewind, depending on your point of view) to developers in large corporations that have products on their 10+ versions and development processes that have been evolving for 20+ years. You know, the guys that defined Six Sigma and ITIL. It’s a much different world there. Due to heavyweight processes and the burden of history and politics, these shops tend to put out higher quality, more conservative products far less often than their smaller, more agile but less stable brethren. “Cowboy coders” don’t do too well in this kind of environment.

But it’s easy to see why Mr. Nayar holds his opinions, given the sort of development projects that are typically outsourced. Smaller companies usually outsource maintenance of that dazzling and rapidly developed (read “quick and dirty”) code. Larger companies usually outsource long term maintenance or conversion of legacy code. Arguably tasks that really shouldn’t be done at all, but almost invariably work that will be discarded as soon as it’s practical. In other words nothing critical or complex.

I’m certainly not implying that the developers who work for the outsourcing vendors are incompetent; it’s just the nature of outsourcing development. Essentially what you have is a contract that states “we will do precisely this coding for precisely that amount of compensation”. It’s the “precisely this coding” part that is the devil’s abode. It has been my experience that outsourcers will do exactly what you specify. No more, no less. If you are even the slightest bit vague or make assumptions about existing knowledge or skills, there will be much unpleasantness, often leading to project failure. Your project, that is. The outsourcer still gets paid.

Another experience I’ve had with off-shore outsourcing induces hilarity with respect to Mr. Nayar’s Utopian view of software development team spirit in emerging markets. I was working for a large corporation that had outsourced the maintenance of a legacy system to an off-shore organization (in Bangalore if you must know) while I was busy working on replacing that system (a system that supported ITIL change management if you must know). I trained six (count ’em – 6) different project leads over the course of six months to do this maintenance because almost as soon as each was trained they took another position with another outsourcing vendor for higher pay. Finally gave up on the outsourcing before anything was ever really accomplished. Other than providing training to some smart folks that allowed them to get better gigs. To paraphrase Kurt Cobain, it certainly smells like team spirit to me.

But back to Neil’s question, Can it be that we’re too in love with the hacker ideal of the 1980s to produce programmers who are truly prepared for today’s real-life business environment?

I would submit that unless you are a hacker you won’t be prepared for today’s real-life business environment. Yes, even in a large organization. Did I mention that I work for a large corporation, and that it is precisely this hacker ethic (thinking outside the box, trying to understand how everything works and, most importantly, how everything can be broken and exploited) that is a large part of my job as Advisory Software Engineer? But it is also true that if you are strictly a hacker, you limit your abilities as a software engineer. Note again that my education is in Electrical Engineering (as opposed to Computer Science) and that I’m certified in ITIL fundamentals (among other things). The point is that this isn’t an either-or proposition. You must be both a competent engineer and a hacker. If you rely strictly on your education to inform your development, you will be doing on-the-job-retirement real fast. You need that hacker ethic to drive you to try crazy stuff, stuff that average developers don’t think of. And you will need that hacker ethic to figure out how that new technology really works, as opposed to how it’s advertised to work. Whether you are in Denver, Bangalore, Beijing, Sao Paulo or Cape Town. Then if you work for some doofus like Mr. Nayar, you can always walk across the street and get something better once you get enough experience. On his dime. And how sweet is that.

Last Chance for a Stolen Laptop

I came across this interesting little program that might act as a last resort if your laptop gets stolen. While it is certainly no substitute for full disk encryption, which is what you should really be using to protect your data, I recognize that there are some situations where you cannot use full disk encryption. Like say when your employer refuses to allow you to install something on their hardware that would prevent them from accessing the data thereon. If that’s the case then while you are attempting to drag them into the 21st century you should give Prey a shot.

Prey helps you find your stolen laptop by sending timed reports to your email with a bunch of information of its whereabouts. This includes the general status of the computer, a list of running programs and active connections, fully-detailed network and wifi information, a screenshot of the running desktop and — in case your laptop has an integrated webcam — a picture of the thief.

Prey can use a web URL to check if it should generate and send the report, so you have a way of alerting remotely the program whenever your laptop disappears. It can (and should) be run as root so it doesn’t depend on an active user session to run, but only on a successful boot.

You may be thinking “but what’s the point of this program if the guy will probably just format the thing right away?” and you’re completely right. However, experience shows that thieves tend to look in stolen computers for valuable information, so there’s actually a chance you can catch the guy (and there’s even some successful cases!).

The best part about Prey is that it runs on Mac OS X, Linux and Windows, is Open Source licensed under the GNU General Public License v3.0 and is completely free. As in free speech and free beer. So it won’t cost you a thing to try it out.

But as I mentioned before, if it’s portable it should be encrypted. Period. If your employer is balking turn them on to TrueCrypt, another open source and free multi-platform software package. If they insist on paying then they can get PGP Desktop. In the meantime use something like Prey.

Your Online Shadow

My ghost likes to travel so far in the unknown
My ghost likes to travel so deep into your space
from “Growing Up” by Peter Gabriel

Almost everyone these days has an online persona. A shadow identity or ghost of our physical selves. Not to get too metaphysical, that’s just what happens courtesy of Google when you decide to have a Facebook, LinkedIn or MySpace page or blog or even Twitter. These services allow us to reach unimaginably large audiences with our self-generated content. According to Security Bloggers Network member Martin McKeay’s web page counter, his Network Security Blog has received over 24000 hits in a single day. The blog has 3221 subscribers through Feedburner. Certainly the average internet user is not nearly as well known, followed or prolific as Martin (aka “Captain Privacy”), but neither are they invisible. Laura Spencer, in this article for the FreelanceFolder, has this to say about your online shadow.

A couple of times every month I browse on over to Google and search for my own name to see what the results will bring. After I’ve done that, I type in the name of my website and run the search engine again.
Checking your online reputation like this is something that every freelancer should do on a regular basis. I wouldn’t recommend stopping with Google, either. You should also check on Twitter and on other social media sites.

While it might seem vain to search for yourself online, it’s actually an important step in protecting your online reputation. If you do business online, then you should not only be checking on but also working to protect and manage your online reputation.

What You Can Learn From Your Online Reputation
Every time you search for your own name on Google or Twitter, you can learn several important things:

  • What people are saying about your business. If you have an unhappy customer, it’s possible they won’t express that dissatisfaction to you. Instead, they may blog about their dissatisfaction or comment negatively about your work on other sites. Sometimes, untruths and misinformation are spread about your company online without your knowledge.
  • Whether your work is being used without permission. As a freelance writer, my work is often “scraped” by plagiarists and used on other sites without my permission. Many plagiarists are careless about stealing my work — often my name remains with the piece. A quick search can turn up my articles on sites that I never submitted them to.
  • Whether someone else is using your personal or business name. As a freelancer, your name and your business name are important. But, are you the only one using your name? With a few quick searches, you can determine who is using your name online. If another individual or business has the same name, how are they using that name? Do they appear to be reputable?

This same advice is particularly applicable to high school or college students who utilize Web 2.0 as a major source of self expression and communication with friends. I saw a documentary about teens and social networking [I can’t remember where – I’ll post a follow up when I do] wherein a high school girl was bemoaning the insensitivity of her parents who had [gasp!] forced her to reveal her MySpace password. Presumably so they could monitor her activities. The primary complaint with this intrusion into her privacy was that MySpace was a “private place where she and her friends could express themselves freely”. Okay… About all I can say to that is that she better hope that her parents do a really good job of censorship now or she may have a rude awakening when potential employers, years later after college, discover all that wicked cool [to a teenager] stuff that she posted. And her friends posted. And her ex-friends posted. This could get ugly.

Gina Trapani has this article in Lifehacker all about how you can monitor your online shadow in a fairly automated way.

You already know how well your name Googles affects how strangers and potential employers find and perceive you. Short of Googling yourself every week, how do you keep tabs on your name or your product or company’s Google-ability?

Most search engines offer feeds of their results, but compiling them one by one is a time-consuming pain in the tuckus. Using a simple tool called MonitorThis, you can get ego search results from over 22 engines into your newsreader in one shot.

Since Google’s not the only game in town, you might want a more comprehensive look at where your keyword appears on the net, across blogs, photo search sites and more. MonitorThis is a simple web page that can construct a subscription list of search result feeds in one click. MonitorThis includes results from Technorati, MSN News, Flickr, Yahoo and MSN, among others.

What MonitorThis does is construct an OPML file which you can import to your newsreader.

The article includes step-by-step instructions on exactly how you would set this up. Adam Pash in this Lifehacker article has yet another idea for tracking your not-so-elusive online shadow if you are a Twitter user.

In a post-Twitter world, you can also use something like TweetDeck to create a persistent Twitter search to keep track of what’s being said about you online. (For example, we keep a fairly close eye on what people are saying about Lifehacker this way, so that if people are having issues with the site or complaints with a post, we can address them as necessary.)

Remember, the first step is realizing that you have an online shadow and that like Peter Gabriel, your ghost likes to travel so far into the unknown. You can’t control how far it travels, but you can guide it. Or at least find out what trouble it has got itself into on the way.

Moving on

“à tout le monde, à tous mes amis, je vous aime, je dois partir”
“To everyone, to all my friends, I love you, I must leave”
“A Tout Le Monde” by Dave Mustaine (Megadeth)

Although I’ve always kept my employer anonymous in this blog, a fair number have guessed that in real life I work for none other than Alan Shimel at StillSecure where I’ve been primarily developing the Safe Access NAC product. Until now. Next week I’m starting at a new position with another company. A large enterprise imaging company who will remain anonymous so as not to be compromised by my rants and ramblings here. Don’t worry, Security For All will continue. I’ll just have different security issues to rant about.

But before I leave StillSecure I’d like to acknowledge and share what a great experience it’s been to work here. Without a doubt the most brilliant engineers and scientists I have ever encountered were encountered at StillSecure. It has been a humbling and often intimidating experience for me. Yeah, I know I just used “humbling” and “me” in the same sentence. But it’s true. It’s also been the wildest ride in terms of hard core learning and experience that I’ve ever been on. Like drinking from a fire hose. Every single day. With the result that when I accurately represent my StillSecure work experience on a resume, folks assume it’s padded. And I’m not alone. In truth I’m pretty average for talent at StillSecure. To be clear, this move is definitely not due to any problems betwixt myself and StillSecure. On the contrary, working here has opened up new career opportunities for me. One of which was just too good not to take.

So to set the record straight and in homage to one of my favorite TV shows, Mythbusters, I’d like to address some myths and rumors about StillSecure. So without further ado…

Myth: StillSecure is not doing well.

If by “not doing well” you mean growing the business  in terms of both revenue and product offerings while keeping costs low and winning prestigious industry awards all during the worst economy since the great depression, then I guess you’re right. Seriously though, StillSecure is not only surviving but thriving. And congrats to CEO Rajat Bhargava who is a finalist for the Ernst & Young Entrepreneur Of The Year® 2009 Award for the Rocky Mountain Region.


Myth: StillSecure is a tiny code monkey sweatshop with Dilbert-esque cubicles in a dark warehouse.

Actually there are no cubicles at StillSecure, rather a “bullpen” arrangement that facilitates agile development. The execs and admins use the same arrangement. Right now I’m sitting at my desk, looking out the window (actually a whole wall of windows) onto the front range of the Colorado Rockies. The StillSecure offices are in Superior, Colorado, located approximately half way between Denver and Boulder on highway 36. On the upper floor above “Old Chicago” [restaurant], “Super Joe” [coffee shop] and “Superior Liquor” [booze]. That just about covers all the major food groups. I’m trying hard to imagine a more beautiful place to work. Sorry, I can’t.


Myth: McAfee/Symantec/SomeOtherBigSecurityCompany is waiting for StillSecure to tank so they can get the technology at fire sale prices.

If this is true, then like Rudyard Kipling’s Elephant’s child, who was waiting for his nose to shrink back to normal after being stretched into a trunk by the Crocodile on the banks of the great grey-green, greasy Limpopo river, they will have to wait a long time. Also they might want to let the senior sales guy, who just had his best quarter ever in Q1 and looks to beat that in Q2, in on the secret. Or they might want to watch their backs.


Myth: Alan Shimel is now kinder, gentler and less profane than the notorious Alan “I hafta call BS on that” Shimel of the past.

Okay, you got me. This really is a myth. In real life he’s, well, Alan. Don’t try to BS him. But he is kind to many if not most children, dogs and salesmen.


So there you have it. I’ll end by thanking Alan Shimel and Mitchell Ashley (no longer at StillSecure but still Alan’s co-host of the StillSecure, After All These Years podcast) for hiring me at StillSecure and encouraging me to blog. And all of my colleagues at StillSecure. This experience has been truly outstanding.

So long and thanks for all the fish.