Josh's Blog

Entries from December 2008

Saturday, December 20. 2008

All the Free Tech Support You CAN Handle!

So no doubt, in good Christmas fashion, the geeks of the world will make their treks home, and fix lots of broken computers for all their friends and family.

So far this year, the most impressive for me is an aunt who managed to not install any Windows updates since 2004, and amazingly had no viruses.
Posted by Josh Bressers in Random at 11:27 | Comments (0) | Trackbacks (0)

Tuesday, December 16. 2008

New Firefox

There's a new Firefox out:
http://www.mozilla.com/en-US/firefox/3.0.5/releasenotes/

Get it while it's still hot.
Posted by Josh Bressers in Security at 21:07 | Comments (0) | Trackbacks (0)

Monday, December 15. 2008

A purple fish and 10 threats

This story is titled Top 10 Threats to Computer Systems Include Professors and Students, but really interesting part is talking about someone dressed up as a purple phish.

Apparently Karen McDowell from the University of Virginia spent several days dressed up as a purple fish (literally, a purple fish, follow the link, there's a picture), to raise awareness of phishing on campus.

I question if anyone doesn't really understand what phishing is any more. I'm sure lots of people don't know it's called "phishing", but they should be aware of all the scam emails they get.

The thing that comes to my mind every time I read a story like this is "Why isn't this a problem with snail mail and telephones?". The short answer is that those things cost money, and are easy to stop. email is basically free, and you can send it from virtually anywhere. A silly person probably now thinks "well, let's start charging for email then!", which my reply is "go away".

The possible solutions are probably:
1) Fix the mail servers (prevent the mails from ever being sent). Part of the magic of SMTP is how flexible it is, so that's likely not a good option.

2) Fix the email clients. This is probably a good place to start. As phishing is part of the spam problems, many clients do a nice job of weeding out the junk.

3) Fix the web browsers. The phishers usually need the victim to visit a bad site to steal information. Most web browsers now have various blacklists for malicious sites. I've been wondering though. What if we have browser whitelists. Let's say I enter a password into a password field (no sane person is going to enter a password into a textbox). The browser should ask me if I should allow this site to accept this username/password. Then when I end up at a phishing site, the browser will pop up a big warning, noting that I'm typing in my bank username/password, but I'm really at evilsite.com, is this OK? Sure some people will click OK, but many will probably notice a problem. This could also be a silly feature, who knows. Things like RSA tokens could be a big help here too, but one can only carry around so many of those before your key chain won't fit in your pocket.

4) If you're silly enough to fall for this, you deserve to lose your money. Darwinian evolution at work (or maybe it's intelligent design).
Posted by Josh Bressers in Security at 19:55 | Comments (0) | Trackbacks (0)

Saturday, December 13. 2008

When whitelists attack

So this troll disguised as a story emerged this week:
http://www.bit9.com/news-events/press-release-details.php?id=102

I presume this is one of those "hey look at me" sort of press releases, where they hope by saying something that's borderline crazy, it will get them more attention.

It's working.

So these people put together a list of ‘The Dirty Dozen’ - 2008’s Most Popular Applications with Critical Security Vulnerabilities.

But then they list their criteria, which are a number of silly thing, but the one that sticks out is this:
The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.

So their list should really be called: 2008's Most Popular Products that work better than the crap Microsoft ships.

As part of their press release they list the top 5:
- Mozilla Firefox, versions 2.x and 3.x
- Adobe Acrobat, versions 8.1.2 and 8.1.1
- Microsoft Windows Live (MSN) Messenger, versions 4.7 and 5.1
- Apple iTunes, versions 3.2 and 3.1.2
- Skype, version 3.5.0.248


Well, except one of them is a Microsoft product, so my name is a little inaccurate.

I would be surprised to see an organisation that doesn't use Adobe Acrobat. I suspect Adobe Flash Player is also on the list somewhere.

You could probably put up an argument that iTunes and Skype don't belong on a corporate network. Firefox is my browser of choice, and I don't know many people who think IE is better. If it increases employee productivity, it's a good thing.

This sounds to me like Bit9's selling point is that if you're using broken tools that can't properly manage a robust IT infrastructure, don't get tools that work, let them help you minimise worker productivity and increase IT costs (by buying their tool) at the same time!
Posted by Josh Bressers in Security at 12:17 | Comment (1) | Trackbacks (0)

Wednesday, December 10. 2008

Insecure Belt Tightening

So while the worldwide economy is busy self destructing, there is a potential security impact I'd not really thought about:
Security risks rise as companies cut tech budgets.

This makes perfect sense. Budgets need to be slashed, and the places that don't actually make money, will probably see the biggest cuts (like security). You're going to have outgoing employees that have who knows what on their home computer. And don't forget a bunch of now unemployed people with skills that they could easily use to make some cash on the black market.

They say that every society is only three meals away from revolution. This holds true for individuals. I suspect most dishonest people started out as honest people in a bind. Morality is often a trait of the comfortable.
Posted by Josh Bressers in Security at 21:01 | Comments (0) | Trackbacks (0)

Tuesday, December 9. 2008

The business of security secrets

It's no secret that I don't think obscurity is a security feature (it's not, it doesn't work). It seems the Chinese government wants computer security technology to be submitted for government approval.
http://www.google.com/hostednews/ap/article/ALeqM5jDnJ0C2BTOmQa_hn3Kw0dph-EfoQD94UJST00

I'm sure that this is really more political than anything, but this is really the way it should work. Security is too important for it to be a closed up black box. My favorite example of this has to be the Sniffex device. A company had a product that did literally nothing, but called it a bomb detection device, so people bought it. Granted, testing such a physical device such as this is a lot easier than deciding if a given algorithm is properly implemented, but it's the same basic idea. When you trust a black box device manufacturer for a product you need because dishonest people exist, there is quite a bit of irony there. Who will you trust to trust the device maker?

All software has bugs. If you hide how your tool works, it's quite unlikely that the good guys will notice your mistakes. It's also quite likely the bad guys won't notice either, but that's a most dangerous bet to make.
Posted by Josh Bressers in Security at 21:06 | Comment (1) | Trackbacks (0)

Monday, December 8. 2008

Secretary of Cyberspace?

Well, probably not.
http://newsblog.projo.com/2008/12/by-john-mulliga-5.html

But I wonder if this will work. Most of these people really mean control when they talk about security, not actually keeping out bad guys. The Internet tends to avoid control in amazing ways. I don't think it's a secret that a lot of companies have horrible computer security. It seems there's a new data breach story every day.

I'm not sure if I know the answer to all this, or if I even really understand the problem, but I suspect that government intervention isn't going to solve anything. The thing that keeps appearing in my mind is why aren't there any computer professionals? I'm not talking about people paid to work with computers, but think of the universe of Engineering. There is something called a Professional Engineer. It basically is a certificate that proves you are actually an engineer, not someone pretending to be one. Perhaps using a doctor as an example is better. While yes, just having a medical degree doesn't mean you're any good, it does carry a certain level of understanding. I'd probably trust someone with an MD that a lot more than some guy who owns a stethoscope and works out of the local pub.

I often wonder if part of the horrible state of computer security are the result of people in way over their heads, trying to operate on an old wooden table.
Posted by Josh Bressers in Security at 21:28 | Comment (1) | Trackbacks (0)

Friday, December 5. 2008

Teeny Tiny Computers

So I read this story:
http://arstechnica.com/news.ars/post/20081204-a100-midget-pc-at-the-local-dollar-store-not-so-fast.html

and can't help but wonder. Do these little machines get security updates? I can't imagine a computer sold for $100 at the grocery store is going to be touting security as one of its features.

People are already horrible about keeping their computers updated, and if you suddenly unleash an army of vulnerable computers upon the world, I can only imagine what that would mean.

Also, it's been a painfully long time since I've posted anything. I do need to find some time in my busy life to keep this blog updated.
Posted by Josh Bressers in Security at 11:11 | Comments (2) | Trackback (1)
(Page 1 of 1, totaling 8 entries)

Calendar

Back December '08 Forward
Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      

Twitter


Quicksearch

Archives

March 2010
February 2010
January 2010
Recent...
Older...

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog