Category Archives: Security

Virus Alert From A Friend Of Mine

3 Replies

This just in from a tech buddy of mine.
I’m not trying to cause alarm, but if you’re running Windows, how about you kinda drop everything you’re doing and install the latest Microsoft security updates real quick, so you’ll be prepared when this latest security hole is inevitably exploited.

Microsoft has yet another very serious security flaw that give anyone with the right know how total ccess to your computer. I don’t know all the details – but it might be the biggest one yet. If you remember the SoBig virus last fall – this one will similar in that it doesn’t require you to get email for you to be attacked or hacked.
I say “will be” because right now there is no virus. But the flaw is there and it will be a matter of days before someone write a virus to take advantage of the flaw. And – your anti-virus software will have no effect. Microsoft has posted a patch and that is how you protect yourself – download and install that patch.
Here’s the link to Microsoft’s Windows Update:
http://windowsupdate.microsoft.com
I am also asking that those of you who have blogs and newsletters and high traffic web sites post this warning on your front page and include it in your newsletters. The best defense to this virus is to stop it before it begins. As you all know – this virus will affect non-windows users in that the new viruses turn windows computer into spam robots and we are still getting the bounce messages from the last virus. Let’s see if we can stop this before it starts by first – patch your computer now – then – tell everyone to patch theirs. You can cut and paste this warning into your blog or newsletter.

Bruce Schneier On Why Computer Profiling Sucks (Ahem. Why It’s Ineffective At Catching Terrorists)

1 Reply

Security God Bruce Schneier explains why computer profiling as a preventative measure for detecting potential terrorists just doesn’t work. At all.

Terror Profiles By Computers Are Ineffective
By Bruce Schneier for Newsday.

Even those who say that terrorists are likely to be Arab males have it wrong. Richard Reid, the shoe bomber, was British. Jose Padilla, arrested in Chicago in 2002 as a “dirty bomb” suspect, was a Hispanic- American. The Unabomber had once taught mathematics at Berkeley. Terrorists can be male or female, European, Asian, African or Middle Eastern. Even grandmothers can be tricked into carrying bombs on board. One problem with profiling is that, by singling out one group, it ignores the other groups. Terrorists are a surprisingly diverse group of people.
There’s also the other side of the trade-off: These kinds of “data mining” and profiling systems are expensive. They are expensive financially, and they’re expensive in terms of privacy and liberty. The United States is a great country because people have the freedom to live their lives free from the gaze of government, because people are not deemed suspects for possible future crimes based on extensive surveillance sweeps. We as a people believe profiling is discriminatory and wrong.
I have an idea. Timothy McVeigh and John Allen Muhammad – one of the accused D.C. snipers – both served in the military. I think we need to put all U.S. ex-servicemen on a special watch list, because they obviously could be terrorists. I think we should flag them for “special screening” when they fly and think twice before allowing them to take scuba-diving lessons.
What do you think of my idea? I hope you’re appalled, incensed and angry that I question the honesty and integrity of our military personnel based on the actions of just two people. That’s exactly the right reaction. It’s no different whether I suspect people based on military service, race, ethnicity, reading choices, scuba-diving ability or whether they’re flying one way or round trip. It’s profiling. It doesn’t catch the few bad guys, and it causes undue hardship on the many good guys who are erroneously and repeatedly singled out. Security is always a trade-off, and in this case of “data mining” the trade-off is a lousy one.

Continue reading

The EFF Asks: Who Controls Your Computer?

Leave a reply

The EFF released the following advisory a while ago. The concerns still stand.
Check it out.

EFF Reports on Trusted Computing
San Francisco – The Electronic Frontier Foundation (EFF) on Thursday published a landmark report on trusted computing, a technology designed to improve security through hardware changes to the personal computer.
The report, entitled “Trusted Computing: Promise and Risk,” maintains that computer owners themselves, rather than the companies that provide software and data for use on the computer, should retain control over the security measures installed on their computers. Any other approach, says the report’s author Seth Schoen, carries the risk of anti-competitive behavior by which software providers may enforce “security measures” that prevent interoperability when using a competitor’s software.
“Helping computer owners defend their computers against attacks is progress in computer security, but treating computer owners themselves as the bad guys is not,” said Schoen. “Security architectures must be designed to put the computer owner’s interests first, not to lock the owner into the plans of others.”
Links:

For the full press release

EFF report: “Trusted Computing: Promise and Risk”

EFF companion commentary: “Meditations on Trusted Computing”

CNET story about the EFF report

Microsoft’s Trusted Computing PCs Trust Everyone But You

1 Reply

A Safer System for Home PC’s Feels Like Jail to Some Critics
By John Markoff for the NY Times.

In an effort to retain the original open PC environment, the Microsoft plan offers the computer user two separate computing partitions in a future version of Windows. Beyond changing the appearance and control of Windows, the system will also require a new generation of computer hardware, not only replacing the computer logic board but also peripherals like mice, keyboards and video cards…
“This will kill innovation,” said Ross Anderson, a computer security expert at Cambridge University, who is organizing opposition to the industry plans. “They’re doing this to increase customer lock-in. It will mean that fewer software businesses succeed and those who do succeed will be large companies.”
Critics complain that the mainstream computer hardware and software designers, under pressure from Hollywood, are turning the PC into something that would resemble video game players, cable TV and cellphones, with manufacturers or service providers in control of which applications run on their systems.
In the new encrypted computing world, even the most mundane word-processing document or e-mail message would be accompanied by a software security guard controlling who can view it, where it can be sent and even when it will be erased. Also, the secure PC is specifically intended to protect digital movies and music from online piracy.
But while beneficial to the entertainment industry and corporate operations, the new systems will not necessarily be immune to computer viruses or unwanted spam e-mail messages, the two most severe irritants to PC users.
“Microsoft’s use of the term `trusted computing’ is a great piece of doublespeak,” said Dan Sokol, a computer engineer based in San Jose, Calif., who was one of the original members of the Homebrew Computing Club, the pioneering PC group. “What they’re really saying is, `We don’t trust you, the user of this computer.’ ”

Continue reading

Some Constructive Suggestions Towards Stopping Identity Theft

Leave a reply

Here’s a nice article about the subject that isn’t just trying to scare you, and actually tries to answer the question “What can really be done about it?”:
Some Simple Solutions to Identity Theft
Credit agencies must be more vigilant. A first step: quickly and routinely alerting consumers that their credit histories have changed
By Alex Salkever for BusinessWeek.

Most of the damage could easily have been prevented if the credit agencies adopted the common-sense practice of directly notifying individuals whenever a change on his or her report occurs, and whenever a third party accesses their credit report. Yes, it might cost the credit agencies more in overhead. But credit agencies spread such costs around to customers, banks, car dealerships, and others that pay to access consumer credit ratings. How hard is that?
This criminal case has many security experts worried because it points up some glaring weaknesses in credit reporting. Your credit information — in effect, your financial identity — can easily be stolen by alert thieves with access to sensitive information. Yet, credit agencies don’t share with individuals what’s going on with their credit reports — unless consumers ask. This anomaly will become a national economic issue as identity theft grows.

Continue reading

War Driving Has Become Out Dated – Time for Peace Driving

2 Replies

How nice to see an article come clean with the real reason for all this fuss about Wardriving: to sell people an overpriced solution.

But to computer-security experts, “war-driving” has turned into a marketing opportunity. Past war drives embarrassed a number of companies, and in preparation for the big event this weekend, some of these experts have been pitching their services.
This week, for example, International Business Machines Corp. has been urging sales representatives to warn corporate clients of the need to secure their wireless networks. The merchandising tie-in: Your network can be safeguarded by an IBM security service that goes for $15,000 to $30,000.

However, it was still rather sad to see the rest of the usual inaccurate bullshit about Wardriving that is always included in these articles.
Hackers target wireless networks
By William M. Bulkeley
Hopefully I’ll have time to clarify this puppy in greater detail over the weekend — it really, really needs to be done. While explaining this whole concept of taking connectivity without asking for it — they’re leaving out the payback:
free universal connectivity!
So yeah, some guy walking down the street can get his email with his PDA while he walks by my house FOR FREE! And I can do the same while I’m walking by his house. How cool is that!?
Or how’d you like to check your email/surf the web while you’re waiting for the Bus (that’s always late), or waiting for that band to come on, or waiting to hear about that one business deal while you’re in the waiting room about to make another. All that kind of stuff can happen cheaply — in a way that everyone can afford — using community wireless networks.
And your schools and libraries all have connectivity because it’s just there.
This universal connectivity is what this kind of paranoid propaganda is fighting against. They want us to have to pay somebody for it somewhere, every time we connect, every time we use a different device, everytime we access an application even.
If we work together, we can just pay what we’re already paying for at home and have easy wireless connectivity away from home, when we often need it most for whatever device we have around at the time, wherever we happen to find ourselves.
If big business wants to provide a wireless network that’s cheaper and easier to use, let it. It will have to charge reasonable prices however, if it has community networks competing with it.
We don’t need a World Wide Wardriving day — every day is World Wide Wardriving Day. We need a better word for it — one without “war” in it.
Perhaps that was the first mistake.
Or perhaps a community-based movement has evolved since then —
a Peace Driving movement.
Perhaps I’ve said to much 🙂

Continue reading

What the FBI Doesn’t Get (About Wireless Security)

2 Replies

A week or two ago, the FBI got freaked out about wireless networks.
Their conclusions were confused, at best. Luckily Paul Holman, Theodore Pham,
Merin McDonell, and Skyler Fox had a nice mailing list thread to help put everything into perspective.
Thanks to Paul, Theodore, Merin, and Skyler for giving me permission to publish this email exchange in-tact.

(Theodore Pham) Say I forget my wallet containing my credit cards in a restaurant. Wardriving/warchalking is essentially posting a sign saying my wallet is sitting their out in the open and it contains credit cards. That signage in and of itself is NOT THEFT. But the moment someone uses my credit cards without my specific permission IS THEFT. My credit cards should NOT be
considered a public resource just because I FORGOT to put my wallet back in
my pocket out of public access.

(Merin McDonell) I think your wallet analogy is wrong. I think an apple tree is better. You have a nice big apple tree in your back yard and the apples fall in your neighbors yard and in the alley. Is it a crime if people eat the apples that
are on the ground and off your property? If you DON’T want anyone to eat any
of the apples that grew on your tree, if for some reason you need all 347
apples, you could trim your tree so that all the branches end right on your
property line and all of the apples would fall in your yard. Done.

Continue reading

When DRM Goes Wrong You Get Palladium

Leave a reply

Slashdot interviewed Ibiblio Director Paul Jones.

DRM is the general term for the groups of solutions to the need for creators to be compensated for their work while allowing their audience to easily access those works. Or at least that would be ideally what DRM should do.
When DRM goes wrong, it tramples on the rights of the citizens to have access to information that they have legally purchased, want to criticize, parody, legally reuse or share.
When DRM goes wrong, it creates barriers to innovation and creativity. It biases access and reproduction of information to only certain technologies.
When DRM goes wrong, it creates and perpetrates closed markets and monopolies.
When DRM goes wrong, everyone suffers. It takes us back to the Stationers Guild, a response to the printing press. “The Stationers Guild obtained monopoly rights in the printing and probably distribution of all books, a monopoly codified by the Tudors in a licensing system aimed at censoring religious dissent” which lasted until the early 1700s.
When DRM goes wrong, it is called Palladium.
The good news is that Palladium is vaporware – so far.

China Figures Out How To Spy in the Year 2002

Leave a reply

I’m not saying this story is true (consider the source 🙂 — but if it was true, China would sure be smart.

Why bother with all of the usual Double Agent hassles when you can just sit back and hack into the entire military industrial complex from the comfort of your own home?

See the LA Times story by Eric Lichtblau:
CIA Warns of Chinese Plans for Cyber-Attacks on U.S..