There's logging out, and then there's logging OUT
Here's an interesting idea...two-tier logouts:
I found this example at Linkedin.com. I wonder if this will become a widespread notion. In these days, could it hurt?
Posted on February 28, 2008 at 08:48 PM | Permalink | Comments (0) | TrackBack
My Digital Signature Adventure, Day Two
Today started with me requesting a digital certificate from Thawte "at the freemail level of assurance" for a POP3 email address I use that's different than the one I used yesterday to create my own digital signature. I intend to try to use both addresses as I continue to explore how digital signatures work.
These certificates are in X.509 format. There's still no Eudora support, so I chose to request one in Mozilla Firefox/Thunderbird format. (It's ironic that down the road, Thunderbird and Eudora will be merging, but they haven't yet.) The first thing I discovered: I can't request the Mozilla certificate from within Internet Explorer (makes sense, I guess).
So I requested one from within Firefox. Then I had to choose which email address to select for the certificate:
"Most mail clients support S/MIME and can use these certificates if you include your email address."
Next, Thawte had this to say:
"Strong Extranet Identities
"thawte offers a very simple but powerful 'extranet certification' system which enables organizations to certify their partners, customer, suppliers or employees, and to use these certificates for access control to secure web servers. The 'Strong Extranet' is the easiest way to migrate from username/password access control to certificate-based access control.
"If you have been certified as a member of any extranets the relevant identities will appear below. Check those you wish to include into this certificate."
None are listed. So onward I go.
"Accept Default Extensions
"The newest versions of the certificate standard allow you to embed a series of certificate extensions into your digital certificate. These extensions will influence how the certificate can be used by applications. You can safely skip this page by accepting the default extension configuration."Advanced Users: Configure Certificate Extensions
"Click "Configure Certificate Extensions" to customize some of the more common certificate extensions. Don't choose this option unless you know what you are doing."
Out of curiosity I click on "configure certificate extensions" and find this scary bit of text that stops me cold:
"Please note that the extension options below are not for the faint of heart. You probably won't trigger a Vogon invasion of Earth if you press the wrong button, but you might cause weird behaviour in some otherwise-normal software. Don't fiddle with this unless you've been told to, or unless you're a born fiddler."
With that, it's back to accepting the default extensions! But there's no "back" button so I have to start the process again and get back to that point.
"Public Key
"Your Personal Certificate will contain a public key. People will use that public key to encrypt information for your eyes only. If the drop-down listbox below does not include 1024-bit keys, then you should update your browser to full-strength crypto by downloading a new browser from Netscape. If for some reason you cannot do that, then try installing Fortify to upgrade your browser to full-strength crypto."
Firefox lets me choose between 1024-bit keys (medium grade) or 2048-bit keys (high grade). I choose 2048-bit keys.
"You can continue your request by pressing "Next" below. If necessary your browser will walk you through the public key generation process."
I continue.
"Confirm Netscape Certificate Request
"You are about to complete the certificate request process. Please look at the following summary and make sure that everything is correct. Once you press "Finish" below you will be unable to edit or alter the contents of this certificate!"The certificate will have a distinguished name that looks like this:
Common: Thawte Freemail Member Email: [my email address] "If you need a certificate with your full name in it, then you need to join the Freemail Web of Trust.
"It may also include at least the following extensions:
"X.509 SubjectAltName
"This certificate contains a set of alternative names for the certificate subscriber. They are listed below:
- Email: [my email address]
"Please note that we will also add a BasicConstraints, and ExtendedKeyUsage and an authorityKeyIdentifier.
"If you are happy with this, press "Finish" below. If not, please use your back button to select the correct distinguished name and certificate extensions for this request."
(Once again, frustration! Firefox opened this dialog in a pop-up window with no back button. What the heck -- forward I go.)
"Personal Certificate Requested
"Your personal certificate request has been committed to our database. You can track the status of all your certificate requests through the Certificate Manager. You will also receive email notifying you of major status changes for this request. For example, when your certificate has been issued and is ready for you to download, or when it is revoked, or when it is about to expire, our system will send you a cautionary message."Certificate Manager Page
"To go to your Certificate Manager page, within your account, click here.
"Your certificate should be at the top of the list. Click on it to view the current status. When your certificate is issued you will download it directly from that page!
"Get the most from your digital certificate with these products and services.
"S/MIME In Communicator And Later
"If you are using Netscape 3.x then you will not be able to use S/MIME for secure email and news. Upgrade now to Netscape 4.x or later to encrypt and sign your email!
"Non-US Users Can Get 128-bit Crypto!
"International users of the English version of Netscape Communicator 4.5x and earlier, which supports only 40-bit encryption, can upgrade their software at no cost to support full 128 bit encryption using the Fortify tool, available from https://www.fortify.net/download.html. Users of of the export version of Netscape Communicator 4.6 and later will have 128-bit encryption enabled already."
So now I wait for an email from Thawte. I'll have to install the Mozilla Thunderbird client in order to test this out, but that's work for another day.
Posted on October 18, 2007 at 04:52 PM | Permalink | Comments (2) | TrackBack
Perfect timing: Moderating the Smartphone Summit security panel
With Apple's announcement of the iPhone SDK, and plans to become a trusted source of certified third-party applications for the iPhone, the mobile phone industry is now challenged not to head back down the same path as the PC did, where malware, spyware and viruses broke the trust that the public once had when downloading applications.
I'm pleased to have a contribution to this conversation. Next Monday, I will be moderator of a panel in San Francisco, "Smartphone & Wireless Security: Steps to Safeguarding Your Business," at 2:00 p.m. at the Smartphone Summit.
The future of downloadable applications is at stake. Can we trust Apple, the other handset makers, and the carriers to do application security right? Will the certificate authorities step in and do it instead? Or will we continue to suffer through countless "trust me?" challenges from our devices? If the answer is the latter, I believe the notion of the downloadable application may be as doomed as so many pundits say it is. And that would make the public and all its most confidential information totally dependent on service providers.
Posted on October 18, 2007 at 08:55 AM | Permalink | Comments (0) | TrackBack
My digital signature adventure, Day One
We learn by doing. Some of us learn later than others.
When I listened to an old Security Now! podcast recently, and Leo Laporte told Steve Gibson that he digitally signed all his emails, I resolved then and there to start doing so myself. If Leo can do it, I can do it!
Of course, I'm still not sure what to tell the recipient of my signed email to do with that signature, but just sending signed email seems to me to be a great start.
My email client's old and out of fashion, the operating system is even older, but before I chuck both and just use Gmail or something, it's time once and for all to see if I can digitally sign my emails for the first time.
My email client: Eudora 7.0. The operating system: Windows 2000. There's probably a lot more of these out there than you might think.
First, I download GPG4Win. I click install. It tells me:
Welcome to the installation of Gpg4Win. GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.
This is GPG4Win version 1.1.0. file version 1.1.0.407. release date 2007-05-24.
I deliberately didn't choose the newest version available, figuring an older one would be more stable. But the Web site gave me no advice on this matter.
I'm installing the following: GNU Privacy Guard (not optional), GNU Privacy Assistant (GPA), Windows Privacy Tray (WinPT), GPG Explorer Extensions (GPGee), and Novice Manual. Installed to c:\Program Files\GNU\GnuPG. Added to Start Menu (Eudora folder), Desktop, and Quick Launch Bar.
When I opened the GPGee Manual, the beginning amused and frightened me:
GNU Privacy Guard, or GPG, is the premiere open source implementation of OpenPGP encryption. It is secure, free and open, versatile, and about as user friendly as toxic waste.
After installation, I wasn't sure what to do next. After I clicked on something one too many times, WinPT suddenly stopped working. Sigh. So I rebooted. This time up came the following dialog box:
I chose to generate a key pair (the option selected above). Doing this launched the key generation wizard:
Then I entered a passphrase to generate my key:
And finally, got this encouraging message:
Again, I wasn't too sure what to do next. But I knew Eudora needed its own plug-in to work with GnuPG and GPG4Win. I saw warnings telling me Eudora 7 didn't work with it, but other contradictory message saying that it did. There were also some old, broken links that didn't point to any Eudora plug-in, but finally I found this one and downloaded the plug-in (eudora-gnupg-plugin-2.0rc1.zip)from there. I unzipped the plug-in and read the English documentation. It told me to copy the file Eudora.GPG.dll into the plugins subdirectory of the directory where Eudora is installed.
When I restarted Eudora, new icons had appeared at the top. I created a test email. The new icon that lets me sign an email is at the top in the photo below, visible as a pencil icon (fifth from the right). Below it is the dialog box that appears when I want to enter my passphrase to sign the message. The "signing key" drop-down offers for me to fill the email address I gave when I generated the key pair:
The PGP signature got attached to my message, and the top of the message now states, "BEGIN PGP SIGNED MESSAGE".
I sent this test message off to my wife River, who received it and asked, "how do I know that's you?"
So that's where I stopped for Day One of my digital signature adventure. Another day, I'll try to find her an answer.
UPDATE: Apple's trying to answer River's question too, in order to open up the iPhone to third-party applications.
Posted on October 17, 2007 at 02:43 PM | Permalink | Comments (0) | TrackBack
Does the iPhone contain a big security blunder?
Steven J. Vaughn-Nichols raises quite an alarm regarding iPhone security:
"Now it seems that all applications run on the iPhone as root. Can you say biggest security blunder of the 21st century to date?"
This raises lots of questions for me. First, do any Mac OS X applications run as root as well? If not, why would Apple choose to run the iPhone applications as root?
Posted on October 3, 2007 at 04:05 PM | Permalink | Comments (0) | TrackBack
Does having a home server make you dorky?
Sun Microsystems CEO Jonathan Schwartz always has something interesting to say. Last night's remarks at a party at Burton Group's Catalyst North America conference were no exception. At one point, he took a straw poll of attendees, mostly CIO types, asking them how many of them had servers in their homes 10 years ago. Lots of hands shot up. Asked how many have one today, few hands were raised. Schwartz said when he arrived at Sun and learned that so many in the Sun community had servers at home, he thought to himself, "What a bunch of dorks." This remembrance prompted lots of laughs. He went on to describe how wonderful it is to have all these new Web services that store our data for us, and no doubt there are lots of advantages to this approach for lots of applications.
But I'm wondering if home servers are really an endangered species or not. Over at Calendar Swamp, I should be rejoicing about the huge number of services (Plaxo being the latest) that offer to manage your calendars in the great Web 2.0 cloud in the sky, right down to the newest devices (i.e. iPhone). But I remain reluctant to put that sort of information on someone else's server. Plaxo, to their credit, has a much stronger privacy policy than Google does, but it is merely dorky to wish, as I do, that I could run my own calendar server? Isn't that what the open source movement was all about? Someone needs to convince me that the same Internet subject to all sorts of security vulnerabilities is the same Internet that can keep my most personal information personal. I'm still waiting for proof. Do I concede that running my own server would be a bigger pain in the neck than I could ever want? Or do I imagine a future where servers just work (maybe because they're not Windows-based) and I don't have to outsource everything just to be secure? Does that make me a dork?
Posted on June 29, 2007 at 08:29 AM | Permalink | Comments (0) | TrackBack
Thawte needs to support more email clients
Nearly two years ago, I wrote this post looking for a cheap, easy way to digitally sign and encrypt my email. Recently I came across Thawte, which provides X.509 digital certificates for individual use, for free. Unfortunately, Thawte only supports Netscape Communicator/Manager, Internet Explorer, Outlook, Outlook Express, Lotus Notes (R5), Opera, and the C2Net SafePassage Web Proxy (acquired by Red Hat in 2000). I'd like to see Thawte support Apple Mail and Eudora, the email software in use in my family (and many, many other places). Or if Eudora isn't in the cards, how about supporting Firefox? Then I could use Gmail. But I won't tie myself to Internet Explorer just to use Gmail.
Posted on May 11, 2006 at 10:38 AM | Permalink | Comments (3) | TrackBack
The 36-hour patch
I timed how long it took Windows Update to run the latest security patch, from first bytes downloaded to installation completed, on my older Windows 2000 laptop. About 36 hours, over broadband! A good thing I didn't particularly care when it was going to ask to reboot the system.
Posted on April 17, 2006 at 10:55 AM | Permalink | Comments (0) | TrackBack
Stopbadware.org
There's a new forum collecting and discussing information about malware. Stopbadware.org includes a Google discussion group that I certainly hope makes it through the Chinese Google firewall.
Posted on January 26, 2006 at 11:49 AM | Permalink | Comments (0) | TrackBack
Apache's Ben Laurie exudes quiet confidence
When your software commands this kind of market share, you can afford to take FUD from your competitors in stride, even if that competitor is Microsoft. Apache Foundation's Ben Laurie had plenty more to say in my latest Opening Move podcast at IT Conversations. Unlike Eclipse, Apache isn't often the spotlight of podcasts, so I think it's a fascinating look at a very important open source organization.
If you want to see the Microsoft podcast that prompted me to contact Ben at last month's ApacheCon, you can find it here.
Technorati tags: Apache, ApacheCon
Posted on January 18, 2006 at 05:20 PM | Permalink | Comments (0) | TrackBack
Followup to yesterday's Apache security questions
I'm definitely engaging with the top Apache minds regarding security, following my post yesterday.
Paul Querna, who presented about Apache HTTP Server 2.2 yesterday at ApacheCon, replied in my comments:
"Can you please point to what smack microsoft is spreading about the security of apache?"
Sure. The most recent such talk I'm aware of comes from Microsoft IIS evangelist Brent Hill, interviewed on MSDN's Channel 9 in September.
Paul continues:
"'We' do take security very seriously. Its just not the most interesting topic for an ApacheCon presentation. There is a presentation about more generic 'Web Application Security', from the mod_security author on Wednesday morning."
Indeed, I attended that talk this morning, by Christian Wenz. It was a brilliant lecture and demo, frequently focused on PHP vulnerabilities. It didn't completely answer my questions, but it lays some great groundwork for a conversation I'll be having with Apache security expert Ben Laurie while I'm here. So I'll have my answers soon. Thanks Paul for adding your feedback.
Technorati tag: ApacheCon
Posted on December 13, 2005 at 11:30 AM | Permalink | Comments (0) | TrackBack
Apache security: An issue or not?
I'm in San Diego this week for my first ApacheCon. Microsoft continues to talk smack about security vulnerabilities in Apache HTTP Server, as compared with Microsoft's IIS Web server. I'm curious to hear the Apache side of the story. But nowhere on the agenda here, in the sessions or the BoFs, is there time devoted to discussing Apache HTTP Server security. Either Microsoft is exaggerating the problem, or the Apache Foundation is making a mistake by not addressing these accusations head-on, or both. I'll post more as I hear it here.
Technorati tag: ApacheCon
Posted on December 12, 2005 at 08:47 AM | Permalink | Comments (1) | TrackBack
Eudora 7 supports S/MIME
It's good to see a new version of Eudora that supports S/MIME. I've harped on secure email in the past, and would definitely prefer to stay with Eudora rather than switch entirely to Outlook. (Of course, I'm now using both, as well as Gmail.)
Technorati tags: S/MIME, Eudora
Posted on November 16, 2005 at 04:33 PM | Permalink | Comments (0) | TrackBack
Microsoft's IIS: good product, bad training and marketing?
According to a podcast from September to which I'm just now listening, Microsoft's Internet Information Services (IIS) 6.0 is more secure than Apache, has more granular access control than Linux or Unix, and runs ease-of-use rings around either. But in this podcast, Microsoft evangelist Brent Hill fumes about IIS's persistent bad reputation. Hill says security experts are still judging it by its 2001 track record, mistrained trainers are giving out bad advice in classes, security firms profit from continuing to promote obsolete fears, and Microsoft doesn't spend many marketing bucks to tout the new, improved IIS. As I prepare to attend my first ApacheCon next month, this has been fascinating listening. (None of which is to say Microsoft doesn't have other IIS problems, not the least of which is, it only runs on Windows.)
Posted on November 16, 2005 at 02:27 PM | Permalink | Comments (0) | TrackBack
Microsoft hoards bad-Web site info for its own profit
Listen to Leo LaPorte talk with Steve Gibson about "how Microsoft's 'HoneyMonkey' system works, how it finds malicious web sites before they find you, and what Microsoft is doing (and NOT doing) with this valuable security information it is now collecting."
It's shameful that Microsoft is putting profit before helping to create a more secure Internet. Leo and Steve praise Microsoft for telling us about HoneyMonkey in the first place; but in that action I see much more marketing than altruism.
Technorati tags: security, HoneyMonkey
Posted on September 15, 2005 at 06:50 PM | Permalink | Comments (3) | TrackBack
Corporations reject .Net runtime because of security fears
Adam Cogan, a MIcrosoft regional director (independent developer) from Australia, told a PDC press briefing today that he's glad Microsoft hasn't forced the .Net Framework runtime on all Windows users, essentially because it would increase the attack surface for security breaches.
How ironic, considering the whole idea of promulgating the runtime was to provide the installed base necessary for ISVs to rewrite their apps in .Net and thus abandon insecure unmanaged code.
Windows XP Media Center PC ships with the .Net runtime, and someone else at the briefing thought most of Dell's systems shipped to homes also includes .Net. I wonder if ISVs are writing more Windows managed code for homes than for businesses.
Technorati tag: PDC05
Posted on September 15, 2005 at 04:11 PM | Permalink | Comments (3) | TrackBack
Windows Update staggers under new worm attack
When a worm strikes Windows users, Windows Update experiences a denial-of-service attack, since so many users are trying to access it simultaneously to check for new security patches. So it is this week with Zotob and its mutations. Articles like this one from TechRepublic don't help: "It is important that you update your Windows system immediately with the latest patches." Uh, even if my system was updated last week (as it was)? Here's what Microsoft states as of today: "If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants."
Hmm, now, how can I easily tell if I have already installed that update? When I select "Review your update history" I don't see any reference to said security bulletin, only a bunch of patches referenced by Knowledge Base number. It seems like we're so near and yet so far from being able to help Microsoft reduce its Windows Update server load by being able to easily confirm ourselves that we're already protected.
Posted on August 17, 2005 at 02:49 PM | Permalink | Comments (0) | TrackBack
Sync at last
Ladies and gentlemen, we have sync.
In the end, it required me to spend an hour on the phone with Motorola tech support. (Handango was only the distributor and first-line support triage for Motorola's Mobile Phone Tools.) The solution involved tweaking the software as well as my Bluetooth profile. I don't remember all the steps the technician walked me through, but I recall at one point, it mattered whether I had Bluetooth-via-USB instead of straight Bluetooth.
Oh, and one last nasty surprise. I may have had to turn off my Windows Firewall to make it work! This morning, I've turned it back on. The next time I sync, I'll be watching to see if I have to turn it off again. Either way, I'll update this post accordingly.
Technorati tag: Bluetooth
Posted on July 27, 2005 at 06:48 AM | Permalink | Comments (0) | TrackBack
Bluetooth connection established, but sync remains elusive
I've purchased and downloaded Motorola's Mobile PhoneTools for a PC running Windows XP SP2. Its Bluetooth Setup Wizard seems somewhat duplicative of the previous Bluetooth setup I just went through, and smack dab in the middle of that, I've gotten the pop-up message: "Comm port Installation Failed." Mobile PhoneTools is a Handango product. No phone support. I submitted my problem to an online support form, and received the following reply:
"Thank you for contacting Handango Customer Support.
"Our Customer Support Team has received your request. Since some issues require time to research, our goal is to respond to you within 3 business days. Our email reply to your request will come to you from support@handango.com. Please make this email an approved recipient for future correspondence so our replies do not get caught in your spam filter.
"In the meantime, you may be able to find an answer on our Answer Database."
I didn't.
More than a year ago, my wife River got this Bluetooth sync stuff to work easily between a Sony Clie and a Windows PC. I'm not so lucky or skilled, I guess.
Technorati tag: Bluetooth
Posted on July 26, 2005 at 03:41 PM | Permalink | Comments (0) | TrackBack
Microsoft: No Bluetooth certified devices
This morning I'm installing a D-Link USB Bluetooth adapter so I can synchronize my new Bluetooth-enabled phone's address book (and maybe my calendar?) with my PC running Windows XP. Installing the D-Link software, I encountered the following Driver Signature Notice:
"Currently Microsoft does not have a certification program in place for Bluetooth devices. As a result, at this time it is not possible to provide certified drivers for Bluetooth devices. In the event that Microsoft implements a Windows Logo certification process for Bluetooth devices. signed drivers will be made available.
"To avoid receiving several prompts for signed drivers during the installation process, select OK to disable unsigned driver warnings, and proceed with the installation. The default warning option will be re-enabled at the completion of the installation of the Bluetooth drivers. This option is an effort to provide the best customer experience while using the product. If you select Cancel, the installation will continue without disabling the warnings and you will be required to select Continue at each prompt to proceed with the installation."
Continuing the installation, dire warnings ensue, as Microsoft "strongly recommends you stop this installation now and contact the software vendor for software that has passed Windows Logo testing."
Ordinary human beings shouldn't have to read, much less think about, such security messages.
Technorati tag: Bluetooth
Posted on July 26, 2005 at 09:38 AM | Permalink | Comments (1) | TrackBack
The next dismal trend: Too much security
Today I had to have a network tech troubleshoot my new HP Pavilion. I had opted to have HP install Symantec's Norton Internet Security on this PC. Everything worked fine the first time I booted up; but then, Norton configured itself not to connect to my home network's workgroup. The tech said he'd seen this before at a business in Oakland, and the only remedy was to uninstall Norton Internet Security. Do it, I said. Of course I paid him for his time.
So there you have it: Security is getting in the way of getting work done, and costing folks money. Not news, right? Well, expect to start hearing the phrase "too much security" for systems overly locked down, or whose security software does things its users had never intended. A balance must be struck, and security has to become more adaptive, more autonomic, less rigid than this.
Posted on May 25, 2005 at 10:39 PM | Permalink | Comments (0) | TrackBack
Fiendish security exploit encrypts PC user's data
Some enterprising crook just took computer crime to a whole new level, by figuring out how to invade someone else's computer, encrypt some of the victim's files, then holding the encryption keys for ransom. Evil, and brilliant.
Posted on May 24, 2005 at 05:10 PM | Permalink | Comments (0) | TrackBack
A new Mac vs. a new Windows PC
As it turned out, my household took delivery of two new PCs within days of each other; first, a new Mac 15-inch Powerbook running TIger, which went to my wife; and a new HP desktop PC running Windows XP SP2. Microsoft still has a long way to go. The Mac setup was seamless; the PC setup included a Windows Update to somehow install a GDI security patch issued last September (?! Remember, I received this built-to-order HP system today) and the usual folderol, such as writing down the product key for Norton Internet Security. This HP PC system also recommended an immediate spyware scan, and Norton Internet Security recommended using itself instead of Windows Firewall. AND, "do not share Norton security status with other products" -- including, presumably, anything on the system provided by Microsoft! It's like watching companies arm-wrestle for your shattered piece of mind. All in all, a terrible first out-of-the-box experience for the PC user. Question to Robert Scoble: I wonder how Longhorn will change this experience for the better, and why the Mac is so serene (nonwithstanding the effect that adding Norton Security would have on that system, though I didn't feel compelled to purchase it.)
Posted on May 4, 2005 at 10:34 PM | Permalink | Comments (0) | TrackBack
Advertising industry fights to save cookies
The advertising industry, feeling the hot breath of Congress, is finally organizing to try to make Web cookies safe for use, addressing privacy concerns. They've set up Safecount.org to do this. It's incredibly lame, however, that they're setting up a mailing list, but no blog.
Posted on April 27, 2005 at 02:53 PM | Permalink | Comments (0) | TrackBack
FTC workshop: Adware=spyware
Online Media Daily reports:
Companies that install ad-serving software on consumers' computers and serve them pop-ups--such as WhenU, Claria, and 180solutions--bristle at being called "spyware," rather than the more neutral term "adware." But is spyware really the wrong word for such companies? Perhaps not, according to participants in a spyware workshop convened last year by the Federal Trade Commission.
It's good to see the advertising industry trying to clarify these terms. The story goes on to suggest that software installed without consent is clearly spyware, while software installed with consent could be adware. But how do you define consent, if users are clicking impatiently through terms of service screens without reading them?
Posted on March 9, 2005 at 11:40 AM | Permalink | Comments (0) | TrackBack
Law enforcement arrests make minimal dent in computer crime
I've got a story on PC World this morning about how law enforcement isn't really making a serious dent in computer crime, despite some high-profile arrests. The crimes are clearly changing, however, from kiddie exploits to serious organized crime. The really bad news, which PC World chose to edit out, is that lots of businesses are choosing to quietly pay big money to extortionists who provide evidence that they can bring down their Web sites with denial-of-service attacks. Overall, there isn't really any authoritative data on just how big the computer crime problem is. But make no mistake: It's still growing. Protect your computers and your data, and demand that your technology providers give you all the security options you need.
Posted on March 7, 2005 at 09:51 AM | Permalink | Comments (1) | TrackBack
Source code analytics: Another way Microsoft can build trust
Coverity appears to be a trusted evaluator of how buggy software is. Using software design principles, Coverity recently found fewer bugs in the Linux source code than in comparable commercial operating systems. MIcrosoft won't let them analyze the Windows source code. I urge Microsoft to allow this analysis to take place. I suspect Coverity would have no problem signing the appropriate NDAs. There are also new marketing benefits to those who go through Coverity evaluations.
Posted on February 28, 2005 at 11:00 AM | Permalink | Comments (1) | TrackBack
A trustworthy Internet
Every technology debate swirling around the Internet is converging around the notion of trust. Many email services are now untrustworthy, to the extent that many ISPs are blocking some legitimate email, intentionally or unintentionally. Now the Web is becoming untrustworthy, due to Google implementing an auto-link feature on its toolbar that will distort, for many, the apparent links included in any Web page. Statements such as "we're not evil" fall on deaf ears as the trust firestorm grows. (Don't get me started on the company that coined the term Trustworthy Computing.) What's the solution? One word: education. Don't believe those who say the average Internet user can't be educated and should instead be manipulated. But be prepared for a long, rocky road. And on the way there, we'll see a curious phenomenon: The absolute need for more generalist thought, more cross-disciplinary thought, and fewer blindered specialists focused only on one technology or one political point of view or one dogma. It's time for skepticism (some of which accounts for why my book is taking so long to write), but also for deeds, for action, not for fear. Look at Wikipedia, the best new educational tool of the new century. The way any page can be edited by anyone, it shouldn't work and should be untrustworthy. But it does work and I trust it more every day. The Wikipedia community doesn't have to go around telling people how not-evil they are. [Crossposted from Service Provider Journal, which I also write]
Posted on February 28, 2005 at 09:18 AM | Permalink | Comments (0) | TrackBack
SHA-1 flaw prompts sign of doom
Spotted yesterday outside San Francisco's Moscone Center, where the RSA security conference is underway: A young woman carrying a handwritten sign: "We are doomed." I asked her what it was about. Answer: The SHA-1 encryption algorithm flaw now verified by researchers.
Posted on February 17, 2005 at 08:56 AM | Permalink | Comments (0) | TrackBack
The rootkit menace
Although I didn't attend this session by two Microsoft program managers at RSA 2005, IDG News Service did and filed a chilling report. Rootkits are bad news. They give added incentive (as if any were needed) to organizations to apply anti-virus and firewall software to their systems, particularly Windows. I'm appalled to hear here that many Windows XP users haven't applied Service Pack 2 because they're still on a dial-up connection. I agree with sentiment that Microsoft should distribute Service Pack 2 on CDs in every post office, right next to the AOL CDs. It's not too late for Microsoft to do something more than they're doing. And what about those using older versions of Windows?
Posted on February 17, 2005 at 08:46 AM | Permalink | Comments (0) | TrackBack
MD5 hash vulnerability in beta Microsoft AntiSpyware
Someone on the cryptographer's panel at RSA 2005 just noted that Microsoft AntiSpyware, demonstrated earlier this morning, is one of many products still under development which employ the MD5 hash algorithm, even though the security of that algorithm was broken last year. A quick check on the Web doesn't indicate which hash algorithm is employed by Spybot Search & Destroy, the anti-spyware tool I use.
Posted on February 15, 2005 at 11:53 AM | Permalink | Comments (1) | TrackBack
Internet Explorer 7.0: Short on details
At RSA 2005, Bill Gates just announced Internet Explorer 7.0 will be entering beta testing this summer, but the announcement was short on details. It will respond to the phishing epidemic in some fashion, but he didn't give any further explanation. This announcment isn't going to make anyone switching to Firefox reverse direction.
Posted on February 15, 2005 at 10:05 AM | Permalink | Comments (0) | TrackBack
Cloudmark SafetyBar offers an email anti-phishing approach
Cloudmark's here at ISPCON to introduce its Cloudmark SafetyBar 4.0, which protects Outlook and Outlook Express from spam and phishing attacks. SafetyBar shares some similarities with Web Caller-ID, which I mentioned last week. During his session, I asked CEO Karl Jacob his opinion of Web Caller-ID. He said it's better to catch the phishing scheme where the user first encounters it -- in an email -- instead of raising all sorts of alarms once the browser loads.
Posted on November 3, 2004 at 11:22 AM | Permalink | Comments (0) | TrackBack
Web Caller-ID: Fighting back against phishing
The blogosphere seems to have overlooked the August announcement of an interested anti-phishing technology, Web Caller-ID from WholeSecurity. It's the first browser plug-in that helps rapidly immunize Web browsers against various phishing scams. eBay has already deployed it as Account Guard, a new feature in the eBay toolbar for Internet Explorer.
I learned about Web Caller-ID at Digital Identity World 2004, which I'm attending in suburban Denver this week. While the plug-in is limited to Internet Explorer browsers at present, Whole Security is preparing plug-in for the Firefox browser as well, says Scott Olson, senior VP of marketing at WholeSecurity.
UPDATE: GeoTrust has a complementary free toolbar for IE that verifies the SSL certificates of Web sites you visit; a Firefox version of this TrustWatch toolbar is in development.
Posted on October 26, 2004 at 03:25 PM | Permalink | Comments (0) | TrackBack
Someone explain Windows 2000 on shelves to me
Give that Microsoft head honcho Steve Ballmer warns everyone to upgrade from Windows 2000 to Windows XP in order to run Windows securely, will someone explain to me why stores (such as Fry's Electronics) still stock and sell Windows 2000? Shouldn't every copy of Windows 2000 now include a free copy of the Windows XP upgrade? Is it irresponsible for Microsoft to sell Windows 2000? I'm sure this makes sense in some parallel universe, but it doesn't really make sense in ours.
Posted on October 26, 2004 at 01:17 PM | Permalink | Comments (0) | TrackBack
A problematic security suggestion from Robert Scoble
Robert Scoble, recorded at Gnomedex (at time point 1:11:55): "I'm running [Windows XP in] non-administrator now, and I can't install software without going back out and thinking about it. Every time I install something, I have to go back out to my administrator account, think about it. Do I really want to load this piece of software? Okay, yes I do. I install it. Then I go back to non-administrator mode."
This got me thinking, and digging around in Windows XP (with Service Pack 2 installed).
It takes more than a bit of digging for the average home user to discover that they should go to Control Panel, then click on User Accounts, and examine what they find. How about leading users there the first time they install SP2, or turn on a new PC with Windows XP?
The challenge today is they've almost certainly already first installed a bunch of software under their administrator accounts. While you can create a non-administrator account, log out of the administrator account, and log back in as a non-administrator (a.k.a. Limited account), you will find that some things work differently under the new account.
For instance, the Internet Explorer Favorites (a.k.a. bookmarks) that you created under the administrator account aren't immediately available under other accounts. I fail to find any quick and easy way to access them.
Other programs also act as if you've just run them for the first time. My Outlook 2002 email program contained none of my email, for instance. Likewise, my RSS aggregator, NewzCrawler, acts as if it's newly-installed, and I don't seem to have an easy way to move my preferences over. If it's a matter of dragging some folders from one place to another, could I please have a wizard to make this easy? It would really help.
Some other programs don't appear to have this problem. Eudora, Microsoft Word and Excel are accessible from either account. Why are they not a problem when IE, Outlook and NewzCrawler are?
If you're using a laptop computer, one annoyance is that when you create the new account, the "create new account" wizard doesn't automatically prompt you to create a password for the account. You have to go back into the account after you've created it, then create a password. If you forget to do this, then you've created a security hole into a previously-password-protected laptop, because you have a new account that's not password protected.
I'm surprised, overall, with just how little information is easily findable on this subject of migrating into using Limited accounts in Windows XP. I looked in Google and found very little that was directly related. Perhaps Amazon's A9 would point to some books about XP SP2 that delve into this, but I've already spent enough time researching this for now.
If you're reading this Robert, this post also provides a classic example of the utility of Trackbacks, because the IT Conversation where you made this statement has its own Trackback URL, which I pinged when I created this blog entry, so that listeners of that show can also easily see my post as a comment.
Posted on October 17, 2004 at 09:45 PM | Permalink | Comments (0) | TrackBack
Zone Alarm and Office Update
Microsoft's Office Update refused to run successfully on an older Windows 2000 PC until I temporarily turned off ZoneAlarm Pro. It would have been nice if Office Update had detected ZoneAlarmPro and recommended this action, as it apparently does in some Windows Update situations. Perhaps on Windows XP, this isn't a problem, but since I don't run ZoneAlarm on XP, I have no way of knowing. With all the Windows 2000 still out there, Microsoft should do some more troubleshooting of its update services.
Posted on October 4, 2004 at 09:57 AM | Permalink | Comments (0) | TrackBack
DotNetRocks pointed listeners to dangerous Web site
One of the more interesting tech-oriented Internet audio shows out there is DotNetRocks, produced by Carl Franklin and Rory Blyth. It's unabashedly pro-Microsoft and pro-.Net, as you would expect from its name. It's independently produced, although Microsoft does pay the show's bandwidth bill, which I imagine is considerable. Despite being independently produced, you won't find much criticism of Microsoft, unless you count one appearance by Novell's Miguel de Icaza, the man leading the port of the .Net Framework to Linux as Mono (and is anyone embracing .Net really a critic of Microsoft?). While DotNetRocks can occasionally shed light on some of the warts of living in a mostly Microsoft world, I've never heard anything really embarrassing on it until the conclusion of Show 79, released on September 6, 2004. At the 1:57:00 mark, Franklin, commenting on a goofy-audio Web site pointed to in the previous show, says: "Apparently It has some trojan/virus or something like that, so don't go to that site." The rogue site was taken down before September 6, but I wonder how many listeners were bitten by the site? Trustworthy computing indeed.
Posted on September 27, 2004 at 11:00 AM | Permalink | Comments (2) | TrackBack
Eight months and a service pack later, this huge IE security hole remains
Was that an all-clear we heard last month for Internet Explorer security? Don't believe it for a second. Unless you think you can avoid clicking on a hyperlink in an email...ever. Dan Appleman, a friend of Microsoft's although he's independent, explains this vulnerability clearly. I noted the vulnerability in January 2004. Windows Service Pack 2 is installed now (on both my XP systems as of this morning) and the vulnerability remains. My question is, why? And did Microsoft just miss its golden opportunity to fix it? And why on earth should anyone as knowledgeable as Dan expect millions of users to type in all URLs acquired from email by hand?
Posted on September 21, 2004 at 01:37 PM | Permalink | Comments (0) | TrackBack
Upgrading Windows ME to Windows XP (with a Smile)
I finally decided to upgrade my old Windows Millenium Edition PC to Windows XP tonight. Good thing I had audio to entertain me, such as the latest Brian Wilson Smile tracks and the Smile Electronic Press Kit from Nonesuch Records. The upgrade took more than an hour, and when it was done, StarOffice didn't work anymore. Fortunately, Microsoft Word 2000 likes XP better than it liked Windows ME, so I can use it again for large text files. I also have to reinstall my scanner. Some add-ons didn't load into my app tray as they did before, but probably this is a good thing. Finally, Windows Update refuses to run on the new XP system, so I get to badger Microsoft for a solution to that one in the morning. Also, don't expect XP to automatically come with Service Pack 2; the Upgrade copy I ordered from Dell, which shipped last Friday, was still SP1. At least I was able to turn on Windows Firewall.
Posted on September 20, 2004 at 11:12 PM | Permalink | Comments (0) | TrackBack
Installed Windows XP SP2
I finally installed Windows XP SP2, after periodically checking Windows Update. (I had automatic updates turned on, but got tired of holding my breath waiting for my download.) First security alert after installation: "Windows Firewall has blocked some features of this program." The program? Connection Manager from Microsoft Corporation. I don't know whether to laugh or cry for the state of Windows security today.
Posted on September 2, 2004 at 11:45 AM | Permalink | Comments (0) | TrackBack
Sept. 15 Microsoft security Webcast requires LiveMeeting
At such a crucial time for Microsoft, when Windows XP SP2 is just finding its way into general circulation, it's regrettable that Microsoft has chosen to require its LiveMeeting product in order to tune into its September 15 Webcast, the one that will accompany the first security updates post-SP2. (You have to register for the event in order to learn that LiveMeeting is required.) I don't own LiveMeeting; Microsoft wants to charge me 35 cents a minute to use it. There's a 30-day "the first hit is free" type demo available. (Oddly, this page asks visitors to "choose the plan that works for you" but only presents the pay-per-use model.) This is the sort of video content Microsoft's Channel 9 really should be offering for free.
Posted on August 28, 2004 at 05:01 PM | Permalink | Comments (0) | TrackBack
XP SP2: Here come the new security holes
InfoWorld: "Security researchers inspecting a new update to Microsoft Corp.'s Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system." The dialogue now could shift from one of believing that Windows XP SP2 plugs all critical security holes in the operating system, to a discussion of how severe are the remaining holes. A well-placed phishing scam could still lead to major havoc, it seems.
Posted on August 18, 2004 at 01:23 PM | Permalink | Comments (1) | TrackBack
BitTorrent and XP SP2: A security pickle
Some folks have been trying to use BitTorrent, the peer-to-peer content distribution system, to speed up the process of downloading Windows XP SP2, which Microsoft currently limits to 2.5 million downloads per day. But Don Park points out that BitTorrent is inherently insecure. "It is entirely possible for hackers to intercept and inject trojans and viruses" into the downloads, even circumventing the MD5 hash security check I mentioned previously. Cory Doctorow reports that Microsoft shut down such a BitTorrent site, simply citing the DMCA.
All this raises profound questions about the future opportunity for "zero-day" exploits where the vulnerability requires a patch that's so large that it can't be distributed within the same day to the entire customer base. I suppose Windows XP SP2 is a special case, one where Microsoft is playing catch-up after years of neglecting security needs. But Redmond had better hope that they slide through this current delicate time. And I can't fault them for not revealing ahead of time that the update would take that long to push out to the current user base. Let's hope the bad guys didn't figure it out ahead of time and can't react fast enough now.
The vulnerabilities Don mentions in regards to BitTorrent, however, may be the bigger story here. How secure is BitTorrent in such a case, or any other basic services (such as VoIP) based upon peer-to-peer mechanisms?
Posted on August 13, 2004 at 06:48 AM | Permalink | Comments (4) | TrackBack
Guarding against fake Windows XP SP2 downloads
From Mary Jo Foley's Microsoft Watch: "Microsoft is warning customers not to be fooled by fake downloads purporting to be [Windows XP] SP2." What follows are instructions to tell if the download is authentic, including an MD5 checksum of the real file. There are also a few Microsoft applications that aren't compatible with the new service pack. All in all, if you're in charge of maintaining Microsoft Windows XP at your large organization, you'd better have all this figured out before you leave on any August vacation.
Posted on August 13, 2004 at 06:32 AM | Permalink | Comments (1) | TrackBack
XP SP2 puts the squeeze on health care
You think IBM has problems? How about being a hospital dependent upon devices that run Windows? They want to have the latest Windows security patches installed, but how can they when the device manufacturers haven't certified that their products run okay with XP SP2 installed? How many lives could be at stake? Have virus, worms and faulty patches already been responsible for any deaths? If that information's being supressed, how can it be uncovered?
Posted on August 10, 2004 at 11:15 AM | Permalink | Comments (0) | TrackBack
IBM's go-slow on XP SP2: Prudent or reckless?
It's come to this: A vital security patch for Windows is now viewed as a possible liability because of all the applications it breaks. ZDNet reports IBM is taking a go-slow approach to installing Windows XP Service Pack 2 (SP2) because of this, even though it's almost certain that exploit writers are firing up their best mischief-making to attack systems by reverse-engineering some new threats based on the threats SP2 fixes. IBM (and any other large corporation) had better hope that the exploits don't occur until they can install the update. Or maybe they should just call Novell or Sun and conduct an emergency migration to desktop Linux.
Posted on August 10, 2004 at 10:13 AM | Permalink | Comments (0) | TrackBack
A clever URL redirect
Wading through the comments on Microsoft's IE blog I discovered a clever URL hijack. The domain http://www.trustworthycomputing.com resolves straight to a Google search: "microsoft security OR privacy flaw OR flaws OR hole OR holes". Trustworthy Computing is the wrapper around all of Microsoft's efforts to create a more secure, reliable Windows computing platform. Such a URL hijack must be an embarrassment to Microsoft. I searched at the USPTO Web site and it doesn't look like the term is a registered trademark of Microsoft, so the hijack must be fair game. (The URL is registered to Simplify.net in Stoughton, Wisconsin.)
Posted on August 4, 2004 at 03:12 PM | Permalink | Comments (0) | TrackBack
My current browser safe practices
A while ago I started using Firefox whenever possible as my Windows XP browser. I'm still using Internet Explorer for several reasons. My news aggregator, NewzCrawler, supposedly supports Mozilla, but I haven't figured out how that's done, so it's still using IE as its embedded browser. When the Scob/Download.ject scare took place last month, I permanently changed my IE Internet zone to disable ActiveX controls, Java, active scripting, and Java applet scripting (is this the same as Javascript?). I've had to back off of these settings for some trusted sites, but it hasn't always worked. It worked for Windows Update, but when I run TypePad, the editing controls that allow easy insertion of a link, or boldface styling, don't display even though I tell IE to completely trust TypePad. In this case, it's okay; I can run TypePad from Firefox. Lots of other things just don't work either under the locked-down IE or Firefox, due to many Web sites' dependence on Javascript or ActiveX. Particularly this affects my ability to watch multimedia, such as Microsoft's Flash-based presentation on projects underway at Microsoft Research. To view these, I turn to an older PC I have running Windows ME. I'm careful on that PC never to visit unfamiliar Web sites. It's a lot to remember, but it's working, for me, for now. It's certainly annoying though.
Posted on August 3, 2004 at 03:45 PM | Permalink | Comments (0) | TrackBack
XP SP2: Microsoft's hour of truth?
Listen to this quote from a Real Networks spokeswoman: "The changes Microsoft is proposing for SP2 will have serious negative consequences on the consumer experience of many applications and Web sites." Folks, XP SP2 is going to be cataclysmic for Microsoft. They can't go back; they've committed to this release. But going forward is going to be their worst nightmare too. Nothing I've heard or read leads me to believe that Microsoft or its customers have easy solutions. So I'll predict a couple of things. Interest in the Macintosh will spike immediately after the negative reaction hits. Desktop Linux remains too fractured to have much upside in 2004, but all bets are off in 2005, particularly when (not if) Web sites retool to more fully support Mozilla and other browsers. UPDATE: Leave it to Rob Enderle to call replacing a product "a last resort."
Posted on August 3, 2004 at 12:06 PM | Permalink | Comments (0) | TrackBack
There ought to be liability for keeping quiet about security holes
Ed Foster hits the nail on the head: "If a website faces liability for inadvertently exposing visitors to a Trojan, shouldn't it face even more liability for keeping quiet when a warning might save some previous visitors from having their bank accounts drained?"
Posted on August 2, 2004 at 04:40 PM | Permalink | Comments (0) | TrackBack
How the MSJVM compromises security
After further reading, I discovered why Microsoft's recommending removal of its Java Virtual Machine from Windows. It seems that uber-nasty spyware CoolWebSearch uses an exploit in the MSJVM to plague Windows computers. A page at MVPs.org (not a Microsoft Web page, but a page run by some of its third-party consultants) talks not only about removing the MSJVM but also about installing in its place the Sun JVM for Windows, which has no such exploit. I still wonder how Microsoft managed to botch Java's usually solid security sandbox in its JVM, but that's a moot point. The Micr