
July 31, 2007

Did Yahoo! Know More About Chinese Dissident Cases?

Yahoo! apparently knew more than it has previously admitted regarding the nature of the cases it was dealing with when Chinese authorities asked for information used to put away dissidents.

Rebecca MacKinnon has been closely following Yahoo!'s willingness to cough up user information that aids the Chinese government's dissident repression, so her latest update on the matter is a useful brief on the latest developments as well as a link feast for anyone needing to play catchup.

After providing the summary, she offers some interesting thoughts:

I don't think it is meaningless to push companies like Yahoo! to be more mindful of the human rights situations they will face before they decide whether or not to open a particular product or service in any given market. There is a reason Microsoft never introduced a localized Chinese Hotmail and why Google hasn't introduced a local Chinese Gmail. Because they don't want Shi Taos and Wang Xiaonings on their hands. Companies can make choices about how they engage in a market and what services are appropriate given the political situation.

While I agree that companies should be pushed to consider the human rights consequences of their dealings, I think it's inaccurate to say China's odious human rights practices are "why Google hasn't introduced a local Chinese Gmail."

Google couldn't introduce a local Chinese Gmail because it wasn't licensed to do so. In late June, however, it did get a license that expanded its ability to introduce Internet content it couldn't previously, including, according to a WSJ report that's now locked up, Gmail. And it got that license after failed attempts to create local (to China) proxy companies to circumvent China's license requirements for foreigners. So, at least according to the WSJ, Gmail has not been unavailable in China for want of effort on Google's part.

Getting that license doesn't put Google on the hook or off the hook where the issue of dealing with repressive regimes is concerned. It just means that any consideration of Google's dealings in China has a new dimension. And it means the persistent narrative that Google's guiding goodness intuitively steers it away from anything more heinous than some light search censorship is weak.

Disclosure: I have strong opinions about this story and I've blogged about them elsewhere: 1 and 2. Those items are worth linking in the interests of transparency, and because there's an awesome Star Wars parable in the second one.

Posted by mhall at 11:10 AM

July 30, 2007

It's Black Hat Week

internetnews.com has a sampler of the Black Hat agenda. It seems, regarding this previous post, that Cisco gets to keep the association with NAC, whether it wants it or not:

"Last year Cisco Network Access Control (NAC) was proven fallible; this year at least two different security researchers will be presenting additional findings on how to bypass NAC.

"In a presentation titled NACATTACK, security researchers Dror-John Roecher and Michael Thumann are going to release a tool that may well be able to help get around NAC.

"'We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist,' the Black Hat abstract for the NACATTACK session states."

Posted by mhall at 7:36 PM

Symantec Tops NAC Roundup

Despite a bad quarter with analysts harping on its enterprise products, Symantec walked away with good marks for its NAC products in a NetworkWorld roundup that concluded Symantec "provided the most solid NAC functions across the board."

You can do worse than that roundup to get a sense of where NAC is at. Or rather, perhaps, to get a sense of the many places NAC is at. Just two years ago, "NAC" was synonymous with "Cisco." The tech press narrative was all about a perceived "race" between Microsoft (with NAP) and Cisco, with questions about whether the two might interoperate, and a bunch of mistaken talk about NAC being a "technology" or a "standard" the same way people talk about SMTP or HTTP.

When you read a NAC roundup that mentions a "multitude of products" and concludes that the secret to success with NAC is to pick a vendor and let yourself be locked in ... well ... "Welcome to the human network."

Posted by mhall at 7:33 PM

July 27, 2007

Expert: Spam Sucks, and Conferences Discussing This Fact Are Pointless

Spam: You've Come a Long Way, Baby

The FTC revisited the issue of spam again in 2003, where things got so heated that then-Commissioner Orson Swindle (a former Marine and "Hanoi Hilton" survivor) had to physically separate two attendees who nearly came to blows.

The tensions that were so evident in 2003 were nowhere to be seen in 2007. Even the appearance of the notorious Scott Richter, who once famously described himself in an interview on The Daily Show with Jon Stewart as not a spammer but rather a "high volume email deployer," was met with yawns. What became quite clear during the course of the two-day event was that not a lot of progress has been made in the intervening four years since the last spam event. Proposals for increasing the security of email against forgeries and phishing, some of which were first debuted in 2003 (and at a subsequent event devoted to email authentication issues in 2004), are still being hotly debated instead of deployed.

It seems like a lot of energy went into pushing SPF through, fighting over Microsoft's initial attempts to patent standards it should have just left in the public domain, then learning that SPF, which nobody thinking reasonably believed was a silver bullet, was not a silver bullet. Since then, the tone seems to be one of resignation, with the occasional glimmer of emotion and genuinely disturbing outpouring of ill wishes for forced sodomy or a good shanking when a particularly odious spammer gets federal time.

I've talked to admins who deal with large e-mail user bases and I've never walked away feeling much hope that anyone was genuinely interested in getting behind much of anything. Technically proficient users have built personalized spam barricades that, considering the challenge posed, work wonderfully. The average SpamAssassin user probably has a lot more trouble with false positives than misses. Some of them are largely uninterested in user complaints because they imagine the users probably do nothing in self-defense and may even make their own problems worse with crappy habits. But when those proficient users inflict their preferred tool on general user populations, the users hate it. The one solution most normal users can abide is the one the elites hate the worst.

Worse, widespread belief among some technical elites that spam has broken e-mail beyond any repair means any sense of urgency about fixing the problem is fading. When we start seeing things like five.sentenc.es getting nods of approval from advanced users, it's a sign that e-mail has become more tired than wired ... a chore that it's more cool to hate than do well in the face of less open, more selective modes of communication (like IM and even Twitter).

That isn't going to change with the current crop of teen users, who'll be bringing their expectations to the technology businesses deploy in a decade. They're used to the relatively gated world of whitelist IM and SMS, and they think e-mail is for old people.

I'd guess the next anti-spam conference will be even more depressing.

Posted by mhall at 8:43 PM

July 26, 2007

Security and Privacy Links for 26 July, 2007

Sweeping up some links for Thursday, July 26:

» Symantec has reported a mixed quarter.

Analysts also had a beef with the company’s move to expand from its consumer-based security product comfort zone into the enterprise arena with data center products and services. In fact, third quarter '07 results saw an 8 percent decline in year over year revenues of the (DCMG), and there was no growth in the quarter ending in March.

Tough break. Nobody said life after OneCare was going to be easy.

» "Judge Allows State Anti-Spying Lawsuits Against Telecoms to Continue":

State lawsuits against telecoms that allegedly helped the federal government spy, without warrants, on Americans can proceed, a federal judge ruled Tuesday, dismissing the federal government's arguments that the states were overstepping their authority.

» Security conferences versus practical knowledge:

" ... there is a definite gap in the market. Missing today on the network security conference front is that of practical knowledge. It is not everybody who can attend today's cutting edge security conferences and actually walk away having learned something. Was it me being asked by an employee to attend a conference today, I would have a few questions to ask. What is it that you are going to get out of it, and just how will it benefit our network? If the answers aren't there, you're not going. Practical knowledge is where it is at."

» Salon's Machinist on the MySpace sex offender purge:

Currently, the site's policies bar children under 14 from using the site. Under Cooper's proposal, any adult who signs up with the site would be subject to a public records' database search -- you could submit your credit card number, say -- for identity verification. If a minor wanted to use MySpace, she'd have to submit a parent's I.D. info, and then MySpace would contact the adult by phone or mail to get approval.

The idea would seem to be tough to implement, and possibly crippling to MySpace and -- because it applies to the alarmingly vague category of "social networking sites" -- many others besides. (Is the local business review site Yelp a social networking site? How about Digg, or Technorati, or YouTube?)

How is it we tolerate seat belt laws, helmet laws, cellphone-while-driving laws and assorted other "for your own good" legislation, but can't bring ourselves to place the responsibility for online security on parents? When you've got a toddler, a missing fork and an electrical outlet, do you put a plastic guard in the outlet or do you sue the electric company for failing to install toddler detection technology in every house?

But our legislators have no patience for parental responsibility. They didn't develop this impatience in the Internet era ... they've always looked for ways to shift responsibility to anyone besides parents. That's what happened during the music hearings, it's what happened with video game labeling, and it's what's happening now with social networking sites.

Here's why:

» MySpace is on the defensive with legislators:

"Republican Congressman Lamar Smith of Texas immediately pounced on the issue and criticized Democrats for failing to focus on it while instead censuring White House aides.

"'While Democrats continue to play political games, critical issues facing the American people are being neglected,' he said in a prepared statement. 'In the past six months, 39 law enforcement officers were killed in the line of duty, over 7,500 murders were committed and 5,600 children were sexually solicited online. In a recent report, MySpace estimated there were nearly 30,000 sex offenders on its site. These numbers are troubling and it is our duty to address these problems for the American people.'"

Which would seem to indicate the cynics are trying to link up with the chicken littles to score some quick political capital. They're certainly not going to slow things down by asking how the audience for their little kabuki performance can take some responsibility for itself.

Posted by mhall at 12:49 PM

July 25, 2007

Sources Close to MySpace Purge Are Getting Hysterical

I really wanted to just put the MySpace sex offender purge behind me, but my colleagues at internetnews.com unearthed a nugget in the story that no one else seemed to have:

… while technology helps MySpace adhere to its zero-tolerance policy for sex offenders, sources close to the issue told internetnews.com that this won’t be solved until states pass laws forcing predators to register their e-mail addresses the same way they have to register street addresses.

The mind boggles.

Posted by mhall at 7:58 PM

MySpace Boots 29,000 Registered Sex Offenders. Now If Only I Knew What That Meant.

The Reuters report on MySpace's eviction of 29,000 registered sex offenders hits the highlights:

  • "Popular Internet social network MySpace said on Tuesday it detected and deleted 29,000 convicted sex offenders on its service, more than four times the figure it had initially reported."

  • "'The exploding epidemic of sex offender profiles on MySpace -- 29,000 and counting -- screams for action,' Connecticut Attorney General Richard Blumenthal said in a statement."

  • "As of May, there were about 600,000 registered sex offenders in the United States."

So about five percent of the registered U.S. sex offender population was hanging out on MySpace. The Guardian calls it a "mass infiltration".

Some headlines have changed "sex offenders" to "predators," which underscores Reason Online writer Kerry Howley's point about "the enormously elastic definition of sex offender," made last year:

One such case is Wendy Whitaker, who performed oral sex on a 15 year old boy 10 years ago, when she was 17. Whitaker owns a home near a church daycare center in Georgia; police forced her to leave that home last year. She then moved in with her brother, whose niece will go to school next fall. Since a school bus will pick up her niece from the house, Whitaker will again be in violation of the law if a new bus stop zoning law passes. According to the Southern Center for Human Rights, which is fighting the Georgia legislation, thousands of people will be forced to move if the law takes effect. Twenty-five of those are in nursing homes.

In February, USA Today said the "registered sex offender" designation tends to "dump all sex offenders together, even though some are child rapists and others may be 18-year-old men who had sex with underage girlfriends. There is no national breakdown of sex offenders by severity of their crimes."

The paper further noted that some jurisdictions include urinating in public as a sex offense requiring registration.

If you feel like following every one, you can check out a list of links to each state's requirements for registration. Not all of them work, and some don't really list the criteria. What you will gather if you eventually stumble onto a page that includes the pertinent legal code (like Oregon's statutes, section 181.594) is that some registered sex offenders probably need to be registered as a matter of public safety, while others probably don't. You'll also learn that some states (Oregon, again) take the extra measure of designating some sex offenders "predatory" depending on the nature of their crimes.

The elasticity of the meaning of "registered sex offender" is a policy debate for some other blog. Having satisfied my curiosity regarding just who MySpace kicked off its service yesterday, I'm here to note that we'll surely be seeing more and more legislation aimed at curtailing online privacy in the name of "stopping predators," and this particular story will be cited to justify a lot of police and prosecutorial overreach.

Seems like a real breeding ground for unintended consequences to me.

Posted by mhall at 3:16 PM

Sophos Report: Apache Users to Get Comeuppance

Sophos put out a security report for the first half of 2007 today. Two assertions are worth relaying:

  1. "The first half of 2007 has seen an explosion in threats spread via the web, which has now taken over from email as the preferred vector of attack for financially motivated cybercriminals."

  2. "The fact that more than half of all infected web pages were hosted on Apache servers demonstrates that infection is not simply a Windows problem. Earlier this year, during a global ObfJS attack, in which legitimate sites were compromised so that they could serve up a malicious code, 98 percent of affected servers were running Apache - many of which were hosted on UNIX rather than Windows platforms."

The whole report is available for free with registration from Sophos' press release.

Regarding the first assertion, I don't feel like I have much reason to doubt it and it doesn't draw any particular scrutiny.

Regarding the second, it gets muddier. I don't understand what some of the numbers or terms Sophos is using mean, so I wrote Sophos' U.S. press contact and asked a few questions that boil down to this nutshellized version of the mail I sent:

"What do you define as a 'web threat?' From the report, it could mean that 51 percent of Web-based security incidents recorded involved an Apache server, or it could mean that 51 percent of recorded instances of servers being compromised due to server-specific exploits occurred on Apache servers."

Until I know all that, it's hard to comment on the report's pointed focus on Apache-on-non-Windows as a unique security problem. I'll post again when I get a response and understand what the report's saying a little better.

Posted by mhall at 2:39 PM

July 24, 2007

Cisco Releases Wireless ARP Storm Patch

A Cisco security advisory entitled "Wireless ARP Storm Vulnerabilities" will, no doubt, read as a generic version of anything Duke's wireless networking team might have to say in the specific regarding The Great iPhone Scare of Ought-Seven.

If that's too much information, Ars Technica breaks it down in bitesize chunks. Nut:
"It doesn't say anywhere that the iPhone is the source of these test ARPs, but the timing and the fact that an Apple employee is one of the authors of the RFC that specifies the use of these test packets doesn't leave much room for doubt."

Side note: Here's a canned search of Google News for the terms "iphone" and "Duke." Yesterday the drift of headlines was still very much "'twas iPhone killed the WLAN." That changed some time since yesterday, with an overwhelming number of the headlines correcting last week's problematic reporting.

Previously:

Posted by mhall at 7:21 PM

Security and Privacy Links for 24 July, 2007

Sweeping up some links from here and there:

» Danny Sullivan has a good timeline of the recent search engine privacy news with some insights from key players. He hits a point I didn't stop to think about for long yesterday: "There's a tinge of PR stunt in this, but if looking for a PR edge will get the search engines moving, I suppose that's a necessary evil."

And later on he follows that up with "[P]rivacy is too important for PR games."

It is.

Public relations work is the radar chaff of policy discussion. It's not there to clarify any objective fact unless that clarification is immediately useful to the publicist's client. In the case of privacy policy, where all the major commercial players have little incentive to address the issue unless goaded, it means there's not even a real discussion. Just a bunch of companies hoping nobody will bring the subject up, and planning to say nothing unless they see some advantage they can press at little cost to themselves.

» The Firefox team is looking a little more humble after learning it shouldn't have stopped at merely pointing fingers at Internet Explorer when it fixed a recent bug.

From last week's gotcha: "Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer."

This week: "We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well."

Jesper Johansson has a lot of detail about where the Firefox team went wrong.

» A potential iPhone security flaw has surfaced. Gizmodo has a video demo. Researchers point out Windows Mobile phones could have the same problem.

Whenever a new iPhone (or Mac) security story pops up, I go pay a visit to Daring Fireball. The site's author, John Gruber, will spend thousands upon thousands of words arguing just about any point. You can read that as remarkable attention to detail, and you can also read it as serious effort to avoid being wrong too often, since he's pretty fond of his Jackass of the Week award.

That's not to say he's always right. He isn't. At the same time, he's reliably zealous in his defense of all things Apple, so if he doesn't do much to contest an Apple security scare, that tells me something. His initial entry on this latest iPhone security story is muted, but I'm sure we'll hear more. Or not. Which will speak volumes.

» And another regarding yesterday's post about search engine privacy:

Sunday's Oregonian (my local paper) carried an article about two seventh-graders who are facing felony sex abuse charges and a lifetime on the sex offender registry for a bottom-slapping spree. The reporting indicates the matter is one of extreme police & prosecutor overreaction, and the story now has national attention.

Since we're not here to chronicle bottom-slapping sprees, I'll just loop this back to what made me think of yesterday's entry:

If our police and prosecutors are already operating in an environment where these actions seem reasonable to them – or even something they should test against public reaction – Microsoft's instant use of "child predators" as a rationale for keeping its search logs useful to law enforcement ought to make us nervous. That's clearly a crowbar with some potency both as an enabler of law enforcement overreach and as cover for service providers of any kind who will not protect their users given a suitably inflammatory reason.

Posted by mhall at 1:09 PM

July 23, 2007

Shorter Microsoft: Our Search Privacy Policy is Still Cop-Friendly

Last week I was puzzled about Google's new cookie expiration policy because I didn't see the value. The more I read about it, the more I realized a lot of people were either puzzled or simply dismissive.

One could, however, get the sense that Google has earned a lot of respect for publicly addressing privacy issues. I linked to Jim Harper who argued "As important as the substance of the new cookie policy, Google is talking about their information practices and the effects their practices have on privacy. What other company does even that?"

Well, since last week it turns out that there are a few others:

The NYTimes tech BITS blog has an entry up this morning that summarizes a few new announcements on the search privacy front.

The nut of the post is that Microsoft and Yahoo have both announced log anonymization policies (Microsoft anonymizes at 18 months, Yahoo at 13), Ask.com has announced the eventual release of a search anonymizing feature it calls AskEraser, and both Microsoft and Ask are calling for industry-wide privacy standards.

The NYTimes entry is fairly cursory. The Seattle Post-Intelligencer has better coverage of Ask's news. The Seattle Times goes into more detail on Microsoft's new privacy measures, which involve more than cookie expiration dates and log anonymizing.

So the search engines are all awesome now and it's a wonderful new Golden Age of Privacy! Right?

Well ...

"Asked whether Microsoft was considering something similar to Ask Eraser, Peter Cullen not only said no, but argued that too much privacy was actually dangerous. Anonymized search, he said, 'can become a haven for child predators. We want to make sure users have control and choices, but at the same time, we want to provide a security balance.'"

(I think "child predators" means "people who prey on children," not "children who prey.")

In other words, you should read Microsoft's privacy policies as being in line with the consumer wing of privacy activism: a concern that massive collections of aggregated customer data are bad because they represent a risk of identity theft or other consumer-targeted criminal behavior if they're compromised.

But when Microsoft throws out "child predators" in defense of whatever remaining anti-privacy policies it maintains, we should read that not to mean "Microsoft is drawing the line in defense of the children," but "Microsoft is drawing the line where a privacy policy might bring the company into conflict with law enforcement."

If you were bothered by search engine privacy policies (or their lack) before this week, and if those objections came less from worrying about your credit rating and more from worrying about ever-increasing government surveillance powers, the past week's news may not seem like such a great leap forward after all.

Posted by mhall at 3:00 PM

July 20, 2007

Updated: iPhones May Be Polite After All

Macworld reports the "iPhone may not be cause of Duke wireless woes."

Some reports say Apple says the matter has been resolved. A clarification is evidently forthcoming this afternoon.

My guess is that some iPhone behavior exacerbates a problem on Duke's network. To the extent we haven't heard of iPhone users blithely crushing networks as they wander from building to building anywhere else, it sure seems like the sort of problem we used to call "synergistic failure" in the signal corps. "Gremlins" didn't sound technical enough.

Since I'm out on a prediction limb, I might as well add that since I'm predicting it'll be a problem a. iPhones exacerbated and b. Duke's network really does have, Apple zealots and iPhone haters alike will be declaring victory shortly.

One more prediction: Wild-eyed Mac zealots will not produce any evidence that Duke IT employees are secretly in the pay of Microsoft.

Update: Duke's CIO issued a statement clearing Apple, blaming Cisco and mortally humiliating one of her assistant directors:

"The reality is that a particular set of conditions made the Duke wireless network experience some minor and temporary disruptions in service. Those conditions involve our deployment of a very large Cisco-based wireless network that supports multiple network protocols.

"Cisco worked closely with Duke and Apple to identify the source of this problem, which was caused by a Cisco-based network issue. Cisco has provided a fix that has been applied to Duke's network and there have been no recurrences of the problem since. We are working diligently to fully characterize the issue and will have additional information as soon as possible. Earlier reports that this was a problem with the iPhone in particular have proved to be inaccurate."

Well, that's that, mostly. I'm still not sure how completely my first prediction was wrong, but it sounds like Duke IT's Kevin Miller, an assistant director of communications infrastructure, jumped the gun by singling out the iPhone when there were other trouble-making clients. Or it could mean the iPhone was uniquely capable of triggering the bad behavior because of some specific characteristic in its network stack. It's still Cisco's fault if the iPhone's behavior was different from other clients but in spec. If Duke comes out and says other clients caused the problem, too, then ... well ... bitter ashes for Kevin Miller, who will have gotten everything wrong.

My second prediction was half right, though: Mac zealots are declaring victory (and calling for "liable" suits ... so they've evidently already started drinking, too.)

I'm sticking to my third prediction, though some will just say that's further evidence of how deep the conspiracy goes.

Posted by mhall at 5:42 PM

July 19, 2007

Considering Googledorks

As promised a few days ago, Paul Rubens on googledorks. Etymological note: Paul uses "Googledork" in the pejorative sense, to refer to someone who leaves something hanging out where Google can find it (and someone malicious can make the dork in question suffer). I think the non-tech press tends toward thinking that googledorks are the instigators of Google searches for compromising information. I guess it makes sense: Nerds blame the victims, victims blame the nerds. Where you're at in terms of victim status determines just who you think the dorks are.

Posted by mhall at 9:15 PM

Study: Like It or Not, Challenge/Response Anti-Spam Works Best

Consulting firm Brockmann & Company released a study on Tuesday that compared the efficacy of assorted anti-spam technologies, as well as the overall user satisfaction for each. The study uses a number referred to as the "spam index" to make comparisons.

In short, the spam index is a measure of how much time you waste going through your spam folders, how many false positives you find when you do that, and how often you have to ask someone to resend a message because, perhaps, your spam filter ate it. For now we'll set aside the notion that, with that last item in the list, the index might more properly be named "The Spam and Weasel Spam-Filter-Blaming Coworker Index."

Brockmann provides a calculator if you're curious about your own spam index.

By comparing spam indexes for each type of solution, the study concluded:

  1. Your ISP's spam filter is as bad as you think it is.
  2. Your SpamAssassin installation isn't much better, and is generally a little worse than everything else.
  3. Challenge-response (c-r) systems suck about half as much as anything else on the market.

We all know challenge-response systems work pretty well. That's never been in question. The problem is that they can cause problems for people who are not us.

I once interviewed a company in the c-r business along with a fairly vociferous detractor of the approach, and found the debate hadn't shifted much since it first started: c-r advocates say they've got the key to eradicating spam in our lifetime, at the cost of occasional one-time inconvenience. C-r haters say the price for the solution is the inconvenience c-r advocates admit to, plus a raft of secondary bad effects including "blizzards" of bogus c-r responses for anyone who falls victim to a joe job.

The study also concluded that c-r users are much happier with their solution than anyone else: Sixty-seven percent reported they were satisfied with a c-r system. People who used "open source filters" reported the very least satisfaction: 16 percent of the respondents.

I don't think I'd ever go with c-r for my own mail setup, but some days I think Jupitermedia (my employer, this blog's publisher) could go c-r and I'd breathe a sigh of relief. The sort of legitimate mail that comes in from the PR industry seems to confuse Bayesian learners enough that there's a lot of overlap between marginal spam and mass-mailed press releases. If our mail admins wanted to shoulder the karmic burden the c-r haters say would be their due, I'd let them and enjoy a much less spammed existence.

As it is now, I've got two layers in my anti-spam setup:

A SpamAssassin installation with a decent whitelist does Bayesian filtering over everything when it comes through. On my computer, I have SpamSieve to sweep up what got past SpamAssassin. I used to rely on Apple Mail's Bayes learner, but it collapsed under the weight of its own corpus.

SpamAssassin can be trusted to find the really spammy stuff ... things that score over 8 points on its scale. At about four points, it's seldom producing false positives in the midst of a lot of spam. The mail it scores below a four is all over the place ... could be spam, could be ham and I don't want to sit down and take an average to find the exact sweet spot. So that's where SpamSieve handles the rest. It's easier to fine-tune and train on the client end than popping open an ssh session and fiddling with SpamAssassin, or bothering with server-side scripting to process false positive/false negative folders.
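The two-layer setup described above, as an added example (not the author's own scripts or SpamAssassin's code): a small Python router that parses the X-Spam-Status header SpamAssassin adds to each message and applies the 8-point and 4-point thresholds, leaving anything below 4 for the client-side filter. The folder names, the router-level whitelist, and the sample messages are constructed assumptions.

```python
import email
import email.utils
import re
from email import policy

# Thresholds taken from the setup described above: 8+ is reliably spam,
# roughly 4 and up is spam with few false positives, below 4 is a coin toss.
SURE_SPAM = 8.0
LIKELY_SPAM = 4.0

# Assumption: senders whose mail should never be quarantined at this layer.
WHITELIST = {"editor@example.com"}

# SpamAssassin writes "X-Spam-Status: Yes, score=9.2 required=5.0 tests=...";
# older releases wrote "hits=" instead of "score=", so accept both.
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")


def spam_score(raw_message: bytes):
    """Return the SpamAssassin score as a float, or None if the message was not scored."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    match = SCORE_RE.search(str(status))
    return float(match.group(1)) if match else None


def route(raw_message: bytes) -> str:
    """Decide where the message lands: 'spam', 'spam-review' or 'inbox'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in WHITELIST:
        return "inbox"          # whitelisted: never quarantined here
    score = spam_score(raw_message)
    if score is None:
        return "inbox"          # unscored mail goes to the client-side filter too
    if score >= SURE_SPAM:
        return "spam"           # trusted verdict, no review needed
    if score >= LIKELY_SPAM:
        return "spam-review"    # almost always spam, kept where it can be checked
    return "inbox"              # ambiguous: let SpamSieve decide on the client


# Constructed sample messages (not real mail), each carrying the header
# SpamAssassin would have added on the server.
MSG_HIGH = b"""From: promo@example.net
To: me@example.org
Subject: You have won
X-Spam-Status: Yes, score=9.2 required=5.0 tests=HTML_MESSAGE,URIBL_BLACK
\t autolearn=spam version=3.2.1

Claim your prize now.
"""

MSG_MID = b"""From: newsletter@example.net
To: me@example.org
Subject: Weekly deals
X-Spam-Status: No, hits=4.0 required=5.0 tests=HTML_MESSAGE

This week only.
"""

MSG_LOW = b"""From: colleague@example.org
To: me@example.org
Subject: Lunch?
X-Spam-Status: No, score=1.3 required=5.0 tests=NONE

Noon works for me.
"""

MSG_WHITELISTED = b"""From: Editor <editor@example.com>
To: me@example.org
Subject: Press release roundup
X-Spam-Status: Yes, score=6.5 required=5.0 tests=HTML_MESSAGE,MANY_LINKS

Three releases attached.
"""

if __name__ == "__main__":
    for name, raw in [("high", MSG_HIGH), ("mid", MSG_MID),
                      ("low", MSG_LOW), ("whitelisted", MSG_WHITELISTED)]:
        print(f"{name:12s} score={spam_score(raw)} -> {route(raw)}")
```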

Posted by mhall at 7:44 PM

July 18, 2007

New Wi-Fi Blackberry Announced (Hope It's More Polite Than the iPhone)

Blackberry Cool is predictably verklempt about the new Blackberry 8820. Heck ... I own my Blackberry the same way I own a stapler and a lawnmower, which is to say "with no publicly expressed enthusiasm," and I'm a little verklempt about the thing.

The excitement-making part is the way the new model will support 802.11a/b/g. Especially for anyone suffering, like me, on AT&T/Cingular's lamentable EDGE network.

Yep ... that was a link to a review of the iPhone and how unfortunate it is that tired, slow AT&T is providing the cellular data. EDGE is pretty much EDGE on any device, though, and as Ars' reviewer noted, "whenever you're within range of a WiFi network that you can use, use it" to avoid EDGE "speeds [that] vary wildly between great and eye-stabbing."

I eagerly await dragging my trailing-edge self down to the Cingular store in a few years and picking one of these up.

And speaking of the iPhone and Wi-Fi, Duke University has an iPhone-related mystery on its hands. Network managers there say iPhones periodically flip their lids, flood the WLAN with ARP requests, and knock up to 30 APs off the net at a time. Apple's investigating. Early speculation is centering around users moving between APs on the network, though there's some debate about whether it's all Cisco's fault or Apple's.

Update (7/20): Duke doesn't sound so sure it's the iPhone and is promising to report on the matter by the end of the day. I'll update this entry with a link to whatever update ends up coming out.

Update 2: As promised. Spoiler: It's Cisco's fault.

Posted by mhall at 2:12 PM

July 17, 2007

After the iPhone Hype, the Scares

This is one of the worst headlines ever:

"Malware problem on the iPhone is getting worse"

Jeepers! There's a malware problem on the iPhone? And it's getting worse?

Well ... no.

If you choose to read that article and lose two minutes of your life that you'll never get back, you'll learn there's a new trojan that hijacks attempts to visit the official iPhone site from a Windows PC and harvests credit card information. It passes that information along to bad people. It also causes browser popups advertising the iPhone to appear, just in case the infected machine's owner isn't really interested in buying one and perhaps needs some nudging.

So, the "malware problem" here isn't quite with the iPhone. In fact, to be susceptible to this problem you pretty much have to not own an iPhone at all.

If you're curious about any real iPhone dangers, SPI says the iPhone's Web dialer could be subverted. So there's one. That's earned a ho-hum from other researchers, but at least it's arguably an iPhone problem. Not a "Windows users rendered unable to resist pretty consumer electronics then falling victim to their own computer's bad security" problem.

Posted by mhall at 3:17 PM

If You Can Spell, You're Probably Safe from Phishing

... at least, that would seem to be the takeaway from McAfee's promotional quiz, which purports to test your ability to detect phishing scams.

On the way to receiving a congratulatory message certifying me as a "security guru," I was reminded that:

  1. People are evidently still falling for the obfuscatory URL trick.
  2. Some legitimate pages are so bad that one wonders why the company didn't fire all its Web designers and hire the phishers, ridding us of ugly, frightening sites and giving the criminals something to do.
  3. Phishers are god-awful spellers. But if bad spelling is a dead giveaway, at least one page in the quiz itself should send you fleeing from McAfee.com, lest you wake up in Nigeria missing a kidney with a pocket full of maxed credit cards.

That last leads me to wonder if I didn't stumble onto a carefully crafted phishing site designed to inflate my sense of security and make me a bigger mark.

Posted by mhall at 2:37 PM

July 16, 2007

Updated: New Two-Year Google Cookies No Longer Tracking The Unix Clock Apocalypse

Google's shortening its cookie life expectancy.

Previously, Google cookies, which store user preferences, were set to last until the Unix calendar apocalypse, 2038. While it was always comforting to me to know that if I made it to 70, my Google cookie would survive with me, it made some people irritable. (Warning: Link contains gratuitous mention of goose-stepping and a picture of a chimpanzee.)

The new policy sets the expiration date for Google cookies to two years from the user's last activity. If you put down your keyboard right now, walk away, and visit none of Google's properties until July 17, 2009, your cookie will die. On July 18, 2009 you'll be forced to tell Google you want 100 results per page -- and that those results better include adult content and not that watered down "SafeSearch" business -- all over again. Visit in the meantime, and the cookie will renew.

I don't understand the perceived privacy value of the new two year span.

As Google representatives have noted in the past, setting the expiration date to 2038 was just shorthand for "a very long time from now." "Two years from now" is decidedly less time than "31 years from now," but for a repeat Google user the cookie life span is still, effectively, perpetual. And two years is an awfully long time if we're talking about the perceived threat of inadvertent self-incrimination via the connection of a cookie to search logs. It seems that most people who just happen to use Google are no more "secure" than they were already, and that people who don't like having a unique identification tied to search logs at all will have the same beef they always have.

As Jim Harper noted on his blog this morning, the real "winners" are one-time or very infrequent Google users, who will eventually slide down the cookie memory hole. But they'll do that at no faster rate than the logs on their searches are set to be anonymized under Google's new anonymization policy, anyhow.

Maybe the real intent was just to defuse the "Google's cookie will last until 2038!" talking point. Not that anyone who's convinced Google is an NSA pawn will care.

Update: The Register calls the policy change "practically meaningless," and suggests that "most people who don't return to Google after two years are either dead or confined to maximum security prison - most likely dead." Either way, the dreaded NSA sneak-and-peekers already have them or can't get at them any longer.

Posted by mhall at 3:49 PM

July 13, 2007

OneCare 2.0 Sounds Like a Recipe for Zombies

Since we're in the "getting to know you" phase of the blog here, I'm going to go ahead and indulge in a little self-revelation: Windows scares the living hell out of me.

It's my own thing to get over, because even I think it's a partially irrational fear. Put me in front of a Windows machine and I start feeling hunted. I've got XP running on a virtual machine in Parallels Desktop. (More self-revelation: I'm a Mac weenie, but not of the "switched from Windows" variety, and certainly not of the 'I blogged 3,000 words on the origin of Moof, definitively and publicly eviscerating a forum of misguided newbies who didn't even hear about Macs until the SE, for God's sake' variety.) I'm sort of comfortable with it under Parallels because virtualization, in a way, is to operating systems like Plato's cave allegory is to people. The operating system *thinks* it's in control of a real computer, but it's not. That limits the damage it can do and helps me feel like I'm in some kind of control ... the same way we're in control of bears at the zoo.

I've heard the horror stories about Windows and its security problems, and how if you bring an unpatched Windows box up on the 'net Eastern European mafiosi will max your credit cards but leave you enough to buy a ticket to Nigeria to help that nice oil minister recover his lost fortune. And to the extent I am a big flailing Windows ninny, it might as well all be true. But to the extent I also have reading comprehension skills and have been using computers since before there even was a Windows, I'm also pretty clear on a key point about Microsoft's security track record: It's not good.

In fact, just this April I could be overheard complaining about Microsoft OneCare betas, which protected your data from being deleted by malware by going ahead and deleting it first. (More self revelation: I write a column at PracticallyNetworked.)

So my colleagues over at internetnews.com noted the advent of another OneCare beta, and even if I first skimmed the story to see if there was anything juicy about it preemptively selling your Social Security Number to meth traffickers, my attention sharpened when I read this:

Among the new features that Microsoft is baking into the new version of OneCare is Multi-PC and home network management. [...] It includes support for up to three PCs as part of the product cost. The new feature in version 2 will provide a single dashboard for managing the security of networked PCs and for resolving issues across the network, as well.

The current version of OneCare includes a backup feature which will be expanded in version 2 with a centralized backup feature that would allow a user to control and manage backups for all networked PCs that are part of the same OneCare subscription.

I've read elsewhere that a OneCare "master" can push printer driver updates to its slaves, recommend security settings adjustments and trigger file transfers.

So ... you've got this operating system from this company. It's got security problems, and the company that makes it has security problems. On a network of equals, it's not such a menace because its basic instinct is to keep to itself. But now you're going to install software on it that lets it tell other computers on your network what to do. It can even send them things it purports to be printer drivers, or provide instructions to do things it purports to be safe.

You see that the software says "beta" on the label, and you know that the last time you saw "beta" on this particular software, it ate all your Outlook files while some Microsoft engineers used the company's recent fixation with "speaking to customers in a human voice" to calmly explain it was all your fault and please download the next version to see if it deletes all your mail again, because it probably won't this time but we'll never know if you don't try.

If you're a busy householder, you'll lose your temper when your kid asks for the tenth time "Dad, my computer told me I needed to click 'OK' to be safe ... should I do it?" and you'll finally tell him that even though you've always taught him to never let his computer do anything it seemed to suggest all by itself, it's o.k. now because things are different ... it's safe now.

"Click 'OK' and be at peace, my child ... OneCare 2.0 is in charge of our family's well-being now. It will never hurt us."

I eagerly await the arrival of our new OneCare 2.0-exploiting, family-network-enslaving zombie overlords.

Posted by mhall at 1:52 AM

July 12, 2007

Getting Past the Checklist Mentality in Network Security

Besides just getting started on this blog, I manage a site called Enterprise Networking Planet. I don't plan to post every single thing we cover over there over here, but we've had a run of articles in the past several weeks that are just the sort of thing I was imagining when we talked about starting this blog:

A few weeks ago, Paul Rubens handed in a story about an online course called "Offensive Security 101."

Rather than running down a bunch of dry checklists, telling you what to do and what not to do, the course puts the same tools the black-hats are using in the hands of the students, then teaches them to get cracking. Paul's write-up is a detailed overview of how the course is run, including the VPN students are given to run wild on, testing their new skills against virtual servers. Paul was pretty enthusiastic about it all when we discussed the assignment. Evidently students are told there's no penalty if they see one of their classmates on the VPN and decide to take a swing at owning their machines. It sounds like a lot of fun.

Paul also picked up some interesting techniques he's been sharing in the weeks since. It's just as easy to fall into checklist wrangling when you're reporting on security as when you're learning it, but that's not doing a reader any favors. His latest stuff offers a better glimpse at how complex security has gotten, and how flexible you have to be in response.

Last week he did a rundown on Metasploit. It wasn't a tutorial so much as it was an over-flight, but if you're trying to move beyond more traditional security audit checklists and move into actual penetration testing, printing this one out and handing it to a reluctant boss might be useful. Yes, bad people use Metasploit. Liquor store robbers also use guns. We still let our police have them. Maybe Paul can help you make the case that it's time to do some real pen testing ... or form a tiger team.

This week he was back with a consideration of the many ways users can bust out of a network, even one where nothing more than port 80 is open, to get at whatever services administrators wish users would quit trying to get at. I remember feeling pretty clever when I used to let friends behind restrictive corporate firewalls tunnel to a Squid proxy over port 22, but Paul has some stuff in his article I hadn't thought of. Looks like my little Squid trick was a pretty crude hack. And it seems I can never read about users tunneling out from behind a corporate firewall without thinking about The Beagle Boys digging their way out of prison.

Posted by mhall at 11:54 PM

July 11, 2007

AP: Military ftp Serving Up Secrets

I can't think of a better way to kick off a new blog that's supposed to touch on issues including Internet privacy and security than to note an item recently off the AP wire that indicates our military ... well ... it's sort of struggling with the whole "Internet" thing.

The Associated Press went fishing for secrets on unsecured public ftp servers run by the military:

"In one case, the Army Corps of Engineers asked the AP to promptly dispose of several documents found on a contractor's server that detailed a project to expand the fuel infrastructure at Bagram — including a map of the entry point to be used by fuel trucks and the location of pump houses and fuel tanks. The Corps of Engineers then changed its policies for storing material online following the AP's inquiry.

"But a week later, the AP downloaded a new document directly from the agency's own server. The 61 pages of photos, graphics and charts map out the security features at Tallil Air Base, a compound outside of Nasiriyah in southeastern Iraq, and depict proposed upgrades to the facility's perimeter fencing.

"'That security fence guards our lives,' said Lisa Coghlan, a spokeswoman for the Corps of Engineers in Iraq, who is based at Tallil. 'Those drawings should not have been released. I hope to God this is the last document that will be released from us.'"

But it probably won't be if the article is any indication. The AP found dozens of sensitive documents lying around on unsecured ftp servers that the reporters were apparently able to uncover with no more skill than the trusty old "change the http:// to ftp:// in my browser's location bar" trick.

In response? A spokesperson for one compromised military contractor said "[t]he only way you could find it is by an awful lot of investigation." Like, evidently, changing the "http://" to "ftp://" in your browser's location bar a few times. The spokesperson was apparently unfazed by DoD assertions that the material found could lead to compromises of correctly secured systems.

So take the widespread (and amateurish) security gaps a few reporters turned up, and add in complacent agencies that shrug off information that could lead to further compromises with "that wasn't even classified."

Then pay a visit to Wired where this evening they're reporting an "unprecedented criminal probe" into the actions of FBI agents who abused the already problematic PATRIOT Act to gather information on thousands of Americans by lying to phone companies about non-existent subpoenas. Then consider that the phone companies apparently rolled over without asking to see the subpoenas.

If the government is doing such an abysmal job of keeping its own secrets, and if its agents can't even be bothered to obey an already law-enforcement-friendly act while they gather our secrets, how is it people can still talk about the "tinfoil hat crowd" every time someone asks if even more sweeping surveillance and data-gathering power is a good idea?

Posted by mhall at 10:14 PM