Security Blog
3.30.2002
Not a lot going on news-wise. Added to that, I'll be away from the computer most of the time until tomorrow night. So don't expect much until Monday morning or so - Happy Easter.
3.29.2002
Here's some insight into the physical security of a building that houses some very important machines - root name servers.
3.28.2002
The NYT has a good article on how terrorists have used the Internet, and some rather simple methods, to cover their tracks. This is worth a few minutes of your time; the author does an excellent job of explaining the difficulties involved when tracking someone online. Getting cooperation from Internet service providers in other countries can also be a hurdle, although operating outside the reach of American laws regulating how Internet communications may be monitored presents some advantages. "If it comes down to it, we would do a black-bag job on an I.S.P. - literally, kick in the door in the middle of the night," said Mark Rasch, an expert on cyberlaw in Reston, Va., who formerly headed the Justice Department's computer crime unit and is now a vice president at Predictive Systems, a security firm.
Grand Rapids, Michigan, has fallen victim to a phreaker. According to McQuillan, "very sophisticated" hackers in New York, using decommissioned cellular phones, broke the codes to the city's switchboard the weekend of July 20-23. Contrary to what the city thinks, it's not very sophisticated and is a rather well-known feature among the phreaking community. The full story is here.
The @Stake team announced last week that they could intercept messages destined for the popular RIM BlackBerry devices. This article criticizes the CEO of RIM, and vendors in general, for downplaying vulnerabilities. Check out the analogy the CEO tries to make - what the hell is he talking about? Balsillie was asked about an attack discovered by @Stake that enabled researchers to read wireless messages intended for a user of the Internet Edition of RIM's popular BlackBerry device. He huffed and he puffed and he blew the question down, saying, "Internet traffic isn't supposed to be secure. ... It's kind of like a company making beer and cola and someone saying that there's alcohol in the company's drinks, when the children are drinking cola."
NETWARCOM - that goes down in my book as the coolest name of the year. It's the Navy's new Network Warfare Command group.
3.27.2002
More information on the FBI's Carnivore program should be coming out thanks to a federal judge. We already know it's just a big sniffer. What would be interesting is under what circumstances they can use it and whether it ignores innocent users' email.
SecurityFocus has part II of No Stone Unturned up. It's a technical piece told in a fictional style - fun to read, with lots of interesting tips.
Here's something I've been thinking about. It's an article on panic rooms - like the new movie with Jodie Foster. It's a neat idea, but how common are these things? Very - according to the article. It quotes a guy who designs panic rooms for homes. It all sounds very elaborate, but you have to be one paranoid person to get one. I'd spend the extra money beefing up security for the rest of the property.
This guy is half right. He writes about open source vs. closed source security and correctly states that both are insecure. In the long run, however, an open source project will be reviewed thousands of times by hundreds of programmers - each looking for a security flaw. Can we say the same about closed source? I doubt it.
ZDNet has a column on wireless security. They offer this advice: "Treat it as you would any other media--use it as a transport layer only. And don't send information through a wireless network unless it is acceptable for the world to see--like a postcard." I agree. If you're not using some sort of encryption, assume it can be compromised.
3.26.2002
Jon Katz has a short commentary at Slashdot on how 9/11 changed the tech economy. Wall Street analysts have been buzzing for months now about the new spending about to be unleashed as government, business and private citizens turn to technology to fight terrorism, improve security, shore up our business and communications infrastructure, and protect the country from a wide-ranging series of horrors from "dirty bombs" to bio-terrorism. The battlezone is going digital.
There is some more information on the new 3Com product designed for home VPN users and telecommuters. The device supports IPsec and PPTP, costs $350 and will be available in April. We should see competing devices emerging shortly. This is a great enhancement to the current crop of SOHO router packages.
While correcting the link for the e-business PDF mentioned below, I found this: "The number of flaws reported in firewalls has rocketed by nearly 50 per cent over the past four years because IT pros don't know how to configure them." I can confirm that this is, unfortunately, often the case.
I have a new article on broadband security online at SecurityFocus. Take a look and let me know what you think.
Some excellent thoughts in this short piece on web security - specifically Java. "If we can't make software behave in a way that warns us when it's overstressed, we have to provide redundant strength: We have to encrypt our data traffic so that a man-in-the-middle attack doesn't intercept clear-text transmissions. We have to create, and use, least-privilege accounts for even our single-user machines, instead of merely logging in as Administrator because it's the easiest way to get full access to the machine: The privileges you have can be hijacked by malicious code, so why give yourself any privileges that you won't actually need that day? Users who had both of these good habits could treat last week's Java discoveries as someone else's problem."
Surprise! According to the Yankee Group, more money will pour into the security industry.
The PDF linked at the end of this report on e-business security has several good tips. It includes multiple definitions and some Q&A; it's worth a quick read, especially for those just beginning to address security.
Good thing my PGP keys are an obnoxious 4096 bits. Read this to find out why yours should be just as long.
3.25.2002
Came across this tonight; the article rambles a bit but conveys a good message - "secrecy is an illusion". Your keyboard might be revealing more than you think.
The insider threat, an often overlooked aspect of security, is discussed in this article. Securing the outside of a network only solves half of the problem; the inside is still quite vulnerable. On another note, I found several headlines full of potential, but the content was worthless. This was just a bad news day - all I found was fluff, flashy quotes and FUD. I'll only pass along items worth your time. Hopefully, something will turn up later today.
Several excellent points in this commentary on Microsoft's recent announcement about file organization software for future products. Be afraid - the author shows why this is both a shrewd business move and a ruthless tactic. "So Microsoft wants to get rid of application files (such as MS Word doc files) and store everything in a database. The ramifications of this are staggering. It is a brilliant strategic move in that Microsoft users are not 'chained down' by their loyalty to Windows -- they are chained down by their loyalty to their most heavily used Office applications -- principally Word and Excel. Microsoft's ability to keep users locked into Windows is largely a function of its ability to keep users locked into Microsoft Office."
ZDNet UK has a summary of a talk given by well-known white-hat Rain Forest Puppy. I agree 100% with his philosophy: RFP's recipe for staying one step ahead of the script kiddies is surprisingly simple: "if you don't need it -- TURN IT OFF." For the telecommuters out there, this article mentions new hardware from 3Com, which has built-in VPN tunneling capabilities. I'll have an article at SecurityFocus later this week addressing broadband security. It's especially relevant for those working from home over DSL and cable.
3.24.2002
Doc Searls has some good stuff today on the CBDTPA, including this new piece. Jamie Zawinski tells us how to webcast legally - good luck. "What's going on here is that the music industry establishment are absolutely terrified of the internet, and are trying to prevent any kind of progress that might require them to evolve and change their business models to keep up with the times. They are pretty much trying to legislate the internet out of the way, and force things to continue to be done as if early-20th-century technology was still all we have to work with."