IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Hunting bugs for T-shirts (and cash)

A German programmer has received a flashy T-shirt, and got paid $2500, for pointing out 5 critical software flaws in products from the Mozilla Foundation.

Although I must admire the non-profit open source organisation for taking a novel approach to bug hunting, I'm also puzzled about what this does to the spirit of open source.

Software bugs are a fact of life and one that will be hard to eradicate any time soon. But the whole idea behind open source software development was to have a community of programmers work on a project for the greater benefit of society, the payment being honour and recognition from your fellow programmers.

What will be left of the open source idealism if we start paying bug hunters? Do we have to start paying developers whose code ends up in the Linux kernel next?

March 31, 2005

Sweet, give me suites!

If you were looking to pick a fight with a vendor of security products three years ago, you would tell him that he needed a suite of security products: applications that work together nicely, do a good enough job and offer the user a one-stop shop.

After they had recovered from their heart attacks, brought on by the realisation that they would never be able to offer such a solution, they would start explaining that users want best of breed. Security is not an area where you compromise.

The security vendors of course were living in their own little post-11 September bubble. Users were throwing money at security like Saudis use oil dollars to fund terrorists.

Users need best of breed. That of course is why Computer Associates decided to acquire a tool that eliminates unused accounts and passwords. Keep dreaming: CA is a company that thrives on offering "good enough" solutions to its users. CA's biggest strength is that it is a one-stop shop for IT managers.

Security is moving to suites faster than ever. And for users and IT admins that is only good news.

March 31, 2005

New US law enforces computer security honesty

Under new regulations from several US federal agencies, banks whose computer systems are hacked, or that suffer any other breach of their IT security, must from now on inform their customers if personal data has been exposed.

The lucky residents of California have had the joy of living under the Security Breach Information Act for over a year. The state law has requirements similar to the new federal one, but in addition applies to any company that suffers a breach of its IT security, not just banks.

The new rules are so amazingly obvious that it's remarkable that they haven't been put in place earlier.

For years companies have lacked the motivation to tackle IT security properly, because it is cheaper to clean up a mess than to prevent it from happening. Now that they are required to go public with these embarrassing facts, they may be more inclined to spring into action.

Self-regulation has had its chance for the past decades, and by now we can state without the smallest doubt that it doesn't work. Let's hope that this is only the start of a slew of new rules and regulations around the world.

March 29, 2005

Wishful thinking: security complexity pushes outsourcing deals

Getronics' hunger for new outsourcing business is clouding its common sense, it seems. In justifying the global managed services company's acquisition of security services specialist RedSiren, Getronics claims that computer security has simply become too complex for firms to handle themselves, and that this complexity is pushing companies towards outsourcing.

The problem is that for most companies handing over control of their IT security feels like handing out the keys to their company vaults. In a recent survey among UK businesses, 80 percent of the respondents said that they were managing their IT security in-house. Of that group, another 88 percent said the need to stay in control was the main reason why they wouldn't consider changing this practice in the future.

March 24, 2005

IBM gives spammers a taste of their own

IBM has launched a software application that hits spammers back just as hard as they hit the public. The new FairUCE service bounces spam emails directly back to the sender's computer, not to the email address from which they originate.

If enough people use the service, it creates the equivalent of a distributed denial of service (DDoS) attack on the spammers' computers, clogging up their systems and taking up processor capacity and bandwidth that could otherwise be used for sending spam. And the great thing is: legally it isn't even a DDoS attack, because all the service does is bounce the emails back.

March 23, 2005

Lies, damn lies and ID card polls

So UK MPs think that 80-90 per cent of us support the use of ID cards, do they? Like so much in life, it all depends on how you phrase the question.

Ask a passer-by whether crime should be reduced and almost everyone will answer yes. Ask if it should be easier to identify criminals and you’ll get the same response. Then ask if an ID card scheme is a good idea and you’re likely to get an affirmation as well.

Now ask anyone else if they think the government can always be trusted to look after its citizens’ interests and you’re likely to get a negative response. Then ask if the police should have the right to force someone to disclose their identity when they are not committing any crime, and you’ll get a no as well. Ask then if ID cards are a good idea and I’ll bet the majority would find against.

The only questions over ID cards should be whether the scheme will actually work and how much it will cost. Since nobody’s been able to answer either of these questions as yet, it’s safe to say the jury (while we’re still allowed such due process) is still out.

March 23, 2005

Apple tempts DVD Jon

And lo, there was a great wailing and gnashing of teeth in Apple headquarters. Is this called the big apple maybe? Less than 24 hours after the firm had fixed a ‘security hole’ that let people, quite reasonably, play the music they had paid for on any device they want – not just iPods – the software wizards struck again.

There’s an important lesson here, one that the industry has trouble learning: there is no such thing as a foolproof security system. A thousand engineering wage slaves will never be able to outperform tens of thousands of amateurs – people who break such systems for the sheer joy of it.

Expect this story to run and run, with Apple’s next move neatly countered by improved software. This is a race Apple can’t win. Instead it should open its proprietary systems and let music be free.

March 23, 2005 in Web/Tech