IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Rewarding times

As the conviction of the author of Sasser B showed, it is possible to catch at least some virus writers.

But bounties like this are going to become increasingly ineffective because of the changing nature of the threat. We're dealing with hardened criminals now, not frightened teenagers.

Police love people like Sven Jaschan because they're easy to catch, mostly. They either leave clues in the code or they brag about it to their few and far between friends.

After all, what's the point of getting a really big virus infection if no-one knows it was you who did it? Once caught they usually spill their guts in seconds and are happy to show how they did it.

But when a bunch of identity thieves commissions a virus they aren't going to leave clues, or brag about it. And they're not looking for reward money, they're looking for your money.

July 19, 2005 in IT Security

International resources

It's very easy to bash the US at the moment, and while the country's leaders may be unpopular right now, they're not helping matters with the decision to withdraw from making Icann international.

The US has already said it will shut down the GPS system if it feels the need, a move that would leave thousands of travellers lost or stranded and be catastrophic for business. But how much worse would it be if the internet's top domains were blocked? We'd be talking damages that would make the worst virus outbreak look like a computer sniffle.

If push came to shove we'd survive, but with some of the wacky noises coming out of the White House you can see why the UN is concerned.

July 19, 2005

Watching us, watching you

Here's news for the paranoid: a camera so small it fits in a toilet roll.

Now the person who did this (almost certainly a man) wins top prize for innovation, but bottom prize for decency. If there are cameras in the toilet then we're all part of Big Brother.

July 19, 2005

Excuses excuses

It's almost a shame Microsoft has settled its latest legal spat. Longhorn's been so badly delayed over the years that any excuse for a bit more time could have worked in Redmond's favour.

July 18, 2005

Manufacturing consent

We get a lot of surveys in this business, and some are more use than others. This latest offering is a tricky one. The Blu-Ray Association commissions a survey that finds consumers like their technology – shock horror.


I'd advise you to check out an old series of Yes Minister to see how such things can be skewed. Not that I'm suggesting this one is, but with every one of these always consider who's paying for it and how many people did they ask.

July 18, 2005


Now here's an invention that's really multitasking. Lord knows how they've managed to do it, but here's a split-screen TV. That should save some family arguments.


But the second half of the story was what really had me gripped. Being able to limit what the screen displays like this is going to make public computers a lot safer. If you travel into work on public transport, just shoulder surf for a while – you'd be amazed at what people are willing to display in public.

July 18, 2005

Open secrets

To paraphrase Henry II: "Who will rid me of this turbulent argument?"


The security ratings of Microsoft and Linux are a favourite debating point between advocates of the two systems. Why is this?


Well, initially it was a useful stick for the open source community to beat Microsoft with. When you're going up against a behemoth like Microsoft you use everything you've got, and it proved quite an effective tactic for a while.


But by continually harping on about it, Linux risks being pigeon-holed and the real benefits of its approach will be masked. Any operating system can be secure with the right procedures – it's the rest of the package that needs examination.

July 18, 2005

Calling a spade a spade

Methinks Intel doth protest too much when it complains that AMD is staging a media campaign. Intel runs one of the most ruthlessly efficient marketing and press departments in the known universe – complaining that the other side is playing by the same rules is hardly edifying.

July 18, 2005

Net nanny misses a trick

The news that there's to be a new web site classification system will reassure some web users, but it won't work against illegal sites.


Censorware is all well and good in the right circumstances – it can stop a lot of embarrassing questions if you're bringing up kids, for example – but the unscrupulous web site owner just isn't going to use the system. So what if this means they don't get on Google? That's the last thing some of them want.

July 18, 2005

Ugly facts

I can still remember first reading about quantum computing in an early edition of Wired. Here was the new technology that could do it all, turning phonons into gateways and making today's fastest processors look like Turing's bombe.

It was heady stuff indeed, but the news from the Netherlands brings to mind what Thomas Huxley called the great tragedy of science - the slaying of a beautiful hypothesis by an ugly fact*.

But all is not lost for quantum computing. The news is a setback, nothing more. Goodness, if we can bring light speed down to 40 mph or make a Pot Noodle tasty there's no limit to human ingenuity.

One factor when quantum computing does come is going to be security. A true quantum computer would carve through current codes like a hot knife through butter. Consequently it may be some years after the fact that we learn they have been invented.

* - Post modernists out there may dispute the existence of any true facts, arguing instead that everything is an incompletely tested hypothesis. This explains why they make such bad conversation.

July 13, 2005

Survival of the fittest

So once again the big boys are getting together to stop spam. Call me a bluff old cynic but the chances of this solving the problems are remote.

The very fact that there's a news release on setting up the group shows its weakness. As spam filters show, spammers are constantly adapting their techniques, and they can do it a lot faster than a bunch of industry folk arguing about who gets first dibs on writing the new standards.

Most major inventions occur because their time has come and spam is no exception but that doesn't stop me roundly cursing Laurence Canter and Martha Siegel every time my inbox overflows.

July 13, 2005

Market manipulation

You know you're getting on in years when you start recognizing old riffs in new tunes – the excellent new Scissor Sisters album has tons of this.

It's tricky to know what's really popular in music these days. The charts can be manipulated in any number of ways. A guest on the Today Programme pointed out that Elvis' recent chart success owed more to a marketing campaign than to popular taste.

Which is why I trust things like Amazon's chart predictions on Harry Potter all the more. Yes, Amazon's only one company, but it gives you more of a pointer to popular taste than some charts.

July 13, 2005

Freeze, drop that wireless card!

The fate of the distinctly unregal Benjamin Smith III will cause a shiver down the spine of some people.

There's something about technology that seems to incite light-fingered tendencies in the most respectable of citizens. Pillars of the community have purloined music on their hard drives, the mildly technical regularly piggyback on wireless traffic, and there have been some shocking cases of staff walking off with office computers that shouldn't have left the desk, let alone the building.

Will the jail sentence stop others wardriving? Probably not. But it might make one or two people think twice.

July 13, 2005

Beware geeks bearing gifts

You just don't know who to trust these days when it comes to emails.

It's not just viruses hidden in the news of papal bulls, Osama Bin Laden or the latest weirdness in California; now we can't trust the IT department either.

What's particularly galling about this is that it hits those keen to ensure that they aren't part of the problem. A nasty bit of social engineering that.

Anyway, the cure is simple: call and check. Most administrators will happily exchange a ten-second chat for hours of system cleaning.

July 13, 2005

Free as a bird

So Sasser's author goes free. He could head down to the local bierkeller tonight should he so desire and sink a stein to the legal system. He shouldn't celebrate too loudly, however; there might be a few system administrators who'd like a word with him.

He shouldn't worry, they're not violent, but three hours of detailing exactly what they had to do to get rid of the damn thing is enough to make anyone wish for a cosy cot behind bars.

July 13, 2005

Bombing Diaries 2

As with September 11th, email has proven its worth again.

While mobile phone networks fail and landlines are put under stress, it's email that has always got through, reassuring the worried and coordinating the response.

Email sometimes seems positively outdated – low amounts of data and no multimedia! But an event like this shows the low tech solution is sometimes the best. Now if only people would answer the things more quickly.

July 13, 2005

Bombing Diaries

By now you'll have heard of the bombings in London. For the record I'm proud of my fellow Londoners; we're handling this with upper lips so stiff you could iron your shirt on them.

The key to this is not to panic. Like many others I spent years under an IRA bombing campaign, and you can drive yourself crazy worrying about it. Don't – that's how they win. Here at VNU Towers it's business as usual, even down to the traditional pint and a sandwich at our local pub.

July 13, 2005

Information is power

Coming back through Heathrow last night, customs was utterly empty.

Now, on a flight in from Amsterdam, home of semi-legal drugs, you'd have thought they'd have been checking things. But as a Customs officer explained, no-one with an ounce of sense would try to smuggle drugs from such a notorious location.

In any case most airports have a few 'foxes' – undercover customs staff – who keep an eye out for suspicious characters.

This applies to IT security as well. Attacks via poorly patched browsers are a case in point. Why struggle through the firewall when you can nip into a system via an unpatched user instead?

July 7, 2005

Shocking police behaviour

I had to share this. To prove the effectiveness of Taser electronic stun guns the head of Manchester police volunteered to be shot by one.

Look at the face of the policeman doing the shooting.

July 6, 2005

Why Microsoft should thank pirates

Lunchtime is a good opportunity to mingle with developers around the world, and I recently met a chap from India who had a refreshing view of pirates and their role.

He explained that he'd be out of his job (Office developer) if piracy was curbed. If a mint copy of Office sells for hundreds of pounds, very few people are going to buy it, and this gives a huge incentive for a local software vendor to come up with a low-cost word processor or spreadsheet and corner the low-cost market.

But if they can buy a pirated copy of Office for a few pounds, there's no incentive for local programmers to undercut that. In the meantime the pirate copy users learn to use Microsoft software, and sooner or later a proportion of these will buy a legitimate copy.

"Every time I see a pirate I smile at him. That's my future employment prospects he's got spread out on the pavement before him," he grinned.

July 6, 2005

What's Bill been smoking?

The TechEd sessions are an opportunity for engineers to share information openly and honestly, but this seems to have gone to some people's heads.

Four Microsoft engineers were talking at one such event and were debating a question on passwords. Bill Gates has already said that passwords will be dead in a few years as we move to two-factor authentication. His staff disagree.

"I'm sorry Bill but you're smoking crack on this one; passwords will always be with us," said the leader, who shall remain nameless for reasons of his job security.

"Yeah, and he doesn't share it either," chimed in his colleague.

Do they know something about the recreational habits of Microsoft's chairman that we don't? Fine inquiring minds want to know.

July 6, 2005

Taking the fun out of life

Microsoft's plans to introduce DRM into documents and other data are going to make life a lot less fun for some of us.

As any hack knows, Word documents can contain all kinds of interesting information if you know how to look, and plenty of good stories have been broken this way. Seeing what data was keyed in and then deleted is the best possible way to see exactly what you're not supposed to see.

As for other data, I know of a few staff on airlines and government offices whose jobs are about to get a lot more boring. Looking at confidential data is one of the perks of the job – checking out the star's income tax records, for example, or seeing if the airline staff have put any embarrassing information into your passenger profile.

Yes, it's worth it for the security benefits but, at the same time, it's another nail in the coffin of a fun day at the office.

July 6, 2005

TechEd out

The first true night of TechEd approaches and the delegates have had their evening drinks and are heading out to network, party or just plain sleep.

Microsoft usually lays on a good party and this time it's a Dutch Scissor Sisters tribute band. The mind boggles.

July 6, 2005

Back Room Boys

So the boffins have a new wheeze: a device for crowd control. As the scuffles in Edinburgh show, the police aren't exactly being overrun at the moment, but it's an odd application of a very useful technology, as I recently discovered.

If you've passed through Heathrow recently you might have been asked to try out the Secure 1000, a millimetre wave scanner that can effectively look under your clothing. I've tried it twice and it's very sharp, picking up a forgotten two pence piece in my back pocket. It does take a few minutes, far too long for practical use, but it's being considered.

Quite how popular it will be in real life I don't know. While undeniably effective your first thought when they let you see the image is usually about trying to get some more exercise. The second is who gets to see the image of you from the front. It is to their credit that the test subject recruiters have shown great restraint given the attractiveness of some air travellers.

July 6, 2005

I am not a number!

I've been tagged; a first to my knowledge.

Arrived last night at TechEd in sunny Amsterdam and, aside from the usual t-shirt and baseball cap for the colour-blind, the entrance bag contained my own personal RFID tag.

This is not, Microsoft hastened to tell everyone (two or three times in the opening keynote alone), in any way linking names to numbers. But they did show a very interesting program that tracked the crowds at TechEd US as they moved from hall to hall.

The presenter explained in tones of wonderment that this would allow them to track people-flow and so anticipate demand. He had a lovely graph showing that, surprise surprise, when the keynote ended people left the auditoria and went to the group talks! Well worth the investment.

Maybe retired Microserf Paul Allen isn't the only one with ambitions for space and the planets beyond. As number 111111111111111111111369 I can only assume that Bill has some major market growth plans.

July 6, 2005

Lost in space

Many people question the need for Nasa to send a probe into a comet. There are plenty of problems that need solving here on earth, the cynics say.

But this mission was vital to securing the future of the planet. There is a school of thought that comets aren't solid hunks of rock, but floating clouds of smaller rocks held together by loose bonds.

If that's the case it doesn't matter whether Bruce Willis can pilot a shuttle with physically impossible skills; if something's heading our way, it'll be down to the shelters if mankind hopes to survive.

We need to know this stuff. We've had five major extinction events in the world's history that we know about, and at least two of those were down to strikes by space objects.

In 1972 we dodged a bullet when a huge rock skimmed the atmosphere and appeared as a flaming ball above Yellowstone Park. Yes, we have problems on earth, but it makes sense to ensure we'll still be around to solve them.

July 5, 2005

One, two pick up my shoe

Anyone who tells you they have a 100 per cent safe security system is either lying or fooling themselves. There's no security this side of the grave, and it's something we need to realise.

The news that two-factor authentication may not be as safe as was once thought will make some worry, but look at this realistically. Yes, it's possible to beat, but that's not the point. Hackers go for easy targets.

There's an old tale of two hunters who disturb a bear. As they run for their lives one hunter points out that they can't hope to outrun the bear. His colleague replies: "I don't have to outrun the bear. I just have to outrun you."

July 5, 2005

Cash or caring?

Another day, another Internet Explorer flaw. Only this time there's no patch.

Leaving aside the relative merits or otherwise of Internet Explorer, this is going to be a story to watch. Microsoft constantly disses open source code for relying on volunteers for technical support, maintaining that business can't rely on enthusiasts to solve its problems.

Then again, see how quickly this flaw gets fixed compared to Firefox flaws. The last problem with Firefox took less than a week to fix.

Given that some of the patches Microsoft releases are for holes found months before, it'll be interesting to see whether commercial specialists can work faster than those who do it for love.

July 5, 2005