IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Losing your ballot

The right to vote is a precious one and should never be abused. While some countries have gone for electronic voting I've huge doubts about it. Now a foolproof system is being devised.


Despite my misgivings about electronic voting this initiative should be applauded. It's a much better solution than allowing private enterprise to take it on.

Take the situation in the US at the moment. The two companies who dominate electronic voting machine manufacture in the US are run by brothers, one of whom has very strong links to the Republican party.

Far be it of me to suggest any impropriety – in fact the chances of them successfully getting away with fraud are minimal – but it hardly inspires confidence.

In this country we have a paper ballot; simple, incorruptible and checkable. There are those who say that voting is too much of a hassle and electronic voting would increase turnout, but this is nonsense. Our ancestors fought and died for the freedoms we enjoy today and whinging because you've got to walk a few hundred feet to the nearest polling place dishonours their memory.

August 22, 2005

Mugging moves online

Oh for the good old days when all you needed for a game was a copy of the latest Dungeons and Dragons playbook and a limited number of friends. As these games have moved online we're seeing things that would never have been allowed in the old analogue days of role playing games, including this online mugger.


It's tempting to scoff and say it's only a game. Well it is and it isn't. For some people the online world is just as real as the offline one, and can be preferable. After all if you're flipping burgers for minimum wage in reality and a lord high paladin with top notch wizarding skills in the virtual world which one are you going to prefer?


It's good this guy got caught, but we're going to see a lot more of this sort of thing and people are going to be tempted to take the law into their own hands.

August 22, 2005

Freedom of speech

It's an oft quoted and utterly stupid statement that freedom of speech doesn’t include the right to shout "Fire!" in a crowded cinema. It does, if there is a fire.


Microsoft has problems with the way the latest flaw in their software has been publicised, and they have reason to be. Had this flaw been reported to them first they could have built a patch to solve it; as it is IT administrators have a rough weekend ahead.


There's considerable disagreement about how to deal with vulnerability reporting. Software manufacturers don't want flaws reported because it makes the hacker's job easier. Vulnerability testers want to make headlines and get business for themselves and claim if they didn’t publicise flaws then they wouldn’t get fixed.


There's a logical way out of this. If you find a flaw report it to the company. Give them time to find a patch, say three months, and then if there's no action release the news. When the patch is ready the person or firm who found the vulnerability gets the credit and administrators can deal with the problem immediately.


This latest announcement shouts of publicity hunting. So if you're thinking of hiring these people you might want to ask them to be a little more responsible next time.

August 22, 2005

The Inside Job

We talk a lot about evil hackers breaking into databases but all the evidence shows the bigger risk is the inside job, as AOL has shown.


Here is a guy who sold out his employer for cash and the problem's only going to get worse. People are greedy and there will always be the temptation to sell out your employer for cash, particularly if you've a grievance.


I'm not too worried about this case, it was only spamming. But my biggest fear is there's a programmer in a major software house putting little chunks of spyware in common applications. If that happens we're all in deep, deep trouble.

August 22, 2005

Love your laptop

I don't carry a laptop bag, even though my beloved lappy goes with me everywhere. A laptop case screams out "I've got a very expensive bit of hardware that can be easily sold on the black market – care to steal it?" If you're carrying a laptop put it in a haversack, it'll be less conspicuous and do your back a world of good.


But I do like this latest idea, laptops that call for help. Your data is protected, you've a good chance of getting the hardware back and best of all when the police do swoop chances are they'll find a lot of other criminal activity that needs clearing up.


August 22, 2005

Talking sense

I was checking to see it wasn't April Fools' Day when one of the biggest antivirus firms told us the latest virus attack isn't too bad. Time will tell if Kaspersky are right, but it's nice to see a level head in an industry dominated by scaremongers.


August 22, 2005

Competitive hacking

Now it seems organised crime is getting competitive over the latest viruses. But don't mistake this for a game, it's merely free enterprise in action.

We need to recognise that our PCs are valuable tools not just to us but to those who would seek to use them for darker purposes. Patch and protect people, because it's only going to get worse.

August 22, 2005

Abandon Adware

Adware is one of the fastest growing problems in computing and it has dire consequences for security. Software that logs web viewing habits and records that information can easily be subverted. 

Now an adware supplier is suing one of its associates for over-enthusiastic use of spyware. This is useless – no matter how unobtrusive, adware is the digital equivalent of the phone tap and security departments need it locked out fast.


August 22, 2005

Train by example

At last, a security policy that makes sense and harms no-one. It seems faux phishing emails are now being sent out to check how well trained staff are, and if they fall for it they get a tap on the wrist. This has to be one of the best security measures I've seen in a long time – do it now to your staff. They may not like you for it but in the long run they'll benefit.


August 22, 2005

Bite on this Apple users

44 patches. In one go. This makes Microsoft's Patch Tuesday look like amateurs' night. Apple users get very smug about how safe their systems are. This gives the lie to that – Apple are just as vulnerable, it's just that no hacker really cares that much about only getting five per cent of the world's computers.



August 22, 2005

Beware the false prophet

Now that the bombers of July 7th have seemingly blown away any objections to identity cards, the government is getting busy with biometrics.


One small problem – they don’t work. There hasn't been a single biometric test that hasn't been cracked by hackers and at any time there's a failure rate that goes as high as five per cent. That's three million Britons who are going to get in trouble because of faulty security. Surely all this money would be better spent by bobbies on the beat and better intelligence.

August 22, 2005

Worm turns

So Zotob is causing trouble as predicted. It's bad, but not too bad.

I was on holiday in New York when Sasser broke and by lucky chance was staying with an employee of a major bank who lost their entire network for the afternoon. That cost the company millions. This is just a flea bite in comparison.

August 22, 2005

One step forward, two steps back

You couldn’t make this up.


puts developers at risk – it's the kind of thing to make big Bill Gates choke on his morning toast.


On the plus side this problem is being picked up now rather than when the software's actually on our PCs. But if I was head of security at


I'd be wandering round the


team with one of those big foam hammers they love so much and dealing out a few gentle bonks.

August 22, 2005

The news that the


national infrastructure is deeply vulnerable brings a mixed response. Post September 11th we've seen billions wasted on useless security boondoggles that haven't made life any safer.

This was demonstrated by the case of Gary McKinnon. Everything we learn about his case shows this is not a skilled hacker; he used script kiddy tools and got lucky guessing passwords. He also had the advantage that the US Navy is still using NT4. If the largest military force in the world can't get a decent operating system for the 21st century there may well be something to this report.

August 22, 2005

Reasonable risk

I'm a space nut; I'll freely admit it. To quote science visionary Carl Sagan: "This is the time when humans have begun to sail the sea of space." It's what we as humans do – we started out in caves and went to look over the next hill, then the next continent, then across the seas and mountains. Now it's time to go forward.


But space travel is risky. NASA used to approach design by making the safest mechanism possible and then redesigning it to make it safer. It was a good approach but didn't help a lot of dead astronauts, most recently the tragic deaths of the


space shuttle. Leaving the atmosphere is risky.


So the news that Virgin Galactic has got a licence to build spaceships is deeply heartening – it shows an adult attitude to risk. Let people make the best bet they can on security and trust their judgment.


What has this to do with computers I hear you ask? Well plenty. There's no such thing as safe computing any more – as more and more people get computer savvy we're going to see more problems. But the internet is possibly the most important invention since the printing press and to stop using it because of security fears would be as stupid as deciding to turn our backs on our future outside the gravity well.

August 22, 2005

I've got this bridge you can buy…

Scammers use many different tricks but many depend on our good nature, like this latest scam.


It's easy to scoff at the credulous nature of those who click the email link and expose themselves to scammers but those who do are going to be motivated by the desire to help someone less fortunate than themselves. So go easy on the victims, they are merely doing what has made humanity great.


Conversely scamming may also be one of the oldest professions of mankind. Chimpanzees regularly scam each other out of food by shouting their equivalent of "Look out, there's a lion coming" and stealing everyone else's fruit as they rush for the trees. It seems some habits die hard.

August 22, 2005

Sasser again or damp squib?

It's looking like we've got the first big worm outbreak of the year. What makes this one more worrying is that whereas Sasser took about two weeks to surface after Microsoft issued the patch for the flaw it exploited, this one was done in days.


In all probability this isn’t going to be as big as Sasser – only Windows 2000 users are really in trouble. But the speed at which these evil little malcontents are reverse engineering patches is truly worrying.

August 22, 2005