IT security, vunerabilities, bugs, fixes, flaws, RSA conference and Infosec.

« August 2005 | Main | November 2005 »

Fortress US

So the US is to get RFID passports, the poor devils.

My American friends are less than impressed and are privately getting passports renewed now so that they can be RFID free for as long as possible. I don¹t blame them - the idea of walking around broadcasting personal information would make me nervous too.

Sadly we¹ll get a taste of this in the UK as well. Tony Blair and his Government have a fascination with this stuff and, given his close relationship with the global village idiot currently running the US, he¹ll become convinced we should all become radio broadcasters too.

October 29, 2005 | Permalink | Comments (0) | TrackBack

What spyware is isn't the problem

So what is spyware?

Seems simple, but in fact it¹s not. Is a website cookie that records your password so that you don¹t have to log on every time spyware? What if it also tracks your movements? This is the kind of philosophical debate techies love - and it looks set to run and run.

But it misses the point. It doesn¹t really matter. What matters is that you the user get to know exactly what is being installed, what it will do and how to get rid of it.
But that¹s never going to happen. If it did then the legitimate spyware industry would collapse, because no one really wants to be spied on.

October 29, 2005 | Permalink | Comments (0) | TrackBack

Smug post

Hotmail is still having problems. I hate to say I told you so, but?

October 29, 2005 | Permalink | Comments (0) | TrackBack

Official advice

There have been some crushingly bad government information campaigns over the years, but this latest one looks rather effective.


People have been crying out for advice on safe computing and it’s well past the time the Government should have stepped in. Like them or loath them, people generally trust Government information broadcasts because it’s the one information source that can’t really sell you anything, and so is slightly more impartial than a commercial ad campaign.


There have been some stinkers – ‘Protect and Survive’ springs to mind. Here was a campaign that advised us to survive a nuclear attack by painting the windows white and hiding under a door, which was so movingly sent up in ‘When the wind blows’. In fact it was little more than a PR campaign to make sure we died with the minimum of fuss if the hot war started. The current ‘Talk to Frank’ campaign will also be consigned to the dustbin of history, one hopes. What kind of idiot asks a 10-year-old in a silly hat for drugs advice?


But there have also been successes. ‘Clunk Click every trip’, ‘Don’t Die of Ignorance’, ‘Follow the Green Cross Code’. This latest campaign looks to be a winner too; it’s simple, easy to understand and makes good computing sense.

October 27, 2005 | Permalink | Comments (0) | TrackBack

Vote geek

MP Dr Nick Palmer makes a worrying point in his chat to Barely any MPs have hands on technical experience and, in an increasingly IT dominated world, this doesn’t bode well for the future.

Now you could say that there’s no need, the Sir Humphries of this world have enough specialists to deal with any problems in formulating law. But that misses the point. Some of the misinformation that members of the public believe is almost certainly reflected in their MPs and I wouldn’t want to rely on the civil service to pull us out of every hole.


So if you’re an IT administrator think about a career in the mother of all Parliaments. Your country needs you.

October 27, 2005 | Permalink | Comments (0) | TrackBack

Spamming scum

Is there nothing these people won’t try? Selling anti-bird flu drugs online takes preying on the vulnerable to a new level. Then again, if you’re stupid enough to buy drugs online, maybe you deserve what’s coming to you.


October 27, 2005 | Permalink | Comments (0) | TrackBack

Where there's value …

The line between the real and the online has blurred further and some lucky gamer is $100,000 richer as a result.

But we've already seen the consequences of this, because where something is valuable some grotty little toerag is going to try and steal it. It's happened before and it'll happen again.

I'm the last person to call for new laws at the drop of a hat but the status of virtual property really needs to get sorted out. These games are only going to get more popular and blood has already been shed over virtual property.

October 26, 2005 | Permalink | Comments (0) | TrackBack

VeriSign tweaks Icann's nose

VeriSign's got a good deal here. It can still put out its search service as long as Icann gets the chance to check it first. While that monitoring is needed it still leaves VeriSign with the revenue it expects and all the leverage it can get from the .com domain.

There's also the security problems of having a private company controlling such an important domain. VeriSign has to be one of the most attractive companies out there for hackers right now.

October 26, 2005 | Permalink | Comments (0) | TrackBack

Comcast cock-up

No wonder Comcast is keeping shtum about blocking Hotmail. This looks like some overzealous security that went a little bit wrong.

It's easy to dislike Hotmail; it's full of spam, easily hackable and nothing screams 'newbie' like a Hotmail address. But a security threat, I think not. Probably just a spam filter set too high.

October 26, 2005 | Permalink | Comments (0) | TrackBack

Who's the mummy?

You've got to love mother nature. After all the technical security gizmos mankind can come up with, she trumps us every time.

We've had robotic noses for a few years now but none can match the sniffer dog, sniffer pig and now the sniffer wasp. If there is an anthropomorphic personification of nature she's looking down and thinking "Now that's how it's done. Learn people."

October 25, 2005 | Permalink | Comments (0) | TrackBack

At what cost profit?

The news that Cisco is working on interoperability shows that, in the cut and thrust of competition, the security of the human life isn't always lost.

I know we talk about IT security here but the magnitude of the earthquake disaster in Pakistan and central Asia is such that we really should be putting all hands to the pumps and doing whatever it takes to get aid to the suffering.

Winter is coming in and the potential for loss of life makes 11 September look like a stubbed toe.

Plus you never know, there could be interesting discoveries to be made that could benefit the future of communication. But whatever the result the security of human life is key.

October 25, 2005 | Permalink | Comments (0) | TrackBack

Funny face

Deary me. After writing last week about silly phone security with the mobile that checks how you walk, now we have facial recognition technology.

For goodness sake, how much security do you need? Just keep the damn thing in your pocket, password protect the phone and the Sim card (and not 1111 or anything else easy to guess) and have the phone number of your operator in case the phone gets stolen.

October 25, 2005 | Permalink | Comments (0) | TrackBack

Walk and talk

The Finns have given a lot to the world of technology; Nokia, Linux, the first auction of 3G licences to name but a few. But this latest idea for mobile phone security is rather too silly to make it into practical applications.

Leaving aside the fact that there's enough mobile security tools out there (if only the manufacturers would actually use some of them) the idea of using someone's gait as a security tool is just plain odd. Biometric security needs to rely on physical constants – iris, fingerprints and vein structures. Imagine having one of these phones and twisting your ankle for example. You'd have to put in a password every time you used the phone.

As a final point I've been to Finland a lot and learnt early on to never, ever try to drink level with the Finns. Maybe it's the long, dark winters. Maybe it's the endless combinations of fish, reindeer and cloudberries that come with every meal. Whatever it is you can see more respectable men and women falling down drunk in the streets of Helsinki than anywhere else in Europe.

Try using your walk-secure mobile when you are, to use the lovely Irish expression, drink taken – or even try to remember the password…

October 20, 2005 | Permalink | Comments (0) | TrackBack

Snail's pace from Oracle

For all the criticism of its patching policy Microsoft looks like a paragon of virtue next to Oracle's latest release.

85 flaws patched, and this from a company that only thinks it needs to patch every three months. There's no excuse for this, as some of those flaws are very serious.

So, while its customers sit with insecure software and Oracle digests its profits and slowly stirs itself into action, the rest of us are left wondering why we're shelling out for its expensive software.

October 20, 2005 | Permalink | Comments (0) | TrackBack

This is the end

So it's happened. ID cards are our future and we'll probably never be rid of the things.

Civil servants have been trying to get these in for years. So too have the technology companies, which sense a boondoggle of massive proportions.

And when the scheme is finally enacted, late and over budget (not that a firm budget has even been released) guess who'll be footing the bill? Here's a clue. Look in the mirror.

October 20, 2005 | Permalink | Comments (0) | TrackBack

Fiddling while Rome burns

There are very few press releases where you actually doubt that a company could be so stupid. Obviously we all keep our eyes open in the run up to April Fool's Day, but today's inbox filler was a classic: a Gartner report into the effects of bird flu.

Now there's a lot of hysteria about bird flu at the moment. As a race we're overdue for a pandemic and, with so many hungry and weakened people on the planet, any illness would find plentiful numbers of victims. But there's still no person-to-person infections and we should maybe calm down.

Reports like this don't help. Yes, disaster planning has its place but, for decency's sake, a respected analyst firm like Gartner could have used better language.

If things do go pear-shaped I'll be protecting my loved ones, not worrying about "reduced workforce productivity".

October 19, 2005 | Permalink | Comments (0) | TrackBack

Money, power and web censorship

It now appears that the Myanmar government may be using Fortinet's firewalls without the company's knowledge or consent. Fortinet is undoubtedly concerned about charges of sanctions-busting, although realistically asking for its kit back isn't going to be an option.

But what about those countries that aren't on an embargo list but still censor internet access? Some are relatively benign, Singapore for example, but when it comes to China and other states that repress their own population a line needs to be drawn. No matter if there are sales to be made there's the ethical dimension to consider.

I went to university with a bona fide rocket scientist, a profession he drunkenly admitted first appealed to him because of the response to "What do you think you are…" He later took a position with a major arms company and his defence when questioned on this was that if he didn't do it someone else would.

This is never an excuse for a rational adult, and it shouldn't be a response accepted by a technology company. So someone else will do, it then let them. As long as the best minds steer clear the resultant product will be sub-standard and easier to defeat.

The next time you specify some hardware and software check to see who the company's overseas customers are and make your decision. NGOs are preparing lists and this is also something I'm going to be looking into and reporting on as well. After all, is your shiny new kit worth a lifetime of misery for a political prisoner?

October 18, 2005 | Permalink | Comments (0) | TrackBack

Are you being served?

The latest figures from RSA show that a lot of consumers are still clueless about identity fraud, but it's still scaring them away from doing business online.

For all those e-tailers out there, get a grip. You are losing custom because you can't meet your customers' needs. Until businesses take this a lot more seriously e-commerce will continue to be plagued by fears of fraud.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Acceptable behaviour

So farewell Alan Ralsky; not lamented in the slightest.

Imagine a shoplifter who gets sued and settles with the shop on the understanding that he doesn't steal from their store again. Sounds ridiculous but that's exactly what suspected spammer Ralsky did with Verizon in 2002.

Verizon dropped the ball on this one. They could have shut him down there and then and they bottled it as far as I can see. Now you can argue that a company has a duty solely to its shareholders - indeed it's the law - but there's a wider responsibility here.

If a company is prepared to sacrifice its customers' time rather than taking a stand for them, I'd think about using another provider.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Banking on fraud

Bruce Schneier has raised an interesting point about phishing: who bears the responsibility for stopping it?

At the fundamental level it's individuals who need to be on their guard against phishing. We need to be more aware that phishing is our problem. There is absolutely no reason to send an email containing your banking details to anyone. Period.

But beyond that it's clear that the banks are not doing enough either. There are a variety of steps that could be taken to solve the problem but, until the financial cost is passed directly onto the banking community, we won't see them in this country.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Microsoft does it again

Just when you're beginning to trust Microsoft it manages to waste that brand capital.

There's no real excuse for this latest patch to be causing such problems. Having met its head of patch testing we can confirm that he's an honourable man and that the company is committed to testing.

It can only mean that someone was asleep at the switch. P45s all round please.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Painting the Forth Bridge

The attempts to stop websites stealing content are a bit like painting the Forth Bridge: a never ending task. It has to be done but heaven help the poor soul whose job it is to search the whole web for this stuff.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Security price shake-up

When Microsoft finally gets its backside into gear and brings out a proper security suite it's going to cause a major shake-up in security pricing.

But lower prices, while a good thing, won't be that much of a benefit if innovation stops. We saw that happen with browser development, which stalled for five years after Microsoft achieved market domination.

That said the doomsayers won't have much to worry about for the moment. The security industry is a mature market and Redmond will have to fight for market position.

It's also facing something of an image problem and a lot of security managers will have problems trusting Microsoft on security.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Traffic jam computer style

Toyota's Prius is a wonderful car. It's the wave of the future but, as software becomes a more integral part of a car, we're going to see more problems like this.

Attempts to hack the Prius have proved unsuccessful thus far but with the way exploit code goes in 50 years it won't be botnets taking over your PC that cause headaches, but possibly joyriders taking your car for a spin remotely.

Nevertheless don't let this put you off a Prius. If the ex-head of the CIA drives one for national security we should all take note.

October 18, 2005 | Permalink | Comments (0) | TrackBack

Corporate responsibility

Yahoo has finally caved in to pressure and shut down chat rooms used by paedophiles to attract young children. The only question is what were they thinking in allowing them in the first place?

Despite a personal passion for free speech there's no excuse for allowing web forums like 'Kiddies who love sex', or '8 to 12 year-old girls who love men'.

As a forum hoster Yahoo has a clear obligation to shut down such conversations, even if it takes a financial hit from employing someone to do so.

If it doesn't, then I'd hold them at least partially responsible if a child is lured into peril by a predator.

October 13, 2005 | Permalink | Comments (0) | TrackBack

The bigger picture

The ongoing spat between the US and the rest of the world over control of the internet isn't going away and may threaten the economic security of us all.

It's sad that it has come to this but the internet really does need to come under world control. It's a world tool and the UN is the best body to run it.

You're going to see a lot of posturing over the next few months but for all the talk the US is in a bit of a state. After all, what's it going to do? Shut down?

October 12, 2005 | Permalink | Comments (0) | TrackBack

Shoot the messenger

Hold the front page. A company hawking a Linux antivirus product has predicted that Linux viruses will become a big problem.

Well we've had Linux dominating the web server sphere for some time now but few  viruses. Linux on the desktop is getting more common and no real virus outbreaks.

Methinks Grisoft doth protest too much.

October 12, 2005 | Permalink | Comments (0) | TrackBack

Ready, set, patch

Another month, another patch session from Microsoft.

IT administrators now face a race to patch before someone reengineers one of the patches and sends out a virus to exploit it. It's only taking days now but if you're running a 10,000 client system that's not enough time.

Even if the hackers take a month or so there'll still be a vast pool of users out there who haven't updated their systems.

The problem is going to get worse too. When Cisco and others finally build their much touted intelligent network, unpatched PCs are going to have problems getting online, virus or not.

October 12, 2005 | Permalink | Comments (0) | TrackBack

You get what you pay for

There's an old saying – pay peanuts, get monkeys.

While the accountants can applaud outsourcing staff jobs to India from a security standpoint it's a really bad idea. They may be able to halve staffing costs but that's going to be little help if staff are far easier to corrupt.

In a country where salaries are low it not only takes very little to pay them a living wage but it's also cheaper to bribe them. Already call centre staff are being bribed for peanuts, reaping big profits for crooks.

There's another point. If you can see your own staff you can tell if someone's behaving funnily, if they look suspicious. It's unlikely that an outsourcer will have this kind of close relationship with his staff, and even if he does why should he investigate security. As long as the invoices keep coming he's happy and to rock the boat for security's sake makes non sense.

October 11, 2005 | Permalink | Comments (1) | TrackBack

Apied knowledge [No more puns or else - ed]

Pieing has become an increasingly popular form of social protest and another leading figure has been hit for the second time this year. She's not alone. Bill Gates and others have fallen prey to the actions of groups like the US Biotic Baking Brigade or the Dutch group TAART.

It's all usually taken in good spirits and no harm done. But it highlights one aspect of physical security, the effect of which on computer security is usually forgotten. Physical security is key to IT security but ask most IT managers about a building's weak points and I bet you'll get a blank look from most.

Arch cracker Kevin Mitnick explained how in many ways physical insecurity can get around millions of dollars worth of firewalls and intrusion protection systems. In an example he described how a hacker, posing as a visiting salesman, could ask to use one of the meeting rooms while waiting. If he finds a data port, the job of penetration is much easier.

So be aware of physical security. How easy is it to access data points and where are they located? You could just avoid an electronic pieing.

October 11, 2005 | Permalink | Comments (0) | TrackBack

Words you could regret

David Wood of Symbian was bullish about the secure nature of the Symbian OS, stating that there are no back doors. Those words could return to haunt him.

As any programmer knows it's impossible to write totally secure code. The sheer complexity of the process is such that holes get missed and even the most carefully architected OS can be vulnerable.

As the use of smartphones continues to grow hackers will be focusing increasingly on Symbian. David may have to eat his words with a big piece of humble pie. The Symbian code is very good, but no-one's perfect.

October 11, 2005 | Permalink | Comments (0) | TrackBack

Time to ponder

As you read this two Britons are languishing in jail for releasing a virus two years ago. Ironically if the legal process had been faster they might have got a lesser sentence than the slap on the wrist awarded by the judge.

Two years ago virus writing was seen as quite harmless; the pastime of teenagers with brains but no common sense. These days it is less socially acceptable and the courts take a harder line.

Nine months for the two of them is a very short sentence and they'll be up for parole in half that time. Maybe while they're waiting they could clean up some virus ridden PCs.

October 11, 2005 | Permalink | Comments (0) | TrackBack

Germans first to Robocop

Who would have thought that Germany would become the first country to recruit robot security guards.

We all know you can't write perfect code and these at least aren't armed, like those planned for use by the US military in Iraq. Still I hope for the manufacturer's sake they leased rather than bought the robots. I wouldn't bet on them lasting five minutes once British football fans go on the rampage.

October 11, 2005 | Permalink | Comments (0) | TrackBack

Lan of the dead

Hats off to the Dutch police for showing their British counterparts that The Netherlands isn't all pornography and pot.

A few years ago the police were talking in hushed tomes about people with hundreds of computers set up as botnets. Now I wouldn't be surprised if some grotty little virus writer has broken the million mark.

There's going to be a lot of talk about how evil these people are but that misses the point. Without unsecured computers botnets wouldn't exist - malware would bounce off firewalls like Mr Blobby taking a high dive.

October 11, 2005 | Permalink | Comments (0) | TrackBack