Screenshot: A Weblog

I've been keeping track of interesting stories about security over the past couple of months for my intersession course, mostly ones that I have found through Slashdot, BoingBoing and/or Digg. As part of the process of selecting which ones will make it into the final week of the course and which ones will not, I thought I would put the whole list here, mostly without comment. If you notice anything that seems particularly interesting (especially if you happen to be in my course!) let me know and it will probably move up my list of things to discuss.

• Last year's Hack of the Year involves a Swedish hacker obtaining passwords for a number of governmental and embassy email accounts using TOR, an open-source tool that obscures web traffic. Think TOR sounds cool? Check out this guide to using TOR to surf anonymously to learn more about how it works.
• Not surprisingly, a study of wireless networks used in retail stores shows that most of them are insecure to some degree, with 25% not even using any encryption at all.
• We have read about hackers taking advantage of default passwords back in the 80s, but it remains a problem and there are a number of lists out there of default passwords for modern hardware.
• This is a slightly older story and the infected drives were pulled off the market, but certain Maxtor 500GB hard drives are being shipped with Trojans on them that send information on them back to sites registered in Beijing. But it seems that hardware being shipped with malware installed is a growing problem with digital photo frames also recently being infected.
• We all got used to the idea of disabling Javascript or Java in our browsers to block malware, but now Flash advertisements have malware embedded in them too.
• Sometimes what you think is a virus is just Microsoft being Microsoft: "During normal operation or in Safe mode, your computer may play "Fur Elise" or "It's a Small, Small World" seemingly at random. This is an indication sent to the PC speaker from the computer's BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance."
• A hole in QuickTime allows SecondLife avatars to be hijacked and made to turn over their Linden cash. Huh - I am about halfway through that novel.... More seriously, though, security within MMORPGs as a subset of software security seems to be a growing topic of interest.
• A McAfee report predicts more cyberattacks against and by governments in the coming years, based on evidence that many countries, including the US, have already started to use cyberattacks. It seems the attacks are mostly for the purpose of espionage. A related article coming out of this reports frames the issue as a coming cyber cold war - interesting in the context of this report that a number of recent blackouts outside the US were due to cyberattacks. And cyber-espionage need not be just against countries; corporate cyber-espionage is also believed to be on the rise.
• There is a lot of argument about how to compare the relative safety or number of holes in operating systems or software. Recently Microsoft reported that the number of holes announced in IE was less than in Firefox, and the Head Security Strategist at Firefox responded that the count did not include holes patched in major service packs and thus not announced, and discusses the security risk this represents for users. A similar argument get made in comparing Mac versus Windows vulnerability stats, with Mac by this report having many more flaws, but there being a question of whether apples are being compared to apples or not...
• This commentary on the balance between security and usability is worth reading. Part of the usability issue here is supporting depreciated filetypes, and whether that support needs to include security patches.
• This long technical article, in PDF format, describes a Chinese black market in malware. I have only skimmed the article so far but it has an interesting classification of the different players in the black market and how they related to each other, as well as a couple of case studies. Somewhat related is this article on the emerging "malware economy".
• If cracking WEP seems daunting (though it probably shouldn't after reading that guide...), maybe you want to practice on the less securely encrypted wireless keyboards.
• Lots of end of the year reports, including that 3.2 billion dollars was lost to phishing attacks and anti-virus protection is less good at detecting malware when looking at responses to new attacks.
• Sometimes sneaky malware-style behavior finds its way into commercial products, such as the feature in Adobe's CS3 that reports back usage data to a server with a sketchy name.
• South Carolina may require forensic investigators to have a PI license and some are concerned since the specialized skill set for forensic investigation currently has little overlap with the training and skill set of licensed PIs. The motivation, of course, being a desire to ensure that evidence to be used in trial is collected using appropriate standards.
• A recent report says that projects to find and repair security holes in open source software are proceeding well - the more interesting part of the article possibly being the large government supported effort to harden open source systems as their use expands. This would appear to be another "hidden" cost of free, open-source software.
• A case originating a couple of years ago and centering around the question of whether unauthorized (but unblocked) whois and DNS lookups constitute hacking has been decided in the positive (more commentary critical of the decision here).
• Worried after all of this that your computer is going to go kablooey any minute now? Keep this nifty Ubuntu LiveCD based technique for restoring your Master Boot Record in your back pocket...

Posted by Amanda at 12:27 AM | Permalink | Comments (1) | TrackBacks (0)

I've been saving up news articles about security vulnerabilities for my cyberattacks class, but I'm not quite sure where to fit in a discussion of potential vulnerabilities in Boeing's New 787. On the crazy-cool side, the plane is going to have internet connectivity in the cabin for passengers. On the crazy-stupid side, the passenger's network is connected to the cockpit network. Solutions are being discussed, but they do not seem to include just keeping the two networks physically separate. But software solutions can, and probably will, have holes, and Boeing is treating this as a software-debugging problem. I can't imagine what the justification would be for wanting the networks to be connected. I am a big proponent of the "if it is absolutely vital, keep it unplugged from any network" school of security. Or, frankly, if you can't do it safely, I'll get by without internet access on my plane flight....

Posted by Amanda at 12:26 AM | Permalink | Comments (3) | TrackBacks (0)

I was having a discussion over dinner about the problems with current presidential primary process, particularly the scheduling of them - yeah, I know, it's a controversial stance! Pretty much everybody you talk to has an idea for what could make the current scheduling better, and we were arguing the merits of various hypothetical plans when somebody observed that perhaps people with more expertise and who had actually analyzed the relevant data had looked at this question. So it was home to Wikipedia and their US Presidential Primary page, and the also good FairVote page on Presidential Primaries.

The major variations seem to involve either (1) group primaries starting with small states, and then working up to larger states towards the end of the process, (2) ordering the primaries to start with a random sampling of primaries but with structure imposed to start with "easy" primaries and work up to the larger, more expensive ones, (3) working through regions of the country in turn, or (4) pulling one state from each of a set of regions for each of a set of primary dates. FairVote has nice details on how each of these work with sample breakdowns/schedules.

The cynic in me thinks it likely, though, that any of these plans is going to lead towards a bias towards particular groups/regions and against others, and that saavy analysts will be able to work out which these are and the constituency with the best lobbying power is going to win (if anything ends up changing). To me, this calls out for a different plan (yep, despite what I said about listening to people who actually know what they are talking about, I'm going to throw in my ignorant two cents...) based on pure randomness. Let's pick a set of primary dates, and then randomly order the states among those dates. In order to prevent a state from being consistently devalued by falling late in the process, if you are in the last quarter of the primaries in one cycle, you are guaranteed to be in the first half of the primaries in the next cycle.

Sure, in any given year, you could have a bad outcome - small states could get a disproportionate say, primaries could be located such that poorer candidates have a harder time competing, etc. But you would avoid systematic biasing and considering the long-range trends of presidential elections, these concerns ought to even out. Otherwise, the debate seems to focus on whether particular goals (giving larger, urban states more say, making campaigning easier on fringe candidates, etc.) actually is desirable or not. And as I like to remind my students when looking at various AI systems, you always want to ask yourself if your highly engineered system beats random chance....

Posted by Amanda at 12:53 AM | Permalink | Comments (5) | TrackBacks (0)