Security Blog
4.12.2002
Make sure your voicemail pin is long, or end up like HP. What does it feel like to wake up and hear one of your voicemail messages being read on CNBC?
I love discoveries like this. A group from UMass claims they can identify DoS attacks. Read the details - every router along the path will need to be updated to do it. That's practical. We won't see this in production anytime soon. Adler has developed an automated technique for tracing a stream of
I know I said I'd be away, but I'm just checking email - honest. Couldn't resist this little update on Microsoft's recent MBSA tool. I haven't had a chance to play with it, but these reviews don't sound promising. Damien Adams, of technical services firm ScienTech, said: "For Microsoft to suggest that users should pay for tools to fix problems in its software is insulting."
4.11.2002
I'll be away from computers for the next few days, but will check in whenever possible. Look for more activity next week. Have a good weekend.
I remember stumbling across this guy's webpage last year after reading an article about him. The story painted him as a genius who built a European security firm and was living the good life. It was all quite slick and very flashy. But no one in the industry had ever heard of him, so there was a hint of BS floating around the whole thing. Looks like that was the case - he's in prison now for several counts of business fraud. The escapades of larger-than-life German Netrepreneur Kim Schmitz made
MS has postponed Hailstorm, its privacy-violating venture into web services. "They ran into the reality that many companies don't want any company between them and their customers," said David Smith, vice president for Internet services at the Gartner Group, a computer industry consulting and research firm.
IRC - clubhouse for crackers? Personally, I think it's just a bunch of bots with the occasional conversation; it's not nearly as fun as it used to be. CNN has a short piece on how criminals are using IRC.
4.10.2002
Yikes - some airport security horror stories. I used to carry on 2 bags. Then I switched to a briefcase only, now it's just a book. 9:35 p.m.: McCarran International Airport, Las Vegas
A computer crash wrought havoc on British flight schedules yesterday. It doesn't look to be security related, but shows the impact a brief outage (16 minutes) of a critical infrastructure component can have. Information from the West Drayton computer centre which processes data for all British commercial flights was blacked out from 6.05am for a crucial 16-minute period. Data for all flights had to be hand-written, causing massive delays to flights in-bound and taking off.
Reading through the wires this morning, same old stuff. Every story seems to be a rehash of something we already know - DoS still a threat, blah blah blah, security market attracts cautious investors, blah blah blah. It's difficult to find an original article, especially from a major outlet. I did find this piece on corporate espionage, something that happens more often than we think. Unfortunately, most companies don't consider it to be a threat during risk analysis. The information-gathering techniques are almost always legal and carried out by trained professionals - often former government intelligence operatives highly trained in obtaining military and economic secrets.
4.9.2002
Another Microsoft story, this one from Salon, discussing the Trustworthy Computing program. Some interesting insight into the cultural fears MS, and computing in general, needs to address. One of the reasons there's been little debate about Trustworthy Computing is that no one -- including most Microsoft employees -- seems to know what it is. Even the company's public relations experts have trouble conveying Mundie's vision. But for those willing to wade through it, his white paper details the big picture in depth: "Trustworthy Computing is a label for a whole range of advances that have to be made for people to be as comfortable using devices powered by computers and software as they are today using a device that is powered by electricity."
My friend Scott's blog linked to this article at the NY Times discussing MS's security initiative. Evidently, every single programmer at MS has attended a secure programming class in the past 2 months - and now they're experts. I especially enjoyed this gem: Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
I've read about a few private companies that sell satellite imagery for intelligence purposes. How did companies like that get started? I would have guessed they were somehow prevented from getting off the ground. They weren't, and now everyone's using satellite intel. Perhaps a half-dozen countries as well as some private companies have spy satellites that, while not as good as those used by the United States, are able to supply solid military intelligence.
4.8.2002
A scary scenario discussing some possible ramifications of the recent Kazaa debacle. In case you didn't hear, Brilliant Digital (the company which distributes Kazaa) has the ability to control the PCs of those using the popular file-swapping service. Any attacker who can control 100,000 machines is a major force on the internet, while someone with a million or more is currently unstoppable: able to launch massively diffuse DDOS attacks, perform needle in a hayfield searches, and commit all sorts of other mayhem. We already understand how worms could be used to gain control of so many machines. Yet the recent revelation that Brilliant Digital Media has bundled a small trojan with KaZaA has underscored another means by which an attacker could gain control of so many machines: poorly secured automatic updaters. If an attacker can distribute his own code as an update, he can take control of millions of machines.
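The "poorly secured automatic updater" in that excerpt is one that runs whatever the update server hands it. What closes the hole is the client refusing anything not signed by a key it already holds, and refusing to be downgraded. The Go program below is an added illustration of those two checks; it is not Kazaa's or Brilliant Digital's code, and the Update/Client types, the pinned vendor key and the version counter are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what a client downloads: a version number, the new program
// bytes, and a signature made with the vendor's (offline) release key.
// This layout is an assumption for the example, not any real updater's format.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes binds version and payload together under a domain tag, so a
// valid signature from one release cannot be spliced onto different contents
// or relabelled with a different version number.
func signedBytes(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write([]byte("example-update-v1"))
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is what the vendor's release process does; the private key never
// reaches the update server or the clients.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Client holds the pinned vendor public key (shipped with the installer)
// and the version currently installed.
type Client struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// Apply performs the checks before anything downloaded is executed. An
// insecure updater is simply this function with both checks removed.
func (c *Client) Apply(u Update) error {
	if !ed25519.Verify(c.VendorPub, signedBytes(u.Version, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= c.Installed {
		return ErrRollback // a signed but old release must not replace a newer one
	}
	c.Installed = u.Version
	return nil
}

// Demo walks through four constructed deliveries and reports whether each
// was handled as a secure updater should.
func Demo() (genuineOK, tamperedRejected, rollbackRejected, forgedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	client := &Client{VendorPub: pub, Installed: 1}

	// 1. A genuine release 2 from the vendor installs.
	genuine := Sign(priv, 2, []byte("legitimate build 2"))
	genuineOK = client.Apply(genuine) == nil

	// 2. Same signature, payload swapped in transit: signature no longer matches.
	tampered := genuine
	tampered.Payload = []byte("attacker payload")
	tamperedRejected = errors.Is(client.Apply(tampered), ErrBadSignature)

	// 3. A validly signed but older release (version 1) is a downgrade attempt.
	old := Sign(priv, 1, []byte("legitimate build 1"))
	rollbackRejected = errors.Is(client.Apply(old), ErrRollback)

	// 4. An attacker who controls the update server but not the vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(attackerPriv, 3, []byte("attacker payload"))
	forgedRejected = errors.Is(client.Apply(forged), ErrBadSignature)
	return
}

func main() {
	g, t, r, f := Demo()
	fmt.Printf("genuine installed: %v\ntampered rejected: %v\nrollback rejected: %v\nforged rejected: %v\n", g, t, r, f)
}
```

The point of the example is where the trust sits: the client trusts a key it already has, not the server it downloads from, so compromising the update server alone (the scenario the excerpt worries about) yields nothing the client will run. The version check matters because an attacker holding an old, legitimately signed but vulnerable build can otherwise push it back out to every client.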
This is a great overview on the process of discovering security bugs. Seven steps to getting posted on BUGTRAQ. To systematically find bugs, individuals do need
An interesting incident is outlined here involving computer forensics. What I find fascinating about this story is that the company who thought it was victimized, actually considered analyzing the drive in-house. They did the right thing by outsourcing the forensic work, but I'm amazed it was even an option. Could the evidence have stood in court had they done it themselves?
Morning, I'm feeling better and back at the computer. In the car today, I heard Howard Stern, of all people, talking about hackers. It was kind of funny, I thought it was my imagination. Robin, his co-host, said something like "Hackers can go anywhere they want". And Howard correctly assumed that we have no idea how many breaches really take place. Strange hearing such talk on that show.