February 2009 Archives
This Wired article on a Fannie Mae logic bomb falls into the category of, "..and this is why we stress consistency in doing the simple things in security."
On the afternoon of Oct. 24, he was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day...
Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m. Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.
How many times is a termination handled like this? Probably more regularly than I'd like to know. And how many times does it take to cause a business some serious problems? Just once.
By the way, how many reasonable people would finish out their day at work after being terminated? Sure, plenty would, but man that is a horrible decision by HR/manager.
by michael 02.02.09 at 1:24 PM in /general -
And this story of a 14-year-old boy impersonating a police officer for 5+ hours falls into the category of, "...and this is why we try to take human judgement* out of security controls."
One source said he was told the teenager “coded a couple of assignments” — meaning he used police codes to let a dispatcher know how he and his “partner” were handling particular calls. The source said he also was told the teen was allowed to drive the squad car.
He was allowed to do this because he was familiar with the protocols (how familiar does that sound to anyone knowledgeable about social engineering?) and because controls were skipped (roll call, etc). D'oh! Maybe this was a Superbad moment?
Side note: Why don't more people do things like this? Like so many crimes, they are not terribly hard to commit. The hardest part is crossing that very distinct moral line we have between what is right and wrong. Peer pressure influences this line, as does mental stability or digital anonymity (or distance maybe). And once you cross that line once, crossing it again becomes easier (the downward spiral of repeat offenders). We rely heavily on this line.
* Note that we try to do this, but obviously this cannot always be done and there will always be a need for human decision-making or agility. But we try to, because we know which one we can trust, when created and maintained properly.
by michael 02.02.09 at 1:41 PM in /general -
This article on the continuing saga of the Heartland Payment System data breach falls under the category of, "...no shit, you make a great and obvious point! By the way, that's egg dripping off your face, right?"
He has called for greater information sharing to prevent cyber-criminals from using the same or similar techniques in multiple attacks.
"I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week," [CEO Robert] Carr said.
Obviously I pine about this sort of thing regularly. I think Jericho put it best on the infosecnews mailing list:
Great! I'm glad to hear Mr. Carr is all about sharing information. I take it to mean that we will get the full story about what happened at Heartland first, to show that he is serious about sharing information. After all, by his reasoning, if he shares this type of information with the world, then he may help prevent another intrusion like it.
Lastly, Mr. Carr, I can point you in the direction of any number of people who know and can share details on how to be better with security, some of whom may be technical employees in your own business. Don't spread the blame of personal and corporate ignorance across an entire industry (even if that is true, don't dilute the issue of Heartland in particular). At some point, someone made a mistake, made a poor risk acceptance, or decided that feigned ignorance is best (a tactic we're taught from childhood...). I don't mind if those above possibilities are the real reason (it happens!), but I do mind when someone tries to avoid admitting as much.
by michael 02.02.09 at 1:53 PM in /general -
Us technical geeks love solving problems, and we tend to see various things in the world as problems to be solved. We even argue amongst ourselves quite geekily from tech topics to religion to wars to rhetoric. We see everything as a problem that *must* have a solution out there. We immediately view any voiced opinion as a challenge to be overcome.
We probably all did some sort of logic puzzle books or crossword puzzle books as kids. But I wonder how different our worlds might be if not every puzzle in those books had a possible solution hidden away in the back.
by michael 02.02.09 at 2:09 PM in /general - comments(1)
I was going to shut up about Heartland, until I read Anton Chuvakin's part III post which pointed me to a post by Verisign. After reading Verisign, read the other links Anton lists; at least one readdresses what struck me about Verisign's post:
In our investigations of PCI related breaches, we have NEVER concluded that an affected company was compliant at the time of a breach. [emphasis theirs] PCI Assessments are point-in-time and many companies struggle with keeping it going every day.
Is there a problem with PCI? If there is one, the problem lies in the QSA community..., not the standard itself...
And Anton adds this, although I'm not sure if he's being sarcastic or not:
Think about it! It was always either due to changes after an audit or due to an “easygrader” (or even scammer) QSA.
The above lines of thinking strike me as a dangerous place to tread. Fine, maybe we get it through enough heads that PCI is not and was never meant to be a perfect roadmap to perfect security and martinis on a tropical beach.
So we shift the "perfection" to be on the QSAs? Or maybe shift the "perfection" to be on the host company? Or shift the blame to PCI only being point-in-time (duh)? These are dangerous roads whose underlying assumption is that there is a state of security.
QSAs can only be as good as the standards, visibility, power, talent, and cooperation of the host customer. The host customer can only be as good as the talent, corporate culture/leadership, and budget (yeah, I said it!) allows them. PCI can only be as good as the authors and adherence to the spirit of the rules by the customer and QSA.
To me, this isn't an easy answer, but I'd rather not throw blame around more than necessary. I can't blame a QSA unless they are specifically negligent, because all QSAs will make a mistake at some point, even if that mistake is because the customer didn't give them the necessary visibility or because of some brand new technology or 0day that no one has been testing for. In that situation, no QSA will ever measure up unless they are bleeding edge and do continuous testing/auditing.
If there is any place to lay blame, it has to end up on the shoulders of the corporate entities (or any entity). They ultimately are the place that holds the keys to the most variables. Indeed, the ultimate place that needs to make the fixes and demonstrate their commitment to security is the corporate entity. Even with the absence of PCI and QSAs, they still have to buck up.
by michael 02.03.09 at 10:56 AM in /general -
We use a Cisco SSL VPN at work. One of the features we have turned on when a user connects is a keylogger scanner. It just scans and alerts, but takes no administrative action. This scan seems to be rebooting the client machine on a couple of our users, and we're not yet sure why. While discussing this in a team meeting, my boss made mention that when the keylogger check runs on his system, it flags two benign files that are false positives. He clicks Ok and continues on. The question he raised is, "What value is this check giving us if users will just click through?"
I gave it some thought over lunch. The direct value may not be much. In fact, it may result in 0 improvement to users (since they won't know what to do with the keylogger alerts) and may not prevent any infected systems from entering our network (users can just click through). If we turn on administrative action by the VPN client, obviously legitimate users will be denied ability to do work.
There are a few indirect values to still having the keylogger on, even if it ultimately fails.
1. The keylogger may log what it detects on and whom, so we have some statistics and auditing in case something bad happens, or someone else gets in.
2. Information is given to those few users who may investigate the issues and improve their knowledge and system health. Not doing alerts perpetuates ignorance.
3. We potentially can prevent bad systems from entering our network, or capturing login information. And let's face it, logging our VPN IP and login information is instant ownage. This potentiality may be worth it alone.
Of course, there are costs which might outweigh these indirect "values" that I see.
Ultimately, my boss mentioned in the meeting that it is clear that digital security is still not ready to be consumer-grade. And people certainly aren't ready to handle it themselves, for the most part. I tend to agree with him. I prefer my controls to be transparent to users as much as possible, but as good as possible as well. Unfortunately, we won't achieve security this way, but I feel the best returns are available on the technical side rather than relying on people.
by michael 02.04.09 at 12:49 PM in /general -
If you use a VNC product, more specifically UltraVNC or TightVNC (or others), you probably want to keep your eyes open for an upcoming new version of the client. Core released a VNC security advisory, and from the sound of it, a workable exploit is likely (hi Metasploit!).
Offsetting that risk, the exploit is on the client and not the server. This means an attacker has to not only get a workable exploit, but get a VNC user to connect to an untrusted or subverted VNC server. If you automatically have .vnc files mapped to the VNC client, this is where it might be useful for Metasploit to have a fake VNC server module to trick admins to connecting back to an attacker.
Now, I often get back to ideas on making a network more hostile to attackers, and this can be another opportunity, especially if a workable exploit is developed or released. Get your hands on a subverted VNC server, set it up in some dark space or honeypot area of your network and wait for someone attempt to connect.
by michael 02.05.09 at 3:32 PM in /general -
Grats to Mubix on his OSCP! In his post he talks about how the OSCP won't get anyone a job, and I think he's 99% correct. However, the caveat to that is that to anyone who knows what the OSCP is, it does have meaning. So the other 1% might be a manager who knows the OSCP and knows that anyone who has it probably has a certain level of geekery and interest in security beyond what even the CISSP will demonstrate (e.g. those sales people who are required to get CISSP and finally do so on their 6th try...). This is part of the reason I want to get back to the OSCP after my ill-fated attempt last year (right when I got slammed with a coworker quitting). The other part being that it actually is freakin hands-on!
by michael 02.06.09 at 2:35 PM in /general - comments(1)
Thank you to Tyler (SSLFail.com) for posting that Jay Beale has (finally!) released The Middler (sorry, no front page discussing it, just a direct link). Released, but it looks like, upon a very quick glance, that it might not be nearly finished yet. The Middler was discussed at Defcon 16. It is a tool that can inject into http traffic between client and server, intercept and reuse session credentials, and more. In short, this is a tool that automates what many of us have known can happen when you're on a non-trusted LAN. Only scarier. And more accessible.
By the way, props to Jay for apparently skipping ahead to the demos. There is a ton of information in his presentation and all of it relevant, but I was a bit disappointed in not seeing many demos at the Defcon talk. Despite that, his was one of the best talks I saw there!
by michael 02.09.09 at 9:18 AM in /general -
Anton Chuvakin posted over a week ago about some possible reasons why Heartland Payment Systems had their data breached. After his 5 examples, he concludes that none of them specifically implies that PCI failed or is irrelevant. In a way, he is correct, but what we're doing here is playing with semantics vs perception. (Something we who throw around the term "hacker" often should be very intimate with.)
If PCI didn't fail in any of those cases, one could argue that PCI will never fail us. That means PCI compliancy doesn't offer much beyond any other list of Best Practices. Best Practices that are required. We've known for some time that PCI is just a general guideline. But there is either a perception problem on those adopting PCI, or a presentation problem by the PCI Gods that are requiring it.
If PCI can't be blamed for anything, then what value is there? If PCI doesn't allow a CTO to shift blame onto it (or a QSA) when things go wrong, there are plenty who then see no value in it. In which case it is just a requirement to meet in the least painful/costly fashion possible (which does not preclude simply lying about it). And then there truly is no value in it for those persons.
I don't agree with that position, but it exists whether I like it or not.
Maybe the underlying concept we need to continue to hammer out is: Security is not easy.* Security is hard work. Security is not always cheap. Security costs money. I'm sure there is a haiku in there somewhere...
* Just think of all those painful experiences trying to align secure practices to people and a business. Years of those experiences, trying to guide the moving waters of a river to where you want them to flow. There are small and large security battles lost every day, and poor individual decisions made constantly and gambles accepted. We're certainly not in it because the job is easy!
by michael 02.09.09 at 10:50 AM in /general - comments(1)
I'm a bit surprised to see talk of BackTrack4 since it seemed like BackTrack3 is barely a year old. Alas, a new version can only be a good thing! Shmoocon attendees got to check out a pre-release version and I wouldn't be surprised if they did an IRC channel pre-release outing as well. Hopefully sometime soon BT4 will be widely released to the public or available to me via some other channels.
I had a few small quibbles about BT3 over BT2. I was unimpressed with the tossing away of the stealthy boot up. BT2 was very quiet on the wire, while my experiences with BT3 involved it starting up and immediately wanting an IP from the first network it saw. The BT3 hard disk installer was still pretty unintuitive, although the forums are invaluable for figuring it out.
BT4 goes back to the stealthy startup (omg newbies, you gotta start network!), and from what I gather will be much friendlier for a more permanent distro-like install (I'm assuming, here). I enjoy the livecd a lot, and someday I'm sure I'll enjoy a USB install more, but some of us really don't mind at all loading it on some older laptop for permanent use and tinkering. A vmware image as well? That might be worthy of a little jizz in my pants!
by michael 02.09.09 at 2:16 PM in /general -
In case someone has strangely missed this story, Chris Paget has made some headlines for a recent video where he reads and clones RFID tags around the San Francisco area. Read the comments for some good discussion (amidst the ignorant noise).
This is a very big issue for three reasons. First, obviously we need to care what may or may not be disclosed from the tags. Is it personal? Is it just a number that is looked up? This is probably the easiest issue to resolve.
Second, even if the item is just a number that is looked up, all it takes is some relatively simple database tracking or data points to start stumbling over the lines of privacy. #3482749 is Michael Dickey. #3482749 is shopping at Wal-Mart at 7:30pm. #3482749 stopped for a shake at McDonald's at 8:15pm. And so on... And it wouldn't take much to track this. If all the legit scanners that get issued are dumb but ping back to the master database system, the database just needs to log the location of the scanner that pinged in.
Third, just how easy is it to clone a tag and fool scanners? Kinda like me opening up a Facebook page for someone else, I might be able to do quite a bit of damage to someone's profile or reputation by wandering around with a cloned ID just for the heck of it. Or maybe I'll just clone my own and give it away on the streets and generate so much noise... In fact, how defensible would that tag information even be, legally, if I can generate doubt like that? Can I overpower my own RFID tag by transmitting a stronger signal and drown out my card?
Besides, let's face it, as a shop owner I might want to buy some cheap RFID reader and put it near the front door just keep my own tabs on who my repeat visitors are based on their number. And it's just a hop-step away from keeping a personal record of them so they can pay quicker by keeping their credit card on file and just charging them based on the number on the RFID. Come on, there's a whole industry of people salivating at the possibilities of such tracking and ID...
And if "do no evil" Google will happily cross the line of privacy in pursuit of the profits, so too will others. It will just take some curious entity that is large enough to connect data points and suddenly that slippery slope is rushing by fast enough to burn our ass.
In short, it's not just about the data given off by an RFID tag, but also how that data can be correlated. And how much the general public is made aware of the risks of unshielded tags or unquestioned tracking.
by michael 02.10.09 at 2:53 PM in /general - comments(1)
Quick note that BackTrack 4 beta is publicly available now.
I-Hacked has a series of nice links on installing BackTrack 4 that I didn't feel up to snagging and reposting here.
by michael 02.12.09 at 8:48 AM in /terminal23 -
EthicalHacker.net has a new challenge up. This may be a first: I get to see it with plenty of time to submit something! Normally I see these after the fact or with 2 days to deadline. Oh, and The Brady Bunch was one of those shows that I watched but never liked; kinda like being forced to eat Brussels sprouts as a kid; you sometimes have to, but it leaves a horrid taste in your mouth.
by michael 02.12.09 at 10:22 AM in /general -
Sony releases new piece of shit that doesn't work. NSFW due to profanity, so put your headphones on.
by michael 02.12.09 at 1:15 PM in /general - comments(2)
I've long proclaimed email is dead (ok, it's very slowly dying). It is great, but wasn't ideal or forward-thinking enough (I can easily say that now that we're beyond the forward!). IRC had it right early on, but just wasn't and isn't accessible enough... IM is excellent, but you often lose the buffering ability when someone is offline.
At lunch the other day I overheard a group of older adults talking and they delved into the topic of communicating with younger kids/adults. "They just don't check their email like they used to. You have to text or post on their Facebook to get their attention."
It's true, right? Email is still dying and giving way to texting, IM, and social networking (aka Twitter, Facebook). Say that to anyone in a corporation and they may argue, but I'll argue back that corporations (and later government) are the slowest entities to change. We'll drag email on for another 10 years, most likely.
So last night I checked out my Twitter feeds again. Yeah, pretty hopping especially during and post-Shmoocon! In fact, I notice I still get new people following me very regularly. Seems I should jump back in! Hell, I also noticed I had some LinkedIn requests and Facebook requests (when the crap did I open a Facebook?!)...I may not dive totally into the latter one, but Twitter is just too powerful and cool paired with texting to keep drifting away from it.
by michael 02.13.09 at 2:09 PM in /general -
For future reference, some notes on hardening Apache. In case this post ever dies, it references these notes, and also points to some deeper tips.
by michael 02.16.09 at 3:56 PM in /general -
My Tuesday quick rant. I'm not a big fan of schizophrenic IT departments (not a fan, but sometimes reality has to be tolerated). These are IT departments that one week want things fast and agile (like a cowboy!). Then the next week they realize fast often means mistakes, misconfigurations, and missing pieces that weren't planned for, so the goal is suddenly to be slower and more deliberate (woot change management!). Then the next week, something needs to be done immediately in a cowboy state...
Not a fan of that...especially when the deliberate state makes the cowboy sprints much more painful and vice versa.
by michael 02.17.09 at 3:27 PM in /general -
Today I needed to adjust the script that maintains my web environment. A developer needed a folder inside a website to be redirected to a different URL. This is easily done in an IIS MMC with just a few clicks. Since the dev needed any call to or inside that folder to go to a specific destination (and not carry over the trailing path), the box is checked for "the exact URL entered above."
But my web install script deletes all sites and rebuilds them nightly. So, I need it to also rebuild this redirect.
In IIS6, it is easy to list out all of the children objects in a site, such as Virtual Directories. But if something has not specifically been given an object ID in the metabase, you can't edit it like an existing object. In IIS6, regular old subfolders inside a site are not objects by default. You have to make them objects, in this case an IIsWebDirectory, before you can manipulate them.
This script snippet connects to an existing website, creates the IIsWebDirectory object, and sets the httpredirect property. Note that the folder may or may not actually exist in the site hierarchy yet. That's ok! Also, the ", EXACT_DESTINATION" is the piece that makes the necessary check mark.
$iis = [ADSI]"IIS://localhost/W3SVC"   # bind to the IIS6 metabase web service node
# find the site by its ServerComment (the display name shown in the IIS MMC)
$findsite = $iis.psbase.children | where { $_.keyType -eq "IIsWebServer" -AND $_.ServerComment -eq "mywebsite" }
$site = [ADSI]($findsite.psbase.path+"/ROOT")   # the site's ROOT node, parent of its folders
$targetredirect = "/different/path, EXACT_DESTINATION"   # EXACT_DESTINATION = "the exact URL entered above" check box
$directory = "MySubFolder"
# turn the plain subfolder into a metabase object so it can carry properties
$newwebdir = $site.psbase.children.Add($directory, "IIsWebDirectory")
$newwebdir.psbase.commitchanges()
$newwebdir.put("httpredirect",$targetredirect)   # set the redirect on the new object
$newwebdir.psbase.commitchanges()
Part of troubleshooting this is echoing back psbase.properties to see what values I needed. This little piece will help, especially when you make the change manually and refresh this to see what changed. Get $iis, $findsite, and $site before doing this:
$homer = $site.psbase.Children | Where {$_.KeyType -eq "IIsWebDirectory"}
foreach ($donut in $homer) { $donut.httpredirect }
or
$homer.psbase.properties
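As an added example (not the script from this post), the same steps wrapped in a function that can be rerun safely by a nightly rebuild: it reuses the IIsWebDirectory object if it already exists instead of failing on a second Add(), and reads the property back from the metabase so you can verify the EXACT_DESTINATION flag actually stuck. It assumes IIS6 on the local box, the ADSI adapter available to PowerShell v1/v2, and hypothetical site/folder names "mywebsite" and "MySubFolder".

```powershell
# Added example, not the original post's script. Assumes IIS6 on localhost and
# PowerShell with the ADSI adapter. Site and folder names below are hypothetical.
function Set-IisFolderRedirect {
    param(
        [string]$SiteComment,   # ServerComment of the site, e.g. "mywebsite"
        [string]$Directory,     # subfolder name inside the site's ROOT
        [string]$Destination,   # redirect target, e.g. "/different/path"
        [switch]$Exact          # add EXACT_DESTINATION ("the exact URL entered above")
    )

    $iis = [ADSI]"IIS://localhost/W3SVC"
    $found = $iis.psbase.Children |
        Where-Object { $_.KeyType -eq "IIsWebServer" -and $_.ServerComment -eq $SiteComment }
    if (-not $found) { throw "No IIS site with ServerComment '$SiteComment'" }
    $site = [ADSI]($found.psbase.Path + "/ROOT")

    # Reuse an existing metabase object: a second Add() of the same name is rejected,
    # which is exactly what bites a script that rebuilds sites every night.
    $webdir = $site.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq "IIsWebDirectory" -and $_.psbase.Name -eq $Directory }
    if (-not $webdir) {
        $webdir = $site.psbase.Children.Add($Directory, "IIsWebDirectory")
        $webdir.psbase.CommitChanges()
    }

    # ", EXACT_DESTINATION" is the text form of the MMC check box from the post.
    $value = $Destination
    if ($Exact) { $value += ", EXACT_DESTINATION" }
    $webdir.Put("HttpRedirect", $value)
    $webdir.psbase.CommitChanges()

    # Re-read from the metabase (not the local cache) so the caller sees what IIS stored.
    $webdir.psbase.RefreshCache()
    return [string]$webdir.HttpRedirect
}

# Troubleshooting view: every IIsWebDirectory under the site with its redirect value.
function Get-IisFolderRedirects {
    param([string]$SiteComment)
    $iis = [ADSI]"IIS://localhost/W3SVC"
    $found = $iis.psbase.Children |
        Where-Object { $_.KeyType -eq "IIsWebServer" -and $_.ServerComment -eq $SiteComment }
    $site = [ADSI]($found.psbase.Path + "/ROOT")
    $site.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq "IIsWebDirectory" } |
        ForEach-Object { "{0} -> {1}" -f $_.psbase.Name, $_.HttpRedirect }
}

# Usage with the hypothetical names; the returned string should end in EXACT_DESTINATION.
Set-IisFolderRedirect -SiteComment "mywebsite" -Directory "MySubFolder" -Destination "/different/path" -Exact
Get-IisFolderRedirects -SiteComment "mywebsite"
```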
by michael 02.17.09 at 4:12 PM in /general -
An exploit against MS09-002 (IE7) is in the wild. This is a vuln that may lead to code execution in the context of the user. Thanks for the heads up on Twitter!
by michael 02.17.09 at 4:38 PM in /general -
We can't talk about much in security without the silly thought that we might be "spreading FUD." That is largely because shit just isn't as secure as people think it is or expect it should be! Of course, there are two types of FUD: True FUD and False FUD. ...A discussion for another time perhaps!
More FU...errr...insecurity talk will be had at a presentation I wish I could see: Adam Laurie's Satellite TV Hacking at Black Hat DC. An article about it is over at The Register.
by michael 02.18.09 at 11:04 AM in /general - comments(1)
I didn't realize the Information Security magazine was available online (pdf). Some highlights:
Schneier and Ranum go point/counterpoint on the topic of social networking and the workplace. Schneier has an excellently polished point, and I think Ranum has some good points, too, and properly attacked Schneier's weak point on CEP transparency.
The 2009 Priorities Survey section wasn't too interesting other than 75% reporting that Data Leak Prevention was a must-have. To me, this is like saying you need a complex man-trap...when there are plenty of open side doors and windows with nary a lock on them. DLP is definitely a conversation-starter whether you like it or not! The article continues on into access control, an equally twisted term. Are you talking about issuing playful tokens or are you talking about actually getting into who has access to what and how to limit that? Two very different ballgames...
I like the spirit of David Storms' 10 tips to protect your company in a down economy (if you get the eEye newsletter, this is the story that didn't get linked!). With the economy stagnating (or going down), I think many companies have put new projects on indefinite hold. At least in the tech area, I've not heard of huge swaths of layoffs unless the company is already bloated. So this might mean staff levels are frozen, but staff still need to get things done. With possibly fewer projects, it might be worthwhile to take on some free/open tools and leverage them instead of some bloated, expensive big-box that doesn't really confer much true security knowledge. #8 about properly terminating employee accounts should really be #1 this year. With remote access and layoffs, many people will have knee-jerk thoughts of revenge or fear and may act on those ideas before access is properly terminated. Just this week we had 11 layoffs and those of us who hold those access keys learned about them all at the time of or after the fact. Gambling with fire!
by michael 02.19.09 at 8:55 AM in /general -
There is SSLFail. I've talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It's like SSL implementations aren't being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don't care who was first, the fact that multiple people are pointing these out is noteworthy itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.
SSLStrip is the tool he announced, but I don't see it public yet. Moxie has other SSL tools, too. And I'm curious who still doesn't set (CAs) or check (browsers) basicConstraints.
Bottom line: If you're still not scared of SSL MITM attacks at your local hotspots, you need to be. In fact, any time you're on a network you can't trust, you need to exercise reservation in your actions.
by michael 02.19.09 at 1:32 PM in /general - comments(2)
I think we all know the news of another data breach, this time most likely at an online payment processor. My contribution to any thoughts on this is to note how quick the information network around breach rumors (and hopefully later actual details!) has become. It has been at least 4 days since I first heard these rumblings and only today is there some real information being presented by affected parties or VISA/Mastercard. And still no indication of who exactly the victim is.
by michael 02.23.09 at 1:46 PM in /general -
I missed this discussionary topic from Rich at Securosis the other week. I'm likely a bit late to join the convo, but I wanted to post a link here and throw some reactions. Rich basically proffered the idea of allowing a regulated agency to isolate or clean compromised systems (i.e. from threatening the safety/security of others).
Read his post and the comments for starters. Below, I'll try to be brief and bulleted.
1. Safety and security. There is a big difference between those two terms. The firefighters in Rich's opening analogy deal with safety. I have no argument that a firefighter can break into my burning house and further trash it in the interest of public or personal safety. But when it comes to security, we have a different topic, especially when security is ephemeral and fights with privacy. It is usually very clear when safety is impacted and far less clear when security is impacted and to what degree.
2. Is cybersecurity that dire an issue? We security geeks often act like an unpatched system spewing spam is the worst thing in the world, but is it? Sure, we don't like it, but how does that weigh with other issues I bring up below, or with our privacy? We are really nothing as a free country without being able to protect our privacy to a degree.
3. Mistakes or corporate vs individual. Let's say we have compromised systems and an agency is mandated to go in and burn the books at 451 deg...err...clean the system or shun that network node from the rest of the internet (isolation). What if that was a Google data center? Or Mom's Crab Shack? or my home system? It won't take but a handful of mistakes before this breaks down. And what if that were a false positive?
4. Agendas. I hate to be a pessimist sometimes, but we can't even go to war without half the general public speaking up about agendas (right or wrong). And things don't get better with smaller incidents (pork barrels?), they just get less exposed. "Gosh, I don't know how my opponent's campaign office got raided like that!" "Gosh, just go easy on that large company that employs a huge number of my constituents..." "Gosh, my district has an *epidemic* of compromised systems; we need to declare a cyber emergency and get more funding!"
5. IPS. One argument that still surfaces about IPS is their ability to suddenly shun false positives. In practice, it is difficult to do, but in theory, an attacker (or mistaken configuration!) can trigger an IPS to fire blocking protections and shun legit servers or networks. Remember SWATing? Eve calls 911 and gives Vince's address so SWAT raids Vince's house. Oops! This is very similar to the "mistakes" bullet above.
6. Potentiality. What if a system is potentially vulnerable to an attack? The debate on being proactive once "active" is allowed becomes muddier, and dangerous. ThoughtCrime, FutureCrime?
7. The Slope. We move very big steps closer to questioning the integrity of our Operating Systems. Should we proactively shun every Windows box not behind a network/firewall device? Why not just shun every non-perfect OS? We do like to batter and bash groups like Microsoft for their system's insecurities, but let's face it, such a product will never be perfect. Especially as a consumer product. I don't like the road such actions move us towards.
8. Nothing to hide. Want to instantly drive a privacy advocate or even most hackers crazy? Utter the phrase, "Well, innocent people have nothing to hide." If you still hold that argument aloft, I'm sorry in advance for your ignorance or tragic upbringing. I'd rather be surrounded by Mac zealots proclaiming their OS 100% secure...
9. Get off my systems. As an individual or a corporate entity, I would not be happy about someone being able to arbitrarily control my systems, even to "fix" them or "save" others. More on this on a follow-up post...
At the end of the comments, "Rob" posted what I think sums up my feelings, "I don’t like disagreeing with Rich, but I’d rather have a million botnets active on the internet than sacrifice the tiny remaining legal barriers to police invading my computers."
by michael 02.25.09 at 11:03 AM in /general -
In my previous post I reacted to Rich Mogull delving into the idea of a government agency being allowed to clean or isolate compromised systems. I wanted to pull out one idea and just bring it up without hopefully beating it to death; a "something to think about" moment.
Compare and contrast the feelings about a government having the ability to control, clean, or isolate your computer system with the ability of a corporate security officer to control, clean, or isolate your computer system at work. I won't wax on about it, but just sit back and think about it beyond just who owns the assets, but also the value of some measure of privacy both at home and at work. It's a good exercise! We get very passionate about privacy at home, so should we bother with thinking about it a little bit for workers at work?
by michael 02.25.09 at 11:34 AM in /general -
Last night I finished reading Little Brother by Cory Doctorow. The book is centered around security, privacy, and hacking as a survival trait. The technical bits and pieces are excellent, and the entire premise is easily plausible. It is an easy read, engaging, and technically awesome. The book is firmly geared towards teenagers. While there are some underage drinking, drug references, and minor sexual content, this is nothing compared to what goes on in the lives and minds of maturing teens today. Even so, I would recommend it to any teen with a passing interest in technology (even if you just use MySpace for fun), as well as any adult who has such interest in protecting privacy, freedom, and digital security.
On a side note, it makes me smile with enthusiasm at what it must be like to be a teenager or younger, growing up firmly in the midst of all this social networking and technology surrounding every facet of our days. I get a bit giddy at what someone with unlimited time and imagination can do with electronics and our digital world; it's awesome!
by michael 02.25.09 at 1:04 PM in /general -
I recently got back on sat radio with Sirius/XM. Now I see they're floundering? I can't say I'm totally surprised. While the idea of "commercial-less" music and radio is brilliant and necessary, as well as the beauty of being able to listen to what I want as opposed to what happens to be in my midwestern farm-state area, that has to balance with the fact that it costs money vs free FM/AM radio, and household budgets are tightening.
I don't think sat radio has a real market anymore; it was a transitional piece kinda like Blu-ray today. What I think will be the future is all of the web-based podcast and radio stations (like my favorite somafm). All it takes is the ability for my car to get on an internet connection and pump out a stream into my receiver. That's it! Sat radio is still a closed system, even if they do have 3000 channels. Give me an open system like the Internet to choose my station... With Sirius/XM, I'm paying for 297 channels I typically don't listen to, and the 3 I do listen to are sometimes playing things that suck and make me go back to my ipod or cowon or a disc. The most expensive channels (Howard Stern, Martha Stewart) I've never and never will listen to.
And it doesn't even have to be a subscription fee system! Just charge for the cables/receiver to handle streams, and then pay for what many of us already have: sat data connections through something like our phones. If our fav stations want donations or fees, then so be it.
I get some "ok" stations on sat radio, but I'll get exactly what I want at all times when given the freedom of selection from the entire Internet. Seriously, Pandora streamed to my car? Hawt.
Can Sirius/XM save themselves? Sure, but only if the music/radio industry as a whole doesn't stop them. Sirius/XM already has all the logistics to beam me somafm or Pandora. They just need to license it. And that's where I think the industry will politically block them. I don't think the general music industry dare reverse their years-long fights against online broadcasters...bastards.
by michael 02.25.09 at 1:33 PM in /general - comments(2)