I recently got back on sat radio with Sirius/XM. Now I see they’re floundering? I can’t say I’m totally surprised. While the idea of “commercial-less” music and radio is brilliant and necessary, as well as the beauty of being able to listen to what I want as opposed to what happens to be in my midwestern farm-state area, that has to balance with the fact that it costs money vs free FM/AM radio, and household budgets are tightening.

I don’t think sat radio has a real market anymore; it was a transitional piece kinda like Blu-ray today. What I think will be the future is all of the web-based podcast and radio stations (like my favorite somafm). All it takes is the ability for my car to get on an internet connection and pump out a stream into my receiver. That’s it! Sat radio is still a closed system, even if they do have 3000 channels. Give me an open system like the Internet to choose my station… With Sirius/XM, I’m paying for 297 channels I typically don’t listen to, and the 3 I do listen to are sometimes playing things that suck and make me go back to my ipod or cowon or a disc. The most expensive channels (Howard Stern, Martha Stewart) I’ve never and never will listen to.

And it doesn’t even have to be a subscription fee system! Just charge for the cables/receiver to handle streams, and then pay for what many of us already have: sat data connections through something like our phones. If our fav stations want donations or fees, then so be it.

I get some “ok” stations on sat radio, but I’ll get exactly what I want at all times when given the freedom of selection from the entire Internet. Seriously, Pandora streamed to my car? Hawt.

Can Sirius/XM save themselves? Sure, but only if the music/radio industry as a whole doesn’t stop them. Sirius/XM already has all the logistics to beam me somafm or Pandora. They just need to license it. And that’s where I think the industry will politically block them. I don’t think the general music industry dare reverse their years-long fights against online broadcasters…bastards.

Last night I finished reading Little Brother by Cory Doctorow. The book is centered around security, privacy, and hacking as a survival trait. The technical bits and pieces are excellent, and the entire premise is easily plausible. It is an easy read, engaging, and technically awesome. The book is firmly geared towards teenagers. While there are some underage drinking, drug references, and minor sexual content, this is nothing compared to what goes on in the lives and minds of maturing teens today. Even so, I would recommend it to any teen with a passing interest in technology (even if you just use MySpace for fun), as well as any adult who has such interest in protecting privacy, freedom, and digital security.

On a side note, it makes me smile with enthusiasm at what it must be like to be a teenager or younger, growing up firmly in the midst of all this social networking and technology surrounding every facet of our days. I get a bit giddy at what someone with unlimited time and imagination can do with electronics and our digital world; it’s awesome!

In my previous post I reacted to Rich Mogull delving into the idea of a government agency being allowed to clean or isolate compromised systems. I wanted to pull out one idea and just bring it up without hopefully beating it to death; a “something to think about” moment.

Compare and contrast the feelings of a government having the ability to control, clean, or isolate your computer system with the ability for a corporate security officer to control, clean, or isolate your computer system at work. I won’t wax on about it, but just sit back and think about it beyond just who owns the assets, but also the value of some measure of privacy both at home or at work. It’s a good exercise! We get very passionate about privacy at home, so should we bother with thinking about it a litle bit for workers at work?

I missed this discussionary topic from Rich at Securosis the other week. I’m likely a bit late to join the convo, but I wanted to post a link here and throw some reactions. Rich basically proffered the idea of allowing a regulated agency to isolate or clean compromised systems (i.e. from threatening the safety/security of others).
Read his post and the comments for starters. Below, I’ll try to be brief and bulleted.

1. Safety and security. There is a big difference between those two terms. The firefighters in Rich’s opening analogy deal with safety. I have no argument that a firefighter can break into my burning house and further trash it in the interest of public or personal safety. But when it comes to security, we have a different topic, especially when security is ephemeral and fights with privacy. It is usually very clear when safety is impacted and far less clear when security is impacted and to what degree.

2. Is cybersecurity that dire an issue? We security geeks often act like an unpatched system spewing spam is the worst thing in the world, but is it? Sure, we don’t like it, but how does that weigh with other issues I bring up below, or with our privacy? We are really nothing as a free country without being able to protect our privacy to a degree.

3. Mistakes or corporate vs individual. Let’s say we have compromised systems and an agency is mandated to go in and burn the books at 451 deg…err…clean the system or shun that network node from the rest of the internet (isolation). What if that was a Google data center? Or Mom’s Crab Shack? or my home system? It won’t take but a handful of mistakes before this breaks down. And what if that were a false positive?

4. Agendas. I hate to be a pessimist sometimes, but we can’t even go to war without half the general public speaking up about agendas (right or wrong). And things don’t get better with smaller incidents (pork barrels?), they just get less exposed. “Gosh, I don’t know how my opponent’s campaign office got raided like that!” “Gosh, just go easy on that large company that employs a huge number of my constituents…” “Gosh, my district has an *epidemic* of compromised systems; we need to declare a cyber emergency and get more funding!”

5. IPS. One argument that still surfaces about IPS is their ability to suddenly shun false positives. In practice, it is difficult to do, but in theory, an attacker (or mistaken configuration!) can trigger an IPS to fire blocking protections and shun legit servers or networks. Remember SWATing? Eve calls 911 and gives Vince’s address so SWAT raids Vince’s house. Oops! This is very similar to the “mistakes” bullet above.

6. Potentiality. What if a system is potentially vulnerable to an attack? The debate on being proactive once “active” is allowed becomes muddier, and dangerous. ThoughtCrime, FutureCrime?

6. The Slope. We move very big steps closer to questioning the integrity of our Operating Systems. Should we proactively shun every Windows box not behing a network/firewall device? Why not just shun every non-perfect OS? We do like to batter and bash groups like Microsoft for their system’s insecurities, but let’s face it, such a product will never be perfect. Especially as a consumer product. I don’t like the road such actions move us towards.

7. Nothing to hide. Want to instantly drive a privacy advocate or even most hackers crazy? Utter the phrase, “Well, innocent people have nothing to hide.” If you still hold that argument aloft, I’m sorry in advance for your ignorance or tragic upbringing. I’d rather be surrounded by Mac zealots proclaiming their OS 100% secure…

8. Get off my systems. As an individual or a corporate entity, I would not be happy about someone being able to arbitrarily control my systems, even to “fix” them or “save” others. More on this on a follow-up post…

At the end of the comments, “Rob” posted what I think sums up my feelings, “I don’t like disagreeing with Rich, but I’d rather have a million botnets active on the internet than sacrifice the tiny remaining legal barriers to police invading my computers.”

I think we all know the news of another data breach, this time most likely at an online payment processor. My contribution to any thoughts on this is how quickly the information network in regards to breach rumors (and hopefully later actual details!) has become. It has been at least 4 days since I first heard these rumblings and only today is there some real information being presented by affected parties or VISA/Mastercard. And still no indication of who exactly is at the victim.

There is SSLFail. I’ve talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It’s like SSL implementations aren’t being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don’t care who was first, the fact that multiple people are pointing these out is noteworthy itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.

SSLStrip is the tool he announced, but I don’t see it public yet. Moxie has other SSL tools, too. And I’m curious who still doesn’t set (CAs) or check (browsers) basicConstraints.

Bottomline: If you’re still not scared of SSL MITM attacks at your local hotspots, you need to be. In fact, any time you’re on a network you can’t trust, you need to exercise reservation in your actions.

I didn’t realize the Information Security magazine was available online (pdf). Some highlights:

Schneier and Ranum go point/counterpoint on the topic of social networking and the workplace. Schneier has an excellently polished point, and I think Ranum has some good points, too, and properly attacked Schneier’s weak point on CEP transparency.

The 2009 Priorities Survey section wasn’t too interesting other than 75% reporting the Data Leak Prevention was a must-have. To me, this is like saying you need a complex man-trap…when there are plenty of open side doors and windows with nary a lock on them. DLP is definitely a conversation-starter whether you like it or not! The article continues on into access control, an equally twisted term. Are you talking issuing playful tokens or are you talking actually getting into who has access to what and how to limit that? Two very different ballgames..

I like the spirit of David Storms’ 10 tips to protect your company in a down economy (if you get the eEye newsletter, this is the story that didn’t get linked!). With the economy stagnating (or going down), I think many companies have put new projects on indefinite hold. At least in the tech area, I’ve not heard of huge swaths of layoffs unless the company is already bloated. So this might mean staff levels are frozen, but staff still need to get things done. With possibly less projects, it might be worthwhile to take on some free/open tools and leverage them instead of some bloated, expensive big-box that doesn’t really confer much true security knowledge. #8 about properly terminating employee accounts should really be #1 this year. With remote access and layoffs, many people will have knee-jerk thoughts of revenge or fear and may act on those ideas before access is properly terminated. Just this week we had 11 layoffs and those of us who hold those access keys learned about them all at the time of or after the fact. Gambling with fire!

We can’t talk about much in security without the silly thought that we might be “spreading FUD.” That is largely because shit just isn’t as secure as people think it is or expect it should be! Of course, there are two types of FUD: True FUD and False FUD. ..A discussion for another time perhaps!

More FU…errr…insecurity talk will be had at a presentation I wish I could see: Adam Laurie’s Satellite TV Hacking at Black Hate DC. An article about it is over at The Register.

An exploit against MS09-002 (IE7) is in the wild. This is a vuln that may lead to code execution in the context of the user. Thanks for the heads up on Twitter!

Today I needed to adjust the script that maintains my web environment. A developer needed a folder inside a website to be redirected to a different URL. This is easily done in an IIS MMC with just a few clicks. Since the dev needed any call to or inside that folder to go to a specific destination (and not carry over the trailing path), the box is checked for “the exact URL entered above.”

But my web install script deletes all sites and rebuilds them nightly. So, I need it to also rebuild this redirect.

In IIS6, it is easy to list out all of the children objects in a site, such as Virtual Directories. But if something has not specifically been given an object ID in the metabase, you can’t edit it like an existing object. In IIS6, regular old subfolders inside a site are not objects by default. You have to make them objects, in this case an IIsWebDirectory, before you can manipulate them.

This script snippet connects to an existing website, creates the IIsWebDirectory object, and sets the httpredirect property. Note that the folder may or may not actually exist in the site hierarchy yet. That’s ok! Also, the “, EXACT_DESTINATION” is the piece that makes the necessary check mark.

$iis = [ADSI]”IIS://localhost/W3SVC”

$findsite = $iis.psbase.children | where { $_.keyType -eq “IIsWebServer” -AND $_.ServerComment -eq “mywebsite” }

$site = [ADSI]($findsite.psbase.path+”/ROOT”)

$targetredirect = “/different/path, EXACT_DESTINATION”

$directory = “MySubFolder”

$newwebdir = $site.psbase.children.Add($directory, “IIsWebDirectory”)

$newwebdir.psbase.commitchanges()

$newwebdir.put(“httpredirect”,$targetredirect)

$newwebdir.psbase.commitchanges()

Part of troubleshooting this is echoing back psbase.properties to see what values I needed. This little piece will help, especially when you make the change manually and refresh this to see what changed. Get $iis, $findsite, and $site before doing this:

$homer = $site.psbase.Children | Where {$_.KeyType -eq “IIsWebDirectory”}
foreach ($donut in $homer) { $donut.httpredirect }
or
$homer.psbase.properties

My Tuesday quick rant. I’m not a big fan of schizophrenic IT departments (not a fan, but sometimems reality has to be tolerated). These are IT departments that one week want things fast and agile (like a cowboy!). Then the next week they realize fast often means mistakes, misconfigurations, and missing pieces that weren’t planned for, so the goal is suddenly to be slower and more deliberate (woot change management!). Then the next week, something needs to be done immediately in a cowboy state…

Not a fan of that…especially when the deliberate state makes the cowboy sprints much more painful and vice versa.

For future reference, some notes on hardening Apache. In case this post ever dies, it references these notes, and also points to some deeper tips.

I’ve long proclaimed email is dead (ok, it’s very slowly dying). It is great, but wasn’t ideal or forward-thinking enough (I can easily say that now that we’re beyond the forward!). IRC had it right early on, but just wasn’t and isn’t accessible enough… IM is excellent, but you often lose the buffering ability when someone is offline.

At lunch the other day I overheard a group of older adults talking and they delved into the topic of communicating with younger kids/adults. “They just don’t check their email like they used to. You have to text or post on their Facebook to get their attention.”

It’s true, right? Email is still dying and giving way to texting, IM, and social networking (aka Twitter, Facebook). Say that to anyone in a corporation and they may argue, but I’ll argue back that corporations (and later government) are the slowest entities to change. We’ll drag email on for another 10 years, most likely.

So last night I checked out my Twitter feeds again. Yeah, pretty hopping especially during and post-Shmoocon! In fact, I notice I still get new people following me very regularly. Seems I should jump back in! Hell, I also noticed I had some LinkedIn requests and Facebook requests (when the crap did I open a Facebook?!)…I may not dive totally into the latter one, but Twitter is just too powerful and cool paired with texting to keep drifting away from it.

Sony releases new piece of shit that doesn’t work. NSFW due to profanity, so put your headphones on.

EthicalHacker.net has a new challenge up. This is may be a first, I get to see it with plenty of time to submit something! Normally I see these after the fact or with 2 days to deadline. Oh, and The Brady Bunch was one of those shows that I watched but never liked; kinda like being forced to eat brussel sprouts as a kid; you sometimes have to, but it leaves a horrid taste in your mouth.