Wednesday, August 22, 2007

Lucky I'm not a kid these days

...I would likely be arrested, expelled, or something.  It is insane that drawings of what merely "looked like a gun" are treated as "a threat".  We drew all kinds of war pictures and other lurid things in grade school and high school that would probably get us painted as even worse by today's "standards".

Zero-tolerance policies are really zero-thought policies.  They allow schools to make one-size-does-not-fit-all decisions without any reprieve or mitigating circumstances.  Imagine if the justice system worked that way.

AZ: School suspends boy for drawing gun » Rational Review
School officials suspended a 13-year-old boy for sketching what looked like a gun, saying the action posed a threat to his classmates.

Intuit Quicken backdoor encryption key cracked

It turns out there is a 512-bit master encryption key used in all versions of Quicken since 2003 that allows Intuit to decrypt your data (or potentially allows the Government to do so, as the conspiracy theorists are theorizing).
Pforzheimer acknowledged that there is a way to access encrypted Quicken files without a password, but that the ability is hardly secret. "It's for Quicken users who have forgotten their passwords - and only done when they call customer service or support."

I wonder how good their controls are for authenticating the owner of the files sent to them, which they happily decrypt for $10.  Or how good their controls are on who has access to the decryption key?  At the very least they should have disclosed to customers that they had this capability.

I have not found any technical details on the backdoor, as it is likely proprietary information that Elcomsoft will use to make money.

Elcomsoft cracks Quicken "backdoor"
Russian security software firm Elcomsoft announced on Friday that the company's researchers had cracked the master password that secures encrypted Quicken files and which allows the software's developer, Intuit, to retrieve lost passwords.

iPhone insecurity hype

Leave it to a new technology for chicken-little "analysts" to begin crying that the sky is falling.

What are the "problems" these analysts cite?
  • "no thought to enterprise security"
  • "may allow hackers to pilfer private data stored on or sent from iPhones"
  • "iPhones are unlikely to have a remote "lock and wipe" function that erases the device's data in the event that it's lost"
  • "iPhone's "closed" operating system makes it impossible to install protection software" (like antivirus)
So, the iPhone is not a Blackberry.  And Blackberries, with the BES server, have some great enterprise-class features.  But does the lack of some of those features mean the iPhone is a "security nightmare"?  That is just rhetorical hyperbole IMO.

And then there's Gartner:
"We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."
Sage advice from an IT support standpoint.  But do we all need to start battling with executives over their use of iPhones as the next network security scourge?  Probably not.  Most iPhones are likely to be used to synchronize data to a PC.  Assuming you have adequate protection on your desktops and network from viruses, the risk is no different from iPods or any other device someone decides to plug into their laptop to sync data (contacts or calendar).  So, this is not a new risk.

There are certainly going to be some data loss risks with the iPhone, but those are not necessarily new to the iPhone.  There are many other devices people can hook up that perform similar functions and can hold enterprise data that also don't support centralized control.  You should design your security controls with that reality in mind so you don't have to say the sky is falling with every new device out there.  There are solutions to lock down USB ports with policy if you so choose, for example.

Analysts: iPhone Has Neither Security nor Relevance

OnSecurity podcast: taking issue with PCI DSS Web Application Firewall Requirements

I have already noted that equating a web application firewall with a security-source-code-reviewed and threat-modeled application is ridiculous.  Dinis Cruz will remind you that the most devastating web application flaws are business logic flaws that none of these devices will find.  Even web application scanners are ineffective for most things beyond the low-hanging fruit.

Holes in the Firewall?
Are there shortcomings in the application layer firewall requirements set by the PCI Security Standards Council? Paul Henry, vice president of technology and evangelism at Secure Computing Corp., thinks so, and explains to Lisa Vaas in the OnSecurity podcast.

Linksys unofficial firmware: DD-WRT

I may want to check into this as a nicer alternative for my WAP54G instead of HyperWRT, which is no longer maintained.  There is a compact version for devices with limited memory.  I wonder if it still has the Samba driver in it...

DD-WRT is simply a project which was originally based on the official GPL sources of Sveasoft Alchemy, but later turned to an OpenWRT kernel-based firmware variant. Due to the nature of GPL-based projects, this firmware will also be released under this license. Initially I wrote this modification to make it possible to use the Linksys WRT54G/GS inside our wireless LAN network as a cheap replacement for our professional Lancom and Orinoco access points. So what was missing? First, we are using RADIUS authentication with a central account management inside our network for user authentication. There is already a RADIUS application available for OpenWRT, but OpenWRT was not a choice since it is not user friendly for a non computer professional without any Linux knowledge. So I just integrated it with some small enhancements in the Alchemy software. My wrt-radauth modifications:

Secure Programming with Static Analysis

I will definitely be checking this book out.

From: Brian Chess <[email protected]>

Subject: Secure Programming with Static Analysis
Jacob West and I are proud to announce that our book, Secure Programming with Static Analysis, is now available.
The book covers a lot of ground.
* It explains why static source code analysis is a critical part of a secure development process.
* It shows how static analysis tools work, what makes one tool better than another, and how to integrate static analysis into the SDLC.
* It details a tremendous number of vulnerability categories, using real-world examples from programs such as Sendmail, Tomcat, Adobe Acrobat, Mac OSX, and dozens of others.

Sign up for Google Technical Talks in Seattle

Technically, they are in the Kirkland office.  Sign up and get notified of upcoming talks.  I attended one by Vint Cerf that was very elucidating.

Join us for Technical Talks in Seattle

ext2 driver for Windows

I had previously used ext2fsd, but that was quite a pain to set up.  This has a nice installer and lets you map your Linux drive right to a drive letter in Windows because it is a full kernel-mode file system driver (Installable File System driver).  It supports read/write too.  It doesn't support any security on the drive, so caveat emptor.

It doesn't support any partitions using volume management either (not a surprise).

Ext2 IFS For Windows
provides Windows NT4.0/2000/XP/2003 with full access to Linux Ext2 volumes (read access and write access). This may be useful if you have installed both Windows and Linux as a dual boot environment on your computer.

"I ain't afraid"

Heard a snippet of this great song by Holly Near on a podcast.  You can get the song on her website for free.

Some choice lyrics:
I ain't afraid of your Yahweh
I ain't afraid of your Allah
I ain't afraid of your Jesus
I'm afraid of what you do in the name of your God

Free MP3 Download
Free MP3 Download "I Ain't Afraid" 5.4 MB This is one of the great songs from the CD Edge Copyright 2000 Hereford Music

Saturday, August 11, 2007

Google goes "Offline" with Gears

This is a great development.  The main thing I used GreatNews for was its ability to sync and view postings offline (although many RSS feeds are lame and truncate the stories...)  Of course, GreatNews doesn't work on Linux so Google Reader can now be my main feed reader.  It's great for podcasts too if you want to listen on the PC.

Of course, Google's delivery of the Firefox extension is from a non-SSL link...  See slight paranoia: A Remote Vulnerability in Firefox Extensions for why this can be hazardous to your computer's health.

Official Google Reader Blog: Oh Sam I Am, can I read it on the tram?
Google Gears, a browser plugin that enables offline web applications. Once you've installed Google Gears, you can download your latest 2,000 items so they're available even when you don't have an internet connection. To get started, simply click the "Offline" link in the top right of Google Reader.

Linux USB Bugs

It seems as if many devices don't like Linux's USB device autosuspend feature.  Many will stop functioning and will need to be disconnected and reconnected to work again.  I've got a multi-card reader that will hang and get these errors.  It was a problem on my old computer and is still plaguing me on my new one.  Glad to see that it's going to be fixed.  Newer kernels (>= 2.6.22) have a module parameter that lets you turn autosuspend off without having to recompile the kernel:

echo -1 | sudo tee /sys/module/usbcore/parameters/autosuspend

(With the often-quoted form "sudo echo -1 > /sys/module/usbcore/parameters/autosuspend" the redirection is performed by your unprivileged shell, not by sudo, so the write fails with "Permission denied"; piping through "sudo tee" performs the write as root.)
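Turning autosuspend off for the whole USB core, as the command above does, also costs you the power savings on every device that handles suspend fine.  The script below is an added example (mine, not from the post, the kernel documentation, or the Ubuntu bug) that disables autosuspend only for mass-storage devices, which is where the card-reader hang lives.  It assumes the sysfs layout of 2.6.22-era and later kernels: a per-device "power/level" file (later renamed "power/control") that takes "on" or "auto", a "power/autosuspend" file holding the idle delay in seconds where -1 means never, and a "bInterfaceClass" file on each interface directory where "08" is the USB mass-storage class.  The sysfs root is a parameter so that the demo can run against a constructed tree; point it at /sys and run the script itself under sudo to act on the real machine, which avoids the redirection pitfall entirely.

```shell
#!/bin/sh
# Added example: disable USB autosuspend only for mass-storage devices
# (USB interface class 08) instead of for the whole usbcore module.
# Assumed sysfs layout (2.6.22-era kernels and later):
#   ROOT/bus/usb/devices/<dev>/power/level        "on" / "auto"  (older kernels)
#   ROOT/bus/usb/devices/<dev>/power/control      same role on newer kernels
#   ROOT/bus/usb/devices/<dev>/power/autosuspend  idle seconds, -1 = never
#   ROOT/bus/usb/devices/<dev>:<cfg>.<iface>/bInterfaceClass
# ROOT defaults to /sys; the demo at the bottom uses a constructed tree.

# Print the device directory of every USB device with a mass-storage interface.
usb_storage_devices() {
    root="$1"
    for cls in "$root"/bus/usb/devices/*/bInterfaceClass; do
        [ -f "$cls" ] || continue
        [ "$(cat "$cls")" = "08" ] || continue
        ifdir=$(dirname "$cls")
        printf '%s\n' "${ifdir%:*}"     # ".../1-3:1.0" -> ".../1-3"
    done | sort -u
}

# Turn autosuspend off for one device. Writes go straight to sysfs, so the
# script must already be running as root. Returns 1 if nothing was writable.
disable_autosuspend() {
    dev="$1"
    changed=0
    for f in level control autosuspend; do
        [ -w "$dev/power/$f" ] || continue
        if [ "$f" = autosuspend ]; then val=-1; else val=on; fi
        printf '%s\n' "$val" > "$dev/power/$f"
        changed=1
    done
    [ "$changed" = 1 ]
}

# Apply disable_autosuspend to every mass-storage device under ROOT.
disable_usb_storage_autosuspend() {
    root="${1:-/sys}"
    usb_storage_devices "$root" | while read -r dev; do
        if disable_autosuspend "$dev"; then
            printf 'autosuspend disabled: %s\n' "$dev"
        else
            printf 'not writable (run as root?): %s\n' "$dev"
        fi
    done
}

# Report the current level/control setting of one device ("on" or "auto").
autosuspend_level() {
    dev="$1"
    if [ -f "$dev/power/level" ]; then
        cat "$dev/power/level"
    else
        cat "$dev/power/control"
    fi
}

# Constructed sysfs tree for the demo: 1-3 is a card reader (class 08),
# 1-4 is a keyboard (class 03). Prints the temporary root directory.
build_demo_tree() {
    root=$(mktemp -d)
    for dev in 1-3 1-4; do
        mkdir -p "$root/bus/usb/devices/$dev/power" "$root/bus/usb/devices/$dev:1.0"
        echo auto > "$root/bus/usb/devices/$dev/power/level"
        echo 2 > "$root/bus/usb/devices/$dev/power/autosuspend"
    done
    echo 08 > "$root/bus/usb/devices/1-3:1.0/bInterfaceClass"
    echo 03 > "$root/bus/usb/devices/1-4:1.0/bInterfaceClass"
    printf '%s\n' "$root"
}

# Usage: ./usb-storage-autosuspend.sh --demo   (constructed tree)
#        sudo ./usb-storage-autosuspend.sh     (real /sys)
if [ "${1:-}" = "--demo" ]; then
    demo=$(build_demo_tree)
    disable_usb_storage_autosuspend "$demo"
    echo "1-3 level: $(autosuspend_level "$demo/bus/usb/devices/1-3")"   # on
    echo "1-4 level: $(autosuspend_level "$demo/bus/usb/devices/1-4")"   # auto
    rm -rf "$demo"
else
    disable_usb_storage_autosuspend /sys
fi
```

The keyboard in the constructed tree keeps "auto", so only the card reader loses autosuspend.  Because the setting is per-device and not persistent across reboots or re-plugs, a udev rule or boot script would have to rerun it; the module-parameter approach above survives re-plugs but not reboots either unless put in a modprobe configuration.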

[linux-usb-devel] usb-storage autosuspend bug?

Bug #85488 - Comment #363

Bug #85488 in linux-source-2.6.20 (Ubuntu): “some usb_devices fault if usb_suspend enabled”

Googling from Seattle

The rumours are true.  Google is officially on both the Eastside and the Westside now.  Now they could make me an offer I couldn't refuse...  I wouldn't prefer to work in Kirkland, but even Fremont would be more of a jaunt than Downtown.

Business & Technology | Google takes space in Fremont for expansion | Seattle Times Newspaper
Google, based in Mountain View, Calif., plans to sublease about 60,000 square feet from Getty Images at the Waterside Building on North 34th Street.

That amount of space would accommodate about 240 workers, according to commercial real-estate brokers.

Google now has an engineering center in Kirkland and sales offices at another building on North 34th Street in Fremont. The new space will be used for additional R&D engineers, said Sunny Gettinger, a Google spokeswoman. She declined to say how many people Google plans to add in Fremont.

"Seattle is just very rich in engineering talent, We're running out of space in our other offices there, and we're continuing to grow," Gettinger said.

I-35W Bridge Collapse Photos

These are pretty amazing and tragic to look at.  I hope Seattle gets going on replacing the Alaskan Way Viaduct that I travel on every day to work...


By some estimates, it would only take about 9 billion dollars a year for 20 years to clear the backlog across the country of our crumbling infrastructure.  It took lots of Federal monies to build it; it's going to take Federal money to fix it.  Instead, we're spending close to a Trillion dollars on the Iraq war.  Politicians:  look around you.  The enemy is you for not funding the proper priorities.  It's us for not demanding it and holding you accountable.

I've also heard about some deficiencies in the procedures followed for reviewing bridge safety that need to be fixed.  Typically, bridges are reviewed on a 2 year cycle and estimates are made about their longevity and safety for 5-10 years into the future.  However, given that it may take at least 5-10 years to get a repair/replacement project passed, funded, and completed, it may be too late even then.

If you are interested in how things like this can happen, check out Why Buildings Fall Down: How Structures Fail.