Off the Top: Security Entries
Oddities on an Odd Day
There were three things from today's White House and Capitol evacuations that were a little more than bothersome.
First it was reported that a couple weeks ago there were evacuations, but the cause of the radar blips were clouds. It sounds like the system is not quite ready for prime time and our lives depend on it.
Second, the only way those of us not working in the Capitol nor White House knew something was up was people calling them or they caught something in the media. The city government of Washington, DC was not informed until after the all clear was sounded. After September 11, 2001 this Government seems to have learn little and changed their planning very little and they prove they lack competence at every turn.
Lastly, our President was out in the country-side on a bike ride. Oh, it was the middle of the day on a Wednesday and the President of the United States is out with an old school chum for a bike ride? You have got to be out of your mind. Not only did people elect this guy, he is getting paid for leading not bike riding and playing hooky, and he is allowed to keep his job?
Cyber Hole
One element of Homeland Security that gets little coverage, but could be be one area that is the most vulnerable is the cyber front. It does not bode well when the U.S. Cyberterrorism Czar resigns. This makes at least three in three years, not to count those that have had the job offered and turned down. The word on the ground is one of the nation's greatest vulnerabilities is also tied to one of the party in the White House's largest donors. Every Czar left out of frustration. This one gave less than one day's notice. Amit was also considered by most of the industry to be a very influential person and to listen to what industry needed to provide a safe digital environment in the U.S.
Is it most important to protect donors to your political party or to protect America and its infrastructure? My job is reliant on a safe infrastructure. If you are reading this you are using the infrastructure.
One Less Browser Option?
The talk on Metro this evening between a few folks was whether they would be able to use Internet Explorer the following day at work. The security hole in the browsers have been very problematic over the years, with this past year being particularly bad. This newest security hole permits your keystrokes to be copied by another party with out the user ever knowing. The warnings have been for banks, but it has spread to any log on, password, credit card number, or any information imaginable secure or wide-open, it does not matter.
Molly's WaSP Buzz entry outlining mainstream publications advising user to stop using the browser and Slate's "Are the Browser Wars Back? How Mozilla's Firefox trumps Internet Explorer" article frame the problems and options well.
My personal favorite browser on Windows is Firefox, which is one of the Mozilla browsers (it is the makers of the guts of the newest Netscape browser. On Mac I am a fan of Safari and Firefox and have both running at all times. You have options for browsing. Hopefully your bank and other purveyors of information were not foolish enough to build to just one browser.
Closing the Vulnerability
As mentioned elsewhere the URL vulnerabilities on Mac OS X can be closed very easily with RCDefaulApp, which allows you to turn off telnet called from the URL. The free application also allows turning off many other function calls from the URL as well as mapping file extensions to applications.
SixApart's TypeKey Coming Soon
SixApart's TypeKey looks to be a good resource to help authenticate those making comments on Web sites. I have been very happy with SixApart's TypePad, not that I am ready to move off my own system. Actually it sounds like TypeKey will have an open
Mac OS X is secure
Richard Forno sets the record straight on Mac OS X security compared to Windows. Forno is the former Chief Security Officer at Network Solutions. The technical overview from Forno shows that Apple's Mac OS X is far and away more secure than Windows.
Public disclosure of Microsoft usage
In an article from the New York Times regarding software oversight needed because some large companies don't check their own software for vulnerabilities, I ran across the following:
Proposals for government action being discussed by policy makers and computer security experts include strengthening the Department of Homeland Security's cybersecurity division and offering tax incentives to businesses for spending on security. Another proposal would require public companies to disclose potential computer security risks in Securities and Exchange Commission filings.
and the double standard for Microsoft
"There's a reason this kind of thing doesn't happen with automobiles," says Bruce Schneier, chief technical officer at Counterpane Internet Security in Cupertino, Calif. "When Firestone produces a tire with a systemic flaw, they're liable. When Microsoft produces an operating system with two systemic flaws per week, they're not liable."
I can just see it now the SEC requiring companies to divulge on their filings that their security threat is using the Microsoft OS. But, this would explain the day or two of lost productivity each quarter. I know of more than a handful of major firms (through friends that work at them) that had whole divisions (200 to 1,000 people) that were knocked off-line or completely out because of the last vulnerabilities. These did not show up in the news and their investors most likely were not informed.
At work I lose two to four hours per week of productivity to software bugs, security vulnerability patching, or operating system issues on the Windows platform we have to use. At home I do similar tasks on a Mac OS X based system and use Linux servers and I have a half an hour per month lost for the same things. Given I do more rigorous work at home and spend about an equal amount of time on the computer at home as I do at work I don't see why folks use Microsoft.
Microsoft gets an F for security and consumers pay
Security experts give Microsoft an 'F' CNN reports, but some experts are pointing to Apple as being more secure. One of the experts will be switching to Mac as he finds his wife's never gets viruses Mac.
I was supprised when Bank of America embraced Microsoft OS for its ATMs and services. My first thought was that they did not understand security or care about their customer's digital information. When I was changing banks my first consideration was digital security. I seem to have been thinking correctly this time as it seems the Slammer virus hit major company's resources using Microsoft OS and Bank of America had serious problems. As our society moves more toward digital interactions we need a secure framework and Microsoft has never provided that and appears it never will. The regular people who depend on the digital systems are the ones who suffer and the economy takes a huge hit with every Microsoft failure. We really need to stop the reliance on Microsoft now.
Apple security
Just in case you thought Microsoft was more secure than Apple...Jish boards a plane
If you think our skies are safe, go read Jish is all aboard. Some how I have a the feeling he could retell this one at Fray Day. I am going to miss Fray in SF this year and miss seeing all the wonderful folks that attend and tell their stories. I will be trying to go to the DC event.Microsoft embraces Apache Web server
CNet News discusses Microsoft's .Net set to link to Apache, which is a great step as the Microsoft IIS web server is increasingly being dropped as a viable option because of never ending security problems. This would literally doom Microsoft's .Net initiative as it would not be usable on the Internet without their Microsoft Internet server. By moving the ability to run the .Net framework on an Apache server Microsoft not only extends their ability to run their services on a superior Web server with far fewer security problems, but Apache is now recognized as a viable Web server by Microsoft. Apache owns the majority share of the Web server business and those of use that have had the ability to use it prefer it hands down to Microsoft's IIS.Internet more serious
The Washington Post provides the Internet gets serious article today. The article discusses security and copyright issues that have pulled back on the fun. I do not qutie agree that security has to limit fun, it has put a damper on what can be done on the Windows side of the world (a poor framework for the operating system is part of the problem here). The copyright issue does put a lid on fun, as in many cases it really limits picking up on ideas and extending them. Much of this problem falls at the feet of law makers who have set rules in place that were not well thought through from the perspective of information use. The article gets kudos for bringing up Lawrence Lessig's Creative Commons project.WiFi security
Seven security issues to watch with WiFi networks, a.k.a. 802.11 wireless networks. There are a handful of issues that we have to be aware of to either address or live with. I find the benefits greatly out weigh the downsides.MS looses to Open Source on security
Microsoft's sales pitch to the Pentagon back-fires as they pitch security of Microsoft as a point to use against Open Sourse solutions. Microsoft only wins that game in their marketing material.MS security causes sad day
Life sucks when: You have to pull an e-mail account that you manage from service. Particularly when this account is for your Dad. My Dad can be reached at Tom and I will be keeping Thomas. The TJV account is closed.
Why you ask? The account was hacked with the klez virus. He cleaned his hard drive, as he had no choice it or another virus took the hard drive out. He took another hard drive and put it in that machine and started fresh. This may have also infected his new laptop. Yes, all of these machines run Windows (the swiss cheese security system). My dad is more than computer savvy and Windows is not a consumer OS, as it is nothing more than an e-mail away from destroying everything digital you own (among many other issues, which I spend hours assisting friends and relatives with their continual problems with the MS OS). Microsoft continues to lie about its focus on security and the basic problem is the OS itself, it is not secure and it seems it will never be secure. UNIX has some issues, but has many more years of development under its belt, which is why is far more secure. UNIX variants (Apple Mac OS X, Linux, BSD, etc.) all have the advantage of years of experience and advanced developers working on the OS.
Keeping a MS box secure requires somebody with a lot of experience and they are not cheap. The MS total cost of ownership being lower than UNIX is a myth and unfounded. If you have MS open to the outside world (Internet server, DSL at home, or unfiltered (through virus scanner) e-mail, etc.) you need an MS security expert focussed on ensuring the sanctity of whatever is considered valuable on the MS boxes. This person will cost as much, if not more, than a senior UNIX systems administrator (who are, by and large, veterans in UNIX security also as it comes with the territory).
Too many folks (that are near and dear to me) have had MS servers hacked or been victims of viruses in the past couple of weeks. Granted the MS boxes hacked may not have been watched over by MS security experts, but that is what it takes.
Making choices, as far as what language to develop Internet applications, should keep in mind lock in factors. A UNIX only or a Microsoft only solution that requires the application be only run on a certain type of server has never been a great idea. This becomes even more apparent now. In my opinion this has never been a good option. Fortunately, there are many more options available that run on nearly all OS platforms. These include: Perl, PHP, Java (JSP), Python, ColdFusion, etc. Each of these languages have their own plusses and minuses, but if a certain OS platform becomes an unavailable option the applications can relatively easily be moved to another OS. This is not the case with ASP, and even less so the .Net framework (as noted before. Sure ASP can use ChiliSoft, but that is a very short term solution (as you know if you have ever had to use it, it buys you time to recode everything into a portable application language) and requires double to triple the hardware resources to run it compared to ASP on MS or any other language running natively.
All of this is just the beginning of the reasons why I most likely have bought my last Windows machine. The other reasons fall into the areas of trust and pricing. This explanation may follow soon.
Microsoft really did have swiss cheese security with all the holes in their servers. Seriously this is an imediate mandatory patch for the MS servers, so says Microsoft.
The Microsoft rants of late have been attributable to horrible networking problems that keep corrupting my mapped drives. The mapped drives to production and development servers work fine for days then blow-up. The server's response was the file was already open, when I was trying to copy over a file on one of the servers. Some days I could not even log on. I can have more than one mapping to a server so to copy to different project drives. Windows 2k says no way Jack. Not only this but setting up passwords for others today for them to log into the dev box, MS popped up an error message stating they had to have changed their password on their first login. That was their first login. Fully patched machines running too. What a poor excuse for an OS. Things have improved by the end of the day, but too much time is wasted on the crappy OS.
Wearable Computing and Airport Security
NT Times Circuits offers a look at Steve Mann's problems getting his weable computing self through airport security. All seemed to be fine until last month.The NY Times writes about methods to protect our laptops from theft. (I saw more laptops this past week to make it seem like it was a revolution, not to mention approximately 80% of the laptops were Apple).
Representational State Transfer (REST) and the Real World provides the ability to add security to XML-based Web Services, among other beneficial elements.
I was hoping this article would never be written as it is the antithesis of the Web. The Washington Post writes about setting up international boders on the Internet, which includes a digital border patol that denies access. My hope is that while there is a Web there is a way to get arround these restrictions. The whole world does not need to become like China and block content from outside its borders.
SecureMac seems to offer solid information, warnings, and fixes for Apple Mac security issues. It will be a good site to keep my one's on.
Part 2 of the PHP security issues, which explains how to shore up your PHP application builds.
On Earthweb, Jordan Dimov, provides PHP securtiy guidence. Some of this is a restating of known holes, which have been closed, or can be closed. It is good to read through this just to be safe.
The Beeb News provides a wake-up call to those that are still in the dark about wireless network security. The article welcome to the era of drive-by hacking shows how pervasive lax security is in London. This unaware approach to wireless network security can be a nice cheap way to get a fast Internet connection, but it also leave corporate and/or home networks wide open for abuse. The terms used for those that partake in the break in access are "war driving", "war pedaling", or "war walking" depending on the mode of transport used to take your laptop from open access network to open access network.
The article found that none of the networks use anything stronger than the built in security measures on the wireless hubs. The London area even has maps potting wireless access areas. Some see this access as a public good, but many of the enterprises networks, which house files and account information are wide open too.