November 2004 Archives

HP Gets Serious About Handheld Security

Today HP released the iPaq hx2000 line of PocketPC devices. Each model includes a biometric fingerprint reader. This is a welcome feature, despite the problems with fingerprint identification, because password entry on a keyboard-less device is a big enough pain that many users simply turn off password protection. Other welcome features include integrated Bluetooth and 802.11b with a built-in 802.1X/PEAP client. Starting at $349, they are very reasonably priced.
By Chris on November 30, 2004 4:57 PM

Four Minutes To Compromise

USA Today has a story describing a honey pot project to test network vulnerabilities on different operating systems. A Windows XP machine running Service Pack 1 with no additional patches was compromised within four minutes of being placed on the internet. Machines running Windows XP SP2, Linspire, and Mac OS X avoided being compromised despite repeated break-in attempts. Simply installing a free firewall on the Windows XP SP1 machine provided the security needed to keep out attackers. "The firewalls did their job," says [Ryan Russell, co-author of the study]. "If you can't get to them, you can't attack them."
By Chris on November 30, 2004 4:44 PM

New Netgear Equipment

Wi-Fi Planet has coverage of new equipment from Netgear featuring Power over Ethernet (PoE). The FS108P 8-port Fast Ethernet switch includes four powered ports, and the WG102 802.11b/g access point accepts PoE. The article quotes a $700 price tag for a single switch and four access points, making it the first affordable wireless PoE solution for small business. And as an extra bonus, the whole shebang supports WPA Enterprise, making it perfect for use with Elektron.
By Chris on November 30, 2004 10:37 AM

Skulls Trojan Update

The Symbian phone based Trojan "Skulls" just got a new, more insidious variant, "Skulls.B". The new Skulls includes the Cabir virus, giving it the ability to replicate itself to nearby handsets using Bluetooth. Insidious, yet somehow ingenious — I'm not sure how to feel. Maybe I should finally be thankful that my own phone doesn't support Bluetooth.
By Chris on November 29, 2004 1:07 PM

Pre-802.11n Speed Lives Up To Claims

Glenn Fleishman reports on a PC World test that checks out Belkin's pre-802.11n gear. I think that the biggest advantage for 802.11n users is the increase in wireless range. This is particularly true for home users: it could remove the need for multiple access points to provide complete coverage for the home; and for wireless clients who are primarily using the network for internet access, speed is already limited by their broadband connection. Thus, a wireless speed boost is not going to help much.
I can't figure out from the product page whether the access point supports WPA Enterprise or not. It claims WPA support, but the manual only makes mention of WPA-PSK. Oops, in fact, this Wi-Fi Planet review makes it clear that the new Belkin does not have WPA Enterprise support. So Elektron users, I guess we will have to wait...
By Chris on November 29, 2004 11:23 AM

Ken Jennings Loses

Kottke reports that Ken Jennings finally loses on the November 30 Jeopardy, capping an amazing run of 74 straight victories and $2.5 million in winnings.
By Chris on November 29, 2004 10:42 AM

Attracting Flies With Honey

Ben Edelman installed a clean, unpatched version of Windows XP to see how quickly it would be compromised by spyware and adware. With the viewing of only one page, he had 18 pieces of unwanted, invasive software installed. Time to start browsing safely!
By Chris on November 27, 2004 4:29 PM

palmOne Responds on Treo 650

palmOne has acknowledged the problems with the Treo 650. They've agreed to give a 128 MB SD card to any Treo 650 purchaser who requests one.
By Chris on November 27, 2004 2:35 PM

Wal-Mart WiMax Wackiness

Robert X. Cringely has an interesting idea: Wal-Mart should get into the WiMax business. They've got a robust existing network, piles of capital, and lots of locations — enough to blanket most of the populated land of the United States.
Of course, the telcos have an even larger existing network, many, many more locations (there are probably a dozen telco COs between my house and the nearest Wal-Mart), lots of experience selling networking services, and an existing base of broadband customers. Still, the competition should be a good thing for consumers.
By Chris on November 24, 2004 3:45 PM

Yet More Treo 650

Mary Hodder says not to buy a Treo 650. The reasons she gives (in addition to her ongoing problems with multiple Treo 600s):
So, why not buy the Treo 650? Well, the 650 does apparently fix the speaker problem, but does not have compatible connectors.. in other words, everything you bought for the Treo 600, like a car adaptor, or keyboard, or USB power/sync for your laptop, won't work on the Treo 650.
By Chris on November 24, 2004 3:21 PM

Can't Read What's Not There

Looks like yet another Internet Explorer flaw, and this one works on XP SP2 as well as previous versions of Windows.
By Chris on November 23, 2004 12:31 PM

Safari URL Coolness

Huh, Safari supports URLs for man pages. If you're viewing this in Safari, try this link for the ls man page. I don't know how useful this is in real life, but cool nonetheless.
By Chris on November 23, 2004 10:43 AM

New Trojan on Symbian Based Phones

InfoWorld has coverage of a new Trojan affecting phones running the Symbian Series 60 software, including the new Nokia 7610. The Trojan itself is not particularly interesting, but there is one telling quote from the piece:
When installing the file "extended theme.sis," Symbian phone users are informed by the operating system (OS) that the software is not Symbian Signed -- a trusted software application program initiated by the OS developer -- and asked if they want to continue, according to Hyppönen [Mikko Hypponen of F-Secure].
"This is definitely a good warning but the problem is that any advanced PC user who downloads software regularly sees this kind of warning 99 percent of the time and simply clicks OK," he said. "So the warning isn't really protecting much."
This underscores my long-held belief that all the clever security software in the world is no match for a careless user.
By Chris on November 23, 2004 9:54 AM

Removing Spyware

Ars Technica has a roundup of spyware removal tools. I've had good luck with Ad-Aware. Still, the best defense is to not get infected in the first place: keep up to date with system patches, don't download anything you're not absolutely sure of (and make sure any executable is digitally signed), and run your browser with minimal privileges.
By Chris on November 23, 2004 9:37 AM

No Love from Verizon in the City of Brotherly Love

Philadelphia is working to create a city-wide Wi-Fi hot spot, but is facing opposition from pols in Harrisburg. It seems that Verizon is lobbying the state legislature for language in Pennsylvania House Bill 30 that would effectively undermine Philadelphia's plans in an obvious bid to prevent any competition in the broadband arena. The bill is on Governor Rendell's desk, and so far there is no indication whether he will sign or veto the bill. If you're a Pennsylvania resident who believes in competition rather than government-protected monopolies, there is still time to contact the Governor and let him know how you feel.
By Chris on November 23, 2004 9:03 AM

More AirPort 4.1

Glenn Fleishman covers the AirPort 4.1 update in this week's TidBITS.
By Chris on November 23, 2004 8:44 AM

Attack of the Banner Ads

A server hosting banner advertisements was hacked and used to spread some form of malware. Exploiting an as-yet unpatched hole in Internet Explorer, users visiting web sites served by this host (including popular news site The Register) can become infected. The news.com article is vague on the details of what exactly the malware does, except to say that "once compromised by the program, an infected system will allow an attacker to install additional programs." What makes this web server compromise more insidious than average is the nature of banner advertisements: it wasn't just visitors to this specific web server that were vulnerable, it was every web site hosting ads served by the affected host.
Apparently, having Windows XP Service Pack 2 installed prevents infection. If you're running XP but haven't yet installed the Service Pack, do yourself a favor and download it and install it soon. It's a pretty big leap forward in security for XP.
By Chris on November 22, 2004 4:31 PM

Browsing Safely as an Administrator

When you log in to your Windows box as Administrator or as a user that is a member of the Administrators group, every application you run has Administrator permissions. This includes, of course, such commonly exploited applications as Internet Explorer and Outlook. If you get a viral email attachment or hit a malware-infected web page and inadvertently execute the attacker's code, that code is running at the same permission level as the application hosting it. If that application has Administrator-level privileges, your entire system is laid bare to the attacker.
Fortunately, Windows provides programmers with APIs that allow applications to be launched with their privileges restricted. You don't really need Internet Explorer to have the ability to write to your system32 directory, so why give it that ability? Michael Howard has a write-up (including sample code and a working executable) on how to accomplish this.
Now, given that the sample code is freely available, it would be nice if someone could pick up the ball and add some additional features. For instance, automating the process of creating shortcuts so that users do not have to create them manually. Maybe make a little launch bar that holds restricted applications (or maybe existing launch bar authors can incorporate the limited-privileges launch into their products). How about hooking the Windows shell so that when a user launches an application she is prompted for the privilege level she would like? Of course, that last one would need some way of saving the preference for each application, since that could get annoying really fast.
When one user secures their computer, everyone wins: that's one less computer able to propagate viruses and other malware to the rest of the world. We should make it as easy as possible.
By Chris on November 22, 2004 3:51 PM

More Treo 650

On the plus side, you can now use your Treo 650 as a wireless modem for your laptop via Bluetooth. Sprint had disabled this feature in their version of the Treo 650, promising an updated profile to re-enable it sometime next year. Fortunately for us, the Bluetooth-consuming public, an intrepid hacker found a two-byte change that re-enables dial-up networking.
By Chris on November 22, 2004 3:31 PM

Doing Your Homework

Palm's Treo travails demonstrate the benefits of real-world testing. All the functional specifications in the world are no substitute for putting your product in the hands of actual users and seeing what they do with it.
This is the reason we're doing a preview release of Elektron. We can create automated tests for the fundamentals: does our implementation of PEAP interoperate with Microsoft's implementation of PEAP? How about Cisco's? Can Mac OS X users log in using TTLS? What we can't automate are the human factors: does this dialog box make any sense? Does it take too many steps to change a user's password? If I check this box, do I inadvertently disable important security features? These are the kind of questions we are trying to answer by putting product in the hands of actual users.
From the looks of things, Palm skipped this step with the Treo 650. They ran their automated tests, found out that their FAT filesystem was stable, and that the database API mapped to the new filesystem correctly. That's what the specification called for, so that's what they delivered. It seems they missed how people actually use their Palms to store data.
It's hard to imagine that with a little usability testing this wouldn't have been discovered. The first reports of Treo 650s maxing out on data that fit onto Treo 600s were online within 24 hours of the product's release. With Elektron, we have the advantage that getting our product into each additional user's hands has virtually zero incremental cost. With the Treo, Palm has to build another device at the cost of a couple of hundred dollars (or so I presume, I don't know what their actual cost is, but it is certainly quite a bit more than zero). But even getting it to a couple of dozen power users would have discovered this, and would end up costing substantially less in the long run.
Instead, Palm ends up with egg on its face, something it can scarcely afford given its shrinking market share. It leaves me wondering who in the Palm food chain dropped the ball. The engineers working on the new filesystem would certainly have known about the problem. Did they not tell anyone? Do the Treo product managers and Palm executives use Treos? It's a shame that something with such potential was hobbled by something so simple.
By Chris on November 22, 2004 3:14 PM

Treo 650 Problems

I'm glad I held off on ordering a Treo 650; it seems that they have a significant problem with the new filesystem. Basically, Palm changed from using directly-accessed database storage to using a FAT filesystem to store data. This is great for compatibility: common operating systems have FAT support built-in (Windows of course, but also Mac OS X and Linux), so you should be able to mount your Palm's filesystem on your desktop system with little work on Palm's part. The big disadvantage that has now come to light is that database records are aligned on FAT's 512-byte blocks. This means that database records that used to take up the actual size of the data being stored plus a small amount of overhead (8 bytes, if I recall correctly) now take up the size of the data, plus the overhead, rounded up to the next 512-byte block. So if you are storing a phone number, instead of using, say, 20 bytes, that same phone number now takes up 512 bytes. Ouch.
I love my Treo 600, and was really looking forward to Bluetooth support (really, really, really looking forward to it!) but now I'm inclined to hold off. For a couple of days, at least...
By Chris on November 22, 2004 10:05 AM

Tivo's Teapot Tempest

Word that Tivo would start showing ads while users fast forward through commercials caused quite a stir in the Tivo community. Turns out the concern was overblown. You'll still be able to fast forward through commercials (well, maybe not), you'll just have to watch a small banner ad while doing so.
This seems like a reasonable compromise to me. You don't have to spend any additional time staring passively at ads, there's just an additional graphic on your screen while you are skipping the "real" commercials. Television programs cost money to create and broadcast, and broadcasters need some way to recoup their costs. We, the television-consuming audience, used to pay for our entertainment by sitting patiently watching ads. Now that the technology exists to easily bypass these ads, it's not at all unreasonable for broadcasters to want to leverage that same technology to recoup some of their lost revenue. If they can't, we may get stuck with even more offensively bad but cheap to produce reality shows.
Tivo users' ire should be directed instead at Congress, which has introduced H.R.2391 which, among other choice tidbits, includes a gem outlawing devices that can fast-forward past commercials "that would otherwise be performed or displayed before, during or after the performance of the motion picture".
By Chris on November 19, 2004 10:44 AM

AirPort 4.1 For Mac OS X

Apple has released version 4.1 of their AirPort software. One item of interest for Elektron users: it supports WPA over WDS. This means that you can extend your WPA network without having to run cable to distant base stations.
No mention of random drop-outs, though. There have been complaints regarding printer sharing. Seems that some printers that previously were shareable are no longer supported after the update.
By Chris on November 18, 2004 6:09 PM

We're Gonna Need a Bigger Tow Truck

By Chris on November 18, 2004 4:24 PM

Switched To TypePad

Yesterday I switched the blog from a home-brewed system written in PHP over to SixApart's TypePad service. It only took a few posts to realize that my own quickly cobbled together system was not going to scale very well.
This means that all my previous posts (fortunately, there were only a handful) have been lumped together on the same day — the day I imported them into TypePad. The nice thing is that I now get to use Ranchero's excellent MarsEdit to work on the blog, and there are now comments available (and, in theory, somebody else is dealing with comment spam). It also means that there is now an Atom feed available, in addition to an RSS feed, although the XML link at the left still points to the RSS feed (version 1.0 now, the home-brew system used version 0.91). There's also RSD and FOAF there, and I would probably care about those if I had any idea what they are.
By Chris on November 17, 2004 10:38 AM

Mac FireWire Vulnerability

Jonathan "Wolf" Rentzsch has a nice roundup of the Mac FireWire security vulnerability. In a nutshell, plugging into the FireWire port of any Mac gives an attacker unimpeded access to that machine's RAM. This includes the ability to read anything sensitive that might be sitting around in memory, like passwords or crypto keys, and perhaps more insidiously, to write to memory as well. This gives an attacker with access to a FireWire port complete control of the Mac in question.
Of course, the key phrase is "access to a FireWire port". The attack requires physical access to the machine, and if an attacker has such access, then the FireWire vulnerability is not the only threat. They could, for instance, force the machine to boot from a CD, which gives full access to any attached drives.
Apparently, enabling an Open Firmware password closes the hole, so if you have a machine that could be vulnerable, you might want to enable a password. This will also fix the boot-from-a-CD problem.
By Chris on November 16, 2004 10:39 AM

Halo 2 Arrives

Today is going to be one of the less productive days around the Corriente office...
The morning TV news reported that Microsoft is anticipating $80 million in sales on the first day of release. I don't know what percentage of that actually ends up in Microsoft's pockets, but I gotta imagine whatever it is will cover the entire cost of the game's development. In one day. Wow.
By Chris on November 16, 2004 10:38 AM

Creeping Featuritis

The Schneier article that I mentioned before makes the connection between adding new features to software and security flaws due to inattention to careful review and secure coding practices. The obvious target of this kind of criticism is Microsoft, which has earned a reputation over the years for just this kind of behavior. While this may have been true in the past, I think that the reputation is no longer deserved.
I know more than a few engineers (and one product manager) at Microsoft and I can confidently say that, to a person, they are singularly focused on creating secure software. They know that the eyes of the world are on them, and they consider security to be the most important feature of any of their products. All software project decisions, from high-level product architecture to nuts-and-bolts coding are viewed through this prism.
The bigger problem today with added features in software, particularly in security-related products, is that these new features are making software increasingly difficult to configure correctly. I recently had the pleasure of installing Microsoft's Internet Authentication Server (IAS) in order to do some compatibility testing (IAS performs functions similar to our product). It took me three hours to get it barely limping along. By the time I was done it seemed to be working, but I had no confidence that with all my fiddling I had not inadvertently created any number of security risks. Fortunately, this was all being done on a Virtual PC machine rather than a production server, so when I was done I just deleted the virtual machine and any possible security holes went away.
We've spent a lot of time adding features, and then taking them out. These are features that looked good in the product specification, but in real world usage turned out to be more complicated than they should be. Our goal is to make a product that does everything that a user needs it to do, and no more. Now this is admittedly an unobtainable goal, as every user's needs are different. Still, it provides us with a target as we develop our products. If it ever takes any user three hours to install one of our products, then we missed this target by a mile.
By Chris on November 16, 2004 10:38 AM

AirPort Flakiness Update

Earlier, I mentioned that we were having lots of problems with an AirPort Extreme base station. Looks like the problems were due to the AEBS and not any kind of radio interference. After replacing the AEBS with the Linksys all of the problems with dropped connections went away.
One data point: we were seeing problems with a 17" AlBook with an AirPort Extreme card and "interference robustness" enabled, as well as an older 15" TiBook with AirPort (no interference robustness option). The 15" was suffering drop-outs at a much greater rate than the 17". Now they are both working great.
I assume that Apple is aware of the issue, but so far they have not made any public comment.
By Chris on November 16, 2004 10:37 AM

Software Liability

Bruce Schneier has put up a new blog post, "Computer Security and Liability". In it, he proposes that software vendors take on some of the liability for security breaches. As it stands right now, all costs associated with security failures are borne by the software user. The idea is that if software vendors could be held financially liable for failures in their products, they would be more inclined to create secure products in the first place, rather than concentrating on adding new features.
It's an interesting idea, but it's not going to happen anytime soon. First, because the cost of software would balloon far beyond what just about any customer would be willing to pay. Here at Corriente we, like every responsible software vendor, already pay a tidy sum for our professional liability (AKA "errors and omissions") insurance. And that's without the constant threat of massive lawsuits hanging over our heads. Factor in the new costs, and we have two choices: close our doors or pass the cost on to the customer. If we did pass the cost on to the customer, I bet we'd be closing our doors pretty soon anyway.
The customer always pays for software security, whether at the front end or the back end. Right now the demand seems to be for the costs to be pushed to the back end, for the cost of security to be paid after the security breach occurs. Customers are, in effect, self-insuring against security faults. Any vendor that changes this model for their own products, to accept liability as their own, isn't likely to be able to compete in the marketplace.
Another problem with software vendor liability is that it doesn't address open source software. Who is the vendor? Will individual programmers be liable for faults in their software? That would have a chilling effect on the OSS movement. The more likely outcome would be for OSS users to accept liability as they do now, which promotes the status quo.
The article, like all of Schneier's writings, is an interesting read, with some of the comments taking issue with his conclusions. Give it a read.
By Chris on November 16, 2004 10:37 AM

AirPort Express/Extreme Flakiness?

There's a lengthy thread on the Apple AirPort discussion boards concerning seemingly random drop-outs while using AirPort Express base stations. There are also reports of problems with AirPort Extreme base stations, which is consistent with my experience with one of our AEBS units. A couple of days ago I swapped in a Linksys WRT54G (a great, inexpensive access point, $54.74 after $10.00 rebate at Amazon right now) and it's working smoothly, so this seems to be a problem with the AEBS rather than a case of some kind of 2.4GHz interference.
I'm watching this closely because having a flaky access point is a real pain in the neck when using WPA Enterprise, since dropping the connection forces a re-authentication. The fast reconnect feature in Elektron helps, but the hiccup is still noticeable and more than a little irritating. [via AirPort Blog]
By Chris on November 16, 2004 10:33 AM

NSA Guide for Mac OS X Available

The NSA has posted their Apple Mac OS Security Configuration Guide. It's part of their series of security configuration guides describing how to lock down a variety of applications, operating systems, and network devices. At 109 pages, it's not a short read, but it is definitely the most comprehensive set of guidelines available today.
Of course, you don't need to take every bit of advice they give. For instance, instead of removing AirPort support altogether you could pick up a copy of Elektron to secure your AirPort network.
By Chris on November 16, 2004 10:31 AM