November 2004 Archives
Today HP released the iPaq hx2000 line
of PocketPC devices. Each model includes a biometric fingerprint reader. This is a welcome feature, despite the problems with fingerprint identification
, because password entry on a keyboard-less device is a big enough pain that many users simply turn off password protection. Other welcome features include integrated Bluetooth and 802.11b with a built-in 802.1X/PEAP client. Starting at $349, they are very reasonably priced.
By Chris on November 30, 2004 4:57 PM
USA Today has a story describing a honey pot project to test network vulnerabilities on different operating systems
. A Windows XP machine running Service Pack 1 with no additional patches was compromised within four minutes of being placed on the internet. Machines running Windows XP SP2, Linspire, and Mac OS X avoided being compromised despite repeated break-in attempts. Simply installing a free firewall
on the Windows XP SP1 machine provided the security needed to keep out attackers. "The firewalls did their job," says [Ryan Russell, co-author of the study]. "If you can't get to them, you can't attack them."
By Chris on November 30, 2004 4:44 PM
By Chris on November 30, 2004 10:37 AM
By Chris on November 29, 2004 1:07 PM
Glenn Fleishmann reports
on a PC World test that checks out Belkin's pre-802.11n gear
. I think that the biggest advantage for 802.11n users is the increase in wireless range. This is particularly true for home users: it could remove the need for multiple access points to provide complete coverage for the home; and for wireless clients who are primarily using the network for internet access, speed is already limited by their broadband connection. Thus, a wireless speed boost is not going to help much.
I can't figure out from the product page
whether the access point support WPA Enterprise or not. It claims WPA support, but the manual only makes mention of WPA-PSK. Oops, in fact, this Wi-Fi Planet review
makes it clear that the new Belkin does not have WPA Enterprise support. So Elektron
users, I guess we will have to wait...
By Chris on November 29, 2004 11:23 AM
By Chris on November 29, 2004 10:42 AM
By Chris on November 27, 2004 4:29 PM
By Chris on November 27, 2004 2:35 PM
Of course, the telcos have an even larger existing network, many, many more locations (there are probably a dozen telco COs between my house and the nearest Wal-Mart), lots of experience selling networking services, and an existing base of broadband customers. Still, the competition should be a good thing for consumers.
By Chris on November 24, 2004 3:45 PM
Mary Hodder says not to buy a Treo 650
. The reasons she gives (in addition to her ongoing problems with multiple Treo 600s):
So, why not buy the Treo 650? Well, the 650 does apparently fix the speaker problem, but does not have compatible connectors.. in other words, everything you bought for the Treo 600, like a car adaptor, or keyboard, or USB power/sync for your laptop, won't work on the Treo 650.
By Chris on November 24, 2004 3:21 PM
Looks like yet another Internet Explorer flaw, and this one works on XP SP2 as well as previous versions of Windows.
By Chris on November 23, 2004 12:31 PM
Huh, Safari supports URLs for man pages. If you're viewing this in Safari, try this link for the ls man page
. I don't know how useful this is in real life, but cool nonetheless.
By Chris on November 23, 2004 10:43 AM
When installing the file "extended theme.sis," Symbian phone users are informed by the operating system (OS) that the software is not Symbian Signed -- a trusted software application program initiated by the OS developer -- and asked if they want to continue, according to Hyppönen [Mikko Hypponen of F-Secure].
"This is definitely a good warning but the problem is that any advanced PC user who downloads software regularly sees this kind of warning 99 percent of the time and simply clicks OK," he said. "So the warning isn't really protecting much."
This underscores my long-held belief that all the clever security software in the world is no match for a careless user.
By Chris on November 23, 2004 9:54 AM
By Chris on November 23, 2004 9:37 AM
Philadelphia is working to create a city-wide Wi-Fi hot spot
, but is facing opposition from pols in Harrisburg
. It seems that Verizon is lobbying the state legislature for language in Pennsylvania House Bill 30 that would effectively undermine Philadelphia's plans in an obvious bid to prevent any competition in the broadband arena. The bill is on Governor Rendell's desk
, and so far there is no indication whether he will sign or veto the bill. If you're a Pennsylvania resident who believes in competition rather than government protected monopolies, there is still time to contact the Governor
and let him know how you feel.
By Chris on November 23, 2004 9:03 AM
By Chris on November 23, 2004 8:44 AM
A server hosting banner advertisements was hacked and used to spread some form of malware
. Exploiting an as-yet unpatched hole in Internet Explorer, users visiting web sites served by this host (including popular news site The Register
) can become infected. The news.com
article is vague on the details of what exactly the malware does, except to say that "once compromised by the program, an infected system will allow an attacker to install additional programs." What makes this web server compromise more insidious than average is the nature of banner advertisements: it wasn't just visitors to this specific web server that were vulnerable, it was every web site hosting ads served by the affected host.
Apparently, having Windows XP Service Pack 2 installed prevents infection. If you're running XP but haven't yet installed the Service Pack, do yourself a favor and download it and install it soon
. It's a pretty big leap forward in security for XP.
By Chris on November 22, 2004 4:31 PM
When you login to your Windows box as Administrator or as a user that is a member of the Administrators group, every application you run has Administrator permissions. This includes, of course, such commonly exploited applications as Internet Explorer and Outlook. If you get a viral email attachment or hit a malware-infected web page and inadvertently execute the attacker's code, that code is running at the same permission level as the application hosting it. If that application has Administrator-level privileges, your entire system is laid bare to the attacker.
Fortunately, Windows provides programmers with APIs that allow applications to be launched with their privileges restricted. You don't really need Internet Explorer to have the ability to write to your system32 directory, so why give it that ability? Michael Howard
has a write-up
(including sample code and a working executable) on how to accomplish this.
Now, given that the sample code is freely available, it would be nice if someone could pick up the ball and add some additional features. For instance, automating the process of creating shortcuts so that users do not have to create them manually. Maybe make a little launch bar that hold restricted applications (or maybe existing launch bar authors can incorporate the limited-privileges launch into their products). How about hooking the Windows shell so that when a user launches an application she is prompted for the privilege level she would like? Of course, that last one would need some way of saving the preference for each application, since that could get annoying really fast.
When one user secures their computer, everyone wins: that's one less computer able to propagate viruses and other malware to the rest of the world. We should make it as easy as possible.
By Chris on November 22, 2004 3:51 PM
On the plus side, you can now use your Treo 650 as a wireless modem for your laptop via Bluetooth
. Sprint had disabled this feature in their version of the Treo 650, promising an updated profile to re-enable it sometime next year. Fortunately for us, the Bluetooth-consuming public, an intrepid hacker found a two-byte change that re-enables dial-up networking.
By Chris on November 22, 2004 3:31 PM
Palm's Treo travails
demonstrate the benefits of real-world testing. All the functional specifications in the world are no substitute for putting your product in the hands of actual users and seeing what they do with it.
This is the reason we're doing a preview release of Elektron. We can create automated tests for the fundamentals: does our implementation of PEAP interoperate with Microsoft's implementation of PEAP? How about Cisco's? Can Mac OS X users login using TTLS? What we can't automate are the human factors: does this dialog box make any sense? Does it take too many steps to change a user's password? If I check this box, do I inadvertently disable important security features? These are the kind of questions we are trying to answer by putting product in the hands of actual users.
From the looks of things, Palm skipped this step with the Treo 650. They ran their automated tests, found out that their FAT filesystem was stable, and that the database API mapped to the new filesystem correctly. That's what the specification called for, so that's what they delivered. It seems they missed how people actually use their Palms to store data.
It's hard to imagine that with a little usability testing this wouldn't have been discovered. The first reports of Treo 650s maxing out on data that fit onto Treo 600s were online within 24 hours of the product's release. With Elektron, we have the advantage that getting our product into each additional user's hands has virtually zero incremental cost. With the Treo, Palm has to build another device at the cost of a couple of hundred dollars (or so I presume, I don't know what their actual cost is, but it is certainly quite a bit more than zero). But even getting it to a couple of dozen power users would have discovered this, and would end up costing substantially less in the long run.
Instead, Palm ends up with egg on its face, something it can scarcely afford given its shrinking market share
. It leaves me wondering who in the Palm food chain dropped the ball. The engineers working on the new filesystem would certainly have known about the problem. Did they not tell anyone? Do the Treo product managers and Palm executives use Treos? It's a shame that something with such potential was hobbled by something so simple.
By Chris on November 22, 2004 3:14 PM
I'm glad I held off on ordering a Treo 650, it seems that they have a significant problem with the new filesystem.
. Basically, Palm changed from using directly-accessed database storage to using a a FAT filesystem to store data. This is great for compatibility: common operating systems have FAT support built-in (Windows of course, but also Mac OS X and Linux), so you should be able to mount your Palm's filesystem on your Desktop system with little work on Palm's part. The big disadvantage that has now to come to light is that database records are aligned on FAT's 512 byte blocks. This means that database records that use to take up the actual size of the data being stored plus a small amount of overhead (8 bytes, if I recall correctly) now take up the size of the data, plus the overhead, rounded up to the next 512 block. So if you are storing a phone number, instead of using, say, 20 bytes, that same phone number now takes up 512 bytes. Ouch.
I love my Treo 600, and was really looking forward to Bluetooth support (really, really, really looking forward to it!) but now I'm inclined to hold off. For a couple of days, at least...
By Chris on November 22, 2004 10:05 AM
This seems like a reasonable compromise to me. You don't have to spend any additional time staring passively at ads, there's just an additional graphic on your screen while you are skipping the "real" commercials. Television programs cost money to create and broadcast, and broadcasters need some way to recoup their costs. We, the television-consuming audience, used to pay for our entertainment by sitting patiently watching ads. Now that the technology exists to easily bypass these ads, it's not at all unreasonable for broadcasters to want to leverage that same technology to recoup some of their lost revenue. If they can't, we may get stuck with even more offensively bad but cheap to produce reality shows
Tivo users' ire should be directed instead at Congress, which has introduced H.R.2391
which, among other choice tidbits, includes a gem outlawing devices that can fast-foward past commercials "that would otherwise be performed or displayed before, during or after the performance of the motion picture"
By Chris on November 19, 2004 10:44 AM
Apple has released version 4.1 of their AirPort software
. One item of interest for Elektron users: it supports WPA over WDS. This means that you can extend your WPA network without having to run cable to distant base stations.
By Chris on November 18, 2004 6:09 PM
By Chris on November 18, 2004 4:24 PM
Yesterday I switched the blog from a home-brewed system written in PHP over to SixApart's TypePad
service. It only took a few posts to realize that my own quickly cobbled together system was not going to scale very well.
This means that all my previous posts (fortunately, there were only a handfull) have been lumped together on the same day the day I imported them into TypePad. The nice thing is that I now get to use Ranchero's excellent MarsEdit
to work on the blog, and there's now comments available (and, in theory, somebody else is dealing with comment spam). It also means that there is now an Atom feed
available, in addition to an RSS feed
, although the XML link at the left still points to the RSS feed (version 1.0 now, the home-brew system used version 0.91). There's also RSD
there, and I would probably care about those if I had any idea what they are.
By Chris on November 17, 2004 10:38 AM
Jonathan "Wolf" Rentzsch has a nice roundup of the Mac FireWire security vulnerability
. In a nutshell, plugging into the FireWire port of any Mac gives an attacker unimpeded access to that machine's RAM. This includes the ability to read anything sensitive that might be sitting around in memory, like password or crypto keys, and perhaps more insidiously, to write to memory as well. This gives an attacker with access to a FireWire port complete control of the Mac in question.
Of course, the key phrase is "access to a FireWire port". The attack requires physical access to the machine, and if an attacker has such access, then the FireWire vulnerability is not the only threat. They could, for instance, force the machine to boot from a CD, which will gives full access to any attached drives.
Apparently, enabling an Open Firmware password closes the hole, so if you have a machine that could be vulnerable, you might want to enable a password
. This will also fix the boot-from-a-CD problem as well.
By Chris on November 16, 2004 10:39 AM
is going to be one of the less productive days around the Corriente office...
The morning TV news reported that Microsoft in anticipating $80 million in sales on the first day of release. I don't kow what percentage of that actually ends up in Microsoft's pockets, but I gotta imagine whatever it is will cover the entire cost of the game's development. In one day. Wow.
By Chris on November 16, 2004 10:38 AM
The Schneier article
that I mentioned before
makes the connection between adding new features to software and security flaws due to inattention to careful review and secure coding practices. The obvious target of this kind of criticism is Microsoft, which has earned a reputation over the years for just this kind of behavior. While this may have been true in the past, I think that the reputation is no longer deserved.
I know more than a few engineers (and one product manager) at Microsoft and I can confidently say that, to a person, they are singularly focused on creating secure software. They know that the eyes of the world are on them, and they consider security to be the most important feature of any of their products. All software project decisions, from high-level product architecture to nuts-and-bolts coding are viewed through this prism.
The bigger problem today with added features in software, particularly in security-related products, is that these new features are making software increasingly difficult to configure correctly. I recently had the pleasure of installing Microsoft's Internet Authentication Server (IAS) in order to do some compatibility testing (IAS performs functions similar to our product
). It took me three hours to get it barely limping along. By the time I was done it seemed to be working, but I had no confidence that with all my fiddling I had not inadvertently created any number of security risks. Fortunately, this was all being done on a Virtual PC machine rather than a production server, so when I was done I just deleted the virtual machine and any possible security holes went away.
We've spent a lot of time adding features, and then taking them out. These are features that looked good in the product specification, but in real world usage turned out to be more complicated than they should be. Our goal is to make a product that does everything that a user needs it to do, and no more. Now this is admittedly an unobtainable goal, as every user's needs are different. Still, it provides us with a target as we develop our products. If it ever takes any user three hours to install one of our products, then we missed this target by a mile.
By Chris on November 16, 2004 10:38 AM
One data point: we were seeing problems with a 17" AlBook with an Airport Extreme card and "interference robustness" enabled, as well as an older 15" TiBook with AirPort (no interference robustness option). The 15" was suffering drop-outs at a much greater rate than the 17". Now they are both working great.
I assume that Apple is aware of the issue, but so far they have had not made any public comment.
By Chris on November 16, 2004 10:37 AM
Bruce Schneier has put up a new blog post, "Computer Security and Liability"
. In it, he proposes that software vendors takes on some of the liability for security breaches. As it stands right now, all costs associated with security failures are borne by the software user. The idea is that if software vendors could be held financially liable for failures in their products, they would be more inclined to create secure products in the first place, rather than concentrating on adding new features.
It's an interesting idea, but it's not going to happen anytime soon. First, because the cost of software would balloon far beyond what just about any customer would be willing to pay. Here at Corriente we, like every responsible software vendor, already pay a tidy sum for our professional liability (AKA "errors and omissions") insurance. And that's without the constant threat of massive lawsuits hanging over our heads. Factor in the new costs, and we have two choices: close our doors or pass the cost on to the customer. If we did pass the cost on to the customer, I bet we'd be closing our doors pretty soon anyway.
The customer always pays for software security, whether at the front end or the back end. Right now the demand seems to be for the costs to be pushed to the back end, for the cost of security to be paid after the security breach occurs. Customers are, in effect, self-insuring against security faults. Any vendor that changes this model for their own products, to accept liability as their own, isn't likely to be able to compete in the marketplace.
Another problem with software vendor liability is that it doesn't address open source software. Who is the vendor? Will individual programmers be liable for faults in their software? That would have a chilling effect on the OSS movement. The more likely outcome would be for OSS users to accept liability as they do now, which promotes the status quo.
The article, like all of Schneier's writings, is an interesting read, with some of the comments taking issue with his conclusions. Give it a read.
By Chris on November 16, 2004 10:37 AM
There's a lengthy thread
on the Apple AirPort discussion boards
concerning seemingly random drop-outs while using Airport Express base stations. There are also reports of problems with Airport Extreme base stations as well, which is consistent with my experience with one of our AEBS units. A couple of days ago I swapped in a Linksys WRT54G
(a great, inexpensive access point, $54.74 after $10.00 rebate at Amazon
right now) and it's working smoothly, so this seems to be a problem with the AEBS rather than a case of some kind of 2.4GHz interference.
I'm watching this closely because having a flakey access point is a real pain in the neck when using WPA Enterprise, since dropping the connection forces a re-authentication. The fast reconnect feature in Elektron
helps, but the hiccup is still noticeable and more than a little irritating. [via AirPort Blog]
By Chris on November 16, 2004 10:33 AM
Of course, you don't need to take every bit of advice they give. For instance, instead of removing AirPort support altogether you could pick up a copy of Elektron
to secure your AirPort network.
By Chris on November 16, 2004 10:31 AM