Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

April 2005 Archives

Elektron 1.0.2 for Mac OS X

Three days ago we quietly released Elektron 1.0.2 for Mac OS X (download here). This was in response to a problem with the startup script when running on Tiger.
Elektron 1.0.2 is only needed for new installs on Tiger. The only change from 1.0.1 is the startup script — if you're already running Elektron 1.0.1 on Panther you don't need it, and if you are upgrading your Elektron 1.0.1 machine from Panther to Tiger, you shouldn't need it. The Tiger installer fixes the file ownership on system startup items during the upgrade process automatically (or so I've been told — I haven't tested it myself).
By Chris on April 29, 2005 9:56 AM

Employees 'Forcing Wi-Fi Rollout'

ZDNet UK examines the problem of rogue access points on corporate networks. iPass claims to have found 28 rogue access points — unofficial wireless connections set up by employees tired of waiting for management to roll out their own wireless infrastructure — on a single floor at a Boston-based financial institution.
By Chris on April 28, 2005 11:57 AM

Checkout Software Security Breaches

The Wall Street Journal covers the theft of credit card numbers from retail point-of-sale software [subscription required]. In a nutshell, several popular POS software packages retain a customer's credit card number, including the credit card verification (CCV) number. This, of course, makes them an attractive target for thieves.
Why on earth are they saving these numbers? Chipotle Mexican Grill was listed as one of the companies that suffered a card number-related security breach. Do they really need your card number after you bought your burrito? I have absolutely no sympathy for these companies — retaining sensitive information for no reason other than "because we can" is just asking for trouble. At our own online store, we never store full credit card numbers, just the last four digits. That way, in case a customer needs to make a return, we can let them know which of their cards they used to make the purchase (we'll still need to have the full card number given to us again to make the refund, which again we won't retain).
On a side note, am I the only person who sees "POS software" and thinks of something other than point-of-sale? How did that acronym get popularized?
By Chris on April 27, 2005 10:02 AM

Tiger Update

It appears I spoke too soon when I described Elektron's Tiger compatibility. It turns out that Tiger likes its startup items to be owned by root with the group set to wheel, while Elektron installs its startup item with root ownership and the group set to admin. This causes Tiger to kvetch about permissions on launch. To fix this, in Terminal.app issue the command:
sudo chown -R root:wheel /Library/StartupItems/Elektron
You'll be prompted for your password. We'll fix this in Elektron 1.0.2 by the 29th.
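As an added example (not code from the post or from Elektron itself), here is a Python audit that walks a startup item the way chown -R does and reports every entry whose owner:group is not root:wheel, i.e. exactly what is left for the command above to fix. The demo tree it builds in a temporary directory is constructed for the example and stands in for /Library/StartupItems/Elektron.

```python
import grp
import os
import pwd
import tempfile

def owner_of(path):
    """Return 'user:group' for path as ls -l shows it (numeric ids if unnamed)."""
    st = os.lstat(path)  # lstat: report a symlink itself, not its target
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return f"{user}:{group}"

def audit_startup_item(item_dir, expected="root:wheel"):
    """Walk item_dir the way 'chown -R' would and return [(path, owner:group)]
    for every directory and file that does not match the expected owner:group."""
    wrong = []
    for dirpath, _dirnames, filenames in os.walk(item_dir):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            actual = owner_of(path)
            if actual != expected:
                wrong.append((path, actual))
    return wrong

def make_demo_item():
    """Constructed stand-in for /Library/StartupItems/Elektron: a directory
    holding a startup script and its parameter plist, owned by whoever runs this."""
    root = tempfile.mkdtemp(prefix="Elektron-demo-")
    for name in ("Elektron", "StartupParameters.plist"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("# demo file\n")
    return root

if __name__ == "__main__":
    demo = make_demo_item()
    for path, actual in audit_startup_item(demo):
        print(f"{actual:<20} {path}")
```

Run it against the real path before and after the chown: an empty result means Tiger has nothing left to complain about.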
By Chris on April 26, 2005 11:04 AM

Enforcing Good Password Choice

Glenn Fleishman discusses passwords. Password policy enforcement is tough — as a network administrator, you want your users to have long, unguessable passwords. Your users, on the other hand, just want to use their computers. Basic password testing is relatively easy: just check that the password is long enough (eight characters is a starting point) and contains mixed-case characters and at least one number or symbol. Bonus points: check that there are no dictionary words contained in the password. For instance, "1Password!" meets the criteria outlined above, but is not too hard to guess.
If you are stuck with a password-only authentication system (that is, you can't deploy two-factor authentication like smart cards), one solution could be to have administrator-generated passwords. For the new web store we are developing, we have a password reset feature that generates a new password when the user forgets the old one. We used a generator similar to this one, which creates pronounceable passwords that aren't actually words, for instance, "ideffite" and "aternyma". We add some punctuation to mix things up a bit. It's far from perfect, but just about the best we can do under the circumstances — we can't very well require that everyone have a Corriente-issued SecurID token before ordering from our store.
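As an added example (not code from the post or from the Corriente web store), here is a Python implementation of the checks the post lists, including the dictionary-word check that catches "1Password!", together with a consonant-vowel syllable generator that approximates the pronounceable-password generator the post mentions. The small word list and the symbol set are constructed for the example; a real deployment would read a full word list such as /usr/share/dict/words.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "letmein", "welcome", "burrito", "secret"}

def check_password(pw, dictionary=DICTIONARY, min_len=8):
    """Apply the post's rules; return the list of failures (empty means it passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs at least one digit or symbol")
    # Bonus check: reject any dictionary word embedded in the password,
    # which is what catches "1Password!" despite it passing the rules above.
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in pw.lower())
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems

CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"
SYMBOLS = "!#%&*+-=?@"

def generate_pronounceable(syllables=4, rng=secrets):
    """Build consonant-vowel syllables (a rough approximation of the generator
    the post links to), capitalise one letter and append a digit and a symbol
    so that the result satisfies check_password()."""
    body = "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS) for _ in range(syllables))
    i = rng.choice(range(len(body)))
    body = body[:i] + body[i].upper() + body[i + 1:]
    return body + rng.choice(string.digits) + rng.choice(SYMBOLS)

def entropy_bits(syllables=4):
    """Upper bound on the generator's entropy: pronounceable passwords are far
    weaker than random strings of the same length, as the post concedes."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS))
    return (syllables * per_syllable + math.log2(2 * syllables)
            + math.log2(len(string.digits)) + math.log2(len(SYMBOLS)))

if __name__ == "__main__":
    for candidate in ["1Password!", "short", generate_pronounceable()]:
        print(candidate, check_password(candidate) or "OK")
    print(f"generator entropy ~{entropy_bits():.1f} bits")
```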
By Chris on April 25, 2005 5:23 PM

LDAP Schema Changes in Mac OS X Server 10.3.9

Apple has posted a new knowledge base article describing a problem with changes in the LDAP schema in Mac OS X Server 10.3.9. We've tested against the changes (which are not described in the article) and they do not appear to affect the beta of Elektron Enterprise Edition for Mac OS X. If you are using the beta on Mac OS X Server 10.3.9 with LDAP authentication and experience any trouble, let us know.
By Chris on April 22, 2005 12:19 PM

InformationWeek: IE vs. Firefox

Fred Langa opines in InformationWeek on security vulnerabilities in Firefox. In comparison to Internet Explorer, he writes, Firefox has recently been affected by more security exploits. An article on MozillaNews rebuts this and downplays the vulnerabilities (the first comment on the article is "Langa == Pwned").
What does it all mean? Even vaunted open source software has bugs. The original article makes this point, and the rebuttal acknowledges it. When it turns out that your software has bugs (and it does!), the correct response is not to say "oh yeah? well our competitor has more bugs!". You need to acknowledge the bugs and fix them, something that both Microsoft (in recent years, at least) and the Firefox developers have been very good at.
By Chris on April 22, 2005 12:02 PM

Peace, Love, and Understanding in Berkeley?

Proof that not all of us Berkeleyans are granola-munching pacifists: a Cal professor, somewhat perturbed by the theft of his laptop, called out the thief in front of the rest of his class (a transcription is here for folks unwilling to sit through the video).
It's entertaining, but probably a load of BS. Look at the claims: "the people in Redmond Washington were very interested to know why it was that the same version of Windows was being signalled to them from two different computers." Windows activation only occurs at installation time; once the OS was installed on the laptop, it wasn't phoning home like the professor claimed. How about "The thief also did not inactivate either the wireless card or the transponder that's in that computer." A transponder, like LoJack for your laptop? I'm pretty deeply involved in computer security, but I've never heard of such a thing. I do believe the part about the Wi-Fi card allowing tracking — the campus IT guys could conceivably see the access point to which the laptop was connected, which would give them a reasonably clear view of where the laptop was located. This in turn would allow the campus police to arrest the thief if he were sitting alone in a remote corner of the campus library. However, if he's sitting in the student union with a couple of hundred other students on laptops, good luck picking him out.
It's a bluff, maybe it will work, maybe it won't. I have to guess that anybody with the temerity to steal the professor's laptop from the classroom is not going to be cowed by these threats. If I were the FBI agent investigating this crime, I would have some questions for the professor as well, like "why did you leave such sensitive, top-secret information sitting unencrypted on a laptop that you couldn't be bothered to keep an eye on?"
By Chris on April 21, 2005 10:21 AM

Wi-Fi Liability: Potential Legal Risks

Robert Hale has an article in the Santa Clara Computer and High Technology Law Journal titled "Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet". In it he raises the possibility of legal liability both for users who access insecure Wi-Fi networks and for those who run them. It's a scholarly legal paper, still it's understandable by us lay folks who have a grasp of Wi-Fi technology.
By Chris on April 21, 2005 9:41 AM

Grading on a Curve

Following up on yesterday's post about Verizon's CEO's claims that its network problems are due to what he feels are unrealistic customer expectations, Vocal Laboratories has given Verizon an "A" in their quarterly report ranking cell phone customer satisfaction. Apparently the graders didn't spend much time in the San Francisco Bay Area — when I was in school an "A" meant "excellent", not "slightly less bad than everybody else".
By Chris on April 21, 2005 9:34 AM

eWeek: Verizon's the Dumb One

Carol Ellison's recent eWeek column covers the idiotic comments made by Verizon CEO Ivan Seidenberg to the San Francisco Chronicle. He calls municipal Wi-Fi a "dumb" idea, but saves his really choice complaints for Verizon's own customers:
He told the Chronicle editors that consumers have "unrealistic expectations about a wireless service working everywhere. Why in the world would you think your [cell] phone would work in your house? The customer has come to expect so much. They want it to work in the elevator; they want it to work in the basement."
Umm, the reason I got the idea that my cell phone would work in an elevator is the Verizon commercial I saw last night featuring a man talking on his cell phone in an elevator!
By Chris on April 20, 2005 10:58 AM

VoIP is a Threat to Wireless Security?

This article on silicon.com begins with an attention-grabbing title, but as you read down you find it's not that bad — or at least it's not wireless specific. VoIP is not a wireless security threat because of any idiosyncratic interaction with wireless technology, but rather because VoIP requires that additional ports be opened on a company's firewall, which, of course, makes it just as much a threat to traditional non-wireless services.
So why the alarmist headline conflating wireless and VoIP? It's two, two, two buzzwords in one!
By Chris on April 19, 2005 10:15 AM

Let's Hope They Enabled Wi-Fi Security...

By Chris on April 18, 2005 11:59 AM

Elektron Enterprise Beta Available

Finally, a weekend off! We just posted the first public beta of Elektron Enterprise Edition. It's available from our download page. The new features in this version of Elektron include:
  • Basic RADIUS protocols like PAP and CHAP
  • Server replication
  • LDAP user authentication
  • User account storage via ODBC
  • EAP-TLS
  • LEAP
  • Authenticate users against another RADIUS server
  • Policy based authorization
  • RADIUS accounting
  • Extensive logging options
If you're happy with the standard edition of Elektron, there's a new beta of the forthcoming version 1.1 available, too.
By Chris on April 15, 2005 6:28 PM

Wi-Fi Alliance Extends Enterprise Certification Testing

For IT managers, this increases confidence that their chosen Wi-Fi authentication protocol will work with their equipment. In theory, WPA-capable Wi-Fi hardware should work with any EAP method capable of generating encryption keys (including PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, et al.). This new test suite ensures compatibility rather than relying on theory.
By Chris on April 14, 2005 10:34 AM

Tiger on April 29th

It was nice to get away from the office for a couple of days, and it was nice to get back and find the news that us Mac folks have been waiting for: Mac OS X 10.4 "Tiger" will ship on April 29th. Om Malik wonders if developers will be ready in time. I'm happy to report that Elektron is indeed ready. Of course, we'll do a couple of days of testing once the final seed is released to developers (and before the shipping version is in end-user hands), but I'm confident that everything is ship-shape.
By Chris on April 13, 2005 11:18 AM

"Security" Run Amok

A man tries to pay a $114 tab using $2 bills and gets arrested. Apparently the sales drones at his local Best Buy had never seen a $2 bill, and as a Baltimore County police spokesperson says, "we're all a little nervous in the post-9/11 world."
A friend once had a great idea for a fun prank: you can buy $2 bills in sheet form. Take a sheet of money and a pair of scissors into a store, and when you check out, whip out the sheet and the scissors and start cutting off individual notes. Perfectly legal, but apparently not funny in the "post-9/11 world".
By Chris on April 8, 2005 11:13 AM

Google Satellite Photos

Google released the satellite photo service that works in conjunction with Google Maps to much fanfare this week (as with pretty much every Google service, it's a "beta").
So what's the security angle that warrants a post to this particular blog? Zoom in on 1600 Pennsylvania Avenue. Notice that the roofs of the White House, the Old Executive Office Building (to the left) and the Treasury Department (to the right) are blacked (well, browned and greened) out.
By Chris on April 7, 2005 11:32 AM

FBI Demonstrates WEP Cracking in Three Minutes

The feds demonstrated WEP cracking at the ISSA show. They showed how to break a 128-bit WEP key in a trivial amount of time:
After about three minutes of capturing and cracking, the FBI team found the correct WEP key, and displayed it on a projected notebook screen. Agent Bickers, still speaking to the audience, turned around, looked at the screen and was surprised, "Usually it takes five to ten minutes."
They didn't use the NSA's basement full of supercomputers for the crack, just an off-the-shelf laptop and widely available WEP cracking tools.
By Chris on April 6, 2005 2:57 PM

Mac OS X Wi-Fi Adapter Compatibility List

Mac OS Wireless Adapter Compatibility List. Awesome resource. I can vouch for the Linksys WPC-54G working with the Apple AirPort software on a pre-AirPort bronze keyboard Powerbook G3, and for the IOxperts driver with a Lucent WaveLan Silver (note: no WPA security with that one, it's WEP or nothing).
By Chris on April 5, 2005 12:28 PM

Credit Card Theft Woes

In this week's TidBITS, Adam Engst details having his credit card number stolen, likely as a consequence of online shopping. I've had credit card numbers stolen twice. The first time was by an old-fashioned dumpster diver. Five years ago my AMEX number was obtained by somebody digging through my trash who used it to buy thousands of dollars worth of A/V gear over the phone. The police had no trouble tracking the guy down since he was stupid enough to have the equipment shipped to his home address. The theft didn't cost me anything but the price of a paper shredder, which I now use religiously.
The second theft was more insidious, and is demonstrative of the pervasive lack of privacy today. My MBNA Visa card was used to charge large amounts of money at retail stores in the Atlanta area. I don't carry my Visa card with me, and I hadn't been to Atlanta in years. Not coincidentally, MBNA's Southern Regional Headquarters is located in Atlanta. It was an inside job all the way, which is the risk you run when you give thousands of employees access to the private records of millions of customers. The overwhelming majority of MBNA's employees are honest, but all it takes is one bad apple. A look at the weekly parade of privacy abuses shows that something needs to be done.
By Chris on April 4, 2005 11:32 AM

Procrastination Pays Off

We've been periodically testing Elektron against development builds of Tiger, as we get ready for the next version of Mac OS X. In earlier builds, everything worked great except for a slight user interface glitch. We figured we'd wait until Tiger got a little closer to shipping to deal with it. Now that Tiger's release may be imminent, we spent the day yesterday re-testing. Lo and behold, the bug was in Tiger, not Elektron. Everything works great, no work necessary on our part. Like Hannibal used to say, "I love it when a plan comes together!"
By Chris on April 1, 2005 11:09 AM

Another Day, Another IE Flaw

Sigh.
By Chris on April 1, 2005 11:01 AM