June 2005 Archives
The last free set of security updates to Windows 2000 has been released. On July 1, Windows 2000 moves into "extended support", which means further updates will cost you.
By Chris on June 30, 2005 12:17 PM
has some Bluetooth security advice. You really shouldn't need to think about security just to make a phone call — it should just work. The most successful security protocols are the ones that you hardly notice. Take SSL, for instance. It's used millions of times a day by people who never even realized it was there. Protocol designers need to concentrate on making their creations secure so that users don't have to.
By Chris on June 29, 2005 4:04 PM
By Chris on June 29, 2005 2:58 PM
Their advice: get a longer PIN; they say that an eight-digit PIN will take 100 years to crack. Our bet is that a) the “very expensive” gear will turn out to be stupidly cheap and easy to put together on your own; b) eight-digit PINs will be cracked in a lot less than 100 years; and c) we’re not going to see this one in the wild any time soon.
By Chris on June 28, 2005 11:43 AM
By Chris on June 27, 2005 10:13 AM
Linda Leung, writing in Network World, has advice on how to hire reformed hackers to work for your software company. Her conclusion: "If you do want to hire a reformed black hat as a consultant, don't let him anywhere near your network." Of course, if you don't let your newly hired hacker anywhere near your network, how do they do their job?
By Chris on June 24, 2005 9:28 AM
I hate spam as much as the next guy, but this is bad news for Hotmail users. Only a small percentage of email systems use Sender ID, thanks to a variety of issues. Cynics will argue that Microsoft is using its millions of Hotmail users as leverage to increase adoption of its flawed protocol (and they'd be right). What we really need is for email system vendors to work together to solve the problem rather than trying to run each other's products into the ground.
By Chris on June 23, 2005 11:26 AM
A company called Skyhook Wireless announced a nifty service for using Wi-Fi access points to locate a user in a manner similar to GPS. By assessing the relative strength of broadcast beacons from known Wi-Fi access points the service can pinpoint a user's location. While similar to GPS, it doesn't have quite the accuracy — and it requires an appropriate level of Wi-Fi density, so its use is limited to urban areas. Still, they've identified several potential markets for the technology, and I'm hoping they find some buyers for this very novel use of Wi-Fi.
By Chris on June 22, 2005 8:43 AM
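The strength-weighted idea in the post, as an added illustration that is not Skyhook's code or algorithm: each beacon's RSSI is turned into a rough distance with a log-distance path-loss model (assumed constants), and the surveyed access-point positions are combined in a distance-weighted centroid; with fewer than three surveyed APs in view it declines to give a fix, the low-density case the post mentions. All BSSIDs, coordinates and readings below are constructed.

```python
# Hypothetical RSSI positioning sketch; an added example, not Skyhook's code.
# The survey database, path-loss constants and scan results are all constructed.

# Constructed survey: BSSID -> (x, y) position in metres on a local grid.
KNOWN_APS = {
    "00:11:22:33:44:01": (0.0, 0.0),
    "00:11:22:33:44:02": (100.0, 0.0),
    "00:11:22:33:44:03": (0.0, 100.0),
    "00:11:22:33:44:04": (100.0, 100.0),
}

TX_POWER_1M = -40.0  # assumed RSSI in dBm one metre from a typical AP
PATH_LOSS_N = 3.0    # assumed path-loss exponent for a built-up area
MIN_APS = 3          # below this many surveyed APs the fix is not trusted


def rssi_to_distance(rssi_dbm):
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 * n))."""
    return 10 ** ((TX_POWER_1M - rssi_dbm) / (10 * PATH_LOSS_N))


def estimate_position(scan, known_aps=KNOWN_APS):
    """Distance-weighted centroid of the surveyed APs present in `scan`.

    `scan` maps BSSID -> observed RSSI (dBm). BSSIDs with no survey entry
    are ignored. Returns None when fewer than MIN_APS surveyed APs are
    visible, the low-density case where this approach breaks down.
    """
    seen = [(known_aps[b], rssi_to_distance(r))
            for b, r in scan.items() if b in known_aps]
    if len(seen) < MIN_APS:
        return None
    # Nearer APs (smaller estimated distance) get proportionally more pull.
    weights = [1.0 / (d * d) for _, d in seen]
    total = sum(weights)
    x = sum(w * pos[0] for (pos, _), w in zip(seen, weights)) / total
    y = sum(w * pos[1] for (pos, _), w in zip(seen, weights)) / total
    return (x, y)


if __name__ == "__main__":
    # Constructed scan: strong beacon from AP 01, weaker ones from the rest.
    scan = {
        "00:11:22:33:44:01": -55.0,
        "00:11:22:33:44:02": -75.0,
        "00:11:22:33:44:03": -75.0,
        "00:11:22:33:44:04": -85.0,
        "de:ad:be:ef:00:01": -50.0,  # unsurveyed AP, ignored
    }
    print("estimated position:", estimate_position(scan))
```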
- It's on ZUG, a comedy site, "the world's only comedy site", in fact.
- Most of the receipts given as examples are from restaurants, the employees of which don't see your signature until after you've left.
- The author quotes "ZUG reader Fronzel Neekburm".
- All a business really needs is your credit card number; the only time a signature comes into play is if you later dispute the charges with your credit card company.
- He's a really lousy tipper. Come on, $1.00 on a $7.90 tab? That's 12.7%. Maybe his servers were too busy grumbling about their tips to notice the goofy signatures.
It's definitely possible to get away with signing your charge card slip with a goofy signature, which is not at all surprising to anybody who has ever bought anything over the internet or by phone without signing anything at all.
By Chris on June 21, 2005 8:56 AM
cites a Yankee Group report that security software is increasingly insecure. The article points out that while much of this software was developed to protect users against flaws in Microsoft's code, for the first time this year the aggregate number of security holes in security software exceeds those found in Microsoft software.
This isn't happening because security software is getting worse; it's not. In general, all software is improving in security as vulnerabilities become more widely reported and more quickly exploited. The main reason that security software vendors like Symantec and McAfee are seeing an increase in holes relative to Microsoft is that while all software vendors are getting better at security, Microsoft is getting a lot better, and a lot faster. As Microsoft products improve, hackers move on to lower-hanging fruit.
Another reason is that security software is, of course, the first line of defense. If a hacker wants to attack machines inside a firewall, first he has to hack the firewall. Hacking security software also provides great bang for the buck: once you've hacked a user's anti-virus software, you have free run of his machine.
By Chris on June 20, 2005 10:46 AM
By Chris on June 17, 2005 3:05 PM
By Chris on June 16, 2005 9:52 AM
By Chris on June 15, 2005 3:45 PM
Today is the official release of Elektron Enterprise Edition (although if you visited yesterday, you may have noticed it was unofficially available then). Advantages include:
- ODBC support, to store user credentials in your SQL database
- LDAP support, to authenticate users against your directory server
- The ability to authenticate users against another RADIUS server, allowing you to add Wi-Fi support to your existing RADIUS solution
- RADIUS accounting
- Authorization policies
- Email and syslog notification of server events
You can download a thirty-day trial now (and this really is the first release, despite the fact that its version number is 1.1 — we're keeping version numbers of Elektron editions in sync).
By Chris on June 14, 2005 10:12 AM
A Russian outfit called IframeDollars is paying website operators to infect user machines with spyware. The miscreants supply willing webmasters with code that exploits known holes in Internet Explorer in order to drop nine separate pieces of malware on the machines of unsuspecting users. The business is paying 6.1 cents per machine infected. They claim to have paid out $11,890 already, which amounts to 195,000 compromised machines.
By Chris on June 13, 2005 11:08 AM
By Chris on June 13, 2005 10:55 AM
By Chris on June 10, 2005 10:10 AM
By Chris on June 10, 2005 9:55 AM
By Chris on June 10, 2005 9:43 AM
The big news here is not that they are adding encryption, but that they didn't have it before. Transaction Network Services provides service to "taxi and limousine companies, towing services, arts and crafts shows, and mobile concession and souvenir stands" so that these merchants lacking land line phone access can process credit cards. For years they have been transmitting consumers' credit card information wirelessly without any protection. Better late than never, I suppose.
By Chris on June 9, 2005 9:47 AM
Internet Explorer will run with reduced user privileges by default. I've mentioned this as a possible feature before, and it's nice to see it being implemented. Normally, when a program is launched by a user, the program has all the privileges of that user (install new programs, erase the hard drive, send spam). Since there's no reason for a web browser to need Administrator-level privileges, it makes perfect sense not to run it as Administrator. This simple change should save a lot of people a lot of security headaches (not that it will eliminate all of IE's security problems, but it will eliminate many of them and make others harder to exploit).
By Chris on June 8, 2005 10:28 AM
By Chris on June 7, 2005 10:51 AM
It's official, the rumors were true: Apple is switching to Intel processors. Yes, we will be supporting it. Elektron already runs on Windows — that takes care of our endian issues, and the GUI components are written using Cocoa, which require only "small tweaks". I'm guessing that the port will take less than an afternoon.
As a Mac user, I'm excited. As a Mac developer, I have mixed feelings. It's nice to know that there is a firm roadmap for future Macs, but now our testing matrix just got that much larger. Fortunately for us the bulk of our code is in a faceless daemon process that has easily automated testing. I don't envy developers that have a lot of manual testing for each release. This effectively doubles the amount of QA needed for such applications.
By Chris on June 6, 2005 11:14 AM
This is a significant piece of news for Bluetooth users. It leaves your Bluetooth handheld vulnerable to anyone within its range. As Bruce Schneier says in the article, "You can sit on the train and make phone calls on someone else’s phone." I guess I should finally be glad that my Treo 600 doesn't support Bluetooth.
By Chris on June 3, 2005 11:33 AM
By Chris on June 2, 2005 9:30 AM
It never fails — you ship a software release and immediately find a bug that needs fixing. Elektron 1.1.1 repairs a problem with session timeouts (full details in the release notes included with the download). Download it here.
By Chris on June 1, 2005 11:46 AM