Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

September 2005 Archives

Linksys Ships MIMO Access Point

The pre-802.11n product story is gaining steam: Linksys introduced the WRT54GX2, which is based on the same Airgo Networks chipset as Belkin's pre-802.11n models. The nice things about these access points is that they are backward compatible with 802.11b and 802.11g, and while you won't get the speed increase when using the new access points with these older clients, you will get an increase in range. All this, WPA security, and a street price under $100.

By Periodik Labs on September 30, 2005 12:10 PM | Permalink

Five Reasons for Palm's Slide

Michael Singer lists the five reasons he sees for Palm's descent and ultimate adoption of its rival's operating system. I'll add a sixth: it has always been a pain to develop software for Palm devices. The development tools have always been sketchy, and the runtime architecture is extremely limiting. Segmented code and limited RAM partitions practically required that applications be limited in scope. This was fine when the Palm Pilot was first introduced and its guiding principal was to have small applets that performed only one task. As competition increased among PDA makers and among Palm software vendors, applications grew and became unwieldy for developers to work with. Meanwhile, Microsoft made it simple to develop large, powerful Windows CE applications. Now here we are, with Windows Mobile (née Windows CE), finally replacing the Palm OS. As a longtime Palm user (a Treo 600 is my current device), I rue the change; as a Palm developer, I say "good riddance."

By Periodik Labs on September 28, 2005 10:10 AM | Permalink

Finding Hay in a Haystack

The London police arrested and held overnight a man who met their definition of a terrorist. Unfortunately, their definition of what constitutes a terrorist is pretty broad, and could include just about anybody taking public transportation. In this case, the man was "wearing a jacket 'too warm for the season'" while using a cell phone. I believe in relying on humans to catch suspicious behavior — the plot to detonate a bomb in LAX was foiled by an alert customs agent who felt the suspect looked "hinky." The problem comes when you define suspicious behavior so broadly that you can't find the real terrorists for all the innocent people caught up in your dragnet.

This kind of overload of suspicious behavior is a problem for computer security as well. Windows system administrators are familiar with Event Viewer, the centralized, catch-all logging tool for Windows servers. It contains thousands of entries at any given moment, some important, most not. While there is the ability to flag entries as critical, the most useful information is in the non-critical entries. For instance, a critical error could be a message saying the a user tried to log in with an invalid password. This indicates that the system is working correctly — the system should reject invalid logins. Real problems are caused when the system is working incorrectly. Information about this is frequently mired in the non-critical entries, if it is logged at all. One of the major features we are working on for the next major version of Elektron is better reporting and management of the deluge of information that can be generated so that system administrators can access the server data they need when they need it.

By Periodik Labs on September 27, 2005 7:24 PM | Permalink

Linus on Linux Development

Linus Torvalds talks about the patch system that comprises Linux kernel development. It's interesting to me the way that open source and closed source development processes are similar, despite protestations from both sides. Our own closed source development process for production code (that is, imminent releases rather than early pre-release code, which has a somewhat more relaxed approach) includes a patch system where each submission is thoroughly reviewed before being incorporated into the main code stream. What's more, it's a single person who is the final arbiter of whether a patch is release-worthy. Regardless of whether a project is open source or not, there are best practices to be followed. Hopefully — since that final code arbiter is me — the burnout that Linus talks about is still a few years away (of course, having having only two other contributors rather than two thousand helps).

via Slashdot

By Periodik Labs on September 26, 2005 10:30 AM | Permalink

Taking The Private Out Of Virtual Private Networking

Following up on Google Secure Access, it's worth noting the license agreement that comes with the Windows installer:

We have the right to monitor, intercept and disclose any transmissions over or using our facilities, and to provide user information, or use records, and other related information under certain circumstances (for example, in response to lawful process, orders, subpoenas, or warrants, or to protect our rights, users, or property).

Although unnerving on its surface, in point of fact any ISP can be forced to monitor your network traffic under court order — Google is no different. Still, I'm comforted to have a full private VPN here that encrypts my data end-to-end, not just halfway.

By Periodik Labs on September 23, 2005 10:29 AM | Permalink

Google Secure Access from Mac OS X

The new Google Secure Access claims to require software that is currently available only for Windows. However, they are using PPTP, which is available for a wide variety of platforms, including Mac OS X. Here's how to configure your Mac OS X machine to use Google Secure Access:

1) Launch Internet Connect (it's in the Applications folder, or available from your AirPort menu)

2) From the File menu, choose "New VPN Connection..."

3) Select PPTP, and click the Continue button

4) From the Configurations pop-up menu, choose "Edit Configurations"

5) Enter the following values:

Description: Google <or something else descriptive>
Server Address: 66.28.250.27
Account Name: <leave blank>
User Authentication: Password <leave it blank>
Encryption: Maximum (128 bit only)
Advanced: <leave Enable VPN on demand unchecked>

6) Click OK

7) Don't connect yet, instead, launch Safari (or whatever web browser you use), and go to https://vpn.google.com/getpass/

8) From that web site, you will end up with a line of data that looks like:

66.28.250.27 5417399273 n2QHcciMOuv5vvwiNTjZ

Three items: the first is the IP address of the VPN server, the next is your dynamic username, the third your password. Copy and paste the second value (5417399273) into the Internet Connect VPN Account Name field, and copy and paste the third value (n2QHcciMOuv5vvwiNTjZ) into the password field.

9) Click "Connect"

If you have problems, it may be because you are behind a firewall that is blocking outbound PPTP. That's the case here in our office &mdash connecting fails from our regular inside-the-firewall Wi-Fi network, but works from our outside-the-firewall guest Wi-Fi network.

Keep in mind that your data is encrypted only as far as the Google servers, so the wireless connection is secured (and that's probably the most vulnerable point), but beyond Google's servers, your data is out in the open. And of course, all of your data is traveling through Google, so you particularly have to trust Google to use this system.

By Periodik Labs on September 22, 2005 10:14 AM | Permalink

Eleven Months For Paris Hilton Hacker

The hacker who broke into T-Mobile's website and downloaded Paris Hilton's address book received a sentence of 11 months in juvenile detention. Good. Given the difficultly in tracking down and prosecuting hackers (and by "hackers" I mean the black hat theft and extortion types), harsh sentences will hopefully act as a deterrent. While the fact that it was Paris Hilton who was the star victim in this case makes it a little amusing, the prosecutors claim that the total amount of damage for all the crimes the juvenile is charged with is around $1 million.

By Periodik Labs on September 21, 2005 10:05 AM | Permalink

Google Secure Access

Google seems to now have a free VPN service. It's available for download when you connect from a Google Wi-Fi hotspot, which for me is the bigger news: that Google is now in the hotspot business.

via Wi-Fi New News

By Periodik Labs on September 20, 2005 9:59 AM | Permalink

Sniffing, Er, Hearing, Out Sensitive Data

As if you didn't have enough computer security issues to worry about, our neighbors down the street at Cal have come up with a way to figure out what you are writing by listening to the sounds of the keyboard as your type. Of course, assuming the government can read what's on your computer monitor — even through a wall — maybe it's not such a big deal.

By Periodik Labs on September 19, 2005 10:24 AM | Permalink

Television Shows Scramble Forensic Evidence

New Scientist says that because of CSI, juries' understanding of forensic science has been contaminated. It seems that a lot of people actually believe that if you find a hair at the scene of a crime, you can stick it in a computer and immediately get the perpetrator's name and current whereabouts, as well as a real time video of the crime occurring. It sounds funny, but I wouldn't want to be on the receiving end of a false conviction because a a jury gave too much weight to sketchy evidence. CSI isn't all bad, though: it may finally rid pop culture of Britney Spears.

By Periodik Labs on September 16, 2005 9:33 AM | Permalink

98,000 Stolen Identities Recovered

A laptop containing personal information on more than 98,000 Cal students that was stolen in March has been recovered after it was sold on eBay. I suppose consumers can find a small amount of comfort in this, knowing that the real target of one of the larger ID thefts was really the laptop containing the data, not the data itself. The thief likely didn't know what was on the laptop, and it was sold on eBay with all of the data intact. Cal dodged a bullet on this one, but as far as I know, the lost laptop of the Cal professor which contained military secrets is still at large.

By Periodik Labs on September 15, 2005 10:05 AM | Permalink

DTK Release Breaks Compatibility

According to ThinkSecret, the latest release of Mac OS X for Intel breaks compatibility with applications built on earlier builds. The speculation is that Apple is doing this to prevent piracy. I have a less sinister theory: the Application Binary Interface (ABI) changed between builds, causing the break. Normally, the ABI (which defines at the machine code level how executables are laid out and how they communicate with the OS) is fixed between builds going back for years since it is unacceptable to users to have a new version of the operating system break their existing applications. However, since the Developer Transition Kit is available only to developers, breaking the build is less important than evolving the ABI to make sure that it is solid and well architected on the day that Mactel machines ship to end users. After all, once it ships, Apple can't change it.

By Periodik Labs on September 14, 2005 10:58 AM | Permalink

When People Ask For Security Holes As Features

It would be funny if it weren't true: Raymond Chen describes some of the lengths that hardware vendors will go to avoid the warning Windows XP gives that their drivers may be untrustworthy. The comments tell even more nefarious ways of getting around the warning dialog, like having the installation program take over the mouse to click the dialog's OK button before the user has a chance to read it. My favorite is the developer who describes how his former employer's installer disabled the dialog without re-enabling it, allowing not only their own driver to be installed without warning, but every subsequent driver, regardless of its source.

By Periodik Labs on September 13, 2005 10:18 AM | Permalink

The Six Dumbest Ideas in Computer Security

Marcus Ranum describes what be believes to be the six dumbest ideas in computer security. Some make sense, others don't. For instance, his "Hacking is Cool" rule says that you shouldn't hire hackers, because that just encourages more hacking. Sure, hacking is a social problem, but that makes it a problem that IT can't fix. If you are a system administrator, you can't eliminate hackers — all you can do is protect your network against them. That's a technology problem, and that kind of problem can be solved by hiring people who understand hacking.

via Slashdot

By Periodik Labs on September 12, 2005 10:11 AM | Permalink

Political Wi-Fi

Dave Winer found political message in his list of available wireless networks. What's even more interesting to me is the number of networks that showed up: there's six in the list, and the scrollbar indicates more lurking offscreen. Still, not all of Berkeley is quite so political (or technically savvy): from my desk here, I only see three other networks, two of which are still set to the default SSID factory configured on the access point.

By Periodik Labs on September 9, 2005 9:56 AM | Permalink

Writing Secure Web Browsers Is Hard, Part XVIII

There's a new exploit in Firefox that allows arbitrary code execution by simply having a user click on a URL in a web page. Fortunately, it's an easy fix and there should be a patch available very shortly.It's yet another browser bug, but what really caught my eye was the cryptic sentence:

However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.

I'm curious as to what exactly happened. A lot of developers are very sensitive about their code, and get angry when you point out its flaws (which it invariably has, but that's another story). Personally, I get embarrassed about my own bugs, and when a user reports one, I'm apologetic to the point of obsequiousness.

By Periodik Labs on September 9, 2005 9:49 AM | Permalink

iTunes Phone Not Quite Worldly

It's time for me to get a new phone, and the new ROKR E1 iTunes phone looks nice: it's small, has Bluetooth, plays music, and works with Cingular, the only provider to have decent coverage at my house. The only thing that disappoints me is that it is tri-band, not quad-band, GSM (it's 900 MHz that's missing). This means that there a number of GSM countries in which it won't work. I don't know the reason for the omission — it's not as though Motorola can't make a small quad-band phone. After all, the sexy V3 RAZR is quad-band. Fortunately, I'm not traveling to any 900 MHz GSM countries anytime soon, so I don't have to let that be a deciding factor.

By Periodik Labs on September 8, 2005 9:48 AM | Permalink

Katrina Increases Push for Public Radio Spectrum

One possible good to come out of Hurricane Katrina is that more radio spectrum might be opened up for use by emergency services. You may remember back when digital television was first appearing, the government agreed to give broadcasters new spectrum for free for use with digital television signals. Broadcasters would would transmit new digital services over the free spectrum, while continuing to transmit analog services over their existing spectrum. Once the transition to digital was complete, broadcasters would return the analog spectrum to the government. Now, that time is almost here.

In the wake of 9/11 and Hurricane Katrina, legislators are pushing for that spectrum to be used for public safety purposes. The current proposals calls for the spectrum to be divided into two pieces: one set aside for emergency workers, and another to be auctioned off to private interests. The auction is worth billions, so there is a temptation to sell off the whole spectrum. Fortunately, some we do have some public officials who can see past the short term and understand that retaining some of the spectrum for public use has an incalculable value.

via FierceWiFi

By Periodik Labs on September 7, 2005 1:14 PM | Permalink

Verizon Website Flaw

Simply by knowing the phone number of a Verizon Wireless subscriber, you could view their monthly usage, general location, and make and model of their phone. Fortunately, it is highly unlikely that this information could be of use to identity thieves, but the man who discovered the flaw says that it could be used to clone users' phones. As a result of the report of the flaw, Verizon has begun a detailed review of their website security. That's good, but it should have been done before the website was deployed.

By Periodik Labs on September 6, 2005 9:00 AM | Permalink

Labor Day

It's a holiday here in the US, see you on Tuesday...

By Periodik Labs on September 5, 2005 10:11 AM | Permalink

San Francisco Wi-Fi Summit

On Wednesday, San Francisco officials held a summit of government and industry leaders to discuss the plan to blanket the city with Wi-Fi. The article calls their plan "ambitious", and that's the right word for it: it calls for a network that can be accessed from a moving vehicle, can penetrate buildings, and will cost less than commercial networks. The city is 47 square miles, much of it dense, urban neighborhoods. It's a gigantic undertaking, and I'm hoping they succeed — and thus convince my town across the bay to follow suit.

By Periodik Labs on September 2, 2005 7:21 PM | Permalink

ChoicePoint Cashes In On Its Own Failures

As you'll recall, ChoicePoint sold the personal information of 150,000 people to criminals. Now they've figured out how to make some more money off their mistake: offer to sell reports to those people affected by the security breach so that they can see if their identity has been compromised. Now that's chutzpah.

By Periodik Labs on September 1, 2005 9:21 AM | Permalink

« August 2005 | Main Index | Archives | October 2005 »