October 2005 Archives
After receiving thousands of comments (98% of which were opposed to the idea), the US government has given privacy a hearty Bronx cheer and decreed that US passports will have RFID chips embedded. No longer does an identity thief need to open your mail or break into your bank; now he just needs to walk near you with a scanner. Thanks, Condoleezza.
By Chris on October 28, 2005 1:42 PM
SSL version 2, which suffers from known security flaws, will soon be dead. Microsoft will disable SSLv2 by default in Internet Explorer 7, which effectively means that web sites that still require SSLv2 will no longer be able to do so. It's about time.
By Chris on October 26, 2005 10:18 AM
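The post above leaves a server administrator with one practical question: does my site still accept SSLv2 at all? The following script is an added example (not from the original post) that sends a minimal SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, if any, using the message layouts from the SSLv2 draft specification; the host name and port are assumed to be a server you administer.

```python
import socket
import struct

# SSLv2 cipher-kind identifiers (3 bytes each) from the SSLv2 draft spec.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """Build a minimal SSLv2 CLIENT-HELLO that offers every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)            # dict iteration yields the keys
    body = (b"\x01"                              # msg type 1 = CLIENT-HELLO
            + b"\x00\x02"                        # client version: SSL 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)               # no session id, fixed challenge
    # Two-byte record header; high bit set means no padding byte follows.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(record: bytes):
    """Return the cipher kinds offered in a SERVER-HELLO, or None if this is not SSLv2."""
    if len(record) < 13 or not record[0] & 0x80:  # a TLS record starts with 0x16
        return None
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:        # msg type 4 = SERVER-HELLO
        return None
    # session_id_hit(1) cert_type(1) version(2) cert_len(2) spec_len(2) conn_id_len(2)
    _hit, _ctype, version, cert_len, spec_len, _cid_len = struct.unpack(">BBHHHH", body[1:11])
    if version != 0x0002:
        return None
    specs = body[11 + cert_len: 11 + cert_len + spec_len]   # cipher specs follow the certificate
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]

def server_accepts_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Probe one server you administer; returns its SSLv2 cipher list or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        return parse_sslv2_server_hello(sock.recv(4096))
```

A modern server answers the SSLv2 hello with a TLS alert or by closing the connection, so `None` is the healthy result; a returned cipher list means the site still negotiates SSLv2 and will break in IE7's default configuration.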
The Chief Security Officer at Cisco says that the company's users have a "hygiene" problem. What he means is that not enough Cisco network administrators keep up to date on their software security patches. As the SANS editors point out, the problem is not that administrators don't want the latest version of IOS, it's just that installing a new version of IOS is such a pain in the neck that they are loath to do it. A single IOS vulnerability can mean weeks of upgrading for any large Cisco shop. The last time I upgraded IOS on a single Cisco access point it took over an hour. Granted, some of that time was spent re-reading the instructions (I don't do this very often, and keeping hardware up to date is not really part of my job description), but multiply even a fraction of that times several thousand access points, routers, switches, et al., and you get an idea of the scale of the problem.
By Chris on October 25, 2005 5:58 PM
"The professionalism of these rootkits is coming to another level," said Allen Schimel, chief strategy officer at StillSecure. He's talking about the latest wave of malware, which seems to be of a much higher quality. Rootkit authors have created generic tools to bypass detection software. All a script kiddie needs to do is to get one of these kits, wrap their own nefarious payload in it, and set it loose on the net to create their own spambots, DDoS zombies, or simply wreak havoc on users' hard drives. It's days like these that make me glad I'm primarily a Mac user (not that Macs are invulnerable, of course, though they do have a lot fewer incidents).
By Chris on October 21, 2005 10:06 AM
By Chris on October 19, 2005 9:34 AM
Microsoft has created a new piece of software called VirtualWiFi that allows a single Wi-Fi card to be connected to multiple networks simultaneously. I haven't downloaded the source, but reading the site suggests that it is implemented something like preemptive multitasking. That is, connections are made to multiple access points and the software rotates through them, sending and receiving data as necessary. The software deals with each access point individually, but by rotating through all access points quickly, it gives the appearance of simultaneity.
By Chris on October 18, 2005 12:25 PM
By Chris on October 13, 2005 10:10 AM
The Department of Homeland Security has started a program, "Build Security In", with best-practices security guidance for software developers. It's new, so a lot of the advice is pretty well known already ("strcpy() considered harmful"), but it shows a lot of promise. I've bookmarked the site.
By Chris on October 12, 2005 10:52 AM
An investigation by the European Commission will try to determine if Microsoft's new anti-virus and anti-spyware products violate anti-trust statutes. I have mixed feelings: on the one hand, as an ISV, I understand the concern about Microsoft stepping on the toes of other ISVs. On the other hand, many of the businesses complaining have made billions on the security holes present in Windows. If these holes are closed, that's not a bad thing for consumers. I suspect that Microsoft is reluctantly entering the desktop security space — they've wanted to stay out of it, close the holes at the OS level and leave the rest to Symantec and its ilk, but the situation just got too bad, the complaints too overwhelming. Windows is now synonymous with insecurity, and the only company that can rectify that is Microsoft.
By Chris on October 11, 2005 10:06 AM
By Chris on October 10, 2005 9:48 AM
By Chris on October 6, 2005 11:08 AM
has always been illegal, but now you can sue for civil damages in California
. Not that it will do much good: if the threat of going to prison didn't dissuade phishers, the threat of getting sued won't either. Plus, while you might win your lawsuit here in California, just try collecting your damages from the Romanian teenager you defeated in court.
By Chris on October 5, 2005 9:51 AM
Judge Richard Kramer of the San Francisco Superior Court doesn't think that people who have had their identity stolen need to know about it: "I don't see the emergency," he said. It seems that Judge Kramer has never had his identity stolen. The ruling stating that Visa is not responsible for notifying cardholders is based on a technicality. Because consumers are not direct customers of Visa — they are customers of the bank that issued the card — it's the bank's responsibility to tell them that their identity has been compromised.
Fortunately for consumers, the CardSystems case involves the theft of credit card numbers, not additional identity information such as social security numbers, meaning any damage caused is likely to be easily reversible. As the article points out, the real losers are the merchants who unwittingly accept the stolen credit cards. They will be left on the hook for the cost of the goods sold. That's the way it works with the credit card companies: they claim to protect you from liability from fraudulent charges, but the cost is really borne by merchants.
By Chris on October 4, 2005 10:19 AM