Thursday, March 04, 2010
Audiobook DRM versus library patrons
You want me to press, what?!
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.
Even if you aren't using Internet Explorer, it's likely that many of your users will be.
Wednesday, February 10, 2010
Security warning about BlogTO
I haven't linked to BlogTO in quite a while, but I do access the site fairly often. I haven't seen any security warnings from Google, Firefox, or my Microsoft Security Essentials software, so I doubt I've been hit with anything, but I keep my patches up to date and don't use Internet Explorer.
If you've visited BlogTO recently, make sure your security software and OS patches are up to date, and scan your machine just to be safe.
Labels: security
Thursday, January 28, 2010
Your future at the airport
Thursday, December 17, 2009
Problem with Office DRM
Labels: Another thing to worry about, Microsoft, security
Monday, November 30, 2009
How to fix your relative's computer
LifeHacker has a good guide for this situation, with a list of common problems you might face and useful tools you can use to resolve them.
Tuesday, November 24, 2009
Protecting yourself from malware
Saturday, October 03, 2009
Our government lies to us, again
Van Loan argues that the changes are long overdue, pointing to a kidnapping case in Vancouver earlier this year as evidence of the need for legislative change. In several interviews, he has described witnessing an emergency situation in which Vancouver police waited 36 hours to get the information they needed in order to obtain a warrant for customer name and address information.
While that makes for a powerful example, a more detailed investigation into the specifics of the case reveals that Van Loan's rendition leaves out some important details. Over the summer, I launched Access to Information requests with the Ministry of Public Safety, the RCMP, and the Vancouver Police Department, seeking further information on the kidnapping case.
Both Public Safety and the RCMP responded that they had no additional information to provide other than the transcripts of the minister's interviews. The Vancouver Police identified the case as a February kidnapping (not March as suggested by Van Loan). The suspect was ultimately arrested and the case is currently before the courts, therefore limiting the department's ability to provide much detailed information.
However, in an admission that goes to the heart of Van Loan's claims, a legal adviser disclosed that no ISP records were sought during the investigation. In other words, the case the minister of public safety has presented as evidence of the need for mandatory disclosure of ISP customer records never involved a request for such records and yielded an arrest using the current law.
Labels: intellectual property, politics, security
Tuesday, September 29, 2009
TSA could have a new acronym soon
Uh-oh. Now that a terrorist has tried unsuccessfully to blow up a Saudi prince with a bomb shoved up his ass, the TSA is obliged to perform rectal exams on every flier for the rest of time. After all, once a jihadi failed to blow up a plane with his shoe, we all needed to start taking our shoes off. Then some knuckleheads believed they could blow up a plane with energy beverages and hair gel, so now we have to limit ourselves to 100ml of all liquids and gels, unless they're for babies or are prescription (because no mass-murderer would be so evil as to forge a doctor's note, which, as every junkie knows, cannot possibly be forged).
Now we found someone who was made to believe he could kill people with an asshole bomb, and so it follows that the TSA will have to ban -- or at least inspect -- our assholes. They're like opinions, you know, everybody's got one. Except, of course, most of us got to keep our assholes to ourselves. Not anymore.
And you thought having to take your shoes off at airport security was bad. Just wait.
Labels: Another thing to worry about, security
Friday, September 11, 2009
Time to update OpenOffice.org 3.1
(1) HIGH: OpenOffice.org Word Document parsing Multiple Vulnerabilities
Affected:
OpenOffice.org 3.1
Description: OpenOffice.org is an open-source office software suite for Windows, Mac OS X, Linux, Solaris, and other operating systems. Multiple vulnerabilities have been identified in OpenOffice.org which can be triggered by opening a specially crafted Microsoft Word document with vulnerable installations of OpenOffice.org. The first issue is an integer underflow error in OpenOffice.org while parsing certain records in the Word document table. The second issue is a boundary error while parsing certain records which can lead to a heap overflow. Successful exploitation in both cases might allow an attacker to execute arbitrary code. Note that, depending upon configuration, documents may be opened by the vulnerable application upon receipt, without first prompting the user. Full technical details for this vulnerability are available via source code analysis.
Status: Vendor confirmed, updates available.
References:
Secunia Research Security Advisories
http://secunia.com/secunia_research/2009-26/
http://secunia.com/secunia_research/2009-27/
Vendor Home Page
http://www.openoffice.org/
SecurityFocus BID
http://www.securityfocus.com/bid/36200
Monday, August 10, 2009
The outing of Pranknet
Coalescing in an online chat room, members of the group, known as Pranknet, use the telephone to carry out cruel and outrageous hoaxes, which they broadcast live around-the-clock on the Internet. Masquerading as hotel employees, emergency service workers, and representatives of fire alarm companies, "Dex" and his cohorts have successfully prodded unwitting victims to destroy hotel rooms and lobbies, set off sprinkler systems, activate fire alarms, and damage assorted fast food restaurants.
But while Pranknet's hoaxes have caused millions of dollars in damages, it is the group's efforts to degrade and frighten targets that makes it even more odious. For example, a bizarre July 20 prank ended with a hotel worker actually sipping from a urine sample provided by a guest at a Homewood Suites in Kentucky. Additionally, at least twice this year, fast food workers--fearing that they would suffer burns after being doused by chemicals from a fire suppression system--stripped off their clothes on the sidewalk outside their respective restaurants.
"Dex", who took his nickname from the lead character in "Dexter," the Showtime series about a serial killer who murders serial killers, is bitingly contemptuous of law enforcement and its ability to stop Pranknet or locate its members. When a victim warns him that they are contacting police, he laughs derisively and offers to provide cops with a crayon to trace his number. He and his followers place their prank calls via Skype, confident that the Internet phone service sufficiently cloaks their identities and whereabouts.
I wouldn't be surprised to see this start another round of calls for crackdowns on the Internet and lawmakers trying to ban Internet anonymity.
Labels: Internet, security, society
Friday, August 07, 2009
Why you don't want an RFID VISA card
Why? Read this article.
Although corporate- and government-issued ID cards embedded with RFID chips don’t reveal a card holder’s name or company — the chip stores only a site number and unique ID number tied to a company or agency’s database where the card holder’s details are stored — it’s not impossible to deduce the company or agency from the site number. It’s possible the researchers might also have been able to identify a Fed through the photo snapped with the captured card data or through information stored on other RFID-embedded documents in his wallet. For example, badges issued to attendees at the Black Hat conference that preceded DefCon in Las Vegas were embedded with RFID chips that contained the attendee’s name and affiliation. Many of the same people attended both conferences, and some still had their Black Hat cards with them at DefCon.
But an attacker wouldn’t need the name of a card holder to cause harm. In the case of employee access cards, a chip that contained only the employee’s card number could still be cloned to allow someone to impersonate the employee and gain access to his company or government office without knowing the employee’s name.
And after you've read it, think about this. U.S. passports now carry RFID chips, but there are two kinds. The chip in the passport book is a short-range contactless chip (ISO 14443) that sits behind a shielded cover and won't hand over its data until the reader has proved it can see the printed machine-readable zone, so reading it from across a room is hard. The wallet-sized U.S. Passport Card is a different story: it uses a long-range UHF tag that can be read from as much as 30 feet away and simply reports a fixed number tied to a DHS database, which is exactly the kind of static identifier the article warns about, and the only protection it ships with is a shielding sleeve. Consider this scenario. You are in a foreign country not known for being friendly to the United States, walking by a trash can. Inside the trash can there is an RFID reader, connected to a bomb. You are carrying your passport card in your pocket, out of its sleeve. Boom.
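To make the article's cloning point concrete, here is an added example (mine, not code from Wired or the researchers it quotes). It models the two badge designs the article contrasts: a static badge that answers every reader with the same site and card number, so one sniffed read is enough to build a working clone, and a challenge-response badge that proves possession of a per-card key over a fresh reader challenge, so a sniffed read is useless. Site number, card numbers and keys are all constructed.

```python
"""Added example (not code from the Wired article).

A static badge answers every reader with the same (site, card) pair, so one
captured read lets an attacker clone it.  A challenge-response badge answers
with an HMAC over a fresh challenge using a key that never leaves the card.
Site number, card numbers and keys are constructed for the example.
"""
import hashlib
import hmac
import secrets

SITE = 42                                       # constructed facility code
CARD_KEYS = {1234: b"per-card-secret-1234"}     # enrolled card -> its key


class StaticCard:
    """Answers with the same identifier regardless of the challenge."""
    def __init__(self, site: int, number: int):
        self.site, self.number = site, number

    def respond(self, challenge: bytes) -> tuple:
        return (self.site, self.number)


class ChallengeResponseCard:
    """Answers with a MAC over the reader's challenge; the key stays on-card."""
    def __init__(self, site: int, number: int, key: bytes):
        self.site, self.number, self._key = site, number, key

    def respond(self, challenge: bytes) -> tuple:
        tag = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return (self.site, self.number, tag)


class ClonedCard:
    """What an attacker builds from one sniffed read: it replays that answer."""
    def __init__(self, captured_response: tuple):
        self._captured = captured_response

    def respond(self, challenge: bytes) -> tuple:
        return self._captured


def sniff(card, challenge: bytes = b"") -> tuple:
    """The hostile reader in the backpack: one query, one captured answer."""
    return card.respond(challenge)


class StaticReader:
    """Door controller that trusts a (site, card number) pair."""
    def __init__(self, site: int, enrolled: set):
        self.site, self.enrolled = site, enrolled

    def admit(self, card) -> bool:
        site, number = card.respond(b"")[:2]
        return site == self.site and number in self.enrolled


class ChallengeResponseReader:
    """Door controller that issues a fresh random challenge on every tap."""
    def __init__(self, site: int, keys: dict):
        self.site, self.keys = site, keys

    def admit(self, card) -> bool:
        challenge = secrets.token_bytes(16)
        resp = card.respond(challenge)
        if len(resp) != 3:
            return False
        site, number, tag = resp
        if site != self.site or number not in self.keys:
            return False
        expected = hmac.new(self.keys[number], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def clone_succeeds(reader, card) -> bool:
    """Capture one read of `card`, build a clone, and present it to `reader`."""
    return reader.admit(ClonedCard(sniff(card, secrets.token_bytes(16))))


if __name__ == "__main__":
    static = StaticCard(SITE, 1234)
    cr = ChallengeResponseCard(SITE, 1234, CARD_KEYS[1234])
    print("static badge, clone admitted:",
          clone_succeeds(StaticReader(SITE, {1234}), static))
    print("challenge-response badge, clone admitted:",
          clone_succeeds(ChallengeResponseReader(SITE, CARD_KEYS), cr))
```

Challenge-response stops the passive capture-and-clone attack, but it does not protect against an attacker who relays the reader's live challenge to the real card in someone's pocket; it also means the door controllers (or a back-end they talk to) must hold a key per card, which is the deployment cost that keeps static badges in use.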
Labels: security
Sunday, May 31, 2009
Dangerous Microsoft DirectX vulnerability
Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.
The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.
Wednesday, May 20, 2009
Adobe announces security plan
Chief among the changes is a beefed up program to eradicate security bugs from its enormous base of existing code. While Adobe has had a secure product lifecycle in place since 2005, the program has largely emphasized ways to make sure products under development incorporate safe coding practices, Brad Arkin, Adobe's director of product security and privacy, told The Reg.
"What we're doing differently here is shifting our focus for this effort onto the legacy code and looking at it in the light of where would an attacker start first, rather than what is the code that we're working on right now from a developer perspective," he said.
The expansion puts engineers from Adobe's Reader development team side by side with members of the ASSET, or Adobe Secure Software Engineering Team, to identify Reader vulnerabilities that are most likely to be exploited. They use software fuzzers to throw malformed data at the oft-abused applications. They then pore over the results and combine them with threat modeling (and Microsoft's !exploitable Crash Analyzer) to prioritize code that should be rewritten.
Sunday, April 05, 2009
Watch out for PowerPoint exploit
Attackers are using rigged PowerPoint files to exploit an unpatched vulnerability in Microsoft’s presentation software, according to a warning late Thursday from the software maker.
In a pre-patch advisory, Microsoft described the attacks as “limited and targeted,” the kind of language that suggests it is being used to steal data from corporate or government networks. The malware associated with the attack is a Trojan dropper embedded within an exploit in .ppt or .pps data files.
According to the advisory, the vulnerability allows remote code execution if a user opens a booby-trapped PowerPoint file.
The newest Microsoft Office PowerPoint 2007 and Microsoft Office for Mac 2008 are not affected.
Saturday, April 04, 2009
Prio - a really useful Windows utility
- Display whether a running process is digitally signed or not
- Display for a process, in a tooltip, the version number, copyright information, and path and file name
- Assign CPU affinity and priority to a process, and remember the settings between sessions
- Add a Services tab to the Task Manager
- Add a TCP/IP tab to the Task Manager to display open TCP/IP connections
It's an extremely useful utility. I've only been using it for a couple of days and it's saved me quite a bit of time and let me clean up a lot of crud that's running on my system.
For example, I scanned through the list of running processes and found one I didn't recognize - mDNSresponder.exe. The tooltip tells me the path is C:\Program Files\Bonjour and the copyright is Apple Inc. Well, I use iTunes to download podcasts, and my daughter uses it for her iPod, but I never heard of this one. Googling it tells me that it's used to provide networking services to iTunes. It can go. Killing the process won't stop it from loading again when I restart. However, Prio provides a nifty way around that. All I need to do is right-click on the process and choose Go to Service. It pops me into the Services tab with the service selected. Right-click and choose Start-up Mode > Disabled, right-click again and choose Stop, and it's gone for good. All in less time than it took me to type this.
Prio is very small - 486 KB - yes, that's KB, not MB. Oh yeah, one more thing - it's free for personal use.
I should mention that I found out about this from Steve Gibson's Security Now! podcast, and he likes it too. If you're not listening to Security Now or reading the transcripts that Steve posts on his website, you're missing a lot of very useful and important information.
Thursday, April 02, 2009
Conficker eye chart
Tuesday, February 24, 2009
New security flaw in Acrobat
The flaw affects version 9 of Reader and Acrobat as well as earlier versions, according to Adobe's advisory. A buffer overflow condition can be triggered by opening a specially-crafted PDF, which gives the attackers control of the computer. Shadowserver wrote that the flaw could be exploited on systems running Microsoft's Windows XP SP3.
Adobe called the flaw "critical," its most severe rating, and said it will release a patch for Reader 9 and Acrobat 9 by March 11. The company said patches for version 8 of Reader and Acrobat will follow, then finally for version 7 of Reader and Acrobat.
Update: This Slashdot post links to a couple of ways of defanging the flaw: one a homebrew patch and the other a registry key change.
Friday, January 09, 2009
DropMyRights
You can download the file from the link on this page.
There's a good explanation of why you want to use this on Steve Gibson's Security Now podcast #176.
Sunday, December 14, 2008
Another IE zero-day attack-take heed!
The attack surface for password-stealing Trojans currently targeting an unpatched flaw in Microsoft’s Internet Explorer has expanded to include all versions of the browser, including the newest IE 8 Beta 2.
Microsoft released an updated advisory to warn that the underlying flaw affects much more than IE 7 and to spread the word about additional workarounds that can help limit the damage from actual attacks.
Microsoft’s latest advisory also includes technical instructions on how to use ACL to disable OLEDB32.DLL, how to Unregister OLEDB32.DLL and how to Disable Data Binding support in Internet Explorer 8.
IE users should bear in mind that there’s a growing list of exploitive sites taking aim at this vulnerability and now that the exploit code is publicly available, the threat will certainly grow in the coming days and weeks.
Until Microsoft can issue a patch — out-of-cycle or otherwise — you should consider using an alternative browser like Mozilla Firefox or Opera. If you must use Internet Explorer, be sure to securely configure the browser with the mitigations described above.
Sunday, August 24, 2008
Anatomy of a malware scam
Anatomy of a malware scam is a long article in The Register in which the author follows through what might happen to the unwary user who clicks on such a link. It's not pretty. I'd strongly recommend reading this article, and showing it to your family, especially your children, and anyone else you know. The level of social engineering in this type of scam is really quite remarkable, and it's not hard to see how a naive or careless user could be snared. The article does note that some anti-virus software may protect you, but not all.
This type of malware is very, very disturbing. One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.
This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs.
No website should ever offer you to download an anti-malware package as soon as you visit the site. Any site that purports to do so is either run by criminal gangs or by an organization whose business practices are so deceptive that you should never consider doing business with it. A reputable site will present you with product information and then leave the downloading decision up to you, not force it upon you. No software that pushes the purchase decision so heavily in your face is likely to be legitimate.
Labels: security
Wednesday, August 13, 2008
Another malware warning
From Jerry Pournelle's View from Chaos Manor:
This spam/malware campaign is very prolific. I am seeing dozens per minute at the office mail system.
The anti-virus guys aren't fully cleaning - or even detecting - this one. One indication of infection is a strangely-named (random letters) folder in your "Program Files" folder, along with some entries in your registry that help keep your computer infected.
One good place to go to help clean up your computer is here: http://www.bleepingcomputer.com/tutorials/tutorial42.html . Follow the instructions carefully to get their expert help in spyware/virus removal. I've had good experiences with their help.
Using Thunderbird instead of Outlook and Firefox instead of Internet Explorer will help to reduce the chances of getting infected by malware, as you'll at least be able to see the real URL in the email and Firefox won't run ActiveX controls, but it still pays to be careful.
Labels: Another thing to worry about, security
Wednesday, August 06, 2008
Beware of fake Flash downloads
I have to wonder how long it'll be before we see similar attacks on their AIR platform.
Labels: security
Tuesday, July 22, 2008
Worm transcodes MP3s to infect PCs
Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.
If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page that asks the user to download a codec, a well-known trick to get someone to download malware.
The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.
The malware has wormlike qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft's Windows Media Audio format, wraps them in an ASF container, and adds links to further copies of the malware, in the guise of a codec, according to another security analyst, Secure Computing.
The ".mp3" extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.
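The last two paragraphs describe exactly the check a practitioner would want: does a file called .mp3 actually start like an ASF container, and does that container carry a link? Here is an added example (my code, not from the article, Kaspersky or Secure Computing) that does both. The object layout it uses follows the public ASF specification as I read it for this example, and the sample file is constructed in the code rather than taken from a real infection; the hostname in it is a placeholder.

```python
"""Added example, not code from the article or the vendors it quotes.

Flags a file that is named .mp3 but is really an ASF container, and pulls any
URL out of an ASF Script Command Object, the place a "download this codec"
link would live.  Object layout follows the public ASF specification as read
for this example; the sample file is constructed below, not a real infection.
"""
import struct
import uuid

# Object GUIDs from the ASF specification (stored little-endian on disk).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")


def is_asf(data: bytes) -> bool:
    """True if the file starts with the ASF Header Object GUID."""
    return len(data) >= 16 and uuid.UUID(bytes_le=data[:16]) == ASF_HEADER_OBJECT


def _wstr(buf: bytes, off: int):
    """Read a WORD length (in WCHARs) followed by a UTF-16LE string."""
    (n,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 2 * n
    return buf[off + 2:end].decode("utf-16-le", "replace"), end


def _parse_script_command_body(body: bytes) -> list:
    """Body: reserved GUID(16), commands count(2), types count(2),
    types[] as wstr, then commands[] as time(4), type index(2), wstr."""
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    p, types, out = 20, [], []
    for _ in range(n_types):
        t, p = _wstr(body, p)
        types.append(t)
    for _ in range(n_cmds):
        _time, tidx = struct.unpack_from("<IH", body, p)
        name, p = _wstr(body, p + 6)
        out.append((types[tidx] if tidx < len(types) else "?", name))
    return out


def script_commands(data: bytes) -> list:
    """Return (command type, command name) pairs from every Script Command
    Object in the header.  Header Object: GUID(16) size(8) count(4)
    reserved(2); then `count` sub-objects, each GUID(16) size(8) body."""
    if not is_asf(data) or len(data) < 30:
        return []
    _size, count = struct.unpack_from("<QI", data, 16)
    off, found = 30, []
    for _ in range(count):
        if off + 24 > len(data):
            break                                   # truncated header
        gid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > len(data):
            break                                   # bogus size: stop rather than loop
        if gid == SCRIPT_COMMAND_OBJECT:
            try:
                found.extend(_parse_script_command_body(data[off + 24:off + size]))
            except struct.error:
                break                               # truncated command table
        off += size
    return found


def scan(filename: str, data: bytes) -> dict:
    """Classify one file: audio by name, ASF by content, and any URLs inside."""
    result = {"name": filename, "asf_in_mp3": False, "urls": []}
    if filename.lower().endswith(".mp3") and is_asf(data):
        result["asf_in_mp3"] = True
    for ctype, name in script_commands(data):
        if ctype.upper() in ("URL", "URLANDEXIT") or name.lower().startswith("http"):
            result["urls"].append(name)
    return result


def build_sample(url: str) -> bytes:
    """Constructed ASF header containing one URLANDEXIT script command."""
    def wstr(s: str) -> bytes:
        b = s.encode("utf-16-le")
        return struct.pack("<H", len(b) // 2) + b
    body = (bytes(16)                                 # reserved GUID, zeroed here
            + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
            + struct.pack("<IH", 0, 0) + wstr(url))
    sco = SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(sco), 1, 1, 2) + sco


if __name__ == "__main__":
    evil = build_sample("http://example.invalid/codec.exe")   # placeholder host
    print(scan("song.mp3", evil))
    print(scan("song.mp3", b"ID3\x03\x00" + bytes(32)))      # a genuine MP3 with an ID3 tag
```

Run it over a music folder with `scan(name, open(path, "rb").read())` and anything that comes back with `asf_in_mp3` set is worth a closer look; a genuine MP3 starts with an ID3 tag or a frame sync, never with a GUID.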
Labels: Another thing to worry about, security
Thursday, July 10, 2008
Man-in-the-middle attacks work on guerillas too
This is the way MITM attacks work against web-based financial systems. A bank demands authentication from the user: a password, a one-time code from a token or whatever. The attacker sitting in the middle receives the request from the bank and passes it to the user. The user responds to the attacker, who passes that response to the bank. Now the bank assumes it is talking to the legitimate user, and the attacker is free to send transactions directly to the bank. This kind of attack completely bypasses any two-factor authentication mechanisms, and is becoming a more popular identity theft tactic.
However, they have other applications. It turns out that the recent Colombian military operation to free hostages held by the FARC guerilla group succeeded because the Colombian security forces used a man-in-the-middle attack to exploit problems in the guerilla's organizational structure.
The plan had a chance of working because, for months, in an operation one army officer likened to a "broken telephone," military intelligence had been able to convince Ms. Betancourt's captor, Gerardo Aguilar, a guerrilla known as "Cesar," that he was communicating with his top bosses in the guerrillas' seven-man secretariat. Army intelligence convinced top guerrilla leaders that they were talking to Cesar. In reality, both were talking to army intelligence.
This ploy worked because Cesar and his guerrilla bosses didn't know each other well. They didn't recognize each others' voices, and didn't have a friendship or shared history that could have tipped them off about the ruse. Man-in-the-middle is defeated by context, and the FARC guerillas didn't have any.
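Here is an added example (mine, not code from Schneier's post or the paper it quotes) that runs the banking exchange described above with both sides' messages. The attacker relays the bank's login challenge to the victim and the victim's one-time code back to the bank, then submits its own transfer over the now-authenticated session. A code that proves only "I hold the token" is relayed just fine; a code that also commits to the destination and amount the user confirmed on the token's own display, which is the "context" Schneier says defeats man-in-the-middle, is rejected when the attacker substitutes its own transaction. Keys, account names and amounts are constructed.

```python
"""Added example (not code from Schneier's post or the paper it quotes).

Simulates the web-banking man-in-the-middle: the attacker relays the bank's
challenge and the user's one-time code unchanged, then submits its own
transfer.  Scheme 1 (plain OTP) is defeated; scheme 2 (OTP bound to the
transaction the user confirmed on the token) is not.  Everything is constructed.
"""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Token:
    """The user's OTP device; shares `key` with the bank."""
    def __init__(self, key: bytes):
        self._key = key

    def otp(self, nonce: bytes) -> bytes:
        return _mac(self._key, nonce)

    def bound_otp(self, nonce: bytes, dst: str, amount: int) -> bytes:
        # dst/amount are what the user reads and confirms on the device's own
        # display, not what the (possibly attacker-served) web page shows.
        return _mac(self._key, nonce, dst.encode(), str(amount).encode())


class Bank:
    def __init__(self, token_key: bytes):
        self._key = token_key
        self._nonce = None
        self.ledger = {"alice": 1000, "bob": 0, "attacker": 0}

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def _spend(self, dst: str, amount: int) -> bool:
        if dst not in self.ledger or amount <= 0 or self.ledger["alice"] < amount:
            return False
        self.ledger["alice"] -= amount
        self.ledger[dst] += amount
        return True

    def _consume(self, code: bytes, expected: bytes) -> bool:
        ok = self._nonce is not None and hmac.compare_digest(code, expected)
        self._nonce = None                  # one-time, whether or not it verified
        return ok

    def transfer_with_otp(self, code: bytes, dst: str, amount: int) -> bool:
        """Scheme 1: the OTP authenticates the session, not the transaction."""
        if self._nonce is None:
            return False
        if not self._consume(code, _mac(self._key, self._nonce)):
            return False
        return self._spend(dst, amount)

    def transfer_with_bound_otp(self, code: bytes, dst: str, amount: int) -> bool:
        """Scheme 2: the code must match the transaction actually submitted."""
        if self._nonce is None:
            return False
        expected = _mac(self._key, self._nonce, dst.encode(), str(amount).encode())
        if not self._consume(code, expected):
            return False
        return self._spend(dst, amount)


def mitm_relay(bank: Bank, token: Token, bound: bool) -> bool:
    """Attacker sits between Alice (who wants to pay bob 500) and the bank."""
    nonce = bank.challenge()                          # bank -> attacker -> Alice
    if bound:
        code = token.bound_otp(nonce, "bob", 500)     # Alice confirms bob/500 on the token
        return bank.transfer_with_bound_otp(code, "attacker", 500)   # attacker swaps dst
    code = token.otp(nonce)                           # Alice -> attacker -> bank, unchanged
    return bank.transfer_with_otp(code, "attacker", 500)


def honest_bound_transfer(bank: Bank, token: Token) -> bool:
    """No attacker: the bound code and the submitted transaction agree."""
    nonce = bank.challenge()
    return bank.transfer_with_bound_otp(token.bound_otp(nonce, "bob", 500), "bob", 500)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    b1, b2 = Bank(key), Bank(key)
    print("plain OTP, attacker's transfer accepted:", mitm_relay(b1, Token(key), bound=False), b1.ledger)
    print("bound OTP, attacker's transfer accepted:", mitm_relay(b2, Token(key), bound=True), b2.ledger)
    print("bound OTP, honest transfer accepted:", honest_bound_transfer(b2, Token(key)), b2.ledger)
```

The binding only buys anything because the token shows the destination and amount on a display the attacker does not control; if the user reads them off the attacker's web page and types them into the token, the attacker simply presents its own details as the legitimate ones and the relay works again.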
Labels: security
Monday, July 07, 2008
It couldn't happen, could it?
As for the origins of 'the cargo', there was dispute even among the best-informed rumour-mongers of Waziristan.
Some said the uranium had come from the Iranian nuclear plant at Natanz. Others believed it was from North Korea, or even dissident elements in the Russian Federation.
Whatever the source, though, the outcome was the same.
The 'real and imminent' threat to which Mohammed al Baradei, chief of the International Atomic Energy Agency, had alerted the world in June 2004, had finally come true.
Al Qaeda had acquired the means, and the technical know-how, to build a crude, simple, but brutally effective nuclear bomb.
This is something I've worried about for many years, especially after reading John McPhee's The Curve of Binding Energy. If you can get your hands on weapons grade U-235, a bomb is just not that hard to make. (Plutonium-based weapons are a different matter).
For some background to the article, read this post on The Rap Sheet.
Labels: security
Thursday, July 03, 2008
Word security risk
Microsoft Word is prone to a remote memory-corruption vulnerability.
An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.
Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.
At this point, there's no workaround, so we'll have to wait for Microsoft to issue a patch.
Labels: Microsoft Word, security
Thursday, June 05, 2008
The war on photography
Security expert Bruce Schneier examines the war on photography in more detail in his latest blog post.
Since 9/11, there has been an increasing war on photography. Photographers have been harassed, questioned, detained, arrested or worse, and declared to be unwelcome. We've been repeatedly told to watch out for photographers, especially suspicious ones. Clearly any terrorist is going to first photograph his target, so vigilance is required.
Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography.
It's also interesting that the same government forces who are trying to prevent citizen photography are the same people who want to have more and more surveillance cameras, again in the name of "security".
Wednesday, May 28, 2008
Secunia security scanner
I found out about this from Steve Gibson's Security Now podcast. Gibson knows his stuff, and if he recommends it, that's good enough for me.
Friday, May 23, 2008
Security and rare events
The rare – and the lurid – loom large in our imagination, and it's to our great detriment when it comes to our safety and security. As a new father, I'm understandably worried about the idea of my child falling victim to some nefarious predator Out There, waiting to break in and take my child away. There's a part of me who understands the panicked parent who rings 999 when he sees some street photographer aiming a lens at a kids' playground.
But the fact is that attacks by strangers are so rare as to be practically nonexistent. If your child is assaulted, the perpetrator is almost certainly a relative (most likely a parent). If not a relative, then a close family friend. If not a close family friend, then a trusted authority figure.
Tuesday, April 22, 2008
Flash exploits will be the next big problem
Until now attacks using these NULL pointers were thought to be too complicated to be any real threat, but Dowd has figured out how to take this NULL pointer and use it to write data of his choosing into a known location of the computer's memory, from where it is read by another component of the Flash player, the ActionScript Virtual Machine.
And from there he can, having solved a series of computational challenges that are equivalent to doing multi-dimensional Sudoku while waterskiing, own your computer by getting the ActionScript Virtual Machine to run his commands without realising it.
It works for the Flash player on Firefox or Internet Explorer. It even works on Vista because Flash doesn't take advantage of the extra memory protection measures that Vista offers.
Labels: Another thing to worry about, security
Sunday, March 30, 2008
Remixing anti-photography posters
Labels: photography, security
Monday, March 24, 2008
Patriot Act haunts Google services
Using their new powers under the Patriot Act, U.S. intelligence officials can scan documents, pick out certain words and create profiles of the authors - a frightening challenge to academic freedom, Mr. Puk said.
For instance, a Lakehead researcher with a Middle Eastern name, researching anthrax or nuclear energy, might find himself denied entry to the United States without ever knowing why. "You would have no idea what they are up to with your information until, perhaps, it is too late," Mr. Puk said. "We don't want to be subject to laws of the Patriot Act."
Microsoft confirms Word attacks
Microsoft has confirmed reports of vulnerability in Word that allows an attacker to exploit a system via the Microsoft Jet Database Engine, which shares data with Access, Visual Basic and third party applications.
Microsoft in its advisory said the potential for attack is “very limited.” Reports of the Word flaw were highlighted by Panda and Symantec in the last two weeks. On March 3, Panda researcher Ismael Briones stumbled on the new exploit. On Thursday, Symantec also noted the Jet vulnerability. According to Symantec:
The attacker needs only to find a trick to force the MS Jet library to open the file and trigger the vulnerability that will run the malicious shellcode. Some social engineering and a little help from Office applications will work out well in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all.
Labels: Microsoft Word, security
Saturday, January 19, 2008
Montana government fights DHS fascists
States have until May 11 to request extensions to the Real ID rules that were released last Friday. They require states to make all current identification holders under the age of 50 apply again with certified birth and marriage certificates. The rules also standardize license formats, require states to interlink their DMV databases and require DMV employees to undergo background checks.
Extensions push back the 2008 deadline for compliance as far out as 2014 if states apply and promise to start work on making the necessary changes, which will cost cash-strapped states billions with only a pittance in federal funding to offset the costs.
Last year Montana passed a law saying it would not comply, citing privacy, states' rights and fiscal issues.
Stephen Stills wrote these lyrics 40 years ago and they're still relevant:
Paranoia strikes deep
Into your life it will creep
It starts when you're always afraid
You step out of line, the man come and take you away
We better stop, hey, what's that sound
Everybody look what's going down
Friday, January 11, 2008
The Crazy Years - Five year old on no fly list
Yeah, and if you think that's funny, imagine this kid's life when he's an adult and Every goddamned flight he takes involves an extra hour of hassle, a search, no assigned seats, being turned away, being humiliated, being harassed... There's a special circle of hell that's being prepared for the domestic fear-mongers who've helped the terrorists make Americans so very afraid.
Tuesday, December 04, 2007
Security in ten years
I don't disagree that things will continue to get worse. Complexity is the worst enemy of security, and the Internet -- and the computers and processes connected to it -- is getting more complex all the time. So things are getting worse, even though security technology is improving. One could say those critical insecurities are another emergent property of the 100x world of 2017.
Yes, IT systems will continue to become more critical to our infrastructure -- banking, communications, utilities, defense, everything.
By 2017, the interconnections will be so critical that it will probably be cost-effective -- and low-risk -- for a terrorist organization to attack over the Internet. I also deride talk of cyberterror today, but I don't think I will in another 10 years.
Labels: security
Wednesday, November 14, 2007
The Crazy Years-Firefighters held up at border
Firefighters from Quebec said they were held up at the Rouses Point border crossing while trying to provide mutual aid to firefighters battling flames at the Anchorage Inn Sunday.
Lacolle and St. Paul fire officials said several members of their squad didn't have proper photo identification and were held up for close to 15 minutes while trying to reach the fire. Fire officials also said border agents inspected some of the fire trucks.
Clinton County fire officials said they called Customs and Border Protection to let them know firefighters would be crossing from Canada, but the crews were still held up.
Border security is all very well, but surely someone could have exercised some common sense.
Labels: security, The Crazy Years
Sunday, November 11, 2007
The war on photography
Labels: photography, security
Tuesday, November 06, 2007
A real hardware firewall
The RFID Guardian project has released the hardware and software schematics for the latest version of its personal RFID firewall. The RFID Guardian is a device that detects all the RFID tags on your person (passport, transit pass, bank-card, toll-card, car keys, etc), and interdicts them so that they can't answer queries anymore. The Guardian can clone all of these tags, and emit their signal on demand, but unlike a dumb tag, the Guardian only emits when you tell it to, and gives you a central way to set and enforce policy about when you will be identified and by whom.
Monday, November 05, 2007
The war on chemistry sets
In some States, you need a FBI criminal background check to purchase chemicals. Some metals, like lithium, red phosphorus, sodium and potassium, are almost impossible to purchase in elemental form. This is thanks to their use in manufacturing methamphetamine. Sulphur and potassium nitrate, both useful chemicals, are being classified as class C fireworks (here is a good precursor link). Mail order suppliers of science products are raided. Many over-the-counter compounds now require what is essentially a (poor) background check. Even fertilizer (ammonium nitrate) is under intense scrutiny. Where does this trend end? Ten years from now, will the list include table salt, seawater and natural gas — precursors to many industrial chemicals?
This is a far cry from my student days. I had a couple of pretty decent chemistry sets when I was a kid, and you could do real chemistry with them. You could also make poisonous solutions and small quantities of explosives, but the makers assumed (sometimes wrongly) that you had some sense, and perhaps parental supervision.
Author Robert Bruce Thompson (of Building the Perfect PC, among many other excellent books) is taking on the challenge of doing real chemistry at home, and is writing a book, to be published by O'Reilly next year, that will be a handbook for home chemistry experimenters. You can find out more on his Daynotes site.
Friday, November 02, 2007
War on the unexpected
We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.
This isn't the way counterterrorism is supposed to work, but it's happening everywhere. It's a result of our relentless campaign to convince ordinary citizens that they're the front line of terrorism defense. "If you see something, say something" is how the ads read in the New York City subways. "If you suspect something, report it" urges another ad campaign in Manchester, UK. The Michigan State Police have a seven-minute video. Administration officials from then-attorney general John Ashcroft to DHS Secretary Michael Chertoff to President Bush have asked us all to report any suspicious activity.
The problem is that ordinary citizens don't know what a real terrorist threat looks like. They can't tell the difference between a bomb and a tape dispenser, electronic name badge, CD player, bat detector, or a trash sculpture; or the difference between terrorist plotters and imams, musicians, or architects. All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different.
Even worse: after someone reports a "terrorist threat," the whole system is biased towards escalation and CYA instead of a more realistic threat assessment.
Labels: security
Sunday, October 21, 2007
The Dark Side of 9-11
Within five years of 9-11, TSA had likewise discovered that the main mission of any organization that does not have to justify its mandate is to spend as much as possible, but while NASA merely wasted the taxpayer's money, mindless spending by Homeland Security translates into the waste of the nation's time as well. Treating passengers like Spam In A Can astronauts prepared to suffer unending delays to get off the ground manifests bureaucratic sadism more than safety concern.
NASA 's downward trajectory can teach us a lot about what else TSA should not be doing, but if history is any precedent, the last thing Hom
Labels: security
Saturday, October 20, 2007
RealPlayer zero-day flaw hits IE users
The flaw is actually in RealPlayer, but it's actually invoking an ActiveX control and JavaScript in IE. You can turn off Active Scripting in IE, but this will render many sites unusable. Note point 5 near the end of the article:
# Successful exploitation results in the payload downloading and executing the hxxp://66.199.254.193/ads/r.php executable file.
Firefox will not download such a file without prompting you first.
NASA is taking the right approach.
Labels: security
Friday, October 05, 2007
Arrive alive
Rule #0: be prepared. If you're going to travel, you need to line up all your ducks in a row first. Make sure your passport is in date and doesn't look as if it's been tampered with. (In particular: if the photograph page looks as if someone may have messed with the photograph, get a replacement passport right now.) Make sure your flights are booked, and (if flying to the USA) you've got an itinerary with the addresses of where you're going to be staying. There will be an exam, administered in flight, and if you don't fill out the landing card properly the immigration officer may refuse you entry. Take a black ballpoint pen. (Pack two!) Visas are a whole other kettle of fish; luckily for me, most places I fly to don't require them. (The USA has a visa waiver scheme for EU citizens that covers vacations and short business trips — as long as you're not working as "an agent of the foreign press" or earning a living. This covers things like trade shows and, apparently, science fiction conventions and publicity tours.) You should also almost certainly ensure that you have a comprehensive travel insurance policy, including medical and legal cover of at least $1M. Oh, and make sure your mobile phone works in your destination country and your phone plan covers international roaming. (Note that GSM phones do not work in Japan, dual-band European GSM phones don't work in all parts of the USA, CDMA phones — from the USA — do not work anywhere outside the USA, and so on. There are some other rules. Ask your phone company for guidance.)
Monday, September 03, 2007
Big brother is watching you
Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.
FBI wiretapping rooms in field offices and undercover locations around the country are connected through a private, encrypted backbone that is separated from the internet. Sprint runs it on the government's behalf.
The network allows an FBI agent in New York, for example, to remotely set up a wiretap on a cell phone based in Sacramento, California, and immediately learn the phone's location, then begin receiving conversations, text messages and voicemail pass codes in New York. With a few keystrokes, the agent can route the recordings to language specialists for translation.
It could also be riddled with security holes:
But the documents show that an internal 2003 audit uncovered numerous security vulnerabilities in DCSNet -- many of which mirror problems unearthed in the bureau's Carnivore application years earlier.
In particular, the DCS-3000 machines lacked adequate logging, had insufficient password management, were missing antivirus software, allowed unlimited numbers of incorrect passwords without locking the machine, and used shared logins rather than individual accounts.
The system also required that DCS-3000's user accounts have administrative privileges in Windows, which would allow a hacker who got into the machine to gain complete control.
Monday, June 18, 2007
The Crazy Years - Woman detained over infant's sippy cup
The incident started when Monica was stopped while going through airport security because there was water in her son's sippy cup. The sippy cup was seized by TSA. Monica wanted the cup back because the sippy cup was the only way her son would drink -- and it was a long flight between Washington, DC and Reno, Nevada where she was going for a family reunion. If you've ever had a toddler you understand about sippy cups.
Do read the full article. Does the term "police state" not come to mind?
Update: It seems there was more to this story than it first appeared. The TSA released a video of the incident, which apparently shows that the woman deliberately spilled the drink. For more, see Bruce Schneier's blog.
Labels: politics, security, The Crazy Years
Friday, June 15, 2007
Portrait of the modern terrorist as an idiot
The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press.
Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong.
The alleged plan, to blow up JFK's fuel tanks and a small segment of the 40-mile petroleum pipeline that supplies the airport, was ridiculous. The fuel tanks are thick-walled, making them hard to damage. The airport tanks are separated from the pipelines by cutoff valves, so even if a fire broke out at the tanks, it would not back up into the pipelines. And the pipeline couldn't blow up in any case, since there's no oxygen to aid combustion. Not that the terrorists ever got to the stage -- or demonstrated that they could get there -- where they actually obtained explosives. Or even a current map of the airport's infrastructure.
Tuesday, May 29, 2007
Rare risk and overreactions
Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota -- where I live -- in 2003, and claiming that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I thought: "There were no terrorist attacks in the two years preceding 9/11, and you didn't have any policies. What does that prove?"
What it proves is that terrorist attacks are very rare, and maybe our reaction wasn't worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it's security theater, but it makes us feel safer.
Thursday, April 12, 2007
HLP file exploit
So far there's no word on whether or when Microsoft will issue a patch. This may be related to Microsoft's refusal to include a HLP file viewer in Vista (although you can download it separately). It'll be interesting to see how many help systems the patch breaks when they release it -- help authors are still dealing with the effects of last year's security patch for CHM files.
Labels: Microsoft, security, technical communication
Wednesday, March 14, 2007
PC Mag guide to security
Labels: security
Saturday, March 03, 2007
Cory Doctorow talk on privacy and security
And, yes, I know that Cory is a GoH at Ad Astra this weekend in Toronto, but for various reasons, I can't go. Sigh.
Labels: security
Wednesday, February 21, 2007
Vista security reviewed
The default security settings for IE are basically sensible and I would change only a few, and this is the first time I've ever said that. I would tighten things up just a bit, disabling MetaRefresh, disabling "Launching programs and files in an IFRAME", disabling "websites in less privileged web content zone can navigate into this zone", and disabling Userdata Persistence. Otherwise, IE7 on Vista offers a decent compromise between security and usability. The privacy conscious are, as always, encouraged to use Mozilla for browsing instead, and leave IE in its default configuration, to be used solely for manual sessions with Windows Update.
However, Vista fares less well.
Data hygiene is still an absolute disaster on Windows. In fact, it's worse than it ever was in some ways, and that's very bad indeed. Browser traces still in the registry, heavy and complicated indexing to improve search, new locations where data is being stored. It all adds up to a privacy nightmare. Keeping a Vista box "clean" is going to be impossible for all but the most knowledgeable and fastidious users.
So don't rush out to buy Vista in hopes of getting much in return security-wise. I do like some of the changes, at least in theory, or as a decent platform on which to build an adequately secure version of Windows one day. But that day, if it ever comes, will be well in the future.
Wednesday, February 07, 2007
Internet root DNS servers attacked
Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.
Tuesday, February 06, 2007
Windows vs. Linux - complexity means insecurity
Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well, these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.
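As an added illustration (my own, not code from the quoted article), here is a small Python parser that reduces a `strace -f` style trace of a web server handling one request to the two numbers the argument above turns on: total system calls and distinct entry points. The trace lines are constructed for the example, not a real capture.

```python
import re
from collections import Counter

# Constructed sample in strace -f format (pid-prefixed lines); not a real capture.
SAMPLE_TRACE = """\
1234  accept(3, {sa_family=AF_INET, ...}, [16]) = 5
1234  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID) = 1235
1235  read(5, "GET /index.html HTTP/1.1\\r\\n", 8192) = 27
1235  open("/var/www/index.html", O_RDONLY) = 6
1235  fstat(6, {st_mode=S_IFREG|0644, st_size=512, ...}) = 0
1235  mmap(NULL, 512, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f00
1235  write(5, "HTTP/1.1 200 OK\\r\\n", 17) = 17
1235  open("/var/www/logo.png", O_RDONLY) = 7
1235  sendfile(5, 7, NULL, 4096) = 4096
1235  close(7) = 0
1235  close(6) = 0
1235  close(5) = 0
1235  exit_group(0) = ?
1234  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
1234  wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 1235
"""

# Matches an optional pid prefix followed by "name(". Signal delivery lines
# ("--- SIGCHLD ... ---") have no "name(" there and are skipped.
LINE_RE = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")


def count_syscalls(trace_text):
    """Return a Counter mapping syscall name -> number of times it was invoked."""
    counts = Counter()
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def attack_surface_summary(trace_text):
    """Total calls (work to audit) and distinct syscalls (entry points to review)."""
    counts = count_syscalls(trace_text)
    return {"total": sum(counts.values()),
            "distinct": len(counts),
            "top": counts.most_common(3)}


if __name__ == "__main__":
    for name, n in sorted(count_syscalls(SAMPLE_TRACE).items()):
        print(f"{name:12s} {n}")
    print(attack_surface_summary(SAMPLE_TRACE))
```

Running the same parser over traces of two servers serving the same page gives a comparable pair of numbers, which is the comparison the two images make visually.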
Labels: Linux, Microsoft, security
Saturday, January 06, 2007
You will be assimilated
Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.
Thursday, December 07, 2006
Word zero-day attack
Labels: Microsoft Word, security