12/23/09

The Real Threat?

Back in 1979, just out of grad school, I got my first real job working as a software developer (we used to be called "programmers" in the olden days). I learned the C programming language then and did my software development on a Digital Equipment Corporation PDP-11/70 minicomputer running 6th edition UNIX. And for the first time, I was using a multiuser computer which could be crashed by a non-privileged user doing non-privileged things. I mean, an error in Charlie's or Mike's (never mine!) code could crash the whole machine. "Why doesn't the operating system protect against such things?"

As I said, that was 1979. 30 years later, in September 2009, my friend David Strom, citing a report from the SANS Institute on top cyber security risks, wrote "Unpatched applications are the real threat." Are they? I reiterated what I asked 30 years ago: "Why doesn't the operating system protect against such things?"

Quoting the SANS report, he writes, "Most web site owners fail to scan effectively for the common flaws," and "TippingPoint reported that vulnerabilities that were more than two years old were still waiting for patches."

Patching? The SANS report is a good reminder of what can and should be done in the short term. But, it is clear that, while patching is useful (I won't even write "important"), it should only be important for data integrity or program availability, not for security of the data or of the system. The hardware and software system should protect against such things. The computer science world has been flirting with "trusted computing" and trusted operating systems for years. The "real threat?" Operating systems we still cannot trust to effectively control and contain user-level applications.

"Senate Panel Agrees with Avolio"

Okay, the headline actually says, Senate Panel: 80 Percent of Cyber Attacks Preventable, but basically the panel said what I have said in over 60 different blog entries (according to this search on "same old"). The article by Kim Zetter opens with this statement:
If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented.
This October 2009 Wired article is an example of what I'm (and they are) talking about. The headline states "Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks." It goes on to mention "The device is installed with default configurations." (See what I wrote about default configurations and what to do about them at Top Ten Security Threats, but in this case it would not have helped as Time-Warner did not permit changing the router in question.)

Another Wired article pointing out a similar problem states, Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices.

Why don't we get it? None of it is expensive. None of this is hard. None of it is new.

Evernote

Many have reviewed Evernote, and months have gone by since I first mentioned it in my blog. I will briefly discuss how and why I use Evernote and point to some other helpful blog posts.

In my quest to get things done, I used to make use of email and of my PDA to keep task lists and to remind me of things I did not want to forget. (As the senior Dr. Henry Jones says in Indiana Jones and the Last Crusade, "I wrote them down in my Diary so that I wouldn't have to remember.") If I found something on the web that I wanted to download or read, but didn't have the time to deal with at the moment, I would send myself emails with the subject "tryme" or "readme." When I got home in the evening, I would take care of them by actually downloading something I wanted to try or reading something I wanted to read (on my iPod touch screen, or by printing).

Also, as I have mentioned, I make extensive use of Notes in my PDAs; I used to use Memos on Palm, and now Notes on my iPod touch. Then I started reading about Evernote. I read 7 Ways to Use Evernote. I also read 9 Ways I use Evernote, and How To Use Evernote to Remember Everything, Part 1 and Part 2.

I started using Evernote to capture the things I previously emailed. I did this on my home PowerBook Pro or on my work MacBook Pro. The notes were accessible on both and on my iPod touch. I took brief reminder notes on my touch. I started taking notes in Evernote in the classes I was taking using my PowerBook, I'd take notes on my iPod touch when reading for the classes, and I would study by reading (and searching) through both on my touch.

The more I use Evernote, the more I like it, and the more ways I find to use it.

9/21/09

Be Careful With Those Firefox Extensions

People who know me from my consulting and teaching days, or who have read my web site from my consulting days, have read my blog, or have been in a class I taught, know that I am a pretty cautious guy when it comes to the Internet.

Today, via web mail, I was checking my personal (non-APL) email. I saw one of the messages was from Hallmark Postcards, saying I had a postcard from someone. Now, I already knew that it was spam, just from that information. What I should have done was just check the box next to it and click on "Report Spam." Instead I opened the message. No problem. I saw the URL for the card, so I "hovered" my mouse over it. It was "postcard.exe." Into the spam folder with you, sucker!

A few minutes later I got a call from someone in the IT department here at APL. One of our security devices indicated I tried to download that file. It blocked the download and reported it. Now, the Windows executable would have done nothing on my Mac, and recall I did not click on it to download it. What had happened?

I looked through the add-ons and extensions I had in Firefox. Sure enough, amidst the security-related add-ons, I also had added Interclue, "Your Personal Link Preview Multitool." It promises, "Before you click the link: Hover your mouse pointer over the link, and a Linkclue icon will appear. Rest your mouse on the icon, and up pops an enhanced summary of the linked page."

Hmmm. I don't think it actually tried (or tries) to download anything. I think that our security software saw this in the stream and triggered an alarm. (On the other hand, what does it mean to "preview" an executable?) I'm not sure, and I didn't need Interclue enough to want to keep it. I uninstalled it and restarted Firefox.

Update
I heard from my co-worker in the IT department. He writes:
What our network systems saw is the following exchange between your host and the remote server
Request from your host:
GET /postcard.exe HTTP/1.1
Host: nn.nn.nn.nn
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Reply to the request:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 21 Sep 2009 14:05:36 GMT
Connection: close
Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f ])
Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785
Content-Length: 0
This, of course, shows your host asking for postcard.exe and our Websense device referring your host to a block page thereby preventing the download. Your Firefox plug-in wants to provide a preview of the web page. To provide a preview, it apparently downloads the web page (or at least part of it). Otherwise, how would it know what the page looks like so it could provide a preview? It looks like a rather dangerous plug-in, one designed for a more friendly Internet.
I agree. Avoid this Firefox extension.
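
The exchange quoted above can be triaged from the proxy side. The following is an added example, not code from the original post or from the IT department's tooling: it parses one request/response pair and reports whether an executable was requested, whether the gateway answered with its block-page redirect, and whether the User-Agent platform matches a Windows payload. The sample strings are constructed from the headers shown above, and the extension watch list is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the exchange quoted in the post;
# "nn.nn.nn.nn" is the post's own redaction and is kept as-is.
REQUEST = (
    "GET /postcard.exe HTTP/1.1\r\n"
    "Host: nn.nn.nn.nn\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; "
    "rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Via: HTTP/1.1 localhost.localdomain (Websense-Content_Gateway/7.1.2 [c s f ])\r\n"
    "Location: http://nn.nn.nn.nn/cgi-bin/blockpage.cgi?ws-session=3741857785\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")  # assumed watch list

def parse_head(raw):
    """Split an HTTP message head into (start_line, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify(request, response):
    """Summarise what an analyst can conclude from one proxied exchange."""
    req_line, req_h = parse_head(request)
    status_line, resp_h = parse_head(response)
    method, target, _ = req_line.split(" ", 2)
    status = int(status_line.split(" ", 2)[1])
    path = urlsplit(target).path.lower()
    location = urlsplit(resp_h.get("location", ""))
    wants_exe = method == "GET" and path.endswith(EXECUTABLE_EXT)
    return {
        "executable_requested": wants_exe,
        # The gateway blocks by redirecting (302) to its own block page.
        "blocked_by_gateway": status == 302
            and location.path.endswith("/blockpage.cgi")
            and "websense" in resp_h.get("via", "").lower(),
        # A Windows executable cannot run on the Mac client seen in the User-Agent.
        "payload_fits_client": wants_exe and "Windows" in req_h.get("user-agent", ""),
    }
```
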

9/12/09

Safeguard your Notebook Computer

No matter how careful you are about physically protecting your small notebook computer, you need to plan for the worst. A few months ago, The Unofficial Apple Weblog (TUAW) had an article 9 things I learned from almost losing my MacBook Air. It is Mac-specific in the details, but no matter whether you have a MacBook, a Windows notebook, or something else, computers are getting smaller, disks are getting larger, and that raises the vulnerability to information loss. And no matter what you think, you have data on your computer that, in the wrong hands, could cost you money.

It reminded me of a few columns, not Mac-specific, I wrote a few years back:

9/11/09

9/11 + 8



8:46, impact
9:03, impact
9:37, impact
9:59, collapse
10:03, crash
10:28, collapse

9/9/09

New Software: iTunes 9.0 and iPod touch 3.1 update

I'll make this short and sweet. I updated my iPod touch software to 3.1 and my iTunes to 9.0, both announced today (among other things you can find on the Apple Website). I installed iTunes through the iTunes program, checking for software update. It downloaded iTunes 9.0, Quicktime Player 7.6.4, and restarted my PowerBook.

I started iTunes. Anytime I accessed the iTunes store it crashed. So, I manually downloaded iTunes 9.0. It works fine now.

See 3.1 features and iTunes 9.0 features for more information.