locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sun, 30 Nov 2003 (BlogID 171)
Powerline Ethernet

I recently installed a Powerline backbone network, to extend my home network. Read about this often overlooked alternative here.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID171 by Dave Piscitello  



Thu, 20 Nov 2003 (BlogID 169)
Book Review of The Myth of Homeland Security

Book Review: The Myth of Homeland Security

Marcus Ranum's Myth of Homeland Security is a sobering and insightful look at the policies enacted following the September 11 attacks, and the bureaucracies responsible for their implementation and enforcement. Marcus subjects the U.S. Patriot Act, the Department of Homeland Security and its constituent organizations to a level of scrutiny few American and even world citizens have attempted. He describes how conflicting political agendas, personal ambition, empire building, and animosity rendered the Three Letter Agencies dysfunctional in the past, and how the DHS threatens to prolong rather than remedy the problem. He lambasts the press for its obsession with perpetuating fear, uncertainty and doubt; legislators, for pork-barrel legislation guaranteed passage as riders to the Patriot Act; security vendors and Beltway bandits for fanning the flames of fear for profit. No party's left unscathed, and the book is a compelling read precisely for this reason.

Marcus relates stories of oversight, in-fighting, and fumbled handoffs between agencies, absurd and insipidly foolish behavior by the press, and self-serving actions by government agencies and legislators. You'll find reason to laugh in nearly every chapter, but if you are like me, the laughter will carry a hint of irony and discomfort. Marcus leaves me unsettled, and rekindles the same existential sense of vulnerability I felt as I watched the Twin Towers burn and collapse over and over and over on television from my hotel room in Atlanta, far from my family. He reminds us that we can never be 100% safe without sacrificing freedoms we enjoy and changing the ways we live and behave.

This is not a technology book. It's certainly not the kind of book that anyone familiar with Marcus Ranum's many contributions and remarkable accomplishments in the field of Internet Security would expect. But it's precisely the kind of "suffer no fools" analysis colleagues and close friends find most engaging and remarkable, and have come to expect. Myth of Homeland Security ranks high on my list of worthwhile and thought-provoking reads.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID169 by Dave Piscitello  


Tue, 18 Nov 2003 (BlogID 166)
Anti-SPAM, DDOS Prevention, ... - Can't we do better than react?

Dr. Paul Judge posted a very interesting view about SPAM at ComDex Loop, The Ins and Outs of SPAM Defense.

Does anyone find it frustrating that we can only react to SPAM and not block it at the source? Like DOS attacks and network level probes, we are completely hamstrung by our inability to enforce and validate traffic sources: at the IP address level as well as the application level, we are too willing to deal with "garbage in" rather than isolating sources and pruning/blocking them.

Yes, source (address) validation is a very difficult problem. But if we choose to ignore it or concede it's hopeless, then we will forever be locked in a game of network cat and mouse.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID166 by Dave Piscitello  


Security Policy for Mobile Users

Find presentations from the ComDex 2003 Las Vegas session, Security Policy here:

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID164 by Dave Piscitello  


Mon, 17 Nov 2003 (BlogID 163)
Phishers don't deserve sympathy

Phishers are one of the lowest forms of e-life. These email scam artists pose as representatives of Charles Taylor, PayPal, and other legitimate businesses, hoping to fleece money or reel in your credit card or bank account information.

I have no sympathy for phishers. What they do is reprehensible. Apparently I'm not alone. Every post to the discussion thread at SecurityFocus.com for Kevin Poulsen's article, Unlucky Phisher Pleads Guilty condemns Helen Carr's phishing schemes. And everyone is hopeful that the US Justice Department will be able to impose the maximum sentence of five years, and wishes it could be more.

If you want to learn more about phishing, what you can do to protect yourself, and how to report suspected phishing, visit Antiphishing.org.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID163 by Dave Piscitello  


Thu, 13 Nov 2003 (BlogID 162)
Amazon and Web Services - Read Web Informant #350

Dave Strom has been publishing the Web Informant for, well, forever. [Web-Informant] #350, 12 November 2003: Amazon opens up offers an insightful look into Amazon's foray into Web Services. This informant lives up to its name and reputation, visit strom.com and read it!

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID162 by Dave Piscitello  


Wed, 12 Nov 2003 (BlogID 161)
Comparing Patch Track Records: Useful or Pointless?

According to a news item by Kieren McCarthy at Techworld.com, and to the apparent delight of many Linux users and bug traqrs, Microsoft has "hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably."

While the weenies giggle and chat about how they are finally rattling Microsoft's chain, I can only shake my head in disbelief. Why anyone, much less Microsoft, would try to focus - or perhaps divert - attention on "who's quicker to fix broken code?" boggles my mind. It reminds me of the lampoon where George Bush is assailed by reporters about healthcare and the economy and his response is, "look, there's Saddam Hussein!!!".

I suppose if misdirection works for George, it should work for Microsoft as well.

If there's an issue every software community should consider, it's the sheer volume of bugs in starNIX, Windo$e and dozens of applications that don't appear on the radar of the world where meaningful business is conducted. Perhaps bugtraq-ing is très outré and what we're seeing is simply a temporary phenomenon? Perhaps not.

I dread to think what's next. Imagine the home pages of Microsoft, Caldera, and Red Hat all boasting "over <integer>million bugs patched".

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID161 by Dave Piscitello  


Wireless LAN Security White Paper

Kudos to Cisco Systems for publishing a truly informative and comprehensive white paper on wireless LAN security. Even the discussion of Cisco Wireless Security Suite is professionally done.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID160 by Dave Piscitello  


Tue, 11 Nov 2003 (BlogID 158)
Special Characters in HTML

I have trouble remembering how to format special characters in HTML. The free webmaster resources at WebAnalysis include a page listing HTML special characters and their Unicode values.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID158 by Dave Piscitello  


Mon, 10 Nov 2003 (BlogID 157)
Open Source vs. Proprietary Software? Enough already!

I was asked recently if I would recommend someone to argue the side of proprietary software in a security debate. My response was that I honestly don't know anyone who is knowledgeable, credible, and willing to engage in this sort of debate any longer.

"Which is better?" is a tired tale that has nothing to do with security and everything to do with religion and bias and envy. No one with a modicum of professionalism wants to argue with folks from the open source community who delight in attention they garner when they disparage Windows. I suspect that Microsoft begs off invitations to such public debates because they have exhausted the pool of qualified people willing to participate. I'm actually quite happy that MSFT's engineers choose to stay in Redmond, to work at improving product, over participation in amateur theatrical performances with badly written scripts (pun intended).

Let's look at this issue from another perspective. In my blog #46, Web Server Market Leader: Apache or Microsoft IIS?, I mention a poll that shows more Fortune 1000 companies run web and other critical internet services on Windows than on <choose-your-*nix>. Are all these administrators crazy, stupid, duped, or coerced? I don't think so. I imagine that they are very informed, experienced, disciplined professionals. I also suspect that the best among the financial community's administrators would scoff at the lame arguments, snorting and snickering you invariably suffer through during "Which is Better?" sessions.

What too many open source folks refuse to admit is that securing operating systems and services all boils down to running the server you are best informed and prepared to secure, which reduces to experience and a whole lot of RTFM and GTFW (google the freakin' web!). Consider this: the reason a *nix guru (imagines) he can secure a *nix system better than a Windows system probably has much more to do with the vast experience accumulated over hundreds upon hundreds of hours of use and administration and far less to do with inherent flaws in Windows Security architecture. A corresponding investment by the same bright fellow in Windows administration would yield a system just as rigorously secured.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID157 by Dave Piscitello  


Wed, 05 Nov 2003 (BlogID 159)
Long-lost Routing Article Recovered

The Web virtually assures that nothing is ever permanently lost. I discovered an electronic version of a Computer Communications Review article I co-authored with colleagues Jeff Rosenberg and Steve Gruchevsky in 1987. The hopelessly curious among you can now read Adaptive routing in Burroughs network architecture in Acrobat format.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID159 by Dave Piscitello