
The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 31 Dec 2003 00:00:00 00, 185
Core Competence celebrates 10th Anniversary

If you are not a recipient of our company newsletter, Cornerstone, you may not know that November 2003 marked our ten year anniversary of providing consulting services. Considering our size, and the tech industry's roller-coaster ride over this same period, we consider this a significant milestone. We have many companies and individuals to thank for our continued success.

Our first clients -- Nortel, British Telecom, NIST, MCI, AT&T Wireless, OSI, and Cisco Systems -- helped us affirm our credibility and competence. We want to thank all who championed our cause, providing our small and then novice company opportunities to perform services traditionally entrusted to larger firms. Special thanks to Dr. Vint Cerf, Christine Hemrick, Jon Shantz, Steve Morrison, and Morgan Littlewood for providing us with long term work to sustain us through our first 3 years.

We also wish to thank the many publications for whom we've had the pleasure of writing product evaluations and articles, including the succession of owners of Networld+Interop, with whom Dave has worked for nearly two decades. We sincerely appreciate the opportunities presented by new clients and the continuing loyalty of our long-term clients during this past year, especially Expertcity, JupiterMedia, OECD, TechTarget, and WatchGuard.

Along the way, we have had the distinct pleasure of working with and for a remarkable group of people, and most of you are Cornerstone readers. We look forward to continuing our business and personal relationships with you as we begin what we hope to be another exciting and rewarding ten years.

Happy New Year to all,

Dave and Lisa

Core Competence, Inc.

www.corecom.com

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID185 by Dave Piscitello  


Tue, 30 Dec 2003 00:00:00 00, 186
Power and Service Interruption

My web server terminated unexpectedly at 1:51:15 a.m. on Friday, December 19th. I was away from my office and unable to investigate and restore service until Saturday evening at 9:29:26 p.m. One of the lessons I learned from this experience was, "for small businesses, the 'un' in uninterruptible is as much a function of battery life as of capacity."

The incident did inspire me to write a bit about service availability and equipment reliability here.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID186 by Dave Piscitello  


Thu, 18 Dec 2003 00:00:00 00, 183
SIP comes to Hilton Head

While not quite as newsworthy as the Philadelphia Eagles Cheerleaders visiting for their annual lingerie calendar photo shoot, I've finally found time to install and use IP telephony in my office on Hilton Head Island. Read about my experience here.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID183 by Dave Piscitello  


Compliments

Commenting on my article, Free Space Optical: Extending Optical Networks Where No Fiber Has Gone Before, Dave Carson wrote:

"...thanks for writing one of the most succinct and most clear FASO articles in the industry. After reading FASO after FASO article in terms of application to a last mile wireless ISP plan, yours is by far the best in terms of clarity and comprehensive coverage of the industry."

Thanks, Dave (Carson).

FWIW, Free Space Optical is still around. The market and opportunities are growing. I found the column, New Life for FSO, at Light Reading, quite interesting.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID184 by Dave Piscitello  


Wed, 17 Dec 2003 00:00:00 00, 182
Measuring Network Performance

Mike Penacchi posted a good column about measuring (LAN) performance using a freely available tool, Iperf, at Comdex Loop.

Iperf is available from NLANR/DAST.

Happy reading... and measuring!

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID182 by Dave Piscitello  


File Transfer Utility for Windows Terminal Server Users

I use Windows Terminal Services to manage my web servers. Yes, the service is blocked from the outside, the server is hardened, and I have ACLs to minimize unauthorized connections (I find it increasingly difficult to say *mitigate* these days). My blog software automatically updates blog pages and archives, but posting articles and shuttling images to the server from my desktop was a cumbersome FTP process, made even more so because I still use lame old FTP from the DOS command line.

I found this clever little utility at AnalogX called TSDropCopy. You install TSDropCopy on both your server and client, enter some rudimentary configuration, and you're ready to drag and drop files between your client and your server. You can even create path mappings across the two machines.

TSDropCopy is one of a handful of very useful AnalogX applications I've found nearly indispensable, ranging from web log analyzers to script- and cookie-blockers.

The software is free. The Windows clients have simple, uncluttered interfaces. It's all surprisingly small (no bloatware here). AnalogX are the kind of folks who give me hope that some people still engage in hacking as it was intended.

Brilliant.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID181 by Dave Piscitello  


Tue, 16 Dec 2003 00:00:00 00, 180
Comdex Loop

I've been spending more blog time writing for Comdex Loop than here. It promises to be an interesting site. Some of what I've written for Loop I've mirrored here, but you should visit Loop just in case I've overlooked something.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID180 by Dave Piscitello  


Wed, 10 Dec 2003 00:00:00 00, 178
Draconian Act of the Month: Poke your camera phone's eye out?

A colleague forwarded me Andrew Orlowski's column from The Register, where META Group analyst Jack Gold recommends that companies "poke out" the camera lens on cell phones as a means of mitigating the threats these insidious devices pose (see also, my editorial).

A bit over the top Jack. Can you spell D-R-A-C-O-N-I-A-N?

And people wonder why I cringe when I'm introduced as an industry analyst.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID178 by Dave Piscitello  


Mon, 08 Dec 2003 00:00:00 00, 179
How hard is it to get a phone without a camera?

True story...

My daughter and I were cleaning out my car and accidentally threw away my cell phone. 10 days later, my wife left her cell phone in a rental car in Philadelphia. OK, we're idiots (parents, actually, but some would say the terms are tautological).

Go online to SprintPCS. *Zero* phones without camera under $300 (I didn't have the loss insurance of course).

Go to Radio Shack. Again zero.

Go to SprintPCS store 20 miles away, "we have one under $100, but we're all out and aren't getting any more, try Staples".

Go to Staples, buy the LAST TWO LG 1200 flip phones (rather nice, only 3 oz). And they were $99.95.

Perhaps persistence has its rewards. As the woman prints out the receipt, one of the Staples rebate certificates prints with the phones. $100 rebate on the phone and the rebate does not actually say you need to activate NEW service, only that you must keep service for 30 days. So I'll fire away the paperwork and pray for the best.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID179 by Dave Piscitello  


Sat, 06 Dec 2003 00:00:00 00, 177
Blog entry makes IT Business Edge Top 10 Articles and Insights

My article, Re-emergence of SSL VPNs, was selected by IT Business Edge as among "the 10 most useful insights to have recently hit the Web on VPNs, intrusion detection and other hot security issues."

IT Business Edge also lists VPNs: Tunnel Visions as the #1 article on the list, written by my brilliant partner, Lisa Phifer.

This is one of the few times I imagine, "gee, if only we had more than two employees..."

I've copied my article from its blog entry to a separate web page.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID177 by Dave Piscitello  


Fri, 05 Dec 2003 00:00:00 00, 176
Comments on HomePlug Networking

I received a surprising number of comments on my Powerline Ethernet (HomePlug) post and article. Henry Lewis writes:

"This reminds me of the old intercom over AC power line devices which were subject to crosstalk between homes which were on the same side of a given transformer, (although they also had RF interference from fluorescent lighting which I presume does not happen here). How far down the block does this go? Although driveby's would be eliminated, is it better or worse than WiFi interception between homes?"

Good question. My understanding is that "how far" depends on how utilities deploy power lines. Conceptually, it's "whatever arbitrary network of outlets receives power from the same source" - like any other tree topology, the branches must stem from the same trunk or root. What's interesting about this is that, depending on the country and power company infrastructure, this may be a piece of your home (all the circuits connected to the same meter), several apartments in your building, or even multiple homes in a neighborhood.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID176 by Dave Piscitello  


Home Networking Alternatives

Several visitors asked if I had opinions about which alternative for home networking is best. Honestly, no single home networking alternative is right for everyone, and in many cases, including mine, you'll find you need more than one.

I wrote an article a while ago comparing "classic Ethernet", Wireless LANs, and Home Phone Networking. I barely mentioned powerline Ethernet (HomePlug), which was in its embryonic stage at the time of publication.

Still, you may want to read Home Alternatives for Shared Network Access Service Providers.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID175 by Dave Piscitello  


Wed, 03 Dec 2003 00:00:00 00, 174
SPAM and Anti-SPAM: MOTS

More of the same. Yet another game of cat-and-mouse.

Just prior to Comdex, I was dismayed that the efficiency of my antispam measures had seemingly collapsed. Spammers were obfuscating words by using special characters, as in p0rn.graphy and fr33 s3x.

Pornography and other undesirable email was slipping through my ISP's spam gateway at an alarming rate.

What's alarming?

I receive 300-400 spam messages per day, a consequence of having my email associated with so many web pages where I've published articles online. Until late October, my spam gateway was catching over 97% of the spam (I know this because every 2 weeks, I visit my quarantine area, and I keep a rough count of spam that arrives, and calculate "efficacy"). Suddenly, I'm receiving 30 or so spam per day, which is a drop in efficiency of nearly 10%.

Two weeks and a gateway update from Postini later, my spam gateway efficiency is at 97%.

Cat and mouse, or chess if you choose.

Spammers analyze how antispam software is detecting their activity, and adjust their techniques accordingly. Antispam software vendors study the new "attack" and adjust accordingly.

So... are both sides making enough money for this to go on ad infinitum?
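The obfuscation described above (digits and punctuation substituted into keywords) defeats a filter that matches words literally, and the fix on the gateway side is to normalize text before matching. The following is an added illustration, not the page's or Postini's code: a small normalizer plus keyword filter run over a constructed set of sample messages, reporting the "efficacy" (fraction of spam caught, fraction of legitimate mail wrongly flagged) of the literal filter beside the normalizing one. The substitution table, keyword list and sample messages are all assumptions made for the example.

```python
"""Undo common keyword obfuscation before matching, and measure filter efficacy."""
import re

# Character substitutions that spammers used to dodge literal keyword matches
# (assumed table for this example; a real gateway maintains a far larger one).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "|": "l", "!": "i",
})

# Punctuation wedged inside a word to split it (p0rn.graphy, f-r-e-e).
INTRA_WORD = re.compile(r"(?<=\w)[.\-*_'^~]+(?=\w)")

# Keywords matched at word start so "essex" does not trigger "sex" (assumed list).
KEYWORDS = ("porn", "sex", "viagra")
PATTERNS = [re.compile(r"\b" + kw) for kw in KEYWORDS]


def normalize(text: str) -> str:
    """Lower-case, reverse the substitutions, and drop intra-word punctuation.

    The result is lossy ("3pm" becomes "epm"), so it is used only for matching,
    never shown to the recipient.
    """
    text = text.lower().translate(LEET)
    return INTRA_WORD.sub("", text)


def naive_is_spam(text: str) -> bool:
    """Literal keyword match: what the page's gateway was effectively doing."""
    t = text.lower()
    return any(p.search(t) for p in PATTERNS)


def normalized_is_spam(text: str) -> bool:
    """Same keywords, applied after normalization."""
    return naive_is_spam(normalize(text))


# Constructed sample messages: (subject, is_spam). Not real mail.
SAMPLES = [
    ("free sex pics inside", True),
    ("fr33 s3x p1cs 1ns1de", True),
    ("p0rn.graphy for all", True),
    ("cheap v1agra online", True),
    ("hot pornography now", True),
    ("meet at the essex office at 3pm", False),
    ("the free-space optical article was great", False),
    ("invoice 1005 attached", False),
]


def efficacy(classifier, samples):
    """Return (share of spam caught, share of ham wrongly flagged)."""
    spam = [m for m, is_spam in samples if is_spam]
    ham = [m for m, is_spam in samples if not is_spam]
    caught = sum(classifier(m) for m in spam)
    false_pos = sum(classifier(m) for m in ham)
    return caught / len(spam), false_pos / len(ham)


if __name__ == "__main__":
    for name, clf in (("literal", naive_is_spam), ("normalized", normalized_is_spam)):
        caught, fp = efficacy(clf, SAMPLES)
        print(f"{name:>10}: caught {caught:.0%} of spam, flagged {fp:.0%} of ham")
```

On the constructed sample the literal filter catches 40% of the spam and the normalizing filter catches all of it, with neither flagging legitimate mail; the word-start anchoring in the patterns is what keeps "essex" and "free-space" out of the quarantine. The example also shows why the "efficacy" bookkeeping in the post matters: you only notice the next round of obfuscation by counting what reaches the inbox.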

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID174 by Dave Piscitello  


Tue, 02 Dec 2003 00:00:00 00, 173
Homeplug Evaluation: Useful info for Powerline Ethernet Deployment

My Powerline Ethernet article attracted several comments, and inspired me to Google a bit. A Broadband Home Labs evaluation of HomePlug draws an interesting set of conclusions regarding HomePlug deployment. The most intriguing, and in my opinion most helpful for troubleshooting, were the conclusions in the section "What Makes Outlets Good or Bad?" Visit the link to learn about finding a "good" outlet for your Master adapter.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID173 by Dave Piscitello  


Mon, 01 Dec 2003 00:00:00 00, 172
Security Policy for Camera Phones

Camera phones create challenging security and privacy problems. We're already seeing suggestive commercials on television, where a voyeuristic lad sends photos of a couple passionately kissing to his camera phone buddies. I'm convinced we will read about security incidents as well as suits claiming privacy violations and sexual harassment as organizations face these problems and identify remedies.

Read my full article here.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID172 by Dave Piscitello  

