locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 30 Jan 2004 (BlogID 198)
Privacy Enhanced Small Offices - PESO

I've been considering just how vulnerable home and small offices are to the underhanded and IMO unethical monitoring, tracking, collecting and disclosure of information that can be gathered from browsers, email clients, messaging agents and other end user applications used daily by folks who are entirely in the dark regarding the extent to which their privacy is invaded with each web transaction, query, and interpersonal communication they perform.

Cookies. Tracking technology. Spyware. Gathering of information under opt-out rather than opt-in contractual agreements. Honestly, how different are businesses that abuse these techniques from spammers, phishers, and crackers?

I'd love to see a small office firewall evolve from the "filter filter blah blah we do NAT" species to something really valuable for the hapless SMB:

  • implement an SMTP proxy that scrubs email client and server headers;

  • provide a proxy that scrubs HTTP requests and reveals nothing about individual users and computers; essentially, a proxy that offers the same kind of secure anonymous surfing MEGAPROXY and other public servers offer...

  • provide a proxy that detects spyware and tracking technology and blocks back channel communication to the information gathering weasels who sell such data to help "personalize" marketing.
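The first two items above amount to the same operation applied at two protocol layers: strip or neutralize whatever identifies the client behind the firewall. The following is an added example (not code from the original post, and not any product's implementation) of that scrubbing logic in Python. The header lists are assumed policy, the replacement User-Agent string is an arbitrary generic value, and both sample inputs are constructed, not captured traffic.

```python
"""Header-scrubbing logic for outbound HTTP requests and outbound mail.

Added example for the PESO wishlist; the DROP/REWRITE sets below are an
assumed policy, not an exhaustive list of identifying headers.
"""
from email import message_from_string
from email.message import Message

# Assumed policy: request headers that fingerprint the browser, the user or
# the internal network. Cookies are dropped wholesale here; a deployable
# proxy would pair this with a per-site allow list (not shown).
HTTP_DROP = {
    "referer", "cookie", "from", "via", "x-forwarded-for",
    "x-forwarded-host", "x-real-ip", "accept-language", "dnt",
}
# Headers rewritten to one fixed value so every client looks alike.
HTTP_REWRITE = {"user-agent": "Mozilla/5.0 (compatible)"}

# Assumed policy for outbound mail: client fingerprints and internal hops.
MAIL_DROP = {
    "x-mailer", "user-agent", "x-originating-ip", "x-originating-email",
    "received", "x-mimeole", "x-msmail-priority",
}


def scrub_http_request(raw: str) -> str:
    """Return the request with identifying headers removed or rewritten.

    Operates on the textual head of an HTTP/1.x request (CRLF-delimited).
    The request line and any body pass through unchanged.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    kept = []
    for line in headers:
        name, _, _value = line.partition(":")
        key = name.strip().lower()
        if key in HTTP_DROP:
            continue                      # header never leaves the office
        if key in HTTP_REWRITE:
            kept.append(f"{name.strip()}: {HTTP_REWRITE[key]}")
            continue
        kept.append(line)
    return "\r\n".join([request_line, *kept]) + sep + body


def scrub_mail_headers(raw: str) -> str:
    """Strip mail-client and hop headers from an outbound RFC 822 message."""
    msg: Message = message_from_string(raw)
    for name in list(msg.keys()):         # keys() may repeat (e.g. Received)
        if name.lower() in MAIL_DROP:
            del msg[name]                 # removes every occurrence
    return msg.as_string()


# Constructed sample inputs (not captured traffic).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Referer: http://intranet.local/secret-project\r\n"
    "Cookie: tracker=abc123\r\n"
    "X-Forwarded-For: 192.168.1.23\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

SAMPLE_MAIL = (
    "Received: from desk12.office.local (192.168.1.12) by mail.office.local\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: hello\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2800.1158\n"
    "X-Originating-IP: 192.168.1.12\n"
    "\n"
    "Body text\n"
)

if __name__ == "__main__":
    print(scrub_http_request(SAMPLE_REQUEST))
    print(scrub_mail_headers(SAMPLE_MAIL))
```

Run stand-alone, the script prints both scrubbed messages. The point to notice is that dropping headers is the easy part; the Referer and the internal hostname in Received leak the most, and the User-Agent must be rewritten rather than removed because many servers reject requests without one.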

I'm certain there are other features we could include in the PESO initiative. Let me know what you think, perhaps we can begin a global campaign to combat intrusive Internet technologies and reclaim some of our already eroded privacy!

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID198 by Dave Piscitello  


Fri, 23 Jan 2004 (BlogID 197)
Application Protection

Application protection. Application "intelligent" firewalls. Web application firewalls. Deep packet inspection. Content inspection proxies.

Synonyms? You bet. The most common term among these (and more) is application protection, a catchall term, applied generically to all security measures that protect application services. As you can imagine, you can protect applications in many ways in a network. So where is it best applied? Read my article.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID197 by Dave Piscitello  


Mon, 19 Jan 2004 (BlogID 196)
A case of "you got what you paid for, and more than you bargained for..."

I follow BugTraq, but not fastidiously. When my BugTraq email folder exceeds 100 messages, I browse the subject lines for relevant vulnerability information. First, I cull all the messages that report on *nix and related software because I don't run that OS here. Despite popular belief to the contrary, this typically eliminates half the messages in my folder - yes, Virginia, some vulnerabilities are reported on software other than Microsoft's...

Every so often, I google what I imagine to be an obscure piece of software for which a bug is reported. Case in point is a freeware system tray utility called switchoff. I was surprised to discover that this convenience tool was downloaded hundreds of thousands of times from Tucows, Cnet, et al.

Google's results also show multiple vulnerabilities disclosed over the past year, yet the most recent version available has not been updated since September, 2002.

What appears to be "switched off" here is common sense. A large population of users continues to download and install software of questionable quality, authored by someone with apparently neither the time nor inclination to maintain it, for the apparent value of saving some mousing and keystrokes.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID196 by Dave Piscitello  


Fri, 16 Jan 2004 (BlogID 194)
Editorial milestone (50)

My January editorial for Watchguard Technologies' LiveSecurity Service is the fiftieth I have written for the company, over a period of more than four years. I received a most gratifying letter of congratulations from the LiveSecurity directors and editors, past and present.

And some fabulous Washington State wine:-)

Nearly all of my past editorials are hosted at http://www.corecom.com/html/livesecurity.html

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID194 by Dave Piscitello  


Thu, 15 Jan 2004 (BlogID 193)
Security Hats: Black and White, No Grayscale

A recent CNET news column claims that "most security specialists classify hackers as white hats or black hats, but in reality, most hackers fall somewhere in between".

I contend the claim is entirely false. Read why.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID193 by Dave Piscitello  


Wed, 14 Jan 2004 (BlogID 195)
Field Guide to WLANs

Prentice Hall sent me a copy of Thomas Maufer's book, A Field Guide to Wireless LANs for Administrators and Power Users. Thomas Maufer presents all the material you'd expect from a book published in 2003 on a subject that's been in the tech limelight since the late 1990s. The book is very accurate and well-written, but not particularly inspiring. Maufer spends about two-thirds of the book covering the 802.11 protocols, standards and operation. This information is broadly available, and Maufer does a commendable job explaining engineering-level details in a manner that will appeal to even the most general audience. Maufer performs packet dissection and analysis from captured WiFi traffic, a convention I use frequently because I feel it is more "real world" than the standards regurgitation I've seen too often from William Stallings and company.

The remaining third of the book covers security and applications (deployment scenarios). The coverage on security is disappointing. Maufer does a good job covering the security features defined in 802.11 standards (WEP, user authentication including EAP...) and explains WEP's flaws brilliantly, but he doesn't cover the complementary security measures commonly recommended as "best practices". If you do buy this book, you should buy a complementary one to learn about securing wireless LANs, or read the dozens upon dozens of columns, white papers, and articles my partner, Lisa Phifer, has written on the subject.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID195 by Dave Piscitello  


Tue, 13 Jan 2004 (BlogID 192)
RIAA must re-think strategy... and image

The RIAA's aggressive "anti-piracy" campaign to eliminate music sharing, swapping, downloading, and copying may be winning battles, but the music industry is still losing the war.

RIAA's biggest problem isn't illegal copies of music, but its own unwillingness to take ownership of the problem. They want everyone *else* to be responsible. Individuals should feel bad about sharing music. Legislators should protect artists and music companies by enacting laws with harsh penalties for sharing. Law enforcement agencies should treat music theft as seriously as crack cocaine.

Set aside the issue of whether music sharing or copying is legal, and look at the other problems the RIAA chooses to ignore:

  • They failed to see the impact of digital music, and have yet to come up with a copyright protection mechanism that is adequate, much less "failsafe". Moreover, what the RIAA comes up with will probably antagonize consumers even more than the odious packaging used to thwart shoplifting. Or it will be cracked within weeks of implementation.

  • They have positioned themselves as The Bad Guys to the most lucrative demographic of buyers. Even tricky Dick Nixon wasn't as universally reviled as the RIAA.

  • Especially with regard to Internet-based music sharing, they fail to see a bigger threat: ad hoc IP networking.

Gather a few dozen kids with WiFi-enabled laptops chock full of MP3s. Add an access point. Turn on DHCP. Within minutes, music swapping is up and running. With storage as inexpensive and plentiful as it is today, kids don't need to browse or be selective: copy *everything*.

One such party isn't much of a threat. Imagine weekly, even nightly, parties at every high school and university.

Given the trends in removable storage, you may not even need a network to match the pace of music downloads via peer-to-peer networks. Exchange a 1 Gig SD with your buddy. And then with two more buddies. And two more buddies...

The problem RIAA faces is social, not technological. We've seen this before, and ultimately, Prohibition was repealed. Can you spell *unenforceable*?

The music industry's biggest failure is that they won't consider a different model for selling music. I'm no marketing genius, but it seems to me that there's a price point and convenience threshold for every product that's both attractive and acceptable, where the majority of people will simply find it easier and acceptable to pay for music than scrounge for it.

That magic figure may not be very appealing now, but it's a more likely scenario than silver-bullet technologies or a music police state.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID192 by Dave Piscitello  


Sat, 10 Jan 2004 (BlogID 191)
Lamo proves crackers are lame-ohs

Wired News reports Adrian Lamo has cut a deal with the Feds. He'll plead guilty to one felony charge for cracking into The New York Times' computers. He faces up to 12 months' imprisonment, fines, and compensatory damages.

Lamo should be eminently unemployable, and is reportedly having trouble landing a job. Speaking with Wired News, he is quoted as saying, "How the hell do I tell employers what I've been up to for the last three years?"

Alas - make that at last - being "outed" as a cracker has its consequences. Adrian's sorry ass resume may not even meet arcade counter job requisites, and at minimum wage, he'll be paying back the NYT for the rest of his life.

I understand from David Strom that he's studying journalism. I imagine he's counting on reporter friends who glamorized his escapades to find gainful employment.

Lamo's also quoted in Wired as having said, "I'd rather stand at a cash register than lend legitimacy to an industry as reliant on fear and deception as the computer-security business."

I hope someone is actually foolish enough to offer Adrian a job in computer security, I'm really curious to see if he'd really decline a six figure job and dole out change for arcade games.

By the way, the security industry feeds on Fear, Uncertainty, and Doubt. Folks like you provide the deception.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID191 by Dave Piscitello  


Fri, 09 Jan 2004 (BlogID 190)
How to prolong lithium battery lifetime

I've found a definitive source for advice on prolonging battery lifetime, at the Battery University.

Briefly, Lithium-ion batteries provide 300-500 discharge-and-charge cycles. Partial discharges work best, and the batteries are memory-free. The referenced URL goes into considerable detail, and provides a table comparing capacity loss and retention when you recharge at the recommended 40% level versus the typical 100%.

Battery University also recommends against buying Lithium-ion batteries and storing them; apparently, shelf and operating time are both factored into the anticipated 2-3 year life span of laptop batteries.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID190 by Dave Piscitello  


Tue, 06 Jan 2004 (BlogID 188)
Certification or Experience? Are even both enough?

I speak publicly and teach occasional seminars at universities. A question I'm frequently asked is, "which is more important: a certification or practical experience?" I suppose I'm asked this because I don't have a CISSP, ISSEP, SSCP, GIAC, or any of the major certifications, and folks are curious why I haven't sought one. Perhaps they wonder how I do what I do without one, or are merely trying to goad me into a rant.

Are security certifications useful, or are they padding for resumes? If I were to hire someone, would their experience mean more to me than certification?

I think a certification managed and conducted by a trusted third party establishes an interesting baseline for competency in any discipline. And increasingly, certification programs require a minimum number of years of practice from professionals before they may take the exam, and some require re-certification and a commitment to maintaining competency. But ultimately, a certification is more like an SAT or MCAT. These, in my opinion, measure what you remember, what you have been taught, perhaps what you have learned from experience, and your ability to analyze a relatively small and contained information set in a small amount of time.

What certification programs do not quantify is whether an individual's strong suit is defining, designing, implementing or administering a secure system or network; whether he or she operates best as a leader or follower; works well in groups or alone; reliably meets benchmarks; presents effectively to managers and subordinates; or performs well under stress. These are equally critical hiring criteria (to me), and are hard to evaluate without serious consideration of an individual's prior work experience. When hiring a security professional, I recommend you ask for and interview references. You may also want to seek out former co-workers or managers other than those referenced as well.

Certification and prior work experience are complementary, but experience ought to be prerequisite, and a certification a complementing corroboration of an individual's capabilities. But is this enough?

For a security professional, I think not. I believe that *character* is prerequisite to both experience and certification. An individual whose trustworthiness, work ethic, and professional integrity are unquestioned is the most important hiring criterion.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID188 by Dave Piscitello  


Sun, 04 Jan 2004 (BlogID 187)
Internet Pioneers deserve knighthood

The BBC notes that Tim Berners-Lee was made Knight Commander of the Order of the British Empire shortly before New Year's Eve, 2003. Some long-in-the-tooth netizens expressed the opinion that he was one among many who contributed to the pioneering and innovation that led to the creation of the World Wide Web.

While it is almost always the case that no individual is solely responsible for a given accomplishment, it seems always the case that one individual is singled out. Tim's a wonderful man and I'm delighted he is now "Sir Berners-Lee".

My dear friend and mentor, Vinton Cerf, is once again making headlines, this time evangelizing the Interplanetary Internet. Vint is often referred to as the Father of the Internet, and this attention continues to spawn skepticism. Like Tim, Vint would not hesitate to mention the dozens of people who were instrumental to the birth of the 'net.

Rather than begrudge the really good folks, let's rejoice that we have them among us.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID187 by Dave Piscitello