locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 25 Oct 2004 00:00:00 00, 321
Security Freeware

My column, Watch Out for Security Freeware Gotchas, is available at Security Pipeline.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID321 by Dave Piscitello  


Sun, 24 Oct 2004 00:00:00 00, 320

Sat, 23 Oct 2004 00:00:00 00, 319
Bug-traqqers: traq bugs that really matter

My frustration with bug-traq grows in direct proportion to the frequency at which wannabes report vulnerabilities in software that has a tiny user base and little business being on a business network. I finally contacted some of the wannabes and probed each for more specifics than the original bug disclosure provided:

What version of Windows did you discover this on? When was the software last released? Does the software vendor claim compatibility with the Windows version? Is the software on any compatibility list? What are the specific elements of the attack vector, and what is the probability that these can be encountered in real world Internet connection scenarios? Why should we worry or care about this bug?

You can guess the reactions. One wannabe couldn't answer any question but flamed me for not appreciating the spirit of the hunt. The exchange I had with one wannabe who posted a report of a buffer overflow in a 2001 version of a PC game on Windows 98SE is indicative of the problem:

Dave: "What practical consequence does this bug have for someone operating a large business network?"

Wannabe: "Nothing, this game is not so much diffused and in a "large business network" the people should do their job, not play with games (except if the company is a software house that develops games)."

Dave: "The game's 4 years old, and wasn't a very good one. What's the attack vector for this game? Think of all the conditions that have to fall into place to compromise one home computer. It's too improbable to bother reporting, and the vendor is not going to invest a penny to fix it. So who benefits from the report?

"It's time for a reality traq on bug-traq. Thousands of professionals read this list to try to keep ahead of exploits and problems that could lead to significant large network exposures. Bug-traq has deteriorated from a place where we could go to help keep networks and applications healthy to a community of people who want 30 seconds of fame from identifying an obscure bug of little importance that affects a very small population. Put yourself in the position of someone really trying to apply bug-traq to make networks work well for his users. Now think about having to flog through several hundred reported and suspected vulnerabilities of little importance to find the one that affects your organization."

I closed my email by asking the wannabe to consider applying his talents to investigating applications and communications protocols where he can make a positive impact. I think this is sound advice for everyone on bug-traq.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID319 by Dave Piscitello  


Wed, 20 Oct 2004 00:00:00 00, 318
The Stephen King of online IT resources

I've had a long and rewarding relationship with Watchguard Technologies. I like the products. I like the people. Scott Pinzon, LSS editor, reminded me recently that the feelings are mutual.

I host a general security library at my personal web site. After I'd invested some time hunting down spyware resources to fix my son's PC, I discovered I'd found so many resources, and good ones, that I decided to host and maintain a resource page on spyware.

The page is popular, and generates enough AdSense revenue from Google that a server upgrade is within sight! I realized that quality resource pages were both a service to the community and revenue producers (or expense offsetters). So I began carving out topic specific resource pages from my library. Over a period of about a month, I'd created 5 resource pages, and these are all among the most popular hits on my site.

One recent page is on VOIP Security. Having visited this page after three others he found interesting, Scott Pinzon wrote a piece on Watchguard's RSS feed, Wire. In it, Scott says some very kind things about my efforts:

"I am tempted to describe Dave Piscitello as "the Stephen King of online IT resources." Lately, he has been cranking out a prodigious amount of work reminiscent of Stephen King's four-novels-a-year pace. And, like Mr. King, Dave's offerings hit more often than they miss..."

There's more, and I want to thank Scott for helping me promote these initiatives.

The hardest thing about hosting resource pages is keeping them fresh. If you visit my pages and can contribute a resource, please do!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID318 by Dave Piscitello  


Thu, 14 Oct 2004 00:00:00 00, 317
Presidential debacles

I honestly don't know why we have debates, or more precisely, why we call what presidential candidates engage in "debates". I cannot recall a single televised debate, in this election or any over the past 4 presidential elections, where candidates debated a topic, with well-formulated proposals and novel ideas. Instead, every candidate throws waves of party-pleasing platitudes and drones on about their opponents' dreadful track records. Given the long list of shortcomings, failures, questionable entanglements, and objectionable voting records each candidate flings at his opponent, I find myself asking, "why on earth would any rational being vote for either of these guys?"

Can candidates really present a strong case and a clearly articulated plan to solve the myriad of problems on the U.S. Federal government's to-do list? Honestly, what can W or Kerry promise? Can either say,

"Hi, I'm your candidate. I'm influential, credible, and knowledgeable enough to overcome a divided congress that won't set aside partisan politics. I am a student and advocate of the U.S. Constitution, have no private agenda, and am thus eminently qualified to fill Supreme Court vacancies with judges who will see that our country's laws are consistent with what the Framers intended.

"I know how to satisfy constituencies on both sides of thorny issues like abortion and gay marriage. Under my administration, pro-life advocates will have the opportunity to adopt or arrange and finance adoption and care for any unwanted pregnancy. Gays can marry, but only in closets. Yes, folks, I'm kidding. Truth is, we have so many more serious problems, I just don't see these as being issues a president ought to put ahead of health care reform, improved education, disaster relief, and poverty in the largest and most economically viable country on earth.

"The 900-page tax reform proposal I wrote last night eliminates every inconsistency and reduces taxes for everyone yet adds nearly a trillion dollars to the budget each year. And that trillion dollars will pay for universal health care exceeding what members of the U.S. Congress receive; increase social security benefits; provide approximately $7000 per student for education for every state in the Union; amend insurance practices so that windfall profits are used to offset premiums; and provide tax relief for companies that pay employees salaries that exceed the minimum wage.

"I have spoken with diplomats and heads of state of every member of the United Nations, who now understand and trust me to make sound decisions regarding international matters..."

Back to reality. Neither presidential candidate can deliver on any promise made during an election campaign. It's simply not under his control! And this is what the Founding Fathers intended the office of the president to be! The office of the president (Article II) was created after Congress (Article I) and it's arguably the least empowered office.

Presidents with lasting influence are historically rare. Teddy Roosevelt awed and inspired. Thomas Jefferson was flat-out brilliant. People like these don't run for president any more. Then again, perhaps today's problems would deter them both as well.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID317 by Dave Piscitello  


Wed, 13 Oct 2004 00:00:00 00, 316
Are ten reasons enough to upgrade to Windows XP Service Pack 2?

I recall public commitments from Redmond to make Windows more secure. Does Windows XP Service Pack 2, which Microsoft claims is "the most important update ever for Windows XP", deliver the promised goods? More...

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID316 by Dave Piscitello  


Tue, 12 Oct 2004 00:00:00 00, 315
VOIP Security resources

I've been sitting on this resource page for nearly a month, and finally managed to publish it last night. Voice over IP and Voice over WLAN are hot topics. Enterprises and even small and medium businesses are adopting or integrating VOIP; service providers are offering consumers VOIP service over broadband; and WiFi hotspots are bracing for the inevitable VOWLAN storm. VOIP's kewl, but operators and users alike should become familiar with VOIP security issues. I've accumulated useful links at VoIP Security Resources. Happy reading!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID315 by Dave Piscitello  


Mon, 11 Oct 2004 00:00:00 00, 314
Hurricane Relief

I'm back from a long weekend in Gifford and Vero Beach, Florida, where I helped re-roof the Gifford AME church. These communities were both seriously affected by back-to-back hurricanes. I posted a brief photo journal of our relief efforts here. I can't tell you how good it feels to help people in a very tangible way.

Living in a community that could easily suffer similar hurricane damage, the entire experience was sobering as well: life's precious, respect and enjoy it!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID314 by Dave Piscitello  


Wed, 06 Oct 2004 00:00:00 00, 312
Re-al IT TV: Supporting Windows for friends and family

Reality TV is as integral a part of many people's lives as surfing the 'net. Morning radio talk shows have devolved into recaps of the prior evening's island competition, bug buffet, or struggle to be the last apprentice groveling. I confess: I don't get it. But in the spirit of ratings, here's Loop's contribution to Reality Web. Episode One finds Don at work, desperately trying to benchmark a new web service. The phone rings... More...

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID312 by Dave Piscitello  


Mon, 04 Oct 2004 00:00:00 00, 313
You call it spyware, I call it lieware

I was asked by Watchguard Wire to comment on the deceptive marketing practices certain "anti spyware" products employ to increase sales. As part of accumulating resources for my Spyware Resources page, I've installed and tested more than a dozen purported anti-spyware packages to find which are most effective. The deceptive practices of more than a few "anti" spyware vendors are pretty ugly. Read my full commentary at Watchguard Wire.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID313 by Dave Piscitello