Sunday, December 31, 2006

Told You So: Spam surge drives net crime spree

No, it's not my imagination: Spam is on the rise and criminals are to blame. This brings new irony to the phrase "there ought to be a law against it," and deeper irony to Bill Gates' promise that spam would be solved in 2006.

p.s. Wonder why it's spam and not SPAM but sometimes Spam? Get the official word here.

Wednesday, December 27, 2006

Whole New Security Vista? There's a target painted on new Microsoft OS

"Hi-tech criminals are looking forward to the consumer release of Windows Vista, say security experts." BBC News. Why? Because it presents new opportunities, new possibilities for abuse.

"What?" you say, "surely this is the 'most secure version of Windows yet.'" (As proclaimed by Microsoft.) According to the BBC article, if new features won't get you to upgrade to Vista, the security enhancements should, says Jim Allchin, co-president of Microsoft's platform, products and services division. Vista will still be worth getting, thanks to its better defenses against phishing attacks, spyware and other malicious code, Allchin told the BBC. "Safety and security is the overriding feature that most people will want to have Windows Vista for."

Unfortunately, lack of historical perspective is widespread in the marketing sector of the IT industry, and too often it spreads to the media that covers IT. Where are the articles that compare and contrast the claims for Vista with those made for Windows NT, which was also claimed to be the most secure version of Windows yet, as was XP Professional? (Notice a pattern here?)

Believe it or not, I have some sympathy for Microsoft at this point because it is faced with a three-pronged dilemma (and we all know those three-prongers can be painful). Here are the three in play at the moment:
  1. Claiming that something is the "most secure ever" is like painting a target on it. I recall arguing against the launch of a web security certification program back in about 1996 for this very reason. Hackers were big into defacing web pages at the time and locking down a site was pretty difficult with the tools available. So putting a "Certified Secure" sticker on the home page would have been a red rag to a herd of hackers.
  2. But Microsoft had to claim Vista was the most secure ever because there don't seem to be enough other new things in the OS to warrant paying the asking price for the upgrade.
  3. But Microsoft is a huge company and [IMHO] it is hard for huge companies to achieve excellence in anything, particularly where there are competing goals.
And writing secure code is a major case of competing goals. The whole thrust of computing over the last 25 years has been broader, faster, smoother access to data, often using cutting edge tools. Security is all about tried and tested tools and roadblocks, not for the sheer joy of being obstreperous--for example, in the manner of Dilbert's 'Mordac the Preventer' character--but due to the classic dichotomies between "free & open" versus "safe & secure," and so on.

At the turn of the year it is always interesting to consider what the future holds. Will Vista be a boon or a boondoggle? Developments on the security front will likely be the deciding factor.

Thursday, December 21, 2006

California Hacking on Such a Winter's Day: USC hacker sentenced after UCLA hack

I thought the juxtaposition of these two stories was interesting, on the 12th and 21st of December:
UCLA warns 800,000 people that hacker gained access to their personal information
USC hacker sentenced to 6 months of home detention
Now add this November nugget to the mix:
Rising cost of data security breaches: $182 per record
Now consider this: the June 2005 breach of USC's online student application system compromised 275,000 records and caused the university to shut down the site for 10 days and the perp gets 6 months home detention. But if the cops had found one twentieth of an ounce of crack on the guy he would be going to jail for a minimum of five years. Somehow, something is screwed up here.

Saturday, December 16, 2006

Internet Explorer 7 User Interface Fiasco: Am I nuts or not?

As astute readers will have surmised, I'm in my mid-fifties. At this time in a person's life it's not unusual to wonder, from time to time: Am I going soft in the head? For me, one of those times was my first use of IE7. Here is a little bit of what the program looked like when I installed it. Astute observers will observe there is no menu bar (File-Edit-View -etc.).
Because web browsing is now the thing I do the most on my computer--actually writing within the web browser as I am right now--I like to place my browser controls in a particular configuration. And I like some sort of consistency. So I set to work on IE7. I found you can get the old menu bar to show up, but the process is a pain. Furthermore, any further configuration hits the wall pretty quick. For example, the IE7 toolbars won't move, for me. This was so unexpected that I thought for sure my senile dementia was setting in. There I was, clicking and dragging and nothing was happening. In fact, the default UI is such a big departure from a. the norm, b. common sense, I deduced that, because I couldn't 'fix' it, I must be losing my marbles.

But no! It is Redmond that has lost its marbles on this one. How do I know? Another blog came to my rescue. I found this "Blog of Fusion" and began reading. Phew! It wasn't just me. Others were having the same "issues."

What had me really scared--before I found that blog--was an illustration in an article at See that "Classic Menu" option? I couldn't find that in my copy of IE7, as shown below. Then I noticed the article was published in June. I had installed the 'shipping' version of IE7 in December. This seems to be evidence that Microsoft--at one point in the Beta--allowed what the shipping version does not allow.

Check out the screen shots. My version of IE7 doesn't allow me to drag toolbars like the article shows. Seems they must have ditched this stuff during the final build and, with breezy indifference, failed to correct their own web site. BTW, that page at is the top result if you Google: internet explorer 7 toolbar customize.

So, can you imagine how many thousands of people around the planet are going to a. try to customize the IE7 toolbar, b. get stuck, c. Google to that page, d. waste hours resolving the resulting contradictions?

I mean no offense to the poor microserf who wrote that stuff--he probably asked them to take it down and they didn't. When I was a Microsoft Vendor, everyone that I met in Redmond seemed smart, pleasant, and very earnest, but also out of touch with reality. And the entities to which they reported within the organization were more than a little messed up. In short, a classic example of how a bunch of smart, well-intentioned people can add up to a dumb bunch of decisions. (We are seeing another of these dumb decisions play out right now: "Improved security is the raison d'être for the next expensive Windows upgrade.")

One specific criticism of IE7 that I haven't seen elsewhere is that the row for the tabs of the new tabbed browsing feature (a feature that got me using Firefox as my main browser several years ago) seems to be fixed on the same line as the main buttons. This gives decidedly less space to the tabs than you have in Firefox. Also, if you remove the traditional menu, the View command is gone. There is no button for it. So the only way to get the traditional View menu item back is a right click in a specific area of the tab/button bar.

Makes no sense to me, and thanks to fellow bloggers, I'm pretty sure I'm not senile, yet.

Wednesday, December 13, 2006

Need Help With Computer Security? Check

Just a quick reminder that you can find a bunch of free articles about computer security at the web site. Enjoy!

Note This Blog: Dare Not Walk Alone is now with THINKFilm

The civil rights film that I have been involved with for the past few years, Dare Not Walk Alone, is making progress!

A major update on the film and related projects, like the campaign to rebuild the house at 521 North Woodlawn that was featured in the film, has just been posted on the Dare Not Walk Alone blog. Check it out!

Monday, December 11, 2006

Blogs of Note: I guess scobb's non-blog made it

Apparently there is something called "Blogs of Note" and this blog was listed there today. Not sure how much of an achievement that is, but thanks to anyone who might be responsible. I write mainly for my own sanity, but it's encouraging to think some people are reading what I write. To that end may I shamelessly plug some of the other blogs I have been building. They are not all in full flow yet, but getting there.
Obviously, the idea is to group my posts around subject matter. Hopefully it is not too ambitious. Time will tell. I think scobb's non-blog will continue to be the place that I put my thoughts on security.

More Secure Windows May Not Help: BusinessWeek makes a very good point

There's a nice article in Business Week that meshes with my view of computer security. Let me spell this out.
  1. Microsoft is spending a lot of money right now to encourage people who use Windows to upgrade, for a fee, to a new version called Vista.
  2. To justify the fee for the new version Microsoft is talking a lot about how much more secure Vista is than previous versions of Windows.
  3. All this talk may be creating an expectation that computer users will encounter fewer security problems in the future.
  4. This expectation is probably false.
The only way to make computing significantly more secure than it is today? Raise the general standard of behavior of people on this planet.

This may sound like a tall order--and it is--but the task is not insurmountable. Law and order can eventually replace lawlessness, e.g. the Wild West. Standards of behavior within any given geographic entity can be improved, e.g. reduced drinking and driving in the UK/US/et al.

Of course, these are changes that take decades to bring about. All the more reason to commit to the process now, rather than later. Remember, technology cannot create security; the sooner people set aside dreams of security based on the false promise that it can, the sooner the root problem will be addressed, and the better the interim security strategy will be.