Mar 21: The Tech Lab: Bruce Schneier
A cautionary viewpoint concerning the unintended consequences of the current Information Age from Bruce Schneier. I think it's worth reading.
Data is the pollution of the information age. It's a natural by-product of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after-effects are toxic.
Cardinal Richelieu famously said: "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." When all your words and actions can be saved for later examination, different rules have to apply.
Jan 27: Linux security tips from the pros
I'm always interested in security tips for Linux. This article is short and sweet and contains brief snippets of advice from the likes of Ted Ts'o, Andrew Morton, Linus Torvalds, and Fyodor (yes, he of Nmap fame) on how they secure their Linux desktops and networks.
Jan 9: Bruce Schneier interview at Linux.conf.au 2008
Bruce Schneier is a security advisor for whom I have a lot of respect. He is one of the keynote speakers at Linux.conf.au 2008, and he is being interviewed here prior to that event.
When this guy speaks, if you're interested in security, then it's well worth listening. You don't have to be technically minded. What's important is if you can be open to Bruce Schneier's mindset, it will change the way you think about security. He just comes at it from a completely different angle.
One other site of interest for the security-conscious is Bruce Schneier's blog, Schneier on Security.
Nov 28: Malicious commands
There's an alarming post on the Ubuntu forums warning of a recent trend whereby new Ubuntu Linux users are being tricked into running dangerous commands which will delete home directories, or overwrite the system disk, or the like.
One of the great strengths of Linux in particular and Open Source software in general has been the approachability and helpfulness of the community, and it seems some dweebs think it's funny to exploit this openness and trick a new user to trash their system.
It's made me think. A significant part (**) of the security of a system lies in the users. Linux and Unix have always been professional operating systems, written by professionals, for use by professionals. When you use the command line to ask a *nix system to do something, the assumption is that you know what you're doing. That system won't ask you if you're sure you want to do what you've typed. It'll just do it. I don't think that should change. For me it's part of the attraction.
I've only used Ubuntu once. I was impressed, but not that much that I would leave the distro I currently use. It seemed to me that the Ubuntu people have made it possible to do pretty much anything you might want to do using the GUI, and this is the attraction that has brought in many (welcome!) newcomers to Linux. However the command line is far more powerful and flexible than any GUI, and as people slowly come to realise this and naturally start experimenting, I feel more issues of a similar nature may arise.
If you want your PC (running Linux or Windows) to remain safe and secure, you need to have a particular mindset. "Wary" probably describes it. "Keeping it simple" and experience definitely help.
(** This is not to say that all systems are equal. Not by a long shot.)
Nov 26: Another Windows Flaw
Yes, I know that Windows flaws are ten a penny. It's just that this one is quite amusing.
The bug ... resides in a feature known as Web Proxy Autodiscovery (WPAD), which helps IT administrators automate the configuration of proxy settings in Internet Explorer and other web browsers.
So far so good. But wait, Microsoft fixed this problem years ago!
... the flaw affects every version of Windows including Vista and is actually the continuation of an old vulnerability that Microsoft supposedly fixed years ago.
Oops.
Microsoft appears to have released a patch for the vulnerability in 1999. But the patch only protected domain names ending in .com, so WPAD servers using all other addresses have remained vulnerable.
Hilarious! These idiots would have you believe that the security of Microsoft products rivals that of Linux? Unbelievable.
Aug 18: Analysis of a cracked Linux host
This is a fascinating analysis of a cracked Linux host. The cracker seems to have made a number of fundamental mistakes which led to the owner becoming concerned as to why some services weren't running. The owner then called in a friend (the author) who started to analyse why the server was behaving so unusually. Well worth a read.
Jul 2: Vista sends data about users to MS
Well, no surprise. Microsoft uses Vista to gather information about you. I've made many posts about this, just type "Vista" in the Quicksearch text field and press enter. So what? What can they tell?
... in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company.
Geez, 20? That seems rather a lot. Those twenty features and services all use CPU and RAM on your PC, to snoop on you. You'll have to read the full article to find out exactly what those 20+ data mining techniques are (plus how you can bypass some of them). But surely Microsoft are a responsible company. (Actually, I couldn't type that last sentence without grinning.) Well, the Vista license agreement clearly states:
"By using these features, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you."
And they say they're not going to identify you. All they say they want is your:
"Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software."
Heh, if they have your IP address, they have you. But they clearly stated that they won't identify you, so, problem over? Not quite.
"Microsoft may disclose personal information about you if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with the law or legal process served on Microsoft; (b) protect and defend the rights of Microsoft (including enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety of Microsoft employees, users of Microsoft software or services, or members of the public,"
The good faith belief? Microsoft? Come on.
Jun 1: A canned history of spam
There is a concise, but interesting history of spam on the NineMSN site. I guess its release has been timed to coincide with the news about the Italian ISP Tiscali being blacklisted as spammer-friendly.
Going back to the NineMSN article, I find it a little ironic that MSN is publishing an article based on a problem which in no small part is caused by the lax security of the software produced by its parent company:
Like many other spammers, Robert Soloway sent out his bulk emails using so-called "zombie" computers: these are usually ordinary home computers that have been inadvertently infected with a virus that opens them up to spammers.
What authors always fail to stress in these articles is that the "ordinary home computers that have been inadvertently infected with a virus that opens them up to spammers" are invariably running Windows.
Apr 13: Who's in charge of your PC? - Part 2
Last year, I posted a link to an article about proposals by the Swiss government to surreptitiously install trojans onto people's PCs.
Now it seems that the German government has similar ideas.
German Interior Minister Wolfgang Schaeuble has confirmed plans to seek a change to the constitution to allow the state secret access to the computers of private individuals, in an interview published Thursday.
"Under certain conditions it must be possible for the Federal Criminal Police Office to search computers in secret," Schaeuble told the Handelsblatt newspaper.
To be honest I felt I was somewhat restrained in my analysis of the previous article. This sort of thing (surreptitious searching of a PC) can happen in two ways:
- The government secretly installs a trojan
- The vendor installs a backdoor
The problem with the first option is getting the anti-virus people on board. Only one of them has to step out of line (and proudly boast about it) to stop this from working. So this leaves the second option. With the second option (and with the first option, to be honest), only one or two possible candidate OSes spring to mind. Windows and MacOS. It simply isn't going to happen with Free/Open Source operating systems, because anyone can see the source and adjust it as they see fit. Furthermore, vendors who need to please their shareholders, and desperately want sales would love to have a "government approved" sticker on their product.
Either way, tech-savvy people will find ways around it. It's too risky not to, since crackers will find ways to use these loopholes for their own purposes - if there's a door, there will be a way to open it. By referring to the "tech-savvy", I also mean the people that the German government are supposedly targeting, so ultimately only the "innocent" will be running infected PCs. But as many of these types like to say when civil rights get eroded for political ends, "if you've got nothing to hide ..."
What the article really demonstrates is how stupid politicians and civil servants are when discussing anything other than their own field of expertise, which is politics, not IT. I wonder if the plans allow for police officers' and politicians' PCs to also be compromised in this way.
Mar 22: The problem with Vista (and more)
An interesting rundown of Vista from The Inquirer. This is actually part two; part one is here.
The article repeats a few things that often seem to get overlooked or ignored:
Windows is a security nightmare. The reason we all get thousands of spams, the reason that we have to run virus and anti-spyware checkers that slow our high-power electricity-guzzling scalding-hot PCs down to the speed of the ones they replaced, the reason that the whole Internet is bogged down with sending all those spams, the reason that criminals hold websites to ransom for millions of dollars a year: it is all Windows' fault.
It's because of the hundreds of millions of compromised PCs that form zombie armies, sending spams, participating in distributed-denial-of-service attacks and so on, all without their owners' knowledge. They still work, they're just a bit slower. Who notices? Next year, you just buy a faster one. (With Vista on it.)
Depressing how people will settle for mediocrity, isn't it?
Mar 16: Vendor Has 'Conflict of Interest'
It's a "huge conflict of interest" for one company to provide both an operating platform and a security platform, Symantec Corp. CEO John Thompson said during a keynote speech at the Cebit trade show in Hanover, Germany.
The vendor is, of course, Microsoft.
I don't think there's any conflict of interest here at all. Well, maybe there is as far as the consumer is concerned, but does that really matter? Sell a deficient product, then sell another deficient product which purports to make the first deficient product less deficient. Hey, why bundle it if you can make an extra buck by selling it?
Feb 13: DRM in Windows Vista
This is Bruce Schneier's view of DRM in Windows Vista. As usual, he has lots of very interesting points to make.
Windows Vista includes an array of "features" that you don't want. These features will make your computer less reliable and less secure. They'll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won't do anything useful. In fact, they're working against you. They're digital rights management (DRM) features built into Vista at the behest of the entertainment industry.
And you don't get to refuse them.
Phew. Well, that's just for starters. I'll try not to spoil the whole thing for you, but here's a tasty tidbit:
... after Vista is firmly entrenched in the marketplace, Sony's Howard Stringer won't be able to dictate pricing or terms to Bill Gates. This is a war for 21st-century movie distribution and, when the dust settles, Hollywood won't know what hit them.
Just how stupid is the MPAA? Read the news, check out how they're alienating their customers.
Feb 7: Gates “dares anybody” to exploit Vista
Poor Bill. Is he feeling a little stressed, to be making such outrageous statements?
Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.
He's a clever guy. What is his game?
Feb 5: Apache on Linux vs IIS on Windows
A graphic illustration of why Windows is less secure than Linux. You know that old saying: "A picture is worth a thousand words"? Well here are two pictures! Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.
This first image shows the system calls that occur on a Linux server running Apache.
And this second image shows the system calls that occur on a Windows server running IIS.
It's kind of self-explanatory, but there is a little more detail (including larger pictures) on the originating site.
Jan 31: Amusing Vista security claims
This article has been prominent in the technology section of the BBC News page.
Windows Vista is "dramatically more secure than any other operating system released", Microsoft founder Bill Gates has told BBC News.
When I first read that statement, I burst out laughing. It had to be a joke. OpenBSD sprang straight to mind. It couldn't be a serious claim. Further on, the article says:
Security analysts have praised the improved tools in Vista but many feel that holes in the operating system eventually will be exposed and that Microsoft will continue to need to update it through online patches.
Well, you know what? The first service pack is already being built! That means that there are known bugs. "How long before Vista SP1 is released" = "How long before known Vista bugs are patched". Well, here's a rough guideline for you; with Windows XP, it took 11 months.







