Archive for the ‘Security’ Category

The dreaded switch from Windows to Linux

Monday, March 16th, 2009

When I saw how bad XP really was as far as handling spyware/viruses no different than 2k, I decided to just move to Linux, kill my Windows partition completely, and have been happy ever since. That was exactly my reasoning for staying with Windows 2000 while Windows XP was being introduced.

Previously my attempts to move to Linux had been unsuccessful because I had problems getting certain hardware working (obscure sound card, video drivers) and was concerned about what software would be available (certain emulators I had grown fond of, video codecs, etc), which was what most people worry about. “Well does it have Nero?”. No, but it has 6 or more different types of burning programs to choose from – all for free and with a self-explanitory GUI. “But it won’t run Nero?”. Those are the people who simply don’t want to even give it a chance. Well fine and dandy. The spyware/adware/viruses/trojans/worms are worth putting up with so you can run Nero – that’s your choice (actually, the makers of Nero were kind enough to make a Linux port). Anyway, even Windows 2000 was giving me some problems, such as booting into a blue screen telling me my registry had become corrupt, and also getting infected by viruses/worms such as Blaster.

I had everything up to date, all patched up, antivirus installed, and I have enough common sense not to click on strange things, but still contracted the virus. All because of an exploited flaw in Windows that I could do nothing about except wait for Microsoft to issue a patch…when they felt like it. A few reinstalls later and I just figured it wasn’t worth it putting up with all the headaches.

When I started running Linux, I quickly saw the advantages. Installing software didn’t require the usual “Next, Next, uncheck every checkbox, delete desktop and quicklaunch icons, uninstall additional software installed along with the software I actually wanted, check for hidden startup items, make sure program doesn’t phone home”. When I started my PC I wasn’t greeted by millions of splash screens, applications that couldn’t make a connection popping up and letting me know, I didn’t have to readjust settings that kept resetting for some reason (volume levels, icon positions on the quicklaunch). Linux is about using your PC and not just working around problems to get what you want. Then I realized that upon discovering all this I didn’t even have to worry about viruses at all, and I had no problems with crashes. Even if programs didn’t behave in a way I expected I found it simple to find solutions since the error messages meant something (not the typical “FATAL EXCEPTION IN 0x011a43”) and I could see exceptions thrown if I launched an application from a terminal.

Microsoft needs to start shipping installs secured from the start. Require an admin/install user account for new system wide applications, sandbox user installed software in their home directory/profile. Users then don’t trash everything when they kill their profile or home directory. Windows has all the necessary features to do it. It’s had them since the first versions of NT.

Microsoft frankly can’t be bothered with it and there’s no profit in a secured system when they can instead continually be selling you upgrades as security fixes. It isn’t rocket science, it’s just segregation of responsibility. Unix has been doing it for 30 years.

For instance, Vista’s new “People Near Me” feature, which searches over a Wi-Fi connection for other Vista users nearby and then sets up a peer-to-peer network with them. Yeah, that sounds pretty secure. When they have things like the WMF flaw in the designs, which ended up in Vista as well as XP and 2000 all the way down to 3.1, they are NOT about security. This has little to do with MS bashing – it’s just that MS doesn’t think much about security and most IT people know it whether they’re Windows fanboys or not.

Since “upgrade or keep crashing” was one of XP’s marketing points, it makes me wonder exactly what they’ll come up with to market Vista. Maybe something along these lines. The funniest thing is that Microsoft has no problem telling you how bad their past products are when they’re offering a new version of their software. It’s amazing how it was “the best thing ever” when it was first released and until it end-of-lifed. They never admit to making a bad product until it’s time to shell out some cash for an upgrade. Amazing how that works. Ah well, I guess it makes good business sense, right?

All in all, I’m glad I switched. My girlfriend, however, gets upset a lot when I mention how much more I like Linux than Windows – I mean downright pissed off on occasion. Yeah, I bash Windows a lot. I don’t mean to “rub it in” or whatever, but I find quite often that people are just so used to putting up with Windows problems, it becomes part of the norm and they don’t realize the problems any more because it’s an everyday thing when using Windows. For instance, spyware bogging down a Windows PC – the response is to immediately run Spybot or Adaware to clean things up. Ok, you’re running those for half an hour to fix a problem that you shouldn’t have to put up with to begin with. Some say Linux hasn’t been targetted because it holds such a small part of the market, but it comes down to security again. Internet Explorer is embedded so deep into the OS, you simply can’t uninstall MSIE. You just can’t. With this deep integration, it makes it very easy for spyware/adware/viruses/trojans/worms to do their thing – especially when, by default, you have admin rights given to you on the machine as well. All you need to do is visit a web site in order to get any of these ran on your Windows PC – all without user intervention…it’s all nice and automatic. This doesn’t happen on a PC running Linux because you’re forced to create a secondary user account during the install and run under that user (with most Linux distros). That and programs just don’t install without prompting you for your root password.

Perhaps Windows 7 will be better, but barring a complete re-write, I don’t believe things will change much in the spyware/adware/viruses/trojans/worms realm when Windows 7 is released. Vista only added a “are you sure you want to do this” popup that becomes incredibly annoying to assist in “security”. I hear that Windows 7 allows you to disable IE, but we’ll see what it looks like when released. But why listen to me, I’m just a Linux fanboy/zealot 😉

Windows security – there are no guarantees

Friday, February 20th, 2009

This isn’t some sort of pro-Linux rant, but rather a general security rant so take it as such.

With regards to security, Windows is provided “AS IS”. Show me one place where Microsoft even makes the slightest guarantee about security. The product was never engineered to be secure from the beginning, and barring a complete rewrite, it never will be. They’re not dumb, they know it’s not very secure, and they don’t advertise it as such. They don’t need to “disclaim liability”, the courts need to prove why it should be assigned to them in the first place.

Anyone who has an expectation of security in Windows is a sucker, plain and simple. Think about the common excuses: “99% of our customers use it so we have to also.” “We store all our data on it, it OUGHT to be secure.” “It’s too expensive to switch to something else.” You choose to use Windows, you get what you pay for. If you failed to do proper research and just created an assumption of security inside your head, it’s your own fault. Quit whining about it.

Everyone wants to sue Microsoft just because they exploit human stupidity, and they’re really good at it. Great use of the court system.

Unix security is generally not an issue because it was designed with security in mind from the very beginning. Windows was never set up with multiple user accounts in mind, nor was it set up with security in mind. This is not necessarily a bash on Windows, it’s just a fact of how it was designed. Multiple user accounts seperated from the root account and manditory secondary user account creation are definitely two very strong points that assist in Unix security. The Linux and BSD family were based off of Unix, so those two “variants” were also designed with security in mind from the beginning as well.

Now that Windows is, and has been, pretty much the most used operating system amongst home users and businesses, Microsoft has to backport their operating system to obtain the security that the internet demands. Since home users and businesses rely on Windows now and are pretty much locked in to requiring Windows and Microsoft software, Microsoft knows that they can just keep patching their shoddy software rather than doing what should be done – a complete rework from the ground up.

What’s worse is that even if a security flaw is found, Microsoft still only releases patches on “patch Tuesday”. That’s right, you have to wait for them to create the patch rather than having several agencies able to view their source code and create a patch for them or work with them toward creating a patch. If you think about that for a second, a virus writer could take advantage of a flaw and create a worm/virus and take over thousands and thousands of Windows machines in no time…all while waiting for Microsoft to create a patch. Yes, this has happened several times in the past and has had devistating effects on everyone using the internet. From “slowing down the internet” because of bandwidth-consuming worms (think Code Red, Blaster), to receiving tons of spam in your inbox every day (think Beagle, Sobig), to computers being rebooted every few minutes without user intervention (think Zotob). So while worms generally don’t directly affect Unix-based machines, they indirectly affect Unix-based machines by consuming resources by worms attempting to propogate and by receiving the payload (spam) of worm-infected machines.

Outsourcing and where the U.S. is heading

Monday, December 22nd, 2008

I entirely agree that individually you need to be as valuable as possible. That’s why all the CCNPs I know are working to finish their CCIEs and the CCIEs are working on their Juniper/Avaya certs. All of this is on top of their technical degrees.

The problem is that you and your “invaluable” skills really aren’t being taken into account. It doesn’t matter if firing you would cripple the company because we’re typically thinking 90 days at a time. If you replace a $150K CCIE with a $20K wannabe, then you as a manager can claim a $130K dollar “savings.” Hooray for you, here’s your bonus. When that $20K wonder takes all of your customers down — and here’s the beauty part — you aren’t blamed for it. No one is currently drawing the line between your $130K savings and the customers that walked with their millions of dollars.

The really scary part? I know a couple of people who work on municipal, hospital, and 911 systems. Infrastructure disasters there can cost lives. They’ve watched the cheap guys take down emergency systems, and tried not to think about the calls that were getting dropped as they fought to get them back online. They push the frantic calls for help out of their mind because if they let their imagination run with what an unanswered 911 call could mean…

The cheap guy’s response as they berated him for putting lives at risk? Basically, what do I care? It’s not my country.

Every one of the guys I know are putting in 60-hours weeks routinely. Hours like that mean divorces. They mean early heart attacks. They mean neglected children left to raise themselves. They mean broken homes with the societal carnage that goes with it. It’s the classic tragedy of the commons. The people who lead our country are insulated from the carnage associated with gutting our workforce. In the meantime, my country is falling apart. I’ve got a CS degree from a good University, a couple of certifications, and a decade of experience and even I am feeling the heat. I weep for those not as lucky as I.

We’re gutting our middle class. We just are, and if you don’t see it, it’s probably because you’re young. I hear your “Well, it’s not a problem if you’re the best of the best” bravado, and I wonder what you propose to do with the other 99% percent of the population, because they’re not just going to just disappear.

During the LA Riots of ’92 Rodney King and Daryl Gates might have been the spark that set it off, but that riot burned on the fuel of unemployed people. Anyone who has been to LA, more than a decade later, has seen that the damage still hads’t been repaired. I’d really prefer not to see that happen on a country-wide scale. But me and the other people around my age are worried. We’re getting that “vibe” again.

Things are stretched beyond breaking. Our teachers have flat-out given up. Our cops are showing the sort of violent and unstable behavior you would expect from PTSD. The wave of earnest enlistees that flooded the military after 9/11 have become the sort of weary jaded bastards that could put the most burned-out Vietnam Vet to shame. We are, for the first time in history, routinely using mercenaries in almost every level of our military and law enforcement. I’m seeing military families, families with generations of service, hang up their uniforms and forbid their children from serving.

Our hospitals are literally allowing people to die from neglect in the ER. Our bridges are falling down. Our electrical grid is one snapped breaker from going dark. Katrina should have been our moment of clarity. The fact that it so clearly wasn’t scares me to death.

But you go ahead, and keep humming that “I’m the best, I’m the best, I’m the best” mantra. Keep closing your eyes as tight as you can and shut your ears tighter. Find a good teddy bear, because the old man, the old man has seen all this before.

I’m terrified of where this train is going.

“Think of the Children” legislation

Monday, September 8th, 2008

And why am I not surprised when the public buys the “think of the children” pitch hook, line and sinker; when previous measures passed on this logic have done little to anything to address the problems they’ve supposed to have fixed while at the same time introducing new issues?

If only people would seriously think of the children when they consider legislation that would sacrifice liberties: what kind of society do you want to leave to you’re children after you’re gone? Already I hear parents reminiscing about a time when they could play pickup baseball or hang out by the lake until well after sunset without a care in the world. Even though the activities may be different (e.g. playing Madden 2008 instead of touch football on the street), why can’t children today get to enjoy the broad freedom to play that their parents enjoyed? And more directly on this topic, a generation who grew up with a rite of passage of driving around with friends and boyfriends/girlfriends at 16 years (and younger in certain areas) is increasingly pushing to raise the driving age to 18. The hazards of our society haven’t changed that dramatically in the past 40 years; on average in the U.S. violent crime rates are signifcantly lower than they were in the early 1970s, a time considered to be the “good old days” by many Baby Boomer parents. Child abduction and pedophila have existed for much longer than the past few decades, and I’m curious to see whether there’s really been an increase in incidence of these problems or just an increase of coverage of them.

While some measures like educating children about not getting into a car with strangers and our present Amber Alert system are good, imposing a surveillance society does little to improve actual safety from the ostensible hazards that prompt such measures and at the same time creates new hazards of abuse by government and corporations.

It amazes me that so many a generation that grew up in a time where the defeat of Nazism and fascism were fresh in our collective minds (their parents experienced World War II firsthand) and our freedoms were cherished as our distinguishing feature from totalitarian Communism can turn its back on the values they were raised with and build an increasingly restrictive society for their children. The same holds true of our fiscal values; a generation raised on thrift is now building an unimaginable amount of public and private debt to leave to their heirs.

While not every Baby Boomer is guilty of this type of convenient thinking, apparently there are enough who do to cause these measures to take effect. When someone says to you “think of the children,” you really should think of the next generation. I’ll accept a 1-in-1000 chance that my children would be abused by a teacher, priest or any other adult over a much higher chance of being abused by a know-it-all government any day of the week.

Why use anti-virus software?

Wednesday, August 20th, 2008

Here is a secret for you: You do not need AV software.

Actually, let me clarify that statement. You might need AV software if you are a very uninformed user who likes to open email attachments from unknown people or download lots of useless software from questionable sources. However, if that person I described is not you, then you do not need AV software, and it is just taking system (and apparently network) resources.

The reason you don’t need AV software is because there are only two ways to get virus on your computer: 1) Network-related software you use is exploited. 2) You willingly (although accidentally) run the bad software yourself. Yes, I’m simplifying things, but it is hardly any more complicated than this. Since you are an informed user, you have learned not to run bad software, so #2 doesn’t apply to you; and since you patch your system regularly (right?), #1 is very unlikely.

However, there may be a tiny window between the time that an exploit is found and the patch being made available where you could potentially be vulnerable. Theoretically, AV software can ‘protect’ you in this scenario since virus definitions are made available sooner than patches. The solution here is, again, to be an informed user. If a piece of software you use becomes vulnerable to a new exploit, you should know about it and take the necessary precautions yourself during the time before a patch is released, in order to protect your system. This will protect you much better than any AV software will, and it’s not difficult since there are not many pieces of software which could even be exploited (the main ones are your browser and other internet-related apps).

Now, I’m a user of Linux, BSD, and (rarely) Windows. I have been running Windows for years without a hitch by being an informed user. Actually, I also usually install patches long after they are available because I turned off the automatic download/install feature (I like to know what’s using my internet connection), and for some reason it doesn’t even notify me of the availability of patches so I often forget. Nevertheless, I’ve never been compromised mainly because I don’t run questionable software or read unknown emails, and the security of the software (and patches) has been good enough.

In my opinion, AV software is a scam. It might be useful for grandmas and other clueless users who open email attachments indiscriminately, but I cannot see how anyone informed enough cannot also manage their own security. Not that all users are informed, but I should think that you should be informed enough to be able to live without AV software quite easily. Bottom line: run a firewall (preferably a hardware firewall), patch often, be informed, and ditch the AV software.

Punished for a fake identity on the net

Tuesday, July 8th, 2008

From Slashdot: “Recently a MySpace user, Lori Drew, was charged with a felony for the heinous crime of pretending to be someone else on the Internet. Using the Computer Fraud and Abuse Act, Lori was charged for signing up for MySpace using a fake name.”

I have used fake identities and fake information to sign up for user accounts since I have been on the internet. Thanks, but I don’t like spam in my inbox or my snail mailbox giving me “offers” from your business associates. You can continue sending it to Howie Feltersnatch at 1313 Mockingbird Lane somewhere in Ohio.

I really don’t give a flying fuck if IMDB wants to sell my personal info in order to allow me the privilege of posting a review saying that some movie sucked.

I really don’t give a flying fuck if Myspace or Youtube or Facebook want me to provide personal info they can use or sell in return for the privilege of showing me advertisements.

If Meijer’s required me to let them photocopy my driver’s license for the privilege of buying groceries from them, I’d give them a fake ID just out of principal. When stores want me to sign up for a “shoppers card” so they can track me just for the privilege of being able to pay normal prices instead of the inflated ones, I sign up with a fake address and the name Seymoure Butts. Out of principal.

If they don’t like that and don’t want my business and want to ban me – fine, I’ll shop somewhere else. If they don’t ban me, then I’ll patronize them and continue to flout their bullshit and intrusive policies.

But if they want to have me arrested, then we have a serious problem.

A few ways to detect social engineering

Saturday, July 5th, 2008

I think we’re pre-programmed to trust and assist everyone in our tribe by default, and distrust anyone not of our tribe. The problem is that this doesn’t work well anymore, since we don’t know everyone in our tribe. It’s likely quite useful when you hunt wildebeest, but not as useful when you work for a hospital, protecting patient records.

Most of us don’t think of trust at all, but assign perceived trustworthiness automatically, and only by being reminded of trust do we pay it any thought. Social engineering takes advantage of this. You get the victim to draw the conclusion (without being told – it has to be subconscious) that you belong to the same work tribe as them, and thus trust becomes implicit.

Some warning signs that you may be subjected to social engineering:

– The person starts using your first name without you having ever met.
– The person refers to an authority figure in a jocular/friendly way, in order to make you draw the conclusion that the authority figure knows and trusts this person.
– They will try to appeal to your vanity. E.g. they may imply that they called YOU because you’re so friendly and helpful. Ask yourself whether, if it really was this urgent, they would be calling you instead of those whose job it is to deal with this sort of situation. If you believe for one second that it’s because of your demeanor, you’re not only stupid but vain too.
– They mention a common foe. “You know how accounting is…” Yeah, everyone knows that accounting are bastards to anyone not in accounting, in every company in every country. That doesn’t lend credence to you being on the same side.
– They mention an interest of yours. “I had planned to take my son fishing this weekend, but I guess I’ll be working, trying to fix this”. Why would they tell that to a stranger? (Especially if you have a sticker saying “BITE MY BASS” on your car.)
– If face to face, the person smiles a lot. Nothing disarms suspicion as easily as a smile.

And yeah, cops learn this, and with time become pretty good at it too. My main advice is to never trust a person who smiles. Ever. That invariably means they want something. Yes, this includes loved ones too; what they want might be something you’re willing to give, but they’re still unconsciously trying to lower your defense by smiling. A smile is always a mechanism to disarm the one who sees it.

Privacy argument – “I have nothing to hide”

Saturday, June 14th, 2008

I had never questioned my privacy over telephones or online until I started hearing rumors about Echelon all over the internet years ago. Then Carnivore was announced and basically confirmed all the suspicions. Everything that’s happened since is just in the wake. There’s more than that though. Even if you have nothing to hide, you can still be mistakenly thought to have something to hide. All it takes is one false positive to ruin your day.

People who say “I have nothing to hide” realize they have already lost the argument and so try to turn it into a veiled personal attack to change the discussion. A good counter to it is “so why would you tolerate someone spying on you if you have done nothing wrong?”

Another argument I use against “I have nothing to hide” is “so when do I come to your house and install a webcam in your bedroom?” It’s shut quite a few mouths. Bedroom is good. Toilet is even better. If they have no modesty, ask them to hand over the account numbers and passwords to their bank accounts. Also ask for their full medical history. If that doesn’t shut them up, ask for the same for their entire extended family.

In light of the people deciding that people don’t have anything to hide, I ask that everyone answer the following questionnaire:

1) What is your bank account PIN number?
2) What is your annual salary?
3) What is your Significant Other’s phone number?
4) What are your passwords to various email and web accounts?

Some people believe that the government does (or could) know my bank account information, my medical history, my cell phone calls, etc etc. The problem is you’re seeing “government” is a single abstract entity. But government is made up of all those petty civil servants at the local council, policemen, judges and so on. Would you be happy to have a file with full details of your children sent to every policeman in your city? Presumably only if policemen were incorruptible, absolutely trusted, and none of them were themselves abusers. If you believe that about the police, well…

So this is why it’s not a question about should “the government” have access to this data. It’s about should all these random people have access to it? Is it really necessary for anyone but one person (my family doctor alone) to have access to my medical history? Or should that be shared with every single snooper at the local council? Should I give the firemen plans to my house, when it’s possible that one of them has a sideline in burglary?

Sure, criminal behavior has changed because of the government’s newfound monitoring power. Instead of using regular cell phones, professional bad guys now use nice untraceable prepaid cell phones…and discard them regularly. So, the data retention has indeed brought on a change – but the change makes the data retention useless.

What the data retention does do is to trip up the only-vaguely-criminal acts of the amateur. For instance, it is now much easier to track down the affairs of an unfaithful spouse, and to win a nice fat divorce settlement. Somehow I doubt that was the original aim of the data retention.

The thing to remember is privacy is not just about moral or immoral behavior. Privacy is the right to control the personal aspects of your life and who you share them with. Privacy just is.

Windows vs. Linux – security and privacy

Saturday, June 7th, 2008

Germany is a place that knows what wiretaps and domestic spying is all about. Everyone’s grandfather can tell them what the Nazis did to friend and foe alike. Public display of Nazi symbols is still against the law because it outrages so many. People who lived through the East German Police state have more recent and personal reasons to fear this kind of monitoring. Domestic spying is about eliminating political opposition and the only way to save yourself from that is to run away. Eventually, even those who manage to keep out of sight by doing nothing are destroyed by the schemes of those in power. States that do this are out of control.

If you understand these things and how computers work, you have no choice but to use and advocate free software. Non free software has the ability to end freedom of press and every other right. We are well down that path, with newspapers raided, citizens spyed on, an unpopular war of aggression, torture and other evil things. You can have your privacy with free software and should demand it.

If you have complete control over your software, as free (as in freedom) software guarantees by definition, you can enforce your own privacy and security. If you have a solution you cannot modify, you are completely restricted to its ideas of privacy and security.

Human freedom has to extend to freedom of information and freedom of control over our own tools, including software and hardware. If we allow our corporations and governments to control our tools, they move on to controlling our media (DRM’s already here) and eventually our legal freedom (DMCA raids?!)

The vast majority of people have no way to verify that their software is secure, even if it’s open source. And even the people who do have the ability aren’t going to. Are you really going to read through every line of code in the Linux kernel looking for backdoors? Well, of course not, however, freedom means that you can do all of that and teams of people do for both cooperative and competitive reasons. All of the usual guards for non free software apply. People are watching their computers and will report suspicious communication. Then come all of the free software checks. The code gets checked upstream by the team that creates it and then downstream by many distributions that use it before finally being checked by the much larger number of users. The free software community is able to verify code from creation to desktop use and it’s a fairly competitive place. For every kind of check you have in the non free world, you have more and better in the free world as well as greater competition and willingness to report wrongdoing. This makes it unlikely you will be caught by malicious code.

The Social Security Number problem solved (sort of)

Wednesday, May 14th, 2008

The Social Security Administration doesn’t accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits.

Once you switch your SSN, never use it. Then use the fake one of 078-05-1120. It’s a specimen number from the Eisenhower era. No need to give your correct number to the cable or phone company. They don’t need it. Period. Of course it’s possible that someone else has used this number already, but so what.

The only people who need your SSN is your employer because they have to make the contributions. Your bank doesn’t need it – they, as well as your mortgage company , broker, etc., can use a Taxpayer ID # to create 1099s and such for the IRS. And health insurance companies have no shittin’ business with your SS#, not to mention the galactic stupidity of putting it right on your ID card.

When someone asks me for the last 4 digits of my SSN, I ask them to use another secrity key. if they can’t, I don’t do business with them.

Anyway, using a SSN+address for authentication is as ridiculous as using a username+IPAddress alone for online banking.

I wonder why more companies/organizations don’t realize this, and any step to educate them is a step in the right direction.

The answer is easy: They do realize it.

They just don’t care because the current system minimizes their financial losses by transfering those losses to the individual who has his/her identity “stolen”.

Making any changes would cost money which reduces profits.

Any changes that improved the situation could be used to find them responsible when/if their new system is defrauded.

So, fixing the system is, from the individual company’s point of view, all loss and no gain.