Archive for January, 2008

IT Security – people are the weakest link

Saturday, January 26th, 2008

Your computer: how does a virus get there in the first place? SOMEONE must first get it to execute. Malware doesn’t suddenly jump in and exist; it has to be brought onto the machine. And a virus or trojan that just sits on your disk does jack. It is a program, and like any program it has to be executed to do its “magic”.

There are exactly three ways to get this done. First, remote exploits against network-exposed services (the classic example being Windows RPC). These are easy to defeat with a router or firewall that drops inbound packets to sensitive ports, so the vulnerable service is never reachable from the outside. Second, exploits in the programs you run: your mail client, your web browser, or one of its myriad plugins. This is harder to secure, since you can never know whether the client you use has such a vulnerability. Keeping it patched narrows the window, and your best bet beyond that is to use something that has nearly no market share (and is thus not interesting to commercial malware authors), though obscurity is a supplement to patching, not a replacement for it.
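As an added example (not from the original post), here is what “does not allow any packets in to sensitive ports” looks like as an nftables ruleset on a Linux router or host. The interface names lan0/wan0 and the LAN range 192.168.1.0/24 are assumptions for the illustration. The weak pattern is an input chain with `policy accept` and a handful of explicit drops; this version inverts it: everything inbound is dropped unless it belongs to a connection the inside initiated, so RPC, SMB and any other listening service are simply unreachable from the outside.

```nft
# Added example: default-deny inbound ruleset (nftables).
# Load with:  nft -f /etc/nftables.conf
# Syntax check without applying:  nft -c -f /etc/nftables.conf
# Interface names (lan0, wan0) and the LAN range are assumptions.

flush ruleset

table inet filter {
    chain input {
        # Weak form would be "policy accept" plus a few drops.
        # Hardened form: drop everything not explicitly allowed.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is local processes talking to themselves.
        iif "lo" accept

        # Replies to connections the machine itself opened.
        ct state established,related accept
        ct state invalid drop

        # Optional: admin SSH, but only from the LAN side.
        iifname "lan0" ip saddr 192.168.1.0/24 tcp dport 22 accept

        # Let the box be pinged, rate-limited.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Note what is NOT here: no rule for tcp/135 (RPC), 139/445 (SMB),
        # or any other service. Packets to those ports hit the drop policy.
    }

    chain forward {
        # Same idea for traffic routed between LAN and WAN:
        # inside may go out, outside only gets replies.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, `nft list ruleset` shows the active chains and `ss -tlnp` shows what is still listening; the point of the ruleset is that the second list can be long without the first letting any of it be reached from the WAN side.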

And finally, the user himself can execute it: double-clicking the attachment, running the installer the web site insisted he needed. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It’s in front of it.

Hackers: Nuisance or Necessity?

Friday, January 18th, 2008

Here’s a report I wrote back in 2002 for a Composition class. It’s kind of interesting to look back and read some of this stuff, so I thought I’d post it as well. Enjoy!

The word “hacker” brings several images to most people’s minds ranging from sweaty, pimple-faced kids with too much time on their hands, to malicious programmers who feel great satisfaction when defacing web pages and stealing credit card numbers. Near the middle of the 20th century, the word “communist”, to a lot of people, represented all the evil things in the world, and now at the beginning of the 21st century, hackers have been labeled the new age communists. For years, the media has helped to mislead the general public into thinking hackers stand for everything that is evil and unlawful on the internet.

Since the mid-1980s, media attention to technology has increased just as the industry of technology itself has increased. Media sources such as television, newspapers, and movies have used the word “hacker” in a negative way for as long as many individuals can remember. Media resources often have been the first time the vast majority of people had ever publicly heard the word “hacker” being used, which has been detrimental to how hackers are perceived. Unfortunately, many people feel there is a clear consensus that most of the stereotypes given to hackers are true. Only through the realization of what truly defines a hacker, examination of how hackers have contributed to the internet, and learning what hacking really is, can there be any chance of replenishing the soiled name that hackers have been given in the past.

It would appear to be pointless to attempt to change the minds of millions of people by skewing opinions to believe hackers are welcome users on the internet or that hackers should be considered acceptable in today’s growing internet-influenced society. The US Department of Justice has created several laws regarding hacking on the internet, including its own interpretation of what a hacker is. Newspaper articles are printed daily describing how hackers have illegally obtained credit card numbers, illicitly distributed copies of copyrighted proprietary software, and even obtained and used personal identities to perform unlawful acts in the internet community. In addition, according to Security Space, an internet security company, advertising networks such as Double Click, Link Exchange, and America Online benefit from “web bugs” placed on web sites to gather e-mail addresses and online purchasing habits.

Perhaps the most common misperception about hackers has been the word “hacker” itself. Popular, although negative, descriptions of hackers have included “a malicious meddler who tries to discover sensitive information by poking around”. The best choice for a negative description of the word “hacker” would be the word “cracker”. According to Eric Raymond, the President of the Open Source Initiative, a non-profit corporation that promotes and distributes free, open source software, the word cracker would be more fitting for the description of what most people envision a hacker to be: “one who breaks security on a computer system or computer network”. The definition of hacking originated back in the 1950s as “a teenager who operates ham radios or tinkers with electronics”, which pre-dated home computers by over 20 years. Presently, the correct definition of the word “hacker”, as supported by many long-time internet users, is “A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary”. One of the most appropriate ways to help reverse the stereotype that has shrouded hackers would be for computer professors to start teaching the difference between “hackers” and “crackers” in public schools and universities. Discussion of hacking in a positive manner in a learning institution would help curb the trend of naming hackers as destructive internet users.

Countless internet users have been led to believe hackers have nothing to offer other than ways to steal credit cards and various methods to break into computers; on the contrary, hackers have always been an immeasurable asset to the internet community by creating software to aid in securing computers. By creating programs to check for vulnerabilities within networks and server computers, hackers have helped system administrators and network administrators find ways to more efficiently and effectively do their jobs. Notable creations by hackers are Linux, a free open-source operating system, and the Apache web server, a free open-source software. As of 1999, there were 12 million internet users using Linux as their primary operating system, and 63% of all web servers were Apache web servers. Linux and Apache have been tested several times against vulnerabilities and security, then directly compared to Microsoft’s operating systems and web server software, continually resulting in Linux and Apache being superior in comparison. Perhaps if more internet users and web site owners switched to using alternative operating systems and superior web server software such as Linux and Apache, the internet would be more secure against crackers.

Online privacy breaches, which have resulted from several credit card number databases being broken into by crackers, have also been a concern to many internet users. The ignorance of system and network administrators who are not imposing strict security measures on corporate and student databases has often resulted in even the most novice internet user accidentally stumbling into “protected” databases by typing a wrong character when entering a URL in a web browser. A disturbing fact associated with virtually unsafeguarded databases run by corporations is that most corporations sell personal data given to them in confidence by customers making online purchases, signing up for e-mail accounts, or running programs created by online businesses. In addition to the sale of personal information by corporations, personal information is also stolen via a “backdoor” in some programs built by large corporations, often without a typical internet user knowing a program they’re using is stealing information from the internet user’s computer. If a typical internet user decided to create a program that steals information from another internet user, the program would be considered a virus by United States cybercrime laws. If hackers had not discovered the devious methods used by corporations to gather information, it is unknown what other illegal methods to gather information a corporation could presently be using. In order to resolve the issue of corporations stealing information through “backdoored” programs, laws need to be enforced by the US Department of Justice and FBI against corporations just as much as against the average internet user.

Media sources such as television, newspapers, and movies continue to use the word “hacker” in a negative way and may not change their attitudes toward hackers unless people are more informed about what hackers are and what they have done for the internet community. The hacker community has lost much of the respect it has earned over time because of inaccurate journalism and unfair stereotypes; meanwhile, hackers have made the internet safer and more enjoyable for anyone who goes online. Unfortunately, persistent negativity being reflected on hackers and the hacker community continually tarnishes the way hackers are viewed by the general public.

In conclusion, educational institutions and media resources need to be persuaded to educate and inform individuals about what being a hacker means and what hackers have contributed to the internet. Over half of all web sites have relied on what hackers have freely given to the internet, so it could be said that the internet may not have grown into what it is today without the aid of hackers. Also, federal laws regarding “hacking” should be clarified by having computer experts help write laws, rather than rely on politicians who only know basic computing, and then rigorously enforced by law enforcement agencies such as the FBI and local police. Perhaps after professors and reporters have been familiarized with the word “cracker”, it may change their usage of the word “hacker” to include the various online definitions in which the word “hacker” had actually been intended, and hackers could finally command the respect they deserve.

Department of Homeland Security mandates REAL IDs in drivers licenses

Friday, January 11th, 2008

Article here.

An argument I’ve seen in favor of the REAL ID is “How is this any different than without Real ID? What does Real ID change?”

Because this now will be tracked on a national database. Now…all your movements will be tracked starting with air travel. Where you went, how long, etc.

Next, who is to say what information is tracked? National healthcare? Maybe you are penalized in healthcare since they now know you go to a bar 3 times a week. Cashing checks? Well, they can now associate what you buy each time…tsk tsk…you’re still smoking, eh?

Do you now have to swipe it each time you use a credit card? Why not…it’s not an infringement…it just ‘proves’ you are the person on the credit card. Heck, why bother with a separate card at all? The credit card companies just start using your swipe to associate it with an account with them. Then all the databases are hooked together nicely, and a great picture of your life can then be assembled.

But, what problems would that cause? I mean, we’ve known the government doesn’t make mistakes. Especially ones that are near impossible to get cleared up in a reasonable amount of time, if at all. We all know there hasn’t been anyone misusing their government powers to personally screw with someone’s life before…so no worries there, right?

I guess think of it this way. Have there been many laws passed for one reason, that haven’t been used for other things? RICO laws used to be just for gangsters. Now they’re being used in creative ways these days for numerous other prosecutions. Patriot act laws were just for terrorists, right? Haven’t we seen articles already alluding to them now being used for less dangerous domestic infractions?

Sure, I paint a slippery slope picture with what the REAL ID could lead to, with its national database, but is it THAT far fetched? Who is to stop the next administration from adding a “little more” functionality to the system?

Employee loyalty

Tuesday, January 8th, 2008

When you wonder why the employee loyalty your business needs (or you even crave) isn’t there, this is the reason. You look at people as cogs in your machine and not fellows. They’re there to be exploited and not to be part of the company.

A business isn’t one man or one man’s risk no matter how much you’d like to put it in those terms. Your business belongs not only to you, but to everyone who works for you.

Let’s put it in realistic terms. Your client has a relationship with your company, and not just with you. He has a relationship with the salesmen who talk to him, the support people he calls when he’s got a problem, and the people who manufacture the product he’s buying.

When you eliminate any one of those people for anything but the most important of reasons (no, not profit. The long-term survival of your company is what your eyes SHOULD be focused on) you are diminishing your company’s relationship with that client.

When your client says he has a problem with a single member of that team, you need to think long and hard about why. Is your client prejudiced? Is your client sane? More importantly, is your client looking out for your company’s best interests? Almost certainly not.

Don’t agree? Fire your important employees and replace their jobs with cheaper, less-experienced people. ‘Outsource’ if you dare. Watch your clients start to complain. Their money is about to go elsewhere.

Instead, why don’t you learn to treat your employees as not only cogs in a machine, but individual people with cares and concerns of their own who are also important parts of your company? Your company’s long-term health will show you the value of that. Profit will follow.

So what’s going on in America today (why you should vote)

Tuesday, January 1st, 2008

Let’s see…

There’s no money for fixing schools. My property taxes have gone way up due to the fact the current Administration is cutting school aid nationwide. Lucky for my kids we are in a “rich” area so the parents can still pay.

We are pissing away cubic dollars in Iraq on a scheme to keep Iraqi oil off the market, protect OPEC, and keep prices high.

But, we can set up an entire law enforcement apparatus to protect the richest industry on the planet? Oops, almost forgot, that industry also owns the media outlets (thank you FCC for allowing mass ownership of media) which the assclowns rely upon to be re-elected.

Corporate America has gotten just about every Christmas present it wanted under the Bush Administration. The Bankruptcy Bill was the first shot. Next, continue to subsidize oil and gas companies. Make sure that all worker protections, or public protections, are de-fanged, or handed to the person who used to lobby against them. Flat-top mountains in West Virginia. Allow utilities to continue to build 1950’s-era generation plants.

Meanwhile, block stem cell research, push “abstinence”, and raise the prices of contraception for poor women while making abortion less available.

Bush was honest, once, when he stood before a gathering of huge corporate benefactors, and said “Some call you the elite…I call you my base”.

Next up – roadside execution for speeding.