Thursday, February 7, 2008

But, we've ALWAYS done it like this!

Tradition is no substitute for a good reason.

Peter Tippett.

Know who he is?

Of course you don't.

He's just the vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus.

Not a bad resume.

He had some very interesting points to make recently in an article with Dark Reading.
Seriously, you should be reading Dark Reading.

Meanwhile, back at the ranch... Peter Tippett said something that I have been trumpeting for years. (I'm so validated! GRIN)
"Employee training sometimes gets a bad rap because it doesn't alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn't that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?"

WOO HOO!!! Give the man a CIGAR!!!

He makes other great points as well, but this one is GOLDEN!

It's the human element that continues to be the weak point.
Why waste time guessing passwords when I can ask someone to just give me theirs?
Why pick a lock when someone will just open the door for me?

So much of what we are doing as Security Practitioners is just a big waste of time.
We're locking the barn door after the cows are down the road and in the slaughterhouse.

Why do we have mandatory "Sensitivity Training" but we couldn't care less if Joe Schmo in the mail room opens his FluffyBunny.txt.exe attachment in his email and now the whole organization is boned.
Boned, being a technical term.


We're back to the Theater of Security.
It doesn't actually do anything, but it looks great and gives us all kinds of expensive warm fuzzies.

After all, it's not how you are, it's how you feel!

Friday, February 1, 2008

Busting the GUI for fun and profit!!!

Ok.
I admit it.
I LOVE MYTHBUSTERS!
There, I said it.
These guys are incredible. I absolutely love how they go in and tear apart all these pervasive myths about how and why things work or don't work.
We need more of that.
Worst offenders?
Our own school system.
But, I digress.

Recently, Jamie Hyneman of Mythbusters fame wrote a great article on what's wrong with current technology.
I found it to be very well written, and it hits the nail on the head regarding an industry gone wrong.
"...As machines become more complicated, good interface design becomes more essential—you can't just keep adding buttons and menus."

Modern design of just about everything in Tech is appalling.
From the interface to the backend.
To say nothing of the pointy haired bosses!
Firewalls that are a pain to configure. Routers that need special voodoo to route. Anti-virus that is a huge resource hog and is too difficult for the average user to configure. Security ends up being theater and innovation is a labyrinth of incomprehensible menus and configurations.

Does anyone wonder why so many WIFI routers are not configured with any security?
It's because it's too stinkin' hard for most people to handle, and they either believe (falsely) that it's all been done for them or that it really doesn't matter anyway!
"Hey, we bought some security. Now, you say we have to configure it? It should just know to secure us!"

Even IT Professionals fail miserably at this basic task.
If I had a nickel for every router, firewall, WIFI access point, server, etc. that still had the default passwords on it, I'd be flippin' rich!

We need better associative interoperability on all our devices.
Devices should negotiate from the highest security settings they are capable of and move down by default. Currently, all too many devices start out with ZERO security turned on by default.
Why can't my wireless router see devices in the area and let me pick which ones I want to be able to connect to it? Then let it auto-negotiate the security based on defaults or mandatory settings that I choose.
Heck, why can't my router act as an intelligent and secure bridge to other networks in an easy to use fashion?

The hardware is very capable, the ideas are all around us.
Corporations are both greedy and very lazy.
A dangerous combination.

Don't believe me?
Linksys is owned by Cisco. Arguably, the top dog in networking.
They are the bee's knees in this field and you would think they would leap at the chance to make the absolute best and most affordable gear for the home market.
Frankly, they could do a LOT better.

Linksys firmware is still pretty primitive overall.
A number of third parties have come up with better firmware and they GIVE IT AWAY!
You heard me! FREE!!! NO COST!!!
DD-WRT, Tomato, and OpenWrt are just a few of many.
(Brief opinion here, been running DD-WRT on a 20 dollar Linksys WRT54GS 2.0 for a few months now and I LOVE IT! Beats the brains out of my 75 dollar SMC!)

Other problems are simple issues that no one seems to notice or care about that would make a HUGE impact.
Email encryption. User education. IPv6 (There, I said it!)

What does this have to do with the topic?
VERY POOR INTERFACE DESIGN MEANS PEOPLE WON'T USE IT!

We have devices with great features that go unused, great security that doesn't get configured or even turned on, great innovations that sit and rot because it's just too arcane.
We get used to this nonsense and never demand any better.
Why not?
Because everyone just assumes that the next batch will be even more incomprehensible.

All too often, they're right.

Wednesday, November 21, 2007

How to owe money by doing NOTHING!!!

This one is just beyond the pale.
Even for these vampire banks and credit card companies.
I'm just amazed at the GALL they have, to say nothing of the outright FRAUD that is attempted.

Just read a post from The Twelve Angry Men blog.
These guys are doing some terrific work, more power to them!

Well, here's the link for the item that caught my interest.

Force-Post, or Huh? I haven’t even activated the card!

Basically, it boils down to all this "Opt Out" nonsense.
In other words, you have to tell them EXPLICITLY that you DON'T want something or they can go ahead and charge you for it!

The result of such insanity, you ask?

"In the particular case I am speaking of, customers had run up balances of $1500 or more having never activated their card. Not to mention royally screwing their credit histories at the bureaus.
A regular merchant could never post a settlement against an unactivated card, as this is a principal barrier against merchant fraud. But the issuing bank, who usually also runs either an enhancement business unit, or contracts for one, OWNS the cardholder masterfile. By masking out the activation character position in the master file by means of a COBOL program, they can run the enhancement sales orders against the master file and ‘force post’ the enhancement product sale. The pretense is that this is valid and legal because the customer indicated a desire to purchase the enhancement, even though the product is an enhancement against a non-active account."

And people wonder why I go with a Credit Union???

What a business prospect!
Charge people for something they never asked for. In doing so it puts a big time hurt on them but not enough to be forced to get a lawyer.
Everyone BUT you profits!
For almost ZERO COST!!!

Educate yourselves.
Write letters to Congress and the Senate.
Write to the FTC.
Write letters to the Editor of your local paper.

STOP TAKING THIS LYING DOWN!!!

Saturday, November 3, 2007

Do you need to have permission to have rights???

I just read an outrageous article and opinion by a Detroit News Writer. A Mr. Chris McCosky.
I fully credit him, and since I am a Detroit resident, I would LOVE to take him up on his challenge,
"We actually talk to, in person, the people we write about. If we rip somebody in an article, you best be sure most of us will confront that person the next day and take whatever medicine we need to take."

Please! Contact me at your earliest convenience regarding this. I will happily meet with you to discuss this.

The article as posted.
http://detnews.com/apps/pbcs.dll/article?AID=/20071103/OPINION03/711030306

Bloggers most certainly ARE journalists.

You state (and I credit you with), "It's actually getting to the point now where some (too many) of the bloggers are using cyberspace to discredit the legitimate media."
What makes media legitimate?
The scandals? The yellow journalism? The favoritisms? The backdoor deals? The lack of ethics? Being beholden to advertisers? Endorsing popular opinions over the truth?
They deserve to be discredited when they are wrong. At every opportunity! THAT is freedom! The freedom to question, to dig, to examine, to hold up something or someone to the harsh light of the truth.
No one is above scrutiny!
Not even you.
The dictionary describes journalism as "Written material of current interest or wide popular appeal".
I would say bloggers are engaged in journalism by definition.
Since when are the rights of freedom of the press only granted to a favored few?
That is an outrage to even suggest that!
Who is to say what is legitimate media?
Who mandates that? No one does and no one should ever!
The act of writing creates the journalist, and its resulting product is journalism. It doesn't matter if you like it or not.
We are born with these inalienable rights. NOT granted them by a university or by being hired onto a staff.
Freedom of the press is universal. From the kids printing up their own 'zines to the New York Times.
To be a journalist is simply to exercise one's rights that cannot ever be taken away.
I WILL exercise my rights that I was born with.
You CANNOT take them away.
I AM a journalist!

Thursday, November 1, 2007

If you're not one of US, then you MUST be one of THEM!

Bruce Schneier is fast becoming my favorite voice of reason in the wilderness.
He just wrote a tremendous article on the irrational concepts of the Citizens Reporting Atypical Practices. In short, C.R.A.P!

http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html
"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats... After someone reports a 'terrorist threat,' the whole system is biased towards escalation and CYA instead of a more realistic threat assessment... If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."

This will, of course, result in his immediate investigation for Journalists Investigating Internal Government Operations.
Jingo!
http://en.wikipedia.org/wiki/Jingoism

Ok, all kidding aside. The new witch hunts are here.
I see no reason to believe that these will turn out any differently from the past ones.
We already have descended to this hysteria,
http://www.bloggernews.net/18108

I found the best quote regarding this on SlashDot,
"The war on Terror is a war against an emotion... Anything which can cause fear is therefore subject to the war. In that way it's the perfect war for politicians."

Who makes money off this war on (insert today's fear response here)?
Who gets more rights than you do?
They are your enemy.

Saturday, July 7, 2007

If the product is so great, why not stand behind it?

Just had a very inspiring read from Charles Cooper at Cnet's News.com

http://news.com.com/8301-10784_3-9740409-7.html?part=rss&subj=news&tag=2547-1_3-0-5

The simple question at the heart of it is, Why don't companies warranty their product for a reasonable time anymore?
Sure, you can BUY an extended warranty. Corporations LOVE the profit margins on those!
But, why not a reasonable warranty?

Case in point,
Sooner or later, shoddy quality is going to bite you.
HARD!
When it does, it costs big.
About a BILLION DOLLARS big.
http://games.slashdot.org/games/07/07/06/1330228.shtml
Demand more, demand better!
Write to your congressional representative.
I even made it really easy right here on the website!
Nothing will get fixed if we don't start demanding something be done!

But, at least they're saving money, off-shoring your job!

Monday, July 2, 2007

Better security, eh? Sure it is!

Oh great!
Microsoft is at it again.
More reporting back to the mothership of your data.

From the article, http://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml

"The Redmond company emphasized numerous times the fact that all information collected is not used to identify or contact users. But could it? Oh yes! All you have to know is that Microsoft could come knocking on your door as soon as you boot Windows Vista for the first time if you consider the system’s computer information harvested. Microsoft will get your "Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software." But all they really need is your IP address."

When is this going to end?
When are the consumers, especially the corporation, going to stand up and refuse this type of spyware?

One simple solution?
Go Open Source.
Frankly, I'm seeing less and less reason to not switch to Linux.

It's YOUR computer, YOUR data, YOUR security.
You deserve better!