Security Software

Spyware needs federal regulation

I personally find this trend disturbing.

Claria and WhenU are making the case that their adware programs don’t resort to illegal tactics, such as exploiting security holes, to install themselves. And though this software can be annoying, adware developers argue that merely being listed in an anti-spyware scanner’s database tarnishes a company’s reputation by linking its relatively benign adware application with far more harmful and intrusive spyware programs.

In The News Politics Security

Real ID

Well obviously this stuff has been in the news a lot in the past 48 hrs. It’s interesting that it appears nobody in the senate even read this thing or they would have noticed some mistakes. According to the bill everyone must have one with their real home address on it. No PO Box, no business address, no aliases. The real deal, no exceptions. Who should have gotten an exception?

  • Police – especially undercover, and NARC’s whose lives are in danger as people are always trying to kill them.
  • Judges – we know very well that there are people willing to do harm to judges that don’t rule in their favor.
  • Prosecutors – also very hated by many people who would love for a card that has their home address
  • Elected Officials – who doesn’t hate them?

It should be noted that Title VII of the Civil Rights Act has several notable (and unethical) exceptions: Religious corporations, Bona fide tax exempt private clubs, Indian tribes, Elected state & local officials, their assistants, and immediate adviser’s, Jobs requiring national security clearance. That’s right. in 1964 the compromise was that while corporations could no longer discriminate in hiring, elected officials had the right to do so. They exempt themselves from the then controversial law so they could continue discrimination.

This time, nobody even an undercover cop or a judge has a legal means of not carrying an ID with their home address on it. Can you imagine the consequences now of a judge who accidentally looses their wallet or gets robbed?

Talk about inverted history. The Civil Rights Act should have no loopholes, meanwhile and this new Real ID bill should have exceptions for law enforcement so they can keep their families safe.

That about proves it. Nobody read the bill cover to cover. If they did: they would have at a minimum exempted judges, cops and some Homeland Security employees.

Oh yea, they are considering using RFID or equivalent technology for it. That means nobody needs to physically steal the card. Within a year or two of it coming out someone will hack around whatever encryption is on there. You don’t physically need the card, just get close enough to get the data off of it.

If I were a Judge putting the bad guy away, I’d be concerned about my own safety. That’s not a good thing.

I propose a minimum 10 year federal jail sentence for each time a lawmaker votes on (for or against) a bill they didn’t personally read cover to cover. Stuff like this episode a few months ago should result in a real jail for anyone who voted without reading (all of them, since nobody caught it). They are paid by tax dollars and entrusted to read and vote on laws. If they aren’t reading, they aren’t really voting. They are paid for nothing. That’s fraudulent.


Security Software

Windows Firewall stinks

It took me about 45 minutes, and 2 phone calls to figure out that Windows Firewall apparently suffered some corruption, blocking me from FTP to this server. Not all FTP servers (for some reason that’s beyond me). All clients failed. First I thought it was the server. Then I thought it was a networking issue (net admin said FTP was not blocked). In the end, it was Windows Firewall. Resetting it using the Default Settings button brought me back to life (for anyone experiencing this problem that may be helpful to know).

I normally SFTP these days, but sometimes FTP for some reason (likely habit more than anything).

Mozilla Security

IDN Security Hole

An interesting observation regarding yesterday’s security bug. I did this using 1.0+.

Here’s what it looks like when the exploit is presented:
Exploit: example

Now look at the title bar when you “view source”:
Exploit: view Source

Is this a temporary way to validate the authenticity of the website?
I have no clue. I’m just reporting my observations.

Funny Mozilla Security

Mozilla Security Hole: Household Emergent Behavior Vulnerability

I sent the following to the security list at 4:02 PM EST. I rate it a “critical” security vulnerability due to the harm it can inflict. This vulnerability is found in all Mozilla products to date (including nightlies).

Apparently Firefox has been making sexual advances towards Roomba’s (as seen on slashdot 02/05/2005), causing them to lock themselves in rooms in order to avoid being molested by the otherwise innocent looking Mozilla Products. Similar problems have been reported with other electronic devices: Toasters, VCR’s, Cell Phones, Alarm Clocks, Rosie the maid from the Jetsons, Johnny 5, R2D2, and Al Gore. I suspect people with pacemakers may be at risk, but I have yet to find any direct evidence or testimony.

The vulnerability seems to be in nsISEXUALadvance, though libPr0n may also be problematic. There are actually 3 distinct problems with nsISEXUALadvance:

  • Doesn’t check to see if object.sexualDesire is of the same platform type
  • Doesn’t check to see if object.sexualDesire is >= age Of Consent
  • Doesn’t check to see if object.sexualAdvanceCount <= 1

I have yet to find if libPr0n has any influence on this bug. There is some research that suggests it many influence this behavior, though some ideological bias may be influencing that conclusion.

Products Effected
This vulnerability effects all Mozilla products tested.

I’d suggest this block Firefox 1.1, as well as Mozilla 1.8b until it’s resolved.

Provided and/or discovered by:
Robert Accettura Feb 5, 2005

This fufills a statement that I gave Asa over IRC that I could beat some of the other goofy stuff that comes in to

Security Software

AOL to issue SecurID to customers

SecurIDAfter pestering AOL employees with the damn things for years, now they want to charge customers for the same pain in the butt.

I hate these stupid things. Keep them on your keychain, and you know it’s going to break, and your going to have login problems. Don’t keep it on your keychain, and you know you’ll forget, and be unable to login. No matter what, you loose.

I won’t say they are ineffective, since they do work. But they are the biggest pain in the butt.

Internet Security

Spyware disabling itself in Spybot S&D

Well, I found this rather alarming. Apparantly some Spyware is learning to disable itself from Spybot S&D. Unfortunately, I went through the list real quick and unchecked all so it searches for everything… but didn’t make note of which made the list (just got home from work, tired, hungry, and not thinking). Blasted, would have been nice to post here and see if just had a corrupt preference file (I just upgraded to 1.3), or if this really is Insurgent Spyware fighting back.

Anyway, I’ll be keeping an eye on this with all systems I have it installed on. With any luck, if it’s really the next generation in Spyware fighting, it will happen again, otherwise, most likely a false alarm.

So more later if I think this is real. Please don’t set off a public alarm, just take a look yourself and see if you find this. Lets not get our panties in a knot. Thanks.

Google Security Tech (General)

Why people shouldn’t be afraid of Gmail

There has been a ton of buzz lately about Gmail, Google’s free email service. 1000 megabytes of free storage, Google Search Technology, and of course all sorts of Google usability improvements. I’m sure Google has stuff still in the labs to enhance it at some point in the future as well, I could see searching attachments, viewing Word, and Acrobat files as HTML, all in the works.

How will they pay for this quite amazing offer? “relevant text ads”. I think most already know what I’m talking about when I say, this, if not check out which has Google’s text ad service on the homepage.

What is it?

Here’s a really simple summary. Google sells a ton of advertising. And I mean a ton, they sell for their own website, as well as many others. To make sure the ads are effective, they like to “target” the ads. This is similar on other forms of media. For example, on TV, you will find sports and fitness related ads on ESPN, while the Food Network may not necessarily carry the same ads. Why? Because the audience on ESPN is most likely into sports, and fitness. The ads are most effective when people interested in the products. Makes sense right?

Well, Google does the same thing. When it sells ads on a Macintosh Website like, it targets them towards Mac users, hence you see ads like “Expert Macintosh service”, “Macintosh Support”, “Mac Service & Support”. Because those ads will do good on a Mac website, rather than a PC website. These ads are now worth more to the advertiser, who will pay more to Google, who will in turn payout more to Google does the same on it’s own search engine (the right hand side), relevant ads are worth quite a bit, since it’s perfect real estate for advertisers

How do they know what to show?

Google hasn’t disclosed the technology in real detail, but one could assume, their technology assigns keywords to the ad campaign. It then looks at the text of the page that needs an advertisement. If the examines that page for relevant keywords, and places the highest ranking advertisement that fits the page.

So what’s the deal about privacy?

That’s the question of the day. Google’s system is undoubtedly automated. It would be impossible to hire enough employees to screen all data and figure out relevant ads. Your mail is technically handled by many systems that process/analyze it anyway. From virus scans, spam filters, to your mail client just figuring out if it should make certain text bold, underlined, or italics. Or how to process an inline image. Lots of software looks at your mail.

Personally, I don’t see the difference between Google, and Yahoo, Hotmail, or any other mail provider’s technology, except that Google is being smart, and providing a superior service, by selling relevant ads. How is this any more invasive? All Google did was put things together.

Personally, I think some people worry to much about privacy, and not enough about security. Instead of crying because a company put ads on a free service that you choose to use… Why not apply some patches to your buggy Windows computer so a hackers/spammer isn’t using it to flood my email with spam. To me, that’s much more invasive.

Just my $0.02.

Mozilla Security Software

Spyware Blaster Supports Mozilla

Spyware Blaster has been updated to version 3.0. This popular Internet Explorer tool blocks most Spyware ActiveX components and Cookies. New to version 3.0 is support for Mozilla. Since there’s no ActiveX support, it blocks some cookies. Perhaps in the future it will protect against malicous XPI’s.

In any regard, it’s great to see a popular product making Mozilla a priority to support. It makes Mozilla even better for those who want security (without disabling all cookies).

Apple Security Software

Apple’s Life Cycle and Security

I don’t think I need to say I’m a Mac lover. I’ve been very satisfied with my Macs, and love OS X. But I got to agree with CNET about Apple’s recent trends.

Product Life Cycle
Apple’s been pretty firm about the 5 year rule for hardware. After that period, your not really getting hardware support. It’s a pretty solid rule, and one you can depend on (for good or bad). Developers, both hardware and software are well aware of it.

Unfortunately, there is a lack of an official product life cycle for software. Microsoft has a clear product life cycle. I sincerely hope Apple matches Microsoft and adopts a similar policy. For at least that length of time (if not longer), and sticks to it. The mystery involving product life is a real turn off for companies. How can you evaluate what Macs will cost? A good security issue may require the entire office upgrade their OS version. In such cases, a product cycle would allow an IT department to know very well what it will cost to keep Macs afloat. And dispel some cost myths.

I would like to propose a Security/Product Cycle Policy for Apple to adopt:
A product will be officially supported for 5 years after general availability. During this time, full support will be provided. This is the same as Microsofts policy. During this time. All security and bug fixes are available. No new features are required (though could be offered). For example, a WebCore update would fall in this category. Keeping Safari up to date and fixing rendering bugs. New OS X features such as Exposé, would not. That’s for a new product, and new product cycle.

A Security Phase would proceed for a period of minimum 2 years, during this time, only security bugs will be fixed. Keeping Safari up to date, and fixing crashes wouldn’t qualify. Only bugs that provide a security risk.

So in theory, a company can have a system for 7 years, and be able to maintain it for the original cost. Of course they will most likely want new features, and would upgrade in that time. But they have a buffer up to 7 years. This compares with Windows XP’s current product cycle.

A very inclining offer for IT departments. Buy a pretty powerful computer, and know for 5 years you have hardware support for new OS versions. For 7 years, your current OS will be secure. And we mean Mac OS X secure. Not Windows Secure 😉

Apple needs to use it’s strong point. A solid UNIX security model. Take advantage of the fact that it can do so. Security is a big advantage the Mac platform has. It will cost more to support older OS’s. But in the end, will make the OS much more attractive than it is now.