Archive for October, 2006

Oct 27 2006

Going to PodCampWest November 18 & 19

Published by under Podcast

Any other security bloggers or podcasters going to this event?  All of the security bloggers I know about are on the East Coast, except Steve Gibson.  It’d be good to meet some more security bloggers/podcasters face to face.

Oct 26 2006

This is why e-voting machines make me lose sleep at night

Published by under Government

You may not have the time to read Brave New Ballot, but you need to take the time to read How to steal an election by hacking the vote.  I’m not convinced that this hasn’t already happened, and this article isn’t making me feel any better.  Jon Stokes goes into great detail about how an even moderately skilled attacker could take control of a county or state election without anyone ever being the wiser.  The wholesale theft of our votes is entirely possible with the current paperless voting systems, and because of how the tabulation is being done there would be no way we could track what the real vote was.

Oct 26 2006

Blogger+Ethics

Published by under Blogging

I spend a lot of time thinking about ethics.  I figure it’s part of being a security professional.  So when I saw that Chris Heuer was having a talk on disclosure in the blogosphere, I thought I might have one or two things to add to the conversation.  Turns out to be a good thing I did, because my little iRiver and Giant Squid Audio mic saved the day.  Okay, maybe not the most lofty of contributions, but we all do what we can.

Bloggers need to disclose when they have a relationship with a company or product.  I try to do that explicitly any time I talk about a product, whether it’s a Nokia 770, an Astaro Security Gateway or a trip to Southern California.  Most bloggers know the importance, but once in a while you get people and companies who try to game the system, like Edelman or Strumpette.  They’ll usually get away with it for a while, but when they’re caught, there’s a big outcry and the blog or blogger suffers a huge hit to their reputation.

I took two things away from last night’s meeting: first, bloggers need a code of ethics; second, we need to educate the blog-consuming public.  The code of ethics needs to be fairly simple in order to cover the widest possible spectrum of blogs and bloggers, but it’s needed.  This shouldn’t be something that can be trotted out every time someone makes a mistake, but should be a short list of generally acceptable guidelines bloggers around the world can follow.  It needs to encompass issues like disclosure, but will hopefully include a wider spectrum of acceptable behaviour.  Of course, some people will always go out of their way to ignore or go against the code of ethics, but they’d do so with or without the code.

Users need to be educated about the dangers of accepting everything they find on a blog.  Not in the way some media types have been doing, painting all bloggers as liars and cheats, but in a way that makes people realize they need to be just as skeptical of bloggers as they are of any other type of press.  One comment that was made by Rafe Needleman several times last night is that bloggers are journalists, and as much as some people might dislike that characterization, it’s true.  We are the 21st century journalists, though with our own unique twists and turns.

Add your voice to the conversation.  Let the folks at the Social Media Club know what you think about blogger ethics.  This isn’t a new discussion; it’s been going on as long as there has been public pontification.  But the nature of the blogosphere makes this discussion of ethics much more important, since the repercussions are immediate and loud.
 
Edited for clarity since I was writing this at 05:30 in the morning.

Oct 25 2006

Lemme ‘splain something

Published by under Podcast

I hate discussing politics.  There are very few things that people can talk about that are more emotionally charged than politics.  Very few people can talk calmly and rationally about politics, letting facts and reason take precedence over emotions.  I don’t count myself amongst those people, so I rarely talk about politics.

Tuesday night, I was talking about Diebold and the upcoming election and I said a couple things that I knew I should edit out as soon as I said them.  But I was tired and forgot.  Now a few of you are taking me to task for what I said, and probably rightly so.

What I said came out along the lines of “If the Republicans don’t lose seats or gain seats in the upcoming elections, then the Diebold machines are obviously broken and the Republican must have fixed the election.”  If you heard it that way, I apologize, that’s not at all what I meant.

The Republicans have been taking a beating lately, both over the wars in the Middle East and over several scandals, including Foley.  The Democrats have several scandals of their own, but most people have been concentrating on the Republicans.  They’re down in the polls; if the Republicans don’t lose some seats on Capitol Hill, or gain some seats, I’ll find it a little suspicious.

This was not meant to be a political statement against Republicans or an accusation of possible fraud by the Republicans.  If fraud did happen in a race that involves DRE machines, I personally think it’s less likely to be a party or a politician and more likely to be a programmer inside one of the DRE machine manufacturers.  Another possibility would be that the polls have been wrong for the last several months, and there are other possibilities.

So do me a favor and take my statements on the last podcast as a tired guy misspeaking, not as a political statement.  If I do make a political statement, I like it to be firmly grounded in fact and reality, not based on something that might happen in the future.

Oct 25 2006

Going to the SMC talk on Disclosure tonight

Published by under General

I think the Social Media Club folks probably have a slightly different idea of the concept of ‘disclosure’ than those of us in security do, which is why I’m going to the discussion tonight in San Francisco.  And there’s always the San Francisco Podcast Meetup later in the evening if I have the energy. 

All kidding aside, this is really something that needs to be discussed, and I think I’ll be able to bring a slightly different viewpoint to the table than the average blogger.  There’s a certain amount of security in knowing that the person whose blog you’re reading is actually giving an honest opinion, rather than being paid to give you a company’s opinion.

Oct 24 2006

Network Security Podcast, Episode 49

Published by under Podcast

No interviews tonight, I just talk for a little while about my recent experiences with the IE7 party and my trip to Symantec in Southern California.  It’s still a little hard for me to wrap my head around the fact that when you do a search on ‘security blog’ in Google, this is the second blog you find.  Because of this, more security companies are coming to me asking to be interviewed or just to talk to them.  Mike Rothman poked fun at me a little bit today in his blog, but I’ll try to take it with a grain of salt.  If nothing else, Mike will keep my ego from getting too big.  Hopefully I can count on you guys to keep me honest too.

There aren’t a lot of show notes tonight, since almost everything I talked about is already on the blog somewhere.  The only site I want to draw additional attention to is the PCI and Data Security Compliance site.  I’ve added them to my news reader, and if you have reason to be interested in PCI I would suggest you consider doing so too.

Network Security Podcast, Episode 49, October 24, 2006

Time: 24:38

Tonight’s Music: The Hero and the Heroine by Vanessa Peters and Ice Cream on Mondays

Thanks again to Astaro for sponsoring the podcast.  Call them at 877-427-8276 to get your free demo unit.  I’m no Leo Laporte, so thanks for sponsoring the podcast.

Oct 24 2006

Firefox 2.0 officially released

Published by under General

I’ve been using Firefox 2.0 since yesterday, which doesn’t give me a ton of experience to draw on, but so far I’ve found more to dislike than like.  First of all, about a third of my extensions don’t work in FF2.0; nothing I can’t live without, but it’s still annoying.  Second, I don’t like the setup for the new tabs.  I liked having my tabs resize as I added more and being able to see them all the way across the screen.  Now I have to scroll down the line to get to them all.

The memory usage does seem to be a lot better though; I used to see my memory usage start at 250 megs and creep upwards until it took up too many resources and I had to restart.  Now, after a full day’s usage, it’s still hovering at 275 MB.  I haven’t had to use the anti-spam tools yet, but everything I’m reading says they’re pretty capable.  What I really like is the new spellcheck capabilities, since I obviously can’t think and spell at the same time.

I’ll probably upgrade the rest of my machines over the next week or two (did I mention I’m testing it on my corporate laptop?) and I’d suggest most people upgrade.  It’s not a ‘must have’ upgrade but it has a couple features that are pretty nice.  Now if I can only get the tabs back the way I like them and get the close tab button on the toolbar rather than the tab, I’ll be happy again.

Edit:  As soon as I wrote this I found the updated Tabbrowser Preferences extension, which gives me back control over most of the things I wanted.  Yay!

Oct 23 2006

No RFID credit cards for me, thank you

Published by under PCI

More often than not, I agree with the folks at Techdirt.  But once in a while, they just get it wrong, like today when they claim that researchers at the University of Massachusetts are crying wolf about RFID credit cards.  First of all, the folks at Techdirt believe the credit card companies over the researchers; while the researchers do have some vested interest, it’s nothing compared to the self-interest Visa and MasterCard have in the report.  I would be interested in knowing what the success rate was, and I’d like to see the pool of tested cards go up significantly.  But since it sounds like they’re using the local professors’ cards, they probably got all they could.

This talk about the technical difficulty of creating an RFID reader is false, since I can probably name half a dozen security professionals off the top of my head who can create such a device, and given a few weeks, I’m willing to bet we’ll see a ‘HOWTO’ on the net for creating your own.  The researchers already say they can build the next model for under $50, and I believe them.  At that cost, it’d be worth it for a thief to build a small fleet of these devices and just attach them to mailboxes or newspaper boxes around San Francisco or New York and leave them for a week.  A little creative camouflage and they wouldn’t even stick out.  Even if the range is only a few feet right now, I can think of a few mailboxes in San Francisco that get at least a thousand people a day walking within three feet of them.  I’m willing to bet someone figures out how to make the readable distance of these cards much greater than just a few feet in the very near future.

What really burns me about the article is the dismissal of identity theft as a trivial event that the end user shouldn’t worry about.  First of all, if it’s your credit card information that’s stolen, it’s far from a trivial event: it takes time and energy to get this straightened out, not to mention the amount of stress.  And so what if that person is only charged for the first $50 of the transaction?  Who do you think pays for the rest of it?  Visa and MasterCard make sure they don’t; either they pass the cost back to us as higher interest rates and fees, or they charge the incident back to the merchant.  Banks are being given the choice of whether to enable all the protective features of RFID-enabled credit cards.  Guess what, some of those banks are going to make the wrong choice, selecting ease of management over security.

Oct 23 2006

Impressions of Symantec

Published by under Malware

Friday morning I had to get up at the ungodly hour of 3:30 am to fly down to Santa Monica, CA to visit the Santa Monica site of Symantec.  Maybe ‘had to’ is the wrong phrase to use, since I’d been anticipating this trip for over a month.  I chose the time because it meant I could avoid as much traffic as possible.  Next time I’ll take my chances with the traffic.  The Symantec office is part of a very nice but unassuming complex that just happens to also house Yahoo’s.  Did you know Yahoo has a company store with all sorts of branded clothes?  Neither did I.

I’ve got pages of notes from the visit, and I’ll be writing most of it up for my Computerworld blog, but there will be bits and pieces of it I’ll release here.  For instance, Symantec’s working on a raw disk virus scanning technology.  In order to hide itself better, malware is starting to bypass the OS file system and write to the hard drive at the block level, and the AV companies have to follow it down to the same level of disk reading.  There’s a lot more, but that’ll have to wait.
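To make the block-level point concrete, here is an added toy illustration; it is not Symantec’s code or any description of how their engine works. It assumes a constructed disk image of fixed-size sectors and a made-up allocation table (the `fat` dictionary) that maps file names to the sectors they own, standing in for a real file system. A scanner that walks files through the OS only ever reads the sectors the allocation table points at, so a payload written straight to an unreferenced sector is invisible to it; a scanner that reads the device sector by sector sees everything. The `EVIL_PAYLOAD` signature and the file contents are constructed for the demo.

```python
"""Toy illustration of file-level vs. block-level scanning (added example, not Symantec's code).

The "file system" here is a stand-in: a disk image of fixed-size sectors plus an
allocation table mapping file names to the sectors they own. A scanner that goes
through the OS sees only allocated sectors; a scanner that reads the raw device
sees every sector, including ones malware wrote to directly.
"""
import re
from typing import Dict, List, Tuple

SECTOR = 64  # bytes per sector (toy size; real disks use 512 or 4096)

# Constructed signature for the demo; a real engine would carry many patterns.
SIGNATURE = re.compile(rb"EVIL_PAYLOAD")


def make_image(n_sectors: int) -> bytearray:
    """Return a zero-filled disk image of n_sectors sectors."""
    return bytearray(n_sectors * SECTOR)


def write_sector(image: bytearray, idx: int, data: bytes) -> None:
    """Write data at the start of sector idx (data must fit in one sector)."""
    if len(data) > SECTOR:
        raise ValueError("data does not fit in one sector")
    start = idx * SECTOR
    image[start:start + len(data)] = data


def scan_files(image: bytearray, fat: Dict[str, List[int]]) -> List[str]:
    """File-level scan: read each file's allocated sectors, as the OS would present them."""
    hits = []
    for name, sectors in fat.items():
        content = b"".join(bytes(image[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        if SIGNATURE.search(content):
            hits.append(name)
    return hits


def scan_raw(image: bytearray) -> List[int]:
    """Block-level scan: search the whole device image, report the sector of each hit.

    Searching the full buffer instead of one sector at a time also catches a
    signature that straddles a sector boundary.
    """
    return sorted({m.start() // SECTOR for m in SIGNATURE.finditer(bytes(image))})


def build_demo() -> Tuple[bytearray, Dict[str, List[int]]]:
    """Construct an image with one infected file and one payload hidden below the file system."""
    image = make_image(8)
    fat = {"readme.txt": [0], "notes.txt": [1, 2], "dropper.exe": [3]}
    write_sector(image, 0, b"Harmless text.")
    write_sector(image, 1, b"More harmless text, ")
    write_sector(image, 2, b"continued here.")
    write_sector(image, 3, b"MZ...EVIL_PAYLOAD inside an allocated file")
    # Malware wrote its body straight to sector 5, which no file references,
    # so a directory walk through the OS never reads it.
    write_sector(image, 5, b"EVIL_PAYLOAD stored below the filesystem")
    return image, fat


if __name__ == "__main__":
    image, fat = build_demo()
    print("file-level scan hits:", scan_files(image, fat))      # ['dropper.exe']
    print("block-level scan hits (sectors):", scan_raw(image))  # [3, 5]
```

The file-level scan finds only `dropper.exe`; the raw scan also reports sector 5, which no file owns. On a real system the raw pass needs privileged access to the device itself (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) rather than to the mounted file system, and the caveat the toy glosses over is that a rootkit already resident in the kernel can lie to that read path too, which is why this kind of scanning is strongest when done offline or from below the running OS.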

One question put to me had little to do with security:  how can Symantec reach out to other bloggers?  They understand blogging and podcasting and would like to talk to more bloggers.  They have the same problems internally that any corporation does as it explores Web 2.0, but they’re trying to adapt.  If you’ve got some ideas for them, let me know and I’ll put you in touch with them.

Oct 22 2006

Interview with Shava Nerad highlighted on For Immediate Release

Published by under Podcast

I’m a long time listener of the For Immediate Release podcast, and I got to meet Dan York at the Portable Media Expo last month.  So when Dan asked if he could use some of the audio from the interview with Shava Nerad, I said yes without a second thought.  Dan was very impressed with Shava’s story about how she fought the rumor that the Tor project was being targeted by the German police for child pornography (it wasn’t, so let’s not start the rumor again).  If you haven’t listened to the interview yet, you can hear it at about the 20 minute mark in the latest FiR podcast #182.

Thanks, Dan.
