Network Security Blog

So my ignition system on the 2003 Ford Focus ZX3 is working again, after spending $423 and 90% of my day waiting to get it fixed.   The folks at Economy Lock and Key did a good job of cleaning most of the metal shavings off of the car floor, though I had to reposition the upper hood assembly just a little, and they used a Ford ignition kit (SW-6285/5S4Z-11582-BB), which may not be the best solution if it’s going to cause the same thing to happen again in a couple of years.  They weren’t quite as nice to me financially as I’d hoped, charging me about $40 more than originally quoted for the part and an hours more labor, but considering it too most of their day too, I’m not going to be too hard on them.  On the other hand, I am signing up to be part of the class action lawsuit here in California, being pursued by the law firm, Fazio | Micheletti.  I had a lot better things to do with my day than spend it waiting for my car to get fixed, for a problem that was just cheap parts. 

These are not words you really want to hear.  Because they usually mean money.  I own a 2003 Ford Focus ZX3, and recently the ignition lock started acting finicky.  Last night it decided it had enough and just wasn’t going to allow me to turn it at all.  The good news is I was at a shopping center two blocks from home, getting my wife dinner, so it was only a few minutes to get home, but I decided to leave the car overnight, since I didn’t have the energy to deal with it just then.

When I called the locksmith this morning, the first words out of the dispatcher’s mouth were, “That’s a common problem, I’m surprised they haven’t done a recall on that yet”.  I realize not being able to start the car isn’t a life threatening situation, but the fact that this is happening often enough for the locksmith to not only be aware of it but actually anticipate it really burns me up. I love my little Focus, and it’s been a great car over all, but the fact that I’m about to spend money on a known problem does not make me want to buy another Ford next time I’m looking for a car.

I think my next step is to go have a short talk with the local Ford dealer.  Now I’m curious to see if there are any other ‘known problems’ with the car that I’m driving around.  It’s got nearly 100,000 miles on it already, and if I hadn’t just done major work on the car, I might be looking to replace it.  And this event puts getting another Ford a lot less likely.

Update: $260 to replace the locking mechanism on the steering column, plus the knowledge that the Focus locking mechanism is probably going to have to be replaced again in 2-3 years. Yay.

Update 2: The locksmith has 6 different locks that are supposed to work with my car. So of course, the lock barrell in my car is none of those. And the one it uses is over $100 more and may not be available until tomorrow. The good news is, the locksmith (Economy Lock and Key) is sticking with the original estimate and giving me the lock for what he originally quoted me. That’s good customer service.

Update 3: Read the comment on this post by locksmith Kim Stagg. This is a known problem that is facing a class action lawsuit here in California. Mine is one of the locks that had to be drilled out and for whatever reason a Strattec barrel won’t fit into the lock. Thanks for the information Kim.

I got permission from my better half yesterday to purchase a plane ticket to Las Vegas for the end of Black Hat and all of DefCon.  I’ll be armed with video camera and recording equipment for the podcast and an insatiable curiosity.  It’s already starting to look like most of the evenings at the events will be spoken for, in a good way.  Good thing I’m going to have several buddies with me to help me back to my room afterwards.  Or am I there to help them?  Whatever. 

Looking forward to meeting people there, it should be even more fun than Shmoocon, since I know a lot of people I’ve only met online who are going to be there.

The Information Security Sell Out has been an anonymous, outspoken critic (aka troll) of the security community for much of this year. He’s hidden behind his anonymity, attacking researchers and the security community in general. But anonymity is only an illusion on the Internet, especially when you’re attacking the people whose job it is to hunt down hackers for a living. On Tuesday, security blogger Cutaway claimed to have had the identity of the Sellout revealed to him by anonymous sources. Shortly after this information came out, the Sell Out’s page disappeared from the Internet. The Sell Out claims it was hacked, but it was suspiciously timed with Cutaway’s post and the Sell Out’s claim of having a weaponized Apple worm

Last night I was used as an example of a site that has Google ads in a blog post on the Computer Defense blog.  No offense was meant, or taken, but it got me thinking: do putting ads on your site mean you’re any less passionate about your blogging?  Does wanting to make a few bucks off of the traffic coming to your site make the content on the site any less valuable?   As I commented on the site, I don’t think there’s anything wrong with wanting to make a few bucks off of what’s basically a hobby.  I think of it as being almost exactly the same as an amateur furniture maker who sells what he makes at a local store; he’d doing what he loves and making a few bucks off of something he’d be doing anyways.

I’m passionate about security and I really enjoy blogging.  I like the minor income that Google ads bring in, but it’s not much more than enough to take my wife out to dinner once in a while.  If readers told me the ads were obnoxious and annoying, I’d remove them as quickly as possible.  But in the time I’ve had them up, this is the first real negative feedback I’ve gotten.  Maybe they’ll disappear when I eventually get around to redesigning the site, but truthfully I think they’ll stay.

I’m not going to be putting any ads in my RSS feeds, that’s one thing I can state without equivocation.  I find that almost as annoying as Ty and the other commenters do. And the extra $20 a month really aren’t worth annoying anyone.  And I have to agree with LonerVamps comment that number of ads I’ve seen popping up on different forums lately is infinitely more annoying than ads on a blog.

Ads are the staple for some sites, mostly sites that get a lot more traffic than I do on a daily basis.  Some people even make a living due to the ads they have on their sites.  Does that make their contribution any less valuable?  I don’t think so, though if the author starts concentrating more on revenue stream than post quality, both will suffer.  Are ads to distracting to the other information that’s on the site?  This is a definite possibility if done poorly, which I admit may be the case on my site.

I’m interested in knowing what readers think.  Do you think the ads are distracting or obnoxious?  Or are they just part of the landscape of the blogosphere?  Do you filter them out unconsciously, or read each and every one?  Or are you like me and have installed NoScript and AdBlock in Firefox and don’t even see most of the ads.  Heck, I don’t even see my own ads most of the time for exactly that reason.

Technorati Tags: security, blogging, ads, Goolgle

Okay, it probably has absolutely nothing to do with Cutaway, but he is suspicious that the Information Security Sell Out page was wiped clean just a couple of minutes after he posted the identity of the Sell Out.  Or maybe the LMH and the Phrack High Council didn’t want to leave any more evidence on themselves available than they absolutely had to.  Personally, I’m more than a little glad to see them outed, especially since they’ve been generally rude and obnoxious because they thought they could hide behind their anonymity.

I haven’t been watching the Sell Out’s site very closely, so I wonder what they had up there that they decided needed to be pulled from public view.  Of course, Google probably has each and every page archived, so pulling it is more than a little pointless, but I guess it’ll keep casual browsers from viewing the page any more.  Or maybe they just annoyed another hacker group enough that someone took down their page for them. 

Technorati Tags: security, sell out, cutaway

I’m still getting back into the swing of doing the podcast, but I can feel the mental muscles I use to talk for 30 minutes at a time loosening up a little.  Tonight’s a little heavy on the Apple front, but given the amount of press some people have been giving the iPhone recently, I figure one podcast containing a iPhone story isn’t all that bad.  Part of me still wants an iPhone whether it has vulnerabilities or not.  Of course, I just realized that I still haven’t seen an iPhone in person, so maybe I’ve just fallen for the Apple marketing.

Show notes:

• Computerworld – Report:  Data breaches don’t often result in ID theft
• SPI Laboratory – SPI Labs advises avoiding iPhone feature
• Networkwold – iPhone flooding wireless LAN at Duke University
• Threat Level – Google Changes Cookie Policy but Privacy Effect is Small
• Information Security Sell Out – Oh Look. An Apple Worm
• InfowarCon 2007
• Tonight’s Music:  Grace Potter and the Nocturnals – Oh Mary

Network Security Podcast, Episode 69

Time:  27:36

In May, I caught up with Michael Farnum at the Texas Regional Infrastructure Security Conference in Austin, Texas. Michael is a fellow blogger and writer for Computerworld, who gave a presentation on the importance of reading blogs to secuity professionals today. Even in a high-tech career like computer security, there are still too many people who give a blank stare when you mention terms like “RSS feed” or “newsreader.”

I’m not a big fan of the Information Security Sell Out, but I have to admire the fact that he’s created a ‘weaponized’ worm for Mac OS X.  He’s (or they) are refusing to show a proof of concept or release the vulnerability, so all we have so far is a claim, but I’m willing to believe that this is something real.  I’ll be interested in watching my Mac Book Pro over the next few months to see what patches are released and if anyone is given credit for discovering the vulnerabilities.  Not that I expect Apple to give anyone credit.  Or the Sellout to do anything as obvious as putting his own name on a vulnerability after posting that he’s got an exploit.

Stephen Toulouse has been one of the most visible security people at Microsoft since 2002.  If you go to any major convention, there’s a good chance Stephen would be the one organizing the meetings with bloggers.  Or at least thats how I met him.  I was talking to Richard Bejtlich at RSA 2006, the first time I’d actually talked to Richard one on one, and he mentioned he was heading to a lunch put on by Sunbelt Software and Microsoft.  I tagged along and Stephen immediately made me feel welcome at the lunch and a great conversation was had by all.  Unluckily, I didn’t get a chance to meet Stephen again until RSA this year, and now it appears I won’t be seeing him at any Microsoft lunches any time in the foreseeable future.

Stephen is still working for Microsoft, he just won’t be with the security team any longer.  If there’s one thing that’s geekier than being a Microsoft security guru, it’s becoming an X-box Live guru. I’m not a console gamer, but from what I’ve read on his site, that really is Stephen’s passion.  And if you can get a job doing your passion, I say go for it!  I know from recent personal experience, it may not always work out as planned.  But it’s better to have tried and failed than to live your life regretting the chances that slipped through your fingers.

Congratulations Stephen.  The security teams loss is Xbox Live’s gain.  Of course, this means you’re off the list for RSA 2008′s Security Bloggers Meetup, but there has to be a price to pay for your dream job.

Technorati Tags: Microsoft, Stephen Toulouse, Xbox Live