Wednesday, February 24, 2010

Exploitable Third Party Software

The company that is the target of 80% of the Internet desktop exploits uses a third party software downloader to distribute it’s product.

The downloader turns  out to be exploitable.

In this case, I have no sympathy for Adobe. Based on their track record, it’s safe to assume that if they’d have written the downloader instead of buying it, it’d be exploitable anyway.

But for the rest of us? What do we do when our dev team wants to integrate third party software into our home-made applications?  How do we know that widget-kit6 is not going to be the exploit path that leads us to our RGE? Let’s pretend that we’re writing the worlds best code and that we’ve got a sound design. What about that pie-chart wizard thing that we downloaded from the net and included in our build?

I don’t want to think about it right now. I need to check all my online bank accounts & make sure they haven’t been hijacked in the hour since I checked them last.

Wednesday, February 17, 2010

O Broadband, Broadband, Wherefore Art Thou Broadband?

The FCC Chairman wants faster broadband. Perhaps as much as 100Mbps to 100 million households (out of about 115 million total households).

Google wants to see what happens if we have Gigabit to the home. They could ask University students. Gigabit to the dorm room isn’t unusual. Instead they’ll wire a community or two and try to figure it out themselves. (What they’ll find is that when you have gigabit to your residence, you plug in a wireless access point, step it down to 50Mbps and share it with your friends).

Broadband deployment is rising, but only 2/3rds of households have it.

Some people don’t want broadband. Others want it but can’t afford it.

Some people can’t have it. I’ve taught network management courses at a nearby community college the last couple years, and each semester I have at least one student who can’t get terrestrial service at ‘better than dial-up’ speeds at any price. The students live within an easy commute of a  metro area with 2.5 million people. Something’s wrong there.

I have a relative that lives 2.5 miles from the city limits of a community with a significant higher than average income, brand new police cars and fire trucks and a community theater, whose only non-dialup connectivity is 3G from Verizon. There is no DSL and the cable company wants a couple grand to extend their infrastructure.

I’m not really sure what broadband is, other than it’s faster than dialup. I’ve heard that some people think broadband is 768Kbps. I think that’s a bit on the slow side. On the other hand, having daily access to network speeds from 200Kbps(EDGE) to gigabit, for general browsing I don’t think that there is a use case for Internet speeds much greater than 4Mbps or so. I’ll argue that running a fast browser with a smart Javascript interpreter, combined with noScript and AdBlock+ makes browsing at any speed above 768Kbps or so as good as any other speed, and I’ll argue that my significant other and I can watch two different ordinary media streams at a reasonable quality at the same time on 6Mbps; so that speed or something similar should be a floor (not a ceiling). High def is nice, but even Cisco’s TelePresence at 1080p is only a 15Mbps stream.

I’ll also argue that the Internet is essential form of communications and will replace all other forms of electronic communications and most mail/paper based communications, and therefore must be ubiquitous. Network access today is comparable to rail access in the 19th century, to electricity in the early 20th century and interstate highways in the mid 20th century. If you are bypassed, your community will die. If you do not have access, you cannot compete.

Assume that a society is willing to spend resources on universal network connectivity. Where should the resources be focused?

  1. Medium speed (4mbps) to all of the population (think electricity).
  2. High speed (100mbps) to 85% of the population?
  3. Gigabit to .1% of the population?

I think that:

  • Network access should be ubiquitous.
  • Moderate speeds and ubiquitous coverage is more important than high speeds with 85% coverage.
  • Low access costs are essential - under $40/month, for example.
  • Broadband should be national policy, supported by something similar to the US’s 1930’s Rural Electrification Act.
  • There will have to be REA like government ‘participation’.
  • There have to be reasonable quotas. Comcast’s 250GB/month quota is quite reasonable. Others are not.

In other words, the focus should be on coverage and cost, not bandwidth.

High Definition streaming television is a luxury. Basic 4Mbps internet access is as much a necessity today as electricity was in the 1940’s.

Let’s stay focused on necessities.

Sunday, February 14, 2010

Items on your computer may not yet have been classified for risks.

I finally figured out the problem with the Internet. Microsoft has not yet classified the risk of installing Flash’s OCX control:


It would be nice is there was a way of giving Microsoft a hint. A minor modification to the dialog box would be sufficient:

 Flash-Classficiation - Corrected

I can dream, can’t I?

Thursday, February 11, 2010

Only My Manager is Authorized to Comment....

In a somewhat tragic story, an Uzbek  photographer has been convicted of "slandering and insulting the Uzbek people" by publishing pictures of unhappy Uzbek citizens. Apparently all Uzbeks are actually happy, so the pictures were considered slander. 

Repression and totalitarianism aside, there is an amusing bit:
"An employee of the Uzbek general prosecutor’s press office said that only his manager was authorized to comment and that the manager’s position was at present unfilled."
I'll have to remember that one.

Friday, February 5, 2010

Payroll Processor Hacked, Bank Accounts Exposed

From the Minneapolis Star Tribune:

“A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide”

A corporation gets hacked, ordinary citizens get screwed. It happens so often that it’s hardly news.

This is interesting to me because Ceridian is a local company and the local media picked up the story. That’s a good thing. I’m glad our local media is still able to hire professional journalists. The executives of a company that fail like that need to read about themselves in their local paper and watch themselves on the evening news. They might learn something. If we’re lucky, the hack might even get mentioned at the local country club and the exec’s might get a second glance from the other suits.

We aren’t that lucky.

In a follow up story, the Star Tribune interviewed a man who claims that he has not had a relationship with Ceridian for 10 years, yet Ceridian notified him that his data was also stolen. The Star Tribune reports that Ceridian told the victim that the compromise of 10 year inactive customer data was due to a ‘computer glitch’:

“a Ceridian software glitch kept it in the company's database long after it should have been deleted.”

Sorry to disappoint the local media, but computer glitches are not the reason that 10 year old data is exposed to hackers.

Brain dead management is the cause.

But even brain dead management occasionally shows sings of life. According to the customer whose 10 year old data was breached:

"The woman from Ceridian said they're working on removing my information from the database now,”

Gee thanks. What’s that horse-barn-door saying again?

Given corporate America’s aversion to ‘DELETE FROM…WHERE…’ queries, my identity and financial information is presumably vulnerable to exposure by any company that I’ve had a relationship with at any time since computers were invented.

That’s comforting.