May 2006 Archive

Anti-virus needs an anti-virus

May 26th, 2006

I’ve picked on Symantec way too much, so I will keep it short. Researchers found a hole in Symantec’s anti-virus product suite that could allow complete control of a computer to be had.

See, I kept it short - it’ll get fixed soon (we hope).

UPDATE: Symantec gets kudos for plugging the hole in record time. Now if they could only help me with my problem.

The Frog, resurrected without color

May 26th, 2006

Blue Frog didn’t fare too well, but that doesn’t mean the concept of fighting spam with spam has completely died. The Okopipi Project has arisen to “continue the legacy of the Blue Frog anti-spam tool.”

While I never liked the concept, I love open source, so I’ll just call this post quits right about now (but not without leaving you with what Slashdotters had to say about it).

Whose filters are at fault?

May 26th, 2006

A debate is brewing as to whose fault it is if someone else’s spam filter catches your important email.

Techdirt’s example (link above) was a company losing a project contract because a last minute bid request was made, and the response disappeared. Whoops. Mine is responding to an attorney, agreeing to a waiver of conflict so a filing can get out the door today. In either case, who is responsible if that email doesn’t make it?

I’d say it is the sender’s responsibility to make sure its emails are clean, and that its systems are not on blacklists. Clean means free of overzealous amounts of HTML, oft used slang, etc. And I recently moved hosts for another site because the shared server I was on was on a blacklist itself. I used the email address from that server for everyday communication with my 2.4 0.4 friends, and some joker I was sharing the server with was obviously doing some spamming. Arghh.

Of course, this declaration won’t end the debate - inept internet users have to have someone else to point fingers at, don’t you know.

Helping a sys admin can cost you jailtime

May 25th, 2006

If you are the white-hat type, it may not be worth your while to report a security vulnerability - you could wind up a prime suspect if the system in question is ever hacked by someone else.

I think this is a law enforcement/investigations issue - they have a set of rules they follow, and those rules really don’t apply in a world where people create software and then give it away. I’m talking rules like “the criminal always returns to the scene of the crime” kind of stuff. Investigators are naturally incredulous of help - they have a dirty job to do, so it is not all their fault. They’re jaded.

Conclusion: all the more reason to keep on reporting holes, in order to change the mentality. Cooperation benefits everyone, at least in the long run.

That is, of course, not a wise move if your vulnerability outing plans include extortion.

Don’t worry - data thieves are ignorant

May 24th, 2006

Email Battles noted that a Veterans Administration laptop with 26.5 million social security numbers was stolen, and that the VA responded by saying the thieves may be..

“..UNAWARE OF THE INFORMATION WHICH THEY POSSESS OR OF HOW TO MAKE USE OF IT.”

Uh..were the thieves “unaware” before or after they cased the situation, noting where the laptop might be and at what time? Or maybe they were “unaware” until they realized how stupid the VA was, and that just such a major announcement was forthcoming, and then they would become “aware” of what was on said machine. No, they were probably just regular readers of these pages, and became “aware” of what prime targets laptops were.

My bad.

Sony reaches pathetic settlement on rootkits

May 24th, 2006

Sony’s rootkit debacle didn’t turn out that bad for them after all. Despite the lawyers jumping on the opportunity and Microsoft putting the product on its spyware list, the company comes out smelling like a rose (at least if your nose is that of a shareholder).

The settlement - if you jump through hoops, joining the class group and getting on a list, you get a free CD and a few restricted downloads. Wow!

Some people likely spent days (if not weeks) cleaning up systems as a result of this issue - lots of lost productivity and likely lots of lost money. A new CD? Some folks are pissed. I ask “what did you expect?”

419 is too well organized

May 24th, 2006

Fortune outlines some of the dynamics of the Nigerian 419, calling the “business” a major attraction for the disenfranchised. Very interesting, but the notion that there is only one kingpin above the scammers surprises me. The whole thing sounds a lot like the street drug trade, and with that we know there are always bigger fish there.

Everyone’s replacing Internet Explorer

May 22nd, 2006

Even the malware!

Facetime Security Labs discovered a new worm affecting Yahoo Messenger which installs new browser function over IE, and redirects the user to a new spyware-laden home page.

Facetime called it:

“..the first instance of a complete web browser hijack without the user’s awareness.”

I call it “thank goodness for iChat.”

PGP still a force, but where?

May 22nd, 2006

In the face of an identity crisis going on around the internet, The Register asks: “Whatever happened to PGP?”

Well, it is still on MY desktop, although I must say a few things about its use:

1) It does a fine job of encrypting virtual disks, so I know my data is safe (and I like the container concept);

2) The email encryption is not often used - I don’t know too many people in everyday life who know what a public key is and how to use it to read my scrambled messages; and

3) I sign my messages with a free Thawte certificate, because it is easier on everyone else.

None of this means I am trying to play down PGP - in fact I have been a loyal, paid, consistently upgrading (and patient on migrating to OS X) user for years. It is just hard for someone to explain how a public key or an encrypted file works, when the party receiving the information doesn’t have the program. I think PGP is simple enough to use, priced appropriately, and readily accessible - it’s just that everyday joes don’t seem to know about it. And sorry, but OpenPGP is not going to take the thing mainstream.

Nevertheless, for those who have an interest in protecting their bits and bytes with PGP, here’s a little more.

Note: all the good things I say about PGP don’t mean I have some deal with them, but that’s not for lack of thinking about it. In fact, they never returned my emails suggesting a partnership…maybe that’s the problem!?

Another security leader calls Vista bunk

May 22nd, 2006

Hot on the heels of the Symantec dissing (and then suing) of Microsoft over the whole idea of security in the perpetually delayed upcoming Vista operating system, another security industry leader has announced they are not worried either.

David Moll, CEO of Webroot, says the security in Vista will be akin to “locking half the doors in your house.”

After reading about this guy Moll’s scrappy background, I’ll just bet Microsoft is in for a fight, and I suspect that fight won’t be in a courtroom.