July 2006 Archive

Symantec calling for front lawn brawl with Microsoft

July 31st, 2006

Past tense: John Thompson has openly mocked Microsoft’s security initiatives. His company is showing no fear, and I am sure there are a lot of folks snickering along with him. Microsoft is acting squirrelly. Then there are the flying lawsuits and the Mac endorsements.

I say the battle hasn’t gotten started just yet, but when it does it should be fun to watch.

***UPDATE***

If the combatant shows up with a lawn chair, goad them some more: Symantec says Vista could be less secure than XP.

Response time secondary issue with stolen laptops

July 31st, 2006

Companies need a phone tree to deal with stolen laptops full of personally identifiable data, according to this report over at eWeek.

How about a simpler “tree”:

- Keep important data off laptops and on secure in-house servers, followed by…

- Keep laptops full of data out of the back seats of cars parked in dark parking lots, followed by…

- Keep laptops full of data out of the hands of foolish employees who think said laptops are safe in the previously mentioned location (or safe unattended in crowded wi-fi enabled cafes).

If you don’t make contact, repeat the above steps until you do.

Five ways to get a security headache

July 31st, 2006

Information Week says you don’t have to wait for Vista to get its enhanced security - you can do it all now with Windows XP.

That tells me two things:

1) Vista’s security enhancements can’t be particularly mindblowing if you can replicate most of the behaviour now; and

2) Before you get started, you should ask yourself whether you can make the process less of a hassle than a top-shelf security guy could.

I’m not holding my breath.

***UPDATE***

Your best bet would probably be to attend the BlackHat get-together, and watch as Microsoft shows you how it is all done. I just hope the power doesn’t go out.

Who has time for honeypots?

July 31st, 2006

Whitedust Security talks honeypots, and all the fun you can have with them. For those just joining, a honeypot is a system put online purely to attract attackers - it has no legitimate users, so any traffic it gets is suspect, and once someone breaks in you get to study what they are up to. You can also set up a honeypot in the form of an email box that has never been published anywhere legitimate, catching spammers who harvest it and reporting them to blacklists.
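To make the idea concrete, here is a minimal low-interaction honeypot, added as an example for this post and not taken from Whitedust’s article or any real honeypot project. It listens on a few decoy ports (2222, 2323 and 8080 are arbitrary unprivileged choices), serves a fake banner, records the first bytes each client sends as a JSON log line, and hangs up. The banners, port list and log file name are all assumptions for the example; nothing here is hardened enough to sit in front of real data.

```python
"""Minimal low-interaction TCP honeypot (added example; not from the post)."""
import json
import socket
import threading
import time

# Decoy port -> fake banner. Values are constructed for this example; a real
# deployment would mimic whatever services the surrounding network actually runs.
BANNERS = {
    2222: b"SSH-2.0-OpenSSH_4.3\r\n",   # pretend SSH
    2323: b"\r\nlogin: ",                # pretend telnet
    8080: b"",                           # HTTP: the client speaks first
}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"OPTIONS", b"CONNECT", b"PUT")


def classify(first_bytes: bytes) -> str:
    """Rough label for what the client tried to do, judged from its first bytes only."""
    if not first_bytes:
        return "connect-only"          # port scan or banner grab, then hang-up
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client"
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "text"                  # e.g. a telnet login attempt
    return "binary"


def make_event(peer, dst_port: int, first_bytes: bytes, ts=None) -> str:
    """One JSON log line per connection; the raw sample is what you study later."""
    return json.dumps({
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        "kind": classify(first_bytes),
        "bytes": len(first_bytes),
        "sample": first_bytes[:64].decode("latin-1"),
    }, sort_keys=True)


def handle(conn: socket.socket, peer, dst_port: int, sink) -> None:
    """Serve the fake banner, capture the first request, log it, hang up."""
    try:
        conn.settimeout(5.0)
        conn.sendall(BANNERS.get(dst_port, b""))
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        sink(make_event(peer, dst_port, data))
    finally:
        conn.close()


def serve(dst_port: int, sink, host: str = "127.0.0.1") -> socket.socket:
    """Start a listener for one decoy port in a daemon thread; returns the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, dst_port))
    srv.listen(16)

    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, dst_port, sink),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


if __name__ == "__main__":
    # The sink just appends JSON lines to a file (name is an assumption).
    # Never run this on a box that holds real data or next to a real service.
    log = open("honeypot.jsonl", "a")
    for port in BANNERS:
        serve(port, lambda line: (log.write(line + "\n"), log.flush()))
    print("listening on", ", ".join(str(p) for p in BANNERS), "- Ctrl-C to stop")
    while True:
        time.sleep(60)
```

The point the Slashdot commenter below makes still stands: the listener is the easy part. The work is in reading the resulting log, which is why the event line keeps the raw first bytes rather than just a label.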

My first thought is that that’s what research groups are for - sysadmins generally don’t have time for that stuff.

The first Slashdot participant on the matter brought the point home:

“In addition to all of the things on the network I normally have to do at the office let me set up an entire phantom network just to “jack” with hackers. Yeah, I’ll get right on that.”

Like security pros, these folks need a little more respect. So researchers, why don’t you get to work on that?

Microsoft Kernel Patch Protection troubles security vendors

July 30th, 2006

Fact or FUD? According to firewall vendor Agnitum, Microsoft’s Kernel Patch Protection initiative may do more harm than good.

The issue at hand? Third-party security vendors’ ability to keep up with patches on Windows PCs, and at a stretch, the idea that hackers would benefit more than commercial software developers.

Is this an attempt by Microsoft to force people to use their security products? Who knows, but it’s an idea I can’t get my head around. It sounds like something Microsoft might try, but why they would want to expose themselves to further regulatory scrutiny is beyond me.

Either way, it is likely not the best move, as other computing platforms hit their stride, but then again, neither notion bodes well for third-party vendors. The fact that Microsoft security man Jesper Johansson walked out the door only leads to further confusion. What are the folks in Redmond up to?

Phishers show their love for eBay and Co

July 28th, 2006

According to a recent report by Sophos, phishers are persistently targeting PayPal and eBay users. The reason? Ubiquity of the services. eBay is available in 27 countries, and I doubt there are many people who haven’t bought, sold, or at least browsed for goodies.

That’s a big market to go after. Add the fact that there are probably a lot of casual internet users (i.e. not so technologically sophisticated) on eBay, and you have a big, targeted market for phishers.

I love stating the obvious.

What MySpace fixes, politics breaks

July 28th, 2006

The US House of Representatives has passed a bill requiring federally funded schools to block MySpace and other interactive sites from students.

MySpace is running around fixing problems with their system, some of which are user related anyway, and politics trumps the efforts with an overly broad bill that could turn half the internet into a stale, single-sided show for kids. No surprise - these are the same types of people that assure us the internet is “not a truck”, that Microsoft should produce WindowsGameLite (sans solitaire), and think we all run around with our IP addresses stamped on our foreheads.

I’m going to go out on a very fragile limb here and bet that when it comes down to enforcement time (which will be a “virtually” impossible task), they’ll be pointing fingers at someone else for their ineptitude. I can’t imagine who will be paying for it (hmm), but I can imagine that kids won’t be much safer.

***UPDATE***

Slashdotters had a lot to say on this subject. I find particularly interesting the part about how all this may distinctly affect the homeless and/or other poor people. Sounds on target, although I highly doubt it was intentional (even though someone will say it was sooner or later).

Hoosiers just a bit safer from data breaches

July 27th, 2006

A law which went into effect in Indiana requires companies to notify citizens when data breaches occur.

Public Law 125 excludes companies covered by federal laws, including the Patriot Act, the Federal Driver’s Protection Act, the Fair Credit Reporting Act, the Federal Financial Modernization Act, and HIPAA, meaning all companies are exempt. If the breach affects more than a half-million people, or the notification process is expected to cost more than $250,000, the company in question can have a $15/hour junior webmaster post a “conspicuous notice” on their website, and they can make fifteen $0.02 calls to local media outlets - all companies will be taking this option.

But the mandate does ensure that when more than a thousand people are affected, the company must notify credit reporting agencies. No word if the cost containment measures apply to this halfway decent portion of the measure, or how long the company has to wait before they actually opt-out of the law based on the federal exemption and/or make that “conspicuous” web post sans RSS feed.

AOL evolving so hackers do too

July 27th, 2006

The Washington Post says AOL is evolving, with an image makeover at Netscape leading the way.

What I see so far is them copying digg, and getting picked on by script kiddies.

If that is the first step in the evolution of a former web giant, I’d say they have “issues.”

***UPDATE***

Can’t blame hackers for this. I wonder how that “everything’s free” thing is going to work out, now that users realize their search results are free to everyone else too.

Virtual porn pad tries knocking off MySpace

July 27th, 2006

Everyone is jumping on the social bandwagon, and the latest and purportedly greatest (with dreams of a million members in six months) is Utherverse. Of course, it is touted as a place to “live your fantasy,” but it looks a lot like an amateur pornography site. No surprise there, as its mothership is something called the Red Light Center, a virtual playroom where you can change your underwear without anyone bothering you. Huh. Additionally, you have to download software to create all this fun - I doubt there is anything spyware laden in it ;-).

In the grand scheme of having no clue, the site is using T&C acceptance and credit card numbers to verify ages. I wasn’t kidding when I said that wouldn’t work. But why would Utherverse care anyway?

***UPDATE***

On a lighter note regarding MySpace, spyware company Zango (whose nasty spyware has been showing up on the site) is still doing its song and dance.

***UPDATE 2***

Zango’s tune? You’re a liar… (compliments of Sunnyboys).