
Michael Gracie

Spy agency helps Microsoft build Vista

It may have been a good move to get some hardcore security guys involved in the development of Vista, but a lot of people are going to question why Microsoft looked to the NSA, which has been under fire recently for spying on people at the request of the Bush Administration.

Adding fuel to the upcoming fire…

The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system.

Then again, maybe the idea was to position the upcoming operating system to be used by political bloggers, and/or throw a bone to the 110th Congress…

The NSA also declined to be specific but said it used two groups — a “red team” and a “blue team” — to test Vista’s security. The red team, for instance, posed as “the determined, technically competent adversary” to disrupt, corrupt or steal information. “They pretend to be bad guys,” Sager said. The blue team helped Defense Department system administrators with Vista’s configuration.

So the “blue team” were the good guys.

I guess I’m wondering whether the only one that is going to turn out bad or good is the Microsoft PR Team, when the whole concept spins in or out of control.

UPDATE: Bruce Schneier asks: Is this a good idea or not?

Saddam Hussein, posthumously an ID theft conspirator

ID thieves are using the now infamous video of Saddam Hussein’s execution as a trojan horse for ID theft-enabling malware. The former Iraqi dictator may have been a lot of bad things in life, but I’ll bet one of them wasn’t a malware writer.

And for those who have been hiding under rocks for the last few weeks, here’s a roundup of Saddam execution/video stories.

StopBadware needs to HoldPresses

StopBadware, the powerhouse coalition brought together to warn folks about dangerous internet sites, doesn’t seem to be working too hard. As Techdirt points out, it doesn’t take much to get on the list, but it is a pain in the ass to get off.

Add to that the fact that Google (in cooperation with WebSense) is warning people via their site, which can really put a damper on your traffic even if you aren’t guilty.

I previously mentioned that StopBadware should probably agree on a scope for what constitutes “XYZware” before they got rolling, but I guess I was wrong. They are just taking everyone’s (and anyone’s) word for it.

Terrorist threat alerts via email

The British Security Service MI5 is going to start issuing security threat updates via email.

How long until spammers start emulating these alerts, and the alerts themselves wind up in the filters?

Getting bugged by your Acer?

I’m not going to opine on the validity of this discovery, but I’ll throw in my two cents on the Slashdot commentary.

Some folks noted that when they received their machines, they immediately reformatted the drives and reinstalled (or installed alternative) operating systems. When I was part of the Windows world (using Dells) I did the same, never quite trusting the factory install. And I always had a retail (or MSDN Universal Subscription) version handy to do it.

Do all Windows machines come with manufacturer images nowadays?

What social networking needs is less PR

I hope online predators are too busy hiding from the cops to read the latest Pew study.

The premise remains – kids are smarter than their parents think. But maybe what we need is a little misinformation now and then to quell the concern.

I’d like to see a study released that says “85% of all social networking profiles are created by beer drinking, football-crazed men aged 35-45 who have concealed weapons permits and moonlight as undercover agents.” What would the scumbags think then?

Imagine the botnet problem, now and then

If you think the whole botnet issue is bad now – zombiefied computers galore spewing more virus-laden pharmaceutical spam than you can shake a stick at – imagine what it will be like when everyone has one of these.

I guess the bright side is…if it is stuck in a closet with no monitor, you have an excuse when the police show up.

UPDATE: Here’s a roundup on the home server, for the curious.

Apple’s month it is, but controversy remains

This is where the whole security by obscurity thing really comes into play…

MacWorld is starting, and concurrent with it comes a beautiful step-child – the Month of Apple Bugs. People are finding bugs in OS X, and others are busy fixing them. That’s great, but you can never make everyone happy – some are questioning the concept of telling the world about the security issues before notifying Apple.

“In the long term, this project is making OS X more secure,” said Gus Mueller, a developer who sells his software through his company Flying Meat. “However, in the short term, these bugs, once shown, can be used destructively.”

So hackers are going to run out and build new exploits, then co-opt their zombie networks for the purpose of capitalizing? Is that what someone is suggesting?

First, that process would be like trying to find a needle in a haystack – Apple computers still make up a small percentage of installs worldwide. Then, you have to target a handful of slightly obscure exploits. If you’re the miscreant, you get started, but have to race Landon Fuller & Co. while they are fixing the exploits. All the while, you are hoping every Apple employee is at MacWorld (i.e. nobody at Apple is paying attention to the finds or the fixes).

An unlikely scenario.

Meanwhile, I don’t hear anyone at Apple bitching about this. For those in their security department (if they have one), it should be a party. They’ve got others doing their job for them!

Botnets hit the Sunday paper

I can’t help but smile with glee over this…

The issue of zombies and the problems they cause on the networks has hit the New York Times.

No, I am not happy because the New York Times is my favorite paper or anything; my joy comes from the awareness it is providing. Too many people just don’t get it (until the police show up)…

Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely.

That’s one way to find out your computer has been hijacked. And while reading the paper isn’t going to fix the problem, at least it might make you aware that one could exist.

UPDATE: Bruce Schneier agrees – popular attention is a good thing.

Acrobat bug biggest of 2007!

Now that is saying something, since it is presently January 6th. No, I’m not the one saying it – some security researchers are, and those researchers are implying it could be the biggest bug of the whole year (but I think that is only because they know Acrobat Reader has a huge install base, and most people are too dumb to bother implementing a patch when it does arrive).

Adobe has been on a decent streak as of late, so no better time to try and kick them down. The bright side of this is that it is free software we’re dealing with, so at least you didn’t pay to have your computer screwed up.

Note: Spamroll wins, however – a new category has been started – Software Bugs! Report quirks at your leisure.

UPDATE: Speaking of free software in need of patching…OpenOffice. I need to do it too, OpenOffice being a great tool for parsing small database tables when readying for import – Excel for Mac does a crappy job at it.

UPDATE 2: Since I’m on a free software binge this morning (while the dog pesters me for a walk), Dr. Dobbs notes that the free TrueCrypt encryption software is a hell of a way to thwart phishers. Check it out.