Michael Gracie

Lucky 11 vulnerability scanners reviewed

Once you run them, you will realize that you have 2 million cross-site scripting vulnerabilities on your site that were supposedly fixed months ago by open-source hackers, and the firewall you just paid three grand for will resemble Swiss cheese because your junior sys-admin is still trying to get it configured.

Nevertheless, check out the review. (h/t to Slashdot).

Month of Apple Bugs gets its first swat

As a result of the “Month of Apple Bugs” initiative, the first pest has been found (h/t to Slashdot). It is a buffer overflow issue that, when exploited very carefully, could lead to an “exploitable remote arbitrary code execution condition.”

I won’t opine on exactly what “exploitable remote arbitrary code execution condition” Mac users might face, because I simply don’t know (and the find doesn’t mention any proofs of concept in action). I’ll just take their word for it.

UPDATE: Sounds like the bugs started a while ago.

UPDATE 2: Next, please.

UPDATE 3: The quick fix is deemed a counter-attack. The Month of Apple Bugs is not really an attack, so let’s just call all this by an infrequently used term… cooperation.

Gmail handing out contact lists

I have precisely three contacts in my database, and one of those steadfastly refuses being synced to the Blackberry so I’m not worried either way. But for the very popular set who also happen to be cheap enough to use a free email service and silly enough to store their Rolodex in one, Gmail might pose a problem.

Gmail’s JSON platform allowed websites to hijack users’ contact lists – a malicious site appended what’s termed a “callback” parameter to the URL, and when a user who was logged into Gmail came by, the browser sent the Gmail cookie along with the request and the hacker’s page received said information. Harvesting with a twist.

Google was quick to fix the problem, but the underlying risk remains. If you leave your data on someone else’s servers, you are beholden to their security force, however strong or weak it may be. It isn’t the first time something like this has happened at a large free email service provider, and it won’t be the last.
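To make the mechanism concrete, here is an added example (not code from this post, and not Google’s code) modelling the “callback” leak beside a hardened handler. It runs offline in Node with no dependencies; the contact data, the session cookie, the first-party origin and every function name (buildRequest, handleContactsVulnerable, handleContactsHardened, harvestViaScriptTag, firstPartyFetch) are constructed for the illustration.

```javascript
// Added example, not code from the post or from Google: a toy model of the
// "callback" contact-list leak, beside a hardened handler. All names and the
// sample data below are constructed for this illustration.

const ALLOWED_ORIGIN = 'https://mail.example.com'; // assumed first-party origin
const VALID_SESSION = 'sid=abc123';                // constructed session cookie

// Constructed sample data standing in for a user's contact list.
const CONTACTS = [
  { name: 'Veterinarian', email: 'vet@example.com' },
  { name: 'Pizza delivery', email: 'pizza@example.com' },
  { name: 'Stubborn unsynced contact', email: 'stubborn@example.com' },
];

// The request as the server sees it. The browser attaches the mail cookie to a
// <script src=...> load started from *any* site, which is the whole problem:
// the cookie proves the user is logged in, not that the user's own page asked.
function buildRequest({ cookie = VALID_SESSION, callback, headers = {} } = {}) {
  return { cookie, query: callback ? { callback } : {}, headers };
}

function sessionIsValid(req) {
  return req.cookie === VALID_SESSION;
}

// Vulnerable shape: authenticated data wrapped in whatever function name the
// query string supplies. The body is valid JavaScript, so a script tag on a
// third-party page executes it and that page's function receives the data.
function handleContactsVulnerable(req) {
  if (!sessionIsValid(req)) return { status: 401, contentType: 'text/plain', body: '' };
  const json = JSON.stringify(CONTACTS);
  if (req.query.callback) {
    return { status: 200, contentType: 'application/javascript',
             body: `${req.query.callback}(${json});` };
  }
  return { status: 200, contentType: 'application/json', body: json };
}

// Hardened shape: same data, three changes.
//  1. No caller-chosen callback for authenticated data at all.
//  2. Require a custom header. A <script> tag (or a plain form post) cannot
//     add request headers; the first-party page's XMLHttpRequest can. This is
//     the same class of defence as an anti-CSRF token.
//  3. When the browser does send an Origin header, it must be ours.
function handleContactsHardened(req) {
  if (!sessionIsValid(req)) return { status: 401, contentType: 'text/plain', body: '' };
  if (req.query.callback) {
    return { status: 400, contentType: 'text/plain', body: 'callback not supported' };
  }
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, contentType: 'text/plain', body: 'missing first-party header' };
  }
  if (req.headers.origin && req.headers.origin !== ALLOWED_ORIGIN) {
    return { status: 403, contentType: 'text/plain', body: 'bad origin' };
  }
  return { status: 200, contentType: 'application/json', body: JSON.stringify(CONTACTS) };
}

// Model of the third-party page: it defines a global function and loads
// /contacts?callback=<that name> with a <script> tag. Whatever the server
// returns is executed in that page; Function() emulates the script tag here.
// Returns the contacts the third-party page ended up holding.
function harvestViaScriptTag(handler) {
  const stolen = [];
  const req = buildRequest({ callback: 'stolenContacts' }); // cookie rides along
  const res = handler(req);
  if (res.status !== 200) return stolen;            // nothing to execute
  try {
    new Function('stolenContacts', res.body)(list => stolen.push(...list));
  } catch (e) {
    // A bare JSON array is a harmless expression statement; a non-JS body
    // throws. Either way nothing reaches stolenContacts.
  }
  return stolen;
}

// What the legitimate mail page does: an XHR with the custom header and no
// callback, then parse the JSON itself. Returns the contacts or null.
function firstPartyFetch(handler) {
  const req = buildRequest({ headers: { 'x-requested-with': 'XMLHttpRequest' } });
  const res = handler(req);
  return res.status === 200 ? JSON.parse(res.body) : null;
}

console.log('leaked via vulnerable handler:', harvestViaScriptTag(handleContactsVulnerable).length);
console.log('leaked via hardened handler:  ', harvestViaScriptTag(handleContactsHardened).length);
console.log('first-party fetch (hardened): ', firstPartyFetch(handleContactsHardened).length);
```

The custom-header check is what does the work: a classic `<script src>` load sends no Origin header and cannot add headers, so an Origin check alone would not have closed this, while a header the browser only adds from same-origin script does. Serving authenticated data as plain JSON without any callback wrapper is the other half, since the body then cannot be executed usefully by a script tag.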

My veterinarian and pizza delivery guy are still safe.

Happy New Year, from the zombies

Don’t believe anyone who wishes you a happy new year, at least if the greeting comes via email.

UPDATE: The “Happy New Year” worm is still spreading on the net.

Late to the punch…I say. You’d think those worms would know something about internet time (or is that the news I should be criticising?).

The last day of the year – time for 2007 predictions

It is the last day of 2006. What better time for predictions…

From the experts:

Spamroll says:

  • Spam will not end in late January (and Bill Gates will remain mum thereafter)
  • Some spyware companies will be getting sued again by February, while the rest change their company name
  • The government will quit buying consumer data in March, after determining that who is buying TMX Elmo is in no way correlated with who has a tendency to be a terrorist
  • Everyone will be backing up their hard drives by April, but only if external hard drives are free
  • They’ll be encrypting them by May, because everyone will be running hacked versions of Vista
  • We’ll all take the summer off, since phishers already do
  • Back-to-school will piss off millions of children, and not much else
  • October will be much like September
  • Telcos will implement IPv6 for Thanksgiving, and everyone on the internet will know who everyone else is, once and for all (with the exception of MacBook Pro users, which are already being tracked via heatsink)
  • We’ll get a ton of self-serving predictions for 2008, a week early at Christmas

Happy New Year!

UPDATE: Sarcasm does work – someone is thinking about backup.

When to negotiate with kidnappers

In the movies, the law enforcement types always say that once the kidnappers get the bag of money, the loved ones are going to die. Then the SWAT team rolls in and everyone gets killed anyway.

But when it comes to getting your domain kidnapped, maybe the best move is to negotiate, and then cough up the dough. At least that’s the course of action Blueprint Ventures recently took. Then again, given the choice between giving the money to the kidnappers or giving it to a bunch of lawyers, it was an easy decision.

Is trust in Google headed south?

Mike Arrington wonders:

Part of the problem is that Google has always held itself to a higher standard than other companies. We took them seriously when they said their corporate motto is “Don’t be evil“. It was the right thing to say when they were young and battling the hated Microsoft. But today, as they begin to put themselves before what’s best for their users, that motto is coming back to haunt them.

Hell, I’m just trying to figure out why Spamroll is no longer in the Google index.

“I don’t care about Vista security.”

“I am shipping antivirus software for the platform anyway.” – Kaspersky (another security company not worried about Vista security).

Spam “Shocker of the Year”

Are you sitting down? If not, please do, as we don’t need anyone passing out and hitting their head. Ready?

Government heeds the big encryption call

It took laptops disappearing with tens of millions of records on them, but the US Government is finally getting the hint. It’s now full disk encryption for all their computers.

Not that it really matters – they are going to have a lot less to protect as of the new year.

UPDATE: Bruce Schneier thinks full disk encryption might be overkill. I think that picking and choosing what to encrypt, in a bureaucratic environment, is probably more headache than it’s worth.