[SecurityRatty] tag: geeks

Please dont ever die guys, we need you!

Mon, 21 Jul 2008 15:54:41 +0000

Sadly, we have very few heroes nowadays. This time in our lives is sure different.

Commemorating the Ultimate Geek-Project: Apollo 11

Thirty-nine years ago, on July 20, 1969, two ultra-geeks landed upon Luna, Earth’s moon.? Their mission was called Apollo 11.? While the vast majority of the press at the time was devoted to Armstrong actually setting foot upon the Moon, the really crucial aspect of the landing on the Sea of Tranquility was just that, the landing.? This day commemorates the culmination of the science, technology, and massive national effort that went into the American Space Program.? In commemoration, we salute the second man to walk upon Luna, the Lunar Module Pilot of Apollo 11: Edwin Eugene “Buzz” Aldrin, Jr.

Locksmiths Hate Computer Geeks who Learn Lockpicking

Thu, 17 Jul 2008 09:30:27 +0000

They do:

Hobby groups throughout North America have cracked supposedly unbeatable locks. Mr. Nekrep, who maintains a personal collection of more than 300 locks, has demonstrated online how to open a Kensington laptop lock using Scotch tape and a Post-it note. Another Lockpicking101.com member discovered the well-publicized method of opening Kryptonite bike locks with a ball-point pen, a revelation that prompted Kryptonite to replace all of its compromised locks. Other lock manufacturers haven't admitted their flaws so readily. Marc Tobias, a lawyer and security expert, recently shook up the lock-picking community by publishing a detailed analysis of how to crack the uncrackable: Medeco locks. "We've figured out how to break them in as little as 30 seconds," he said. "[Medeco] won't admit it, though. They still believe in security through obscurity. But by not fixing the problems we identify, lock-makers are putting the public at risk. They have a duty to disclose vulnerabilities. If they don't, we will."

Listen up IT geeks and users alike!

Mon, 07 Jul 2008 16:38:36 +0000

You gotta read this great article about online security.
The author should run for president. His common sense is a breath of fresh air.
Great Article, Im reading part II now.

clipped from technet.microsoft.com

Passwords and Credit Cards, Part 1

Some days it feels like most of the security advice and many of the security technologies we inflict upon our users is inactionable, incorrect, incomprehensible, or (in many cases) some combination of the three. In this three-part series, I am going to look at some of the ways we confuse users by giving advice and deploying technologies that are guilty of one or more of these three I’s.

Do geeks make good jurors in tech cases? Not always

Thu, 05 Jun 2008 20:00:00 +0000

Should geeks serve on juries in disputes that involve high technology? Not necessarily, according to a federal judge, speaking at a computer security conference Thursday.

Dan Geer on Security, Monoculture, Metrics, Evolution, Etc.

Tue, 27 May 2008 02:23:23 +0000

Here is the text and video of Dan Geer's remarks at Source Boston 2008, basically a L0pht reunion with friends.

At the end of the day, however, we are facing a much bigger, more metaphysical question than the ones I have so far posed. That I can pose many others is of no consequence; either you are sick of them by now or you are scribbling down your own as I speak. The bigger question is this -- how much security do we want?
A world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have. At some point, real soon now, some of us security geeks will have to say that there comes a point at which safety is not safe.

A Review of Hakin9 IT Security Magazine

Mon, 26 May 2008 01:12:53 +0000

A new issue of the Hakin9 - Hard Core IT Security Magazine is "in the wild", and since the editorial staff has been kind enough to provide me with issues of the magazine for a while now, in this post I'll review the latest issue with the idea that constructive confrontation leads to the best output achievable.

There are many different ways to review a magazine, however, I'm always sticking to the following critical success factors for a quality magazine :

- The presence of a vision
While a vision is often taken for granted, or even worse, a mission gets misunderstood for a vision, in Hakin9's case the vision could be perhaps best rephrased as "Spoiling the geeks who beg for a nerdy talk to them".

- Content quality

The magazine truly delivers what it promises, namely, hardcode content in sections such as tools review, basics, attack, defense, book reviews, consumers test, and interviews. And whereas the key topic in this issue is LDAP cracking, I really enjoyed the Javascript obfuscation article, with the practical examples provided. A bit ironic, the issue is also reviewing a commercial source code obfuscator, which just like legitimate anti-piracy tools used by malware authors to make their binaries harder to analyze, can also be abused for malicious purposes.

- Relevance of information
The information provided in the articles is highly relevant, and timely, lacking any retrospective approaches and focusing on current and emerging threats only. The same goes for the extensive external resources provided, emphasizing on the importance of self-education.

- Layout

Very well structured, and so far I haven't come across an article where the images weren't syndicated the way they should be, for instance the figures mentioned on a certain page, are the same figures available at that page. Three differentiation points make a very good impression, the level of difficulty for the article, what you should know before reading it in order to understand it, and what you will know after reading it, which you can find at the end of every article.

- Visual materials
The surplus of visual materials is perhaps what won me as a reader from the first moment. In fact, the issues are so rich on visual material illustrating the topic covered in such details, that you can actually take entire sniffing, and javascript obfuscation sessions offline with you, and never ever have to picture the output of a certain process in your mind again.

- Ads

Highly targeted, and primary security related, and best of all, very well spread across the magazine, so you're exposed to more content than ads.

Overall, the magazine successfully delivers what it promises to deliver - hardcode technical content from the geeks, for the geeks. Informative reading!

Cyber Command Goes LOLCATS

Thu, 22 May 2008 10:06:21 +0000

USAF Cyber Command: We don’t know what our mission is, much less our organization or where we’re going to find lots of smart geeks who don’t mind being E-1s. We have some really good commercials, though. =)

But hey, that’s why it’s still “Provisional”.

Bookmark to:

Vendors aren't changing focus, you were just blissfully unaware

Thu, 08 May 2008 04:09:41 +0000

My friend Michael Farnum besides being a comic book nerd, blogs over at ComputerWorld. Michael writes today about his opinion that vendors have changed focus from concentrating on the tech geeks to focusing on the business decision maker. Michael's proof is rather subjective, but revolve around the fact that when he was a geek not in management, vendors use to wine and dine him to influence him to support their technology and tell his boss to buy their products. As he moved up to become a geek in management, he noticed the vendors shifting focus away from the technical stakeholder to the business stakeholder. Michael has a theory on some of the reasons for this shift of focus. The dotcom bubble, the evolution of IT, people making decisions on sound business principles, not on what technology is cool.

Michael I say rubbish! I think that sales techniques haven't really changed that much from the 90's. Good selling always involved courting the three stakeholders - technical, business and financial. It is just as a green (meaning new, not environmentally friendly) geek, you were not even aware of the vendors courting you, also reaching out to your management team and the business and economic stakeholder. You were blissfully unaware that the vendors you were dealing with had a full court press going on. Instead you went to a nice dinner, a ball game and got some t-shirts and other swag and thought you were making it happen for them. In the meantime your boss was getting tickets to the game too (I bet even better tickets) and nicer schwag than you were! As you started to move up the chain, you just assumed that everyone must be moving up with you. That Ptolemaic or geocentric model of the sales process, with you at the center is just your view from the inside, but sales people have been multi-threading into accounts for a long time.

Yes during the dotcom era and even before that sales teams used to spend a lot more on wining and dining. I still remember fondly the EMC sales teams of the mid to late 90's partying with their customers like it was 1999 (it was 1999). I was on the receiving end of many of those great dinners and other perks. With new economic times, it became less fashionable to lavish money in trying to buy business. But that more economically austere model did fundamentally shift the focus in sales from the technical to the business stakeholder.

Some companies like Symantec for instance have always concentrated on the business stakeholder more than the technical stakeholder. But Michael in sales there is little new under the sun. Just because you have begun to become aware of it, don't assume it has not always been so.

Its a trade show in Vegas, you know the booth babes are out

Wed, 30 Apr 2008 05:23:03 +0000

I know it is Vegas, but overall the booth babes were not out in force at Interop. The biggest defender was Blue Cat networks, who once again had a frat boy set up with girls dressed in very skimpy skirts and leggings inviting giddy geeks in to play some virtual golf. Of course this follows past years where Blue Cat had girls dressed in skin tight jump suits putting you in flight simulators. Of course the girls scanned your information while they strapped you in. This sort of exploitive behavior from Blue Cat has become expected. I don't know if I were a woman, if I would want to work at that company. For the most part, the booth babes are employed by companies looking to put fannies in seats at presentations. These woman are usually good looking but not dressed to crazy and try to to get you to sit down, listen to a presentation and maybe win a prize. I don't have a problem with this, depending on how they are dressed.

In the you never know category though is my experience with this potential booth babe from D-Link. A quick look at the picture to the right would indicate, yes a booth babe for sure. However, I had a chance to speak with this young lady and was surprised to find out that she was an expert on 802.1x. She knew all of the potential radius attributes supported by every single Cisco switch. She also was able to set up the DHCP server on the D-Link Routers and to top it off explained to me exactly how D-Link was using the data stored in a MAP server to provide greater security utilizing the new TCG IF-MAP standard. Of course you believe all this right and know she was not just a booth babe. What do you think?

Online intruder makes off with SwimwearBoutique.com customer data

Sat, 26 Apr 2008 20:22:24 +0000

Technorati Tag: Security Breach

Date Reported:
4/16/08

Organization:
Swimwear Boutique ("SWB")

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, email address, SWB account password, and credit card information

Breach Description:
SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account. We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008. The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number"

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.

Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB customers.
[Evan] 37 residents in New Hampshire alone. I assume that the number nation/worldwide would be much higher.

We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.

These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
[Evan] Could this be the purpose behind the SWB note on their Sign In page?

We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.

We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.
[Evan] Geez. I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.

SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.

We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.
[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses. In January, 2008 we reported the Geeks.com (also a Hacker Safe customer) breach.

We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.

Notification letters will be sent out on April 23, 2008.

Affected customers also can contact us for more information at 1-866-SWIMWEAR.

In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.
[Evan] This statement is included in the letter to the New Hampshire State Attorney General. I did NOT see any reference to this in the letter that went to affected customers. Huh.

We are committed to helping our customers affected by these criminal acts.

We deeply regret that a valued customer like you may have been affected by the criminals.

Commentary:
People like simple solutions and quick fixes which often seem to lead to shortcuts and a false sense of security. Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe? No, it certainly doesn't. Understand these for what they are, a baseline level of security that only meets a certain number of requirements. There is a heckuva lot more to information security. Don't get me wrong, I think that requirements and baselines are important, but they are not more than a cog in a complex machine.

A tip for online consumers:
Check out PayPal's Virtual Debit Card. "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number." A one time credit card number. If your card number is compromised, it only affects the one transaction. Fraudsters are unable to rack up additional charges. Cool.

Past Breaches:
None