CF2 TechNotes Blog

Archive for the 'Security' category

Back in the Freelance Saddle…

May 29, 2009 8:39 pm

The first articles of my renewed freelance career are up at InfoWorld. In fairness, the bulk of the work for these was done while I was on staff, but it’s nice to see them published, especially since my friend and collaborator Brian Chee spent such an incredible amount of time working on the testing procedures and programming. We’re proud of the results, and look forward to continuing the testing regimen with new products in the near future.

The project was a review of universal threat managers (UTMs) appropriate for branch-office deployment. UTMs are like firewalls on steroids, responding to and protecting against a much wider variety of threats than can be handled by the classic firewall.

The review is in multiple parts. First we introduce the cast of UTMs, then describe the testing regimen we developed for UTMs. Next, we move on to a look at the test equipment from Ixia and Mu Dynamics that we used to run the tests. Finally we come to the UTMs themselves, with separate write-ups on the products from Astaro, SonicWall, WatchGuard, and ZyXel. Who won? Well, you’ll just have to go read the review to find out, now. Enjoy!

The Bolt-cutter Vulnerability

April 10, 2009 10:46 am

This morning I blogged about the Silicon Valley phone sabotage on the Inside Interop blog. It’s a great object lesson in physical security — why padlocks can be just as important as firewalls in protecting an I.T. infrastructure. It’s also a good lesson in the importance of redundant paths for critical services. We’ve seen, time and again, just how vulnerable single points of failure make a system, and this incident proves it yet again.

A Critical Security Post for an Election Year

January 27, 2008 11:38 pm

There never seems to be a shortage of bureaucrats eager to take away our freedom by invoking security. In most cases, their proposed actions do absolutely nothing to promote real security, but do a great deal to make it easier to control and oppress the public.

I cover security, but it takes a real expert to make a convincing case against the proponents of fake security. Bruce Schneier has made a powerful case in his latest Wired blog post. The most important point he makes — and this is critical — is that the "choice" so often offered between security and privacy is not a choice that need be made. In most cases, the acts and systems that provide security don’t impinge on freedom and privacy.

We haven’t seen candidates asked questions about this in any meaningful way, but perhaps it’s past time for that to change. The way the next administration views privacy and security will have a significant impact on our lives for years to come.

Security from Another Angle

August 21, 2007 12:08 pm

I had a long conversation about the Storm Worm this morning, and it’s certainly having an impact on various organizations around the Internet. In talking about Internet security, though, we missed an obvious threat: guns. Apparently, someone shot up a fiber-optic cable near Cleveland, causing a major disruption that cascaded across Internet backbones. I can hardly wait to see how the security vendors react to this one…


Another PCMag.com Article

July 3, 2007 3:48 pm

The second article for PCMag.com is on Voice over IP (VoIP) security. Like most technologies, there are risks that go along with the benefits. Head over to the article to check out what some of the experts are saying about what you should do to protect your network if you’re deploying VoIP.

How Not to Protect Your Code

March 30, 2007 11:03 pm

I’ve written about copy-protected software before. In general, I think it’s a bad idea. I’ve yet to meet a scheme that can’t be defeated (albeit some require a bit of knowledge and some uncommon tools), and virtually all impose at least some burden on legitimate customers. Recently, my dear wife had a run-in with software protections that had to be the most intrusive, “you paid us and we still don’t care about you” copy protection I’ve seen this side of Sony.

Now, before I get too far into this, let me say that the system she ran into is several years old: it’s entirely possible that the company has come to its senses in subsequent releases. If so, and if the company contacts me to tell me about it, I’ll post information here. Until then, on with a cautionary tale…

You need to know that Carol is superb with all things having to do with fiber, fabric, and sewing. A friend purchased a sewing machine with embroidery attachments many years ago, but had never really used the attachments. She asked Carol to see if it could be figured out and put to use. The sewing machine and attachments were made by Husqvarna — a top brand. When Carol began installing the software, she found that it required a printer-port dongle as part of its copy-protection scheme. Fortunately, her laptop has a printer port, so she installed the dongle and proceeded with the install. She next found that the application she was installing (one of three separate applications required in order to do the sort of embroidery she wanted to try) also required a special key for the dongle–a key shaped roughly like a large watch battery. She installed the key and moved on. Each of the applications, in turn, required its own key to be placed in the dongle during the software installation process. Now, things get really fun.

Once the programs are installed, they each must be used if you want to make custom designs. Each time a program is invoked, its key must be inserted into the dongle. Since creating and saving a custom design isn’t a straight-through-the-applications sequence, there are more than three key changes required for the creation of each design. Get this image in your head: The process of creating an embroidered design isn’t just an exercise in graphical design–it’s now part of your aerobic exercise program as you get up and down, twist around to the back of the computer, stretch your arms to the dongle, reverse and repeat.

I don’t know whether the Husqvarna folks had “irritate the living daylights out of legitimate users” as an item on their design criteria list, but they nailed this feature. It’s hard to imagine a more annoying system that doesn’t involve physical mutilation.

Now, as I said at the top, it’s possible I’m ranting about a system that’s no longer sold. Lordy, I hope so. Whether it’s been relegated to the waste-bin of history or not, this is a product of the thinking that’s typical of copy-protection schemes. The thinking? Our customers don’t matter at all. The appropriate response? A decision to buy someone else’s product. I absolutely believe that developers (and all those who work in creative endeavours) should be compensated for their work. I’m not advocating intellectual property theft or a system in which no one is allowed to profit from their work. I am saying that these creative folks should respect their customers enough to figure out how to profit by making their legitimate products desirable–not by abusing the people who keep them in business by actually buying their wares.

OK, the lecture is over, and a tough week is done. More regular posting next week and news from a regional SPJ conference over the weekend…

Stupid Extortion Attempts

March 23, 2007 5:20 pm

I’ve known for a while that criminals had moved into extortion for their nasty cyber games. Today, though, I got my first extortion e-mail. It had all the grace and cunning of your average Nigerian scam letter, but with humorous mis-spellings and grammar manglings thrown in for flavor. It read:

    hello friend

    first,i am sorry i am not a good man,I am a computer hacker,so when you seeing this email,your computer Already infected my virus.

    i want nothing,i just want a few money,so you must send 150 US dollar to my e-gold  (http://www.e-gold.com) account.

    if you dont do this, I will activate my virus in a week, then your computer will be able to be paralysed and to appear the pornographic procedure.

    this is not a joke,think about it.

    check this link to send money to me:   http://XXXXXXXXX.com

    i just can only wait you 5 days

    when you send money to me,call me at: jznglskq@gmail.com

    see you very soon

I’ve redacted the link to send money, but I’ve left the poor schmuck’s e-mail address. This sort of e-mail should forever put to rest the “all computer criminals are geniuses” meme. Needless to say, there was no malicious payload (unless you count bad grammar), and no one should ever respond to something like this.

I have left a message for the eGold security team–it should be interesting to see if they get back in touch with me. If they do, I’ll let you know.

What do You Know?

March 22, 2007 10:12 pm

Fellow journalists have pointed to an interesting issue for those writing about security. In a NY Times story about shoplifters the writer talks about a “boost bag” used by shoplifters, and describes in broad terms what the bag is. The issue: Has the journalist damaged security by including information in the story? Those of us writing about IT security face this question every day, as do journalists who focus on law enforcement, military, or homeland security issues. It’s one of those issues that can bear honest disagreement because judgement is involved.

I tend to come down on the side of “more information is better” in most cases. The information on how to build bombs, put together a boost bag, defeat an alarm system, or construct an SQL Injection attack is out there anyway–none of this involves a deep, dark secret. Trying to keep citizens from understanding these things is not only self-defeating, it diminishes the opportunity to enlist the help of thousands (or millions) of intelligent men and women of good will.

Are there exceptions? Of course there are. I think you have to give serious consideration to publishing the details of an on-going operation, and if the subject of the article might endanger human life then a writer must weigh the consequences very, very carefully before proceeding. I don’t write details like IP addresses in my articles, and I’ll tend to fuzz out the details of an individual’s vulnerabilities when writing about case studies. It’s not that I won’t write about the issues, including details of what’s possible–I just won’t put the key into the lock for someone who might be trying to decide which network will host their next cyber-joyride.

Some of the folks who operate in the political blogosphere talk about groups of citizens as “a pack, not a herd.” I like that. I think that most groups will form themselves into a pack and not a herd if given the opportunity. Part of that opportunity consists in being informed about what the Bad Guys are doing, or are capable of doing. Security Through Obscurity is, in the long run, an unsuccessful strategy and I don’t feel I violate my responsibilities either as a journalist or as a citizen when I make a security issue a bit less obscure. I strongly believe that a well-educated citizenry (whether of a nation or of the world) is best able to defend itself and help defend other citizens.

Gear up–get educated.

More Dark Reading

March 7, 2007 10:46 pm

Today’s Dark Reading column is up, and it’s on an interesting topic; it seems that spammers have decided that there are more important things than porn to use in flooding our in-boxes. The column brought with it an even more interesting situation; Kelly Jackson-Higgins wrote her blog entry on the same subject.

As problems go, this one isn’t earth-shattering, and in many instances it wouldn’t even be a problem. It’s the sort of thing that’s easily corrected in the editing and production work-flow of a print publication, but “web time” tends to leave publications open to these little issues. The question, of course, is how to solve the problem without invoking a process that will make everyone long for the days when we could all file different takes on the same story and just laugh about it.

The whole work-process issue is fascinating. I’ve been on the team starting at least three magazines, and work flow discussions tended to involve minor tweaks to a system that apparently originated with Gutenberg. The web changed things in dramatic fashion because of the speed that has come to be associated with web publishing, the differences in the understanding of article length, and the very basic differences in how readers experience the material. The staff size is also a huge factor.

A blog like this is, generally, a one-person operation. Right now, I’m the only one posting here so the process is whatever lets me get something onto the web. I’ve had discussions with colleagues about their participation, and when they begin contributing we’ll have to work out a more significant process. If you have 20 editors, 36 writers, and an art department, you’re in a different world of process altogether.

You’ll notice that I haven’t said anything about the whole editorial oversight that’s supposed to be such a huge differentiator between Real Publications and blogs. There’s a reason I haven’t talked about it–there’s no standard to talk about on either side. I’ve written for huge print publications where my articles ran exactly as I submitted them, and I’ve written for blogs and on-line pubs where editors went over every word. Here? You, my friends, are my editorial review and so far you’re doing a good job. I liken this most to a good newsletter–there’s an on-going relationship between writer and reader that keeps things vital.

New Dark Reading Column is Up

March 5, 2007 10:04 pm

You can read my latest security column at Dark Reading. I manage to say good things about the Department of Homeland Security. So far, no porcine aviators have been seen.

The broader point around the column is that there are times and places to be on the bleeding edge of technology. Projects that involve securing the lives and personal information of, oh, everyone are in neither. I love new stuff as much as the next guy, but there have been far too many utter disasters around big projects built on new technology for me to suggest that Real ID should have anything that isn’t highly secure and thoroughly experienced as part of the spec.

My Latest Column…

March 2, 2007 7:57 pm

…is up at Dark Reading. It’s a rant on the “20 worst…” lists that have become so popular. It’s not that the lists aren’t good, it’s that so many of the items on the list can be boiled down into a few basic problems. In the column I, you guessed it, bile them collards down, as the old song has it. I’ll take the pot likker and stop this string of analogies before I’m compelled to bring anything like chitlins to the table.

You know, though, a lot of the very complicated things we worry about can be broken down into very simple rules. I’ve had to mandate–and take–sexual harassment classes in various jobs. All the words, examples, and legal precedents can be summed up very neatly: Be a gentleman; be a lady; don’t be an ass. There–I’ve just saved you thousands of dollars on harassment training. In the same way, I run across so many IT problems that could have been solved if someone–anyone, actually–had applied Thomas Watson’s famous word: Think.

We’ve built such a cult around speed that thinking about the problem we’re trying to solve and the consequences of our solution gets short shrift. I’m sure you can supply your own example here; anyone who’s been in business for more than 38 minutes can. It’s time to bring thinking back into fashion. Security is a good place to start, but it’s starting that’s the key.

Think.

Ostrich Security

March 1, 2007 8:53 am

My latest column is up at Dark Reading. I’m afraid I got up on one of my favorite soapboxes–companies trying to silence those who find flaws with their products. It’s not just security companies; take a look at the license you agree to when you use any of the major databases, for example, and you’ll find that you’ve agreed never to tell a soul if you build a test and get results.

I’m not excited about a culture built on cowardice and secrecy. This kind of thing makes no one more secure, and contributes to an atmosphere that leads to more bad surprises, rather than fewer. Let sales reps know that you don’t like this sort of thing, and that it will figure into future purchasing decisions. It’s the only real way to get the attention of the execs who think they’re doing their company a favor.

This is Not an Emergency

February 12, 2007 12:29 pm

I grew up a child of the Cold War, when various sorts of school drills and regular tests of the Emergency Broadcast System were a part of everyday life. Yes, there was nothing like the reminder that nuclear holocaust might be only moments away to put that test on diagramming sentences into perspective…

Instapundit has done another in his ongoing series of posts on disaster preparedness. This one focuses on food, with a side glance at, errr, morale. Both are important, and I’m pleased to see anyone remind folks that it’s important to plan ahead for life’s least fun moments. I’ve been disappointed to see many conversations on disaster planning continue to assume that a cell phone is all the emergency communications you’ll need if things get truly sticky. In every significant disaster of the last decade, the cell phone infrastructure has followed shortly on the heels of the land-lines in rolling over to languidly wave their electronic legs in the air.

Regardless of the disaster’s cause and form, effective communications boost survival rates and lessen the burden on everyone concerned. It’s important that you start with a battery-powered combination NOAA/FM/TV radio like this one. There are rather a lot of these available–the key is looking for those that have the Weather Alert feature, that can be battery powered, and that have FM/AM/TV capabilities so you can hear instructions from emergency managers during and after the trouble.

Now, the weather radios solve part of the problem, but they won’t do anything to help reunite your family or let friends and family members in distant locations know that you’re OK. For those tasks you need a way to talk to the outside world without using any part of the telephone system. Now, in a limited number of cases, VoIP wins–if you get your broadband via cable modem or satellite, you may be able to get on the Internet and then use e-mail, IM, and VoIP to let the world know how you’re doing. For most people, though, when the phones go away, so does communication with the rest of humanity. What then?

For very local communications (from next door to perhaps a mile or two away), a GMRS radio like one of these may do the trick. You can give one to each member of your family or group, agree on a channel and protocol, and be in communications as you work to get back together. (One note: unlike the lower-powered FRS, GMRS is a licensed service; if you get the radios, do the right thing, and send your application and fee to the FCC.)

If you might need to reach a bit farther and talk to people who aren’t in your immediate circle of family and friends, then the old-fashioned, much-maligned CB radio still has a role to play. There are still quite a few models to choose from and any of them can be used to contact REACT or any of the hundreds of thousands of individuals who still own and use CB radios.

If you’re really serious about staying in touch through a disaster, though, nothing matches amateur radio. I’ll admit to a bias here: I’m a radio amateur (KG4GWA), as are my lovely wife and my son. We each carry hand-held radios and have used them to keep in touch in emergencies. It makes me feel better knowing that, in the worst case, I can reach people around the country if things truly go to pot. It’s getting easier to become licensed–as of February 23, morse code will no longer be required for any amateur license. Getting a Technician License, which will let you communicate throughout metropolitan areas, or across rural counties, should take most folks no more than a few hours of studying. If you’re interested, get in touch with your local ham club, or contact the ARRL.

Regardless of the method you choose, it will be far less effective if you don’t develop a plan and rehearse emergency communications on a regular basis. You can make it fun for young people, but you must make it mandatory for everyone. We’ve seen far too many cases of people whose lives were lost or forever disrupted because they couldn’t communicate in an emergency. This is one problem that each of us can solve for ourselves and our families. Start now.

Another Day, Another Attack

February 7, 2007 8:31 am

There has been another attack on the Internet’s root DNS servers. This one would have passed unnoticed by most Internet users, because it was targeted against only a few of the servers. There are some interesting charts of the traffic levels generated by the attacks…you can see the spikes in messages that each server must cope with.

Instapundit properly, I think, identifies these as practice attacks. In that regard, they’re no different than hundreds of other attacks that take place against institutions, routers, and servers each week. The attacks are designed to show proof of concept for exploiting new vulnerabilities, and to allow the attacker to watch the response–the better to design attacks that can operate longer without an effective response.

Here’s my fearless prediction of the day: There will be a hit that people notice, because it makes some significant part of the Internet unavailable for a period of time. We’ve seen it before. I suspect that the next time, though, the Internet attack will be to facilitate or distract from some other attack, quite possibly against financial or economic infrastructure targets. This is old news to Internet security folks, but we still don’t see the level of information sharing and response coordination between different security areas that we should. It’s time more people took these reconnaissance attacks seriously–and time we started learning as much from them as hackers do.

More VoIP Magic

February 6, 2007 9:34 pm

I mentioned Gizmo a few days ago. I’m going to be looking at more VoIP systems in the coming weeks, but I’m really enjoying Skype. I like the quality, I like the convenience, and I like the price. The folks at LifeHacker have found a new reason to like Skype; it can be part of your home security system. This article talks about the basics of setting up a system to check on your home while you’re away and, I must say, it looks slick. When I worked with Steve Ciarcia at Circuit Cellar INK back in the day, he built a system to do about what this setup does. The only difference is that his system cost thousands of dollars to design, hundreds of dollars to build, and required several chunks of seriously customized hardware. This, friends, is the march of progress.