Security
No chance for true security?
by Sky on Jan.28, 2010, under Our networked world, Security, Software and online tools
Is security dead on the Internet? Yeah, it probably is—as long as we rely on software other people have written[1]. Unless you’re capable of writing all of your own software, without any errors, and keeping it isolated from software written by anyone else, you’re never going to have a secure digital life[2].
But there are things you can do to protect yourself. NGO-in-a-box has developed Security-in-a-box, a set of tools and tactics for your digital security. Worth taking a look!
It’s often said that “if we can envision it, we can create it,” but in the world of computer (and network) software this is only partially true. We can attempt to create it, but it will always have bugs in it. And those bugs are the chinks in the armor that allow malware to work and cyberwarfare to succeed.
[1] That’s because I can write a perfect program with no bugs, but nobody else can.
[2] See also The Social Graph of Malware, my site where I explore ways in which social engineering is used by the bad guys to get malware onto your computer.
Improved my Cable Broadband speed 3x (DOCSIS)
by Sky on Jan.20, 2010, under Security, Technology and geeky stuff
Sound like spam? “Improved my cable broadband speed 3x?”
Here’s the punchline: I got a 3x improvement in speed on my cable broadband service, but had to find and avoid a technical problem that is probably a security feature. And the DOCSIS 3 standard and modem is great. Read on…
Google.cn in again out again
by Sky on Jan.19, 2010, under Human Rights, Our networked world, Security
I pulled together a page of references on the Google China issues, beginning with their 2006 announcement that they would begin providing filtered search results at google.cn and ending “today” with speculation about exactly what has been going on that caused them to announce they would stop filtering results and see whether they could reach an accommodation with the Chinese government about providing unfiltered results in China. The summary page is at The Social Graph of Malware, not here. Go read it. And I’ll try to keep it up to date.
It’s clear that the decision to filter was tough. And it probably took less to get them to reverse the decision than if the original decision had been clear cut. The issues that I see involved include these:
- Censorship – even if mandated by local laws;
- Censorship – on more universal grounds (such as censorship of hate speech, etc.);
- Increasing Chinese cyberaggression – hacking servers, looking for industrial secrets (supposedly Chinese, because it’s almost impossible to really know);
- Aggressive attacks against minority communities and free speech advocates (cited by Google, but I’ve seen them personally);
- Drive-by malware insertions in free-speech web sites, and whether this is targeted or not;
- Whether an equivalent of the Geneva Protocol (which deals with weapons as opposed to prisoners) can be developed for cyberwarfare.
The Social Graph of Malware is a site I started a few months ago, and sporadically contribute to, that describes how social engineering contributes so much to the spread of malware. The Google incident that sparked their “reversal” decision to stop filtering (just a week ago) was largely a piece of social engineering. We have been seeing targeted attacks on the Tibetan exile community (and others) recently, utilizing social engineering tactics to get people to open poisoned files that then infect their computers. So I’ll continue to track the Google.cn issue on The Social Graph of Malware because of this connection.
Adobe Reader under attack again
by Sky on Dec.17, 2009, under Debris, Security, Technology and geeky stuff
Adobe Reader is one of the most oft-used programs in the world. (Probably next to MS Word and other word processors.) And we all think it’s safe because it just reads a document format and displays it.
To our surprise, we learned earlier this year that the Adobe Reader processes JavaScript that can be embedded in its PDF documents. Once again, here in December 2009, another vulnerability allows JavaScript to be exploited to turn a PDF into a malicious piece o’ stuff.
The fault won’t be fixed until mid-January 2010. Big companies have a long turnaround on fixing software. Yes, they have to test to be sure everything still works after they make a fix – but meanwhile we can’t safely open PDF documents unless we have JavaScript turned off.
The attack vector is to send a poisoned PDF file to intended target individuals, purporting to be “From: a friend” and hoping that they’ll open the attached PDF thinking that it’s safe. Wrong again. You won’t be caught by this, will you?
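As an added example (not part of the original post), here is a Python triage check that could be run on an attachment before anyone opens it: it flags PDFs that declare JavaScript or auto-run actions, including names disguised with `#xx` hex escapes. The sample byte strings are constructed and the function names are assumptions for illustration.

```python
import re

# PDF name tokens that declare script or automatic actions.
SUSPICIOUS_NAMES = ("JavaScript", "JS", "OpenAction", "AA")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (not real documents).
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
             b"endobj\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n"
                b"<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\n"
                b"endobj\n%%EOF\n")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript is read as JavaScript."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in the raw bytes of a PDF."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def contains_javascript(data: bytes) -> bool:
    """True when the file declares a JavaScript action anywhere."""
    counts = scan_pdf(data)
    return counts["JavaScript"] + counts["JS"] > 0


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, scan_pdf(sample), contains_javascript(sample))
```

A raw byte scan cannot see names stored inside compressed object streams, so a clean result here is a reason to continue checking, not proof that the file is safe.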
I hope you'll enjoy this mix of topics stemming from my ongoing experiences in the world of online communication. Oh, and sometimes the inspiration comes from face-to-face communications too. Many are sparked by my work as Chief Technology Officer of