Screenshot

I’ve been keeping track of interesting stories about security over the past couple of months for my intersession course, mostly ones that I have found through Slashdot, BoingBoing and/or Digg. As part of the process of selecting which ones will make it into the final week of the course and which ones will not, I thought I would put the whole list here, mostly without comment. If you notice anything that seems particularly interesting (especially if you happen to be in my course!) let me know and it will probably move up my list of things to discuss.

• Last year’s Hack of the Year involves a Swedish hacker obtaining passwords for a number of governmental and embassy email accounts using TOR, an open-source tool that obscures web traffic. Think TOR sounds cool? Check out this guide to using TOR to surf anonymously to learn more about how it works.
• Not surprisingly, a study of wireless networks used in retail stores shows that most of them are insecure to some degree, with 25% not even using any encryption at all.
• We have read about hackers taking advantage of default passwords back in the 80s, but it remains a problem and there are a number of lists out there of default passwords for modern hardware.
• This is a slightly older story and the infected drives were pulled off the market, but certain Maxtor 500GB hard drives are being shipped with Trojans on them that send information on them back to sites registered in Beijing. But it seems that hardware being shipped with malware installed is a growing problem with digital photo frames also recently being infected.
• We all got used to the idea of disabling Javascript or Java in our browsers to block malware, but now Flash advertisements have malware embedded in them too.
• Sometimes what you think is a virus is just Microsoft being Microsoft: “During normal operation or in Safe mode, your computer may play “Fur Elise” or “It’s a Small, Small World” seemingly at random. This is an indication sent to the PC speaker from the computer’s BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance.”
• A hole in QuickTime allows SecondLife avatars to be hijacked and made to turn over their Linden cash. Huh – I am about halfway through that novel…. More seriously, though, security within MMORPGs as a subset of software security seems to be a growing topic of interest.
• A McAfee report predicts more cyberattacks against and by governments in the coming years, based on evidence that many countries, including the US, have already started to use cyberattacks. It seems the attacks are mostly for the purpose of espionage. A related article coming out of this reports frames the issue as a coming cyber cold war – interesting in the context of this report that a number of recent blackouts outside the US were due to cyberattacks. And cyber-espionage need not be just against countries; corporate cyber-espionage is also believed to be on the rise.
• There is a lot of argument about how to compare the relative safety or number of holes in operating systems or software. Recently Microsoft reported that the number of holes announced in IE was less than in Firefox, and the Head Security Strategist at Firefox responded that the count did not include holes patched in major service packs and thus not announced, and discusses the security risk this represents for users. A similar argument get made in comparing Mac versus Windows vulnerability stats, with Mac by this report having many more flaws, but there being a question of whether apples are being compared to apples or not…
• This commentary on the balance between security and usability is worth reading. Part of the usability issue here is supporting depreciated filetypes, and whether that support needs to include security patches.
• This long technical article, in PDF format, describes a Chinese black market in malware. I have only skimmed the article so far but it has an interesting classification of the different players in the black market and how they related to each other, as well as a couple of case studies. Somewhat related is this article on the emerging “malware economy”.
• If cracking WEP seems daunting (though it probably shouldn’t after reading that guide…), maybe you want to practice on the less securely encrypted wireless keyboards.
• Lots of end of the year reports, including that 3.2 billion dollars was lost to phishing attacks and anti-virus protection is less good at detecting malware when looking at responses to new attacks.
• Sometimes sneaky malware-style behavior finds its way into commercial products, such as the feature in Adobe’s CS3 that reports back usage data to a server with a sketchy name.
• South Carolina may require forensic investigators to
  have a PI license and some are concerned since the specialized skill set for forensic investigation currently has little overlap with the training and skill set of licensed PIs. The motivation, of course, being a desire to ensure that evidence to be used in trial is collected using appropriate standards.

• A recent report says that projects to find and repair security holes in open source software are proceeding well – the more interesting part of
  the article possibly being the large government supported effort to harden open source systems as their use expands. This would appear to be another “hidden” cost of free, open-source software.

• A case originating a couple of years ago and centering around the question of whether unauthorized (but unblocked) whois and DNS lookups constitute hacking has been decided in the positive (more commentary critical of the decision here).
• Worried after all of this that your computer is going to go kablooey any minute now? Keep this nifty Ubuntu LiveCD based technique for restoring your Master Boot Record in your back pocket…

I’ve been saving up news articles about security vulnerabilities for my cyberattacks class, but I’m not quite sure where to fit in a discussion of potential vulnerabilities in Boeing’s New 787. On the crazy-cool side, the plane is going to have internet connectivity in the cabin for passengers. On the crazy-stupid side, the passenger’s network is connected to the cockpit network. Solutions are being discussed, but they do not seem to include just keeping the two networks physically separate. But software solutions can, and probably will, have holes, and Boeing is treating this as a software-debugging problem. I can’t imagine what the justification would be for wanting the networks to be connected. I am a big proponent of the “if it is absolutely vital, keep it unplugged from any network” school of security. Or, frankly, if you can’t do it safely, I’ll get by without internet access on my plane flight….

I would not want to buck the weblogging tradition of posting some type of year-end wrap-up, and I was quite lax on the photography and book-reading this year so I thought I would tie up 2007 with a recap of some of the new technologies that I have started using in the past year.

• RSS Feeds: My general websurfing habits had been to open folders of bookmarks into my Firefox tabs and click my way through them, but I finally broke down and tried out reading feeds and it’s an experiment I’m sticking with. I started out using Sage, a Firefox extension, but I’m pretty firmly wedded to Google Reader at this point. Sure, Google is harvesting what I read when, but I can keep up on my feeds anyway, including on my cellphone and it’s support for tracking new feeds and letting you star old entries for later references is great.
• Eclipse: I had played with it very briefly before, but this year marks the first time I have really used it, and after a surprisingly shallow learning curve I feel like I’m pretty proficient with it. I’ve only tested out the Java support, and have heard that it is less ideal for C++, but it has all of the expected bells and whistles, I like the debugger, and I’m a fan of using a free tool that my students can continue to use after the end of the semester. I still think you ought to get started with a simple text editor and command-line compilation, but if you are going with an IDE this is a reasonable choice.
• Facebook: I was talked into setting up a profile and, having never gotten on MySpace or Friendster or any of those things, it’s been interesting to play with. I’m invested enough that I even have opinions on the recent changes allowing your status to not start with “is” and emailing you messages you receive, and not just notifications (both great!).
• New Toys: My laptop and lab computers all got upgraded, along with shiny new flatscreen monitors. Bonus on the laptop – all of my wireless networking problems went away, at home and in my office. I upgraded my cell phone and along the way learned to text message and access the internet using it. I think 2007 was the tipping point in my always-on accessibility.

This coming year, I’ve got modest technological innovation goals. I’m going to learn either Python or Jython. I would like to get my old laptop running Linux. And I’ll probably jump on a few other bandwagons along the way, just to keep current – so send me your recommendations of what I ought to be playing around with before next December rolls around.

I was chatting with a friend tonight about the fact that both of us are interested in learning Python, for slightly different reasons. He has noticed some job listings that indicate Python as being a particularly desirable skill, and theorizes that it would be pretty straightforward to pick up if you have a good understanding of Java. That theory is supported by the large number of books and articles written specifically to help the Java programmer learn Python. (See: Python for Java Programmers or Python for Java Programmers) In fact, if you have a background in Java, this Python & Java Side-by-Side Comparison does a nice job of not just laying out the differences, but in doing so describing what Python is. For me what is the most jarring is the lack of types. Which is weird, because I spent many years in grad school programming LISP, but I also spent a fair amount of time surrounded by proponents of strongly-typed languages. Between that and my current immersion in Java world, it makes me feel vaguely itchy to think about writing code without types. What if I try to add an int and a String? The world would end! Or at least it should!
For myself, my interest in Python comes from thinking about my upper level courses. With programming as a prerequisite, I can ask students to write Java programs, but Java can be unwieldy and I have wondered if I would be better off spending a couple of classes teaching Python and then have students write code in that. Or, even better, I could use Jython – an implementation of Python that runs via the JVM and lets programmers use the Java libraries in their Python code. I had never heard of this until my friend pointed it out, but it sounds perfect. Students can use the familiar and vast Java libraries, including nitpicky ones like Swing that take some practice, but avoid the complexity of writing a full-blown Java program. Assuming Jython works the way it sounds like it does – I guess I have a backburner project to work on now….

Are you interested in Web 2.0? Maybe you are taking a course on the topic soon. Hell, maybe you are teaching a course on the topic soon ;) Whatever it is, last month the new-to-me but old-to-the-internet Journal of Computer-Mediated Communication had a special issue on social network sites. Besides just trying to tackle the problem of defining a “social networking site” – which at least is a more manageable task than defining the mostly meaningless in my mind phrase “Web 2.0” – there is a a somewhat interesting study of who, demographically, does and does not use social networking sites. There is also an interesting article on identifying what in practice causes a reader to react to an email as a flame that connects nicely with a recent article in the New Scientist Blogs summarizing research on why people flame online when they would not behave the same way offline. Good stuff to bookmark and read when some free time comes along….