David Kirkpatrick

March 4, 2010

Microsoft wants to tax you …

Filed under: Business, Technology — David Kirkpatrick @ 1:03 pm

… to help pay for correcting its sieve-like OS and application coding. Now I’m not saying Microsoft is the only reason malware, phishing, botnets and other cybercrime go on out there, but its shoddy and ubiquitous products are to blame for a very large majority. And that statement comes from a Microsoft user and supporter.

This internet usage tax idea from MS’s “trustworthy computing” veep is the height of stupidly ballsy statements. Maybe Microsoft should remunerate every computer user whose identity has been stolen, data compromised or computer files corrupted or lost due to yet another security fix that came a little too late.

Taxing internet usage to fix a problem largely caused by a single entity? Not a good idea. Try again, Scott Charney.

From the link:

How will we ever get a leg up on hackers who are infecting computers worldwide? Microsoft’s (MSFT) security chief laid out several suggestions Tuesday, including a possible Internet usage tax to pay for the inspection and quarantine of machines. Today most hacked PCs run Microsoft’s Windows operating system, and the company has invested millions in trying to fight the problem.

Microsoft recently used the U.S. court system to shut down the Waledac botnet, introducing a new tactic in the battle against hackers. Speaking at the RSA security conference in San Francisco, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney said that the technology industry needs to think about more “social solutions.”

Update 3/8/10 — Looks like I’m not alone in condemning this crazy idea.

October 1, 2009

Cloud computing and security

Filed under: Business, Technology — David Kirkpatrick @ 4:16 pm

An interesting overview from Bill Brenner at CIO.com.

From the link, the conclusion:

Having said that, I also agree with Mike Versace that we should offer some basic approaches that ease the learning curve and ask some basic questions. The approach that I’ve been using is what I coined RAIN, which is just a plain old tried-and-true planning and analysis approach with emphasis on interfacing.

  • (R)equirement: understand your business requirements, and derive technical, non-technical, regulatory and security requirements.
  • (A)nalysis: from your requirements, analyze what tasks or services you want to or can outsource, and clearly define which party is responsible for which tasks, to reduce confusion and conflict later; perform risk analysis, especially with respect to cloud connectivity, multi-tenancy, local data privacy regulations (of your providers), and business continuity.
  • (I)nterface: clearly define system and human interfaces. Who and how to contact providers for services or problems? What API or webpages to use and how, what the returned result should look like? The more interfaces/touch points, the higher the risk for breakages or problems.
  • e(N)sure – verify and ensure services are performed according to agreements. (Validate and boundary) Test the results sent from providers to ensure that they are in the correct formats and are what you expected; audit or pen test services; perform practice runs with your providers.

This is nothing new or fancy, but I’ve witnessed light-bulb moments without glassy eyes when I explained cloud computing challenges with this approach.

In more cloud computing news today, here’s Technology Review and CIO.com on Amazon’s cloud services.

April 16, 2009

As if you didn’t have enough …

Filed under: Technology — David Kirkpatrick @ 2:41 pm

… to think about with computer security.

You don’t have to don a black hat and prowl the murkier waters of the internet to find an app as dirty as a password stealer — just hit download.com.

This is the extreme edge of controlling your security, but it is a useful bit of advice from the linked article, “… always assume that any login entered on any public computer is compromised and should have its password changed as soon as you’re back at a trusted PC.”

More from the link:

A simple search can turn up a keylogger program available for download on numerous sites, including PCWorld.com, with the idea that the tools are offered for personal use to catch someone messing around on your own PC, or perhaps for concerned parents. That may be a thin veneer, but Christopher Boyd posted on the SpywareGuide Greynets Blog that he came across a tool available as a free download at the oft-visited download.com that exists solely to steal passwords for IM accounts.

The app presents a fake IM app and captures usernames and passwords that are typed into the window, according to Boyd. It’s a bit of a stretch to think of how such a tool might be meant for personal use to catch snoops on your own computer, especially with a description like “This is perfect if a visitor is coming round who wants to access their IM account.”

January 16, 2009

Ten ways to make Vista more secure

Filed under: Technology — David Kirkpatrick @ 3:55 pm

And who doesn’t want to make their computer more secure? If you’re running Windows Vista, here are some tips and tricks from CIO.com.

From the link:

Check Your Work

Now that you’ve tweaked Windows Vista, you can keep tabs on your system’s security with the System Health Report. This diagnostic tool takes input from the Performance and Reliability Monitor and turns it into an information-packed report that can spotlight potential security problems.

  1. Open Control Panel.
  2. Click System.
  3. In the Tasks list, click Performance (near the bottom).
  4. In the resulting Tasks list, click Advanced tools (near the top).
  5. Click the last item on the resulting list: Generate a system health report.

The report will list any missing drivers that might be causing error codes, tell you whether your antivirus protection is installed, and declare whether UAC is turned on. You may want to run this report once a month just to make sure everything’s still good.
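
The three items the excerpt says the report covers (driver problems, antivirus presence, UAC state) can also be spot-checked from a script between report runs. This is an added example, not part of the CIO.com article; the function name Get-SecuritySpotCheck is hypothetical, and the script assumes Windows PowerShell on a client edition of Windows.

```powershell
# Added example: scripted spot-check of the three items the System Health
# Report is described as covering. Run in Windows PowerShell (Get-WmiObject
# is not available in PowerShell 7+).

function Get-SecuritySpotCheck {
    # UAC: EnableLUA = 1 means User Account Control is turned on.
    # A missing value is reported here as "not enabled".
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # Antivirus: products registered with Windows Security Center.
    # The namespace is absent on server editions, so errors are suppressed.
    $av = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            ForEach-Object { $_.displayName })

    # Drivers: devices whose Device Manager error code is non-zero
    # (code 28 means no driver is installed for the device).
    $devices = @(Get-WmiObject -Class Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' |
                 ForEach-Object { '{0} (code {1})' -f $_.Name, $_.ConfigManagerErrorCode })

    New-Object PSObject -Property @{
        UacEnabled        = ($lua -eq 1)
        AntivirusProducts = $av
        ProblemDevices    = $devices
    }
}

$result = Get-SecuritySpotCheck
$result | Format-List

if (-not $result.UacEnabled)               { Write-Warning 'UAC is turned off.' }
if ($result.AntivirusProducts.Count -eq 0) { Write-Warning 'No antivirus product is registered.' }
if ($result.ProblemDevices.Count -gt 0)    { Write-Warning 'One or more devices report a driver problem.' }

# The full report can be generated without clicking through Control Panel:
# perfmon /report
```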

August 10, 2008

Google gadgets can open backdoor

Filed under: Business, Technology — David Kirkpatrick @ 4:55 pm

I guess the message here out of Mountain View is “downloader beware …”

From the link:

Software that hackers can trick people into installing on “iGoogle” home pages can track users’ activities and control their machines, SecTheory chief executive Robert Hansen showed AFP on Friday.

“I could force you to download child porn or send subversive material to China,” Hansen said. “The exploitation is almost limitless. Google has to fix it.”

Google lets people customize iGoogle home pages with mini-software programs called “gadgets” such as to-do lists, news feeds, currency converters, and calendars.

Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs.

“It turns out a lot of people who develop these things aren’t good at security,” Hansen said, citing research he and Cenzic security analyst Tom Stracener shared at a notorious annual DefCon hacker gathering in Las Vegas.

“We pretty much break into anything we try.”