Awareness is our biggest challenge, but we've been doing a lot to make this happen. At this point the consumers who are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune. I like this editorial by Robert MacMillan at the Washington Post. Here's an excerpt:
I am a staunch defender of what I call the average computer user, but I wonder whether it's time to change my tune... It makes sense that the Internet service providers and other stewards of our online experience should do their part to protect people from online danger. But I need to modify that point of view. Everyone should know by now that we should never trust e-mail, mobile phone messages or instant messages from strangers who want to deal with our money. If you don't know the source, delete immediately. Some of you will be yawning by now because you know this already, but the Times piece points out a tragic reality that criminals know well already -- a sucker signs on to the 'Net every minute.
The Payment Card Industry (the credit-card issuers) has created its own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to be covered. For example, "Do not use vendor default passwords on IT products" and "Uniquely authenticate each person accessing computer systems." It's a great idea, but it is yet another regulation that needs to be dealt with.
http://www.ecommercetimes.com/story/113003FF5PFJ.xhtml
More progress being made on the anti-spyware front: http://www.eweek.com/article2/0,1759,1788844,00.asp. Industry players are banding together to try to define this.
I'm not sure that this is a good idea -- while I agree that the term "spyware" has unfortunate connotations to anyone branded as such, creating a specific definition just seems to me to open the door to firms trying to work around the definition while achieving the same effect.
Although it had a terrible acronym, I really thought that "potentially unwanted software" captured the category in a nutshell.
This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide. Link.
TechWeb just posted an article on DNS cache poisoning attacks continuing. The Microsoft KB article can be found here. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests, the data is assumed to have been filtered by the upstream DNS server. If that server isn't filtering properly, the cache can still be poisoned. This is often the case when Windows DNS is set to forward requests to an older version of BIND. The Internet Storm Center (link) has a pretty good description of several scenarios and how you need to protect your organization depending on which one you're in.
Lesson learned: Look at the whole chain to understand how you're protected.
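As an added example (not code from the original post or the Microsoft/ISC articles), here is a toy Python model of the chain the post describes: a hop with cache protection drops records outside the zone it asked about, while a hop that forwards everything trusts its upstream, so a poisoned extra record survives when Windows DNS sits behind an older BIND but is dropped when Windows DNS resolves as a master. All names and addresses are constructed.

```python
# Added example, not code from the post or the linked articles; names and addresses constructed.
# "Cache protection" is modelled as discarding records outside the queried zone (its bailiwick).
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name, e.g. "www.bank.example"
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "192.0.2.10"

@dataclass
class Resolver:
    name: str
    secure_responses: bool      # cache protection is enabled on this server
    forwards: bool = False      # forwards all queries instead of resolving as a master
    cache: dict = field(default_factory=dict)

    def filters(self) -> bool:
        # The post's point: protection only takes effect on a master, not on a forwarder.
        return self.secure_responses and not self.forwards

def in_bailiwick(zone: str, owner: str) -> bool:
    """True if owner is zone or a subdomain of it (label-wise suffix match)."""
    z = zone.lower().rstrip(".").split(".")
    o = owner.lower().rstrip(".").split(".")
    return len(o) >= len(z) and o[-len(z):] == z

def deliver(chain, zone, response):
    """Pass one response for `zone` down the chain (upstream first); each hop filters or not, then caches."""
    kept = list(response)
    for hop in chain:
        if hop.filters():
            kept = [rr for rr in kept if in_bailiwick(zone, rr.name)]
        for rr in kept:
            hop.cache[(rr.name, rr.rtype)] = rr.rdata
    return chain[-1].cache

# Constructed poisoning attempt: an answer for attacker.example that carries an
# extra A record for a name in an unrelated zone.
POISON = [RR("www.attacker.example", "A", "198.51.100.5"),
          RR("www.bank.example", "A", "198.51.100.5")]

def windows_behind_old_bind():
    chain = [Resolver("old BIND", secure_responses=False),
             Resolver("Windows DNS", secure_responses=True, forwards=True)]
    return deliver(chain, "attacker.example", POISON)

def windows_as_master():
    return deliver([Resolver("Windows DNS", secure_responses=True)], "attacker.example", POISON)
```

Swap the first hop for a filtering upstream and the stray record disappears in both cases, which is the "look at the whole chain" lesson in miniature.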
Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.
Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's point. Then I read his manifesto and I really don't get it. GNU has come up with some good stuff in the past, and in a previous life I used to use and contribute to that effort. But this seems to be ideology taken to the extreme. Because the typical modern motherboard lets users flash the BIOS rather than remove and replace the chip, it should suddenly be treated differently? Presumably this includes video cards as well, which carry extensive (and flashable) code on the card.
It's not really a battle, more of a tempest in a teapot.
An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of 'security-enhancing' principles lead to one outcome: Users write down their passwords."
Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss issues that CA has with companies that are fighting being labeled as spyware. In Big Security Guns Should Aim Carefully at Adware, Spyware there's a discussion of Symantec's scoring system versus Microsoft's behavior-based approach documented in a recent white paper.
There is money to be made in spyware and the bottom-feeders that are using spyware and "adware" are going to be very aggressive at resisting being labeled as such. You can see this in the Microsoft white paper, where the targets are labeled "potentially unwanted software" rather than spyware.
It's all just semantics. When you install something on my PC that I don't explicitly want and ask for, you're a bad person and need to be dealt with harshly.