• Vacation differently: Find new interesting places using Geocaching

    This has absolutely nothing to do with security but is a lot of fun: A few years ago, I read an article about Geocaching. Basically, this is a treasure hunt using GPS. Wikipedia describes it like that: Geocaching is similar to the 150-year-old game letterboxing, which uses clues and references to landmarks embedded in stories. Geocaching was imagined shortly after the removal of Selective Availability from GPS on May 1, 2000, because the improved accuracy of the system allowed for a small container to be specifically placed and located. The first documented placement of a GPS-located cache took place on May 3, 2000, by Dave Ulmer of Beavercreek, Oregon. The location was posted on the Usenet newsgroup sci.geo.satellite-nav as 45°17.460′N 122°24.800′W / 45.291°N 122.413333°W / 45.291; -122.413333. By May 6, 2000, it had been found twice and logged once (by Mike Teague of Vancouver, Washington). According to Dave Ulmer's message, the original stash was a black plastic bucket buried most of the way in the ground and contained software, videos, books, food, money, and a slingshot.

    There are people who are really addicted to it and have found thousands of caches all around the globe. For us, it is more of a family fun event, and we are up to a few dozen so far. However, the reason why I wrote this post is that we started to use it during vacation to get to know places we would never have gone to otherwise.

    Let me give you two examples. Last year we went to a campsite on the Costa Brava in Spain, close to Barcelona. Close to where we stayed, there was a national park where a lot of people go. So, we went looking for a cache called Monastery of Sant Pere de Rodes, basically a really touristic attraction.

    However, the cache itself was not located there (the picture was actually taken on the way up to the cache). It was about a 30-minute hike up the mountain to an old castle with an outstanding view on all sides – something we would never have seen without the wish to find the cache:

    Another example is from our latest vacation in Crete. We were looking for Crete - Akrotiri - "3 Monasteries Cache" – again monasteries. The first one on that list was the one where the buses stopped. The last one was about 30 mins later… Look at the pictures:

    Worth it – wasn’t it? I know that I am a simple person: I just do not want to be in the big masses of people and I love toys (like GPS). But Geocaching led us to spots we would never have gone to. We did not even know that the center point of the state we are living in (and I even grew up here) is just about 2 km away from where we live.

    So, this is definitely something I would recommend you look into. Just visit the Geocaching website and have fun.

    Roger

  • Windows 7 E – the new Microsoft Proposal to European Commission

    I saw a lot of chatter on blogs and Twitter about Windows 7 E (the European edition without Internet Explorer). On July 24th, we published a new proposal on that. Read our statement yourself: Microsoft Proposal to European Commission

    Roger

  • A few comments to yesterday’s Out of Band

    It is pretty typical – these things often happen when I have a really bad Internet connection ;-). However, I am back home and the connection is kind of better now…

    I guess you have seen and heard about the two out-of-band updates we shipped yesterday. They are kind of special and I would like to make sure you are doing everything necessary to protect yourself and your customers. Therefore – even before you read the bulletins – read the Advisory which goes with the updates from yesterday, called Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution. Once you understand the problem space, get familiar with the two bulletins:

    Now, the real problem is with the applications and controls developed by you. If you are a developer, definitely make sure you read the corresponding article on MSDN: Active Template Library Security Update for Developers. In there you have a very good flowchart helping you to understand whether your component might be vulnerable.

    Last but definitely not least, ICASI was collaborating with Verizon Business to provide a free-of-charge scanning service to help you figure out whether your component is vulnerable. You find the information here:

    I hope this helps

    Roger

  • Kaspersky’s View of a Secure Internet – Does this make sense? I think not

    A few months ago, I already had some discussions with Eugene Kaspersky, during an event of the Council of Europe on Cybercrime, about how to address cybercrime on the Internet. At the moment, I am on a very, very slow connection and only got what I saw in my RSS feed enclosure, so I could not verify the whole article, but it is pretty much in line with the discussion we had there:

    So, let me try to give you a perspective and some comments in this context. He seems to say: The short term solution is to get global cooperation with the police, because the police of different countries don’t know how to collaborate with one another. He believes the police want more successful investigations, not just to stop the criminals but to also own the list of successes. So nothing is getting done and each one is blaming the other for the problem. We have to start to work together, think globally, and create a global police force. I could not agree more with this but I am going one significant step further: We do not “only” need a better collaboration between the different police forces in different countries (or within a single country), we need a better collaboration between Law Enforcement, Judges, Prosecutors and the private sector. This requires a different way of thinking by all the parties but it is absolutely necessary. The biggest challenge here is that there is no history of deep trust between these parties. From what I know, the Council of Europe is a great catalyst to help us all get there. Additionally, there are extremely good people in the different bodies, like Interpol and Europol, who really want to move this on.

    Next: The long term solution is to get governments around the globe to implement a universal list of rules and regulations for the public internet network. Well, yes and no. I am not completely sure whether I want this. If these rules are written together with the industry, there is a certain chance that we regulate the right thing. However, knowing the different players at the moment, there is a good chance that this will not be used for the sake of a safer Internet but only to get a competitive advantage – and this would be really bad!

    Finally he says: In addition, a personal ID will be required for internet access and for logging into financial websites, similar to a driver’s license or insurance card. “If you want to get connected or onto a website you will have to present an ID,” he explains. This is where we had the discussion, as I fundamentally object to this idea. This is – in my opinion – not feasible, as it would destroy one of the biggest advantages of the Internet: Free speech. Think about the events recently in Iran: Would the same kind of communication have been feasible if we had had strong authentication? Definitely not.

    So, what we need is a model that allows for both – and this is what we think claims-based authentication is about to deliver – it is part of the End to End Trust framework we introduced earlier.

    So, I think that Eugene should stop with this claim. It does not really add to a fruitful discussion. Let’s collaborate (as stated above) to jointly work towards one goal: A safer Internet.

    Roger

  • SANS: Recent attacks and a false sense of security

    Well, as I am not really working, just a quick one: http://isc.sans.org/diary.html?storyid=6787&rss

    Roger