January 24, 2007
Stolenidsearch.com ... are you crazy?
Is it just me, or is this a bad idea?
Let me see if I get this straight. Go to stolenidsearch.com, a web site I don't trust and have never heard of before, and PURPOSELY enter my credit card information to see if it's possibly compromised. If it wasn't... it might be now!
Alex and the crew at Sunbelt are good guys and mean well. But the last thing we really want to do is promote activities that can put more people at risk by teaching them bad habits... like entering their cc number into sites that they do not know or trust! How long before a malicious version from a cybersquatter is produced? According to Register.com, both stolenidsearch.net and stolenidsearch.org are available. As is stolenidcheck.com. A quick wget, a few page mods and a simple database to collect the credit cards are all that's needed.
If you want to know if your credit card is compromised, call up your financial institution and have them check. They have access to much of the same data this service may have. And if it doesn't, shouldn't the people behind the site disclose this information.... protecting those innocent people that have had their card compromised? Much easier for Visa to contact the card holder and let them know, than hoping the user will check for it on the web site.
I am looking at my calendar... it's not April 1st. So what gives?
January 22, 2007
The consequences of going to goggle.com
Sometimes, with a flair for theatrics, you can get the point across. I saw an interesting YouTube video yesterday about how unsafe browsing can be when you click without thinking, and I wanted to share that with you.
Susan blogged tonight about "dancing pigs" and how hazardous it can be to surf... especially since the adversaries are getting smarter with the popups they are providing. And she is so right. I won't even hold it against her... except for the fact she is using a Zune! :P
So make sure you are running your browser with the least amount of privileges. And for gawd sakes, trust but verify even the most unsuspecting window popups. As Forrest Gump was quoted to say, "You never know whut yer gonna get".
January 17, 2007
Dogbert's Password Recovery Service
Need I say more?
January 12, 2007
Doesn't really look like me... but it's as close as I could get. Give it a try yourself. Have some fun with it. Maybe make yourself a dragon wizard priest or something.
January 11, 2007
Secure software education. Does it start with our tools?
I recently posted something to SC-L that I thought I would share with my readers.
Last month I blogged (http://silverstr.ufies.org/blog/archives/000989.html) about my disappointment with the fact that the new service pack for Visual Studio 2005, on Vista, suggests with a specific dialog box that you run the IDE as Administrator. (http://msdn2.microsoft.com/en-us/vstudio/aa972193.aspx).
The actual dialog box is alarming and misleading, because it really gives poor advice and the false impression that developers HAVE to be building software as Administrator. Am I being selfish in believing that this is the LAST thing we want to do when trying to educate developers to not write code with administrative privileges? I know you can simply uncheck the thing and move on (as recommended by Michael Howard at http://blogs.msdn.com/michael_howard/archive/2007/01/04/my-take-on-visual-studio-2005-sp1-and-windows-vista.aspx), but the reality is that this guidance isn't helping us as we try to educate developers to write software requiring less privilege, when the tools we use suggest that they don't adhere to that!
For years we have been trying to educate developers to run with least privilege so they can build safer software in a more restricted environment. This is particularly important in a Windows environment, where quite a few attack vectors would be significantly lessened if the software had simply required fewer privileges at design time. I fear that when developers see such guidance they will simply run all their tools in an elevated context, or worse yet turn off things like UAC altogether so they can go about their "daily business". Now, I am pretty sure that a lot of us on this list have been building software in least privilege environments for years. But what does this say to those that don't know any better when they see such dialog boxes when they start their tools?
Microsoft has even written a Vista "Issue list" for when you run Visual Studio as a Standard User. (http://msdn2.microsoft.com/en-us/vstudio/aa972193.aspx). There are plenty of examples there where the workaround is "Run Visual Studio with elevated administrator permissions" when it doesn't have to be. So it's clear they know this is an issue.
Am I wrong for being disappointed in Microsoft's approach at this stage of the game? We aren't talking about an old IDE written for Windows95. This was built FOR and ON Vista. With Microsoft's great strides in their SDLC process to date, should we be expecting them to lead the charge in educating developers to run as Standard Users? What are your thoughts on this?
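As an added example (not from the original posts, and not Microsoft's or Visual Studio's own code), here is the check a practitioner would want for both the "run your browser with the least privileges" advice in the January 22 post and the Visual Studio elevation question above: a PowerShell snippet that reports whether the current session is elevated and what integrity label its token carries, and a guard you can put at the top of a build or test script so it refuses to run from an elevated prompt. It assumes Windows Vista or later (where UAC filters the admin token and labels it with a mandatory integrity level) and PowerShell 2.0 or later for ConvertFrom-Csv; the function names are my own.

```powershell
# Added example, not from the original posts. Assumes Windows Vista or later
# with UAC enabled and PowerShell 2.0 or later. Function names are mine.

function Test-IsElevated {
    # True when the current token is a full member of the Administrators group,
    # i.e. this shell (and any tool it launches) is running elevated. Under UAC a
    # non-elevated admin's filtered token carries Administrators as deny-only,
    # so IsInRole returns False for it, which is exactly what we want.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MandatoryLabel {
    # The token's integrity level is listed by `whoami /groups` as a pseudo-group
    # named "Mandatory Label\<level> Mandatory Level": Medium for a standard user,
    # High for an elevated token, Low for a sandboxed process such as
    # Protected Mode Internet Explorer on Vista.
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    return ($rows | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'
}

function Assert-NotElevated {
    # Put this at the top of a build or test script: it stops the run when it is
    # started from an elevated Visual Studio command prompt or an
    # "Run as administrator" shell, so bugs that only show up under least
    # privilege are caught during development rather than by the customer.
    if (Test-IsElevated) {
        throw "Refusing to run elevated ($(Get-MandatoryLabel)). Restart as a standard user."
    }
}

Assert-NotElevated
Write-Host "Running as a standard user: $(Get-MandatoryLabel)"
```

From a normal prompt on a UAC-enabled machine this prints "Mandatory Label\Medium Mandatory Level" and carries on; from an elevated prompt it throws and names the High label, which is the signal that the tool (or the developer) has quietly drifted back to administrator.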
January 09, 2007
Could Microsoft learn from Apple?
So today Apple launches the iPhone. There is such a plethora of information on the bloody thing I don't need to pollute your mind with any more comments or stats on the thing that you can get elsewhere.
But I want to bring attention to one thing that I notice in comparison to my smartphone. And it's not really new, or even news. Apple makes sexier looking software. My Windows smartphone is just not that good looking for a display. And there is no Google Maps like that. Holy cow! That's a nice widget.
But will I ever buy one? Nope. Why not? Cuz our office uses Exchange... and my phone is a business tool... not a toy. Currently it syncs my Exchange email, contacts and calendar effortlessly. And the iPhone just isn't made for that.
To the developers of apps for the Microsoft smartphone. Take notice. Quit making such crappy looking software for the smartphone. Look how well the iPhone works. You CAN do that. Why don't you?
January 08, 2007
Defending Layer 8: How to recognize and combat social engineering
I have always loved Steve Riley presentations. During Tech Ed IT Forum Microsoft filmed a variety of sessions which are relevant to Security. One that I really liked was Steve's presentation on "Defending Layer 8: How to recognize and combat social engineering".
Here is an abstract of the presentation:
The human element is often ignored in security. Organizations will spend fortunes on technology and are still vulnerable to old-fashioned manipulation! Steve Riley takes you through the issues that are present when people, computers and networks meet. In an example-filled session we delve into the depths of user psychology and how it's at layer 8 where all security succeeds or fails.
It runs just over an hour... but is well worth the time investment for such a great presentation. Enjoy!
January 07, 2007
Bye bye Linux home server. Hello "Windows Home Server"
That's right. Microsoft is invading my house even more. I already replaced my gateway with a Small Business Server box running RWW, Exchange, Sharepoint and an internal web site. My attempt at getting MythTV working was replaced with a MediaCentre PC. My Playstation 2 is in my daughter's room now... since my XBOX is driving my HDTV.
And now... my Linux SAMBA server is going to be replaced with Windows Home Server... assuming I can get my hands on one. If you haven't heard the news, Bill Gates announced Windows Home Server today. Man am I excited. There is a great vlog post about it over at On10. There is also a blog post showing what it might look like. Sexy little thing isn't it?
Kudos to Microsoft. This is the exact sort of central storage device that I need. And one I could actually recommend for my in-laws. And that is saying a lot.
Now just to get my hands on one.
January 01, 2007
Once again awarded the Microsoft Windows Security MVP designation
Well Happy New Year!
I trust this blog post finds you in great health and good holiday spirits.
Checking my email today, I noticed one from Microsoft; I have been awarded the Windows Security MVP designation again. I am in good company with some really smart people. Will be fun to hook up with many of them at this year's MVP Summit.
For a brief moment I thought the email was informing me Microsoft was sending me a Ferrari laptop too.... but that wasn't to be. Finding out I won the award again isn't all that bad either though. Although I have to admit... I still want to be able to say I got a Ferrari from Mr. Gates :)