
Archive for the ‘Security’ Category

Improved Surfing and Browsing Notes

OVER time, I’ve accumulated a few notes about things that I bear in mind while surfing the Web or communicating with people. Here’s a quick breakdown.

Saving Evidence

Corporations, unlike us mere mortals, don’t care about preservation more than the law requires. That’s why the Bush Administration, Intel, Microsoft and many other companies purge E-mails and shred documents without any guilt or hesitation. I should really make copies of everything I cite (I rely too much on the Web Archive). A friend of mine wanted to automate this and create archives of all my posts, plus local copies of cited articles. With wget, these can be sorted nicely by URL, but I never do this. If you have any tips, please leave a comment.

WWW Privacy

A person can always use a proxy if there is fear of having IP addresses harvested. I set up this thing for myself a couple of years ago and I had to make it password protected because lots of people from Asia used up my bandwidth. Then, the only server that ever sees my IP address is mine. You’re essentially passing requests through a trusted middleman.

Since all routers are peers as well, there’s no way to get perfect independence from other people’s vigilant eye. One option is therefore to use Web mail via proxies, but then you’re still relying on the proxy not giving away its log files (or destroying them every night).

I suppose you may have heard by now about the police demanding encryption keys from an animal rights activist over here in Britain. There’s increased mail monitoring as well, which is why I suggest that people get themselves covered. There’s also that Blogger (Google) incident from last month. Google gave away the IP to the police and used some excuse. Think of mini-microsoft (the blogger) and many others who rely on anonymity. Without anonymity, they will lose their jobs. It seems like an approaching end of an era. Authorities require greater control. They are exposed too often, so they misuse their powers.

E-mail Privacy

Have you readers considered encrypting your E-mails? I do this with people who can. If you’re using Thunderbird, there’s an extension called Enigmail that will make it very simple for you to set up. It’s cross-platform too.

Remember that privacy is among your rights. Don’t let people take it away from you and essentially treat you like a criminal. With less privacy, you are left powerless and exposed.

Linux Cannot be Trusted, With the Exception of Freedom

WE have entered a period when GNU/Linux desktops gradually become more widely accepted. An increasing number of people choose to migrate not only for cost savings, but also — because software takes more control of the user’s privileges over time — for freedom, which becomes attractive. To some, independence and choice are newly-realized traits and they are inherent in the software. In many cases and to many people, these traits were never understood or explored before, but they have a great deal of impact on behavior and security. Thus, they are related to trust.

With changes in software paradigms — from closed source (proprietary) to open source — changes in mindset do not necessarily ensue. Ideological and conceptual views cannot be changed overnight. Experienced Linux users strive to find a point of balance wherein both worlds (and both mindsets) can settle and thrive together, without exclusion of peers.

It is often argued that openly sharing code leads to elegant solutions. Poor solutions perish whereas better ones evolve and spread. While many remain united by the goal of producing and supporting the best operating system and applications, there remains at least one divide; there are those who argue in favour of full transparency and those who are more apathetic towards it.

Apathy gives more control over technical decisions to parties other than the user him/herself. This leaves a door open to abuse of rights, which is usually motivated by financial interests.

Other divides involve learning curve (e.g. command-line versus GUI) and perception of intellectual property, but these divides rarely affect the development model and the quality of software. Different distributions of Linux address the needs of different users, yet there is at least one component that is shared by almost everyone — the kernel.

Computer code is hardened and bugs are removed when more pairs of eyes review its quality. It is a question of visibility. Visibility is trust. What happens, however, when partial visibility becomes a necessary evil? Increasingly, as the reach of Linux broadens, a desire is born to choose easier routes to a working solution. As the technology-savvy crowd becomes a minority among the userbase, principles are compromised.

Arguments about pragmatism arise whenever a company or an individual is unwilling to disclose secrets. If this company or individual is kind enough to meet half way, by providing a solution which enables function but insisting that this function remains cryptic, a dilemma becomes inevitable. If this gift is accepted and becomes widely adopted, it becomes difficult to beg for change.

The importance of open source drivers is largely underestimated. Due to their proximity to the core of an operating system, they can affect security, privacy, and stability. An open source platform cannot be truly understood unless subsystems are entirely visible.

A truly trustworthy system is one where there is an open route of visibility which extends downward to the lowest level. Such a system is needed to ensure that no single mind or faction is misusing its ability to embed self-serving and user-hostile code. Trust is as deep as the layer of the stack which defines separation between known and unknown — that which permits the user to access the core.

In the future, we are likely to see widespread use of free/open source BIOS, open specifications for graphics cards with an open source implementation, and processors that are open (consider Sun’s processors whose design is already licensed under the terms of the GNU GPL).

Due to the fact that Free Linux distributions take a lot of criticism, I’ve written an article. Free software is, sadly enough, largely misunderstood. Only days ago, Mark Pilgrim was ranting and Don Parris responded. My own 50 cents were posted in Datamation. The article could be called “The Importance of Gobuntu to the Goals of Linux”, but I chose a different (and more generic) headline. Gobuntu was born to serve specific needs. It is built for users to whom freedom is an important quality of the software they use. More in Datamation:

As GNU/Linux becomes more popular, the motives behind its inceptions are often forgotten. Linux is a free operating system, but its broadening userbase perceives this freedom as pertaining to cost, not rights and liberty.

Windows Botnets Put the Internet at Risk

WE often hear about the need to rebuild the Internet or at least rethink and revise its whole design. The problem, however, is not the Internet’s design. The Internet was built under the assumption that nodes in the network are well behaved and those that are not can be pulled out of it.

What do you get when one single node and one evil mastermind control millions of these nodes? That’s where the poor security — a wet dream to government that wanted back doors available in every PC — comes into play. Windows is on the brink of destroying the Web. Sadly, the mainstream media does not give this much coverage, for obvious reasons. The article cited here (via one blogger’s interpretation) talks about the Storm botnet.

“Storm” is nothing compared to the whole. Vint Cerf, one of the fathers and architects of the Internet, says there are 100-150 Microsoft Windows zombies out there. That’s a large proportion of the PCs in the world and it’s a ticking time bomb. The criminals use only a fraction of the PCs’ capacity at the moment, but they do some test runs sometimes, e.g. knocking down DNS almost, i.e. ‘killing’ the Internet. That one type of attack came from Korea about a year ago.

There were also those botmasters who were doing some heavy spamming last Xmas (while system administrators are away). Mail servers were knocked offline and some bloggers had their accounts suspended. There is also the attack on Estonia, among many other incidents. The cyber-criminals are just afraid of getting caught, but they have enormous (and scary) potential. The only solution to botnets is probably to make Microsoft Windows obsolete. The operating system is, at present, broken beyond the point of being repairable. We are yet to suffer the consequences of this for years to come because old PCs will continue to be hijacked. They will not have secure software take over them.

Microsoft Watch Censored Polite Comment Highlighting Problems


Joe Wilcox, you should be ashamed of yourself.

Several days ago, I left a comment in his inherited Web site just to say that Microsoft hides some of its Vista weaknesses by secretly patching vulnerabilities. I even provided two links from very reliable sources to support this. One of these sources was the Microsoft Blog at ZDNet. With further confirmations that this is true, I see no reason whatsoever why my comment should be removed. This leads to the suspicion that Microsoft Watch has turned from a professional Web site run by Mary Jo Foley into a Microsoft shilling dumpster. Several months ago, the site dropped its Windows server and had it replaced by Red Hat Linux. This is hypocritical, is it not?

It has become obvious (by admission) that many Microsoft employees visit the Web site and even comment without disclosure. I refuse to participate as much as I used to, knowing that a site which once served me well has decided to lift an iron fist and decide what is valid information and what is an inconvenient truth.

DRM in the Kernel

Security First, Only Then User Convenience

Sadly, many people use a convenient argument to defend Windows’ security problems. They would like you to believe that security is failing because of relative market share, not inherent security, which one can attain through proper design. Windows was built to serve users’ convenience while neglecting to account for the subsequent inclusion of an Internet connection. Windows was very desktop centric, as Gates’ snubbing of the Internet has proven over the years. That, and only that, is why Microsoft struggles to rewrite a vast codebase in a quick and secure fashion that leads to mature and well-established libraries.

The following articles demonstrate and explain why Windows is simply insecure by design. Market share plays a relatively minor role in this equation.

Consider more secure platforms, preferably ones that conform with the POSIX/UNIX model that has matured over many decades. Keep the cr4ck3rZ working much hard(er).


Browser Diversity and Security

Firefox in the dock

There has been a great deal of talk about browser statistics recently. Market share has become a measure of diversity, which ensures that Web developers tailor their site according to standards rather than for one particular application. Security remains at the heart of this debate, but it’s clear that the complexity of this problem is high.

All Web browsers are insecure to some degree, because they all must work with flawed code in the operating systems. There are some indications of progress, such as frequent patches from Microsoft and Mozilla to close security holes. Still, these actions may be too little too late if a zero-day exploit is the attack weapon.

It all comes down to patching speed, the number of flaws, as well as their severity (e.g. privilege escalation can be catastrophic).

Related article from the same day (and same Web site):

    Will Security Worries Dull Ajax’s Cutting Edge?
