The end is near, at least for software patents
January 29th, 2009 under Articles, Digital Rights, Politics, World, rengolin.
Ars Technica has a fantastic article on software patents in the US, and on how the process is slowly reverting to what it should be (and was, at the beginning).
They describe the whole history, the important cases, the different points of view, and how the whole thing went nuts this century. The system was bound to fail once the big companies started paying billions to patent trolls, but it took rather too long to actually start reversing…
Would that be Obama’s aura? Or do both events mean that the US people have finally started to think for themselves? Whatever it is, it’s in the right direction, I think.

Who’s afraid of the big bad code?
January 14th, 2009 under Articles, Devel, InfoSec, Politics, rengolin.
What would Bruce Schneier say about the magic list that the NSA is putting together with Microsoft and Symantec: the 25 biggest errors in code that normally lead to a security flaw?
Don’t get me wrong, putting out a list of bad practices is a fantastic piece of work, that’s for sure. It makes programmers more aware of the dangers and, as the article itself says, newbies can learn from experience before getting into a new field.
But the way (lay) people take it makes it so magical that the practical value of such a list is greatly reduced.
Order and size of the list
I understand that the order must have some sense, but which? Is it ordered by number of attacks in the last 12 months? Or by the sum of all reported losses caused by them? Or by number of such errors found in common code (on those companies’ code, of course)? Or by any other subjective “importance” factor from a bunch of “Security Experts”?
Also, why 25? Why not 30? Who says that the 25th is so important to show up in the list and not the 26th?
Real-world
We programmers know about most of them, know the problems they pose and normally how to fix them. We often want to fix them, but that normally requires some refactoring and now it’s time to implement those features that our client needs for the demo, right? We can think about that later… can we? Will we?
Then the NSA decides to make this a priority for the country and claims it as a national security problem. Big companies like fancy terms, and will strive to adopt any new standard that shows up in the market.
Then down comes the VP of engineering and says:
“We need to make sure every programmer knows how to write code that is free of the top 25 errors.”
Done: he can put up the GIF image from the NSA saying his company’s software is secure against all odds, according to the NSA and DHS.
Now, coders and technicians, tell me: Would any editor, IDE or compiler ever be able to spot those errors with 100% accuracy?
“Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors,”
Of course not, but they will try: Microsoft will put out a beta of Visual C++, other companies will tell their clients that their software is being tested with the new product, and the clients will buy; after all, who are they to say anything about the matter?
Protect against whom?
Now, after so much time and effort, with 30+ companies and government departments working hard to come up with a (quite good) list of the most common errors that lead to security flaws, what is it all for?
“The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent – ankle-biters if you will – would be deterred from breaking in.”
WHAT?!?! All that to stop script kids? For heaven’s sake, I thought they were serious about that… Well, maybe I expected too much from the NSA… again…
(Note: quotes from original article, ipsis litteris)

Recursive hacking law
January 13th, 2009 under Articles, Digital Rights, InfoSec, Politics, rengolin.
According to the BBC, the new European strategy against cybercrime encourages the police to hack the hacker.
I just wonder if the European Union has any idea of what the word ‘hack’ really means, or how grey the area between white hats and black hats is and, more importantly, that both types live on both sides of the fence! Ask a hacker to define hacking and you’ll need a comfy sofa and someone else to actually hear the whole story.
The only problem with that is that it’s recursive. Once the police (and the private sector) hack me, they become hackers themselves, allowing me to hack them, in the interest of security, based on the same law. Right?

When the hunter becomes the hunted
July 22nd, 2008 under Articles, InfoSec, Sponsored, Technology, rvincoletto.
The fast evolution of computer networks has brought fantastic developments in communication and connectivity.
We can easily see this evolution by observing the Internet: first a restricted network and now a complex, global one, where we can do anything from a simple mail exchange to complex and elaborate financial transactions.
But we also have the dark side of this fantastic environment: threats like viruses, worms and Trojan horses, scanning, spoofing, sniffing or snooping, and so many others, have become the nightmare of every organization.
Indeed, technology can work both for and against us.
A good way to make technology work for us is Packet Inspection. This is a tool frequently used to sniff networks, looking for passwords and weaknesses, but information security professionals can use it to do exactly the opposite: protect the network.

With a good Packet Analyzer you can generate information about your integrated information systems, helping the system administrator find and solve problems quickly and efficiently. It’s possible to identify attacks, unauthorized access to systems and malicious behaviour. In other words, with a good inspection solution your organization will be able to see and analyze everything that hits your network.
You can prevent problems and also reconstruct network sessions, providing the information needed for Network Forensics. This is when the hunter becomes the hunted: to defend your organization, you will be using the same method malicious actors use to put your business at risk.
Do you want to know what Packet Inspection is? Watch this video for more information: Deep Packet Inspection explained, or read about it on Wikipedia.
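As an added illustration, not part of the original post or of any product it describes, the Python sketch below does the two things the post mentions over a constructed batch of packet records: it spots a scan pattern (one source sending bare SYNs to many ports) and it rebuilds one direction of a TCP session for forensics, tolerating out-of-order and retransmitted segments. All hosts, ports and payloads are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured TCP segment (constructed, not a real capture)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S" = bare SYN, "PA" = PSH+ACK carrying data
    seq: int = 0
    payload: bytes = b""


def detect_port_scans(packets, min_ports=10):
    """Return {(src, dst): sorted ports} for sources whose bare SYNs touch at
    least `min_ports` distinct ports on one host: the classic scan signature."""
    syn_ports = defaultdict(set)
    for p in packets:
        if p.flags == "S":                       # connection attempt, no ACK
            syn_ports[(p.src, p.dst)].add(p.dport)
    return {k: sorted(v) for k, v in syn_ports.items() if len(v) >= min_ports}


def reassemble_stream(packets, src, dst, sport, dport):
    """Rebuild one direction of a TCP stream by sequence number. Retransmitted
    segments are de-duplicated; a hole in the capture is marked, not hidden."""
    segs = {}
    for p in packets:
        if (p.src, p.dst, p.sport, p.dport) == (src, dst, sport, dport) and p.payload:
            segs.setdefault(p.seq, p.payload)    # keep first copy of a retransmit
    data, expected = b"", None
    for seq in sorted(segs):
        if expected is not None and seq > expected:
            data += b"[%d bytes missing]" % (seq - expected)
        if expected is None or seq >= expected:  # skip fully overlapping data
            data += segs[seq]
            expected = seq + len(segs[seq])
    return data


# Constructed sample: a scanner probing 12 ports, plus one legitimate HTTP
# client whose request arrives out of order and with one retransmission.
SAMPLE = [Packet("10.0.0.99", "10.0.0.5", 40000 + i, port, "S")
          for i, port in enumerate(range(20, 32))]
SAMPLE += [
    Packet("10.0.0.7", "10.0.0.5", 51234, 80, "S", seq=1000),
    Packet("10.0.0.7", "10.0.0.5", 51234, 80, "PA", seq=1017, payload=b"Host: example.com\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.5", 51234, 80, "PA", seq=1001, payload=b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.5", 51234, 80, "PA", seq=1001, payload=b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("scans:", detect_port_scans(SAMPLE))
    print("session:", reassemble_stream(SAMPLE, "10.0.0.7", "10.0.0.5", 51234, 80))
```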

Help us, Obi-Wan Kenobi; you’re our only hope…
February 18th, 2008 under Articles, Computers, OSS, Web, rengolin.
After Yahoo! rejected the MS offer and all the fuss about the Yahoo! takeover, now Yahoo! itself is breaking apart…
No wonder the shareholders are mad: Yahoo! has been falling to pieces since Google came onto the scene, and now, with the $31 / share offer when it was barely holding itself above $20, the shareholders saw all the return on their investment happening in a very short time, in what might be the last chance they have to see any money back at all.
So here’s a bit of futurology:
David Filo moves to Hawaii, the shareholders sue Jerry Yang and he ends up very poor on his own Caribbean island, Yahoo! is bought by Microsoft for half the price (after the lawsuits there will be little left) and the shareholders will be very happy to, at least, get some money back.
All of FreeBSD / Apache / PHP will be converted to Windows 2003 Server / .NET / C#, Yahoo! services will be even worse than they used to be, Microsoft will take the users and force them to start using Google services (no one likes to eat crap anyway), and Google will be the last hope of the Internet.
Fortunately Google is by far more efficient than Microsoft and Yahoo! together (it’s not that hard anyway) and it’ll be a piece of cake to take them both down while still holding their hats with the other hand. I just hope Google doesn’t try to dominate the world as Microsoft has been attempting for decades; they probably know by now that it’s like reaching the speed of light: the bigger you are, the more energy you need to increase speed.
Microsoft and Yahoo! will still exist for a loooong time and Google will have a bit of competition for a while, at least until the “next-Google(tm)” shows up and puts all three in the sack “with a wave of her hand(tm)”, and the cycle will start all over again.
Let’s hope for the best, whatever that is…

Information Security Carnival – 2008 1st Edition
February 3rd, 2008 under Articles, Gadgets, InfoSec, Technology, rvincoletto.
Welcome to the February 3, 2008 edition of information security carnival. And what can I say… This could be the USB Security Edition.
articles
bennie presents What technological things should you have? posted at Technology Matter, saying, “A list of technological things you should have.”
Host comment: This is not exactly an Infosec article, but it’s a good list.
DJ presents Bluetooth spamming gets green light posted at Bluetooth Insight.
Brian Terry presents 7 Website design mistakes to avoid (at all cost!) posted at Big Selling Website Design.
reviews
DJ presents LG Vaccine USB posted at USB Insight.
gs presents IronKey posted at The Tech-Investigator, saying, “Outlining the critical elements of information security for the mobile Professional Investigator.”

DJ presents Yoggie launches Gatekeeper Pico posted at USB Insight.
tips
Tutor presents 0tutor.com: 10-steps-to-a-secure-wireless-network posted at 0tutor.com tutorials blog.
Host comment: “Great tips!”
Sai presents Keeping Your USB Drive Safe: Part 1 posted at American (Tech) Sai-ko, saying, “Tutorial on how to keep your usb drive encrypted and safe.”

Host comment: “Wonderful article! Now we are waiting for Part 2.”
BeThisWay presents You Dont Have To Be Gullible To Be a Victim of a Check Scam posted at Are You Going To Be This Way The Rest of The Time I Know You?.
Host comment: “Social Engineering and how to avoid it.”
That concludes this edition. Submit your blog article to the next edition of information security carnival using our carnival submission form.
Past posts and future hosts can be found on our blog carnival index page.
Technorati tags:
information security carnival, blog carnival.

Information Security Carnival – 4th edition
October 28th, 2007 under Articles, InfoSec, Review, Software, Technology, rvincoletto.
Welcome to the October 28, 2007 edition of information security carnival. We have frauds, ID thieves, viruses, spyware, privacy invasion and more.
articles
Marc and Angel present 6 Digitally Traceable Tracks We Unconsciously Leave Behind posted at Marc and Angel, saying, “I have compiled a list of 6 digitally traceable tracks we unconsciously leave behind as we trek through our daily routines. I have also included a hypothetical example of how easy it can be to track someone down online by tracing their online affiliations and dabbling with the information that is found.”
Wenchypoo presents The Shocking Ease of Breaching Corporate Security posted at Mental Wastebasket, saying, “Written last year, but the info is (sadly) still relevant.”
Falando pelos Cotovelos presents Airport (In)Security posted at Falando pelos Cotovelos, saying, “Airports are a major concern nowadays.”
Doug Woodall presents Its Halloween! Spooks, Specters and Spyware! posted at The Spyware Biz Blog.
Wenchypoo presents Barking at a Hole in the Fence posted at Mental Wastebasket, saying, “Written last summer, but still relevant today.”

reviews
Renata Vincoletto presents Dangerous Files you Have to Avoid posted at systemcall dot org.
tips
Scott M presents How to Change the Root Password to Get Into a Linux Box posted at System Notes Org, saying, “Get Into a linux box when you don’t have the password. Requires physical access.”
Wenchypoo presents Credit and Identity in Shreds posted at Mental Wastebasket, saying, “A shredder isn’t enough!”
MT presents Safeguard yourself from internet frauds posted at MT Herald Dot Com.
Wenchypoo presents No Rest from Identity Thieves–Even After Death posted at Wisdom From Wenchypoo’s Mental Wastebasket, saying, “I experienced this myself when helping my husband clean up his parents’ estate.”
Karl Sultana presents Keeping Children Safe From Online Sexual Victimization posted at NoAdware Blog.
Wenchypoo presents Wisdom From Wenchypoo’s Mental Wastebasket: Choice versus Privacy Invasion posted at Wisdom From Wenchypoo’s Mental Wastebasket, saying, “More to do with consumer information security than anything else.”
tools
Infosec presents Managing your Information Security Projects on line posted at Infosec.
information security carnival, blog carnival.

Apple is the current Microsoft, who’s next? Google?
September 20th, 2007 under Articles, Computers, rengolin.
A friend sent me a link about the new monopoly/patents bastards: Apple Inc.
Apple was never worried about open standards, and never tried to hide their intention to lock the Mac market by building a closed architecture / operating system / applications scheme. In that sense, Microsoft is almost open source. They were the first supporters, together with IBM, of the open architecture, the PC. In the past it was quite easy to develop programs for DOS (using the magnificent Borland Turbo C++), etc.; it was, in a sense, an open world.
I may say, in fact, that Microsoft tried to become the new Apple and failed miserably, for our own sake, because Apple never had much advantage in the market, only among those few posh non-hackers or weird designers. Today, Microsoft is being forced to open its server protocols, more and more third-party compilers and IDEs (good free ones) are being added to the list, etc. It’s not a closed world in the strict sense, at least not as closed as the Mac world is.
But Google, always a defender of freedom, openness, transparency (?) and good craftsmanship, fighting hard here and there to end the awkward and stupid patent system in the US, ended up filing their own patent.
What happened? Not enough resources? Or are you playing on their (MS/Apple) own terms? Apple thinks the latter is more probable, and so do I… They are now in direct competition with Microsoft (desktop search, Google Docs with presentations) and they must fight in a field where MS and Apple dictate the rules, and the rules are monopoly and patents, unfortunately…
Well, let’s hope that the part of Google that wants to break with patents wins before the other part (the one filing patents) does more damage to freedom…
Fingers crossed!

Information Security Carnival – 1st edition
August 12th, 2007 under Articles, Books, Fun, InfoSec, Review, Software, Technology, rvincoletto.
Welcome to the August 12, 2007 edition of Information Security Carnival.
It’s amazing what wonderful submissions we have. We have tips, tools, articles, and even cartoons!
Jeremy Hitchcock sent us a great cartoon about Brain Spam… Can you imagine that?

Well, let’s go to our submissions:
articles
Noric Dilanchian presents Dilanchian Lawyers – Checklist of 51 hints for data and IT security posted at Lightbulb, saying, “Based on the experience and wide reading of the lawyers at this IT law firm, here is a list of 51 computer security problems and in each case a brief statement on solutions.”
“Amazing article, well-written, with tips for beginners and advanced Infosec Professionals.”

Jeremy Hitchcock presents WTTF: Welcome to the Future – Telepathy by AT&T posted at WTTF: Welcome to the Future, saying, “How hard it’ll be to secure our thoughts in the age of telepathy.”
“Hum… that’ll be my project… secure our brain waves…”
Infosec Group presents InfoSec – How to create a security policy posted at InfoSec.
“General tips to create a Security Policy.”
Falando pelos cotovelos presents Security Breaches posted at Falando pelos Cotovelos.
“Re-think your USB drives, flash drives, MP3 players and even your Digital Cameras’ memory cards.”
reviews
A Geek Family presents How to recover files deleted with Shift Del posted at A Geek Family.
“Yeah… Shift+Del is not the end of the world…”
tips
Slaptijack presents Username / Password Authentication in Cisco IOS posted at Slaptijack.
“Think security isn’t that hard. With a few steps you can improve your router security.”
techsack presents Fight spam while learning Linux posted at TechSack.com.
“Use Linux and improve your spam-filter capabilities”
SmallTownBS presents Yet Another Identity Theft Article posted at Small-town Big-shot, saying, “A highlight of social engineering and other hacking methods that hackers use to steal money and identity; in addition, ways to protect you from these things.”
“Hacking your brain is still something for the future… but, right now, some people can steal your identity.”

Ted Reimers presents College Students and Identity Theft posted at CampusGrotto.
“Universities have become a target for hackers. How can we protect our students?”
Geek Sisters presents Bluetooth and bluejacking posted at Geek Sisters.
“Nice explanation and video about bluejacking”
Your Hostess presents How to keep your Internet Life Browsing in a secure way posted at systemcall dot org.
“Just a few tips about browsing.”
That concludes this edition. I want to say thank you for all those great articles, and please, keep up your great work!
Submit your blog article to the next edition of information security carnival using our carnival submission form.
Past posts and future hosts can be found on our blog carnival index page.
Technorati tags:
information security carnival, blog carnival.

A Time Travel through the History of Backup
May 26th, 2007 under Articles, InfoSec, Review, Sponsored, Technology, rvincoletto.
When techie guys talk about backup, maybe you don’t know exactly what they are talking about. So, let me explain a bit about backups.
A backup is a copy you make from one device to another for recovery purposes, in case you have problems with your original files. That’s an essential procedure for those using computers and other digital devices, such as digital cameras and MP3 players. Nowadays, the best-known backup media are CD-ROM, DVD, HD and magnetic tape.
All major operating systems have tools to implement your backup, but there are thousands of powerful software packages out there to create and restore your data.
Here’s an excellent article explaining all types of backup, history, and what type of backup is the best for you.
The following graphic shows a Backup Time Line, covering the most important backup strategies in history.

You will learn how Punch Card Backups are a reference point in backup history, and why they were replaced by magnetic tapes and tape backup.
The article also features backup using hard drives and floppy disks, up to our times, when people are using flash drives, Blu-ray and HD-DVD to keep their data safe.
The article is a time travel, and you will learn when network backups began to be used, and why online backups are growing so fast.
It’s an interesting article for techie and non-techie people alike.