Thursday, September 4, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Hyprocisy and Irony in Minnesota [The Falcon's View]

Posted: 04 Sep 2008 08:43 AM CDT

Pardon the brief rant, but I'm tired of the airtime these Republican wonks are getting for the excrement they're spewing. Minneapolis/St. Paul appear to have been turned into a police state, where peaceful protesters are attacked, and where legally booked...

Chrome epidemia globale controllata [Sicurezza Informatica Made in Italy]

Posted: 04 Sep 2008 06:39 AM CDT

Forse bisognerebbe riscrivere alcuni libri di marketing. Quale prodotto (gratuito) si è imposto così velocemente fino ad assumere le sembianze di un epidemia su scala mondiale? Nemmeno il blaster ai suoi tempi seppe far di meglio.

Le statistiche si riferiscono ad , che è un sito principalmente visitato da utenti eruditi in termini di sicurezza. E ciò è preoccupante.
Aggiornamenti dal fronte privacy : Matt Cutt ha annunciato la revisione della privacy policy eliminando il paragrafo 11 . Meno male se ne sono accorti.

Didier Stevens on the Audioparasitic podcast about old school hacking on the Apple II, BBSs, PDF vulnerabilities, DRM, mobile threats and much more [Security4all] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 05:18 AM CDT

My fellow blogger Didier Stevens apparently was interviewed in the Audioparasitics podcast. Some might know Didier from the test he did with Google ads to demonstrate how it could be used to distribute malware. His blog is very interesting and also hosts several interesting tools he has written. The podcast episodes are listed below:

Episode 43 - Part 3 of 3 - AudioParasitics exclusive interview with Didier Stevens: Topics include old school hacking on the Apple II, BBSs, PDF vulnerabilities, DRM, mobile threats and much more!

Episode 42 - Part 2 of 3 - AudioParasitics exclusive interview with Didier Stevens: Topics include old school hacking on the Apple II, BBSs, PDF vulnerabilities, DRM, mobile threats and much more!

Episode 41 - Part 1 of 3 - AudioParasitics exclusive interview with Didier Stevens: Topics include old school hacking on the Apple II, BBSs, PDF vulnerabilities, DRM, mobile threats and much more!

Belgian Active political bloggers should go and listen to these people [belsec] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 04:43 AM CDT

The socialist party is (after all that time) at last beginning to understand that political activism is also made online and can be bolstered online - although it wouldn't make any difference if the rest is not good.

So at its national conference it has organized a workshop with some firm that probably does some of the modernizing of their website - but still lacks the global strategic view for the movement an sich or doesn't have the go ahead to implement it - and a conference with two interesting US speakers.

The most interesting thing to see will be the reaction of the Belgian politicos.

programma 18th october

Not sure yet if I will put a Free Georgia tshirt on ..... :)

BelsecTV the future of the internet (OECD june 2008) [belsec] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 04:15 AM CDT

This page has links to interviews captured during the meeting of the Organisation for Economic Cooperation and Development on the Future of the Internet Economy, in Seoul, Korea, June 16-18, 2008. Foreign ministers, business leaders, technical experts, and representatives of civil society and academia conferred at this OECD ministerial event, with the goal of comparing experiences, seeking answers to common problems, and coordinating domestic and international policies.

A series of very interesting speakers and subjects.

belsectv : internet and flood management [belsec] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 04:00 AM CDT

Document of the day : does ICT production fuel CO2 production [belsec] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 02:30 AM CDT

This presentation says that it does because of the fact that so many different parts of the production process are done in so many different countries.

It also talks about the globally integrated enterprise and takes as an example IBM click on the image to enlarge


freeware of the day Active@ KillDisk [belsec] [Belgian Security Blognetwork]

Posted: 04 Sep 2008 01:45 AM CDT

Active@ KillDisk - Hard Drive Eraser is powerful and compact software that allows you to destroy all data on hard and floppy drives completely, excluding any possibility of future recovery of deleted files and folders. It's a hard drive and partition eraser utility. Active@ KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M. The most secure Gutmann's data destruction method is also implemented. You can be sure that once you clean up with Active@ KillDisk, sensitive information is purged out forever. New Wipe function that wipes out all unused space on existing drives, not touching existing data. We highly recommend you to run this FREE utility for the hard and floppy drives you want to dispose of, recycle, re-use, sell or donate to somebody.

Electronic voting machines. FAIL. [Security4all] [Belgian Security Blognetwork]

Posted: 03 Sep 2008 11:13 PM CDT

In a previous post, I mentioned the risk of electronic voting machines. It seems that our doubts where not totally unfounded.


Premier Election Solutions, formerly called Diebold Election Systems, has finally admitted that a ten-year-old error has caused votes to be dropped.

It's unclear if this error is random or systematic. If it's random -- a small percentage of all votes are dropped -- then it is highly unlikely that this affected the outcome of any election. If it's systematic -- a small percentage of votes for a particular candidate are dropped -- then it is much more problematic.

I would prefer that there is a paper trail that can be audited. Have a further read at Schneier's essay: "Why Election Technology is Hard."

Also Robert Halbeer seems to share our concerns.

Previous post:
(Photo under creative commons from Squonk11's photostream)

Quoting Dilbert is a Best Practice [Emergent Chaos]

Posted: 03 Sep 2008 10:15 PM CDT

Catalyst Conversation Starter: The High Cost of “Freeware” [The Security Catalyst]

Posted: 03 Sep 2008 09:16 PM CDT

When it comes to protecting home computers, “Is freeware free?”

This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we met in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers?

I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use “freeware” solutions - what is the best answer? What do you recommend today? Why?

To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation.

Based on a challenge, I stepped back and examined the situation in a manner different than normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and took an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the “truths” I believed in favor of real experience.

Get the report here:

Come join the discussion in the Security Catalyst Community here:

(and join me for a live Talkcast on Thursday — Noon Eastern — to discuss this with special guest Dave Cole)

This posting includes an audio/video/photo media file: Download Now

Upcoming Presentation: The Frogs Who Desired A King: A Virtualization Security Fable Set To Interpretive Dance [Rational Survivability]

Posted: 03 Sep 2008 08:56 PM CDT

Froggystack The sequel to the "Four Horsemen of the Virtualization Security Apocalypse," is my next presentation entitled "The Frogs Who Desired A King: A Virtualization Security Fable Set To Interpretive Dance."

It goes something like this:

Aesop wrote a little ditty about some discontented frogs who lived in a pond.  They asked Jupiter for a King.  They got one.  They didn't like it.  They got a replacement. It ate them.  The moral of this story is "be careful what you wish for."

The corresponding analog is that of the future state of security in a virtualized world.  It's coming, but it's not going to look much like what security looks like today and it's certainly not what people are expecting.  In fact,it may consume us all because we're actually unprepared for what we're asking for.

You'll laugh, you'll cry.  You'll want to know what I used to make my slides... ;)

Coming soon to a disturbed audience near you (seriously.)


The Most Overused Term In Security Product Management/Marketing... [Rational Survivability]

Posted: 03 Sep 2008 08:36 PM CDT

Uniqueforks Next Generation <anything>

Sick of it.  Sucks monkey balls.  Is about as relevant and non-sensical to me as "kosher ham."

I've been really annoyed by this term since I ashamedly added it to my lexicon of "roll-off-the-tip-of-my-tongue" buzzwords years ago for reasons I can't rightly remember.  Too much TV.

I suppose temporally, anything not shipping, regardless of how (r)evolutionary it may or may not be, is technically "next generation," but it's today overly (ab)used to imply some quantum leap in capability, functionality, or saleability.  Oh, and one usually has to pay more for it.

The truth is -- and as I pointed out in my disruptive innovation presentations -- there just aren't that many "big bangs" that deserve to have this moniker hung upon the mantle, but rather a series of dampened oscillations due to punctuated equilibrium until everything settles down and looks pretty much the same.

Then version 1.17 ships and BAM!  Next generation, baby!

To all you product managers and marketers, "next generation" is so over-played at this point that the populous at large simply regards it like the features lists plastered on the trunk lids of automobiles advertising the niftiest new (but abundantly standard) set of features purchased on the luxo-barge meandering about in the lane ahead.

Whilst I am happy to know that Bob got the GLX, limited edition, R-Series with ABS, sunroof, intercooled turbo with XM radio and AWD, the suggestion that his "seats 8 but still makes him look like a dork" mini-van is a "next generation" platform doesn't really say much about Bob, now does it?


On the flip side, I'm just thrilled to learn via press release today that "Secure Computing [is] to acquire Securify to drive [its] next generation firewalls" which oddly enough includes a list of features that are aimed squarely at competing with folks like Palo Alto Networks'* "next generation" firewalls which were released sometime ago. 

Further, someone at PAN and Secure Computing will undoubtedly be shocked to learn that Crossbeam, Fortinet, and Cisco all have "next generation firewalls" too.  Crap!  What comes after "next generation?" 

I suppose whatever it is would have to be made of pure unobtanium...

I knew I should have trademarked that...


* Speaking of Palo Alto Networks, you may have missed that a couple of weeks ago, PAN secured a C-Round of $27M.  That ought to be good for a couple more 'next generations' of something...they also finally got a new CEO back in July (Lane Bess from Trend Micro.)

Google's Chrome: We Got {Secure?} Browsing Bling, Yo. [Rational Survivability]

Posted: 03 Sep 2008 08:31 PM CDT

Googlebling From the Department of "Oops, I did it again..."

Back in June/July of 2007, I went on a little rant across several blog posts about how Google was directly entering the "security" business and would eventually begin to offer more than just "secure" search functions, but instead the functional equivalent of "clean pipes" or what has now become popularized as safe "cloud computing."

I called it S^2aaS (Secure Software as a Service) ;)  OK, so I'm not in marketing.

Besides the numerous initiatives by Google focused on adding more "security" to their primary business (search) the acquisition of GreenBorder really piqued my interest.   Then came the Postini buyout.

To be honest, I just thought this was common sense and fit what I understood was the longer term business model of Google.  To me it was writing on the wall.  To others, it was just me rambling.

So in my post from last year titled "Tell Me Again How Google Isn't Entering the Security Market?  GooglePOPs will Bring Clean Pipes..." I suggested the following:

In fact, I reckon that in the long term we'll see the evolution of the Google Toolbar morph into a much more intelligent and rich client-side security application proxy service whereby Google actually utilizes client-side security of the Toolbar paired with the GreenBorder browsing environment and tunnel/proxy all outgoing requests to GooglePOPs.

Google will, in fact, become a monster ASP.  Note that I said ASP and not ISP.  ISP is a commoditized function.  Serving applications and content as close to the user as possible is fantastic.  So pair all the client side goodness with security functions AND add GoogleApps and you've got what amounts to a thin client version of the Internet.

Now we see what Google's been up to with their announcement of Chrome (great writeup here,) which is their foray into the Browser market with an open source model with heaps of claimed security and privacy functions built in.  But it's the bigger picture that's really telling.

Hullo!  This isn't about the browser market!  It's about the transition of how we're going to experience accessing our information; from where, what and how.  Chrome is simply an illustration of a means to an end.

Take what I said above and pair it with what they say below...I don't think we're that far off, folks...

From Google's Blog explaining Chrome:

...we began seriously thinking about what kind of browser could exist if we started from scratch and built on the best elements out there. We realized that the web had evolved from mainly simple text pages to rich, interactive applications and that we needed to completely rethink the browser. What we really needed was not just a browser, but also a modern platform for web pages and applications, and that's what we set out to build.


Under the hood, we were able to build the foundation of a browser that runs today's complex web applications much better. By keeping each tab in an isolated "sandbox", we were able to prevent one tab from crashing another and provide improved protection from rogue sites. We improved speed and responsiveness across the board. We also built a more powerful JavaScript engine, V8, to power the next generation of web applications that aren't even possible in today's browsers.

Here come the GooglePipes being fed by the GooglePOPs, being... ;)


Looking for Hotspots in Antwerp [Security4all] [Belgian Security Blognetwork]

Posted: 03 Sep 2008 05:36 PM CDT

I was visiting the site of to see if there were some fun activities this month. By chance, I stumbled upon a page that contained a list of hotspots in Antwerp. After looking at the list, I noticed that they only mentioned hotspots with a (billable) captive portal. A pity, because there are other ways then *cough* DNS tunneling *cough* to get free wifi (which is reallllyyy slow and not legal).

For example, McDonalds, Foodmakers and Exki all are member of You can look on their map for these or other restaurants that will provide free internet.

The map is not up to date as the Exki on the Keyserlei and the McDonalds on the Meir is not on the map, but they do exist. They are all located in several places in Anwerp.

Have fun checking your email for free (and don't send anything cleartext) !!! Use encryption.

Related posts:

What do we call Twit Spam? [An Information Security Place]

Posted: 03 Sep 2008 04:30 PM CDT

I have been blocking more and more Twit spam followers lately on my Twitter account.  Some of the accounts have been suspended by Twitter, which is great, but it is still a a nuisance.  Just one more by-product of Web 2.0 I guess.

But the real quandary is what to call Twitter Spam.  SPIT is already taken (Spam over Internet Telephony).  Maybe SPITT, with an extra “T”?  How about TWAM?  But most spam names are acronyms and start with “SP”.  How about SPER?  Uhhh, that would probably not be good.  SPITTER?  Hmmm, that might work.

Any ideas?

[UPDATE]: What about “Spittle”?


I Don’t Get It []

Posted: 03 Sep 2008 04:14 PM CDT

From the “I really don’t get it” files:

First I read that Google’s new Chrome browser & Internet Explorer 8’s features are threats to existing advertising models. And this is news? I have been using Firefox with NoScript and other add-ons in a VMWare partition that gets destroyed after use for a couple years now. Is there a difference? What’s more, there is an interesting parallel in that both are cleansing browsing history and not allowing certain cookie types, but rather than dub these ‘privacy advancements’, they are being negatively marketed as ‘porn mode’. What’s up with that?

Perhaps I should not be puzzled by this Terror database failure, as whenever you put that many programmers on a single project you are just asking for trouble. But I have to wonder what the heck they were doing, to fail this badly with the ‘Terror Database Upgrade’? This is not a very big database- in fact 500k names is puny. And they let go 800 people who were just part of the team?  Even if they are cross-referencing thousands of other databases and blobs of information, the size of the data is trivial. Who the heck could have spent $500M on this? What, did they write it in ADA? Can’t find enough good Foxbase programmers? For a couple of million, I bet you could hire a herd of summer interns and re-enter the data into a new system if need be. It’s a “Terror Database” all right, just not the way they intended it to be.

MIT develops a network analysis tool that “enables managers to track likely hacking routes”. Wow, really?  Oh, wait, don’t we already have a really good tool that does this?  Oh yeah, we do, it’s Skybox!


Google Chrome - Sicurezza e privacy che non c'è [Sicurezza Informatica Made in Italy]

Posted: 03 Sep 2008 03:44 PM CDT

Esattamante dopo 4 ore dal rilascio di Google Chrome versione beta ecco il primo Denial of Service:

Inserendo questo link in una pagina web e facendo semplicemente posizionare il mouse sul link (non occorre cliccarci sopra) Google Chrome va miserabilmente in crash nonostante l'utilizzo di processi separati per ogni tab. Ironia vuole che proprio il Tg1 oggi parlava di come il nuovo browser fosse immune da tali tipi di attacchi: "In caso di crash di una tab il browser rimarrà comunque funzionante". Così non è e complimenti a Rishi Narang

A quanto pare anche inserendo un bookmark troppo lungo il browser va in crash.

Medesimo risultato inserendo
nella barra degli indirizzi.

Più che una beta sembra una alpha release che sconsiglio di usare finchè tutti questi errori non saranno risolti, considerando che siamo solo al primo giorno e un eventuale esecuzione di codice tramite un buffer overflow è del tutto possibile a questo punto.
(A proposito, solo oggi già l'1% della popolazione di internet ha navigato con google chrome, non è poco)

L'unica vera feature di sicurezza al momento sembra essere l'esecuzione con privilegi da utente semplice (non Administrator) che dovrebbe evitare il peggio in caso venisse fuori un exploit di remote code execution.

Molti discutono sulla privacy policy che si accetta al momento dell'installazione.
Ecco un estratto:

11.1 You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services. By submitting, posting or displaying the content, you give Google a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content that you submit, post or display on or through the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.


You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence

Comprate una vocale?

All your base are belong to us

FBI Opens Anti-Fraud Hurricane Gustav Hotline [Infosecurity.US]

Posted: 03 Sep 2008 03:23 PM CDT

The New Orleans, Louisiana Field Office of the United States Federal Bureau of Investigation (FBI) has announced the availability of a Disaster Fraud Hotline to report Hurricane Gustav related fraudulent activity.

From the FBI’s announcement: Members of the public can report fraud, waste, abuse, or allegations of mismanagement involving disaster relief operations through the Disaster Fraud Hotline at 866-720-5721, the Disaster Fraud Fax at 225-334-4707, or the Disaster Fraud e-mail at Individuals can also report criminal activity to the FBI at 1-800-CALL-FBI or the FBI site.

Cisco Security Advisory VPN and SIP Vulnerabilities [Infosecurity.US]

Posted: 03 Sep 2008 03:12 PM CDT

Cisco (NasdaqGS: CSCO) has released a significant security notification focused on their PIX and ASA product line. Revolving around a remote access exploit utilizing VPN and SIP conections, we consider this announcement critical.

NIST Hosts 4th Security Automation Conference [Infosecurity.US]

Posted: 03 Sep 2008 03:03 PM CDT

The National Institute of Standards and Technology (NIST) will host a conference and accompanying workshops demonstrating the utilization of open standards to automate computer security tasks. The 2008 Security Automation Conference and Workshop will take place at the campus in Gaithersburg, Md. from Sept. 22-25, 2008, and is co-sponsored by NIST, the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the Department of Homeland Security (DHS).

General registration closes on Sept. 16. More information on the conference can be found at the NIST Conference Page.

Carnegie Mellon Releases New Firefox Security Plugin [Infosecurity.US]

Posted: 03 Sep 2008 02:50 PM CDT

The College of Computer Science at Carnegie Mellon University has released a new Firefox addon, targeting certificate based authentication. Entitled Perspectives : Improving SSH-style Host  Authentication with Multi-path Network Probing, the addon is available at the project site. Crafted by Dan Wendlandt and Ethan Jackson, under advisement by CMU Advisers: Dave Andersen and Adrian Perri, the project is supported by the National Science Foundation and  Carnegie Mellon’s CyLab.

From the posting site: “Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”

[1] CMU Perspectives

Carnegie Mellon’s SEI Published New Forensics Report [Infosecurity.US]

Posted: 03 Sep 2008 02:31 PM CDT

Carnegie Mellon University’s Software Engineering Institute (CMU SEI) researchers’ Cal Waits, Joseph Ayo Akinyele, Richard Nolan and Larry Rogers have released a new report entitled: Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis. (SEI Technical Note CMU/SEI-2008-TN-017)

(Disclaimer: Infosecurity.US is a Platinum Level Member of the Software Engineering Institute)

Security Industry in a Nutshell? :) [The Falcon's View]

Posted: 03 Sep 2008 02:11 PM CDT

Me certainly thinks so! :)...

Danchev - Indian CAPTCHA Solving Economy Exposed [Infosecurity.US]

Posted: 03 Sep 2008 01:37 PM CDT

Dancho Danchev’s superbly written and researched report on the evidence pointing to illicit CAPTCHA solving and the industry revolving around this underground economy in India.

UPC (Austrian ISP) started using Sitefinder Service [Robert Penz Blog]

Posted: 03 Sep 2008 01:06 PM CDT

The Austrian ISP UPC (Chello, Indo, Telesystem) has activated a system which sends your browser to UPC site if a domain could not be resolved. They say that this helps their less tech-savvy customers but I believe it helps them more. Because they can put some ads on this site. They are not the first to try this. 2003 Versign tried something similar (called Sitefinder) but it was stopped by ICCANN and user protests. But that was not a provider.

The system is an Opt-Out one and not Opt-In. You need to perform 5 clicks, fill out a form and time to wait for a support employee to get it deactivated. You should really Opt-Out as the system can lead to problems if an DNS server is responding too slow and the system tells you you’ve a wrong domain name. The other question is what happens with the data gathered by the search engine on this site, which tries to guess what you meant.

My first issue. [IT Security: The view from here]

Posted: 03 Sep 2008 12:59 PM CDT

I read a post somewhere last week (it may have been one of Rich Mogull's?) where a simple question was asked about what people liked about IT Security blogs. The (rather ironic) answer from one commenter was that they didn't like all the complaining that went on - and preferred it when people explained answers to security problems.

Having written a post just beforehand having a good old moan about things that people do stupidly, I thought I'd try and redress the balance in the force by starting to discuss a few issues, and how I would solve them. I hope to get some input as to why I'm wrong, and as many complaints about my stupidity as my comments can hold.

Issue of the day for me is secure email. Without discussing any more politics, let us assume that we have a business requirement for secure email. I can't tell you what we are sending out, because then I'd have to kill you, just rest assured that we need to. We need to send out to lots of different domains, and we want to initiate that exchange every time. Users of the system must be registered with us.

The solution that was proferred to me was one of the IBEs (Identity Based Encryption). There are 2 that I know of, Trend and Voltage. I'm not going to say which one has been picked, because they are much of a muchness as far as I can see, and neither is right for me.
Requirement - must be standards based.
IBE isn't a standard as yet. It's a great technology, lots of fun, and has some great applications, but it isn't something that's tried and tested. I'm worried by it.
Requirement - must not add complexity of management.
plus Requirement - zero download option.
IBE isn't as simple as you might think. Key management is still the major issue, especially when you are dealing with external clients coming into your network to pick up decryption keys.
Requirement - Blackberry compatible.
Those people who have a requirement for Blackberries probably have a requirement for secure email. It's bad planning not to be addressing this immediately.
Requirement - must integrate with current architecture.
As with the 'standards based' requirement, this is going to be hard work. Anything so new is going to be crowbarred in. The only thing it integrates with is Exchange and Outlook, but then all email solutions do... how about working with certificates, protecting attachments end to end, and being able to vary the levels of security via policy.

Which reminds me - who's writing the policies on this thing. I don't really understand who needs to be encrypted to, or in fact... why?
Requirement - fully audit when this data is sent out of the network.
You just can't do that with the system which created it. If it's being emailed, an internal user can email it out, but there is no reliable automated process to log this. It's either a manual process by the user - so more policy writing, more holes for errors to slip into - or it's nothing. That's scary, especially when the next step is emailing data out of the network.

Which brings me back to the politics I'm afraid. Why does anyone need secure email? Email is NOT secure. The only reason you need secure email is because another process is broken, it is a sticking plaster option to my mind.

Better to create a secure extranet, register your users there, use a third party PKI if you need to use keys at all, and use the certificates to authenticate your users too whilst you're at it. Use a CMS type too to publish pages to individual users as and when they require to download data from your network. That way you have a full audit trail too...

In short, no matter how hard a security person tries to be helpful, they will always end up moaning. It's kind of my their job.

Hidden Firefox feature and the plugin Pencil [Robert Penz Blog]

Posted: 03 Sep 2008 12:38 PM CDT

I found something interesting, which I guess some already know, but still I though its a nice feature. Copy following into your Firefox browser address bar and hit enter.

javascript:document.designMode='on'; void 0

You can now change a homepage by deleting stuff or replacing some text to test something or making a faked screenshot. I think this can be really handy sometimes and it is build in. Something more sophisticated is following Firefox 3.x plugin, called Pencil (You can also download it here). Pencil is a Firefox add-on to do GUI prototyping and simple sketching, take a look at this blog post which shows what Pencil can do. As a teaser I put a screenshot at the end to this post ;-)

DIRECTI Demands Takedown of KNUJON Post [Infosecurity.US]

Posted: 03 Sep 2008 12:30 PM CDT

The following is an email transcript, of a message I received this morning from the CEO of DIRECTI - Bhavin Turakhia.

The email essentially demands the ‘takedown’ of the Infosecurity.US post, reporting on the KNUJON discoveries pertaining to the DIRECTI Group’s Internet Registrar activities. Also, attached to the email from DIRECTI, is a point by point refutation to the KNUJON research. We have redacted Mr. Turakhia’s cellular telephone number in the email (which he so graciously supplied us).

As always, we welcome posted commentary from both sides of any issue. This includes Mr. Turakhia’s response, if he so desires to publicly make one here at Infosecurity.US.

On Wed, Sep 3, 2008 at 01:09, Bhavin Turakhia <bhavin.t@directi.comwrote:
Hi Marc
We came across your article on based on Knujons
factually inaccurate and baseless report. Directi is not linked with any of
the activities described in that report and Knujon, in their research have
never bothered to get their facts straight from either ICANN or us. The
article you publish is false and defamatory and hence I urge you to take it
down immediately.
Feel free to connect with me for any clarifications - my cellular number is
<<REDACTED>> and I will be happy to share the actual facts with you -
something that Knujon has not bothered to do so far. Find below our email to
Knujon concerning the gross inaccuracies in their article
Warm Regards
Bhavin Turakhia
Founder, Chairman & CEO
T: +91-22-66797600
M (IN): +91 <<REDACTED>>
Dear Garth (from Knujon),
This is with regards to the numerous articles on your website
that frivolously implicate the Directi Group. Before I move to the
specifics, Id like to comment on the challenge you’ve thrown open to us, to
take a lead in the endeavor of suspending every illicitly run domain name.
Please understand that Directi continues to be one of the most proactive
Registrars today in terms of combating abuse and implementing strict AUPs
and we have a significant investment in terms of manpower and processes to
achieve just this. We do so, not because were contractually obligated, or to
protect our own business interests, but because we sincerely believe in the
ideology of making the internet a safer and more secure medium for
conducting business. Its really unfortunate that your analysis misrepresents
the details, and conveniently ignores all of the active measures we take
regularly against spamming, phishing and other forms of abuse activity on
the internet. As a matter of fact, we have a ZERO tolerance policy towards
unscrupulous activities, and therefore extremely shocked to learn about the
baseless allegations made in your report.

Given below, is a list of all the false information, conclusions and
accusations that you have repeatedly made about our organization:

1.     EST is NOT affiliated to the Directi Group in any way: EST just
happens to be one of the several thousand service providers that use our
technology to provide domain registration services. Therefore all of the
claims that EST is a part of our Group is grossly incorrect.

2.     Your claim that the accredited companies we own are: a) Phantom
Registrars (ex: Jumbo Names) that are not incorporated or Do Not Really
Exist and b) somehow involved in supporting the fake pharmacy business in
some way, is not only grossly incorrect, but also seriously defamatory. You
may not be privy to the strategic reasons why several of the top web
services cos. need to invest in multiple registrar companies. However, there
is absolutely no substance in suggesting that these companies are somehow
involved in illegal activities. Not only do these registrars operate
legitimately, but they also implement the strict AUPs for all sponsored
domain names.

3.     You claim that the Directi Group is somehow closely linked with
Atrivo, which probably is a false conclusion drawn from pt. 1. above.

4.     There are several other domain names that you have listed for various
issues - software piracy, for instance - and claim that they are privacy
protected. These domain names and their sponsoring registrar have not used
privacy protection services for several months now; it is unfortunate that
you did not choose to verify your data before making these accusations.

5.     The statement “While Directi claims they will suspend illicit
domains, KnujOn has found on many occasions Directi sponsored domains being
removed temporarily only to be restored after a brief period with the same
content” is incorrect, but we do acknowledge a technical lapse that may have
led you to believe this. The domain names that you’ve listed were not
intentionally restored, but did not get suspended in due process because of
a technical error. When vigilant netizens alerted us about the situation,
the domain names were suspended immediately.

6.     The statement “If a consumer complains to
Directi/PublicDomainsRegistry about these sites they simply direct them to
the ISP host that serves the content. If and when the site content is closed
by the ISP host, Directi/PublicDomainsRegistry just helps them set up at a
new IP.” is baseless and seriously defamatory. We do not condone any abusive
behavior using domain names registered through us, much less facilitate it.
There are cases where we forward complaints to the host to pursue in
accordance with their AUP, but in no circumstance do we enable purported
abusive registrants to setup in any fashion.

7.     On several prior instances, we have attempted to explain to your
organization the motives and mechanism behind Privacy Protection as a
service. Privacy Protect isn’t intended to harbor miscreants, but to protect
genuine domain owners from them. This service, provided through a network of
registrars, is essentially free and has no affiliation with any domain names
that use it.

8.     Also, as a Registrar, we must categorically state that we have no
association with the domain names registered through us. The insinuation
that we as a registrar benefit in any form through abusive domain names is
grossly incorrect; on the contrary, we invest considerable resources toward
mitigating such abuse of our services.

9.     During the Prescription Addiction Radioshow, you claimed that the
registrar community is unable to effectively police illegal activities and
hence most registrars are in violation of the ICANN RAA. This is factually
incorrect since the job of policing the internet cannot be the sole
responsibility of registrars, and the Registrar Accreditation Agreement
doesnt state any such obligation either. Most registrars, purely out of
moral reasons, build AUPs to ensure that they proactively prevent their
services from being used for any illegal activity.

Based on all of these false assumptions, misrepresentations and factual
inaccuracies, you have referred to our organization as beastly, rogue,
irresponsible, immoral and a supporter of the illegal narcotics industry. I
hope you understand that this sort of frivolous victimization and public
abuse is intolerable for our organization, and always tackled with utmost
severity. However, since we believe that your intentions are not wrong, we
would like to resolve this amicably by requesting all necessary corrections
to the information published. We would also need a public clarification
which explicitly states that the Directi Group is in NO WAY harboring or,
being in any way involved, in any form of illicit activity.
On another note, I request you to understand the limitations registrars face
in tackling these issues. Despite having a dedicated abuse complaints
processing team, it is impossible for us to deploy the necessary resources
and expertise to manually authenticate the legal status of each of the 4
million + sponsored domain names. A false positive could lead to a
significant loss for an innocent customer, for which we will be squarely
responsible. Things get even more difficult when other registrars that use
our platform, are less sensitive towards their moral responsibilities. Sure
wed like to pull the plug and permanently close our business with them, but
how does one protect the several thousand innocent website owners that also
happen to use their services?

I believe you understand as well as we do that a true cleanup process
requires the concerted involvement of several industry participants
including ICANN, registries, brand owners, law enforcement agencies and
registrars. You can be assured that from a registrar standpoint we continue
to extend our full cooperation to the community at all points in time. We
have always taken this issue seriously and will always continue to do so.

Well also be glad to clarify your doubts on the above mentioned facts, over
a conference call which can include the relevant people from our side. Were
open to a constructive dialogue with you, and are all ears to any specific
suggestion that you may have for us. If youd like that, do provide us with
an appropriate time and number on which you can be reached.

Considering the defamatory nature of the content in your posts and the
inaccuracy of several accusations, we hope that the requested corrective
measures will receive utmost priority and reflect immediately on your

Best Regards,
Sandeep Ramchandani
Strategic Partner Manager  The Directi Group

Hans Monderman and Risk [Emergent Chaos]

Posted: 03 Sep 2008 12:04 PM CDT

Zimran links to an excellent long article on Hans Monderman and then says:
When thinking about human behavior, it makes sense to understand what people perceive, which may be different from how things are, and will almost certainly be very different from how a removed third party thinks them to be. Traffic accidents are predominantly caused by people being inattentive. Increase the feeling of risk, and you increase the attention. I know when I am in traffic on my bike, I'm hyper-vigilant, and this has made me a better car driver.
Some interesting quotes from the article:
Without bumps or flashing warning signs, drivers slowed, so much so that Monderman’s radar gun couldn’t even register their speeds. Rather than clarity and segregation, he had created confusion and ambiguity. Unsure of what space belonged to them, drivers became more accommodating. Rather than give drivers a simple behavioral mandate— say, a speed limit sign or a speed bump— he had, through the new road design, subtly suggested the proper course of action. And he did something else. He used context to change behavior. He had made the main road look like a narrow lane in a village, not simply a traffic- way through some anonymous town.
On Kensington High Street, a busy thoroughfare for pedestrians, bikes, and cars, local planners decided to spruce up the street and make it more attractive to shoppers by removing the metal railings that had been erected between the street and the sidewalk, as well as “street clutter,” everything from signs to hatched marks on the roadway. None of these measures complied with Department for Transport standards. And yet, since the makeover there have been fewer accidents than before. Though more pedestrians now cross outside crosswalks, car speeds (the fundamental cause of traffic danger) have been reduced, precisely because the area now feels like it must be navigated carefully.
We talk about Monderman's thinking about risk in the New School, and I wanted to talk a little about the implications for computer security. The idea of giving a user experience a sense of place is a great one, if we could constrain it to the good guys. Unfortunately, bad guys can design their websites to look like a narrow lane in a village, a welcoming mall, or whatever else they want. The designer of a space can make you feel safe or feel like you must navigate carefully.

What do you think phishers are going to do?

No comments: