  • DISCLAIMER

    The opinions expressed on this blog are mine alone. They do not represent the opinions of my employer or any organization to which I belong. In fact, my wife probably disagrees with half of what I write so it's not her fault either.

F-Secure Agrees with Me

F-Secure, a Finnish antivirus vendor, has a post on their web site that basically agrees with my earlier post about the potential dangers presented by the GPhone. Actually, it’s really the Open Handset Alliance and the Android platform, but I didn’t know that when I blogged on Sunday. If Android takes off, it will be a ripe target for attacks. It’s nice to see your observations confirmed by reputable outside sources.

Android – F-Secure Weblog : News from the Lab


An Interesting Take on Learning Language

Languages are interesting things. You can learn a lot about a culture by understanding its language. I’ve always wanted to learn more languages but haven’t had the time. Tim Ferriss might be able to help that a little with his tutorial describing how to understand the mechanics of a language. I have not tried his recommendations yet, but I might just have to give it a whirl now.

That and I really enjoyed his Four Hour Work Week book and wanted to throw him a bone to get him in the Technorati Top 1000. 

» How to Learn (But Not Master) Any Language in 1 Hour (Plus: A Favor)


Google Mobile Phone

Word on the street is that Google is coming out with its own mobile phone and that details will be announced on Monday.  Reportedly, Google’s main goal is to make the mobile phone environment an open platform just like the WWW.  This is an awesome goal and I can see the tremendous upside, especially for a company like Google who will just expand their market further through this initiative.   I already use Google services on my Motorola Q extensively and find myself annoyed when I can’t find a mobile service I’m looking for. 

For example, yesterday we took Cate to see Playhouse Disney Live, which took place during the Ohio State game.  I wanted to check in on the score and had a heck of a time finding a decent mobile service to check the score.  I finally found CBS Mobile Sports News, which did exactly what I needed.  I was vaguely annoyed that I had to spend ten minutes finding a mobile site to just give me scores. 

Without question, Google entering the mobile market will reduce the number of times we find ourselves frustrated over the fact that we can’t find what we want. Google is exquisitely good at helping us find what we need. They’ve even got a ton of handy APIs that allow us to automate finding that data.

The twist in the plot comes when we consider the Bad Guys. The Bad Guys are the folks out there who use Google services in nefarious ways that were never intended to see the light of day. An example of these unintended uses is Google Hacking.

Part of me says that if you put a file called passwords.xls in a directory discoverable by a search engine spider, you deserve everything you get.  But the reality is that people do stuff like that all the time.  A Google mobile phone and associated services will fall victim to the same combination of nefarious intentions and predictable user error. 

Defending against this volatile combination will be interesting because mobile phones have several attack points.  Here are some I can think of off the top of my head:

  • Trojan horse attacks via Google API
  • Physical theft
  • Bluetooth attacks
  • People wanting to connect their personal Google phone to corporate email systems

That last bullet needs a little more background. I have not read anywhere that Google intends for its phone to be an enterprise class device. However, the iPhone is not intended as such either, and how many of you have had requests to sync iPhones with your corporate mail systems? That’s what I thought. Depending on what services and APIs Google releases for its phone, there might be a legitimate argument to use it as an enterprise standard phone, especially if the price is right. Just kick that possibility around a little and let me know what you think.

To wrap up my ramble, I suppose my point is that a Google Phone would be very cool and I think that there is a tremendous convenience upside.  However, I also think that there are a lot of potential dangers that could bite us in our collective arse if we are not careful about how we implement the Google Phone. 

Tip ‘o the Hat to Trendhunter: Google Phone News – Major Revelations on Monday


Off Camera Lighting Experiment

_MG_6386 (photo, originally uploaded by schauba)

This was just an experiment with off camera lighting. Click on the photo and check out the comments to see how I did it.

A Little Evidence to Support My Earlier Prediction

I’m a little behind on this, but it still supports my earlier prediction. The first piece of malicious code for Macs in a long time has been released. And so it begins.

As an added feature, it looks like Leopard’s built in firewall is pretty much worthless. I predict a flurry of OS X security products as Apple continues to gain market share.

I also suspect that Apple will be handed its ass in the security arena. I have a couple of reasons for this. First, Apple has a reputation for being tight-lipped about its security issues. They seem to take the Oracle approach and provide patches without much explanation. Second, while Macs have a reputation for “just working,” they achieve this through what appears to be a “default allow” architecture, i.e. all services are turned on and open to everyone out of the box. Third, Macs have a reputation for not having malicious code problems. As I discussed earlier, this is mostly a function of their small market share. As the truth changes, I predict many Mac users will cling to their long-held belief that malicious code is a Windows problem that doesn’t impact Macs and never will.

Chick-Fil-A Rocks

OK, Chick-Fil-A is something of a guilty pleasure I have. Deep fried chicken breast with tasty seasoning, put on a bun with pickles is absolute genius. Paired with waffle cut fries and a large Dr. Pepper it’s a fast food meal that’s hard to beat. Aside from being a solid business and reportedly a good place to work, it also has educational toys in its kids meals.

I took Cate there last Friday for dinner and got her the chicken nugget kids meal. The toy inside was a puzzle set that let her put the pieces together to create the real animals portrayed on the pieces, or she could mix and match to make her own creations. Heck, I even learned something. In fact, I learned two things. First, I learned that there is an animal called the capybara. Second, I learned that it is the largest rodent in the world. National Geographic better watch out. Chick-Fil-A is hot on its trail.

From the ‘Well, shit.’ Dept.

The bottom line here is that Elcomsoft has figured out a way to use video cards to crack passwords using brute force faster than ever before. This quote from the article sums up the situation:

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can be cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Brute force attacks just gained a little more credibility. My headline sums up my immediate reaction. I need to think about this one some more.

Password-cracking chip causes security concerns – tech – 24 October 2007 – New Scientist Tech
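To put numbers on that quote, here is a small calculator I added (it is not from the article or the post). It works the brute-force arithmetic through: keyspace for a character set and length, expected crack time at a given guess rate, and how much extra password length cancels out a 25x faster attacker. The CPU guess rate is an assumed placeholder, since the article gives only the speed-up factor.

```python
import math

# Assumed, constructed figures for illustration. The article quotes only the
# 25x speed-up, not an absolute guess rate, so CPU_GUESSES_PER_SEC is a placeholder.
CPU_GUESSES_PER_SEC = 10_000_000
GPU_SPEEDUP = 25                      # factor quoted in the New Scientist piece
GPU_GUESSES_PER_SEC = CPU_GUESSES_PER_SEC * GPU_SPEEDUP

CHARSETS = {"lower": 26, "alnum": 62, "printable": 95}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset_size must be >= 2 and length >= 1")
    return charset_size ** length


def expected_seconds(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Average brute-force time: on average half the keyspace is searched."""
    return keyspace(charset_size, length) / 2 / guesses_per_sec


def extra_length_to_offset(charset_size: int, speedup: float) -> int:
    """Characters to add so an attacker `speedup` times faster is no better off.

    Each extra character multiplies the keyspace by charset_size, so we need
    the smallest k with charset_size**k >= speedup.
    """
    if charset_size < 2 or speedup <= 1:
        raise ValueError("charset_size must be >= 2 and speedup > 1")
    return math.ceil(math.log(speedup, charset_size))


def crack_days(charset_name: str, length: int, guesses_per_sec: float) -> float:
    """Expected crack time in days for a named character set."""
    return expected_seconds(CHARSETS[charset_name], length, guesses_per_sec) / 86400


if __name__ == "__main__":
    for name in CHARSETS:
        for length in (8, 9):
            cpu = crack_days(name, length, CPU_GUESSES_PER_SEC)
            gpu = crack_days(name, length, GPU_GUESSES_PER_SEC)
            print(f"{name:9s} len={length}: CPU {cpu:12.2f} days, GPU {gpu:12.2f} days")
        print(f"{name:9s}: +{extra_length_to_offset(CHARSETS[name], GPU_SPEEDUP)} "
              f"character(s) offsets a {GPU_SPEEDUP}x faster attacker")
```

With the assumed rate, an 8-character alphanumeric password goes from roughly four months on the CPU to about five days on the GPU, which is the shape of the article's claim; one more character puts the GPU attacker back above the original CPU time.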

Apple’s Continuing Rise and Some Implications

Cate had a major meltdown this morning and the idiot light on my gas gauge came on when I turned on the car. Those two events kept me from beating the morning rush hour commute as I usually do. Just to put the cherry on top, it’s raining cats and dogs during rush hour and my Dehydrated Idiot Theory was in full effect on the ride in this morning. All things considered, I decided to accept my fate, got comfortable, and listened to NPR’s Morning Edition while I slogged my way through commuter bliss. In mid slog, I was rewarded with a short but interesting article on Apple.

Apple just had an incredible quarter. Analysts were expecting earnings of $0.86 a share and Apple produced $1.01 a share. The only thing that might have helped their stock more was if Alan Greenspan publicly announced he was switching to a Mac. The other remarkable point in the piece was that Apple has historically owned approximately 2%-4% of the PC market. They are now claiming 8% of that market. Reportedly, much of that growth was driven by iPod sales. People buy an iPod or an iPhone and they run OK on Windows, but they’re made for a Mac. That connection helps people make the switch.

Heck, it’s working on me. I bought an iPod at the beginning of this year and I’m considering making the switch because iTunes is one of my most used applications. I’m also influenced because I’m starting to get into my photography more and Macs are the traditional platform for photographers, graphic designers, and other creative types. That’s my way of saying that I understand the practical and emotional drivers behind Apple’s increased Mac sales.

Macs have another benefit going for them and that is that they tend to be more secure than Windows machines. Actually, it might be more accurate to say that they are more ignored than Windows machines. A Mac’s primary security mechanism is a technique called “security through obscurity”.

I’m not convinced that Apple’s software is any more bug free than Microsoft software, but fewer people use Apple stuff. This is significant because hackers are businessmen now. They’re making money with their compromises. While it would be very cool to compromise a Mac, there just aren’t enough of them out there to make it worthwhile.

Here’s an example. For the sake of argument, let’s say it takes forty hours to create a remote root exploit regardless of platform. Also for the sake of argument, let’s assume that if you focus on a Windows exploit, you have hundreds of millions of systems you can potentially compromise that include both servers and workstations. If you spend that same forty hours on a Mac exploit you have millions of systems you can potentially exploit, most of which are workstations.

If Mac continues to grow in popularity, their security through obscurity edge will start to dull. That means that we will start seeing more pieces of malicious code developed for the Mac. This malcode will include both worms and standard exploits. Having not used a Mac extensively, I would guess that in addition to OS X, the iLife suite would be a likely target, and some of the .Mac services, especially the Back to My Mac service, which looks like a remote desktop tool.

If Mac’s popularity continues to grow, I suspect that they will follow a path similar to Firefox. Firefox started out as a small player in the browser market owning 4% of the market in 2004. It is currently used by 35.4% of Web users according to W3Schools.

At first you could surf with impunity because nobody was wasting their time exploiting Firefox. However, as Firefox became more popular with users it also became more popular with hackers trying to exploit it. While it is still relatively safer to surf with Firefox compared to Internet Explorer, it’s not as safe as it once was. The bad guys are starting to realize that it’s becoming worth their time to exploit Firefox too. I predict Mac could be starting down the same path.

Attorney-Client Privilege to Screen Data Breach Investigations

This is an interesting approach. If you have a data breach, hire a lawyer to manage the investigation. Theoretically, all the information they discover is covered under attorney-client privilege. I’m not sure if this is really an effective approach or not, but it would be interesting to watch someone try it. I suppose if nothing else, this technique could be used to buy some time if you find time in short supply.

This would have been an interesting question for Ben Wright when I took his SANS class. I highly recommend this class to any information security professional that deals with legal issues, contracts, etc. on a regular basis. The biggest benefit I got from the class was some insight into the thought process used in the legal environment. Ben also provides a lot of practical insight into regulation, contracting, and other legal issues regularly encountered by INFOSEC types.

He and his class were the inspiration for the disclaimer on the right side of this blog.

Schneier on Security: Hiding Data Behind Attorney-Client Privilege

Daily Show Archives Available

You all probably already knew this, but I just found out. I usually miss The Daily Show because I’m either chasing after Cate or sleeping. (Yes, I go to bed early.) That has always bummed me out because Jon Stewart has some really good interviews that I want to catch. The most recent one that I’ve missed was with Alan Greenspan. I just watched it and it was very good. You can judge for yourself.