Web Of Trust: RIP

It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust, will die. Thawte was founded 14 years ago by Mark Shuttleworth. The primary purpose was to get around the then-current U.S. export restrictions on cryptography. Shuttleworth also had an idea that drew from PGP: rather than force everyone who wanted an e-mail certificate to get verified by some central entity – and pay for the privilege – why not have them verified by a distributed verification system, similar …

Microsoft Poland Empowers White People

In an absolutely astonishing move Microsoft's Polish subsidiary decided to do some photoshopping on its Business Productivity Infrastructure page to tailor it to the Polish market. Here you can see the U.S. original. In one of the least sensitive moves this year, the Polish subsidiary decided that black people in Poland do not need to be empowered, so here you can see what its version of that page looked like for a few hours today. As you can see from the current version on the Polish site, someone with a bit more human sensitivity than a teaspoon, and an I.Q. …

Warning: The software you are installing does not match your mental model

This morning I talked to my dad. After a few minutes of polite small talk, I heard the 10 little words I have come to dread: “I had some problems with my computer the other day.” The video card on his laptop had died. The screen was just black. He has a Dell Vostro, so he called Dell Technical Support. They sent a contractor technician out, with a motherboard. The technician, having no real qualifications other than the need for a job, and no real training other than how to fill out the repair paperwork, installed the motherboard. Three days …

Is MS08-067 Wormable?

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, you should stop reading this right now and return after you have installed the update. The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that resulted in the Blaster and Sasser worms. Therefore, for obvious reasons, the question arises whether MS08-067 is wormable or not. Microsoft claimed in various …

Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps" but the marketing department at my previous employer thought that title was a bit edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer. For the past couple of years …

How Not To Build a Highly Available Web Site

Here's what I just got when I went to http://www.technetmagazine.com: Here's the kicker: it's not TechNet Magazine that is down, nor even TechNet. It is Microsoft Live Sign-in, nee Passport. To get to TechNet it attempts to sign you in to Passport/Live sign-in. Accounts are apparently distributed across servers, and the one holding my account is down, so I can't get to anything that uses it, including the Microsoft.com homepage! If you want to decrease the uptime on your web site, take a run-time dependency on an unreliable and unnecessary service.
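The failure mode described above, as an added example that is not part of the original post: accounts are spread across sign-in shards, one shard is down, and a page that requires sign-in before it will render public content is unreachable for every user whose account lives on that shard. The service, shard layout, user names and article text are all hypothetical and constructed for the example; the point is the contrast between a page that fails closed on the sign-in dependency and one that treats sign-in as optional for public content.

```python
"""Added example (not from the original post): a public page must not fail
closed on an optional sign-in dependency.

ShardedSignIn is a hypothetical stand-in for a sharded identity service;
the render_page_* functions and the sample users are constructed for the
example and are not code from any Microsoft service.
"""
from dataclasses import dataclass, field


class SignInUnavailable(Exception):
    """Raised when the shard holding a user's account cannot be reached."""


@dataclass
class ShardedSignIn:
    """Hypothetical sign-in service: every account lives on exactly one shard."""
    shard_count: int = 4
    down_shards: set = field(default_factory=set)

    def shard_for(self, user: str) -> int:
        # Stable mapping so a given user always lands on the same shard.
        return sum(map(ord, user)) % self.shard_count

    def sign_in(self, user: str) -> str:
        shard = self.shard_for(user)
        if shard in self.down_shards:
            raise SignInUnavailable(f"shard {shard} holding {user!r} is down")
        return f"session:{user}"


PUBLIC_ARTICLE = "TechNet Magazine, June issue"  # constructed public content


def render_page_fail_closed(idp: ShardedSignIn, user: str) -> str:
    """Anti-pattern: public content takes a hard run-time dependency on sign-in.

    Any outage of the sign-in service becomes an outage of this page,
    even though nothing on the page actually needs the session.
    """
    session = idp.sign_in(user)
    return f"[{session}] {PUBLIC_ARTICLE}"


def render_page_degraded(idp: ShardedSignIn, user: str) -> str:
    """Hardened: sign-in is optional for public content.

    If the user's shard is down, only the personalised part of the page is
    lost; the article itself is still served, to an anonymous session.
    """
    try:
        session = idp.sign_in(user)
    except SignInUnavailable:
        session = "anonymous"
    return f"[{session}] {PUBLIC_ARTICLE}"


def availability(render, idp: ShardedSignIn, users) -> float:
    """Fraction of users who get any page at all from the given renderer."""
    served = 0
    for user in users:
        try:
            render(idp, user)
            served += 1
        except SignInUnavailable:
            pass
    return served / len(users)


if __name__ == "__main__":
    idp = ShardedSignIn(down_shards={2})          # one of four shards is down
    users = [f"user{i}" for i in range(100)]      # constructed sample users
    print("fail-closed availability:", availability(render_page_fail_closed, idp, users))
    print("degraded availability:   ", availability(render_page_degraded, idp, users))
```

With one shard of four down, the fail-closed page is unavailable to roughly a quarter of users while the degraded page is available to all of them; the same reasoning applies to any dependency that is not actually needed to serve the request, which is why a timeout and a fallback belong around every such call.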

Thoughts on Security by Obscurity

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint pieces like we did in the Vista Security book where Roger argues one side of the issue, and I explain why he is wrong; or, rather, argue the other.

Quantum Security

The May 2008 issue of TechNet Magazine is out. It has an article in it that I have been wanting to write for a long time, called Quantum Security. In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics, which we must not ignore in our risk management practices. I also got to include a revised version of the age-old Annualized Loss Expectancy (ALE) equation. Anyone who has taken the CISSP exam should be familiar with ALE. I believe the equation in common use is outdated and fails to account …

Help us Neelie! Please, help us!

Apple clearly has a de-facto monopoly in the portable music player market, with upward of 70% of that market. It is busily working on monopolies in the music software and downloads markets and is behaving monopolistically in the PC market as well. Some of those market shares have certainly been helped by bundling iTunes with the completely unrelated QuickTime, which has a huge installed base. Continuing on the strategy that bundling helps expand market share, Apple has now started "leveraging" (a synonym for "abuse") those monopolies to force people to use its web browser, Safari. Safari, of course, has a minuscule …