Sunday, 15 January 2006

As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at Washington Post) has been paid in the last couple days to what has been misleadingly described in some places as a "flaw" in the Windows wireless networking functionality. In reality, that's not quite the case. Rather, the potential problem (which some might argue is actually a feature) is related to an understood standard computer configuration (some would say "as-designed") of the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927 - see part 5). The authors of the spec even noted the potential risks and discussed the importance of taking that risk into consideration in design and deployment:

"The use of IPv4 Link-Local Addresses may open a network host to new attacks.  In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks.  By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)

Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.

The problem has to do with the fact that the last wireless network name (or SSID) you successfully connected with is reused and associated with the generic IP address that gets assigned when your wireless card can't find a network to associate with, so someone who is also assigned an IP In that block and who knows what they're doing might try to connect to your computer using that network name and the generic IP address subnet. Yeah, it's technical but it's not too hard to protect yourself.

The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall to protect access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent and properly configured firewall. If you block incoming traffic with the firewall, then access to the wireless adapter is nowhere near as big of a deal.

On the technical side, there are a couple things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the network adapter in Windows to only allow infrastructure connections (to access points), and not Ad-Hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer by the user or administrator) or in a more automated fashion across a security domain (see below).

On a Windows computer, you can also get all geeked out (this is a more technical step) and disable the feature that automatically assigns the generic dynamic IP address when DHCP server is present (this auto-assign feature is sometimes referred to as APIPA - see this page for details on disabling it if interested, but use at your own risk, it involves editing the registry). It's this common and predictable IP address space that could potentially allow someone else to try to snoop into your computer, if you had none of the other standard protections - like firewalls and directory security - in place.

An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:

Computer Configuration > Windows Settings > Security Settings >Wireless Networks

You notice there's nothing listed in that section by default - That's because you have to create your own policy if you want to take advantage of the features available. To do so, right click in the empty space and choose to create a new wireless policy. You'll give it a friendly name and the wizard will walk you through the steps required to set up your new policy. On the properties page (see below), you'll note an option is available to specify the network types to which you want to allow access. You can choose "Access point (infrastructure) networks only." Note that selecting this will force all computers to which the policy is applied to access point networks (so the wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).

Create_wireless_policy

Some companies use these settings to ensure the only wireless networks that business computers access are ones that are pre-approved, but that means a tradeoff between security and convenience, and road warriors often desire and need to use public access points for any of a number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.

Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.

For example, let's go back to enabling the software firewall on your computer - whether it be the Windows Firewall that is part of Windows XP SP2, or a third party firewall by a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps to ensure access to your computer is protected, even if the wireless connection is "open." Layering protections allows you to be sure the problems are kept out, and also provides a possible mechanism to temporarily relax any one of the protections when needed in order to accomplish a specific task.



Add/Read: Comments [1]
IT Security | Safe Computing | Tech
Sunday, 15 January 2006 12:35:14 (Pacific Standard Time, UTC-08:00)
#  Trackback

People are certainly interesting, especially when given the ability and opportunity to say whatever's on their minds uninterrupted. Whether they should or not. Of course, "should" is a relative term, determined by both listener and speaker. And they won't always agree.

Brad Fitzpatrick - of LiveJournal fame -  has created a continuous stream of public Internet audio blog posts recorded by LiveJournal users. I think I'll call it Brad's People Aggregator. It's colorful, random, strange and interesting. Sometimes funny, sometimes just crude. And you never know what you'll hear (good, bad or otherwise).

NOTE that the language and content of the audio posts is almost guaranteed to contain loud, crude, vulgar language.

People dial in to a number that allows them to post to their LiveJournal accounts. It's apparent that elevators and airports bring out interesting behavior in people. Now, I'm not so sure recording an audio post about your marijuana growing operation is really all that great an idea - but whatever. Also not convinced that talking about the court date you just had and how you have to go to the mental health office for your appointment is a great idea, but again, whatever... It's certainly an honest and unique slice of the real world, and that means real people (along with their collective reasoning, language, intelligence and behavior).

I suppose it's a great way to discuss and complain about stuff, but in a way where no one is there to tell you why you're SO FREAKIN' WRONG. Heh. Hmmm, there's probably some serious psychology to be done there - Something about how our interconnected world actually makes us more isolated even though everyone is so "close."

Here's the link...

Enjoy.



Add/Read: Comments [0]
AudioBlogging | Random Stuff
Sunday, 15 January 2006 09:11:09 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Saturday, 14 January 2006

I laughed out loud for some reasons when I read some of Trevin's comments from his trip to the Consumer Electronics Show earlier this month, where he listed a number of not-so-hot items from the super-mega-tradeshow of the gadget industry.

One of the more amusing categories in his post is "Wierdest celebrities coupling: Snoop Dogg and Donny Osmond."

XM had Snoop Dogg appear, then about 30 mins (later) they had Donny Osmond.  They had to have met at some point -- wtf did they talk about? 
 
Snoop Dogg: "Hey Don-dogg, what's the shizzle?"
Donny: "What?"
Snoop Dogg: "Fo sho"
Donny: "What?"
Snoop Dogg: "Peace out dogg"
Donny: "What?"
Heh!
 
Check out Trevin's "Oddest and Worst of CES 2006" list here, and be sure to also read his "Best of CES 2006" list. That way you'll be sure to walk away well-balanced.


Add/Read: Comments [0]
Humor | Random Stuff
Saturday, 14 January 2006 15:41:00 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Friday, 13 January 2006

Add/Read: Comments [0]
Humor
Friday, 13 January 2006 21:54:22 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Thursday, 12 January 2006

From CBC in Canada comes a hilarious video from Rick Mercer's show - The Mercer Report - demonstrating the latest in apparel for the Blackberry user. Should be mandated by OSHA in all high-tech office settings:

Check out the Blackberry Helmet Video at:

http://www.cbc.ca/mercerreport/videos/blackberry.wvx

(note - in non-USA style, there's some slightly-blurred-out nudity in this, so if you can't handle it, don't click - but hey, the video is funny)



Add/Read: Comments [2]
Humor | Mobile | Tech
Thursday, 12 January 2006 23:34:57 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Tuesday, 10 January 2006

Ipod_blackI broke down last week and bought an iPod. I got the 60GB model (5G iPod Video, black) and its a pretty cool device. Not without its quirks, but cool for sure. I like it, and I'll be adding some of the available (expensive) accessories as soon as I figure out which of the zillion accessory manufacturers actually makes something worth buying. Talk about a zoo...

iTunes is all hooked up (pretty cool app dontcha know), a few podcasts are subscribed (small list below for people who are interested) and a couple movies have been loaded. Great video conversion information and help can be found here, by the way. I've only bought one song on iTunes so far, and that will probably change but I think it says something that after having this thing for a week I've used it primarily to load some video for traveling and to subscribe to syndicated content (audio and video podcasts).

I really, really wish - every time I look at an apple product package - that they would at least tell me what is included and what's not. I know, I know... I could just ask any random human being on the street what came with their iPod and the zoo of accessories they own, since I am like the last person in the world to buy one of these things, but seriously - no compact wall charger? Leaving out the iPod dock is crazy enough, but I figured there would at least be an AC-outlet-to-USB thing in there.

One thing I learned early on: When it says "do not disconnect" on the screen, regardless of the fact that the message stays there for-freakin-ever, it's best not to disconnect it. If you do, and your iPod starts an endless cycle of reboot, power up, power off, flash the display, reboot, power up, power off, flash the... Yeah, anyhow the iPod updater has a "Restore" option that nukes the iPod, reformats the hard drive and installs all the software from scratch. Works wonders.

Oh and another thing - I can only sync this $400 device to one computer? Seriously? Ok, so I can hook up to a second computer and as long as I don't choose auto-sync, I can manually move files to the iPod. But this is not so good: Mac and Windows synced iPods are not compatible? Jeez, there's something worth spending some serious dev time on. Using the iPod updater to reformat the thing so I can use it on the Mac mini doesn't solve any problems, it creates them. And there's no way I'm buying Apple computers just to work with the iPod.

Oh, and copy-protection and all that RIAA crap aside, iTunes is a service, and it should flow from computer to computer with the authenticated user's settings and content, and I should be able to sync to the iPod anywhere I am logged in. In other words, some content everywhere, and associate the device with my user account, not my computer.

Anyhow, in the accessories department, it's pretty clear I need an iPod dock. I'll have to break down and ask my friends if it comes with a USB cable, or if I have to purchase that separately, too. I won't be shelling out the $20 for Apple's video cable so I can play content on my TV or projector - I think I'll just use one of the almost-exactly-the-same cables I already have lying around the house and just mix up the plugs as described at the Mac Dev Center site:

  • Plug the red RCA plug into your TV's yellow RCA jack.
  • Plug the yellow RCA plug into your TV's white RCA jack.
  • Plug the white RCA plug into your TV's red RCA jack.

Pure. Freakin. Genius. If it works.

But don't get me wrong here. I'm complaining a bit about the proprietary, non-standard and closed nature of the Apple way of business, but this is a terrific piece of hardware, as the marketplace has clearly proven. Audio quality is great. The user experience is simple, flows and just works. But you already know that.

HKCarPlayI stopped by a couple stores the other night between appointments and checked out the plethora of radio-transmitter accessories. I spend a lot of time driving (two hours of commute time daily), so having something that does a good job of transmitting relatively high quality audio to my FM car radio would be nice. On the higher end of the car-audio purchasing spectrum (about $200), the Harman Kardon Drive+Play looks really cool. Not sure if it's video iPod compatible, but I have emailed them to ask. The Monster iCruze also looks nice and it is confirmed to work with the iPod Video models, but I need to make sue my car stereo is compatible - And it's on sale in a huge way as of the time of this writing: $99 for a complete kit. A FAQ page is here.

Oh, and (sidebar comment here) you gotta check out the videos on this page at the HK Drive+Play site - especially the "Title and Registration" one. Heheh...

Below are the few podcasts to which I've subscribed so far. Now that I am coming back to podcasts (my first round with them was more geeky in nature than practical, which is my approach nowadays) the number of shows I am interested in subscribing to is relatively small. I'm pickier. You'll note these all tend to be either professionally produced shows or well-produced indi ones, and that the only common denominator is that they're relevant and matter to me. And none of them are podcasters talking about podcasting. Thank goodness we moved past that phase.

Note: The iTunes interface makes it pretty much impossible for me to figure out where the real home pages are for these podcasts, so it's hard to link you to them, sorry. If someone knows a trick, please tell me (hey Apple - seems like easy access to a phobos.apple.com subscription link plus a standardized "home site" URL in the iTunes XML and UI would be a nice thing to do for sharing subscription links?).

  • Diggnation (video and audio podcasts) - these guys sit around and discuss what's hot on Digg.com
  • Ebert & Roeper - movie reviews from the top critics, weekly audio from the broadcast television show
  • Engadget podcast - ultimate gadget geek site and podcast show (but their RSS feed is broken and iTunes is out of date, ugh)
  • Major Nelson Radio - podcast from inside the world of the XBOX and XBOX Live!
  • NASACast video - this Week at NASA video podcast - just a cool, short video update on what's happening at the space agency
  • Security Now! podcast - Consumer focused security audio show - We really need more security-focused podcasts
  • Superman Returns, Bryan Singer's Journal - The director of Superman Returns video-blogs lots of interesting stuff in the process of the creation of Superman Returns, which is set to hit theaters this year. Professionally produced video shows (I don't think Bryan is shooting any of these, but hey...)


Add/Read: Comments [6]
Random Stuff | Tech
Tuesday, 10 January 2006 10:15:04 (Pacific Standard Time, UTC-08:00)
#  Trackback