Friday, 04 August 2006
There are a couple interesting security-related headlines on ZDNet this morning, coming out of the Black Hat event. The first discusses how Microsoft's handing out a beta version of Vista to Black Hat attendees and says their security testing of Vista is the largest commercial penetration vulnerability test in history. In the other article, SPI Dynamics points out that many potential threats and gaps exist today in the use and consumption of RSS and ATOM feeds, and that many feed readers don't do security checks to ensure a feed is not malicious before - for example - running script that is delivered in an entry. A large number of common feed aggregators/readers (including the one I use) are on the list. This is something for the authors of those programs to address, for sure.
Microsoft issues Vista challenge
News Focus: Software giant wins over the Black Hat crowd by stressing its commitment to Vista security--and asking for help.
Blog feeds may carry security risk
Thursday, 03 August 2006
I just downloaded and installed Zoundry's Blog Writer over lunch, a free and ultra-feature-filled blog editor. This thing is slick! I am writing this post with the new editor.
I think I found my new blog editing app that I have been dreaming of for so long. At least it's going to get a real trial run. I have fought with Rocketpost so many times (it has never worked for me, and the authors don't seem to answer email anymore), and while I love BlogJet, the feature set in Zoundry is pretty incredible.
I'll write more about it tonight, after I get a chance to play around with it some more.
UPDATE: I am having a hard time getting the app to play nicely with my web hosts's FTP. Seems to upload image files, but the "test" mechanism says it does not work correctly, which is kind of strange. I have filed a post on the support forums, we'll see how that goes. I can upload images, as witnessed at right...
UPDATE AGAIN: One super cool feature I noticed was that Zoundry totally used the newly-implemented blog autodiscovery calabilities that have recently been baked into dasBlog by Omar. None of the old manually setting up and remembering the URL for the blogger API or any of that stuff. Nice!!
Wednesday, 02 August 2006
I have a tendency to bleed a little on this blog, meaning I grab the latest source code version and compile it myself to run it on the server almost all the time. The last official release of dasBlog (which is an open-source .NET blogging server application) was v1.8 and it was born nearly a year ago (wow, that long?). But for those who compile it themselves from source, it's been changing regularly over the past year and we've been enjoying the trickle-flow of feature enhancements.
And sometime soon now, says Scott, the official dasBlog v1.9 release will be out.
v1.9 will include some significant feature enhancements. Here is a mostly complete list (at least at this point -- the list is blatantly stolen from Scott's blog):
- Much better multi-user/blogger support including a Top Posters macro and total comments - from Christoph De Baene
- TagCloud - from Scott
- Huge (100x+) speedup in Macro execution - from Scott
- Support for If-Not-Modified to speed up execution, improve RSS bandwidth and CPU cycles - from Scott
- Direct Feedburner Support with 301 redirection for RSS and Atom feeds. Don't lose a single subscriber. We're the only blog with direct support for Feedburner and Feedflare I believe. - from Scott
- Delete comments directly from your mail reader - from Omar
- New themes out of the box, 18 at last count - from Many Folks
- New XML-RPC support for newMediaObject - from Omar and Giuseppe Dipietro
- New support for RSD so client software can autoconfigure itself - from Omar
- Pluggable Rich Text Editor, choose from FreeTextBox or FCKEditor or write your own adapter - from Josh Flanagan
- Support for CoComment - from Scott
- Organized source, build, and packing for clarity - from Josh Flanagan
- New Feed Icons - from Omar
- Automatic disabling of Comments after a certain number of days. Also manual "close comments" support - from Omar
- ContentLookAhead show future dated posts - from Josh Flanagan
- Other misc fixes and suggestions from Tomas Restrepo, Jason Follas, Rene Lebherz and Steven Rockarts. Added entry CPU usage optimizations from George V. Reilly.
- Better strings and support for Portuguese, Turkish and Vietnamese from Ph?m Ð?c H?i.
If you're a sourceforge nut, know how to use Subversion and want to compile it yourself, go for it. Or wait a bit longer for the release. I am running the latest code on this weblog, and it's pretty darned slick.
Tuesday, 01 August 2006
Yesterday I was in Seattle and had a couple extra hours between
appointments, so I headed over to Kirkland to check out the Smart Cars being sold at the Green Car Company. I climbed in a few of the ones they have on the lots there, and then I took one for a test drive.
Obviously, there's something appealing about a small two-seater that
the EPA states will get 42 MPG, but which real-world people say they
actually get anywhere from
45 to 60 or so MPG. Seriously - 60 miles to the gallon. For someone
like me, which commuted 80+ miles a day in a full sized pickup that
gets about 15 or 16 miles to the gallon, that's a big difference.
The Green Car Company gets these cars from ZAP in California. ZAP
imports them into the United States from Europe, where you see these
little things quite literally everywhere. When I was in Germany earlier
this year I saw bunches of them.
You might think safety would be an issue, but not really - check out a crash-test video here.
ZAP does all the "Americanizing" retrofit process so it is legal to
license in the states, and the emissions stuff has also been taken care
of. All those changes add to the price, though - the Smart ForTwo sells
for just under $27K - and the convertible is $2K more than that.
Anyhow, about the car. I was impressed. It's well put-together and
if you ever get a chance to sit in one you will be shocked by how much
room is inside. I mean, there's a lot of room - much more than I need
to fully stretch out. Even a person much taller than me should be able
to sit comfortably. The seats are good and the finish is what you'd
expect to get from a real car. In other words, this is not the Yugo or
Metro style little car. It's for real. A number of modifications to
meet the U.S. auto standards have been made, and overall it appears to
be a solid, well-made machine.
After staring at these things for awhile, then sitting in them and
being more impressed than I had planned on, I asked if there was one
that could be taken for a test drive. Truth be told, after sitting in
one and hearing the gas mileage stories (and even after hearing the
sticker price), I wanted to see what they're really all about. The
car has - get this - a 0.7 liter engine (heheh) that's (not get this) superturbo-charged.
It has an electronic shifting system, and you can run in in automatic
mode or shift by hand using the electronic lever that has become
common in many cars these days. A step-up option on the car includes
shift paddles behind the steering wheel, for those who don't want to
move their hands the 24 inches from the wheel to the shifter.
This car is fun to drive, for sure. It will do 85 miles per hour, so
highway driving is perfectly realistic. In fact one of the employees at
Green Car Co. drives one four days a week on his long commute (his is
much like mine - lots of miles each way), and he is getting around
65 miles per gallon on the highway. Wow. It also turns on
something smaller than a dime, and can fit in the smallest parking spot
you can imagine (in fact you can fit two of them, at least, in a
standard parallel curb spot by parking them nose-to-the-curb).
So, the test drive. After being shown the controls (nothing unusual)
and handed the keys, I took it out on the road to cruise some corners,
neighborhoods and hills. Kirkland is good for that sort of terrain. I
headed out the lot and stepped on the gas, and the car wrapped up and
took right off - with a bit more power than I'd assumed it could
muster. This was going to be fun, I thought.
The car handles well. The wheelbase is quite long and wide for
such a small car, and I felt completely comfortable driving it around
corners and in all the street conditions.
There are two things that stand-out as somewhat unusual about this car when you drive it for the first time.
The first thing in the brake pedal, which feels quite strange when
you apply it because the pedal is attached to a mechanism that lowers
into the floor rather than being hung from above on a pivot. So when
you step on it, its kind of sinks down as you push it with your foot.
It's not bad, just unusual.
The second things that stood out is the automatic shifting, which
lags between gears. I mean that as it shifts, a clutch mechanism (there
must be a clutch in there somewhere) disengages and the transmission
shifts, then the clutch re-engages. The result is a period of a second
or less when the engine is not powering the drive train. It's weird
feeling, but not that big of a deal. This car is designed differently
than any other I've driven, so I can accept the fact that it's
different. And in this case different is not bad - it's just not what
you are used to. By the way, if you are doing electronic shifting using
the floor shifter or the paddles, you don't experience the lag between
gears. And if you're interested in maximizing both power and fuel
economy, electronic shifting by hand is the way to go anyhow.
The air conditioning was better than I thought it would be on a tiny
car. The stereo was adequate but not something that will blow you
away or anything.
Overall, this was a fun and interesting car. The fuel economy is
insane, it handles very well, and it sure got stares and waves even
during my 15 minute test drive. If it was less money I'd buy one
without hesitating, but the thousands of dollars that are added to the
sales price of a European one (one assumes to cover the cost of the
"Americanization" and then some more dollars added on for the "new
and cool" factor) cause me to have to do some serious math. I could
save lots of money every week in fuel costs, but to get to $27K, it
would take a huge amount of savings to justify the purchase.
But chances are I will be sitting down and doing the math.
And this video shows just how, uhh, versatile the car can be...
Sunday, 30 July 2006
SPI Dynamics is one of the companies mentioned in the article. They're discussing the results of their research at the Black Hat event this week, but they have also posted the article and a sample ("proof of concept" as they say) web page that does some of what they've discovered for all to see, use... and copy for that matter.
SPI Dynamics, by the way, has a quality set of expert articles, white papers, webcasts, and more on their web site.
... "We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks" ...
Friday, 28 July 2006
Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.
You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - Rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.
The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.
You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that request information from you. The emails typically say something has happened to your account or that they;re verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?) , the bad guys win and come out ahead - big time.
Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.
You get the picture.
So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.
We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.
There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.
For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?
Do you have any idea who the bad guys are?
That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.
© Copyright 2012 Greg Hughes
This work is licensed under a Creative Commons License
This page was rendered at Sunday, 03 June 2012 12:15:24 (Pacific Standard Time, UTC-08:00)
newtelligence dasBlog 2.1.8015.804
"Computers used to take up entire buildings, now they just take up our entire lives."
"So how do you know what is the right path to choose to get the result that you desire? And the honest answer is this... You won't. And accepting that greatly eases the anxiety of your life experience."
Syndication [XML] and .net Alerts
For lazy, highly-technical or enlightened people, get this site's content without the use of a web browser. I use FeedDemon
for this, but you can choose your own. Subscribe - click the icon for my feed
... or sign up for Microsoft Alerts to receive updates through your MSN Messenger, e-mail, or mobile device. Click the orange button thingie to sign up with your Passport account:
Drop me an email:
Add me to MSN Messenger
|November, 2011 (1)
|October, 2011 (7)
|July, 2011 (1)
|May, 2011 (1)
|April, 2011 (1)
|January, 2011 (2)
|December, 2010 (3)
|November, 2010 (2)
|October, 2010 (1)
|September, 2010 (1)
|July, 2010 (1)
|June, 2010 (13)
|May, 2010 (4)
|April, 2010 (10)
|February, 2010 (1)
|January, 2010 (2)
|December, 2009 (1)
|November, 2009 (2)
|September, 2009 (2)
|August, 2009 (1)
|July, 2009 (2)
|June, 2009 (4)
|May, 2009 (7)
|April, 2009 (3)
|March, 2009 (5)
|February, 2009 (1)
|January, 2009 (10)
|December, 2008 (7)
|November, 2008 (7)
|October, 2008 (18)
|September, 2008 (18)
|August, 2008 (18)
|July, 2008 (35)
|June, 2008 (16)
|May, 2008 (12)
|April, 2008 (16)
|March, 2008 (22)
|February, 2008 (32)
|January, 2008 (9)
|December, 2007 (6)
|November, 2007 (4)
|October, 2007 (19)
|September, 2007 (36)
|August, 2007 (19)
|July, 2007 (17)
|June, 2007 (16)
|May, 2007 (13)
|April, 2007 (11)
|March, 2007 (5)
|February, 2007 (14)
|January, 2007 (16)
|December, 2006 (16)
|November, 2006 (4)
|October, 2006 (23)
|September, 2006 (14)
|August, 2006 (21)
|July, 2006 (34)
|June, 2006 (25)
|May, 2006 (20)
|April, 2006 (20)
|March, 2006 (17)
|February, 2006 (34)
|January, 2006 (30)
|December, 2005 (23)
|November, 2005 (39)
|October, 2005 (30)
|September, 2005 (49)
|August, 2005 (31)
|July, 2005 (21)
|June, 2005 (35)
|May, 2005 (53)
|April, 2005 (54)
|March, 2005 (60)
|February, 2005 (27)
|January, 2005 (59)
|December, 2004 (70)
|November, 2004 (58)
|October, 2004 (55)
|September, 2004 (64)
|August, 2004 (53)
|July, 2004 (65)
|June, 2004 (50)
|May, 2004 (49)
|April, 2004 (26)
|March, 2004 (20)
|February, 2004 (26)
|January, 2004 (28)
|December, 2003 (12)
|October, 2003 (8)
|September, 2003 (11)
|August, 2003 (1)
On this page
Search and Translate this Site
Blog Posting Categories
| Scott Adams' Dilbert Blog
Scott Adams is the creator of Dilbert, and his blog is an incredibly smart, clever and often funny (sometimes very serious) look at the world. Everyone should read this blog.
| Alex Scoble
Alex is a former coworker who blogs about a variety of IT-related topics.
| Brent Strange
Brent is a cool dude and a great QA guy that I used to work with. His blog is, appropriately, focused on QA and testing technology.
| Chris Brooks
Chris was formerly my boss at work and is an avid board gamer and photographer. He always has some new info about top-notch board games you may have never heard of, so if you're into them, you should check out this blog.
| Chris Pirillo
Lockergnome by trade, Chris is always up to something new. If you are not familiar with the Lockergnome newsletters, be sure to check them out, too.
| Matthew Lapworth
Matt's a software developer and friend. He seems to enjoy extreme sports. That's fine as long as he doesn't, like, die or something.
| Milind Pandit
Milind writes about all sorts of interesting stuff. We worked toegther for eight years, and he worked at our employer longer than I, which pretty much makes him old as dirt in company time. :)
| MSFT Security Bulletins [RSS]
RSS feed for all Microsoft security bulletins provides an always-up-to-date list of updates along with complete descriptions of each.
Rory Blyth is one of the funniest and most thought-provoking bloggers I read. And I blame him for everything. Literally.
| Scott Hanselman
Scott's computerzen blog is a popular spot for all things .NET and innovative. I used to work with him, but then he went off to Microsoft. He's one of the smartest guys I know, and arguably the best technical presenter around.
Who Links Here
Total Posts: 1888
Android (7) Apple (67) AudioBlogging (42) Aviation (2) Blogging (154) Fireworks (5) Geek Out (130) GnomeDex (20) Google Voice (1) Helping Others (27) Home Servers (5) Humor (144) IT Security (217) Kineflex Artificial Disc Surgery (16) Management (8) Microsoft Office (4) Mobile (139) Movies (31) Mt. St. Helens (13) Office 2003 (52) OneNote (29) Personal Stories (163) Photography (29) Random Stuff (642) RSS Stuff (47) RunAs Radio (28) Safe Computing (38) SharePoint (56) Tablet PC (42) Tech (1035) Things that Suck (69) Windows (6) Windows Media Technology (27)
This Year: 0
This Month: 0
This Week: 0