Monday, August 18, 2008

Security Bytes Galore

I think that like half the news I found most interesting last week is security related, so let's get down to it!

Defcon Tidbits

Last weekend was Defcon, the Las Vegas convention where hackers and security experts gather to learn from one another and have some fun. One of the things in the latter category was that a couple of hackers were beaten by a relatively simple man-in-the-middle attack (sitting between you and the network and giving you bad packets). One of the former items was an anticipated lecture on a huge DNS security hole. A Domain Name System (DNS) server is what the URLs you write in your address bar get sent to so that you can get an IP address instead. If someone were to compromise the DNS server that you use, they could send you to phishing sites (i.e. fake bank sites and such). The particular exploit the lecture describes is the fact that if the DNS server you're querying doesn't have an answer, it refers the query to other servers and accepts their response based on something called a Transaction ID, a number between 0 and 2^16. Of course, if a bad guy can guess this number then he can pretend to be a DNS server, and he can re-try multiple times so his odds aren't as bad as you'd think. The fix is to increase the range of this ID and not be so lenient about a bad transaction ID, but if your DNS servers (usually defaulted by your ISP) don't have the patch, then you're kind of screwed. In that case, the fix is to use OpenDNS, and they have directions for how to switch to them.
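To put numbers on "his odds aren't as bad as you'd think", and on why a bigger ID range helps, here is a small probability model. It is an added example, not something from the lecture; the 100 forged responses per attempt and the 32-bit comparison space are assumptions, and each attempt is treated as independent.

```python
import math

ID_BITS = 16  # the page's Transaction ID: a number between 0 and 2^16

def race_win_probability(forged_per_race, id_space):
    """Odds that one of several distinct guessed IDs matches the one
    ID the resolver expects for a single outstanding query."""
    return min(forged_per_race, id_space) / id_space

def cumulative_probability(races, forged_per_race, id_space):
    """Odds that at least one of `races` independent attempts matches."""
    p = race_win_probability(forged_per_race, id_space)
    return 1.0 - (1.0 - p) ** races

def races_for_probability(target, forged_per_race, id_space):
    """Smallest number of attempts that reaches `target` cumulative odds."""
    p = race_win_probability(forged_per_race, id_space)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))

if __name__ == "__main__":
    guesses = 100  # assumed forged responses per attempt (illustrative)
    for bits in (ID_BITS, 32):  # 32 bits is a hypothetical wider ID space
        n = races_for_probability(0.5, guesses, 2 ** bits)
        print(f"{bits}-bit ID: {n:,} attempts for even odds of a match")
```

With a 16-bit ID, a few hundred attempts reach even odds; the same model with a 32-bit space needs tens of millions, which is the whole argument for widening the range.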

One last thing from Defcon: it's not as hard as you may think for someone to get into your Gmail account if you didn't choose the option to always use https. I was fooled, too: just because you type in https://www.gmail.com does not mean that the secure cookie (i.e. your authentication token) you have can't get stolen by someone listening in on your requests to http://www.gmail.com, so make sure you go to your settings and look at the bottom of the general tab for that https option.
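Why typing https isn't enough comes down to how a browser decides which cookies to attach to a request. The sketch below is an added example, not Gmail's code: a simplified model of that decision, with the host `mail.example.test` and the cookie names constructed for illustration. A cookie set without the `Secure` attribute rides along on any plain-http request to the same site.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Turn one Set-Cookie header into the attributes that matter here."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _value = first.partition("=")
    cookie = {"name": name, "domain": origin_host.lower(),
              "host_only": True, "path": "/", "secure": False}
    for attr in rest:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie

def would_send(cookie, url):
    """Simplified browser rule: domain, path and scheme must all allow it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain_ok = host == cookie["domain"] or (
        not cookie["host_only"] and host.endswith("." + cookie["domain"]))
    req_path = parts.path or "/"
    cpath = cookie["path"]
    path_ok = req_path == cpath or req_path.startswith(cpath.rstrip("/") + "/")
    scheme_ok = parts.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok

def exposed_on_http(set_cookie_headers, origin_host, path="/"):
    """Names of cookies that would travel unencrypted to http://host/path."""
    url = f"http://{origin_host}{path}"
    cookies = (parse_set_cookie(h, origin_host) for h in set_cookie_headers)
    return [c["name"] for c in cookies if would_send(c, url)]

# Constructed sample headers, as if received over https from the login page.
HEADERS = [
    "auth_token=constructed123; Path=/; HttpOnly",           # no Secure flag
    "auth_token_s=constructed456; Path=/; Secure; HttpOnly",  # https only
    "prefs=dark; Path=/mail",
]
```

Running `exposed_on_http(HEADERS, "mail.example.test", "/mail/inbox")` lists the cookies a listener on the network could read from one stray http request.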

Facebook Phishing and Identity Theft

With popularity comes the privilege of being targeted by the sleazebags of the computer underworld. One such Chinese sleazebag has somehow managed to send out messages that look like they're from a friend of yours and that end up at the Facebook login page, but it's really faceilbook.com, and it takes your login information. Why would this be a problem? Because people use the same passwords on many sites, and it could be enough to steal someone's identity. These Chinese hackers do not mess around, so be wary of this. I always wondered at what point these sites would be big enough to be serious security risks (the MySpace stuff was small fry stuff), so I wonder if this is the start of something big.

Back to the bigger issue though: identity theft. Consumer Reports has a pretty good list of things you may screw up online that threaten your identity, of which the above is actually one. My favorite one is to not assume your Mac is secure because it's a Mac. It astounds me how defensive some Mac users get when I tell them that Safari is a terrible piece of software and they should be using Firefox. As for the online shopping thing: Amazon has a lot of people dedicated to detecting and preventing fraud, so you can shop assured that there are people who have your back.

Privacy Breaches?

Several Internet firms have admitted to using tracing cookies to help drive some targeted advertising without explicitly mentioning it, but I was honestly not all that shocked. For one thing, you should be using SpyBot so these cookies shouldn't stay on your machine for long, but I also don't think that there's necessarily anything wrong with these cookies. I think people should be informed that they're taking on these cookies, but I don't think they compromise anyone's privacy. That's just me though, I can understand people getting offended and I think they should be allowed to opt-out.

You should be more concerned about using torrents without getting shut down, even if it's for legal purposes. There's now a program called TorrentPrivacy that creates a secure connection between your machine and a server that downloads the torrent on your behalf and sends the data to you securely (read: encrypted) so that an ISP can't block your download or throttle it. Pretty nifty, huh? I don't know if the ISPs can ever detect this, but maybe if they figure out what servers are doing this they can just block connections to them without discrimination? Of course, with the FCC's recent actions against Comcast (see my last post), they'd be stupid to do so without making it public. Wouldn't that be an interesting PR conference? That they're blocking out an Internet server for trying to give people data that outsiders can't look in on? That would be mutiny for VPN, which is how big companies allow their employees to work remotely, so I think that TorrentPrivacy is a pretty solid solution.

More Apple News

No matter how I try to avoid it, Apple seems to work its way into the limelight week after week. The first thing is real quick: Steve Jobs has admitted to the kill switch that I admitted to last week (to delete any of your iPhone apps). And what's his reasoning? In case they accidentally approve a malicious application. Am I the only person who thinks this is stupid? Also, it's a lie: Apple doesn't care about you past your wallets, the real reason for this kill switch is if their approval people let in an application that displeases AT&T or something in their terms of service. So what the Hell is the point of their approval process? They're basically telling us that these guys are so incompetent that they had to build in a kill switch. By the way, if they really cared about security they would include a garbage collector in their platform to plug up the buffer overflow exploits that are likely already in the works.

I used to love iTunes, but with each new version they added stuff I didn't want and made it slower. PCWorld is running an article about what they hate from iTunes, and I agree with pretty much all of their points. The most annoying things are the update pushes that they shove down your throat for other Apple products and the fact that it won't monitor folders because it assumes that you only use the iTunes music store. I think that Media Monkey is much better, easier to use, and lighter on memory usage. I have to admit that I did like cover flow though and it has a great CD ripper.

Now for some good Apple news: they're worth more than Google. As you can imagine, this has drummed up quite a bit of controversy, but it's not that extreme when you consider the monumental success of even the newest iPhone and their surging sales in laptops and even iMacs. What has Google done that's so great lately? That being said, investors are irrational and their stock worth doesn't mean that they're necessarily a better company, but I personally believe that they're more focused and will do better in the long run as a result if they can just groom someone to be as resilient a leader as Steve Jobs (but preferably not as scary).

Final Tidbits

It's getting late so let me wrap things up. There's a new P2P game in town called Playlouder that allows you to pay a subscription fee each month to pirate as much as you want and then they pay the copyright holders the appropriate royalties, but TorrentFreak is not impressed. I agree with TorrentFreak: it's not feasible and is going to fall apart quickly.

Intel has announced that their new chip will be called the Core i7, and all will be explained later on as the first of these energy efficient chips will be due Q4 this year. I'm hoping for a bigger L1 cache and more of those architecture features that will make multiprocessors more usable.

Lastly, NBC's Olympic site is pretty much only guaranteed to work for Windows users, which leaves some Apple users and all Linux users out in the cold. Given the worldwide importance of the Olympics, this is just terribly ignorant. Then again, these are the companies that hate DVRs and online TV because they detract from their antiquated business model, so I guess it's too much to ask that they not exclude valuable customers.

Hack Day

That's it for my real post, but I just wanted to briefly mention that Amazon had a Hack Day last week and it was great. Needless to say, I won't be revealing anything that was created during the event, but it was a really humbling experience. I didn't manage to finish what I was working on, but I was just amazed by what some people managed to accomplish in a 24 hour time period. It really gave me something to aspire to, and I really took a lot away from it. The main thing I learned is to never underestimate the importance of research and design in any project, no matter how easy or small it seems. Also, never underestimate a team of really bright programmers. Amazon truly has some of the best talent around, and I'm very grateful to get to work with some of them. Today's company picnic was more fun than I thought, and we even got goodies from Amazon Fresh!
