Phishing Fraud in 2007

Netcraft: Phishing Attacks Continue to Grow in Sophistication
http://tinyurl.com/vwmvw

“The Year in Phishing: Phishing attacks are continually evolving, as
fraudsters develop new strategies and quickly refine them in an effort to
stay a step ahead of banking customers and the security community. Here
are some of the phishing trends and innovations we noted in 2006”

  • Plug and Play Phishing Networks
  • Phlashing (Flash-based phishing sites)
  • Two-factor Authentication: A July attack on Citibank demonstrated a technique that was able to defeat two-factor authentication tactics using a man-in-the-middle attack.
  • Hacked Bank Sites
  • Continued XSS (cross-site-scripting) Vulnerabilities
  • MySpace Phishing

Read the article for more details. Is it safe to do online banking? I know people
who say “no”. If someone hacks into your bank account and commits fraud, who
bears the burden of proof? You or the bank? Probably you. Who limits your
liability? Not the bank. Credit card companies limit customer liability to a
reasonable minimum, but with online banking, there is no such protection. If
you physically visit a bank office and fraud happens, at least there are
records of who did what (video camera recordings, records of which bank teller
was helping with the transaction, etc.). With online banking, most of those
audit records don’t exist.

No-hassle online backup software

No-hassle online backup software for Windows XP: http://mozy.com and http://carbonite.com. Five dollars per month. Not bad.

I heard about these from listening to this podcast on usability of software:

Why Software Sucks by David Platt
http://cdn.itconversations.com/ITC.TM-DavidPlatt-2007.01.02.mp3

What is the most important thing to the average computer user? They want their machine to “just work”. Why does Google know how to correctly translate a United Parcel Service tracking number, while the actual UPS website requires multiple entries just to get to the point where the tracking number can be entered? Programmer David Platt is the author of “Why Software Sucks…and What You Can Do About It”.

While average users are expected to use the computer as an everyday tool, programmers too often produce software that has poor functionality, especially compared to other devices used to perform other routine tasks.

One of the other major problems is that software is too often marketed to enterprises rather than individuals, and that constant updates are meant to convince companies to regularly upgrade, with little or no thought given to the end user.

The discussion is both enlightening and entertaining. While Platt believes the problem can be solved, he thinks it won’t happen unless software designers change their point of view to better consider the needs of the end user.

Sony Clie Fixed

A few months ago, my Sony Clie PEG T-615C stopped hot-syncing and stopped charging. I would have backed up to a memory stick, but the slot was destroyed a couple of years ago when my then-two-year-old son tried to jam the stylus into the wrong spot. I lost some data when the battery finally gave out. I used my multi-meter to check that the power supply cable was functioning. It was okay. A connection inside the Clie was probably broken.

Since then, I’ve been borrowing a friend’s PEG-NZ90. It mostly works and runs faster, but is an ugly beast of a machine. I liked the slim, sleek form-factor of my T615C.

Tonight, I decided to open up the broken Clie and see if I could spot anything obviously wrong, but I couldn’t. Still, seeing the innards was fascinating.

I was impressed at how tiny the parts were — the ICs, the resistors, the diodes and who-knows-what-else. The miniaturization is amazing, and seeing it with my own eyes leads me to appreciate the raw power we hold in our hands. This thing is more powerful than the first Macintosh computers were just twenty years ago… or would be, if it worked.

Past experience with computer hardware has taught me that a simple cause of problems can be bad connections between computer cards and their slots, or with cables that have come loose. After twenty minutes of tinkering, I figured out how to disengage a few of the ribbon connectors, and I reengaged them. I disconnected and reconnected the battery. I tried plugging in the power connector, and the charge light came on! I was in business!

Innards of my Clie

My backup plan was to purchase a used Clie on ebay. Looks like I won’t need to do that unless I want a faster device.

VMWare and Upgrading to Fedora Core 6

I upgraded my desktop machine at work from Fedora Core 5 to Fedora Core 6, and since I run the free VMWare Player (the free VMWare Server is also a fine product), I knew I’d have to get it working after the upgrade. It could have been as simple as running ‘vmware-config.pl’, but it wasn’t.

A known issue with Fedora 6 is that on many single processor systems, the
installer loads an i586 kernel instead of an i686 kernel. The workaround for
this, at install boot-time, is to type “linux i686” — except that it only
works for fresh installs — it doesn’t work for upgrades. An i586 kernel was
installed even though I wanted an i686 kernel, and it created problems when I
went to configure VMWare. vmware-config.pl compiles a kernel module against
kernel headers. I had installed the kernel-devel package to get the kernel
headers. It turns out that I had an i686 kernel-devel package, and it didn’t
mesh up well with the i586 kernel that I didn’t know I had.

Run the following command:
rpm -q --queryformat '%{ARCH} %{NAME}-%{VERSION}-%{RELEASE}\n' kernel kernel-devel

This is how I figured out that I had a mismatch. Here’s what I had:

i586 kernel-2.6.18-1.2869.fc6
i686 kernel-devel-2.6.18-1.2869.fc6

Both of those should read ‘i686’. Here are the commands to run (as the ‘root’ user) to resolve the issue:

  1. yum -y upgrade # to get the latest kernel, etc.
  2. Follow the instructions at http://fedoraproject.org/wiki/Bugs/FC6Common to switch to an i686 kernel.
    • yum -y install yum-utils
    • yumdownloader kernel.i686
    • rpm -ivh --replacefiles --replacepkgs kernel-2*.i686.rpm
  3. reboot
  4. yum -y install kernel-devel
  5. rpm -q --queryformat '%{ARCH} %{NAME}-%{VERSION}-%{RELEASE}\n' kernel kernel-devel # The architecture should be i686
  6. touch /usr/src/kernels/2.6.18-1.2869.fc6-i686/include/linux/config.h
  7. vmware-config.pl
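
The architecture check from the steps above, as an added example (not part of the original post): a POSIX shell function, hypothetically named check_kernel_arch, that reads the rpm query output and fails when an installed kernel has no kernel-devel package of the same version and architecture. The sample input is the mismatched output quoted in this post.

```shell
#!/bin/sh
# Added example; check_kernel_arch is a hypothetical helper name.
# Reads "%{ARCH} %{NAME}-%{VERSION}-%{RELEASE}" lines (the rpm query format
# used above) on stdin and returns non-zero if any installed kernel lacks a
# kernel-devel package of the same version and architecture.
check_kernel_arch() {
    awk '
    $2 ~ /^kernel-devel-/ { v = substr($2, 14); devel[v] = devel[v] " " $1; next }
    $2 ~ /^kernel-[0-9]/  { v = substr($2, 8);  kern[v]  = kern[v]  " " $1 }
    END {
        bad = 0
        for (v in kern) {
            if (!(v in devel)) {
                print "MISSING kernel-devel for kernel " v
                bad = 1
                continue
            }
            n = split(kern[v], k, " ")
            for (i = 1; i <= n; i++) {
                # Pad with spaces so "i586" cannot match inside another token.
                if (index(devel[v] " ", " " k[i] " ") == 0) {
                    print "MISMATCH " v ": kernel=" k[i] " kernel-devel=" substr(devel[v], 2)
                    bad = 1
                }
            }
        }
        exit bad
    }'
}

# Constructed sample: the mismatched output quoted in this post.
printf '%s\n' \
    'i586 kernel-2.6.18-1.2869.fc6' \
    'i686 kernel-devel-2.6.18-1.2869.fc6' \
    | check_kernel_arch || echo "Resolve this before running vmware-config.pl"

# On a live system, pipe the real query into the function:
# rpm -q --queryformat '%{ARCH} %{NAME}-%{VERSION}-%{RELEASE}\n' kernel kernel-devel | check_kernel_arch
```

Lines that rpm prints for a package that is not installed are ignored by the parser, so a kernel with no kernel-devel at all is reported as MISSING rather than silently passing.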

Update

I can’t recommend upgrading to Fedora Core 6 from version 5. My screensaver (gnome-screensaver) wouldn’t unlock — it never even gave me the chance to enter a password. I tried switching to xscreensaver, but it wouldn’t accept my password. After several fruitless google searches for a resolution to either problem, I gave up and decided to install from scratch. Now my screensaver behaves correctly.

When I did a fresh install, it installed the xen kernel. VMware and Xen didn’t play well together for me — I got nearly 100% CPU utilization when I tried to load a guest. I installed the non-xen kernel, booted that kernel, and reconfigured vmware. Now VMware runs great. If I remember correctly, here are the commands I ran as root:

  1. yum -y install kernel
  2. reboot into a non-xen kernel
  3. touch /usr/src/kernels/2.6.18-1.2869.fc6-i686/include/linux/config.h
  4. vmware-config.pl

KVM is the future of virtualization on Linux, from what I gather, so I’m not going to try Xen.

Child Monitoring Software

For my job, I write corporate employee monitoring software. Some people see it as Big Brother software, and it could certainly be abused in the wrong hands. I believe that technology itself isn’t good or evil; instead it is subject to ethical and unethical use by individuals.

There are many aspects of security. One of them is auditing, the purpose of which is to verify the trust we have placed in an individual. It’s a way of managing risk. The people in whom we place the most trust can do the most damage to us and to our organization. In many cases, we have no choice but to trust. To be distrustful of everyone and everything would be unproductive. I’ve heard the saying “Trust, but verify”, and that’s where our software comes in, because it allows companies to verify the trust they place in their employees — to pinpoint and mitigate risk.

Our software is a great solution in the corporate environment, but it’s neither designed nor priced for home and small business use. In particular, I wondered what solutions exist for parents who want to reduce risk to their children who use the internet. I’ll get to that in a moment, because I believe that technology alone will never be a complete solution.

First and foremost, I believe we must teach our children correct principles of safety and responsibility. Teach them what is expected of them when they go online, and what dangers to avoid.

Second, place the computer in a public, high-traffic area in the home.

Third, talk to children about what they do online.

Fourth, since it’s not always possible to be at home monitoring what they do, consider using child monitoring software. As I understand it, it’s legal to monitor children under the age of 18 without their consent.

Fifth, review what the monitoring software collects.

The most complete website I’ve found about child monitoring software is www.1-spy-software.net.
The most mature and industry recognized solution, as far as I could tell from my google research, is Spectorsoft, which is available for Windows and Mac OS X computers.

I haven’t used child monitoring software (my children are too young to use the Internet), so I can’t vouch for its quality, its ease of use, or its effectiveness. What would I look for in a home solution?

  1. Trustworthy.
  2. Widely recognized and mature. Easy to use.
  3. Doesn’t transfer collected information to a remote server.
  4. Available from a local retail store.
  5. Cost effective.

The E-Voting Iceberg

Bruce Schneier writes in Forbes about electronic voting:

Electronic voting is like an iceberg; the real threats are below the waterline where you can’t see them. The problem is software — programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that’s left at the end of the day are those electronic tallies, there’s no way to verify the results or to perform a recount. Recounts are important.

This isn’t theoretical. In the U.S., there have been hundreds of documented cases of electronic voting machines distorting the vote to the detriment of candidates from both political parties: machines losing votes, machines swapping the votes for candidates, machines registering more votes for a candidate than there were voters, machines not registering votes at all. I would like to believe these are all mistakes and not deliberate fraud, but the truth is that we can’t tell the difference. And these are just the problems we’ve caught; it’s almost certain that many more problems have escaped detection because no one was paying attention.

For the most part, and throughout most of history, election fraud on a massive scale has been hard; it requires very public actions or a highly corrupt government — or both. But electronic voting is different: a lone hacker can affect an election. He can do his work secretly before the machines are shipped to the polling stations. He can affect an entire area’s voting machines. And he can cover his tracks completely, writing code that deletes itself after the election.

You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota. Or run a 100% mail-in election like Oregon does. Again, paper ballots are the key.

Paper? Yes, paper. A stack of paper is harder to tamper with than a number in a computer’s memory. Voters can see their vote on paper, regardless of what goes on inside the computer. And most important, everyone understands paper. In today’s world of computer crashes, worms and hackers, a low-tech solution is the most secure.

Magical Tech Support

For my first computer job, I did half tech support and half programming at Brigham Young University. I enjoyed helping people because they were appreciative when I could solve their computer problems.

It was interesting that about a third of the time, all I had to do was walk into the office of the professor that was having a computer problem, and the problem would be solved. I didn’t have to do anything. It was like magic. The same scenario occurred for the other tech support guys.

That was in 1992, and I had forgotten about that magical aspect of computer support. Last night, however, I was reminded when I went to a neighbor’s house to help with a printer that wouldn’t print. I didn’t expect to find an iMac. It seems like most people have Windows computers. Here was an exception. The first task was to power it on. Where was the power button? I felt foolish that I couldn’t find it. Although I programmed in 4D and Foxpro for four years on a Mac, the experience with legacy systems didn’t help me with today’s hardware. I searched for the power button on the keyboard, on the monitor, and on the base of the iMac. Somehow, I missed the nearly invisible power button located near the back of the base. Fortunately, the 10-year-old son showed up and powered it on. He also turned on the printer. I had him print a test page, and it worked. The 10-year-old was shocked. It hadn’t worked before. He had tried fiddling with USB cables, etc., but to no avail. Once I showed up, it worked, magically.

Now I hope it continues to work.

Quotes: Problems, solutions, and change

The solution to any problem is found in the proper definition of the problem

— Doug Hale

Everything in software changes. The requirements change. The design changes. The business changes. The technology changes. The team changes. The team members change. The problem isn’t change, because change is going to happen; the problem, rather, is our inability to cope with change

— Kent Beck