Friday, February 18, 2005

Commercial Software Regulation

With all the push lately for security in the software and IT markets, what will it take for companies to implement secure practices? According to Richard Clarke, former White House cybersecurity and counterterrorism adviser, there must be some regulation put in place to force companies to adhere to open standards and regulations which will promote better cybersecurity:

Article with quote

"But Clarke, during one panel discussion yesterday, called on Microsoft and other software companies to become more publicly accountable in their efforts to develop secure software. He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code.

The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development. Outside experts would then be able to judge how well each company lives up to those practices.

"There's no fine involved, there's no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what's going on," Clarke said, drawing a round of applause from the crowd at San Francisco's Moscone Center. Panelists compared the concept to the effort to hold public companies to standards for financial reporting under the Sarbanes-Oxley Act."

With the creation of open standards that are regulated by the IT industry itself, and held accountable by the government and the public, the industry will be able to move forward with the security and safety of the Internet and of the applications that rely on it.

Thursday, February 17, 2005

Student Privacy in Public Schools

An elementary school in Sutter, California, implemented a policy of using RFID tags to track students' movements throughout the school. The system was supposed to make it easier for administrators and teachers to take attendance and monitor the location of students. The initial plan included tracking students into the bathrooms, which parents successfully protested.

This type of automated tracking is a clear invasion of privacy. I am not suggesting that we have a right to privacy (although I do support the right to privacy), but I am suggesting that in this situation, the parents should be able to decide whether or not school employees will have access to their children at all times. I would want measures to be in place to ensure that the local pedophile would not have access to the children's location when the school was short-staffed. We all know that background checks are not 100% accurate, and that school employees are under-paid. The RFID technology is not mature enough to prevent third-party reading and tracking either. There should be more planning and risk analysis involved in a policy such as this.

The idea of monitoring our children is not a bad one, as they require monitoring by responsible individuals who care for their well-being. The monitoring becomes a problem when it is automated and access may be given to individuals whom the parents are not informed about. I can see this issue getting more of the spotlight as more monitoring solutions are created.

Consequences for Hacking?

T-Mobile was the victim of a hacker for a period of about a year, possibly continuously. This hacker, Nicolas Jacobsen, was able to access the customer records and personal data of T-Mobile customers. Nicolas then offered this personal data for sale on-line, even offering the data to Secret Service agents, who were investigating him at the time. Nicolas also accessed the classified email of a Secret Service agent who was using a Sidekick for email related to open and active cases. According to Kevin Poulsen at SecurityFocus, the sentence for this crime will be a maximum of 5 years. I can hardly see this as adequate punishment for the crime that was committed. I do not think that this type of consequence will deter other criminals and prevent identity theft! I realize that Nicolas will probably be able to aid in the prosecution of other hacking cases, but the ruin that he could cause to the thousands of people whose identities he may have stolen will follow them for their entire lives. Nicolas will serve 5 years and get out to start his own consulting company, which will make him a millionaire at 30. Is this fair?

PC Simulations in Court

PC simulations are used for many studies, from weather and seismic activity to nuclear explosions. However, using PC simulations in court has not been a common practice. I found an article this morning which discusses a trial taking place in Seattle where a man is being charged with vehicular homicide and a software simulation is being used to aid the prosecution. I wonder how far out of hand this practice will get before sufficient regulation and certification is put in place to make it fair, if that is even possible. I can see a situation where the weekly software update was done improperly and the crime will have to be re-tried due to simulation error. I wonder if the convicted would be able to make a case against the application programmer for any mistake or suffering if the case were later overturned.

In the Seattle trial, a man is being charged with vehicular homicide after taking a ride with a friend in his new sports car. Witnesses saw the pair leave with the friend driving the car; the friend was then killed in an accident involving a tree and a mailbox. The prosecution is using PC-Crash, a computer simulation, to try to prove that the occupants switched roles and that the survivor of the crash was driving and caused it.

Wednesday, February 16, 2005

Finding Rootkits

I was reading Bruce Schneier's blog today and found a post on GhostBuster, a tool proposed by Microsoft Research that checks a system for rootkits and other hidden software. The application would reside on a CD with its own OS; once the machine is booted from the CD, it scans the disk and compares what it finds against the listing the running system reported about itself, so any files and folders that appear only in the offline scan may belong to a piece of malware or an exploit that is hiding them from the live kernel.

The idea seems very efficient, except that the system would have to be stopped to perform the check... A solution to this problem would be to have several load-balanced servers, so that the sysadmin could check each system in turn while the other servers maintain the load.

This idea could also be accomplished using Knoppix, albeit not as quickly or efficiently unless the admin had written a script or program to do the comparison for them.
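The script an admin would write for the Knoppix approach is essentially a cross-view diff: one file listing captured from inside the running OS, one captured after booting the CD and mounting the disk read-only, and a comparison that reports what only the offline view can see. The following is an added example, not Microsoft's GhostBuster code or anything from Schneier's post. The listing format (`path<TAB>size`), the mount point `/mnt/hda1`, the file names and the sizes are all constructed sample data.

```python
"""Cross-view diff for hidden-file detection (added example, not GhostBuster).

One listing comes from inside the running OS, the other from a clean boot with
the same disk mounted read-only. Anything the offline view has that the live
view lacks is a candidate for something the running kernel is hiding. Both
listings below are constructed sample data; on a real box you would produce
them with `dir /s /b` (live) and `find` (offline) and paste the text in here.
"""
from typing import Dict, Iterable, List


def normalize(path: str, root: str) -> str:
    """Strip the drive or mount prefix and unify separators and case so that
    C:\\WINDOWS\\... (live) and /mnt/hda1/WINDOWS/... (offline) compare equal.
    Case folding mirrors NTFS, which is case-insensitive by default."""
    p = path.replace("\\", "/")
    r = root.replace("\\", "/")
    if p.lower().startswith(r.lower()):
        p = p[len(r):]
    return p.lstrip("/").lower()


def parse_listing(text: str, root: str) -> Dict[str, int]:
    """Parse 'path<TAB>size' lines into {normalized path: size}; '#' comments skipped."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, size = line.rpartition("\t")
        entries[normalize(path, root)] = int(size)
    return entries


def cross_view_diff(live: Dict[str, int], offline: Dict[str, int],
                    volatile: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Compare the two views. Paths under a volatile prefix (temp dirs, page
    file, logs) are skipped: they legitimately change between the two
    snapshots and would otherwise drown the report in noise."""
    vol = [normalize(v, "") for v in volatile]

    def noisy(p: str) -> bool:
        return any(p.startswith(v) for v in vol)

    hidden = sorted(p for p in offline if p not in live and not noisy(p))
    only_live = sorted(p for p in live if p not in offline and not noisy(p))
    size_mismatch = sorted(p for p in offline
                           if p in live and offline[p] != live[p] and not noisy(p))
    return {"hidden": hidden, "only_live": only_live, "size_mismatch": size_mismatch}


# Constructed sample: what the running Windows box says about itself.
LIVE_VIEW = """# captured inside the running OS
C:\\WINDOWS\\system32\\kernel32.dll\t984064
C:\\WINDOWS\\system32\\ntoskrnl.exe\t2149376
C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t734
C:\\WINDOWS\\Temp\\~tmp0001.tmp\t12
C:\\pagefile.sys\t402653184
"""

# Constructed sample: the same disk seen from a Knoppix boot, mounted read-only.
OFFLINE_VIEW = """# captured from the CD-booted OS, disk mounted at /mnt/hda1
/mnt/hda1/WINDOWS/system32/kernel32.dll\t984064
/mnt/hda1/WINDOWS/system32/ntoskrnl.exe\t2154496
/mnt/hda1/WINDOWS/system32/drivers/etc/hosts\t734
/mnt/hda1/WINDOWS/system32/drivers/hidden_svc.sys\t23552
/mnt/hda1/WINDOWS/system32/hidden_svc.ini\t310
/mnt/hda1/pagefile.sys\t402653184
"""

# Things that change between the two boots and are not worth reporting.
VOLATILE = ("WINDOWS/Temp/", "pagefile.sys")


def run_example() -> Dict[str, List[str]]:
    live = parse_listing(LIVE_VIEW, "C:\\")
    offline = parse_listing(OFFLINE_VIEW, "/mnt/hda1/")
    return cross_view_diff(live, offline, VOLATILE)


if __name__ == "__main__":
    for kind, paths in run_example().items():
        for p in paths:
            print(f"{kind:14s} {p}")
```

Two caveats worth keeping in mind when reading the report. The diff only catches software that hides: a rootkit that stores its pieces outside the file system (unallocated sectors, a second partition the live OS never mounts) shows up in neither listing, and one that does not hide at all looks like any other file. And the `size_mismatch` bucket is only meaningful when both listings were taken back to back with nothing written in between; otherwise ordinary updates produce the same signal as a tampered binary.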

Tuesday, February 15, 2005

Slashdot Discussion with Martin Taylor

There is a very interesting discussion on Slashdot with Microsoft's Martin Taylor that I recommend reading. It is always good to hear from Martin Taylor, the politically correct spokesman for Microsoft. I don't agree with everything that he says, but he does speak well with the information that he has. Reading this article helps me become less biased and see the idiocy of trying to use or avoid a specific vendor for emotional reasons. The most valuable IT person will be the one who knows how to analyze a situation and use the best tool for the job. I don't want to be a Linux or Windows expert; I want to be a security expert who knows how to use Windows or Linux and make either of them as secure as they need to be for the situation at hand. On another note, the Linux professionals that Martin talks about get paid a lot more than the Windows professionals, which tells me that if I want to get paid more I don't need to work on becoming a Windows expert as much as I should just continue with my Linux/Unix skill-set.

Friday, February 11, 2005

Transport Layer Protocols

While reviewing some API documentation on network programming I was alerted to the fact that TCP and UDP are not the only transport protocols in use (as defined by the IETF). I did a little bit of reading on SCTP, the Stream Control Transmission Protocol, which allows a multi-homed host to establish an association (SCTP's term for a connection, which can carry several independent streams) with another host. The big-picture scenario here is that each endpoint advertises all of its addresses when the association is set up, so the association can use any number of the host's interfaces throughout the communication, allowing one or more of those interfaces to fail. As long as one path between the two hosts remains, the host can continue the communication over it; SCTP sends heartbeats over the idle paths so that it knows which ones are still usable before it has to fail over.

More documentation can be found in the RFCs which describe it:

RFC 2960 (the base protocol: packet format, association setup, multi-homing)
RFC 3309 (replaces the original Adler-32 checksum with CRC32c)
RFC 3758 (the Partial Reliability extension)
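To see what the multi-homing actually looks like on the wire, here is an added example that builds and parses SCTP packets by hand; it is not code from the RFCs or from any SCTP stack. It covers the 12-byte common header of RFC 2960 (ports, verification tag, checksum), the CRC32c of RFC 3309, and the INIT chunk in which a multi-homed endpoint lists its addresses. The ports, tags and addresses are constructed sample values (the addresses are from the documentation ranges). The checksum is stored least-significant byte first, the byte order produced by the reference code in RFC 3309 and used by the Linux implementation.

```python
"""SCTP common header, CRC32c and INIT chunk, as an added example (not RFC
reference code). Ports, tags and addresses below are constructed sample data."""
import socket
import struct
from typing import Dict, List, Tuple

CHUNK_INIT = 1            # RFC 2960 3.3.2
PARAM_IPV4_ADDRESS = 5    # RFC 2960 3.3.2.1: one parameter per advertised address
Chunk = Tuple[int, int, bytes]   # (type, flags, value without header/padding)


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), reflected polynomial 0x82F63B78, bit-at-a-time."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def sctp_checksum(packet: bytes) -> bytes:
    """CRC32c over the packet with the checksum field zeroed (RFC 3309),
    stored least-significant byte first."""
    zeroed = packet[:8] + bytes(4) + packet[12:]
    return struct.pack("<I", crc32c(zeroed))


def build_packet(src_port: int, dst_port: int, vtag: int, chunks: List[Chunk]) -> bytes:
    body = bytearray()
    for ctype, flags, value in chunks:
        length = 4 + len(value)                 # chunk length excludes padding
        body += struct.pack("!BBH", ctype, flags, length) + value
        body += bytes(-length % 4)              # pad each chunk to a 4-byte boundary
    packet = struct.pack("!HHI", src_port, dst_port, vtag) + bytes(4) + bytes(body)
    return packet[:8] + sctp_checksum(packet) + packet[12:]


def init_chunk(init_tag: int, a_rwnd: int, out_streams: int, in_streams: int,
               init_tsn: int, addresses: List[str]) -> Chunk:
    """INIT: fixed fields, then an IPv4 Address parameter per local interface."""
    value = struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, init_tsn)
    for addr in addresses:
        value += struct.pack("!HH", PARAM_IPV4_ADDRESS, 8) + socket.inet_aton(addr)
    return CHUNK_INIT, 0, value


def parse_packet(packet: bytes, expected_vtag: int) -> Dict:
    if len(packet) < 12:
        raise ValueError("shorter than the common header")
    src_port, dst_port, vtag = struct.unpack("!HHI", packet[:8])
    if packet[8:12] != sctp_checksum(packet):      # integrity first
        raise ValueError("CRC32c mismatch: discard")
    # RFC 2960 8.5: a packet whose tag is not the association's tag is silently
    # discarded; a blind attacker must guess the 32-bit tag to inject anything.
    # INIT is the one chunk that travels with tag 0 (the caller passes 0 for it).
    if vtag != expected_vtag:
        raise ValueError("verification tag mismatch: discard silently")
    chunks: List[Chunk] = []
    off = 12
    while off < len(packet):
        if off + 4 > len(packet):
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):   # never trust the length field
            raise ValueError("chunk length points outside the packet")
        chunks.append((ctype, flags, packet[off + 4:off + length]))
        off += length + (-length % 4)
    return {"src_port": src_port, "dst_port": dst_port, "vtag": vtag, "chunks": chunks}


def parse_init(value: bytes) -> Dict:
    if len(value) < 16:
        raise ValueError("INIT shorter than its fixed fields")
    init_tag, a_rwnd, out_s, in_s, tsn = struct.unpack("!IIHHI", value[:16])
    addresses, off = [], 16
    while off < len(value):                         # TLV walk with the same bounds checks
        if off + 4 > len(value):
            raise ValueError("truncated parameter header")
        ptype, plen = struct.unpack("!HH", value[off:off + 4])
        if plen < 4 or off + plen > len(value):
            raise ValueError("parameter length points outside the chunk")
        if ptype == PARAM_IPV4_ADDRESS and plen == 8:
            addresses.append(socket.inet_ntoa(value[off + 4:off + 8]))
        off += plen + (-plen % 4)
    return {"init_tag": init_tag, "a_rwnd": a_rwnd, "out_streams": out_s,
            "in_streams": in_s, "init_tsn": tsn, "addresses": addresses}


# Constructed sample: a host with two interfaces opens an association to port 5000.
SAMPLE_INIT = build_packet(36422, 5000, 0, [init_chunk(
    0x1A2B3C4D, 65536, 10, 10, 1000, ["192.0.2.10", "198.51.100.10"])])


def decode_sample() -> Dict:
    ctype, _flags, value = parse_packet(SAMPLE_INIT, expected_vtag=0)["chunks"][0]
    assert ctype == CHUNK_INIT
    return parse_init(value)


def is_accepted(packet: bytes, expected_vtag: int) -> bool:
    """True if the receiver would process the packet rather than drop it."""
    try:
        parse_packet(packet, expected_vtag)
        return True
    except ValueError:
        return False


def corrupt_byte(packet: bytes, index: int) -> bytes:
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    print(decode_sample())
```

The addresses list in the decoded INIT is the multi-homing: the peer records every address it sees there and can later move traffic to any of them. The two drop paths in `parse_packet` are the ones that matter from a security standpoint, in that order: a bad CRC32c is discarded before the tag is even looked at, and a correct packet with the wrong verification tag is dropped without any response, which is what keeps a blind attacker from resetting or injecting into an association they cannot observe. The length checks on chunks and parameters are the kind of thing every SCTP stack has to get right, since both fields come straight off the wire.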

Tuesday, February 08, 2005

10 Computer Security Laws

I have recently begun reading posts from crime-research.org, and read an article this morning that discussed 10 constants in the IT security field (Microsoft's "Ten Immutable Laws of Security"). The ideas presented in this article should be part of the training program of any IT shop, and all system administrators, as well as those who are in charge of them, should be aware of these concepts. The article lists the laws as follows:

  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  • Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site anymore.
  • Law #5: Weak passwords trump strong security.
  • Law #6: A computer is only as secure as the administrator is trustworthy.
  • Law #7: Encrypted data is only as secure as the decryption key.
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
  • Law #9: Absolute anonymity isn't practical, in real life or on the Web.
  • Law #10: Technology is not a panacea.
I highly recommend reading the article located here or the Microsoft article located here.

Wednesday, February 02, 2005

Dial-Up Internet is Terrible!

I have been using a dial-up internet connection for a few days now, and it is terrible. I wonder how many people really don't have broadband internet yet. I have not been without broadband for nearly 8 years and would not go without it unless my home were physically incapable of it. At least I now know that the modem in my laptop is functional.