Category: Security
March 27th, 2008
Saying goodbye to ZDNet
ZDNet blogs has been my online home since 2004. With the help and a lot of guidance from David Berlind, Stephen Howard-Sarin, and David Grober, I was brought in to the world of blogging and journalism. I enjoyed my work and
all the conversations here and I hope you found it informative and entertaining.
As of March 26, 2008, I have to say goodbye to ZDNet because of some corporate restructuring. I have no ill will towards any of my managers and I hold no grudges towards the company. This will be my last and final post on ZDNet so farewell my friends.
March 26th, 2008
55W PC power supply powering the dual-core computer
Most computer builders in the world think I’m nuts for endorsing the use of 330 watt power supplies for a high-end performance computer. Conventional “wisdom” says that anything under 500 watts is inadequate for an enthusiast PC. “My power supply is bigger than your power supply” seems to be a typical mindset for many people but I’ve always had just the opposite desire to say that “my supply is smaller than yours and it works great”. So when I started building mainstream dual-core computers with 220 watt 80 Plus power supplies, people were shocked that I would even consider such a small power supply. But since I was able to build a 50W peak power dual-core computer, why not use an even smaller power supply in the sub-100 watt range?

Pictured above is the open frame, fanless, AC input 55 watt FSP055-50LM power supply from Sparkle Power Inc with an MSRP of $39. Typically when power supplies are this small, people use DC input power supplies with an external AC brick. Not so with this model as it’s an all in one with the standard AC power connector you get on a normal ATX PC power supply. It’s so small that it doesn’t even bother with a fan or metal casing; you have to provide a system-level fan yourself along with the bracing and shielding in your computer chassis. The really nice thing about this solution is that the entire power supply including the AC conversion part is not much bigger than a DC power supply but you don’t need an external brick.

Using this 55W power supply, I took a dual-core Intel E2140 along with the bundled ECS945-GM motherboard I bought for $90 and built a computer with it using default clock speed and voltages. Unfortunately since it was missing a 4-pin power connector for the motherboard, I had to hot-wire a 4-pin CPU power connector from an older power supply to this unit to make it work. That means 2 12-volt yellow cables and 2 black ground cables had to be soldered in to place and taped up. Since these cables are safe for 10 amps each which translates to 120 watts per cable, I’m not even close to overloading the cables.

Once the computer came up, the power consumption at the plug peaked out at 70W, which means the output power is around 52W at 75% efficiency, 3W under the peak output of the power supply. That is cutting it a bit close but it shows the extreme worst case of what this PSU can handle.
In reality, the 55W PSU isn’t practical for a mainstream dual-core computer although it would be more than powerful enough for an Intel D201GLY with Celeron 115, D201GLY2 motherboard with Celeron 120, or the Via low-power ITX platforms. The upcoming Intel Centrino Atom platform with the Atom-Diamondville CPU peaks at around 4W TDP so they’re even easier to power.
The bottom line is that this is a nice little power supply for small embedded solutions but you’ll want to stick with the bigger 80 Plus closed-frame models like the Sparkle SPI220LE 220W or the SPI270LE 270W if you’re building a mainstream PC. Note that the SPI models are 1U power supplies so you’ll either need a very custom case or one that uses 1.75″ thin power supplies.
March 20th, 2008
HDMI survival guide for home theater
There’s a lot of money to be made in the HDMI cabling and switch aftermarket and unfortunately that means a lot of consumers are getting tricked in to paying outrageous prices. I’ve spent quite a bit of time helping my friends set up their home theaters recently and I thought I’d share that knowledge with my readers. If you’re tired of paying high hundreds of dollars for HDMI switches and HDMI cables, read on.
What is HDMI?
HDMI is a high speed digital interface for the transmission of high quality digital audio and digital video. So if you plug your DVD player, your PlayStation 3, your satellite or cable TV box, or even your computer up to a modern HDTV with a single HDMI cable, then the sound and picture will all work. The HDMI plug only has a single small connector so it’s nice and simple. Before HDMI, you had to hook up three separate connectors for just the video and two additional RCA plugs for stereo sound. Instead of the two RCA plugs, you could also use an S/PDIF optical cable for the sound but it still adds a lot of cable complexity and clutter compared to a single HDMI cable.
Why are there different HDMI types?
There are 4 basic versions of HDMI. You have 1.0, 1.1, 1.2, and 1.3 and you can get a quick summary of the capability of each version here. The easy answer is the higher the number, the better. If you’re shopping now, try to stick with the HDMI 1.3 devices if you can.
Do I need monster HDMI cables?
No, HDMI monster cables are simply a monster rip-off. If a cable is HDMI certified, it will by definition offer you a perfect digital signal. Despite the fact that the electrical signals traversing an HDMI cable degrade as a cable gets longer, it will still offer perfect digital transmission so long as the signal loss or distortion is within a certain tolerance. Analog cables might benefit from extra thickness and insulation because there’s not much you can do to fix analog signal loss or distortion other than to amplify and maybe filter the signal a little to mitigate the bad side effects. But when it comes to digital technology, the signal is either all there or it isn’t. There is zero measurable difference in the digital signal quality between the $6 HDMI cable and the $60 monster HDMI cable.
Where do I buy cheap HDMI cables?
There are lots of online vendors that can be found via a quick Google search of “HDMI 1.3 cable”. These cables suppliers have always been reliable in my experience and they’re many times cheaper than the local retailer. Here’s a few examples I compiled.
- 3 foot HDMI 1.3a cable $5
- 15 foot HDMI 1.3a CL2 rated cable $24
- 25 foot HDMI 1.3a CL2 rated cable $42
- 30 foot HDMI 1.3a cable $64 (bought for friend’s project)
- 60 meter (197 feet) HDMI 1.3a CAT5e extender kit $199
February 12th, 2008
Note to readers: Security content moved to Zero Day blog
This is a note to all my readers. All of my future security-related content will be appearing on the ZDNet Zero Day blog instead of here in “Real World IT”. Some of you may have wondered why I haven’t posted any security-related content in a while; that’s because I’ve been posting on Zero Day for quite a number of weeks.
Previous works posted on Zero Day include:
- Vista SP1 still vulnerable to speech recognition ‘analog’ hole
- Even SSL Gmail can get sidejacked
- Is Snopes pushing Adware? Urban legend or fact?
- Don’t assume WPA2 is more secure than WPA
- Ruckus wireless LAN security method solves usability versus security dilemma
- Mac versus Windows vulnerability stats for 2007
Please note that I am NOT abandoning this popular blog; just that I’m joining the popular ZDNet Zero Day security blog with Larry Dignan and future security content will be posted there. Thank you for reading and sharing!
February 6th, 2008
A dozen free & essential apps for Windows
Every time I build a new Windows computer, there are a dozen free and essential applications that I always install for other people. These applications all seem to fill essential functions and they all seem to be well-behaved installers and uninstallers, in other words it won’t crash your computer or drag it down with gunk. Since they’ve served me so well, I thought I’d compile the list here and share them with you. Without spending a dime of your hard earned money on software, you can now make the most of your computer.
Image Gallery: I’ve created a gallery of screen shots of these 12 free Windows tools.
uTorrent - This is the BitTorrent client that is a must have for anyone who wants an effective file sharing application that allows you to download large files. It was developed by a lone old-school programmer Ludvig Strigeus who wrote a BitTorrent client in a few hundred kilobytes (yes, that’s not a typo) which is a real pleasant surprise in this age of bloated Java applications with 100 MB memory footprints. It was bought out by BitTorrent Corporation which raised some concerns among the user base but the client has retained all of its functionality and the new owners have done a good job of maintaining it.
Skype - This is another killer-app for the modern personal computer. If you haven’t already heard of it and installed it, go get it. It’s the first and one of the few VoIP applications on the market that “just works”. Couple it with a good analog microphone or something like the Polycom Communicator and you will be able to send superb wideband audio which is amazing compared to the normal narrow band audio you get on a telephone. If you add Whiteboard Meeting which has a free limited version, you now have a mission critical business collaboration application.
Add a Logitech Quickcam Pro 9000, Quickcam Pro for Notebooks, or Quickcam Orbit AF for as little as $80 for the first two models and you have yourself a very high-quality 640×480 video conferencing solution. Skype’s HQ (High Quality) video conferencing is something you just have to see to believe. The only downside to the HQ mode is that Skype does not support IEEE 1394 camcorders so you have to buy those Logitech webcams if you want the HQ mode. Camcorder support would have allowed much longer zoom for use in the living room but unfortunately they don’t have that feature yet. Also note that you need a minimum of 384 kbps upload to maintain HQ mode.
January 11th, 2008
Lesson from CES: Wait a few months for new gadgets
Updated 12:10PM - If you’re in the market for new gadgets, wait a few months for the new gear shown this year at CES. You’ll see items like the pocket sized Panasonic 3CCD 1080p (24p) camera at the end of this quarter, as with many other items. The last thing you want to do is buy something only to see something better for the same price a month later.
Another product that really caught my eye was the small OLED display on devices like the $350 Samsung NV24HD digital photo camera that also doubles as a 720p digital H.264 video camera. While I didn’t get to examine the photos from the device, I saw the 2.5″ AMOLED and it shined like a jewel with its vivid contrast ratio and wide color gamut. I can’t wait to try one of these things out in photo and video mode. Update: Janice Chen notes that Kodak has a similar model that also shoots 720p for $250. It lacks the AMOLED display but it has a 3.0″ touch screen. The price makes it sound like a great choice if you can do without the more vivid preview display.
Panasonic isn’t about to cede the big screen plasma HDTV market to LCDs without a fight. Its new line of Viera Plasma displays feature true native contrast ratios of 30000:1. These new plasma displays cut power consumption by 30% while raising brightness by 30%. So instead of a 50″ plasma hogging 500 watts of power while displaying white, it now only hogs 350 watts of power in peak mode. These displays will be released around the end of this quarter.
LCDs on the other hand are catching up in the contrast ratio department but they have the advantage of better brightness and lower power consumption especially when dynamic contrast technology is included and in use. All the new large screen LCDs are coming out with 120 Hz capability and inter-frame interpolation.
December 4th, 2007
Firefox vs. Internet Explorer: No real security winner
The rhetoric coming from Microsoft and Mozilla has heated up in recent days on who is doing a better job on web browser security. I’d prefer to frame the debate in terms of who is doing worse than the other because both companies have had lots of security issues with their respective browsers. Both companies have vastly improved since the days of Firefox 1.5 versus Internet Explorer 6.0, but each browser leaves much to be desired when you look at the vulnerabilities that have continued to come out. If each one of these vulnerabilities were a zit on their faces, would they be bragging publicly that they have fewer zits or who pops them quicker?
Microsoft came out and gave a report that showed IE has fewer software flaws than Mozilla Firefox and they want us to believe this is the most important metric. Mozilla hit back saying that time-to-patch is a more important metric. Both of these metrics are important and should be debated publicly so that the user can make informed decisions. However, “time-to-patch” (the time a vulnerability is publicly known until it’s patched) should not be confused with time-vulnerable since that is determined by the length of time a product has been publicly available to the time it becomes patched.
It is true that once a vulnerability is publicly known that this is a more dangerous time since more people know about the vulnerability but we should not assume that the software was “safe” before the vulnerability was known. This is why number of vulnerabilities plays an equally important role in determining the security level of software because it indicates the quality of the auditing done before the software is released to the public. Patching known critical vulnerabilities in a timely manner is important but that should never excuse shoddy code auditing and the converse of that statement is also true. Microsoft patches slower but has better code auditing while Mozilla patches critical vulnerabilities faster but permits more vulnerabilities to get past their auditing process. Clearly each company can learn from the other and each company is failing in overall security.
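To make the difference between the two metrics concrete, here is a small script I’ve added (it is not from the original post or from either vendor) that computes flaw count, time-to-patch and time-vulnerable over constructed vulnerability records for two hypothetical browsers. The products, dates and counts are made up for illustration and are not real CVEs; the point is that a product can win on time-to-patch and still lose on total days its users were exposed.

```python
from datetime import date
from statistics import median

# Constructed records (hypothetical products, not real vulnerabilities).
# Each tuple: (product release date, public disclosure date, patch date).
RECORDS = {
    "BrowserA": [
        (date(2006, 10, 18), date(2007, 1, 15), date(2007, 1, 25)),
        (date(2006, 10, 18), date(2007, 4, 2), date(2007, 4, 9)),
        (date(2006, 10, 18), date(2007, 7, 20), date(2007, 7, 23)),
    ],
    "BrowserB": [
        (date(2006, 10, 24), date(2007, 2, 1), date(2007, 3, 20)),
        (date(2006, 10, 24), date(2007, 6, 5), date(2007, 7, 10)),
    ],
}


def _check(released, disclosed, patched):
    # A record that patches before disclosure, or is disclosed before the
    # product shipped, is a data entry error rather than a metric.
    if not (released <= disclosed <= patched):
        raise ValueError("dates must satisfy released <= disclosed <= patched")


def time_to_patch_days(released, disclosed, patched):
    """Days from public disclosure to patch: the vendor's 'time-to-patch'."""
    _check(released, disclosed, patched)
    return (patched - disclosed).days


def time_vulnerable_days(released, disclosed, patched):
    """Days the shipped product carried the flaw: from release to patch.

    This is the 'time-vulnerable' the post distinguishes from time-to-patch;
    the bug was exploitable (to anyone who found it) long before disclosure.
    """
    _check(released, disclosed, patched)
    return (patched - released).days


def summarize(records):
    """Per-product flaw count, median time-to-patch, median and total time-vulnerable."""
    summary = {}
    for product, recs in records.items():
        ttp = [time_to_patch_days(*r) for r in recs]
        tv = [time_vulnerable_days(*r) for r in recs]
        summary[product] = {
            "flaw_count": len(recs),
            "median_time_to_patch": median(ttp),
            "median_time_vulnerable": median(tv),
            "total_exposure_days": sum(tv),
        }
    return summary


if __name__ == "__main__":
    for product, stats in summarize(RECORDS).items():
        print(product, stats)
```

In the constructed data BrowserA has a median time-to-patch of 7 days against BrowserB’s 41, so it “wins” the metric Mozilla prefers; but it shipped three flaws instead of two, and its users were exposed for 550 product-days against 406. Neither number alone tells you which product was safer to run.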
One other issue that has come up in this spat is Mozilla’s Mike Shaver who says flaw count is misleading since Microsoft hides patches in service packs. That’s a really silly argument since there hasn’t been a Microsoft Windows desktop OS service pack since 2004 with the release of Windows XP SP2 and all the comparisons that have been made are post SP2. All the other talk of silent fixes are light on actual details and it’s awfully hard to make changes to a browser without the public knowing about it and Microsoft would get skinned alive if they made a change to a product without informing their customers about it. No one to my knowledge has given a specific example of how Microsoft Internet Explorer 7 has had any silent or bundled fixes yet so we can’t really factor this in until someone shows an example. Furthermore, the difference in flaw count isn’t some small margin that can easily be explained away by bundled or silent fixes, the gap is almost a 2 to 1 ratio between Firefox 2.0 and IE7.
November 19th, 2007
Is it ethical to turn on wireless security for an open access point?
One of my readers sent me the following question and I thought it posed an interesting question on ethics. I’ll post his email and then I’ll answer his questions.
I helped a friend move, and re-established her wireless network working with a new ISP. While working, I encountered 7 wireless networks (in addition to hers), 3 of which were wide open, 2 were SSID belkin and one called linksys, etc. It was the same old problem, they plugged the router in, said “hey we’re connected” and that was it. I want your opinion on this.
I connected to each one, then using 192.168.2.1, 192.168.0.1, etc, I connected to their wide open routers, then changed the network to be WPA-PSK and made the passphrase “Secure your network, you are totally unsecure”. I did not change the router password.
Worst case, I figure geek squad will be called, but maybe, they call their router helpdesk, and learn something. I still think pressure needs to be brought to bear on router providers to default to WPA-PSK, the last “wizard I ran” never even touched on securing the link.
I have little doubt that what I did was illegal, the same way it is illegal to open someone’s car door and turn off their lights, but was what I did wrong?
Besides the fact that what you did was illegal and would get you arrested if you were ever caught, turning off someone’s car lights doesn’t cost the owner a penny but saves them a bundle by saving their car battery. But if the victim of your “good deed” needs to call Geek Squad to come and fix their router, they’re out a hundred dollars or whatever the going rate is for tech support. In many cases I think the user will simply call tech support and find out that WPA-PSK was enabled, but there are people who will suffer economic damage. Perhaps if you dropped an envelope with a letter explaining what happened with instructions on how to configure WPA-PSK for Windows or Mac, then the user won’t have to suffer agitation or a Geek Squad bill.
Using a random 10-character alpha-numeric upper/lower pass-phrase would be better, since your pass-phrase would otherwise be known by everyone, though the owner should be scared enough to learn how to change it themselves. Changing the SSID would also be a good idea. That has nothing to do with security but it does prevent accidental connections between neighbors. Changing the router default password is as important as enabling wireless LAN security. Of course all these changes would have to be in the letter.
There have been proof of concept browser scripts that can go into your router using the default password and change the router configuration. Criminals simply need to change the DNS server on your router and redirect all of your DNS requests through proxy servers that can harvest all of your browser sessions and snoop on all of your communications. This would be even worse than a PC rootkit because it hijacks every computer on the network and you can’t clean it off the computer because it’s on the router.
Again I reiterate that breaking in to someone’s router (even if it’s to lock down their network) is ILLEGAL and you need to ask yourself if it’s worth the risk of going to prison. But if you want to continue doing this, please consider the potential economic impact to the owner of the wireless network and at least drop a letter in their mailbox explaining how to fix it. While I admit the damage is far lower than getting hacked by a real criminal, the law isn’t going to see it that way. Personally I wouldn’t be caught dead doing this because I have nothing to gain and everything to lose.
Update 12:45PM - It seems the readers have spoken in the talkback and they are pretty much universally against changing someone’s wireless settings. I personally don’t view it as negatively since I believe the dangers of leaving it open are greater, but I do think it falls on the side of unethical. Changing the Wi-Fi settings will break things for the user and may cause them some real economic damage, so the ethics of changing the Wi-Fi security is very questionable. I think changing the password on the router so that the person doesn’t get hijacked by someone malicious wouldn’t be unethical since that doesn’t really break day-to-day operations like changing the Wi-Fi security settings does. I’ll add a poll to see what all of you think.
October 16th, 2007
$60 router + DD-WRT = high-end wireless router and switch
Getting a high-powered wireless router with some high-end features is a lot cheaper than most people think. In fact it doesn’t cost any more than a regular router needed to connect to the Internet which allows the sharing of IP addresses between multiple clients. With the addition of DD-WRT, you can turn a cheap commodity router in to a high-end wireless router and switch. With the addition of a high-powered antenna located high up in the air which amplifies the send and receive capability of the wireless access point, anyone can set up their own wireless hotspot service with a massive coverage area.
Pictured to the left is the Buffalo WHR-HP-G54 router that sells for as little as $60 at all the local electronics stores like Circuit City, Best Buy, and Fry’s or it can be ordered online. The WHR-G54 sells for as little as $50 and is virtually identical except for the fact that the WHR-HP-G54 has a receive side amplifier which helps the router hear faint laptops coming in on long-range connections. Both routers come with an RP-SMA antenna connector for external antennas which makes this router extremely flexible for wireless ISP and long-range bridging applications. The WHR-HP-G54 also comes with a wall mounting bracket so that you can mount the device up high.
This particular router can run DD-WRT using this specific upgrade procedure. DD-WRT can turn this cheap device in to an enterprise class product with enterprise features normally found in devices costing hundreds of dollars more. Things you often don’t get on your consumer routers are features like VLAN (Virtual LAN) support on the switch, Enterprise Wireless LAN security support, QoS (prioritization), site-to-site VPN tunneling and VPN servers, Hotspot, and advanced routing features like OSPF and BGP. You can see a full gallery here with all the important features of DD-WRT.
[Update 10/17/2007 - Readers have commented that the OpenVPN function is very nice too. I'll also be looking at adding FreeRADIUS to this device and will follow up on it.]
October 4th, 2007
Are thin clients the solution to all your security woes?
Our UNIX/Linux blogger Paul Murphy posted an interesting link to an article entitled: Information Security: 7 Data Leaks you can’t Ignore written by Matt Roedell. Unfortunately, I think Paul missed the point of it by attributing the issue to “Wintel infrastructure” and claiming the solution is to go thin client with Sun Rays. Security unfortunately isn’t so simple that it can be fixed with any single product, and most of the risk vectors have nothing to do with whether you use Windows or Intel products. The cure-all solution in the security industry is one of the most ubiquitous forms of snake oil and there simply is no such thing. Let’s take a look at these vectors for data leakage.
Data leakage via removable media:
Under #1 and #2, Roedell listed USB mass storage devices and Optical drives. I’m going to lump these two things together and add floppy drives to the list. Roedell put a $0 price tag on Optical Drives because those can be disabled via Microsoft’s Active Directory Group Policy but he put a $50K price tag on 300 licenses. I’m going to set that to $0 because USB mass storage devices can also be disabled via group policy by importing this ADM file. Floppy drives can also be disabled via Group Policy not to mention the fact that we don’t have to put floppy drives and optical drives in to the computers in the first place.
Stolen laptops:
Laptop security is a huge pain point, but it’s something you’re going to have to deal with when you have mobile workers. It would certainly be a lot easier on IT if there were no laptops, but companies are not going back to the dumb terminal and mainframe days. Until there is fast, inexpensive, reliable, and universal wireless connectivity, data will have to be stored on the laptop for offline access. As long as data sits on the laptop, I don’t care what operating system you use you’re going to have to use reliable encryption software with reliable key management technology. Government regulators will not care if you tell them you lost a MacBook or Linux-based laptop with sensitive data on it.
EFS folder-level encryption comes free with Windows XP but that only works if you don’t give the user admin rights (a good idea if you can get management to sign off on it) and encrypt all the user folders with an automated policy. Vista Enterprise Edition and Ultimate Edition comes with Bitlocker and EFS. There are companies that sell add-on products both with software only or software/hardware solutions. There are even hard drives from companies like Seagate that have encryption technology built in to the firmware. Whether that’s $200 per station or less, that is the cost of running laptops and it isn’t IT’s job to tell the business what they need and what they don’t need. The business tells IT what they need to do their job and it’s IT’s job to solve the problem.
Stolen data from backup media:
I don’t care what OS you use or computing model you use, you will have data one way or another and it will have to be backed up and stored off site for safe keeping. Thin clients or Sun Ray clients won’t change any of this. Encrypting the tape media doesn’t cost “$800 per server” if you’re doing the encryption transparently on the backup server.
Leakage via Internet Web Access:
I don’t care what OS or computing model you use if you allow web access. Unless you block all Internet access, you’re going to have to deal with information leakage over the web. There are no foolproof solutions for this and the most you can do is due diligence by implementing the proper check points and user policies. Scanning everything only covers unencrypted traffic or traffic you can decrypt, and policies are only good if people follow them. We can take it a step further with rights management software such as Active Directory Rights Management Services which blocks users from performing actions that might compromise data. User policies and software can help keep users from making honest mistakes but a determined leaker will find a way to leak data even if they have to use the analog hole and take photographs of the monitor. The human aspect of security is the hardest challenge of all.
Layer 2 access switch port security:
This is one of those aspects of security that most companies and organizations fail to implement even though many already have all the hardware and software in place. They should look at my comprehensive guide on locking down Layer 2 security.
Security vulnerabilities:
Again as with everything else, it doesn’t matter what OS or computing model you use, you’re going to have to deal with security vulnerabilities. This affects every hardware and software vendor on the planet. Most people only hear about Microsoft vulnerabilities but they’re currently one of the better companies in the computer industry when it comes to auditing their own code. Their vulnerabilities affect the most number of people because they’re used by the most number of people but the statistical occurrence of software flaws is relatively low.
Are thin clients the solution?
There certainly is some merit in the security implications of thin clients; but there’s also a lot of merit in handing people electric typewriters or VT100 terminal emulators from a security and maintenance point of view. Now I am not saying that a modern Sun Ray or thin client device is equivalent to a typewriter or text based computer terminal, just that people do associate thin clients in general with fewer features and a “demotion”. I’ve met a lot of people who think that thin clients are just wonderful until you want to take away their computer and give them a thin client. Thin clients are generally associated with data entry tasks and not office productivity. It’s not that you can’t do those tasks with modern thin clients, it’s just that it doesn’t work the way people have grown accustomed to, with the flexibility afforded to them by the modern personal computer. Until businesses clamor for the days of the mainframe and thin clients, it won’t happen any time soon.
September 28th, 2007
More facts and less hysteria on Vista, please!
In the latest round of hysteria to be written about Windows Vista, Don Reisinger regurgitates the usual hysteria about Windows Vista mixed in with a pinch of facts here and there. Don spouts off the usual nonsense about sales, UAC, and even DRM. Despite the fact that bashing Vista is quite the popular sport these days, I’m going to see if I can set him straight with an honest and factual assessment of Windows Vista.
Are Vista sales really poor?
Everyone knows that Windows Vista retail box sales are poor, but does that matter when Microsoft relies overwhelmingly on sales to OEM PC makers? If you focus only on the retail box sales, you’re missing the real picture because Vista has sold more than 60 million licenses and ~78% of those sales are Vista Premium edition. Don complains about Windows Vista Ultimate edition and I actually agree with him that it’s overpriced and under delivers but Microsoft doesn’t need to “save itself” if Vista Ultimate fails, more like an “oh well”.
Does it matter if a few people revert to XP?
Even if a whopping 20% of computer buyers downgrade and revert to Windows XP for whatever reason, that still leaves 80% who stay with Windows Vista. That means hardware makers and ISVs (Independent Software Vendors) have to deal with Windows Vista now or later whether they like it or not if they want to stay in business. The fact that 60 million copies were sold in the first 6 months since launch pretty much confirms Vista will become the dominant OS by default.
How about Vista drivers?
There’s no question about it, a fair number of Vista drivers during the first 2 months stunk badly. Vista implements a brand new driver model which offers a little more separation between the driver and the kernel so that a bad driver is less likely to crash the entire system. The price for this is that there is a brand new learning curve and it took a few months for the hardware companies to get it right. For the most part, everything is working well but there are still some older devices that don’t have drivers and will never get drivers for Windows Vista, and much of that is because the hardware vendors want you to buy new hardware.
Is it fair to expect a hardware company to write drivers for a 3+ year old device? Probably not. Is it fair to expect users to buy new hardware because they can’t get Vista drivers for a one year old device? Definitely no! Reputable hardware companies that want to keep customer loyalty will go back as far as they can to create drivers for older hardware. Was it Microsoft’s fault that the drivers didn’t work well at first? Technically no but that isn’t going to matter to consumers and they’ll take their anger out on Microsoft and the hardware maker. Fortunately, the driver situation has stabilized but it’s always good to check for drivers before you upgrade a computer to Vista and before you buy a piece of hardware.
How about application compatibility in Windows Vista?
There’s no question about it, applications will break in Vista and it’s probably the #1 reason some people are reverting back to Windows XP. This is primarily due to the fact that many applications never followed Windows development guidelines set since 2000. One of the worst offenders is Intuit which refused to properly write QuickBooks right up to the 2006 version. Intuit never followed Windows development guidelines that have existed since Windows 2000 and XP for Windows logo certification and they - like many other software makers - used Vista as an opportunity to sell a new version of QuickBooks 2007. If you bought QuickBooks 2006 or earlier, you were out of luck and it wouldn’t run on your new computer and you had to buy QuickBooks 2007.
Microsoft asked developers for 7 years to clean up their act but drew the line in the sand with Windows Vista which comes with UAC (User Access Control) on by default. That finally forced vendors like Intuit to properly code their application and not violate security best practices. If UAC does nothing else and even if people turn it off, it has had the desired effect of cleaning up the Windows development community.
Vista and Internet Explorer 7 also break a lot of applications in the name of drawing a line in the sand for security. Microsoft will get criticized for not getting rid of things like ActiveX, but they'll also get criticized for breaking dangerous coding techniques, and the vast majority of ActiveX controls have been disabled in Windows Vista by default. There are still plenty of web applications that don't work inside Windows Vista and Internet Explorer 7, and vendors like Kodak will try to drag their feet, but they will have to deal with it sooner or later unless they want to alienate the 60 million (since summer) and growing Vista user base. My colleague David Berlind questions why Microsoft needs to break so many legacy applications, and the answer is security. It's a known fact that until something is hard broken, no one will change anything. Is this going to be painful? Certainly. But it has to be done if we want a more secure computing environment.
September 27th, 2007
Nike fixes e-commerce site by implementing HTTPS
After weeks of emails bouncing back and forth between me and Nike representatives about the lack of HTTPS SSL security on Nike.com, I finally got an email yesterday that Nike has fixed the problem. I was first made aware of the issue by fellow blogger David Berlind’s post on Nike’s e-commerce failing to implement HTTPS which makes it impossible for shoppers to know if they’re looking at the real Nike.com or if they’re feeding their credit card information to a criminal posing as Nike.com.
There was a similar case with a large number of American banks that did the same thing and failed to implement HTTPS for their online banking sites, and most of the banks silently fixed the issue after a few months without informing anyone that anything was wrong in the first place. I wasn't sure if I was getting through to Nike and I was just about to write a blog exposing the situation when I got the email explaining that Nike fixed the problem after some internal meetings and tests to verify nothing would break with their Flash-based e-commerce site. Now when you go to Nike.com, pick out what you want and hit the checkout button, you'll be redirected to an HTTPS site before you are asked to enter your credit card information.
There was some initial concern that this couldn't be done while maintaining the session, so I was going to suggest encrypting the entire shopping session since encryption is basically free (from a hardware standpoint) these days, but that wasn't necessary. I am happy with Nike's overall responsiveness to my complaints and I hope every online site learns from this incident and does not make the same mistake again.
September 13th, 2007
Why the ban on mandatory RFID implants should be Federal
The California legislature recently banned employers from mandating RFID (Radio Frequency Identification) implants for their employees. While I'm glad I'm covered in my state, why isn't this ban being implemented at the Federal level to cover every citizen? I'm not suggesting that we ban the devices; I'm suggesting that no one should be forced to stick one of these in their body just to get a job. I've covered the issue of RFID many times before and I'm not fundamentally opposed to RFID technology or RFID implants, but I do oppose the idea that anyone should be forced to implant one in their body, and it would be just as offensive if my employer asked me to tattoo a bar code on to my forehead.
Verichip RFID implants are worthless from a security standpoint because they're essentially passing clear text data over the radio waves and they can easily be cloned. If one is cloned, you'll have to go under the knife to get a new one unless the chip is reprogrammable. Even if Verichip stopped using clear text authentication and switched to strong NSA Suite B grade crypto, I wouldn't want it inside my body. Is any material item in this world worth life or limb? If someone wants my access device and password at the point of a gun, I'd give it to them. I don't want them to have to cut it out of my body.
Last summer there were some issues raised about the privacy and safety of RFID enabled passports. While the scenarios were arguably remote and the privacy concerns overblown because someone can copy the same information from a regular passport, there is no reason to have the RFID in the passport since an optical or contact based system would have the same effectiveness. RFID in the traditional sense gives you more flexibility and convenience because of its long wireless range but the usable range for RFID passports is literally a few millimeters away. RFID in the Passport implementation is effectively a contact based solution that has none of the flexibility but all of the security liabilities of a wireless solution.
What about the argument that we need RFID implants for our children? I have two kids and I can tell you that RFID isn't going to make me feel any better. First of all, that RFID implant isn't going to be a "LoJack" device for children, and you're not going to be able to track them down if they're abducted unless you're within a few feet of the child. Second, having the RFID implant might mean the abductor cuts it out of your child to remove the implant. I might consider an external device hidden in a watch or something that has an active transmitter with some effective range, but implants are simply out of the question.
As critical of RFID as I am, I’m not so sure why some people are so anti-RFID that they don’t even want the devices to exist in the first place. RFID implants can make sense in medical areas. If it makes it easier for emergency workers to identify a patient’s special needs, that’s great so long as the consumer gets to voluntarily place it in their own body. There’s also new technology being developed for diabetics where the RFID sensor can wirelessly report glucose levels without you having to prick your finger every day. RFID inventory tracking and logistics can simplify and automate many things so we must distinguish between good RFID devices and bad ones.
August 20th, 2007
Why watermarking is a bigger devil than DRM
There's been much news lately about the record industry getting ready to give up on DRM. DRM (Digital Rights Management, or as some call it, Digital Restrictions Management) is a form of copy protection that protects the rights of content owners and restricts what customers can do with their purchases, and it's probably one of the most hated technologies in the consumer world. That hatred doesn't necessarily stem from a fundamental opposition to copy protection; it's because DRM impinges on the consumer's right to fair use. So when news came that record companies are looking at dumping DRM, consumers cheered. But we might be celebrating a bit early because the record companies are sneaking in a bigger devil in the form of watermarking. This was confirmed by Wired Listening Post.
You can say a lot of bad things about DRM, but one thing it didn’t do was ruin the quality of the content. Watermarking advocates will tell you that their technology is “inaudible” or “invisible” to the human ears or eyes, but that’s fundamentally impossible if the watermarking is to be effective. If the watermarking was truly inaudible, then it can be removed through analog filtering without affecting the quality of the image or audio. Since that would make the watermarking useless, it usually is visible or audible which means you’ve irreparably changed the content. It’s bad enough that downloaded music and video are worse than audio CDs or DVDs (even so-called HD video downloads are worse than DVD quality) because the bitrates are too low, but mucking it up with watermarking is just too much to bear.
One other potential usage of watermarking is user tracking. A. L. Friedman (writer for Contentinople) says that there will be no user tracking. That may very well be the case initially since music would have to be individually encoded for each customer, but it doesn’t rule it out in the future. Friedman noted that some of these fears are rooted in Apple’s embedding of the buyer’s name in the DRM-free music from EMI. The justification for these watermarks which are unique to each track but not unique to the user is to track which songs are being pirated on peer-to-peer networks like BitTorrent and how often they’re traded. But if that’s all they want to do, then it would be just as easy to leave the watermark out of the track and simply track the hash of the file.
Quick definition of hash: A hash is a number created by a hash function from a data file. This number is effectively a digest of the original file that can be used as a digital fingerprint for identification or integrity checking purposes. Hashes generated from quality hash functions like SHA-256 are for all intents and purposes unique. Hashes aren’t truly unique, but they’re unique enough that the odds of finding a different file that generates the same hash are astronomical. A good hash function is resilient enough that even the best crypto researchers in the world can’t find two files with the same hash.
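As an added example (not code from the original post), here is what "tracking the hash of the file" looks like in practice: a release catalogue keyed by SHA-256 fingerprint, a lookup of a copy seen in the wild, and a demonstration that a single changed bit yields an unrelated digest. Every "track" is constructed pseudo-random data; no real audio is involved.

```python
"""Added example (not code from the original post): identifying tracks by
SHA-256 fingerprint, as the paragraph above proposes, instead of watermarking.
Every "track" below is constructed pseudo-random data; no real audio is used.
"""
from __future__ import annotations

import hashlib
import random


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of `data` as a 64-character hex string."""
    return hashlib.sha256(data).hexdigest()


def build_catalogue(tracks: dict[str, bytes]) -> dict[str, str]:
    """Map fingerprint -> track name.

    This is what a label could record at release time: the digest identifies
    the exact file without touching a single audio sample.
    """
    return {sha256_hex(data): name for name, data in tracks.items()}


def identify(catalogue: dict[str, str], candidate: bytes) -> str | None:
    """Name of the catalogue entry whose bytes match `candidate`, else None."""
    return catalogue.get(sha256_hex(candidate))


def flip_one_bit(data: bytes, byte_index: int) -> bytes:
    """Return a copy of `data` with the lowest bit of one byte flipped."""
    altered = bytearray(data)
    altered[byte_index] ^= 0x01
    return bytes(altered)


def digest_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two same-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def constructed_track(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for a downloaded track (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed "release catalogue": three made-up track names.
TRACKS = {
    "track-a": constructed_track(1),
    "track-b": constructed_track(2),
    "track-c": constructed_track(3),
}
CATALOGUE = build_catalogue(TRACKS)


def demo() -> dict[str, object]:
    """Run the fingerprint checks and return the results for inspection."""
    original = TRACKS["track-b"]
    altered = flip_one_bit(original, len(original) // 2)
    return {
        # A byte-identical copy seen on a P2P network is recognised...
        "exact_copy": identify(CATALOGUE, bytes(original)),
        # ...but a copy differing in a single bit is not: the digest is a
        # fingerprint of the exact bytes, not of how the audio sounds.
        "one_bit_changed": identify(CATALOGUE, altered),
        # Roughly half of the 256 digest bits change (the avalanche effect),
        # so a near-miss cannot be guessed from the original's digest.
        "bits_changed": digest_bit_distance(sha256_hex(original),
                                            sha256_hex(altered)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flip side a practitioner should note is that the fingerprint only matches byte-identical copies; a re-encoded copy has a different digest.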
While I don’t particularly care for DRM, I’ll put up with it like most consumers. I’m not even so sure I have a problem with my name being embedded in the music file since it doesn’t restrict me from doing legal things with my content so long as the record companies have to prove I uploaded it illegally and that it wasn’t merely a case of theft. But I definitely have a problem with my music being polluted with watermarks no matter how supposedly inaudible they are.
[Update 3:05PM - There's some debate as to whether watermarking causes perceptible noise or not and I think that misses the whole point. If it's not perceptible, then it can be stripped out and watermarking is pointless. If it is perceptible then I don't want it. But the most compelling argument against this entire watermarking scheme is that all it takes is a single stolen credit card buying a bunch of songs and uploading it to break the entire scheme. The whole scheme is pointless.]
August 17th, 2007
Skype still down - Published DoS exploit may be culprit
[UPDATE 8/18/2007 - Another Russian site is claiming this was a DoS attack against Skype's authentication servers. Skype continues to deny.]
It's been a day and Skype is still down for me. The task tray Skype logo never turns green for me and it keeps trying to connect. The service was intermittently up on Thursday afternoon Pacific Standard Time but it is hard down now.
Valery Marchuk of SecurityLab.ru may have an explanation for this world wide outage for Skype. Marchuk posted the following message on the full disclosure mailing list:
Valery Marchuk: On SecurityLab.ru forum an exploit code was published by an anonymous user. Reportedly it must have caused Skype massive disconnections today.
The PoC uses standard Skype client to call to a specific number. This call causes denial of service of current Skype server and forces Skype to reconnect to another server. The new server also “freezes” and so on … the entire network.
Marchuk posted a link to the PoC (Proof of Concept) code for the exploit which I’ve left out. If this is true, this sounds like the kind of low-cost non-brute force DoS (Denial of Service) attack that can bring down an entire service. Since Skype is still down, this may be a very plausible explanation.
Skype is denying this is some kind of attack and posted the following note:
Hello everyone,
Apologies for the delay, but we can now update you on the Skype sign-on issue. As we continue to work hard at resolving the problem, we wanted to dispel some of the concerns that you may have. The Skype system has not crashed or been victim of a cyber attack. We love our customers too much to let that happen. This problem occurred because of a deficiency in an algorithm within Skype networking software. This controls the interaction between the user’s own Skype client and the rest of the Skype network.
Rest assured that everyone at Skype is working around the clock — from Tallinn to Luxembourg to San Jose — to resume normal service as quickly as possible.
August 6th, 2007
How to protect your online privacy
If you want to avoid being compromised when using typical Wi-Fi hotspots that have no security, you can use the following table as a reference of protocols you should and shouldn’t use. The insecure protocols should be banned and never used again; the protocols on the right are the secure alternatives. Anyone who doubts this is a problem should look at the DEFCON Wall of Sheep.
Note that in order to use these secure protocols properly, only Digital Certificates that are signed by publicly trusted Certificate Authorities like VeriSign, Entrust, GeoTrust, or GoDaddy should be used on the server side. Here's a tutorial on how to acquire, purchase, and install a Certificate on your Server for less than $20 a year. The use of expired or self-signed Certificates is forbidden because it forces and conditions the user into ignoring Certificate warnings, which is extremely dangerous. Clients don't usually require Digital Certificates and they just need to be configured to point to the secure services.
| Insecure protocols (BAN usage) | Secure protocols |
|---|---|
| HTTP | HTTPS with SSL |
| POP (TCP: 110) | POP with SSL (TCP: 995) |
| IMAP (TCP: 143) | IMAP with SSL (TCP: 993) |
| SMTP (TCP: 25) | SMTP with SSL (TCP: 465) |
| FTP | FTPS or SFTP **** |
| Telnet | SSH *** |
| PPTP VPN | PPTP over SSTP VPN |
| ICQ | IM client configured for SSL |
| | Skype (Proprietary PKI) |
| | SSL-VPN, L2TP*, IPSEC** |
| | SSH VPN tunneling *** |
* L2TP requires Server and Client side Digital Certificates.
** IPSEC can use Server and Client side Digital Certificates or pre-shared keys.
*** SSH is not SSL based but is very similar to SSL in principle.
**** FTPS is the SSL version of FTP; SFTP is the SSH-based version of FTP.
Unfortunately this is all probably too complex for the vast majority of users and the infrastructure needs to take a lot more responsibility by blocking the usage of insecure protocols. Services like HTTP can automatically be redirected to HTTPS but very few online services will do this. Google supports HTTPS mode if the user manually types in https://mail.google.com which almost no one does so that really doesn’t help the vast majority of users who don’t know any better.
Almost none of the so-called "Web 2.0" providers care about your online privacy. For example, the following services have zero support for HTTPS and they're all vulnerable to side-jacking.
- Google’s YouTube service
- Google Video
- Google Maps (you want people knowing where you live?)
- Google’s Blogspot
- Microsoft Hotmail
- Yahoo mail
- MySpace
What is going on here? I challenge these online services to start protecting people's privacy and start using HTTPS for everything! [Update 8/8/2007 - Robert Graham of ErrataSec noted that SalesForce.com defaults to SSL mode and even lets companies block non-SSL connections to their own data. I would add that this is to be expected of any corporate Application Service Provider which charges a substantial monthly fee per user. What I'd like to see is every online service, regardless of whether it's a subscription service or an ad-driven service, protecting people's privacy.]
Note: Anyone who tells you SSL and encryption is too expensive is living in the 1990s. Moore’s law has given us 2.4 GHz Quad Core processors from Intel for $280 and there are thousand-dollar encryption off-loaders that can encrypt multiple gigabytes of data per second! I don’t want to hear Google saying they can’t afford a cheap gigabit encryption off-loader for their Gmail service. I’m tired of hearing all the excuses.
As people’s lives become more and more centered around these online services and more and more people start using Wireless networking, this is a disaster waiting to happen. My voice isn’t enough and you the reader need to demand better security from your online service providers. I challenge the big three (Google, Microsoft, and Yahoo) to see who will be the first to provide secure HTTPS services by default. If they want to have an insecure version, let them host that under something like insecure.gmail.com and make people go out of their way to be insecure.
The first ISP that becomes secure-by-default will get my praise. I also want to see which major Hotspot provider or Municipal Wi-Fi service will implement the Secure Wireless LAN hotspot for anonymous users. Will it be T-Mobile or AT&T? I hope other bloggers, journalists, and editors will all do the same.
August 6th, 2007
DEFCON 2007 - Wall of Sheep (shame)
It’s time to count sheep again and I don’t mean the ones in your sleep. I’m talking about the ones on the Wi-Fi Hotspot that are using insecure protocols and getting their online accounts compromised. What you’re looking at below is the DEFCON 15 Wall of Sheep.

What do I mean by compromised? Usually that means usernames and passwords are being transmitted in the clear for anyone to see, or it means your account can be hijacked such that an attacker can get into your account anytime they want after they copy your online Web session. In the above screen shot, a VERY large number of Gmail accounts that failed to use secure HTTPS (https://mail.google.com) were hijacked. This is despite the fact that they logged in using HTTPS, because Gmail by default automatically kicks you back into HTTP mode.
The Wall of Sheep team hunts down the sheep in their command bunker

Robert Graham and David Maynor side-jacking sheep with Hamster

Learn how to protect your online privacy here.
August 3rd, 2007
Undercover NBC Dateline reporter bolts from DEFCON 2007
Undercover reporter Michelle Madigan (Associate Producer of NBC Dateline) got a little more than she bargained for when she tried to sneak into DEFCON 2007 with hidden cameras to get someone to confess to a felony. When DEFCON staff announced the "spot the undercover reporter" game and told the audience that an undercover reporter was taking video to catch someone confessing to a hacking crime, Madigan bolted from the conference premises followed by a pack of ~150 DEFCON attendees and reporters trying to photograph and videotape her. DEFCON officials never got the chance to bring Madigan on stage to offer her a press badge so that she could cover the rest of the event above board.
DEFCON organizers caught wind of this from undisclosed sources and casually contacted Madigan to see if she wanted official press credentials and a press badge to cover DEFCON. Reporters in the pressroom were then fully briefed on the situation before the “spot the undercover reporter game” so that they could cover the event.
According to senior DEFCON official "Priest", who works for the Government in his day job, Madigan declined press credentials on four separate occasions (twice on the phone and twice at DEFCON). Madigan proceeded to register as a regular DEFCON attendee and even told a DEFCON staffer that she was going to the bathroom to get her hidden camera ready. When a DEFCON goon (staffer) explained to Madigan that secret videotaping wasn't allowed, Madigan, not knowing she was speaking to a goon, replied that she didn't think it was a problem. The staffer then followed Madigan around and watched her as she panned her hidden camera around the entire "Capture the Flag" room to get unauthorized video of the members.
Madigan was apparently trying to do a shock piece for NBC Dateline to show middle America how criminal underground hackers had descended on DEFCON Las Vegas to learn tricks of the trade and how Federal Agents were tracking them down. When a DEFCON staffer posing as a regular attendee spoke to Madigan, Madigan commented that people in Kansas (a reference to middle America) would be very interested in what was "really" going on in DEFCON. DEFCON official "Priest" also had reason to believe that Madigan was planning to out undercover federal agents attending DEFCON and expressed serious concern about the safety and privacy of those agents. Because of this, staffers lured Madigan to the room where they planned to out her in front of DEFCON attendees in the "spot the undercover reporter" game, but Madigan bolted from the scene before her photo was put up on the projector.
The sad part of this story is that Madigan was given every opportunity to get a press pass and get access to any of the speakers and attendees above board. Even after the secret videotaping she was offered a chance to cover the rest of the conference with an official press badge. This is my second year covering DEFCON and I've never had any problems getting photos or video from willing attendees and speakers, but that's not what Madigan was going after. She wanted to paint a picture that would shock "people in Kansas" about DEFCON, and that's not what DEFCON is about. The Feds, press, and hacker community have built up a level of mutual trust at DEFCON so that we have a place to talk openly and honestly. After taking an unofficial poll in the press room here, not one person appreciated Madigan's antics.
August 2nd, 2007
Hamster plus Hotspot equals Web 2.0 meltdown!
Robert Graham (CEO, Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone's Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot and his Gmail account just popped up on the large projection screen for 500 or so audience members to see. Of course, had the poor chap read my blog about email security last week he might have avoided this embarrassment. But for the vast majority of people using Gmail or any other browser or "Web 2.0" application, they're all just a bunch of sheep waiting to be jacked by Graham's latest exploit.
I caught up with Graham after the show and we went over more of the details of this Web hijacking exploit. First he captures the Wi-Fi signals using his laptop and a tool called Ferret which he wrote earlier this year. The tool grabs Cookies and Session IDs from your Web Browser session sent over the air and stores it.
Next, Graham fires up his new tool called Hamster (which he will post within the next week) which will process those Session IDs and Cookies so that they’re ready to clone.
Captured Session IDs and Cookies

Hamster hosts a local proxy server that allows point-n-click hijacking

The attacker can then go to his local Hamster proxy server to clone other people's Web identities and hijack their Web accounts.
Once the identity is cloned, the attacker is able to jump on to online services like Gmail masquerading as the victim with full access to read and send email on behalf of the victim. Furthermore, the attacker can go to maps.google.com and find the victim's personal information like home address if it's saved into Google Maps.
I volunteered to set up an account on Gmail called “GetMeHacked” and allowed Graham to perform the attack. I then got a test email to Humphrey Cheung (Sr. Editor TGDaily) who was also watching the attack. Cheung posted his story here.

Before I knew it, I got hijacked and Graham sent an email on behalf of me.

What makes this even scarier is that Graham can go back into my Gmail account for at least several more days using the same hijacked Session ID and Cookies. In fact he doesn't even need to perform the hijacking immediately because he can record all the Wi-Fi Hotspot data and process it with Hamster at any time before the Cookies expire. In one fell swoop the attacker can steal the identities of every Wi-Fi Hotspot user within a few hundred feet, or a lot more if a larger antenna is used.
If you weren't already scared of using public Wi-Fi Hotspots before, this should drive the point home. Graham even mentioned the dangers of Municipal Wi-Fi and the use of Anonymous Secure Hotspots to solve this problem, which I wrote about a few weeks ago. For the time being however, there isn't much that can be done on the vast majority of Web 2.0 services. Gmail fortunately allows the user to manually force SSL mode, which would solve this problem, but unfortunately they don't turn it on automatically for all users, so the vast majority of users are wide open to session hijacking. For now, a user's only effective solution is to use some sort of VPN gateway to encrypt all of their data, but most people won't do that. Tools like Hamster and Ferret will hopefully raise awareness and get the public to demand more secure Hotspots and SSL-enabled online services.
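As an added example (not the post's code and not Graham's tools), here is the defender-side audit that finds the exact mistake described in this post and in "How to protect your online privacy" above: a session cookie issued over HTTPS that the site then sends back over cleartext HTTP, or that was never marked Secure in the first place. The traffic in EXAMPLE_TRAFFIC is constructed (made-up hosts, cookie names and values); a real audit would build the same records from a proxy log or packet capture of your own users' sessions.

```python
"""Added example, not the post's or Graham's code: a defender-side audit of
web traffic for the mistake Hamster exploits, i.e. a session cookie issued
over HTTPS and then sent back over cleartext HTTP.

Assumptions: the exchanges in EXAMPLE_TRAFFIC are constructed (made-up hosts,
cookie names and values); a real audit would build them from a proxy log or
packet capture of your own users' sessions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Exchange:
    """One request/response pair as seen on the wire."""
    scheme: str                      # "http" or "https"
    host: str
    path: str
    request_cookie: str = ""         # raw Cookie header the client sent
    set_cookies: list[str] = field(default_factory=list)  # raw Set-Cookie headers


@dataclass(frozen=True)
class Finding:
    cookie: str
    host: str
    problem: str


def parse_cookie_header(raw: str) -> dict[str, str]:
    """Split a Cookie header 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (part.strip().split("=", 1) for part in raw.split(";") if "=" in part)
    return {name.strip(): value.strip() for name, value in pairs}


def audit(exchanges: list[Exchange]) -> list[Finding]:
    """Replay the exchanges in order and report side-jackable cookies."""
    findings: list[Finding] = []
    # (host, cookie name) -> (value, scheme it was issued over, Secure flag, Max-Age)
    issued: dict[tuple[str, str], tuple[str, str, bool, str]] = {}
    for ex in exchanges:
        # 1. Cookies the client sends with this request.
        for name, value in parse_cookie_header(ex.request_cookie).items():
            rec = issued.get((ex.host, name))
            if rec and ex.scheme == "http" and rec[0] == value and rec[1] == "https":
                window = f" (replayable for Max-Age={rec[3]}s)" if rec[3] else ""
                findings.append(Finding(name, ex.host,
                    "issued over HTTPS, now sent in cleartext HTTP: anyone on the "
                    "hotspot can copy it and become this user" + window))
        # 2. Cookies the server sets in the response.
        for raw in ex.set_cookies:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                secure = bool(morsel["secure"])
                issued[(ex.host, name)] = (morsel.value, ex.scheme, secure,
                                           morsel["max-age"])
                if ex.scheme == "https" and not secure:
                    findings.append(Finding(name, ex.host,
                        "set over HTTPS without the Secure attribute, so the browser "
                        "will also send it on plain HTTP requests"))
    return findings


# Constructed traffic: a login over HTTPS after which the site drops back to
# HTTP (the Gmail behaviour described above), plus a site that does it right.
EXAMPLE_TRAFFIC = [
    Exchange("https", "mail.example.com", "/login",
             set_cookies=["sess=abc123; Path=/; Max-Age=1209600"]),
    Exchange("http", "mail.example.com", "/inbox", request_cookie="sess=abc123"),
    Exchange("https", "bank.example.com", "/login",
             set_cookies=["auth=zz9; Path=/; Secure"]),
    Exchange("https", "bank.example.com", "/accounts", request_cookie="auth=zz9"),
]


if __name__ == "__main__":
    for f in audit(EXAMPLE_TRAFFIC):
        print(f"{f.host} cookie {f.cookie!r}: {f.problem}")
```

Only the mail site produces findings; the bank site, which sets the cookie with the Secure attribute and keeps the whole session on HTTPS, is clean.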
July 26th, 2007
Confirming the flat-earther's myths doesn't serve anyone
My colleague David Berlind just can’t seem to stop barking up the wrong tree when it comes to email security. In his latest blog, Berlind accuses me of a “reality distortion field” which really isn’t productive. While he has some legitimate complaints - which I’ve complained about too - Berlind is barking up the wrong tree when he should be joining me in my criticism for those individual companies that don’t make it easy for consumers to deploy good security rather than indicting the entire Internet and the protocols that it encompasses. [Update - Awesome and informative response from Ani Shrotri]
David claims there is no interoperable email cryptography standard when in fact we have S/MIME, which has been baked into every reputable email client in the last decade. The fact that Berlind can cite a specific email client that doesn't work with S/MIME is proof that that specific email client needs to be shamed; it's not an indictment of S/MIME. If we applied Berlind's "reality field" logic, we could just throw our hands up on every single protocol on the Internet because we can find rare implementation-specific incompatibilities in every protocol used on the Internet. Heck, there are implementation-specific issues with SMTP and HTML; would David suggest that it's a reality distortion field to dare suggest that SMTP and HTML are universal standards? Is David Berlind suggesting we come up with a better alternative to S/MIME and start the entire adoption process again when we're already 99% of the way there with S/MIME?
David says that secure email from Server to Client is too hard when in fact it’s as easy as a click away. So David’s rebuttal to me is: OH MY GOD the user has to do something to turn it on. What next David? Are you going to complain that you have to strap yourself in with your seat belt to save your life in a car accident? As I recall, it took decades to get people to get in the habit of putting on their seat belts and ultimately it didn’t happen until we started fining people big money (even bigger for children) for not putting on their seat belts. When it comes to enabling SSL on an email client, it’s a ONE TIME SETUP which is even easier than strapping on the seat belt in your car which you have to do every time you get in your car. At least you don’t have to enable SSL for your POP/SMTP mail client every time you launch your email applications.
David then points out that even I admitted Hotmail (and Yahoo) didn’t support encryption on the entire session while Google Gmail did. But why attack me or the state of technology and call it a reality distortion field? What productive purpose does that serve? Why not join me in criticizing Microsoft and Yahoo? Why not join me in criticizing Google for not automatically redirecting to secure SSL mode so that the remaining 99% of Gmail users can benefit? Why not join me in criticizing ISPs for not disabling insecure POP3, SMTP, and IMAP mode?
The other side of the equation is that user perceptions need to be challenged, and we can't just continue perpetuating inaccurate perceptions that security is a "black art" and that it's just too difficult. Furthermore, users bear some of the responsibility for the lack of security because vendors are often punished for mandating security. It's not entirely their fault for shying away from doing the right thing to avoid a beating from certain pundits. Heck, it wasn't long ago that Microsoft absolutely got slaughtered in the media for including a Firewall in Windows XP Service Pack 2, and so much FUD was thrown about that issue that many people to this day are afraid to even try Service Pack 2.
David also incorrectly cited the fact that Gmail doesn’t support S/MIME. But there is an S/MIME plug-in for Firefox for S/MIME signing. Reading digital signatures on the other hand whether that’s a web mail client or a traditional email client doesn’t require any action on the part of the end user. David wants a simple solution where he won’t have to manually sign documents and buy a fax machine and I’ve given him the solution. But again he’s barking up the wrong tree complaining that the technology doesn’t work because the businesses that he deals with won’t accept these solutions and complains “oh but they can’t print out those digital signatures”. But please stop for a moment and think about that statement; why do you even need to print it on paper in the first place when the digital signature is acceptable in court? Since when did the Government mandate that Digital Signatures have to be printable (a technologically impossible feat)?
Berlind's argument is that Digital Signatures don't work because you can't print them out. But this is really a laughable argument even if you ignore the technical reasons. For obvious technical reasons, you can't realistically do Digital Signatures on paper because changing a single white space or capitalization would change the hash. For obvious common sense reasons, there is also no requirement by the Government that Digital Signatures must be accompanied by paper versions, because that would defeat the entire purpose of making Electronic Signatures legal in the first place, which is to get rid of the cumbersome paper process. The NSA has a whole suite of standards that includes a Digital Signature and Hashing standard that's acceptable for Government use, so why shouldn't it be good enough for David Berlind and the companies he deals with? So instead of calling these technologies "black art" and propelling the flat-earther's myths, why don't you join me in saying "there is a better way!"? Think about how retarded it is to require 10 MB digital scans of paper per legal document when a 256 BYTE hash would equally suffice.
So the technology is there and I've done everything I can to lead you to the clean water; now you just have to drink it. There is no tooth fairy and there is no magical pixie dust - which is what David Berlind seems to be asking for - but the technology is mature and deployed. So David Berlind should stop complaining about the technology and tell his business partners to get out of the dark ages. Is that going to be an easy transition, educating people and changing human behavior? Of course not, but you're not helping the situation by tearing down perfectly good technology.
Comment: A few readers are complaining that it’s terrible that we have editors at ZDNet disagreeing with each other and that we should somehow speak with one voice. We view this as a healthy thing that shows the diversity of spirited opinions at ZDNet blogs. We do not “script” these debates out ahead of time. As much as David Berlind and I disagree on this particular topic, we both agree that giving the reader all sides of the debate serves everyone’s best interest. These debates extend to the blogosphere outside of ZDNet and the readers are welcome to chime in on the talkback. We don’t even censor the talkback (short of adult material and vulgar language) and readers are welcome to criticize any of the bloggers here at ZDNet any way they like. This is simply a testament to the fact that ZDNet respects intellectual freedom.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.