March 9th, 2008
Moving on
I travel a lot. It has been almost ten years since I had a job that was based in the same place I live. Whenever I get a call from friends and family the first question I get is “where are you?” People who have known me for years but do not stay in touch have a different question: “What are you doing now?” Other than a four year stint at Gartner I have never had the same employer for more than two years.
Followers of this blog will remember when it moved from the independently hosted ThreatChaos.com to ZDNet two years ago. That was coincident with my departure from Webroot Software, the anti-spyware company. (see Webroot loses voice). Well, it has been a great two years here at ZDNet. The folks at CNET (ZDNet is part of CNET not the troubled ZiffDavis. That still confuses people.) have created the most mature collection of tech blogs on the Internet and I have enjoyed being part of the ZDNet blogging community. But, I think they are pretty well covered on security now with the likes of George Ou, Larry Dignan, and newly joined Nate McFeters.
Time for a change. I have recently stepped down from my position as Chief Marketing Officer with Fortinet, Inc. to pursue yet another start-up opportunity. It will be in the networking and security space. I have been traveling the world lining up the new business and hope to announce it during RSA this year. In the meantime I have moved my blog as well. I am moving to what I think of as the most important publication in the networking arena, NetworkWorld Magazine. On reflection there has been no publication with more influence on my career than NetworkWorld. From Ellen Messmer’s original coverage of my historic visit to the Pentagon to the subsequent addition of my name to the list of 50 Most Powerful People in Networking, to my inaugural column on Checkpoint Software, Network World has been a strong influence on the many twists and turns my professional career has taken.
So, I feel little regret that I am going to lose my hard to achieve ranking at Technorati, or my Google Page Rank, by starting a fresh security blog called Stiennon on Security at Networkworld. Please check the new blog often for continued thoughts and coverage on hacking, cyber crime, cyber warfare, and malfeasance.
UPDATE: Seccom Global, a managed security service provider offering all of the benefits of UTM with out-sourced security has been officially launched.
February 29th, 2008
Judge releases Wikileaks
All it took was a little representation. That is one trouble with the US legal system. You have to show up to defend yourself. The guys at Wikileaks.org were effectively put out of business by aggressive Swiss bankers because they did not show up in court. At a federal appeal today in San Francisco there was plenty of representation from the good guys, including the EFF.
Victory! You will note that the domain name Wikileaks.org now resolves properly.
In transit to Australia. If you are traveling to Canberra, Brisbane, Melbourne, or Sydney next week, drop me a line mate!
Update: Stiennon’s blog has moved to here.
February 29th, 2008
Oil field data loss just common theft
Sighs of relief can be heard coming from Brazil this week as police arrested four men (port security guards) responsible for heisting some computers that had lots of data from the newly discovered mega-oil-patch off the coast of Brazil.
Way back when I was an industry analyst I remember fighting the battle against universities about so-called academic freedom and firewalls. The argument ran that places of higher learning should not erect barriers that would limit access to information. That laughable theory applied to IT security has long since been discredited but the horrifying aspect was that the idea of no-firewalls was also present in major US government agencies such as the US Geological Survey, which is part of the Department of the Interior.
The USGS IT guys proudly told me that they were a research organization made up of scientists who would not abide firewalls. In further discussions they revealed that every oil and gas exploration company was required to store copies of their GIS data with USGS. I found this frankly horrifying because in all my travels I had found that oil and gas companies have the best security of any industry and they recognize the value of their data and go to extraordinary measures to protect it. And here I find that they are all sharing that data in an unsecured repository.
This was in 2002. I am sure that by now the USGS has instituted some protections around that data. They may even have firewalls.
February 27th, 2008
Declan on Wikileaks
The news today is that several free speech advocates are stepping into the fray over Wikileaks. See Declan McCullagh’s coverage. I love his syllogism:
[Shutting down Wikileaks is] like Apple not liking CNET News.com’s scoop a few years ago (which it was) about the switch to Intel microprocessors–and then trying to yank our domain name through a court injunction. Or AT&T trying to get us taken off the Internet after our story about how its lawyers filed an improperly redacted brief in the litigation over National Security Agency surveillance.
Free speech matters. First principles matter. Wikileaks may not be exactly a news organization in the traditional sense, but precedents set in this case could ripple far beyond Judge White’s courtroom in San Francisco.
Could not agree more Declan. I wish I was sticking around the Bay Area but I have a plane to catch to Australia. Would be great to be at that hearing!
February 27th, 2008
Only 8,700 insecure ftp servers?
According to ComputerWorld coverage Finjan is publicizing a source in Hong Kong they have discovered that offers to sell access to hacked ftp servers. The idea is that a malware purveyor or phisher would want ftp access with admin credentials so they can quickly and easily upload their wares to the web sites served by the ftp service.
Larry Dignan thinks this may be the first “Hacking as a Service” example but he is way off. There have been sites in the past that allowed you to execute a “ping of death” against any site, or a ping storm or whatever, just type in the IP or URL and watch what happens. So nothing new there. The “new” is the financial model. Selling access piecemeal. Kind of Hacking 2.0.
The simple warning to administrators: Use ftp over secure shell (SSH) to update your servers. Yes, use the advanced authentication techniques.
Only 8,700 out of 65,000,000 active web servers? That is a good percentage.
February 26th, 2008
You can keep on asking…
But you have to ask the right questions. Two senators have sent a letter to 24 US agencies asking them to report on their progress in data protection. This article at Federal Computer Week highlights the woeful state of security compliance at most US agencies.
This is great. There can be no change without someone asking these types of questions. But what worries me is that adopting policies such as NIST 800-53 is only the very first step towards becoming secure. GAO, and other agencies that are attempting to address the sorry state of security within the US fed should move on to requiring more proactive steps. Things like:
- Every firewall will be set up to deny by default.
- Every firewall will explicitly block high level ports.
- Telnet, FTP, and TFTP may not be used unsecured.
- Administrative access to be granted via strong authentication only.
These mandates would be a start. After getting over the firestorm of objections the GAO could start to work on configuration management and universal strong authentication.
February 24th, 2008
Pakistan removed from the Internet
4:30 PM Eastern (US).
The telecom company that carries most of Pakistan’s traffic, PCCW, has found it necessary to shut Pakistan off from the Internet while they filter out the malicious routes that a Pakistani ISP, PieNet, announced earlier today. Evidently PieNet took this step to enforce a decree from the Pakistani government that ISPs must block access to YouTube because it was a source of blasphemous content.
I cannot let the irony pass without commenting. A religious state, Pakistan, identifies a content provider, YouTube, as the source of blasphemous, seditious content and orders, King Canute style, that the Internet tides be stopped. A zealous ISP ignorantly decides the best way to comply with the decree is to re-route all of YouTube’s IP addresses to whatever site they thought was more appropriate. The first repercussion was that YouTube disappeared from the Internet for almost an hour. I suspect the second repercussion was that Pakistan’s Internet access crawled to a halt as all of a sudden they were handling IP requests for one of the busiest sites in the world. As of this writing YouTube has announced more granular routes so that at least in the US they supersede the routes announced by PieNet. The rest of the world is still struggling. So, while working on a fix that will filter out the spurious route announcements, PCCW has found it necessary to shut down Pakistan’s Internet access. The leadership of Pakistan just created a massive Denial of Service on their own country.
I could say: “be careful what you wish for” to those elements that object to free and open access to information and expression of ideas. But to put it in terms they might understand better: Do not anger the Internet gods or you will suffer their wrath!
Update: This blog points out that the “blasphemous content” claim may be a red herring. There may be more political motivations behind it.
February 24th, 2008
Pakistan declares war on YouTube
What could at first have been just one of those days on the Internet where some newbie engineer accidentally announces a spurious route and takes out a segment of the network has turned into an international fiasco. But no, Pakistan has ordered all ISPs to block YouTube. From Yahoo news:
ISLAMABAD (AFP) - Pakistan has ordered all Internet service providers to block the YouTube website for containing “blasphemous” content and material considered offensive to Islam, officials said Sunday.
YouTube because it contained “blasphemous content, videos and documents,” a government official told AFP.
“The site will remain blocked till further orders,” he said.
So an ISP in Pakistan decided to announce a route that would re-direct anyone trying to get to YouTube to some other site that probably hosted a warning about the blasphemous content. Results were predictable. YouTube itself disappeared from the Internet. And, I suspect that most of Pakistan is experiencing performance issues as they are receiving ALL of the YouTube requests from around the world. By 2:30 the Internet watch guards had alerted the backbone provider for Pakistan to filter out those malicious route announcements and alerted YouTube to announce more granular routes that would supersede the Pakistani routes, at least in the US.
As of this writing, 3:30 Eastern, most of the rest of the world still cannot get to YouTube.
February 24th, 2008
Pakistan takes out YouTube
Like I said in a recent post, the Internet is a series of tubes. Sometimes that helps route around malicious legislation and regulators, sometimes it causes big problems. Like today at 2 PM Eastern when someone in Pakistan announced a more specific BGP route for the block of IP addresses that YouTube uses. Routers default to the more specific route announcement. Now all YouTube traffic is being routed to Pakistan.
Our trusting routers are the BIGGEST security hole. Malicious attackers can easily disrupt the entire Internet by betraying that trust.
Thanks to Barrett Lyon at Bitgravity for tracking this.
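The longest-prefix-match behaviour described in this post, together with the "more granular routes" counter-announcement mentioned in the "Pakistan declares war on YouTube" post, shown as an added example that is not part of the original posts. The prefixes are RFC 5737 documentation space, the AS numbers are documentation ASNs, and all function names are hypothetical; the origin check is one simple way a monitor could flag such an announcement.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def best_route(rib, dst):
    """Longest-prefix match: of all routes covering dst, pick the longest mask."""
    addr = ipaddress.ip_address(dst)
    covering = [(p, asn) for p, asn in rib if addr in p]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def origin_mismatches(rib, expected):
    """Return routes that fall inside a monitored prefix but come from another AS."""
    alerts = []
    for prefix, asn in rib:
        for owned, owner_as in expected.items():
            same_family = prefix.version == owned.version
            if same_family and prefix.subnet_of(owned) and asn != owner_as:
                alerts.append((prefix, asn, owned))
    return alerts

# Constructed sample data. Real announcements longer than /24 are usually
# filtered; the lengths here are scaled down to fit one documentation /24.
OWNER_AS, OTHER_AS = 64496, 64511
EXPECTED = {net("203.0.113.0/24"): OWNER_AS}
DST = "203.0.113.10"

def simulate():
    rib = [(net("203.0.113.0/24"), OWNER_AS)]          # normal state
    before = best_route(rib, DST)[1]
    rib.append((net("203.0.113.0/25"), OTHER_AS))      # unexpected more-specific
    during = best_route(rib, DST)[1]
    alerts = origin_mismatches(rib, EXPECTED)
    # The owner answers with even more granular routes, which win the match.
    rib += [(net("203.0.113.0/26"), OWNER_AS), (net("203.0.113.64/26"), OWNER_AS)]
    after = best_route(rib, DST)[1]
    return before, during, after, alerts

if __name__ == "__main__":
    before, during, after, alerts = simulate()
    print("origin AS before/during/after:", before, during, after)
    for prefix, asn, owned in alerts:
        print(f"ALERT: {prefix} inside {owned} originated by AS{asn}")
```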
February 22nd, 2008
Get a clue Morocco
Do you ever get the feeling that the people around you are missing out on a major shift in the way the world works? Try explaining lolcats to your grandfather for instance. I feel sorry for the powers that be in Morocco who have sentenced Fouad Mourtada, a guy with a clue, to three years in jail for spoofing a Facebook site for a member of their so-called royalty.
I feel sorry for the backward thinking elements of the world as we enter an accelerated phase of how humans communicate and work. Let Fouad go. Hire him to instill cluefulness in your government.
What’s next? Arresting somebody for Leroy Jenkins syndrome?
I am compiling a top ten list of government stupidity when it comes to the Internet. This qualifies.
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.