March 9th, 2008
Moving on
I travel a lot. It has been almost ten years since I had a job that was based in the same place I live. Whenever I get a call from friends and family the first question I get is “where are you?” People who have known me for years but do not stay in touch have a different question: “What are you doing now?” Other than a four year stint at Gartner I have never had the same employer for more than two years.
Followers of this blog will remember when it moved from the independently hosted ThreatChaos.com to ZDNet two years ago. That was coincident with my departure from Webroot Software, the anti-spyware company. (see Webroot loses voice). Well, it has been a great two years here at ZDNet. The folks at CNET (ZDNet is part of CNET not the troubled ZiffDavis. That still confuses people.) have created the most mature collection of tech blogs on the Internet and I have enjoyed being part of the ZDNet blogging community. But, I think they are pretty well covered on security now with the likes of George Ou, Larry Dignan, and newly joined Nate McFeters.
UPDATE November 6th ‘08: One more move. I hope the last as the Stiennon Security blog comes full circle. First it was at www.threatchaos.com, then it was at ZDNet, then it was at NetworkWorld. Now my blog is coming home to the re-born www.threatchaos.com!
For thoughts and coverage on hacking, cyber crime, cyber warfare, and malfeasance visit www.threatchaos.com
February 29th, 2008
Judge releases Wikileaks
All it took was a little representation. That is one trouble with the US legal system. You have to show up to defend yourself. The guys at Wikileaks.org were effectively put out of business by aggressive Swiss bankers because they did not show up in court. At a federal appeal today in San Francisco there was plenty of representation from the good guys, including the EFF.
Victory! You will note that the domain name Wikileaks.org now resolves properly.
In transit to Australia. If you are traveling to Canberra, Brisbane, Melbourne, or Sydney next week, drop me a line mate!
Update: Stiennon’s blog has moved to here.
February 29th, 2008
Oil field data loss just common theft
Sighs of relief can be heard coming from Brazil this week as police arrested four men (port security guards) responsible for heisting some computers that had lots of data from the newly discovered mega-oil-patch off the coast of Brazil.
Way back when I was an industry analyst I remember fighting the battle against universities about so-called academic freedom and firewalls. The argument ran that places of higher learning should not erect barriers that would limit access to information. That laughable theory applied to IT security has long since been discredited but the horrifying aspect was that the idea of no-firewalls was also present in major US government agencies such as the US Geological Survey, which is part of the Department of the Interior.
The USGS IT guys proudly told me that they were a research organization made up of scientists who would not abide firewalls. In further discussions they revealed that every oil and gas exploration company was required to store copies of their GIS data with USGS. I found this frankly horrifying because in all my travels I had found that oil and gas companies have the best security of any industry and they recognize the value of their data and go to extraordinary measures to protect it. And here I find that they are all sharing that data in an unsecured repository.
This was in 2002. I am sure that by now the USGS has instituted some protections around that data. They may even have firewalls.
February 27th, 2008
Declan on Wikileaks
The news today is that several free speech advocates are stepping into the fray over Wikileaks. See Declan McCullagh’s coverage. I love his syllogism:
[Shutting down Wikileaks is] like Apple not liking CNET News.com’s scoop a few years ago (which it was) about the switch to Intel microprocessors–and then trying to yank our domain name through a court injunction. Or AT&T trying to get us taken off the Internet after our story about how its lawyers filed an improperly redacted brief in the litigation over National Security Agency surveillance.
Free speech matters. First principles matter. Wikileaks may not be exactly a news organization in the traditional sense, but precedents set in this case could ripple far beyond Judge White’s courtroom in San Francisco.
Could not agree more Declan. I wish I was sticking around the Bay Area but I have a plane to catch to Australia. Would be great to be at that hearing!
February 27th, 2008
Only 8,700 insecure ftp servers?
According to ComputerWorld coverage Finjan is publicizing a source in Hong Kong they have discovered that offers to sell access to hacked ftp servers. The idea is that a malware purveyor or phisher would want ftp access with admin credentials so they can quickly and easily upload their wares to the web sites served by the ftp service.
Larry Dignan thinks this may be the first “Hacking as a Service” example but he is way off. There have been sites in the past that allowed you to execute a “ping of death” against any site, or a ping storm or whatever, just type in the IP or URL and watch what happens. So nothing new there. The “new” is the financial model. Selling access piecemeal. Kind of Hacking 2.0.
The simple warning to administrators: Use ftp over secure shell (SSH) to update your servers. Yes, use the advanced authentication techniques.
Only 8,700 out of 65,000,000 active web servers? That is a good percentage.
February 26th, 2008
You can keep on asking…
But you have to ask the right questions. Two senators have sent a letter to 24 US agencies asking them to report on their progress in data protection. This article at Federal Computer Week highlights the woeful state of security compliance at most US agencies.
This is great. There can be no change without someone asking these types of questions. But what worries me is that adopting policies such as NIST 800-53 is only the very first step towards becoming secure. GAO, and other agencies that are attempting to address the sorry state of security within the US fed should move on to requiring more proactive steps. Things like:
- Every firewall will be set up to deny by default.
- Every firewall will explicitly block high level ports.
- Telnet, FTP, and TFTP may not be used unsecured.
- Administrative access to be granted via strong authentication only.
These mandates would be a start. After getting over the firestorm of objections the GAO could start to work on configuration management and universal strong authentication.
February 24th, 2008
Pakistan removed from the Internet
4:30 PM Eastern (US).
The telecom company that carries most of Pakistan’s traffic, PCCW, has found it necessary to shut Pakistan off from the Internet while they filter out the malicious routes that a Pakistani ISP, PieNet, announced earlier today. Evidently PieNet took this step to enforce a decree from the Pakistani government that ISPs must block access to YouTube because it was a source of blasphemous content.
I cannot let the irony pass without commenting. A religious state, Pakistan, identifies a content provider, YouTube, as the source of blasphemous, seditious content and orders, King Canute style, that the Internet tides be stopped. A zealous ISP ignorantly decides the best way to comply with the decree is to re-route all of YouTube’s IP addresses to whatever site they thought was more appropriate. The first repercussion was that YouTube disappeared from the Internet for almost an hour. I suspect the second repercussion was that Pakistan’s Internet access crawled to a halt as all of a sudden they were handling IP requests for one of the busiest sites in the world. As of this writing YouTube has announced more granular routes so that at least in the US they supersede the routes announced by PieNet. The rest of the world is still struggling. So, while working on a fix that will filter out the spurious route announcements, PCCW has found it necessary to shut down Pakistan’s Internet access. The leadership of Pakistan just created a massive Denial of Service on their own country.
I could say: “be careful what you wish for” to those elements that object to free and open access to information and expression of ideas. But to put it in terms they might understand better: Do not anger the Internet gods or you will suffer their wrath!
Update: This blog points out that the “blasphemous content” claim may be a red herring. There may be more political motivations behind it.
February 24th, 2008
Pakistan declares war on YouTube
What could at first have been just one of those days on the Internet where some newbie engineer accidentally announces a spurious route and takes out a segment of the network has turned into an international fiasco. But no, Pakistan has ordered all ISPs to block YouTube. From Yahoo news:
ISLAMABAD (AFP) - Pakistan has ordered all Internet service providers to block the YouTube website for containing “blasphemous” content and material considered offensive to Islam, officials said Sunday.
YouTube because it contained “blasphemous content, videos and documents,” a government official told AFP.
“The site will remain blocked till further orders,” he said.
So an ISP in Pakistan decided to announce a route that would re-direct anyone trying to get to YouTube to some other site that probably hosted a warning about the blasphemous content. Results were predictable. YouTube itself disappeared from the Internet. And I suspect that most of Pakistan is experiencing performance issues as they are receiving ALL of the YouTube requests from around the world. By 2:30 the Internet watch guards had alerted the backbone provider for Pakistan to filter out those malicious route announcements and alerted YouTube to announce more granular routes that would supersede the Pakistani routes, at least in the US.
As of this writing, 3:30 Eastern, most of the rest of the world still cannot get to YouTube.
February 24th, 2008
Pakistan takes out YouTube
Like I said in a recent post, the Internet is a series of tubes. Sometimes that helps route around malicious legislation and regulators, sometimes it causes big problems. Like today at 2 PM Eastern when someone in Pakistan announced a more specific BGP route for the block of IP addresses that YouTube uses. Routers default to the more specific route announcement. Now all YouTube traffic is being routed to Pakistan.
Our trusting routers are the BIGGEST security hole. Malicious attackers can easily disrupt the entire Internet by betraying that trust.
Thanks to Barrett Lyon at Bitgravity for tracking this.
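The route selection described above and in the later posts, as an added example that is not part of the original blog: a longest-prefix-match lookup showing why a more specific announcement captures traffic, how the owner's still more granular routes win it back, and a monitor check that flags the unexpected origin. The prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: a private prefix and documentation ASNs (RFC 5398).
# 64500 plays the legitimate owner; any other origin inside its block is unexpected.
LEGIT_ORIGINS = {ipaddress.ip_network("10.20.0.0/22"): 64500}

def best_route(rib, dest):
    """Longest-prefix match: return the (prefix, origin_as) a router would use."""
    addr = ipaddress.ip_address(dest)
    matches = [(p, asn) for p, asn in rib.items() if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def announce(rib, prefix, origin_as):
    """Accept an announcement without validation, as a trusting router does."""
    rib[ipaddress.ip_network(prefix)] = origin_as

def suspicious(prefix, origin_as, expected=LEGIT_ORIGINS):
    """Flag an announcement that falls inside a monitored prefix but
    comes from an origin AS other than the expected one."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) and origin_as != asn
               for p, asn in expected.items())

def replay():
    """Replay a constructed event sequence; return (alerts, origin chosen per step)."""
    rib, alerts, path = {}, [], []
    events = [
        ("10.20.0.0/22", 64500),    # owner's normal announcement
        ("10.20.1.0/24", 64511),    # more specific route from another AS
        ("10.20.1.0/25", 64500),    # owner counters with two /25s that
        ("10.20.1.128/25", 64500),  # are more specific than the /24
    ]
    for prefix, asn in events:
        if suspicious(prefix, asn):
            alerts.append((prefix, asn))
        announce(rib, prefix, asn)
        path.append(best_route(rib, "10.20.1.10")[1])
    return alerts, path

if __name__ == "__main__":
    alerts, path = replay()
    print("alerts:", alerts)
    print("origin AS chosen for 10.20.1.10 after each event:", path)
```

The monitor check only works for prefixes whose expected origin is known in advance, which is why it is keyed on a table of monitored prefixes rather than on the routing table itself.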
February 22nd, 2008
Get a clue Morocco
Do you ever get the feeling that the people around you are missing out on a major shift in the way the world works? Try explaining lolcats to your grandfather for instance. I feel sorry for the powers that be in Morocco who have sentenced Fouad Mourtada, a guy with a clue, to three years in jail for spoofing a Facebook site for a member of their so-called royalty.
I feel sorry for the backward thinking elements of the world as we enter an accelerated phase of how humans communicate and work. Let Fouad go. Hire him to instill cluefulness in your government.
What’s next? Arresting somebody for Leroy Jenkins syndrome?
I am compiling a top ten list of government stupidity when it comes to the Internet. This qualifies.
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
