Part two of Howard Rheingold's Smart Mobs, Collective Action, Media, and Democracy has been posted on his vlog. I mentioned the first part about a week ago.
On to the video:
Posted at 10:21 PM in Culture | Permalink | Comments (0) | TrackBack (0)
From XSSed, more eBay cross site scripting problems:
eBay is again XSSed! Scammers can take advantage of these new critical cross-site scripting issues. They can inject JavaScript code to redirect users to eBay phishing scam pages and to display fake auctions. Victims who click on what appears to be a genuine eBay search results link are also vulnerable to malware infection. [From New XSS flaws within eBay sites | News | XSSed.com]
Also, a zero day attack in Flash, from Search Security:
The widely used Adobe Flash Player has a zero day flaw that is being targeted by a number of attackers who set up more than 200,000 Web pages to exploit the flaw.
"The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers." -- Dancho Danchev, security researcher
The unspecified remote code-execution vulnerability could be exploited to cause denial of service conditions, according to Symantec, which reported the flaw on Monday. [From Adobe zero day flaw being actively exploited in wild]
Posted at 05:27 PM in News, Security | Permalink | Comments (0) | TrackBack (0)
I've been on the road for almost a week and am finally able to catch up on everything, so here are some of the more interesting tidbits that I've been reading while I was away.
A bit on log policy from Anton Chuvakin:
I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on LogLogic website; I am not answering them here. [From Anton Chuvakin Blog - "Security Warrior": More Log Management Questions - Answered!]
Some questions about the ethics of vulnerability research from Information Security Magazine via TaoSecurity:
One of my favorite sections in Information Security Magazine is the "face-off" between Bruce Schneier and Marcus Ranum. Often they agree, but offer different looks at the same issue. In the latest story, Face-Off: Is vulnerability research ethical?, they are clearly on different sides of the equation. [From TaoSecurity: Response to Is Vulnerability Research Ethical?]
Now some Bruce Schneier on selling security:
It's a truism in sales that it's easier to sell someone something he wants than something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle. The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security or a security officer trying to implement a security policy with her company's employees. [From Schneier on Security: How to Sell Security]
I'll post the latest vulnerabilities I've been following in the next post.
policy, research, Security, Bruce Schneier, vulnerability, ethics, logs
Posted at 05:20 PM in Privacy, Security, Systems | Permalink | Comments (0) | TrackBack (0)
Another major XSS vulnerability, this time with 70 million users at risk ...
... a critical cross-site scripting vulnerability affecting Facebook.com - according to Alexa is currently ranked the 7th most used site on the web.
Malicious people can exploit this issue to execute script code in the context of Facebook or obtain sensitive information from its users, such as cleartext authentication credentials with a fake login form. It should be noted that this XSS vuln leaves millions of unsuspecting Facebook users vulnerable to malware, spyware and adware infection. [From Facebook vulnerable to XSS. Over 70 million users are at risk. | News | XSSed.com]
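Both of the XSSed items above describe the same root cause: a search term or similar parameter reflected into a page without being encoded for the place it lands. The following is an added example, not code from XSSed, eBay or Facebook, showing a reflected search results fragment rendered the unsafe way beside the hardened version. The probe string, the escaping helper and the render functions are all constructed for this illustration; the point is that HTML text, attribute values and URL parameters each need the encoding for their own context.

```javascript
// Added example (not from any site named on the page): a reflected search
// results fragment, rendered unsafely and then hardened. Run with: node xss_example.js

// Escape the five characters that matter when interpolating untrusted text into
// HTML text content or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the user-supplied query is concatenated raw into markup and into a link.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>` +
         `<a href="/search?q=${query}">More results</a>`;
}

// Hardened: HTML-escape the text and attribute contexts, percent-encode the
// query-string context. Each sink gets the encoder that matches its context.
function renderResultsSafe(query) {
  const text = escapeHtml(query);
  const param = encodeURIComponent(query);
  return `<h1>Results for ${text}</h1>` +
         `<a href="/search?q=${param}">More results</a>`;
}

// A crude regression check for a test suite: did any raw tag or event handler
// from the input survive into the rendered output?
function containsActiveMarkup(html) {
  return /<script|<img|onerror=|javascript:/i.test(html);
}

// Constructed probe input: the classic harmless marker string used when testing
// for reflected XSS, not a real attack payload.
const PROBE = '"><script>alert(1)</script>';

console.log("unsafe:", renderResultsUnsafe(PROBE));
console.log("safe:  ", renderResultsSafe(PROBE));
console.log("unsafe output carries active markup:", containsActiveMarkup(renderResultsUnsafe(PROBE)));
console.log("safe output carries active markup:  ", containsActiveMarkup(renderResultsSafe(PROBE)));
```

In the hardened version the `<` of the probe reaches the browser as `&lt;` in the heading and as `%3C` in the link, so the same query is displayed verbatim but can never be parsed as a tag. A site-wide fix applies this at the template layer (auto-escaping output) rather than relying on each page author to remember it.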
breach, hack, Security, social networks, vulnerability, web 2.0, xss
Posted at 09:30 PM in News, Security | Permalink | Comments (0)
Howard Rheingold has posted work related to his 2003 book Smart Mobs that is as relevant today as his classic The Virtual Community was in 1995.
Smart Mobs, Collective Action, Media, and Democracy, Part 1
In Fall, 2007, James Fishkin's Center for Deliberative Democracy and Jim Lehrer's Newshour program brought together 300 Americans to talk about democracy. By The People, was broadcast on PBS in January, 2008. I was invited to address this assembly. I talked about Smart Mobs in relation to the public sphere--the citizen discourse that undergirds democracy. The following video, first of two parts, courtesy MacNeil/Lehrer Productions. Site implementation by Ideacodes [From Howard Rheingold's Vlog]
And here's the video:
Posted at 09:33 PM in Culture | Permalink | Comments (0)
I moved this blog from Wordpress to Movable Type 4 a couple of weeks ago, and I am completely sold. Don't get me wrong, Wordpress is fabulous software. It has a lot going for it:
Most of those advantages, however, are a function of popularity. There are lots of people using, supporting, and coding for it. As a result, it's also very commonly targeted by vulnerability scans. It doesn't have the best security record, and older versions of the software are low-hanging fruit.
The dynamic generation of pages has its drawbacks as well -- it's resource-intensive. Every time somebody hits a page, the database is queried. I use Dreamhost, which while offering a lot of value for my hosting dollars, doesn't have the fastest servers on the planet, and all those database cycles slow site response down significantly.
This is where Movable Type shines. Instead of dynamically generating pages on request, the pages are written out as flat HTML whenever changes are made. This means that the server seems snappy and responsive even on a slower host. The flip side of this is that posting and commenting take longer, since every change is written to disk.
While there aren't as many themes out there to download and adapt, the ones that Movable Type ships are slick and very easy to modify (very tight css + a few graphic elements). I haven't found a need to do much to them other than change colors and the banner graphic.
As far as the cleanliness of Movable Type's code base, I have no idea. I haven't needed to customize it at all. The most common reason I have to modify open source projects is for custom authentication schemes, but Movable Type supports OpenID right out of the box. Unified identity management is a difficult problem to solve, and allowing federated authentication without changing a line of code is a major feature in my mind.
Movable Type also has a very simple and easy to use "template" system that makes tasks such as generating a sitemap very easy. It might be a little steep for a non-technical user, but if you can read or write the most basic of code, there will be almost no learning curve at all.
So, in summary, Wordpress is great software, but I'm sticking with Movable Type for three reasons.
So there you have it, a case for Movable Type by a long-time Wordpress user.
Posted at 05:11 PM in News, Software, Systems | Permalink | Comments (2)
The beauty of this project is that a map can be wonderfully intuitive for a human operator. Multiple data domains can be crossed very quickly based on geographic proximity even if the datasets themselves have no obvious keys in common.
I've been thinking a great deal about the challenges of intelligence gathering, and this may be a powerful way to visualize log data in a way that is quick and meaningful to business owners -- a clear summary of attack sources and methods that doesn't require much technical detail to comprehend.
From Federal Computer Week:
Virtual Alabama, at its heart, is a mash-up -- a program that pulls data from various places and presents it in a very user-friendly display. In this case, the system is based on Google Earth. It starts with a map and then it overlays the map with all types of data.
So when tornadoes struck Alabama earlier this year, officials used the system to view the damage, even comparing before and after images. Officials also were able to pull in data that showed the location of potentially hazardous materials that might have been disturbed by the tornadoes.
Consider how the system might help in an event such as the 2007 Virginia Tech shootings. Were that to happen at the University of Alabama, state officials could draw from one database to get schematics on the buildings and then another for class schedules so that they would know which classrooms were in use. Finally, they could use Virtual Alabama to tap into images from cameras in the building. [From Buzz of the Week: Wowed by Virtual Alabama]
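The idea in the opening paragraphs, a geographic summary of attack sources and methods that a business owner can read without technical detail, can be sketched in a few dozen lines. The following is an added example and not Virtual Alabama's code: it parses constructed web server log lines, classifies each request by a coarse "method" label, aggregates by origin region, and emits a KML overlay of the kind Google Earth can load. The log lines, the address-to-location table (a stand-in for a real GeoIP database) and the coordinates are all constructed.

```javascript
// Added example (not Virtual Alabama's code): attack sources in web logs -> KML overlay.
// Run with: node log_to_kml.js

// Constructed Apache-style log lines (RFC 5737 documentation addresses).
const LOG_LINES = [
  '203.0.113.7 - - [12/May/2008:10:01:02 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/May/2008:10:01:05 +0000] "GET /search?q=%22%3E%3Cimg HTTP/1.1" 200 512',
  '198.51.100.23 - - [12/May/2008:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 203',
  '198.51.100.23 - - [12/May/2008:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 203',
  '192.0.2.44 - - [12/May/2008:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 8090',
];

// Constructed stand-in for a GeoIP lookup: address -> region name and coordinates.
const GEO = {
  "203.0.113.7":   { region: "Region A", lat: 32.3, lon: -86.3 },
  "198.51.100.23": { region: "Region B", lat: 34.7, lon: -86.6 },
  "192.0.2.44":    { region: "Region C", lat: 30.7, lon: -88.0 },
};

// Coarse, business-readable labels rather than signatures. Returns null for ordinary traffic.
function classify(target) {
  let decoded = target;
  try { decoded = decodeURIComponent(target); } catch (e) { /* malformed escape: inspect raw */ }
  if (/<script|<img|onerror=/i.test(decoded)) return "script injection";
  if (/wp-login|xmlrpc/.test(decoded)) return "login probing";
  return null;
}

// client ip, ident, user, [timestamp], "method target protocol", status
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Aggregate suspicious requests by origin region: total count and count per method.
function summarise(lines) {
  const byRegion = {};
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const ip = m[1], target = m[3];
    const method = classify(target);
    const geo = GEO[ip];
    if (!method || !geo) continue;
    const r = byRegion[geo.region] || (byRegion[geo.region] = { lat: geo.lat, lon: geo.lon, methods: {}, total: 0 });
    r.methods[method] = (r.methods[method] || 0) + 1;
    r.total += 1;
  }
  return byRegion;
}

function escapeXml(s) {
  return String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}

// One placemark per region; the name carries the total, the description the breakdown.
function toKml(summary) {
  const placemarks = Object.entries(summary).map(([region, s]) => {
    const desc = Object.entries(s.methods).map(([m, n]) => `${m}: ${n}`).join(", ");
    return `  <Placemark><name>${escapeXml(region)} (${s.total})</name>` +
           `<description>${escapeXml(desc)}</description>` +
           `<Point><coordinates>${s.lon},${s.lat},0</coordinates></Point></Placemark>`;
  });
  return '<?xml version="1.0" encoding="UTF-8"?>\n' +
         '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n' +
         placemarks.join("\n") + "\n</Document></kml>\n";
}

console.log(toKml(summarise(LOG_LINES)));
```

The ordinary request from Region C never reaches the map, which is the point: the overlay shows where hostile traffic is coming from and what kind it is, and nothing else. Because region names and descriptions end up inside XML, they are escaped before emission, so a crafted log entry cannot corrupt the overlay file.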
Posted at 05:48 PM in News, Security, Systems | Permalink | Comments (0)
Here is another example of selling a technology as "secure" simply because it doesn't involve Windows. Linux has its share of vulnerabilities. For that matter, so do Firefox and Skype.
Marketing any desktop solution as secure will encourage users to ignore security best practices. Additionally, Splashtop will allow the mounting of external storage; though the system's main hard drive is not being connected, it's not too hard to imagine a scenario where malware is either installed on an external USB drive and then migrates to the system drive at the next full boot or where malware installs some custom code during runtime that allows the mounting of the system drive.
Calling anything "secure" in marketing literature is just asking for trouble.
From ZDNet UK:
On Wednesday, DeviceVM, the company behind the distribution, said the hardware manufacturer would be putting Splashtop — which Asus calls "Express Gate" — into a million motherboards a month. Splashtop includes a Firefox-derived browser and the Skype internet-telephony application.
Splashtop is described by DeviceVM as a "secure web-surfing environment", and is embedded on motherboards so that it can be booted within seconds, as an alternative to booting up a full operating system. It first appeared on high-end Asus motherboards in October 2007 and has since been put onto the more mainstream M3 series, but, according to Joe Hsieh, general manager of Asus' motherboard business unit, it will now be extended to the entire range. [From Asus to embed Linux into all motherboards - ZDNet.co.uk]
Posted at 04:36 PM in News, Security, Systems | Permalink | Comments (0)
There are always going to be studies that show how much data breaches cost companies, mostly because it's a factoid that security researchers think will persuade the C-level types.
The flip side is that the frequency of these data breaches among peer organizations lessens the impact when it "happens here", and the financial downside becomes just a cost of doing business.
It can also promote a culture of cover-ups. If it's a common thing, then there's no reason to make a big deal of it.
From Gene Schultz over at Hightower Software:
A recent study by the Ponemon Institute shows, for example, that 55 percent of participants in this study said they had been informed of more than one security compromise involving their personal data over the last two years, and eight percent said that they have been informed of four or more of such compromises.
The Ponemon Institute's study also shows that 63 percent of the survey participants reported that the letters they received after data security compromises had occurred contained no information concerning what to do to safeguard their data afterwards. Furthermore, the majority of the respondents indicated that more than a month had transpired before they were finally informed that their personal data were compromised. At the same time, however, 98 percent of those who had fallen victim to a data security compromise actually became victims of identity theft afterwards. Most significantly, almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident. [From High Tower Blogs > Security Insights » Blog Archive » The Business Costs of Security Compromises]
Posted at 04:46 PM in Identity, Privacy, Security | Permalink | Comments (0)
More than a third of a nation has been compromised by this "Anonymous Coward" (Slashdot reference anyone?), making this one of the most significant data releases to date. I bet the American media ignores it completely ...
A hacker in Chile calling himself the 'Anonymous Coward' published confidential data belonging to six million people on the internet.
Chile has a population of about 16 million, so that's 3/8ths of the country.
Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.
See "ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet" (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, "¿Es privada la información personal en Chile?" (see translated version)
Posted at 06:35 PM in News, Privacy | Permalink | Comments (0) | TrackBack (0)