Archive for September, 2009


MS kills the consumer AV market

30 Sep 2009 13:28 EST

MS has just released Microsoft Security Essentials, which they call “high-quality, hassle-free antivirus protection for your home PC”. It’s free – ‘free’ as in beer, not ‘free’ as in speech. And, surprisingly, it works: the independent anti-virus testing organization AV-Test GmbH says that MSE detected every virus on the WildList of viruses and produced no false positives: “All files were properly detected and treated by the product. That’s good, as several other AV scanners are still not able to detect and kill all of these critters yet.”

Microsoft already has an AV product in the business market, OneCare, but it hasn’t really taken hold since it’s not a free product, MS does not have a good security reputation, and AV vendors are already very entrenched in most organizations.  So there is not a huge threat to the AV vendors in the business sector.

There are a lot of free AV products already available in the consumer market: Avira, AVG, Avast, BitDefender, etc. These often don’t reach mainstream consumers, though. Microsoft has a huge marketing engine and unbeatable distribution channels. If MS AV is free, works, is well known, and is easy to get, then people will use it.

MS has probably changed the market. Consumer AV will become free. Symantec, Trend, McAfee will keep making consumer AV but their enterprise business will just become even more important. Companies like Sophos that focus on business only will escape this one.

 

"Is 0 Odd or Even?" Are you serious?

29 Sep 2009 22:10 EST

Eugene Volokh of the eponymous Conspiracy took a poll of his readership, asking Is 0 Odd or Even? Look ye upon the poll results and despair!

This, gentle reader, is why we don’t do mathematics by popular vote.

An odd number of Kudos to Eugene for exposing such innumeracy. An even number of kudos to about half his readers….

 

Browser-in-browser virtualization security nightmare

29 Sep 2009 20:45 EST

So I’ve got five browsers running on my Windows laptop, three running on my Blackberry handheld, and at least one more on the Mac Mini. OK, this isn’t exactly typical. But all these browser choices are available on the market today to consumers who want them. Most people still use IE, but Firefox now has a respectable market share (65% IE vs 26% for FF).  Apple Safari (4%), Google Chrome (3%), and Opera (2%) have a small but noticeable and growing share of the browser market. These figures don’t include the matrix of OS’s x Browsers. The browser market is finally competitive.

From an economic and feature perspective, competition is obviously a Good Thing.  At first blush it seems that it would be a security Good Thing as well, since there are more competing platforms to drive security fixes and avoid a monoculture.  But there’s a new wrinkle in the browser security, which may be an indication of more problems to come.

Google Chrome is a stand-alone browser — which I love for its speed and simplicity and hate for no adblock — but its technologies are also now available as a plug-in to IE. Google Chrome Frame is an open-source project which allows you to essentially run Chrome inside of IE.  Geeky/neat functionality, to be sure.  But what a security outcry it has raised!

In rare agreement, Microsoft and Mozilla both slammed Google on Chrome Frame. They pointed out that since browsers are now the primary route for infection on PCs, slamming two browsers’ worth of potential security flaws into one browser is asking for trouble. Each browser may have security bugs, and the combination of the two may open yet more holes. Microsoft also piles on to point out privacy implications: Chrome Frame breaks IE 8’s private browsing.

As the latter article reveals, Google’s answer isn’t good: “Google Chrome Frame is an open source plug-in that is currently in an early developer release and was designed with security in mind from the beginning…” Open-source and developer releases are not excuses for lax security. If the security isn’t there, don’t release the code. Google’s other point is that they can somehow magically secure old browsers, in particular IE6:

Accessing sites using Google Chrome Frame brings Google Chrome’s security features to Internet Explorer users, providing strong phishing and malware protection (absent in IE6), robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months.


Again, this answer is not well thought out. There is a simple answer to improving security on IE6: don’t run IE6. Yes, it’s still supported by MS, but IE8 is out now; upgrade. Google Chrome Frame isn’t a patch to IE; if there’s a bug in IE6 allowing an attacker to gain a foothold, that bug is still there in IE+Chrome Frame.

I’m sure this little kerfuffle will blow over soon. Browser makers fighting with each other in public is just business as usual.  IE6 will end-of-life, Google Chrome Frame will improve its security and its mechanisms for integrating with IE, etc.  This is a harbinger of things to come, though. Browser technology is getting more complex, and complexity is the enemy of security. Chrome Frame is an early example of browser-in-browser virtualization. Just as desktop virtualization brings new security headaches along, so will browser virtualization.

Welcome to my nightmare.

 

Who moved my cheesy UI? (or, an Opera by Dvorak)

29 Sep 2009 02:05 EST

The Dvorak keyboard — developed by August Dvorak, no relation to this Dvorak, but a distant relation of this Dvorak — has a very devoted following.  Users like its more ergonomic design, which is different from the familiar QWERTY keyboard. Devotees claim (with some evidence) a much faster typing rate, and love using the keyboard. Heck, there are even Dvorak activists asking you to write to the local paper about the keyboard, and call manufacturers to get support.

As you can imagine, since they love their keyboard, they are miffed when it’s not available for a certain device. Today in the Wall Street Journal, there is an article by Joseph de Avila on Dvorak users who are unhappy that iPhones, Blackberries, and other handhelds only use QWERTY.

But here’s the thing: there is no advantage for Dvorak on a handheld. The layout was designed to improve two-handed touch-typing speed. There is no evidence to show that the same advantage can be found on chiclet keys that are thumb-typed, or virtual touch-screen keys. To be sure, the Dvorak users are used to that layout, and prefer it for sentimental or even principled reasons. Still, the original benefit is lost (admittedly, any traditional layout is probably not optimal on a handheld device).

My first reaction was that these Dvorakians (maybe Dvorks?) should realize this and move on. Then I downloaded Beta 5 of the Opera Mini browser…

I’ve used Opera Mini on my BB Curve 8330 for a long time; it acts and renders like a real desktop browser, not the limited default Blackberry browser.  I’ve grown used to its features, such as zooming in and out on pages, using the trackball for navigation, the options key to bring up the menu, etc. Beta 5 has totally thrown my paradigms for a tangled loop. The trackball navigates on the page, but also controls navigation between pages now. The options key brings up not the standard BB app menu, but a custom Opera icon-only menu which requires further selection by the sensitive trackball. I really don’t like it. It’s not what I’m used to.

That’s when it struck me that I’m just like the Dvorks in the article.  Ah well, on to Opera Mini 5 it is….

Excelsior!

 

Mental Health, or "Hey! If my kidneys are the problem, why do I need my head shrunk?"

25 Sep 2009 19:18 EST

You may have read my recent references to trying to go off steroids after 18 years. I’ve taken oral prednisone during that whole time, and also had occasional high doses of IV steroids as well. The reason I take steroids is of course so I can compete at a national level in weightl…actually, no. The reason I take them is because steroids have an anti-inflammatory effect; specifically, they depress the immune system. Normally, depressing the immune system is a Bad Thing, but in my case it prevents my immune system from attacking my donated kidneys. But because of advances in medicine, immune suppression no longer requires steroids; the doctors would like me to discontinue them because they do have nasty side effects like diabetes and osteoporosis, especially over the long run. They also can cause your adrenal cortex to stop working. But either starting or stopping steroids has its effects too, one of which is “the crazies”. OK, you’ve all heard that already.

I spoke with the psychologist at my transplant clinic, who confirmed that, yes, discontinuing steroids can certainly make one cranky. She said that my regular shrink would certainly have encountered this issue before and should be able to handle it. Sure enough, at my psychiatrist appointment earlier this month, we brought this up with him, and he was very familiar with it. Evidently this is a common problem, and patients discontinuing steroids often need adjustments to psychiatric medicines at the very least.

So the outcome in my case was to increase my anti-crazy pills, to take it slow on the steroid discontinuation, and to be patient. It will pass, it will take time. This is excellent news, since with this new kidney, I have plennnnnnty of time :)

I’ll editorialize now:  this has direct bearing on the current American health insurance debate. Coverage for mental health conditions by health insurance companies is not comparable to coverage for other conditions. But as my example above should show, you really can’t separate the two. Physical health and mental health are so intimately related as to be indistinguishable.   The body and the brain are both biology. In my opinion, if it is not medically or scientifically defensible to totally separate mind from body, then it is not morally defensible either:

Diseases of the brain are diseases of the body. 

Mental health coverage should be on a 100% par with coverage for other health conditions.

 

My security head's in the clouds

25 Sep 2009 17:34 EST

Craig Balding at CloudSecurity.org has posted a gem of a presentation on the state of security in cloud computing (it’s a presentation he gave at something called BruCon, a security (and beer!) conference in Brussels.) It’s well worth reading for an overview of what cloud computing means for security practitioners.

One item that struck me was his slide 56. The slide asks “When’s the revolution?” — to wit, when’s the revolution in web security technology to match the revolution in web application technology? The answer to web security still seems to be “SSL and Firewalls”. Way back in 2002, I sat on the security panel at the Next Generation Web Services Summit. Chad Dickerson of etsy, the moderator and back then CTO at InfoWorld, asked about the role of SSL in web services security. I answered that it doesn’t solve the problem. “If you [don't] encrypt your channel, you open yourself, but that is not sufficient.”[1] SSL is an absolutely minimal level of security — and here we are in 2009 still thinking that it’s good enough. But SSL only can protect data in transit from being snooped between the customer and the provider — or more accurately, between the customer’s last proxy and the provider’s first proxy.

You think you’ve got end-to-end SSL, but in truth you don’t.

It’s not that SSL is a bad idea — it’s not! — it’s ‘necessary but not sufficient’. It does nothing to address a host of other issues: data integrity, repudiation, data loss, data commingling, availability, and so on.

Anyway, read the rest of his presentation for a good overview of the state of things, including the implications of virtualization, why cloud computing is or isn’t just outsourcing, and the current dearth of research into cloud-specific security vulnerabilities.

[1] Source.

 

Infecting you in 140 characters or less: why the Twitter Worm works

25 Sep 2009 00:12 EST

It’s good to be concise when writing — Twitter’s brevity is a great thing. It can force you to write more thoughtfully. Unfortunately, its simplicity can give a false sense of security.

The current Twitter Worm is sending DMs (Twitter direct messages) to people and including a link to a site that kinda-sorta looks like an official Twitter page. The message includes a link with the text “twitter” in it, and it appears to be a message from a friend. It’s enough to fool people into clicking on the link, and when they do, they are given what looks like a Twitter login screen. But when they enter their user name and password, what really has happened is that they’ve given up their password to criminals.

Look for more attacks like this to come, unfortunately.

Twitter’s brevity has come with a price: opacity. Since people cram as much as they can into 140 characters, including links, they use URL shorteners like http://bit.ly.  URL shorteners do what their name says, but they obscure where the link really goes to.  This can make phishing and related attacks much easier. Phishers try to steal people’s information, like passwords, by fooling them into thinking they’re giving the information to a trusted party. The current Twitter Worm relies on people not reading the link carefully enough. With URL shorteners that don’t have a “preview” function, you have no idea where the link is going. This makes it far too easy to trick people onto a fake site.

Twitter’s simplicity comes with a price as well: misplaced trust. Generally speaking, Twitter seems like a likable, simple little program without a lot of moving parts. Its user interface is straightforward. People feel comfortable with it and therefore are willing to trust it.  This means people are also likely to trust messages that seem to come from friends or from Twitter itself. This again makes it easy to fool people.

So don’t get fooled again by Twitter’s brevity and simplicity. Inside those short, simple tweets there still can lurk thieves.
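The two tricks the post describes, a shortener hiding the destination and a hostname that merely contains the word “twitter”, can both be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from Twitter or bit.ly: it expands a shortened link hop by hop through a pluggable resolver and then asks whether the final host is the trusted domain, a lookalike, or something else. The redirect table, short URLs and hostnames are constructed for the example; a real resolver would issue HEAD requests and read each Location header without rendering anything, and a real deployment would use the Public Suffix List instead of the crude two-label domain rule used here.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for a shortener's HTTP 301 answers
# (sample data, not from the post). A real resolver would send HEAD requests and
# read each Location header one hop at a time, never rendering the page.
FAKE_REDIRECTS = {
    "http://bit.ly/ex1": "http://twitter.example-login.invalid/login",
    "http://bit.ly/ex2": "https://twitter.com/home",
    "http://bit.ly/ex3": "http://bit.ly/ex1",       # shortener chained to shortener
    "http://bit.ly/loop-a": "http://bit.ly/loop-b",
    "http://bit.ly/loop-b": "http://bit.ly/loop-a",
}

TRUSTED_DOMAINS = {"twitter.com"}   # the site the DM claims to come from


def expand(url, resolver=FAKE_REDIRECTS.get, max_hops=5):
    """Follow redirects through `resolver` (url -> next url, or None when final).

    Returns the list of URLs visited, first to last. Raises ValueError on a
    redirect loop or an over-long chain, so the caller never spins forever."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = resolver(hops[-1])
        if nxt is None:
            return hops
        if nxt in hops:
            raise ValueError("redirect loop: " + " -> ".join(hops + [nxt]))
        hops.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def registered_domain(host):
    """Crude registrable domain: the last two labels. A real tool would consult
    the Public Suffix List so that e.g. 'example.co.uk' is handled properly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(url, resolver=FAKE_REDIRECTS.get):
    """Expand a shortened link and say whether its destination is really the
    trusted site, merely *looks* like it, or is something else entirely."""
    try:
        hops = expand(url, resolver)
    except ValueError:
        return {"final": None, "hops": None, "verdict": "redirect-loop"}
    final = hops[-1]
    host = urlsplit(final).hostname or ""
    if registered_domain(host) in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
        verdict = "lookalike"      # brand name in the host, but not the real domain
    else:
        verdict = "other"
    return {"final": final, "hops": len(hops) - 1, "verdict": verdict}


if __name__ == "__main__":
    for short in ("http://bit.ly/ex1", "http://bit.ly/ex2",
                  "http://bit.ly/ex3", "http://bit.ly/loop-a"):
        print(short, "->", assess(short))
```

The "lookalike" verdict is the interesting one: the hostname contains the brand name the DM is counting on you to notice, but the registrable domain is not the real one, which is exactly the distinction a shortener without a preview function hides from the reader.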

(PS: Here is an interesting explanation of just why Twitter has the 140-character limit in the first place. An accident of history, really….)

 

Network Access Control Appliances

22 Sep 2009 17:43 EST

SearchNetworking.com on TechTarget recently asked the question “NAC Appliance Vendors: Can You Depend on Them?“, NAC being network access control. NAC means that you don’t let anybody onto your network unless you know who they are, what they’re doing, where they come from, and whether they’re safe. A damn good idea, and seemingly obvious, but it took the industry years to come to agreement that this was a necessary idea. And NAC is, at its core, a very simple idea (though of course the implementations may not be).

So look, the answer here is simple, too. NAC as a capability will someday be found on every single network, even the Internet. It’s just too important not to determine if the people accessing your network are infected or unauthorized.  So NAC is here to stay, and every network will have it.

NAC vendors are another question. John Pescatore is spot on when he says “When you look at NAC, it’s like any other market. If there’s 17 vendors, that’s too many, and if there’s zero that’s too few“. John’s analysis covers how the market will look over the next 3-4 years. (Although I might extend John’s analysis even further out: eventually, buying NAC will be like buying TCP/IP.)

See how simple that is?

 

The Nobel, the Fields, and the …. Netflix?

22 Sep 2009 14:59 EST

Well, of course, there is no Nobel prize in mathematics. The prestigious Fields Medal is similar (although only awarded every 4 years and only to those younger than 40). Notably, some prizes in mathematics and related disciplines, such as the famous Millennium Prize Problems, are awarded only for providing a solution to specific problems. In the case of the Millennium Prize, only one prize has been awarded, for the Poincaré conjecture. Others, including P vs NP, are still up in the air.

This is all pretty dry stuff, although important. The Poincaré conjecture is about the topology of 3-spheres; the other Fields Medals last awarded involved topics such as Schramm-Loewner evolution; and P vs NP is a computability conjecture. It’s all interesting, sometimes even exciting to math geeks like me — it’s just not of general interest or immediate utility. Unlike the Netflix prize.

Netflix? Yeah, them. The Netflix prize is a US$1,000,000 prize for better recommendation algorithms. It’s easy to recognize the general interest and utility here. Consumers get movies they like. DVD publishers get more business. Netflix gets happier customers. But what about the math? It’s real math, and an important area of research. Just check out all the papers from the Association for Computing Machinery (ACM) web site: [Google search]. Real mathematical research that’s useful and cool.

The Netflix prize was recently awarded to a team of researchers called BellKor’s Pragmatic Chaos. Their paper can be found here [PDF]. They used Restricted Boltzmann Machines (RBMs). An RBM is a kind of neural network which is able to learn how to solve combinatorial problems — the science of connections and criteria.

The result means not only a better algorithm for Netflix, but also great research being done in this area, which advances the general state of science and provides useful technology for improving our life experiences.  Netflix is not sitting still; they have extended the contest to Netflix Prize 2 (The Sequel).

This is a great trend, this meeting of mathematical research with entrepreneurialism. I hope this trend picks up lots of momentum.  In my opinion, this is also the way that is most likely to renew the future of space science…combine research and entrepreneurialism.

Citius, altius, fortius!

 

What Web Security Means? Watch Your Wallet.

21 Sep 2009 20:51 EST

You’d have to have been living under a very mossy rock during the last decade to not have noticed the torrents of spam, spyware, adware, tracking cookies, trojans, and viruses washing over the Web landscape.  Admittedly, vendors — even Microsoft to some extent — have been making lots of improvements in protection.  But it’s still wild out there.  And the bad guys have been shifting their game over the last few years. It’s no longer about fun, or proving something, or general mischief. It’s all about the money: our credit card numbers, our bank account numbers, our mothers’ maiden names. It’s even about taking your computer, just a little bit, and turning it into a zombie that is part of a network of hundreds of thousands of other zombies in your unsuspecting neighbors’ family rooms, all ready to do the bidding of a criminal gang.

A large population now uses social networking tools like Facebook, MySpace, Twitter, and the like. These sites have done a lot of work, under a lot of pressure, to improve the privacy aspects of their services. But there’s a funny problem with security on social-networking sites. If you receive annoying spam or even a semi-malicious worm that posts inane stuff to your and your friends’ profiles, it’s quite frankly just an annoyance. Since social networking sites have historically been used mostly for leisure-time activities, advertising, and non-real-time communications, interruptions from security issues just aren’t that disruptive in real-world terms (with certain exceptions, of course).  If I can’t play Lexulous for a few days due to a security issue, my lifestyle and my bank account aren’t affected (though my competitive ego is!).

But now the social networks want my wallet.

Facebook, for example, is getting into handling payments within its framework. MySpace is doing this, too. [Let me just stop there: have you seen MySpace's horrendous design and code? Do you want these same people handling your credit cards?] The ideas are surely a money-maker for them, and a convenience for users. And another pair of security nightmares…

First: worms, viruses, and trojans are going to turn from annoyances to financial risks. If social networks are somehow storing your financial data, then the bad guys (see above) are going to target this data. If MySpace and the others don’t do their jobs very, very well, then they might expose users’ money, not just their blog posts.

Second, fraudsters will see an opportunity in a virtual-goods economy to sell fake things for real money, and steal real money from people hoping to get virtual goods. Again, the social network operators will have to think very hard about how to manage the interface between the virtual economy and the real economy, or real money will leak out of that interface into criminals’ hands.  (It was a joke when Richard Pryor did it. Not so funny when it’s not funny money.)

So the best advice for the crowded, monetized social network? The same advice as for the crowded subway: watch your wallet.

 