Brian Sides With Big Business, Again

CNet reports that Cities brace for broadband war. Why a war?

A hundred years ago, when Louisiana was still literally in the dark, residents of Lafayette banded together to build a city-owned electric utility where once there was little more than swampland. Today, at the dawn of the 21st century, it is hatching plans to lay out its own state-of-the-art fiber-optic broadband network.

This time, the city’s futuristic ambitions are challenged not by the rigors of geography but by obstacles of business: specifically, telecommunications giant BellSouth and cable provider Cox Communications, which claimed the region as their own years ago. But the historic coastal community, known for its eclectic culture and rhythmic Zydeco music, is not about to abandon the pioneering spirit that begat its visionary reputation.

So who’s resisting? Aside from advocates of a limited government, who think that governments shouldn’t waste vast sums of money on gee-whiz gimcracks that benefit a limited number of residents, the businesses whose customers the local government is turning into government dependents:

Across the country, acrimonious conflicts have erupted as local governments attempt to create publicly funded broadband services with faster connections and cheaper rates for all citizens, narrowing the so-called digital divide. The Bells and cable companies, for their part, argue that government intervention in their business is not justified and say they are far better equipped to operate complex and far-flung data networks.

You know I agree with the businesses here. Just because the government can provide a service doesn’t mean it should. Who on the green, green earth would want all of their Internet traffic going directly through routers and servers managed by the government? I guess those who would get it free and would eventually fight tooth and nail, complete with sob stories about how little Timmy wouldn’t get his educational Internet or streaming media, should the government ever need to cut the superfluous expense.

Buy My Books!
Buy John Donnelly's Gold Buy The Courtship of Barbara Holt Buy Coffee House Memories

My Hero

Security for the Paranoid:

I use very long passwords for everything, even with the lamest accounts I have. I require my kids to use at least 14 character passwords on our home network and I’m considering issuing them smart cards. No one else, not even my wife, knows my network password.

I don’t just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

I don’t do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it’s good security. I try to run my own network the same way I tell my clients to.

A Fool and His IT Budget

Firewall to zap XML viruses:

Salt Lake City-based Forum Systems plans to announce the addition of the antivirus module to XWall on Monday. It will be available at the beginning of May, with pricing ranging from $5,000 to $40,000.

The 5-year-old company is one of several companies that make software or devices for securing applications that use XML to format data or XML-based communications protocols, called Web services.

$40,000 piece of hardware specifically to block bad XML from coming into your company? Lord, love a duck, I thought XML Schema Documents (XSD) did that.

There is a need for XML-specific products, according to these companies and industry analysts, because traditional security products are designed primarily to inspect Internet protocols, rather than XML or Web services protocols.

Obfuscation is a virus, too. Those Web services protocols determine how XML messages are formatted, but they’re still sent over common Internet messages that use the same traditional Internet protocols that your native firewalls block. If someone is triggering a denial of service using SOAP against one of your public Web services, you’ll do the same thing you do when blocking a traditional DOS attack: You’ll block the IP addresses from the incoming flood or you’ll block/change the port number/URI of the Web service. No special XML-sniffing necessary.

But now they’ve expanded the service to include software that scans for XML Viruses, which are pretty common, hey?

Although they have not seen viruses written specifically for XML, these applications are still not adequately protected, executives from Forum Systems and CA said.

The only adequate prevention is heat; that is, just burning money on an XML-virus-sniffing and firewall product is the only thing that can protect you from XML! And SOAP! And all the potentially-malevolent buzzwords you don’t understand!

After all, gentle reader, your organization is at risk!

Forum Systems CEO Wes Swenson predicted that XML viruses will become common as people store Office documents in XML format and as developers use the Simple Object Access Protocol, which is written in XML, in tools for company-to-company communication.

The difference between XML files and Office document file types is that XML doesn’t execute code in and of itself. Wrapped in SOAP, an XML document can trigger the execution of a Web service, but that’s not an XML virus. Viruses need to run their contents to propagate, and if you’ve got an XML document that can propagate itself using SOAP, you’ve got a problem with your Web service.

But never mind that; spend the $40,000 and feel good about yourself.

“When you do have an XML-based virus attack, it will affect mission-critical servers as opposed to e-mail server and Web servers,” Swenson said.

The very words mission-critical indicate that CNET has passed on a press release as a news story. XML viruses don’t exist, and cannot exist unless you’ve got an XML-consuming application that’s poorly written and vulnerable to buffer overflow errors or, heaven forfend, runs code contained in XML messages. A DOS attack on a Web service will affect the servers hosting the “mission-critical” Web services, but you don’t need this guy’s product to deal with it.

But, hey, if corporations want it, let them have it.

Meanwhile, I am hard at work here in the lab to protect corporations from insidious ASCII text file viruses. Did you know that your company uses hundreds or thousands of these potentially hazardous files every day and that they can be transmitted through e-mail attachments or automatically copied from the Internet or across networks? And unlike XML files, ASCII flat files, particularly those with file extensions of .java, .cpp, or .vb, can contain malicious code that can take control of your desktop when executed.

Watch soon for the money-sucking Jeracor ASCII Virus Firewall, coming soon.
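The point above, that bad XML is the consuming Web service's problem to reject, sketched as an added example (not code from this post or from any product it mentions). It is a hand-written structural check standing in for XSD validation, because Python's standard library has no XSD validator; the "order" message shape, the limits and the sample messages are all constructed for illustration.

```python
import xml.parsers.expat

# Hypothetical message shape: each element maps to the children it may hold.
ALLOWED_CHILDREN = {
    None: {"order"},
    "order": {"customer", "item"},
    "item": {"sku", "quantity"},
    "customer": set(), "sku": set(), "quantity": set(),
}
MAX_BYTES = 4096  # constructed size cap for one inbound message


class RejectedMessage(Exception):
    """Raised when a message does not match the expected shape."""


def validate_order(raw: bytes) -> dict:
    """Parse an inbound message as inert data, rejecting anything unexpected."""
    if len(raw) > MAX_BYTES:
        raise RejectedMessage("message too large")
    stack, buf, item = [], [], {}
    order = {"customer": None, "items": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # No DTDs means no entity definitions to expand or fetch.
        raise RejectedMessage("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        parent = stack[-1] if stack else None
        if name not in ALLOWED_CHILDREN[parent]:
            raise RejectedMessage(f"unexpected element <{name}>")
        if attrs:
            raise RejectedMessage(f"unexpected attributes on <{name}>")
        stack.append(name)
        buf.clear()

    def on_text(data):
        if not stack:
            return
        if ALLOWED_CHILDREN[stack[-1]]:       # container element
            if data.strip():
                raise RejectedMessage("text outside a leaf element")
        else:
            buf.append(data)                  # leaf text may arrive in chunks

    def on_end(name):
        stack.pop()
        value = "".join(buf).strip()
        buf.clear()
        if name == "customer":
            order["customer"] = value
        elif name == "sku":
            item["sku"] = value
        elif name == "quantity":
            ok = value.isascii() and value.isdigit() and 1 <= int(value) <= 1000
            if not ok:
                raise RejectedMessage("quantity must be an integer 1..1000")
            item["quantity"] = int(value)
        elif name == "item":
            if set(item) != {"sku", "quantity"}:
                raise RejectedMessage("item needs one sku and one quantity")
            order["items"].append(dict(item))
            item.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    if not order["customer"] or not order["items"]:
        raise RejectedMessage("order needs a customer and at least one item")
    return order


def is_accepted(raw: bytes) -> bool:
    try:
        validate_order(raw)
        return True
    except RejectedMessage:
        return False
```
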

Mad Libs Feature Writing

FanC a d8? Never fear, text messaging is here:

Welcome to (INSERT TECHNOLOGY), the newest, easiest way to show someone you’re interested. Simply (INSERT TECHNOLOGY USE). No more love letters, no more “baby, what’s your sign?” and best of all, no more face-to-face rejection.

“It’s such an easy way to break the ice,” Holstack said. “Approaching girls in a bar can be so intimidating and this takes the approach part out of the equation. The worst reaction I could have gotten was her not replying and I’ll take that over her laughing in my face any day.”

Holstack, it seems, is not alone. With more than 30 million registered (INSERT TECHNOLOGY) users sending more than 30 billion (INSERT TECHNOLOGY) each month, it’s clear that romance seekers like (INSERT TECHNOLOGY USER) will not be without a date for long. More than 50,000 people are registered for (INSERT TECHNOLOGY) in Missouri, with 8,800 in the St. Louis area alone, suggesting that many people are beginning to realize that their (INSERT DEVICE) can also be the key to a successful dating life.

Let’s try some of these combinations from the past:

  • Poetry; write a sonnet; poetry; pieces of doggerel; Lord Byron; poetry; quilled pens.
  • Video Dating Services; tape yourself discussing what you want; video camera; video tapes; Mike Jones; video dating services; VCR.
  • Bulletin Board Systems; connect to a BBS computer and post; modem; bulletin board messages; John Smith; BBS Handles; modem.
  • Chat rooms; answer an age/sex check; AOL; chat conversations; STLDAD4CHIX; chat rooms; computer.
  • Instant message; type a message; IM; messages; janedoe@hotmail.com; IM clients; computer.
  • wireless text flirting; punch in the requisite letters, type in your destination phone number, and hit send; text users; text messages; SMS
    (short messaging service); cell phone.

Hey, I got a precognition!

Welcome to Cranial Bluetooth Implants, the newest, easiest way to show someone you’re interested. Simply pass by the attractive member of the desired gender identity. No more love letters, no more “baby, what’s your sign?” and best of all, no more face-to-face rejection.

“It’s such an easy way to break the ice,” Holstack said. “Approaching girls in a bar can be so intimidating and this takes the approach part out of the equation. The worst reaction I could have gotten was her not replying and I’ll take that over her laughing in my face any day.”

Holstack, it seems, is not alone. With more than 350 million registered government-mandated implantees sending more than 30 billion Bluetooth thought transmissions each month, it’s clear that romance seekers like 19897267 will not be without a date for long. More than 350,000,000 people are registered for tracking in the United States, with 800 remaining residents in the St. Louis area alone, suggesting that many people are beginning to realize that their proper thoughts can also be the key to a successful dating life.

Every generation rediscovers the uses of current technology in dating, and it’s always the hippest thing about which to write.

AOL Is Funny

AOL is a funny animal. Hey, I’ll admit I first got onto the Internet using AOL and that I still use AOL (I’m a Web application tester, gentle reader, so I use more browsers and operating systems on any given day than you’ll probably use in a year). But come on, some of their things are just funny.

Let’s start with this scenario. You know how AOL always warns you that no one from AOL will ever ask for your credit card information, your password, and so on? Well, if your credit card information changes (such as a new expiration date), what does AOL do?

Of course! It throws up a prompt for you to enter credit card information:

[Screenshot: AOL Billing]

Why, oh why, would AOL expect its users to type their information into a prompt like this? Because they’re AOL customers, that’s why!

Back in the dial-up days of the mid nineteen nineties, AOL had trouble getting enough lines at its access numbers to accommodate the surging demand. Some people were leaving their computers connected when they weren’t at the computer, tying up those precious lines. So AOL deployed the Idle Message, a message that popped up for every user fifty minutes after the user logged in; if the user didn’t click OK to indicate they were still using the computer, AOL booted them. Many times, it kicked me off in the middle of a download. Handy.

Apparently, AOL’s gotten more sophisticated and has set the message to determine when the user is not doing something. I assume such because it’s called the Idle Message. I’ve never seen it, but I have seen this:

[Screenshot: AOL Idle Message Off]

That’s right, since I have apparently turned off the Idle Message in my AOL for Broadband connection, AOL still pops up a message box to indicate I have been idle. The titlebar? Idle Message Off.

I think that AOL is trying to use paradoxes and irony to cause a rift in the space-time continuum so it can reach through to an alternate universe where its merger with Time-Warner was a good idea. It’s only a working theory, though, and I might be wrong.

Go Phish

Some phish scammers really don’t put any effort into it. Check out this phish I received today and the domain that displays when I mouse over the “official” link provided:

[Screenshot: Go Phish]

I mean, come on, how about registering a second host name aside from your primary line of business, pornography, guys? Is a little effort too much to expect from confidence boys?

A Technology Consumers Won’t Embrace

Ever need to phone 7,000 people at once?

If you ever need to get in touch with several–or several thousand–people at once, Send Word Now has the software for you.

The New York City-based start-up is promoting a communication application at PC Forum that lets a user type a message on a PC that then transforms into a phone call to a few people, or a few thousand. (PC Forum is owned by CNET Networks, owner of News.com.)

Though the urgent message currently needs to be typed into a PC (or broadcast from a company’s server farm), on April 7, Send Word Now will announce that customers can broadcast messages with a Palm handheld.

Wonder how companies will use this technology, huh? Two words: Phone Spam.

Brian Likes the URL String

In my capacity in software QA working on Web applications, I know there’s no easier means of havoc than to mess with the URL string sent to the Web application. Looks as though some “hackers” have discovered the same with a university application, um, application:

The ApplyYourself code had a bug such that editing the URL in the “Address” or “Location” field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.

But I bet the company saved a bundle of money by avoiding the whole quality assurance thing.

(Link seen on Outside the Beltway.)
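The kind of check QA would look for here, as an added example (not ApplyYourself's code; the URL shape, session table, release date and decisions are all constructed): the "before" handler answers whatever the edited URL asks for, while the checked handler takes the applicant from the server-side session and enforces the notification date itself.

```python
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed sample data for a hypothetical admissions status page.
RELEASE_DATE = date(2005, 3, 30)
DECISIONS = {"1001": "admit", "1002": "deny"}
SESSIONS = {"sess-a": "1001", "sess-b": "1002"}   # session token -> applicant


def _query_id(url):
    """Return the single 'id' query parameter, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query).get("id", [])
    return values[0] if len(values) == 1 else None


def status_unchecked(url, session, today):
    """'Before' handler: relies on nobody typing the URL before release day."""
    applicant = _query_id(url)
    if applicant in DECISIONS:
        return 200, DECISIONS[applicant]
    return 404, "not found"


def status_checked(url, session, today):
    """Hardened handler: identity and release date are decided server-side."""
    applicant = SESSIONS.get(session)
    if applicant is None:
        return 401, "login required"
    requested = _query_id(url)
    # The URL may name a record, but it never overrides the session's identity.
    if requested is not None and requested != applicant:
        return 403, "forbidden"
    # The gate lives in the handler, not in when the link gets published.
    if today < RELEASE_DATE:
        return 403, "decisions not yet released"
    return 200, DECISIONS[applicant]
```
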

The End is Nigh

On September 30, 2005, Teddy Ruxpin became self-aware:

The teddy bear sitting in the corner of the child’s room might look normal, until his head starts following the kid around using a face recognition program, perhaps also allowing a parent talk to the child through a special phone, or monitor the child via a camera and wireless Internet connection.

Therapists from the future undoubtedly provided the venture capital for this innovation.

Special Shout At

And I’d like to send this little shout at to Netscape, whose 7.2 browser has a setting to block unsolicited pop-up ads, but whose default home page, http://home.netscape.com/, gets around the browser setting and throws a pop-up ad anyway.

That’s smooth, fellows. Way to destroy any brand loyalty you might have had from us old-school dogs.

Deploy the Lovecraft

Lileks on people who knock the iPod:

Let me speak for millions here who just want to listen to music: I don’t care about Ogg Vorbis. If Ogg Vorbis came to my house and waved tentacles at me demanding in a slobbery moan that I kneel and submit, I would shoot it. I don’t know what it is and I don’t care.

Ïa! Ïa! Ogg Vorbis the Infernal Codecs with a thousand bits!

Undoubtedly, certain swarthy cultists are swaying and chanting esoteric eldritch hymns even now. Probably amid a foetor, too.

That Will Do The Trick

To combat SQL databases that are free if you could only properly download and install the things, Microsoft announces a SQLServer price cut:

The company plans to introduce SQL Server 2000 Workgroup, a version for small businesses priced at $3,899 per processor, in the first half of this year. It will also add several features to the upcoming SQL Server 2005 update, which is due in the summer, and extend a reselling relationship with Dell, which will allow its customers to get support from the PC maker.

Yeah, that ONLY FOUR GRAND will surely reel in cash-strapped small businesses and startups.

Misplaced Paranoia

In a column entitled Desktop search threatens your privacy, columnist David Sheets builds a long story about how desktop search applications can threaten your privacy. His main point stems from the thought summed up in the first part of the following quote:

“The thing is, somebody who sits down at your computer after you’ve just used it can go back and look at everything you’ve done, even if you’ve just used your credit card to buy something or typed in your password to your bank account,” Moore said. “If no one has access to your computer, then you’re OK, for the most part.”

You know, if someone untrustworthy sits down at your computer and wants to do bad things, he or she is not going to use your desktop search. He or she will install backdoors and keystroke loggers and can just use Windows Explorer or the freaking Start menu to go through everything on your PC at will.

But some of you want the advice of your shidoshi of paranoia, and I will dispense the wisdom. What can you do to prevent someone from sitting at your computer and finding out your innermost secrets or sitting at your computer and installing malicious software?

You must always properly secure your computer chair.

Your revered sensei of paranoia always locks his computer chair in the closet when he’s going to be away from his desk; as anyone knows, a burglar with hacking skills or an FBI agent with a court-ordered spyware kit won’t be able to work their dark magic on his computer if they don’t have somewhere to comfortably sit while doing so. Hackers, social engineers, and their ilk simply won’t abide by standing, kneeling, sitting on the desk, or bringing their own folding chairs to your computer.

This simple step, often overlooked by computer users, can render your computer more secure immediately.

Wrong Focus

AOL to expand capabilities in Web searches:

America Online is expanding its online search capabilities in an effort to establish a bigger presence in the lucrative search-advertising market.

AOL is expected to announce on Thursday that it has teamed up with several technology suppliers to help it offer expanded search functions, such as improved geographic-based searches, clustering results by topic and helping people refine their searches through suggested alternative keywords.

AOL plans to expand the advertising appearing on its search page, the article said. It will also use the unusual approach of charging advertisers based on how many telephone calls are generated by their ads.

No word about improving the customer experience; if anything, it looks like it will adversely impact the user experience with the inclusion of more advertising.

Perhaps AOL should stop the continuous loop of Field of Dreams at headquarters. Just because you build it does not mean the users will come.

Zoo-Sized Pet Peeve

You know, I really hate when advertisements in online papers require an additional download to view. For example, in the stories today on StL Today, the online arm (complete with swinging arm flab) of the St. Louis Post-Dispatch, an in-article advertisement needs a plug in and instead of displaying with all its clock-cycle-grabbing beauty, overlays the actual text in the story.

Here’s a quick word to you online marketing types: I am not going to download a plugin to see advertising. What were you thinking? Pinheads.

The Government is my Firewall

Whenever I read a story like the one I saw on CNN.com entitled “Bush pressed for more Net security”, I immediately start putting the words crony and capitalist together and start leaving laissez-faire alone. For once we get into the details (that is, the first paragraphs), we see what this group wants:

Computer-security experts, including former government officials, urged the Bush administration on Tuesday to devote more effort to strengthening defenses against viruses, hackers and other online threats.

The Bush administration should spend more on computer-security research, share threat information with private-sector security vendors, and set up an emergency computer network that would remain functional during Internet blackouts, a computer-security trade group said.

It’s a trade group, which represents companies that take money to do computer security services such as researching computer-security, sharing threat information with private sector security vendors (each other), and setting up emergency computer networks to remain functional during Internet blackouts. That is, the trade group wants the government to devote money to pay to the trade group’s members. The call is as relevant as any group of potato farmers or mohair ranchers shrieking that the people of the United States need their product to survive.

I am alarmed, however, with the amount of play and seriousness given to the idea that the government should do something to ensure the security of computer networks. As companies have sacrificed security in developing their infrastructures and network capabilities in favor of cost savings, expediency, and convenience, they should not expect a government bailout now. The government undoubtedly should expend public funds to ensure that its capabilities remain intact during an emergency, but it shouldn’t retrofit, expensively and bureauwastefully, security for any factory or utility that placed its flow controls online on the Internet for convenience and a chance to lay off people who would have to check those controls in person. I don’t want to spend tax money to ensure that my bank is secure nor that my credit card companies can weather an attack, nor to ensure that my power company can continue delivering amperage down my pipes; that’s a cost of business, which the businesses often pass on to me through service fees and surcharges so that those costs don’t come out of the profit margin and the shareholder’s take.

However, these lobbyists want the best of all worlds: surcharges to charge consumers for the cost of business, and the government, and by that I mean us taxpayers, actually paying for the costs of business. Since the customer or taxpayer backlash hasn’t arisen, Willie, it’s go time.

As a taxpayer and a customer, I don’t look forward to the expanding synergy between government security administration and private industry. Let’s take an example from recent history: airports. Airlines, leaky boats which the government frequently bails out with buckets of taxpayer cash, and airport authorities, government bureaucracies in their own right in many cases and not very good at for-profit in others, abdicated their obligation to secure their places of business. First, they took government funds to pay for their own surly security employees, and when that wasn’t enough, the government stepped in and provided its own employees, surly and unaccountable to the private sector, to grope grandma.

So call it a slippery slope if you will, but private/public partnerships do resemble a water park. If a group of lobbyists paid highly by companies, whether profitable or failing, calls for government aid, they often get more than we customers or taxpayers want or deserve. Imagine a decade hence, when companies have pissed away the government funding on efforts to secure further government funding–which is where most government funding goes, even in the government. The private-public partnership has failed, and some legislator who wants to get on television midwifes the Computer Security Administration (CSA). This new authority dictates that computer owners must install the government flavor of McAfee anti-virus and must allow the government to schedule scans twice a week. Anyone who does not let the government perform its security function, loosely defined by Congress and arbitrarily envisioned by a mid-level Homeland Security manager looking forward to a better appointed position, faces a fine or felony charges just like impudent fliers do now. Our leadership class explains that responsible Internet travellers must accept this sacrifice, and the media will find some AOL user to explain that it’s a good idea and doesn’t impair his experience at all (it wouldn’t). The government gets to scan your hard drive every night for the good of the nation, and if you don’t like it, in four years you can vote for a different legislator too timid to agitate for its reversal.

Once the government takes over the security, all customer ill will regarding the inconvenience and the intrusiveness of the practices goes to the government and its employees, and the companies and their trade groups can only shrug their collectivist shoulders and say to their customers, sorry, it’s the government running its fingers over your shapely posterior, not us. All responsibility for irresponsibility successfully shirked, the trade groups can turn their attention to the next government handout–and hand over.

Sound crazy? Imagine what you would have thought about current TSA practices in 1994. Or 1987.

To make a short story long, Internet and corporate network security are not the government’s business. They’re the exclusive burden of companies who choose to participate in networks and of the consortia and standards bodies and organizations, well, organized by private industry. If our “capitalist” industries cede that obligation to the government, they’re putting their short term cost savings ahead of the ultimate best interests of their customers and the interests of the citizens of the Republic.

Open Sourcers Hate Technical Writers

There, I’ve said it: those whack job developers in the open source movement absolutely hate technical writers and seek, in their passive aggressive ways, to make communications professionals look stupid. My proof? Recursive abbreviations.

Look, when a technical writer puts an abbreviation into a document, he or she should spell it out the first time, like this: Java Server Pages (JSP).

But these damn silly recursive abbreviations look really silly when presented this way: PHP Hypertext Protocol (PHP) or GNU’s Not UNIX (GNU).

It’s designed so that technical writers cannot sound intelligent while trying to explain the esoteric and eldritch secrets of the divine open-source technology technotheocracy and so that the rabble–that is, the users, cannot fathom the depths of their geniuses.

Pathetic, that’s what it is. And I call it.
