Tuesday, June 28, 2005

Ballmer: .NET is stalled


Picture credit: http://www.techriots.com
I'm not sure exactly what Microsoft's President is referring to when he posits that .NET has been "stalled" for the last year. In corporate America, .NET seems to be making positive headway against J2EE-based solutions. It does seem, however, that in the SME and Internet hosting world, open-source and mixed-source solutions (e.g., Zend's PHP-based offerings) dominate. And there's no reason that Microsoft, like Oracle and IBM before it, can't coexist with the increasingly popular LAMP stack.

Think .NET web services with multi-platform front-ends, for instance. Some advantages come to mind: a non-homogeneous infrastructure, which has certain cost and security advantages; the ability to leverage pieces of the LAMP stack; less vendor lock-in; reduced licensing costs; and so forth.

Asked about the future of its .NET strategy, Ballmer admitted the platform "had stalled in the last 12 months". But there would be a renewed .NET push, he said, and this was "an assigned priority" for the government sector.

"Government has really been pushing for stronger interoperability. We can't support open source but we can support interoperability," he said.


News.com: Ballmer: We'll kick-start "stalled" .NET
 

Monday, June 27, 2005

Underhanded Code


Picture credit: http://www.irasov.com
The invaluable Bruce Schneier points us to the Underhanded C Contest. The challenge: write source code that looks innocent yet provides a malicious capability. Some of the samples I've seen employ obfuscated buffer overflows to launch their malevolent behavior.

Two thoughts ran through my head after reading this:

1) What, if any, are the implications for the open-source community? Some closed-source advocates might point to this example as evidence of open-source insecurity ("...see, even with full transparency, it's possible to infect a distro..."). I personally don't buy that argument. After all, we're forced to trust that closed-source vendors thoroughly vet code and developers.

Furthermore, last year's well-publicized anti-open-source polemic (EE Times: "Linux: unfit for national security") hasn't exactly swung opinion, at least from what I can tell.

2) A previous missive on self-replicating code referenced Ken Thompson's classic ACM article, "Reflections on Trusting Trust." In it, he describes why compilers -- written in the language they compile -- can't be trusted. Why? Because someone could surreptitiously modify the compiler source to infect every piece of code it builds with a malicious payload, and a compiler built from that modified source can re-insert the modification whenever it compiles its own (clean) source, so the taint survives even a source-level audit. Imagine an underhanded modification to gcc, for instance.

The Underhanded C contest is a good idea. It forces us to carefully consider code contributions in this, the golden age of Marvel Comics open-source software development.
 

Hussein's Iraq and Al Qaeda


Picture credit: http://www.husseinandterror.com
Thanks to the National Review Online's Deroy Murdock, here's a compendium of various ties between Hussein's Iraq and Al Qaeda. Andrew McCarthy also described these ties in a separate article. And, of course, no roundup is complete without mentioning Murdock's multimedia presentation entitled "Hussein and Terror" (not for the faint of heart).

In any event, these make for interesting reading when transformed into an easily readable list of activities:

o After running an al-Qaeda training camp in Afghanistan, [Zarqawi] found his way to Baathist Baghdad, where he reportedly checked into Olympic Hospital, an elite facility run by the late Uday Hussein, son of the captured tyrant. Zarqawi is believed to have received medical treatment for a leg injury sustained while dodging American GIs who toppled the Taliban. He convalesced in Baghdad for some two months. Once he was back on his foot, Zarqawi then opened an Ansar al-Islam terrorist training camp in northern Iraq...

o According to the Clinton Justice Department's spring 1998 indictment of bin Laden, "Al Qaeda reached an understanding with the government of Iraq that al Qaeda would not work against that government and that on particular projects, specifically including weapons development, al Qaeda would work cooperatively with the Government of Iraq."

o In what the CIA nicknamed "Operation Dogmeat," two Iraqi students who lived in the Philippines tried to demolish U.S. Information Service headquarters in Manila. Iraqi diplomat Muwufak al Ani met with the bombers five times before the attack. His car even took them near their target on January 19, 1991. Their bomb exploded prematurely, killing Ahmed J. Ahmed, but his accomplice, Abdul Kadham Saad, survived and was whisked to a Manila hospital. Saad, carrying documents bearing two distinct identities, asked staffers to alert the Iraqi embassy, then recited its phone number.

o Around this time, according to former high-level CIA counterterrorist Stanley Bedlington, Hussein paired Iraqi intelligence operatives with members of the Arab Liberation Front to execute attacks. "The Iraqis had given them all passports," he said, "but they were all in numerical sequence." These tell-tale passport numbers helped friendly governments nab these terror teams.

o President George Herbert Walker Bush ignored information that Hussein "was offering state payment to terrorists," then-Senator Al Gore (D., Tennessee) declared on October 15, 1992. Gore also listed more than a dozen examples of Iraq-sponsored terrorism and said "an estimated 1,400 terrorists were operating openly out of Iraq."

o "In 1992, elements of al Qaeda came to Baghdad and met with Saddam Hussein," Abu Aman Amaleeki, a 20-year veteran of Iraqi intelligence, said on ABC's Nightline on September 26, 2002. Speaking from a Kurdish prison, he added: "And among them was Ayman al Zawahiri," bin Laden's chief deputy. "I was present when Ayman al Zawahiri visited Baghdad."

o Former Iraqi Intelligence Service (IIS) Deputy Director Faruq Hijazi, reports a reliable foreign spy agency, supplied blank Yemeni passports to al Qaeda in 1992.

o Mohammed Salameh, a 1993 World Trade Center attacker, called Baghdad 46 times in the two months before bomb maker Abdul Rahman Yasin flew from Baghdad to New Jersey to join the plot. Salameh's June 1992 phone bill totaled $1,401, which prompted his disconnection for non-payment. After the blast — which killed six individuals and injured 1,042 — Yasin fled to Baghdad, where records and multiple press accounts show he received safe haven and Baathist cash.

o Based on a 20-page IIS document discovered in Baghdad, the Defense Intelligence Agency reports that "Alleged conspirators employed by IIS are wanted in connection with the [June 25, 1996] Khobar Towers bombing and the assassination attempt in 1993 of former President Bush."

o In an October 27, 2003 memo, Defense Undersecretary Douglas J. Feith explained Hussein's bonus pay for terrorists: "Iraq increased support to Palestinian groups after major terrorist attacks and...the change in Iraqi relations with al Qaeda after the [1998 east African] embassy bombings followed this pattern." A top Philippine terrorist also said Iraq's payments to the al Qaeda-tied Abu Sayyaf grew after successful assaults.

o ABC News reported on January 14, 1999, that it "has learned that in December [1998] an Iraqi intelligence chief, named Faruq Hijazi, now Iraq's ambassador to Turkey, made a secret trip to Afghanistan to meet with bin Laden."

o On January 5, 2000, Malaysian intelligence photographed September 11 hijacker Khalid al-Mihdhar being escorted through Kuala Lumpur's airport by VIP facilitator Ahmed Hikmat Shakir, an Iraqi recommended to Malaysian Airlines by Baghdad's embassy there. The pair soon were photographed again at al Qaeda's three-day planning summit for the October 2000 U.S.S. Cole and 9/11 attacks. Three separate documents recently unearthed in Iraq identify an Ahmed Hikmat Shakir as a lieutenant colonel in Uday Hussein's elite Saddam Fedayeen.

o Ahmed Khalil Ibrahim Samir al Ani is the former Iraqi diplomat suspected of meeting September 11 ringleader Mohamed Atta in Prague on April 8, 2001, and possibly June 2, 2000, the day before Atta flew from Prague to Newark, New Jersey. Top secret Pentagon records cite a Czech intelligence report that al Ani "ordered the IIS finance officer to issue Atta funds from IIS financial holdings in the Prague office." During the summer of 2000, $99,455 was wired from financial institutions in the United Arab Emirates to Atta's Sun Trust bank account in Florida.


Murdock: Hussein and Terror

Update: SoCalPundit has an excellent set of resources that clarify the links between Hussein's Iraq and Al Qaeda.

Sunday, June 26, 2005

Iraq, WMDs, and al-Zarqawi: the Jordan Trial


Picture credit: CNN
I haven't seen much coverage of a trial that's taking place in Jordan. Thirteen men affiliated with al Qaeda are accused of planning to detonate chemical weapons on instructions from Musab al-Zarqawi.

"They sought to disperse poisonous gases which would have caused death, illnesses and blindness," Col. Najeh al-Azam testified. Al-Azam is a chemical expert in Jordan's Security Services, which investigated the group and foiled the plot in April of 2004.

Jordanian officials believe that if the attack had been carried out, thousands of people would have perished.

The Guardian elaborates:

...Islamic militants planned to detonate an explosion that would have sent a cloud of toxic chemicals across Jordan, causing death, blindness and sickness, a chemical expert testified in a military court Wednesday.

...The accused include al-Qaida's leader in Iraq, Abu-Musab Al-Zarqawi, and three other fugitives who are being tried in absentia...


CNN discusses the links between the suspects and al-Zarqawi in more depth:

Photo: Azmi Jayyousi (CNN)

Jordanian intelligence suspects Jayyousi returned from Iraq in January after a meeting with al-Zarqawi in which they allegedly plotted to hit the three targets in Amman.

In a series of raids, the Jordanians said, they seized 20 tons of chemicals and numerous explosives. Also seized were three trucks equipped with specially modified plows, apparently designed to crash through security barricades.

The first alleged target was the Jordanian intelligence headquarters. The alleged blast was intended to be a big one.

"According to my experience as an explosives expert, the whole of the Intelligence Department will be destroyed, and nothing of it will remain, nor anything surrounding it," Jayyousi said.


John at Powerline notes:

...after the fall of Afghanistan at the end of 2001, Zarqawi and other al Qaeda veterans made their way to Iraq, where, secure under the wing of Saddam Hussein, they plotted chemical weapons attacks on countries friendly to the U.S., as well as the murder (successfully carried out) of an American diplomat. And yet, to this day it remains an article of faith on the left that Saddam's Iraq was a kite-flyer's paradise with no connection to international terrorism, no relations with al Qaeda, and, of course, no chemical weapons. Maybe the current trial will reveal where the chemicals assembled for the attack on Jordan came from; maybe it won't. But we don't need any new information to understand that Saddam's regime protected and supported the deadliest of al Qaeda's terrorists.


And how do we know Zarqawi ended up in Iraq after the fall of Afghanistan? From numerous reports, including those published by the traditional neocon press outlets including the New York Times and al Jazeera:

According to Jordanian court documents, after the U.S. invasion of Afghanistan, Zarqawi left for Iraq via Iran, eventually settling in the corner of northern Iraq controlled by Ansar al-Islam.[79]

The next known sighting of Zarqawi came from Jordanian officials, who claim that they spotted Zarqawi on Sept. 9, 2002, when he illegally entered Jordan from Syria.[80]

A month later, senior American diplomat, Laurence Foley, was murdered outside his home in Amman. Jordanian agents arrested three men involved in the killing who claimed that they had been recruited, armed, and paid by Zarqawi. He was sentenced to death in absentia. Court documents claim that Zarqawi planned and financed the operation during his stay in Iraq.[81]


So, just to recap: a major terrorist leader affiliated with Al Qaeda used Iraq as a base of operations prior to the U.S. invasion. Not only did he orchestrate the murder of a senior American diplomat, but he was knee-deep in a WMD attack designed to kill thousands.

No, there's no story here. Just go about your business.

PowerLine: Pay No Attention to the Terrorists Behind the Curtain
 

Parliament of Obstructionists


Picture credit: http://www.willisms.com
In other words: the Democratic party circa 2005. Michelle Malkin points us to WILLisms' all-too-revealing summary of senior Democratic officials' rhetoric. I laughed. I cried. It moved me to post this entry. Here's a taste, but read the whole thing:

When [Nancy "Majority Insurance" Pelosi was] queried on her plan for saving Social Security, [she] offered this eye-opening comment:

"...why should we put a plan in? We will go — our plan is to stop him from — stop him. He must be stopped."


Yes, the Democratic party... ensuring its minority status for years to come.

WILLisms: Rabid Donkeys On The Loose
 

Saturday, June 25, 2005

The Hub of Digital Media Convergence: Lawrence, Kansas


Picture credit: http://www.robcurley.com
It's true, Virginia. Lawrence, Kansas is the hub of digital media convergence. Why? Because it's home to Rob Curley, the Lawrence-Journal World's director of New Media. Arguably the most visionary convergence journalist in the world, Curley has orchestrated the construction of:

The Lawrence-Journal World - the newspaper's online presence, winner of the 2004 Edgie award for best overall news site (under 75,000 population), another award for most innovative visitor participation, and an EPpy Award for the Best Internet News Service.

Lawrence.com - a gen-Y entertainment site, which has won both an Edgie award for best entertainment site and an Eppy award for best overall design.

KUsports.com - the Kansas University sports site, which has won Edgie awards for best sports site and most innovative use of digital media.

Curley's tenet is to ignore national news, because he doesn't want to compete with CNN. Instead he provides an unbelievable level of local detail - at one point even covering age 9 to 12 sports like T-ball as if it were the major leagues. Boxscores, interviews, pictures of the fields.... one little kid even had a classic quote during an online interview: "I'm really seeing the ball well now... I'm in a groove".

To give you a sense of Curley (and his team's) creativity, consider the following KUsports features:

Weather - a game-time weather mapper that modifies the conventional local weather maps to add local landmarks ("...the wind's blowing straight past Joe's Pizza into the stadium...")

Simulations - Curley's team simulated the entire Kansas football schedule using an Xbox, created broadcasts of the simulated games, and even generated a complete database of online stats (Curley: "...and just like in real life, our virtual kicker sucks...").

Statistics - the team hired an intern to enter the boxscore of every Kansas game since the 19th century into a complete, searchable database.

Want to hear from the visionary himself? Take the time to listen to this highly entertaining interview with Curley. Then visit his blog from time to time. Creativity and a laser-like focus on the business are rare traits in a single person.
 

Friday, June 24, 2005

The Google AdSense Mystery: Revisited


Picture credit: http://www.google.fr
I have some questions regarding my AdSense reports. Whoa, let me back up a bit. I use Google AdSense, primarily to familiarize myself with context-sensitive ad networks. I place AdSense text ads on my blog, a discussion board, and a newsletter that gets sent out from time to time. Check out this report of advertising performance over the last few months:

Date range               Page Views   Clicks   Revenue
Dec 1 - Dec 22, 2004        282,504       83    $23.73
Jan 1 - Jan 22, 2005        328,126      131    $32.48
Feb 1 - Feb 22, 2005        318,908       80    $12.95
Mar 1 - Mar 22, 2005        379,831      474    $63.81
Apr 1 - Apr 22, 2005        280,116      544    $60.10
May 1 - May 22, 2005        281,606      454    $55.48
June 1 - June 22, 2005      228,743      307    $36.94


Okay, so here are my questions:

1) What in the name of Rowdy Roddy Piper caused the "click-through explosion" between 2/05 and 3/05?
2) What in the heck happened to my traffic in June?
3) And what ever happened to Marie Osmond?

In all seriousness, I really wonder about #1. Were my astounding improvements in click-through typical for most Google AdSense outlets? If so, it's no wonder Google had breakout earnings last quarter.

And is my drop-off in click-through percentage typical for the Google network? And, if so, what are the implications for Google's results this quarter?
 

Scotus: Property Rights


Picture credit: http://www.getusout.org
The Supreme Court decision known as Kelo, which is concerned with the seizure of private property for the public good, has raised a veritable firestorm of controversy. Argue with Signs has an extensive collection of reactions from the blogosphere:

The Supreme Court has ruled that cities can seize homes through eminent domain for lame purposes such as “economic development.” ...

Bryan Costin: So now, apparently, the only justification the government needs to take away your house and land is that the government wants more money. Have you ever met a government that didn’t want more money? Me neither.

Dan Melson: This is about fat wallets, yes, but it isn’t intrinsically and unavoidably linked solely to fat wallets. Below that, more importantly, is the ability to move things politically. Once the public taking of property depends upon who has the loudest political voice, no one is safe. Down this path lies madness. Stark raving insanity.


Putting the decision in context, John at Powerline notes:

...a Minneapolis suburb condemned a stretch along the metropolitan area's major beltway to serve as the new headquarters for Best Buy Company. This was prime real estate, which was already occupied by other profitable businesses--a major car dealer, restaurants, etc. They resisted the taking, but it was upheld.

My point is not that these decisions were correct--I have considerable sympathy for the other side--but rather that the Kelo decision shouldn't come as a shock to anyone who has been following this area of the law...


Argue with Signs: Scotus: Property Rights
 

Kennedy vs. Rumsfeld


Picture credit: http://one38.org
There's just something fundamentally disturbing about this transcript of SecDef Rumsfeld's appearance before the Senate. It's not just the corrosive tongue-lashing from Senator Kennedy. And it's not the 55-gallon drum of vitriol or the pandemic talking points (soon to appear in an Al-Jazeera op-ed piece). It also appears to me to be a blatant hip-check of Durbin, stage left. Radioblogger sums up the transcript in concise fashion:

What is truly amazing about Kennedy's rant is what the alternative, [Kennedy]-controlled universe would be today.

Saddam Hussein would still be in power, he would still be bribing his way out of the U.S. sanctions, and he would be continuing to reconstitute his WMD program, with the full intent on being a regional, if not global, threat. He would still be writing checks to families of Palestinian suicide bombers in Israel. His sons would still be literally raping and pillaging the landscape. Graves would still be filled, people would still be persecuted. Libya would not have turned over weapons information, and Syria would still run Lebanon. But I guess to Ted Kennedy, the world would be a much better place.


RadioBlogger: Kennedy vs. Rumsfeld
 

Thursday, June 23, 2005

Book Review: MoneyBall



I just posted the following review on Amazon:

You need not be a baseball fan to appreciate Michael Lewis' MoneyBall. Lewis tracks Oakland A's GM Billy Beane, who built a series of powerhouse ballclubs with a major handicap. Despite having a payroll that was petty cash to teams like the Yankees, Beane's clubs excelled. A series of excellent finishes, culminating with a playoff series that took the Yankees to the limit, solidified Beane's reputation. But how did he do it?

Beane's unconventional methods were the key. Using Bill James (of Baseball Abstract fame) as an inspiration, the A's GM hired the best and brightest statisticians and dispensed with the conventional wisdom of opinionated scouts. So what if a college catcher had a "bad baseball body"? Beane didn't care. He was concerned with metrics like on-base-percentage, which turns out to be a much better predictor of major league success than any scout.

Dealing with players as business units, each with measurable ROI (return on investment), Beane bought low and sold high. If a closer cranked out a bunch of saves, Beane figured he could trade him for higher value than he was really worth. Saves were a misleading statistic: strikeouts, walks, and home-runs-allowed were the only true ways to measure a pitcher's performance. A "superstar" was simply a stat-generating machine and if the same amount of money could be leveraged on someone else that could yield similar stats, why not make a trade?

In retrospect -- and like all great ideas -- Beane's tenets are remarkably simple. It's just interesting that it took baseball over a century to figure out that stats such as ERA and RBI are pretty much meaningless. What matter are stats that historically prove to be predictors of baseball victories: on-base-average and slugging average for batters, for instance. A quick, fascinating read, MoneyBall is an elegant look at a smart GM and his godfather: Bill James.
 

Oh, those dangers of outsourcing, part V


Picture credit: Online Sun
Have a seat. Please. Ready for yet another identity theft debacle? Here's another assault vector: outsourcing, which we also discussed in May.

Following closely on the heels of the Indian call center fraud scandal, the Pakistan telecom strike, the Bangalore bomb scares at Wipro and Infosys, and various terrorist threats, the offshored back office is a dangerous place. And I don't mean just for the workers, but for citizens abroad whose data is handled by firms with questionable vetting practices.

The Sun reports:

Crooked call centre workers in India are flogging details of Britons’ bank accounts, a Sun probe has found. Our undercover reporter was sold the top secret information on a thousand accounts, and numbers of passports and credit cards.

An undercover reporter was able to buy the details of thousands of UK banking accounts, password particulars and credit card numbers from crooked call centre workers in India...


The article isn't online yet, but The Register picks up the story:

The paper says one of its journalists bought details of 1,000 UK banking customers from an IT worker in Delhi for £4.25 each. He was also able to buy the numbers of credit cards and account passwords. An unnamed security expert hired by the paper verified that the details were genuine. The information sold could be readily exploited by ID thieves to apply for credit cards or loans under assumed identities or to simply loot compromised accounts. The call centre worker bragged that he could sell up to 200,000 account details each month.

The Sun handed over a dossier on its investigation to the City of London Police. In a statement, the City of London Police said: "Unfortunately we have no jurisdiction to prosecute this in the UK. However we have passed information through Interpol to the Indian authorities and will be working with them to secure the prosecution of this individual."

Amicus, the union, said the case highlighted possible data protection risks about moving financial services overseas. "Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence," Dave Fleming, senior finance officer, told the BBC.


For those firms utilizing offshore resources to handle consumer identity data, an alarm klaxon just went off. Again.

Update: The eminent Bruce Schneier takes exception to this general viewpoint in his latest post. In a nutshell, his take is that the problem is with people, not with offshore versus onshore. But a commenter notes differences in the legal frameworks between countries that can make pursuing remedies noticeably different.

And here's another difference. In the U.S., there are accepted standards for employment. A typical call-center worker will be vetted through a standardized background-check process, a drug-screen, and so forth.

Can a firm that offshores consumer data describe the vetting processes of their offshore firm? And the reliability of those doing the vetting?

IMO, it is far riskier to pipe sensitive and valuable data offshore than it is to keep it onshore, all other factors being equal.
 

Security as competitive advantage


Picture credit: http://www.cumberlandgroup.com
Interesting snippet from a roundup of the recent spate of identity theft debacles (i.e., CardSystems, Bank of America, Lexis-Nexis, Harvard, ChoicePoint, Cal-Berkeley... *yawn*... *hrnggh*... sorry, dozed off there):

...A May 2005 survey of 8,200 consumers conducted by Lightspeed Research showed that over 80 percent of respondents felt threatened by online identity theft and online fraud.

The survey also indicated that 80 percent of respondents would have more trust in their account provider -- and greater confidence in transacting online -- if their provider offered a hardware-based strong authentication solution.

In addition, 44.5 percent of those surveyed said they would be more likely to switch account providers if a competitor offered hardware-based two-factor authenticators...


I'll take the latter two assertions with a grain of salt. I'd be shocked if 40% of respondents could even define "strong authentication" or "two-factor". But I believe the first contention: people feel increasingly threatened by the tide of cyber-crime washing over the Internet.

So what happens next? Yep, you guessed it! Prepare yourself for a spanking new marketing blitz by companies hoping to pitch identity tracking solutions for consumers. Coffee mugs... tee shirts... USB key fobs... towels (oops, just ignore that Holiday Inn towel I'm drying off with)...

...Take the new product launched by credit information management company Intersections. Called Privacy Protect, the service will keep tabs on credit information as well as public information like DMV, criminal, and mortgage and real estate records. In addition to tracking a person's credit information, such as who makes queries against it, it tracks how other unique information, which can be used for fraudulent activities, is accessed...


Opportunistic, eh? The offering appears to be, in essence, a credit data aggregator with timely alerts.

...For a subscription fee, the service will aggregate and track not only a person's credit information but other unique forms of information that can be used for fraudulent activities... If new applications are made in the customer's name, or address changes at banks, the service alerts go out, for example. In essence, the service monitors publicly-available information that many companies use today to run background checks on prospective employees or customers. After all, if businesses can access your data, then why can't you track how they track it? ...


Seems like a reasonable idea. Especially if the following Gartner estimate has any validity at all:

...According to Gartner (Quote, Chart), 9.4 million online U.S. adults were victimized by identity theft between April 2003 and April 2004. The losses amounted to $11.7 billion...


Wow. ID theft is as common as halitosis at a garlic growers' convention.

So, where's the business opportunity? It's a quality and differentiation issue, in my opinion.

Companies that can demonstrate compliance with standards will likely have a competitive advantage. If your firm handles credit cards and meets PCI, why not emblazon that fact on your marketing material?

Slap the PCI-certified logo on your web site and stationery. Actually, I really don't know if there is a "PCI-certified" logo, but if there isn't, there should be. While PCI is certainly no panacea (as Bruce Schneier has already pointed out), I'll bet CardSystems wishes they'd implemented it 100%.

...The standard, called the Payment Card Industry Data Security Standard, or PCI, consists of 12 requirements (PDF), such as installing a firewall and anti-virus software and regularly updating virus definitions. It also requires companies to encrypt data, to restrict data access to people who need it and to assign a unique identifying number to people with access rights in order to monitor who views and downloads data...


PCI is a good start if only because firms can use it to their competitive advantage. You can bet the major merchants and the credit-card companies will be asking the PCI question of their processors.

The next step? Any firm that handles or accepts sensitive consumer data should voluntarily adopt the principles of PCI on its own. And, hopefully, new and more comprehensive standards will be in place as part of a regulatory framework designed to force companies to better protect identity data.

InternetNews: Fronting a Fix on Data Breaches
 

Wednesday, June 22, 2005

Phishing Variants: Popups and Visual Spoofing


Picture credit: http://www.cbc.ca
If you're at all concerned about the rampant epidemic of phishing emails sweeping the Internet, here are a couple of additional approaches to be aware of:

Popup scams: News.com (and the usual security sites) is reporting that most current browsers are susceptible to popup scams. That is, a malicious site uses JavaScript to pop up a window in front of a legitimate web site (say, bankofamerica.com). The popup appears to be linked to the legitimate site and challenges the user for credentials (or other sensitive data). A typical user might assume the popup is legit, since it appears over the backdrop of the real site. Rest assured, it's not: it's a scam. Real sites will authenticate you on the secure page itself.

Visual spoofing: Netcraft reported this scam a year or so ago, and it's still something to consider. The basic visual spoof uses JavaScript to launch a new browser window without the traditional scroll bars, menus, toolbars, etc. (the classic example of this is a popup ad banner). The spoof then uses images to replace the missing browser chrome, so that the address bar, navigation buttons, "secure page" lock, and so forth all appear as they would on a genuine secure page. Skeptical and want to see an example? Don Park has a good demo of visual spoofing here.
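As an added example (not code from the post, News.com or Netcraft), here is the kind of check a user-side bookmarklet could run against the window a login form appears in, turning the tells described above (hidden browser chrome, a popup floating over a real site, no HTTPS) into explicit warnings. The window.opener property and the BarProp objects (window.locationbar and friends) are standard browser APIs; the sample window objects are constructed so the check runs offline.

```javascript
// Added example, not from the original post or the sites it cites: a
// heuristic that inspects the window a credential prompt is shown in and
// lists the reasons a user should distrust it. It relies on the standard
// window.opener property and the BarProp objects (window.locationbar,
// window.menubar, window.toolbar, window.statusbar); `win` is passed in so
// the same function runs against a live window in a browser or against a
// constructed object under Node.
function assessLoginWindow(win) {
  const warnings = [];

  // Visual spoofing: the scam window is opened with the real chrome turned
  // off so that images can stand in for the address bar and the lock icon.
  for (const name of ['locationbar', 'menubar', 'toolbar', 'statusbar']) {
    const bar = win[name];
    if (!bar || bar.visible !== true) {
      warnings.push(`${name} is hidden: any address bar or lock you see is page content`);
    }
  }

  // Popup scam: the prompt is a child window spawned by some other page and
  // floats over the legitimate site instead of being that site.
  if (win.opener) {
    warnings.push('opened by another page: a genuine login is on the site itself, not in a popup');
  }

  // A genuine login page is served over HTTPS in the window's own location.
  if (!win.location || win.location.protocol !== 'https:') {
    warnings.push('not served over https');
  }

  return { trusted: warnings.length === 0, warnings };
}

// Constructed window descriptions (not captured from any real site) that
// mirror the two cases in the post: a normal top-level page, and a
// chrome-less popup that draws its own fake address bar.
function sampleWindows() {
  const visible = { visible: true };
  const hidden = { visible: false };
  return {
    genuine: {
      opener: null,
      location: { protocol: 'https:' },
      locationbar: visible, menubar: visible, toolbar: visible, statusbar: visible,
    },
    spoofed: {
      opener: {},                       // spawned by the scammer's page
      location: { protocol: 'http:' },
      locationbar: hidden, menubar: hidden, toolbar: hidden, statusbar: hidden,
    },
  };
}

// Bookmarklet-style use in a browser: assessLoginWindow(window).warnings
```

The spoofing page will never run this itself, so it is a check for the user's side (a bookmarklet or extension) and a way to show which signals the fake chrome cannot forge. Modern browsers no longer let a script hide the address bar, so the chrome checks are mostly a 2005-era concern, while the opener and HTTPS checks still apply.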

The bad guys are more diabolical than MacGyver on a Starbucks bender. Always be suspicious.
 

The Wikitorial Experiment


Picture credit: http://aphgcaen.free.fr
The LA Times has called a halt to its commendable Wikitorial experiment. The groundbreaking attempt at an interactive, user-edited op-ed piece was defaced repeatedly with obscene photos, according to the New York Times.

Imagine an editorial that anyone can read and modify -- along the lines of the outstanding Wikipedia online encyclopedia -- and you pretty much have the general idea.

Of course, with that sort of openness comes a certain level of risk, as the Times discovered:

...During most of Friday and Saturday, readers thoughtfully altered the editorial. By Friday afternoon, hundreds had weighed in. Some did add profanity but just as quickly a Web master from the paper took it down.

"Nothing bad happened really until after midnight on Saturday," said Michael Newman, deputy editorial page editor...


This is an idea that deserves some refinement and a few more chances. Here are some tactical suggestions for the folks who could back another pass at Wikitorials:

  • Force contributor registration - many newspapers already require that users open a free account. Force Wikitorial editors to open an account. If the user's account ends up abusing the Wikitorial, lock the account out. Since the account registration process takes upwards of a minute or so, editors can make it somewhat painful to deface content. In addition, allow users to rate other users.

  • Ban images - simply don't allow images to be posted or linked. That gets rid of the obscene image issue.

  • Solicit trusted editors - just as Wikipedia relies upon trusted contributors, use the rating system described above to create and nurture a community of trusted editors. Then let the editors worry about cleaning up the content and banning abusive users. It works for Wikipedia... and it can work for Wikitorials.

I commend the Times for their experiment. While I usually disagree (vehemently) with much of their op-ed content, this is an idea with stunning potential. Here's hoping they continue to work out the kinks and allow a new idea to germinate.

N.Y. Times: Postings of Obscene Photos End Free-Form Editorial Experiment


Tuesday, June 21, 2005

Largest Security Breach Ever Revealed: 295 million identities stolen!


Picture credit: http://www.howstuffworks.com
The largest case of identity theft in United States history was reported late yesterday. A conglomerate of large retailers revealed that their wide-ranging consumer databases had been compromised and that all 295,734,134 residents of the United States have had their identities stolen.

Conglomerate security coordinator Rich Batch stated, "We are still in the process of discovering the nature of the security breach and adding protective measures to prevent this sort of thing from ever occurring again. However, our investigators have discovered that the records of nearly three hundred million U.S. residents have been copied from our systems to external parties."

Batch went on to say that social-security numbers, names, addresses, dates of birth, credit scores, and a variety of other sensitive fields had been stolen.

Investigators found that the criminal activities had begun in 2003 and were accidentally discovered when a custodian tripped over a power cord. One of the major bastion servers became unplugged, at which point an unknown person called the data-center. Speaking in a heavy Russian accent, the caller claimed to be the CIO of the organization and demanded that the bastion server "be plugged back into wall, damn you, we are doing much business important work with computer." The custodian became suspicious of the caller and alerted the organization's security staff.

Reacting swiftly to a swath of fraudulent transactions sweeping the country, the Department of Homeland Security issued the following statement late yesterday:

Effective September 1, 2005, your old social-security number will be shifted to a randomly selected social-security number (SSN). You will be notified of your new SSN on September 1 and all government systems will be updated on that day to reflect the changes.

We foresee this becoming an annual anti-fraud effort, given the rampant insecurity of many companies that handle SSNs.


Continued on page A12

P.S. This is, quite obviously, satire. But it would be nice to have DHS coordinate a serious attempt to curtail the conventional approaches to identity theft.

Update: Bruce Schneier weighs in with his take on the CardSystems disclosure. Read the whole thing.

     

The New James Bond


Picture credit: http://www.dancewithshadows.com
The classically trained British actor Daniel Craig is reported to have won the coveted role of James Bond, replacing Pierce Brosnan. Do we really need another Bond who weighs a buck fifty and would likely take a butt-whooping from my brown-belt niece?

Photo credit: adorocinema.cidadeinternet.com.br

I was thinking more along the lines of Christian Bale. He's got the sophisticated, yet hard-edged, look and even the accent, for goodness' sake.

Plus, from his devastating tour in American Psycho, we know he can handle all of the requisite weaponry: from 9mm handguns to chainsaws and everything in between.

Daniel Craig to be new James Bond


Which Science Fiction Writer Are You?


I am:
Gregory Benford
A master literary stylist who is also a working scientist.

Which science fiction writer are you?

I took the quiz and ended up with Gregory Benford. I'll have to look him up on Amazon. I was kinda hoping for Robert A. Heinlein. Ah well, dare to dream.


Monday, June 20, 2005

How SQL Injection Works



It's true that we don't quite know the attack vector that was used to install trojan(s) on the CardSystems network. In my opinion, the three most likely possibilities are:

  • Social engineering: imagine one day you receive an official looking CD from your company's IT department. It's been snail-mailed to you directly, professionally emblazoned with the company logo and a pompous demand that you install the CD to ensure that your machine's security patches are current. This sort of thing may be what happened in the Israeli corporate espionage case.

  • Inside job: an insider, motivated by money, revenge or other factor, intentionally installed a trojan to expedite delivery of sensitive data to criminal parties.

  • SQL injection: a web application (say, a merchant access system) was compromised through SQL injection and a remote command execution hack (e.g., SQL Server's xp_cmdshell command or similar). Remote command execution offers the possibility of loading a malicious executable from an external FTP site... frightening, eh?

If you've ever wondered how SQL injection works... and how best to protect yourself against common web application attacks, this overview from UNIXwiz is one of the best I've seen.
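To make the mechanism concrete, here is an added example (not code from the original post or from the UNIXwiz write-up): a merchant-login lookup built by string concatenation beside the same lookup written as a parameterised query, both run against a constructed in-memory SQLite table so it runs offline.

```python
import sqlite3

# Constructed sample rows standing in for a merchant-access login table
# (plaintext passwords only to keep the demo short).
MERCHANTS = [("acme", "s3cret", "Acme Corp"), ("globex", "hunter2", "Globex Inc")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (username TEXT, password TEXT, name TEXT)")
    conn.executemany("INSERT INTO merchant VALUES (?, ?, ?)", MERCHANTS)
    return conn


def login_vulnerable(conn, username, password):
    """The injectable form: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT name FROM merchant WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """The hardened form: placeholders keep the statement fixed and the driver
    passes the values separately, so input can never change the query's shape."""
    sql = "SELECT name FROM merchant WHERE username = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both lookups with a legitimate login and two classic textbook payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"   # makes the WHERE clause always true
    comment = "acme'--"         # closes the string; '--' comments out the password check
    return {
        "vuln_legit": login_vulnerable(conn, "acme", "s3cret"),         # ['Acme Corp']
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),  # both rows leak
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),       # ['Acme Corp']
        "safe_legit": login_safe(conn, "acme", "s3cret"),               # ['Acme Corp']
        "safe_tautology": login_safe(conn, "nobody", tautology),        # []
        "safe_comment": login_safe(conn, comment, "wrong"),             # []
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:15s} -> {names}")
```

The same structural fix (bound parameters instead of concatenation) is what blocks the follow-on step the post describes, since a query whose shape cannot be altered offers no place to append a command-execution call.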

UNIXwiz: SQL Injection - by Example


More CardSystems Tidbits Emerge


Picture credit: http://www.massmenus.com
Interesting information on the CardSystems security breach... carefully gleaned from multiple reports:

Item 1: MasterCard announced the breach, which had been detected in May, probably to the consternation of CardSystems. What were the reasons for MasterCard's disclosure? Displeasure with CardSystems in general? A requirement to disclose the breach in a timely fashion, since CardSystems had had over a month? Or was it simply MasterCard demonstrating that it -- not CardSystems -- had discovered the intrusion?

MasterCard traced the breach to CardSystems based on an unusual pattern of fraudulent transactions...

"I don't have the detail on what type of fraud it was," Antle said. "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system. ... We have tracking systems in place to find the common point of interaction."

FBI spokeswoman Deb McCarley would not confirm the intrusion was the result of Internet hacking.


Sketchy reports indicate that, indeed, a trojan was placed on at least one of CardSystems' computers.

Item 2: CardSystems said that the FBI asked them not to disclose the breach... but the FBI denies that claim, according to this report. What the...?

Item 3: According to the New York Times, CardSystems wasn't even supposed to have this data! While CardSystems processes the transactions, it isn't supposed to retain any records, per its agreements with MasterCard and Visa. It appears that CardSystems somehow kept all of the data, perhaps for its own "research purposes":

The chief of the credit card processing company... acknowledged yesterday that the company should not have been retaining those records... He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

...Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

...Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

...MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.


How did the intruders enter the system? Perhaps a processor's web application for merchants:

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," said Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes... In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence...

     

Security? What Security?


Picture credit: http://www.regiononline.com
IT-Director's Robin Bloor has some choice commentary on the news that CardSystems may have exposed some forty million accounts to cyber-crooks:

...The secret is out "corporate America is inadequately protected against data theft." I think there's a crisis in the making – in fact, there is. The news is not good for you and I, but it is for the IT security vendors, who have clearly not been selling enough of their fine products to stop the rot.

On Thursday of last week the US FTC (Federal Trade Commission) pronounced judgment on BJ Wholesale a company that had failed to protect customer data from identity theft. Its judgment was that BJ Wholesale should undergo a security audit every 2 years for the next 20 years. This doesn't sound like much of a penalty, but there can be little doubt that BJ Wholesale is going to have to spend heavily on IT security. It will cost them many green dollars, and woe betide BJ if it fails any of these audits...

[CardSystems' stolen forty million accounts] ...sounds more like a spirited attempt to get into the Guinness Book of Records than a security breach ("What, ChoicePoint only exposed 140,000 identities? We'll show them").

The press reports suggest that CardSystems was targeted by hackers, which seems highly likely. However, it is all a little confused as some reports claimed that the vulnerability was caused by a virus attack. Right now the full details may not be known. It was MasterCard that uncovered the problem. In investigating fraudulent transactions, it was able to deduce where the data was being stolen. Hats off to MasterCard. Visa and American Express, who also had millions of customers affected, should thank them.

MasterCard is, however, deeply unimpressed with CardSystems. It says that CardSystems was storing card holder's account numbers and security codes on its computers in violation of MasterCard rules...


Robin Bloor: Security? What Security?