The reality is Apple enjoyed security by obscurity. Its market share wasn’t worth the attention from hackers. Now Apple is worth the attention. Where’s the glory in taking out a smaller computing player when you can take out the big dog—Microsoft?

As a result of Apple’s lack of hacker interest, the company could talk about being more secure even as it tended to rewrite QuickTime and plug security holes every time it launched a new product or generated buzz. While you were playing with your latest greatest Apple software release the company would patch vulnerabilities.

Here’s Apple’s chain of events over the last month:

• Mac Defender malware attacks Apple users.
• Apple remains mostly silent and tries to thread the customer service needle.
• Apple then announces a fix and that a future update will put Mac Defender to bed with an update.
• Evil doers launch a new renamed version just a few hours later. The new malware is renamed (predictable) and split into two parts, a downloader that delivers a payload similar to Mac Defender (not so predictable).

Being a non-mac person, and talking to mac fai-boi’s, you get used to hearing the spiel about how Macs supposedly don’t get viruses. Meanwhile, folks that have experience crafting and being on the receiving end of exploits know full-on that malware comes in popular waves. Now, I haven’t had first hand xp of the MacDefender malware – maybe someone can enlighten me, but i’m glad this latest string of malware finally broke the Mac security bubble. The author is dead-on about security through obscruity. I’m not saying proprietary vendors like Microsoft doesn’t practice the same poor security model – but it certainly feels a bit vindicative to see the tides finally turning.

http://www.zdnet.com/blog/btl/apples-malware-challenge-usability-as-its-security-world-changes/49378?tag=nl.e539

The former head of America’s most powerful and secretive intelligence agencies thinks the U.S. government classifies too much information on cybersecurity vulnerabilities.

When you work on the offensive end of Information Security space, you quickly become familar with the traditional argument of proper disclosure; disclose the vulnerability and hopefully vendor will patch and other relevant IT folks have full knowledge to build in defensive mechanisms. Don’t disclose and you decrease your risk internally while increasing the impact of exploit for everyone else. And this is disclosure in an unclass world, without regard to policies in place for private corporate or the classified gov world. I imagine those vulnerabilities would be unlikely to see the light of day since much of the focus in that sector continues to be security through obscurity.  

From a unclass defensive network security monitoring perspective, we’re fighting with both hands tied behind our backs. There is a huge push behind cyber security in the DoD and Intel space, the fruits of labor; tools, intel, and computer network defense mechanisms that the unclass world is not privy to. We need to bridge that gap with more formal programs. http://www.fiercegovernmentit.com/story/dod-mounts-program-exchange-cybersecurity-personnel-private-sector/2010-12-16 

Right now private industry vendors are exploiting that information asymmetry with appliance products promised to be silver bullets. “Why yes, this NextGen^TM security appliance does cure cancer”. This has led to FUD (Fear, Uncertainty, Doubt) focussed information security which has created an atmosphere of CYA (Cover-Your-Ass) security, and buying up supposed products and appliances which are going to prevent your network from getting 0wn3d, instead of sound InfoSEC engineering/architecture. A lot of the work funded in gov, particularly defense and intel, should be published into the public domain, to produce the much needed transparency for this field.

http://www.wired.com/threatlevel/2011/03/hayden-cyber/

The so-called Internet “kill switch” bill was introduced in June 2010 by US senators Joe Lieberman and Susan Collins. The bill wasn’t passed into law in 2010, but the legislation — known in Washington as the “Protecting Cyberspace as a National Asset Act” — is now making a comeback in 2011.

The idea of the bill is that during a “national cyber emergency” (e.g. Internet-based attacks on the power grid or hacking into US weapons systems) the President of the United States and the Department of Homeland Security would have the authority to shut down private systems across the country, essentially bringing down the Internet to stop the attacks until everything could be secured. (Because the Internet is a distributed network and the US is a huge country, it’s unlikely that the government could take down the whole thing but it could knock out a big chunk.)

http://www.zdnet.com/blog/btl/takeaways-from-egypt-kill-the-kill-switch-and-decentralize-the-internet/44417?tag=nl.e539

I’m glad someone has realized the obvious here. As InfoSEC engineers, we all silently knew this was a “bad idea” the moment we saw it hit the press. What Egypt did was exemplify essentially how easy it was to “pull the trigger” on the worse case scenario. How it was done? Telegraph has a basic explanation: http://www.telegraph.co.uk/news/worldnews/africaandindianocean/egypt/8288163/How-Egypt-shut-down-the-internet.html.

Since the US is a central hub of internet traffic, something like this would be a lot more difficult (http://arstechnica.com/tech-policy/news/2011/01/how-egypt-or-how-your-government-could-shut-down-the-internet.ars).

Bruce Schneier also has some pre-Egypt thinking on the topic: http://www.schneier.com/blog/archives/2010/07/internet_kill_s.html

There are parts of the legislation that I do favor; defining critical infrastructure, evaluating vulnerabilities. I also admit I haven’t read the bill in full, (http://www.gpo.gov/fdsys/pkg/BILLS-111s3480rs/pdf/BILLS-111s3480rs.pdf), but have read enough to know that something like this must be implemented carefully. Freedom of information must be protected in the way that freedom of speech is protected. The liberty of many must be protected from its suppression by the elite (as in the case of Egypt). Anways, i’ll have an update when i drill down into the bill itself.

Cheers,

-AF

Fact check:
http://www.wired.com/images_blogs/threatlevel/2011/01/Myth-v-Reality.pdf

Take Action:
http://www.wired.com/threatlevel/2011/01/kill-switch-legislation/

Subject: DPRK has carried out nuclear missile attack on Japan

Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO)

DPRK has carried out nuclear missile attack on Japan

05 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 05, 2010 at 01.41 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People’s Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization:

CENTRAL INTELLIGENCE AGENCY
Phone: (703) 482-0623

DEFENSE INTELLIGENCE AGENCY
Phone: (202) 231-8601 Email: DIA-PAO@dia.mil

With all this talk about the advanced threat, and foreign countries attacking us, the nominal question then becomes…what are we doing to them?

Software supplied to run a Russian pipeline was deliberately planned to go haywire, causing the biggest non-nuclear explosion the world had ever seen, says a book published this week.

http://news.zdnet.co.uk/software/0,1000000121,39147917,00.htm

For a sneak peak of what this will look like, recommend watching “Die Hard 4, Password swordfish, War Games”…or any other movie where people mash the keyboard really really fast as they pretend to hack things

On February 16, at about 10:00 am ET, the U.S. will be hit by a massive, crippling cyber attack from an unknown entity. Key players will convene in the White House situation room and plan the response, from mitigation to (possibly) retaliation. It’ll be live on television — G.N.N.

http://politics.theatlantic.com/2010/02/_recreating_a_s_ituation.php

www.gamerevolution.com/blog/entry.php?id=5511

No pun intended. You know, when MS has an outage (cough) (c0ugh) XBOX Live, you never hear the end of it…or at least, there’s instantly hundreds of folks immediately jumping to gloat over the schadenfreude. But when something serious goes wrong with Google, there’s a general hesitation to judge. There shouldn’t be - what i got out of the gmail outage was the same thing everyone else got; no indication, no explanation, and no status on when the service was expected to be up and running again. This is a problem, and i’ll let the Google PR folks dig themselves a hole with their own words on this one:

According to Ben Treynor, VP Engineering and Site Reliability Czar, Google “slightly underestimated the load which some recent changes”. How could a company with seemingly unlimited investor resources, coupled with the brightest system engineers underestimate and not forsee the domino effect of servers going down?

This transferred the load onto the remaining request routers, causing a few more of them to also become overloaded, and within minutes nearly all of the request routers were overloaded… The Gmail engineering team was alerted to the failures within seconds (we take monitoring very seriously).

If Gmail engineering realized within seconds the effect of what they had done, why did it take over 100 minutes for Gmail service to recover? Don’t be so quick to let everyone know how quickly realized your problem, when the fact of the matter is it took Google way too long to recover; that’s just bad form.

After establishing that the core problem was insufficient available capacity, the team brought a LOT of additional request routers online (flexible capacity is one of the advantages of Google’s architecture).

Yeah so much for that flexible capacity. Now the overarching question, do your cloud services also take hours to bring back up in a service industry where reliability is measured in seconds? Yobie Benjamin asks that very good question in his Is cloud computing ready? article.

But maybe i’m being too harsh on Google, after all it is a free service. To that point, i’ll take a page from Info Sec guru Bruce Schneiders book:

There are two different types of cloud computing customers. The first only pays a nominal fee for these services — and uses them for free in exchange for ads: e.g., Gmail and Facebook. These customers have no leverage with their outsourcers. You can lose everything. Companies like Google and Amazon won’t spend a lot of time caring.

Much of our infatuation with Google has been built on their “Do no evil”. Unfortunately, what has started to occur here is, a consistent downplay of Google’s failings. I find this scenario fairly disturbing.

No one judges Google’s interface because it has become the defacto representation of “simplicity”. UI is obviously a very subjective topic, but has anyone looked at the Gmail UI lately and really asked “Is this the most intuitive UI?” It may be the most simple way, what i wouldn’t consider it revolutionary in any way. The fact that Google is reading through all my email and parsing it for directed advertisements is a bit concerning to me; all privacy issues considered.

As consumers, let’s not miss out on the big picture here, Google wants to turn your search terms, your email content, and your browser history into a monetizer. The fact that they’ve kept up a “we’re doing this for the public interest” image needs to be piereced, and hopefully those in our industry can begin to see this. Whatever happened to all the “transparency” we were promised? For the business consumers, they got a phone call from Google, probably not a very reassuring one for say a trader that lost his connectivity at the closing bell. Those industiries aren’t as tolerant of failure as some others may be: (http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=219501181).

But for the rest of us “little people”, we were written off like any consumer, as secondary. I’m not saying that this is wrong – this is business, and all the Google Fanboys need to come around to this; Google is just like any other company, and needs to be held to the same level of accountability, questions, and scrutiny as every one else. Let’s make sure that “transparency” is real.

http://gmailblog.blogspot.com/2009/09/more-on-todays-gmail-issue.html

Now I can have my cake and eat it too. The developers of Windows Mobile 6.1 lived in the stone age where people used the stylus to navigate their phone. The iPhone…sucks. WinMo 6.5 won’t be released until at least 1/2 of all cancer is cured, so a couple weeks ago i decided to make the jump…The result? A must faster, usable touch interface on my otherwise aging AT&T Tilt.

The only other option was to sell my soul for the iPhone, which I didn’t enjoy using or find intuitive anyway. Now, I have a completely open phone, with a kick ass UI. Some people complain that I don’t have an app store. Well guess what? My app store is THE INTERNET. I can install any programs, games, and load any music/ring tones I want. for free. Thanks to Mike for giving me the idea.

Now, before moving to the WinMo 6.5 roms, i should point out I was using SPB shell  w WinMo 6.1(http://www.spbsoftwarehouse.com/products/mobileshell/), which was neat and all… but the combo of WinMo 6.1+SPB made my phone come to a crawl. It’s responsiveness was just not on par, and it gobbled up RAM like nobody’s business.

AFAICT, WinMo 6.5 is much more efficient, fluid, and less buggy. Seriously, never being able to set the backlight timer even with multiple hacks was just…unacceptable.

Anyways, here’s the guide to flashing a new bootloader, unlocking your phone, installing a new radio, and flashing the new ROM: http://gizmodo.com/5281397/how-to-install-windows-mobile-65-right-now

Quick note before installing a new radio/flashing a new ROM… the first time i flashed a new ROM my camera stopped working, and my phone calls had intermittent sound… that is likely if your ROM is incompatible with the radio version, so check that the radio/ROM matches (this usually written in the ROM description in xda-developers forum):

FWIW, I used a WWE Rom, so you might give this rom a shot if you are not sure what to pick. It was quick, and incorporated TouchFlo. http://forum.xda-developers.com/showthread.php?t=543276

For those of you with Android phones:
http://lifehacker.com/5339901/get-root-access-in-android-with-one-click

Feel free to comment if you run into any issues, though my knowledge is really limited to dealing with the Kaiser!

With all this talk about cloud computing, it’s hard to resist being a little cynical about all the hype discussing the Google Cloud. This is an interesting article that describes some of the inherent limitations. Afterall, cloud computing is what mainframes were in the 1980′s, except, now they’re on the internet. So no, IMHO, cloud computing isn’t actually going to change how we essentially do business. And i’ll highlight why.

Take for example Gmail – that handy webmail app that you know, that hasn’t actually *changed* since it was first released?! Oh, sorry, task lists were just implemented earlier this month – something that’s been in Outlook since, as far as i’m concerned, the beginning of time. It’s lightweight…kind of, but the UI is arguably, horrendous and too text-based. Additionally, how many folks out there actually use gmail webmail as a primary? Sure, I know of plenty of folks that are using thunderbird/outlook to pull pop3/imap from gmail…but an outright replacement? Never. Has anyone attempted to collaborate on a word document using Google Docs? The words limited functionality, unintuintive, frustrating and counter-productive come to mind.

For those that haven’t, this is a typical issue when more than 2 people work on a document: You spend 15 minutes putting your thoughts together, and when the collaborative document refreshes, you get slammed with a “Someone is writing, therefore the paragaraph you just entered has been deleted” synchronization error. This is Google’s equivalent of Microsoft Vista’s UAC prompt in terms of implementation FAILURE. Again, Microsof’ts Office 2010 Online looks way more promising…

What about videos and mp3s? music , well sure, we can stream that over broadband at a fairly decent rate… But what about when i’m in east bumblefrack, PA, trying to reach my data on a trip. Good luck getting 3G there. Anyone that’s tried streaming video anywhere, knows it’s hard enough to do on a LAN when you’ve got 54-1000Mbps of bandwidth. I don’t think 10Mbps up and down is a realization in the US yet.

Where this cloud is really useful might be for developers. As applications scale, more computing power is required. To be extra cynical i’ll rephrase that with, “As developers create bloated, B-level code in a slow, performance handicapped language called Java”, we need to throw more processors to address what is actually an inherent programming issue…. But when is the last time you saw a company throw their source code onto Google and call it a day?

Any company with sensitive, proprietary, information, (we’ll ignore any government entitity dealing with classified, or For Official Use Only data), should have legitamite apprehensions about throwing their applications on an inherently internet accessible site. Assuming that Google has securely segregated the development environments, using a cloud service is the equivalent of throwing an internal server on the DMZ and counting your blessings till you get hacked, isn’t it?

And in the event of an incident? who does the incident response? How do you get to your data? Do you trust, say Google to collect forensics? How does that work? How do they know what sort of application threats to look for and protect against? Outsourcing the IT team might sound attractive to a business-line manager, but something with secure coding issues that has to be addressed first. Who has ownership of that data at rest? If I stop paying money, what happens to all that potential corporate/personal information (think when the CLEAR flight program got pulled). Does it get stored somewhere for eternity?

For all the other users out there? does it make financial sense to jump on the cloud bandwagon? Is it worth paying extra $$$ to stay on the cloud? And really, it is extra, because no one in their right mind would not keep local backups at this stage of “the cloud”. The utopia of people throwing data onto far away servers and “forgetting” about data as we know it, not to mention connectivity issues of getting to the cloud, that vision that Google execs are dreaming up of atm, just doesn’t seem like something that can be realized right now. Anyone that has tried to use a thin client before (cough)(cough) CITRIX, already knows what a hassle/sorts of latency/performance issues that will just compound on the cloud.

So, with all that said, the next time you’re on a plane and you want to do anything… just remind yourself that you thankfully have a thick client, and aren’t connected to some cloud you’ll can’t actually have access to.

 http://www.pcmag.com/article2/0,2817,2350133,00.asp

…Now let me enlighten you on why this really much ado about nothing. Just another attempt at some sensationalist journalism, ‘cept on a whole new level. When it comes to international news, journalists tend to sway readers because short of flying over to say Iraq and getting a first-hand view of wtf is going on, we pretty much have to accept whatever reporters say point blank…. Tech news on the other hand, well, let’s just say CNN and TechCrunch are running out of news, and once again, we have a bunch of amateurs reporting on something they clearly know nothing about.

Google Chrome OS is not going to replace Windows XP, or Vista, or 7. I predict a respectable throng of early adopters that usually suck on the tip of the Google ****. However, very shortly, when you know, users begin to actually use the OS, they’ll soon discover as soon as they try to run some ::insert arbitrary programs you’ve grown accustomed to using without thinking twice about compatibility::, that, oh wait, I can’t run that with Google OS. This will soon be followed by, oh wait I can’t play my games, I can’t connect to my home windows network, or “why doesn’t this interop properly?”.

Basically, I predict “game over” for Google OS if you’re a gamer or business user. If you even interface remotely with developing on the Windows platform, “game-over” for you too. In fact, pretty much do anything outside of “productivity and browsing”, you are bound to face doesn’t work, not intuitive, or isn’t compatible issues that continue to plague Linux to this day.

Why the comparison with Linux? Well, let’s just say that hell rained down from the sky last year when netbooks started getting popular. Linux had an almost 25% market share (http://www.cnn.com/2009/TECH/07/08/google.chrome.challenges/index.html). Meanwhile those linux haxX04z were busted a nut when they realized recently, that their market share dropped to 4.5%. I’m not saying that Google Chrome OS is going to repeat the mistakes that linux distros have traditionally made (complete lack of usability -> what i have to recompile my kernel? wtf are all these security updates, i thought linux was secure!? uh wtf is the root user, and this MS-DOS looking console).

What I am saying however, is the huge exaggerations of what is expected of the actual OS. All “normal” people are going to wonder why they can’t do the same things they can do in Windows. Everyone tech mis-guided, i mean savvy enough to accept those limitations, already has a good alternative to Windows XP; Linux. AFAICT, this Google Chrome OS offers NOTHING NEW.

That’s right, you heard me right, i said Google Chrome OS’s main competitive advantage, “a OS built for web applications” is NOTHING NEW. Asus laptops already ship with an “instant-on” embedded Linux distro (http://promos.asus.com/US/website/Spotlight/July2008/ExpressGate.html). ExpressGate allows you to surf the web, listen to music, skype, access your hard drive, photos, chat, etc, without booting into Windows. Sure Chrome OS may offer more features, but adding features to existing embedded linux distros shouldn’t exactly be difficult. Both are open source installations that can be configured/appended to. I also suspect that the more you add to Google Chrome OS, the more bloated/insecure it’s going to get anyway.

The only thing Google Chrome OS is really adding to the table here is that technologists seem to have a “trust in Google” mentality; one that will undoubtably prove dangerous should ChromeOS gain any type of decent market share, which I suspect, just like the embedded Linux usage, likely won’t, and sooner, rather than later, I suspect that this whole OMFG GoogleOS is going to become just another relatively, but still significant, inexpensive paperweight.