Mar 20, 2001

.Net demystified: What you must know
Privacy from Companies
3/20/2001; 8:52:06 AM

'Suppose, for a moment, that everything could talk to everything else. Your calendar could get information from and supply data to your documents, or your cell phone, or someone else's calendar and cell phone. Your computer's desktop could tell you that your dry cleaning is ready or your bank account is overdrawn....'

'To do this, Microsoft wants to know everything: the information in your user profile, address, and application settings; what devices you use; what's in all your documents; your favorite Web sites; where you are at any given moment; your credit card numbers and payment information; the contents of your personal calendar, contact list, and e-mail inbox; and probably a few things I've left out.'

The article discusses the possibility that somebody will hack this datastore because it's a tempting target. Do the basic analysis: "How hard is it to get into?" and "How tempting is the target?" Remember, security is never perfect, so this analysis is based on the idea that the protection only has to be strong enough that what it protects isn't worth the effort of breaking it.

The answers aren't encouraging. "How hard is it to get into?" Not to bash Microsoft, but security has never been on their priority list. Granted, there are exploits for every system, but at least the BSDs care about security, and the Linux people do on some level as well. Microsoft does not really have a track record for caring. I'd guess security will be relatively easy to crack, at least at first. (Actually, this would be sort of fun. Maybe I should learn more and do some white-hat work for .Net. Then again, my plate's full as it is.) How good they can make it will be interesting to watch. Also note that it's not just Microsoft's security that can be breached. Depending on the software being run against Microsoft's services, you might be able to crack that somehow. If enough people are using some third-party solution, that third-party solution could open holes, even if Microsoft does their job perfectly. It's an awfully large system, with an awful lot of ways into the primary datastore... surely one of those ways will end up being insecure.

"How tempting is the target?" Let me ask it another way. "Can you imagine a more tempting target?" I can... Microsoft's servers probably don't have your social security number... but that's about it! Credit cards, buying history (if you're going to commit credit card fraud, buying histories are a great help; you can try to fit into the pattern of spending on the card so nobody notices anything amiss), e-mail (which isn't always just saying hi to friends; think industrial spying), what more could you ask? With a target this tempting, .Net will be the target of every cracker worthy of the title. What are the odds Microsoft will stop every last one of them? With a target this tempting, rock-solid security will be necessary, security to challenge the likes of the NSA and CIA. I for one definitely won't trust anything important to Microsoft.

I must admit I'm surprised at this centralization business. When you can buy a 40 GB hard drive for $100 and have it on site, with the extremely high bandwidth and low latency that only a hard drive stuck in your actual computer can provide, why move the data off the desktop machine at all? It's great that you can, there's power and flexibility in this architecture, but there's nothing in the architecture that necessarily implies that the data has to be housed by a central repository. You should be able to set up a net-connected desktop as your data store, and tell any .Net component to use it. Maybe you can and I just haven't heard about it. I sure hope so.

Mar 19, 2001

Human Justice for Human Beings
3/19/2001; 12:41:45 PM 'The 1950's science fiction authors were half-right. We will be enslaved to machines, but it won't be because they rose up and overthrew their creators. We will voluntarily enslave ourselves to the machines because it is cheaper in the short term.'

Mar 17, 2001

Glenn Fleishman on Gilmore and Censorship
3/18/2001; 12:28:38 AM

Glenn Fleishman saves me the effort of writing that essay. Suffice it to say I agree wholeheartedly.

'Crying for a commercial contract violation is also ridiculous. Verio's not the government. They're not restricting your friggin' freedom of speech. They're preventing you from doing something that violates their commercial interests, as well, incidentally - just by the way - feeds into the ability of spammers worldwide to continue their hideous mission.'

The most disturbing part of this is that as a Big-Media-acknowledged "leader", Gilmore affects the credibility of all of us who fight alongside the EFF by crying wolf over this.

Mar 17, 2001

Defeating E-mail bugs and Spyware on Windows
Protecting Yourself
3/17/2001; 7:28:09 PM

You can't quite eliminate spyware with these techniques, but you can make a massive dent in it.

About a year ago I found a product called Zone Alarm, which bills itself as a free personal computer firewall program. It's not quite what I'd call a firewall, though, in that it takes a decidedly non-traditional approach to the problem. Basically, it grants and denies permission to access the Internet on a per-program basis, independently for the home network and the Internet. For instance, you can tell this program to allow your browser full access to the Internet, yet allow some internal corporate program access only to the local net. Or you can allow programs to go out to the net, but not accept connections (or vice versa).

When last I left this program, it was very good, but not quite useful enough for what I wanted to do. That has changed. I strongly recommend that you download and use Zone Alarm if you are using a Windows computer. It protects you from a large number of security issues simply by virtue of its design.

In order to access the Internet, programs must first get permission from you in an explicit pop-up box. Thus, when Zone Alarm pops up a question asking about some program you don't think should access the Internet, or about some program you've never even heard of, you can say "No", preventing the spyware from reporting back to whatever it's reporting to. This means the only "spyware" that gets through is spyware that has a legitimate reason to access the Internet, like Real Audio. The one gap to keep in mind: permission is granted per program, so a spyware component that runs inside a program you have already allowed (a browser plug-in, say) inherits that program's access and never triggers a prompt of its own.

To prevent e-mail bugs, add your e-mail server to the local network zone (with Security->Advanced->Add->Host Site, type "Mail Server" and the host name, accepting all IPs that may come up), and then grant your mail client permission to only access the local net. Now, if your e-mail program tries to download an image or something, it won't work, so the spammers won't be alerted to your presence. (Unfortunately, this won't work with Netscape, as both web access and mail access occur in the same program, so you can't differentiate between them.)
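The Zone Alarm rule above blocks the network side of an e-mail bug: the mail client can only reach the mail server, so the HTTP fetch for a tracking image never leaves the machine. As an added illustration (my own example code, not from the original post or from Zone Alarm), here is the content side of the same problem: what a bug looks like inside an HTML message, how to tell a likely tracking pixel from an ordinary remote picture, and how to strip remote images before the message is rendered. The sample message, the list of suspicious query keys and the token heuristic are assumptions made up for the example.

```python
"""Spot and neutralise remote-image 'e-mail bugs' in an HTML message body.

A bug is an <img> whose src points at the sender's web server, usually with a
per-recipient identifier in the URL; the act of fetching it tells the sender
that the address is live and the message was opened.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

REMOTE_SCHEMES = ("http", "https")
# Query-string keys often used to carry a per-recipient identifier.
# This list is an assumption for the example, not an exhaustive catalogue.
TRACKING_KEYS = {"id", "uid", "rid", "email", "e", "u", "track", "t"}
# Long hex or base64url-looking values: assumed to be opaque identifiers.
TOKEN_RE = re.compile(r"^(?:[0-9a-f]{16,}|[A-Za-z0-9_-]{20,})$")


class RemoteImageFinder(HTMLParser):
    """Collects every <img> whose src points at a remote HTTP(S) server."""

    def __init__(self):
        super().__init__()
        self.found = []  # (exact start-tag text, src, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # cid: (inline attachment) and data: URLs are local; only http(s) phones home.
        if urlsplit(src).scheme.lower() in REMOTE_SCHEMES:
            self.found.append((self.get_starttag_text(), src, a))


def bug_reasons(src, attrs):
    """Return the reasons a remote image looks like a tracking bug (empty if none)."""
    reasons = []
    if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
        reasons.append("1x1 pixel")
    parts = urlsplit(src)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in TRACKING_KEYS or TOKEN_RE.match(value):
            reasons.append(f"identifier in query ({key})")
            break
    else:
        # No identifier in the query: check for one embedded in the file name.
        stem = parts.path.rsplit("/", 1)[-1].split(".", 1)[0]
        if TOKEN_RE.match(stem):
            reasons.append("identifier in path")
    return reasons


def find_bugs(html):
    """List (src, reasons) for every remote image in the message."""
    parser = RemoteImageFinder()
    parser.feed(html)
    parser.close()
    return [(src, bug_reasons(src, attrs)) for _, src, attrs in parser.found]


def strip_remote_images(html):
    """Replace every remote <img> with an HTML comment; return (cleaned, removed_srcs)."""
    parser = RemoteImageFinder()
    parser.feed(html)
    parser.close()
    removed = []
    for tag_text, src, _ in parser.found:
        html = html.replace(tag_text, f"<!-- remote image removed: {src} -->")
        removed.append(src)
    return html, removed


# Constructed sample: one inline logo, one tracking pixel, one ordinary remote photo.
SAMPLE = """<html><body>
<p>Your order has shipped.</p>
<img src="cid:logo" alt="logo">
<img src="http://tracker.example/open.gif?id=3f9c2a7b9e4d1c08a5b6" width="1" height="1">
<img src="https://img.example/photo.jpg" alt="product">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_bugs(SAMPLE):
        print(src, "->", ", ".join(reasons) or "plain remote image")
    cleaned, removed = strip_remote_images(SAMPLE)
    print(f"removed {len(removed)} remote image(s)")
    print(cleaned)
```

Stripping removes the plain product photo as well as the tracking pixel; that is deliberate, since a mail client cannot know which remote fetches are harmless, which is exactly why the per-program firewall rule above blocks the client's web access wholesale rather than trying to pick out the bugs.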

It's great!

Mar 17, 2001

Spam Laws, 107th Congress
Spam & E-Mail
3/17/2001; 6:50:55 PM Slashdot has an article today on yet another spam law proposed in Congress. Rather than make a news article out of that, I'd rather take this opportunity to point you at the Junk Email pages at the Center for Democracy and Technology.
