Thursday, September 21, 2006

Yakety-Yak (Don't Talk Back)

Not long ago, I noted how the IT world, in general, seems to be far more interested in the latest cool new feature than in the risks that often accompany that feature.

You'd have thought that the September 11th attacks here in the US of A and subsequent warnings about our continuing vulnerability to cyber-attacks would have acted as wake-up calls to the IT community. Unfortunately, governments in the USA and elsewhere have simply used the attacks as a pretext for increased surveillance of ordinary citizens while doing little or nothing to actually improve security.

Meanwhile, businesses and consumers continue to gaze at the latest sparkly trinket.

Which brings me to IP telephony, a.k.a. Voice Over IP or VoIP. Gartner says IP phone shipments have jumped 53 percent from last year and I, personally, know folks who now do all their voice communications via Skype or similar products. Never mind that, according to a presentation at the latest Hack In The Box conference, VoIP systems are easily hackable and could be used for identity theft, or that hackers can already download tools to attack the protocol used by VoIP handsets.

In fact, as a recent Business Week article bluntly states, "VoIP calling systems are just as susceptible to hacking and digital mischief as any other Internet-based application". That includes worms, viruses, DDoS attacks, and phishing.

That last one is especially scary. Most of you out there are probably familiar with how e-mail phishing works (the rest of you can click here). The VoIP version of this would direct you to a phone number - very possibly the actual phone number of your bank - where you would give your personal information to someone who is allegedly on your bank's customer service staff but who is, in reality, working for someone else entirely. Like, for example, the Russian Mafia. That's because your bank's VoIP system has been hacked in much the same way web sites are hijacked now.

Worse yet, the security tools for VoIP systems are far less well-developed than those for PCs and servers. In this area, unfortunately, the Bad Guys are way out in front.

Friday, September 08, 2006

(My)Space Cowboy

I've been hangin' around the IT Corral fer nigh on to thirty years, pardner, an' I've seen some pretty darn dumb ideas come down the Ol' Checksum Trail. You prob'ly even remember some of 'em, even if y'are jes' a whippersnapper:

Dead, ever' one of 'em, and planted up thar on Reboot Hill. Nights, some of the real old-timers - them UNIX guys with the suspenders and the beards, y'know - they claim they can see their ghosts a-walkin' 'round up thar, tryin' to sell ya stock options. Freeze the blood in yer veins, by cracky!

OK, that's enough of channeling old Gunsmoke re-runs, but you get the picture. In technology, as in any other field of human endeavor, the mediocre or outright stinky ideas always out-number the real winners. My nominee for the latest bad idea: social networking web sites in general and myspace.com in particular.

You've probably heard about myspace.com by now, although what you've heard probably depends on whether you're getting your information from technology news outlets like ZDNet or InformationWeek vs. mainstream media sources or propaganda services like Faux (a.k.a. Fox) News. To hear the latter two tell it, myspace is a hotbed of sexual perverts, child molesters and, for all I know, Yetis and Martians. To most of the Propeller Beanie crowd, on the other hand, it appears to be the Next Big Thing.

You know - like information push.

It's not that the idea of the Internet as a social network is inherently bad. Back before there was even a single web site, like-minded folks exchanged information and opinions and formed various types of personal relationships via e-mail and usenet newsgroups. Social networking sites have just made it easier to do so and therefore more accessible to a wider range of people.

"Aye, there's the rub."

Because the easier it becomes to create something - like, say, a web site on myspace.com - the more likely you are to have incompetent people creating it. Myspace has taken this to its logical extreme, allowing members to stick pretty much anything they want on their pages in any way they want, resulting in some of the worst web sites since the early days of Microsoft FrontPage.

I experienced this on a personal level this past weekend when, in a fit of unaccustomed leisure time, I decided to visit the myspace page of a close friend. She had recently gone through a rather nasty relationship break-up and I was curious to see how she was doing. We hadn't talked in a while and her insane work schedule makes phone conversations highly unlikely.

We may have to have that phone call yet, though, since I never was able to locate her page - it seems she's using a nom de net that I didn't know about. I did, however, slog through a number of other myspace pages in the process and, to paraphrase the late Warren Zevon, they ain't that pretty at all. Most were so chaotic and so filled with junk media that they were effectively useless. Huge image files there were in abundance, along with automatic slide shows and, that most obnoxious of all features, music that began playing as soon as the page loaded. I decided that the game was not worth the virtual candle and hit the "close" box.

And let's not even start on the abusive pop-up and pop-under ad boxes!

Besides, even with a less-cluttered interface, fewer ads, and no spyware cookies, a social networking web site is no substitute for - well - social networking. In person.

Jes' lak in the ol' days, by cracky!

Thursday, August 17, 2006

Leavin' on a Jet Plane, Part Two: The Laptop Strikes Back

In my last post on the future (or lack of it) of air travel, I noted that all personal electronics - including laptops - are being banned from carry-on luggage on the premise that they can be used to remotely trigger bombs. What I didn't mention, since it would have amounted to a major (if not augmented) digression, was the way in which this method of reducing risks on the plane is likely to lead to increased risks after landing.

And no, I'm not talking about the Air Rage likely to result from being stuck, with no form of diversion, on a transatlantic flight in the center seat between a colicky baby with the lungs of a Wagnerian soprano and a chatty insurance salesman from Topeka. What I'm talking about is the risk of damage to or theft of those laptops in the checked baggage.

I'm hardly the first person to think of this (or anything else, for that matter). Computerworld ran an article on the problem back on August 10th, along with some very common-sense advice on how to minimize the fallout from breakage (such as backing up data on a regular basis) and theft (encryption and password protection).

That advice is also, I'm afraid, very timely.

A new survey of 500 information security professionals by Ponemon Institute LLC (reported in Computerworld once again) informs us that "eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months". Eighty-one percent. Worse yet, 97% of stolen laptops are never recovered.

And this happened before the new restrictions went into force. Anyone care to guess what's going to happen in the next twelve months? Corporate spin machines are probably being primed with a fresh load of excuses, diversions, fabrications, obfuscations and some good old-fashioned hooey even as this is written.

It makes the recent flap over laptop losses at the Veterans Administration and the Navy look less like an aberration and more like business as usual - especially when you add in the recent loss of two laptops containing "names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents" as well as "fraud case files involving government contracts and grants" by the Department of Transportation. Is it any wonder that identity theft "remains the #1 concern among consumers contacting the Federal Trade Commission", according to the Identity Theft Resource Center?

What we have here, in short, is another instance of the law of unintended consequences. In attempting to reduce the risk of terrorist attacks, we increase the risk of laptop theft. That increases the risk of stolen identities, which can, in turn, be used by terrorists and other criminals to achieve their nefarious ends.

Are there steps we can take to minimize those unintended consequences? Certainly. Are we here in the USA likely to take them? Probably not. But that's a subject for a future blog entry.

Monday, August 14, 2006

Leavin' on a Jet Plane

We put up with the long security check-in lines. We sighed as we surrendered our nail clippers and penknives. We took off every possible metallic item except our fillings and shuffled through metal detectors in our stocking feet.

But we grinned and bore it because we understood the need for security and air travel was still bearable, even if it was coming to increasingly resemble the Greyhound bus experience of thirty years ago.

But now the technological sophistication of the Bad Guys has advanced, as it always does, and the bar has been raised substantially for the rest of us.

No liquids, gels, or anything remotely resembling them. Those Dr. Scholl's gel insoles are right out; ditto any child's toy with gel components. Also, no books, laptops, MP3 players, cell phones, or pretty much anything else that might make a transatlantic flight bearable. Even electronic key fobs are banned in Britain.

Has long-distance air travel finally jumped the shark? History suggests that this just might be the case.

Consider: Until the spread of mass, mechanized transit in the last century or so, long-distance travel was, for the vast majority of people, a dangerous and expensive proposition. International travel was even more so, and usually, therefore, the exclusive privilege of the very rich.

Think about it. Before the advent of the ocean liner and then the airplane, overseas travel was risky business, indeed. If the weather or scurvy didn't get you, pirates (we'd call them terrorists now) would. Even on the ground, travel via coach for any distance was slow, unpleasant and, of course, there was always the risk of highwaymen.

For a while we lived in a bubble of relatively safe and inexpensive long-distance travel. As the gap between the technology of travel and the technology of travel disruption closes, that bubble may be about to burst. Safe air travel may soon become so expensive that only the wealthy - with private jets and private security personnel - will be able to afford it. Mass air transit will simply be too dangerous.

We live, alas, in interesting times.

Thursday, August 03, 2006

Who Are the Brain Police?

[With apologies to the late Mr. Zappa]

Who are they? Well, to hear some folks over at Slashdot talk, you'd think that they were the managers of the posh Canoa Ranch Resort condominium/hotel in Tucson. It seems that, along with all the other upscale amenities (salon and spa, resort pool, fitness center and “Village Center” - does No. 6 know about this?) the owners are going to provide you with wireless Internet access as well.

Oh, yeah: they're also going to require you to encrypt access to that wireless access point (WAP).

Well, once the Slashdotters got on to that one, you'd think that Jackbooted Thugs were just around the corner. As Paul McNamara relates in his July 24th Buzzblog at Network World, “Silly was the least of the insults tossed at this idea.” The technorati were in High Dudgeon (just down the road from Low Dudgeon) and waxed wroth.

Then Roth waxed them for a while, but that's a topic for another blog - probably the one where I defend stealing jokes from Julius Marx.

Anyway, when asked why all the fuss, Sales Manager Bryan Welch said “We just don't want to see anybody hurt with their wireless system. If someone (unauthorized) were accessing it and an owner's information, there could be damage and a potential lawsuit.”

To which The Technology Curmudgeon can only add: “Well, DUH!”

Despite the fact that one Slashdot poster (as quoted by McNamara) took the position that the decision to provide encryption on your WAP was no different from the decision on whether or not to lock your door, the stakes here are clearly higher. Failure to secure your home can result in loss and misery for you and your family, but that's about as far as it's going to go.

Failure to secure your WAP, on the other hand, is more like driving under the influence in that you create a public nuisance, if not an outright menace. An unsecured WAP is an invitation for war drivers to use that access point for a variety of nefarious purposes, including the dissemination of spam, worms and viruses - all of which cause damage to the community as a whole.

Cruising the Information Superhighway unsecured, in short, is not that different from cruising the Interstate with a fifth of Jack Daniels in your bloodstream.

So, while nobody is seriously suggesting (yet) that There Oughta Be a Law, I don't think you can say of wireless security (to quote “Fats” Waller in a totally different context) “'tain't nobody's business if I do”.

Wednesday, August 02, 2006

I Can See Clearly Now

Or not. Being a dissertation on the process of making lousy decisions.

Ever wonder how some big-time decision-makers wind up making such lousy decisions? It's easy (and not necessarily wrong) to chalk some of them up to a combination of arrogance, greed, and simple immorality. The Vioxx and FEMA debacles come immediately to mind as examples. In an article in the Harvard Business Review earlier this year, however, Max H. Bazerman and Dolly Chugh suggest that there may be another factor operating. They call it "bounded awareness"; most of the rest of us would probably call it "tunnel vision".

According to the authors, "bounded awareness" happens "when cognitive blinders prevent a person from seeing, seeking, using, or sharing highly relevant, easily accessible, and readily perceivable information during the decision-making process". This can cause decision-makers to miss important information just because it's not readily available or because they don't appreciate its significance. It can also result in a failure to share that information because, again, someone has failed to notice that it is, in fact, important.

In a January 9th interview for Computerworld, Bazerman elaborates on these ideas and offers examples of the phenomenon from the lab of Cornell's Ulric Neisser (a key figure in the study of human perception and the guy who coined the term "cognitive psychology" back in 1967, for those of you keeping score) that involve the use of visual illusions. In one study, subjects asked to focus on one particular aspect of a video - how many times a soccer ball is passed among the players - completely miss another aspect that would be obvious to anyone not focused on that first aspect. In this case, it was a woman holding an umbrella walking right through the middle of the game.

Now, this sort of stuff is fascinating to me because, before I became a Technology Professional (and got my official Propeller Beanie, complete with MP3 player, webcam, 1 gigabyte of VRAM and Windows Beanie Edition), I was, among other things, a psychology grad student specializing in visual and auditory perception and statistics. I was also an amateur magician. Findings like this, therefore, are no big surprise to me. What was a bit of an eye-opener was this quote from the Bazerman interview: "In Neisser's study, only 21% saw her. My experience with executives is closer to 3%".

Yup, that's right: according to Bazerman, the guys making the big decisions at the big corporations/governments/whatever are roughly seven times more likely to succumb to tunnel vision than us ordinary mortals.

Of course, anybody can fall prey to this. I have found myself doing it more than once. Unfortunately, the skill to focus and concentrate on a single task - a vital one, especially in IT - is at war with the ability to step back, take a look at the larger picture, and ask yourself whether or not you might be missing something that's right under your nose.

So we all need to make sure we're not missing the woman with the umbrella. She might be trying to tell us that it's going to rain.

Monday, July 31, 2006

There ain't nobody here but us chickens

There ain't nobody here at all. Honest. Now just look the other way while we write anti-spyware legislation.

Everybody remember the Federal "CAN SPAM" law (official title: Controlling the Assault of Non-Solicited Pornography and Marketing Act) from 2003? It was supposed to stop Evil Spammers dead in their tracks and was signed with much hoo-rah.

Unfortunately, not even the Feds really believed it would help. FTC chairman Tim Muris, in fact, opposed it. Why? Because it would make it easier for the companies who hire spammers to claim ignorance of the spammers' business practices. According to Muris, "the FTC would have to prove that the seller (who hires a spammer to advertise a product or service) knew, or consciously avoided knowing, that the third-party mailer intended to violate the law. This standard requires proof of both the seller's and spammer's level of knowledge...These requirements to prove intent pose a serious hurdle that we do not have to meet to obtain an injunction under our current jurisdiction". It also negated existing state anti-spam laws, many of which were more restrictive.

And, of course, we all know what a significant effect the law had on spam, right?

Never content to let well-enough alone, however, Congress is now out to follow up on its anti-spam success with anti-spyware laws. Never mind that, once again, the FTC told Congress over two years ago that it already has the laws it needs, thanks very much. A new law means new photo ops. Let the games begin!

Cynicism aside, there are good reasons to be more than a little wary of this effort. For one thing, major adware and spyware vendors such as WhenU think Federal legislation a good idea - strongly suggesting that this particular chicken coop will have foxes on the no-bid contractor list. CAN-SPAM overrode stricter state laws. Any bets as to what effect new anti-spyware regulations might have on often-stricter state laws like those in Utah?

Ain't nobody here but us chickens.