Tag: security

  1. Privacy, anonymity, and security, part the first.

    19 August 2008

    Longtime readers of my weblog are no doubt familiar with my preoccupation with security, which led to my working in that field of endeavour, and also my interest in personal privacy. A couple of weeks ago, some of my readers asked me what they, as computer users who aren't experts but aren't starting from square zero either, could do on a personal level. I thought and thought for a couple of days and put together a list of things, and then realized that making all of it make sense would take much more than a single post because it's not …


  2. Safe browsing from hacker cons: Running a personal proxy.

    23 July 2008

    Whenever I plan on using my laptop at a convention, in particular at hacker cons, it's practically assured that an unknown number of attendees will be monitoring the wireless network in some manner for nefarious purposes. Because many application protocols in use (like instant messenger and webmail) do not use cryptographic systems to protect traffic, it's possible to record what people are doing as they do it, or, worse, record the credentials used to log in. The software to do this is trivially easy to acquire because protocol analyzers (more commonly called packet sniffers) have legitimate uses when troubleshooting networks …


  3. Liveblogging: The Last HOPE and moments up to.

    18 July 2008

    1007 EST5EDT: On the road, er, rail again.

    Just a few scant minutes ago I boarded the Acela express train out of Union Station in Washington, DC destined for the city that never sleeps. Yes, once again New York City is my destination, and I sincerely hope that it's prepared for the advent of Hackers On Planet Earth, the biannual convention held by 2600 Magazine at the Hotel Pennsylvania.

    Taking the train is probably one of my favorite ways to travel. It's quiet, it's fast, and the scenery is something that you don't often get to see in the DC …


  4. A touching amount of concern for a presidential candidate.

    21 February 2008

    I haven't been writing about the beginning of the presidential campaign season because I've been busy with other things, but I thought that this should be spread around a bit more widely... Barack Obama's security detail ordered on-duty police officers at a rally in Dallas, Texas to stop searching attendees for weapons as they filed in.

    You read that correctly, they were told to stop looking for weapons. D.W. Lawrence, Deputy Police Chief of Dallas, went on the record as saying that the order 'apparently' came down from the US Secret Service because they wanted to "speed up the …


  5. Bruce Schneier on the false dichotomy between privacy and security.

    29 January 2008

    If I ever get around to having children, I might name my first boy after Bruce Schneier because he's got a lot more on the ball than I ever will. This time around, Schneier has weighed in on the privacy versus security debate in US policy and why it's not really debatable in the manner it's being presented in because personal privacy and national security are not, in fact, opposed to one another. His commentary was provoked by Michael McConnell (Director of National Intelligence) stating in the 21 January 2008 edition of the New Yorker that he wanted to monitor …


  6. Well, I made it to California...

    04 May 2007

    0814 EST5EDT - Writing offline on Windbringer, high above the state of Virginia, I believe.

    Somehow I managed to get to bed at a decent time last night in preparation for my trip to the LayerOne conference in Pasadena, California this weekend. However, that should not be construed to mean in any way that I had an easy time of falling asleep... being naturally inclined to life as a night owl (professionally and otherwise), retiring before midnight is often problematic, unless I've run myself into the ground and really need the rest anyway. Still, somehow I caught a few hours of …


  7. Oracle sure took its sweet old time patching this...

    19 April 2007

    Oracle is best known for its database system, which many thousands of companies make use of in some capacity or another. It's big, it's bad, it's complex, but it's also got some amazing features, like clustering and replication that many other databases (open source and otherwise) can't hold a candle to, assuming that you understand it well enough to make it work. It's a complex beast, no two ways about it. That complexity, however, is no excuse for them taking two years to patch a security vulnerability in Oracle 10. It's a cross-site scripting bug in the enterprise search subsystem …


  8. A new Windows worm crawls the net.

    17 April 2007

    A couple of days ago, Microsoft released a security bulletin regarding a vulnerability in the DNS server component of Windows Server 2000 and 2003. In it, a remote attacker can cause the DNS server system service to spawn a shell that one can then connect to and execute commands because there is a bug in the RPC (Remote Procedure Call) interface. Ordinarily, Windows is designed to be operated from the GUI that we all know and love, but if you open a command shell, there's an excellent suite of command line utilities that can perform the same operations, usually much …


  9. Turbotax web application security vulnerability.

    12 April 2007

    A customer of the Turbo Tax web application discovered by accident that it is possible to look at tax information belonging to other customers who happen to share your last name by attempting to view past tax filings. By 'tax information' I mean everything, from Social Security Numbers to bank account numbers and routing codes.

    Here's hoping they audited the code in that web app and fixed it before anyone else had a chance to discover the bug, and take advantage of it.


  10. The gadget shoulder holster at Thinkgeek.

    23 March 2007

    Am I alone in thinking that wearing a shoulder holster designed for your techno-toys is a bad idea these days? Sure, it reduces your batman factor by redistributing the gear, but these days security guards (especially in office buildings) are much more aware of possible threats, including weapons. At a glance, one shoulder holster looks pretty much like another, and no matter what that bulge under your arm might be, a bulge under the arm is still suspect, and any police officer or security guard worth the name is going to check it out. At the very least, airport security …
