Archive for July, 2010

NEWS: SonicWALL launches remote SSL VPN access products

July 31, 2010

Comprising a major software upgrade (Aventail 10.5) and a new device (SRA 1200), SonicWALL’s new offerings include smartphone support for remote access to data behind the corporate firewall.

The Aventail upgrade ties the unique mobile device ID to a specific user, confirms the user’s identity and verifies the security status of the end-point. Once these checks have passed, the SonicWALL Aventail solution grants the appropriate level of access from any web-enabled device, including Internet kiosks, laptops, smartphones and tablet PCs.

Let’s face it: everyone is mobile these days. We are connected and work whenever, wherever. Whether you like it or not – the corporate I.T. department has already lost control of what mobile devices we use and how we use them. This issue is known as the ‘consumerization’ of IT. With the SonicWALL Aventail solution, we return control and security to IT and still give end-users total freedom of choice to select the mobile platform that’s right for them. We can determine the appropriate level of trust for each mobile device and automatically grant differentiated levels of access. We return to order and security from a chaotic and dangerous mobile environment.
Patrick Sweeney, vice president of product management, SonicWALL

The new SRA 1200 appliance provides a unified policy management interface to simplify how IT managers grant access to corporate resources. Additionally, SonicWALL has integrated a Web Application Firewall (WAF) with dynamic signature updates to protect against modern web-based threats.

SonicWALL’s SRA 1200 introduces a wealth of new, powerful SMB-focused features that help reduce my clients’ costs, and expand the capabilities of their networks. Best of all, innovative features like ‘Virtual Assist’ help me support small businesses remotely without having to do a truck roll.
Tom Gregorski, technical manager, eDrivium Corp


Categories: All, Vendor News

BLOGS: iPad Facebook scam

July 30, 2010

Rik Ferguson’s You Were Warned blog warns of a new Facebook scam. Users are being offered free iPads:

Hey guys, this website is messing up right now and sending out free iPads to everyone for free without you having to complete any of those annoying advertisements. I don’t know how long this is going to last… so hurry and get one before they fix the glitch!!!

This is followed by the link to your ‘free’ iPad. But Rik warns:

If you see this posted on any of your friend’s walls, tell them immediately to change their facebook password and whatever you do, don’t click on the links – they are malicious!

Blog entry

Categories: All, Blogs

The ICO – our very own Three Monkeys

July 30, 2010

You have to hand it to the ICO – its ability to sit on a fence while looking both ways at the same time is truly Vaudeville.

This is what it says about Google’s drive-by wi-fi-spy:

The information we saw does not include meaningful personal details that could be linked to an identifiable person… [but] we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information which can be linked to identifiable individuals.


There is also no evidence as yet that the data captured by Google has caused or could cause any individual detriment… [but] it was wrong to collect the information.


…we remain vigilant and will be reviewing any relevant findings and evidence from our international counterparts’ investigations.

Therefore our information and privacy and the privacy of our information remains safe.

ICO Statement

Categories: All, Security News

BLOGS: New DMCA rules on circumventing encryption

July 30, 2010

EFF’s Corynne McSherry explains the effect of the new DMCA rules, starting with the exemption on “breaking DVD encryption in order to take short clips for purposes of criticism and commentary for noncommercial use, educational use and documentary films.”

Before this exemption was issued, the only people allowed to circumvent DVD encryption for fair use purposes were film and media studies professors. Now, that category has expanded to include all college and university professors and film and media studies students (as long as they are circumventing for educational purposes), documentary filmmakers, and noncommercial vidders. The user may take only a “short portion” of the original work for purposes of criticism and commentary, and she must reasonably believe she needs to break the DRM to accomplish that purpose.

Blog entry

Categories: All, Blogs

The Inland Revenue owes me money. Hurrah!

July 29, 2010

Well! Are there no lengths they won’t go to nor depths they won’t plumb in their drive to cut costs and reduce the public sector? I’m talking about the ConDems of course!

But it’s not all bad. The Inland Revenue has finally agreed with me that I’ve been overpaying them for years. They sent me this email telling me that they needed to refund me £1382.49. Nice!

And that’s how I found out: the Government is outsourcing the Inland Revenue. It’s actually a very good idea. Not only will they reduce costs and the size of the public sector, they are instantly improving efficiency. These new people will process my refund request in just 2-3 days!

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 1382.49 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

How do I know about the outsourcing? Well, there’s this geeky trick you can do. If you hover the cursor over a link without actually clicking it, the browser displays the link’s actual address at the bottom of the screen. I used this trick and discovered that the Inland Revenue’s offices are now in Brazil!

Well, I’m just off for a cup of tea, and then I’ll be filling in my refund form.


While having that cup of tea, the nice Mr Cameron, a great fan of this blog, phoned me. He said, whoa! Hold on a minute. This has got to be a scam. In fact I know it’s a scam. We have no plans to do any such thing. There’s no way we’d ever give you any money back.

There it is. Sorry, but if you get an email from the Inland Revenue offering you a refund, bin it. It’s probably a prank perpetrated by the remnants of the last Labour government.

Categories: All, Security Issues

Reputation-based processes are democratic but insecure

July 29, 2010

A couple of days ago I commented on a weakness in reputation-based systems:

At the very least it shows the danger of any reputation-based warning system. Reputations can be manipulated, either by lowering the bar (as in this case), or seeding the system.
When is a scam not a scam – or when is marketing a scam?

Here’s an example of seeding the system. All Facebook is reporting a flood of rude messages (in Spanish) on Facebook. This appears to have been achieved by tricking the Facebook translation application.

Due to a flaw in the Facebook Translations application, if enough people vote on an incorrect translation, that phrase will be replace [sic] what was previously a legitimate phrase.
Spanish Facebook Hacked Resulting In Widespread Vulgarity
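A model of the seeding attack described in the quoted report, as an added example that is not part of the original post and not Facebook’s code: a naive policy accepts whichever translation gathers the most raw votes past a threshold, so a flood of fresh accounts flips the phrase; a reputation-weighted policy ignores accounts with no history and requires several established backers. The accounts, thresholds and weighting formula are invented for the illustration.

```python
"""Two vote-counting policies for a crowd-sourced translation, showing how
'seeding' flips the naive one.  Added example; a model of the mechanism the
quoted report describes, not Facebook's code.  Accounts, thresholds and the
reputation formula are invented for the illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    age_days: int          # how long the account has existed
    prior_accepted: int    # past translations of theirs that stood unchallenged


@dataclass
class Vote:
    voter: Account
    candidate: str


def winner_naive(votes, threshold):
    """Accept the candidate with the most raw votes once it reaches threshold.
    One account, one vote; nothing distinguishes day-old sockpuppets from editors."""
    tally = defaultdict(int)
    for v in votes:
        tally[v.candidate] += 1
    best = max(tally, key=tally.get, default=None)
    return best if best is not None and tally[best] >= threshold else None


def reputation(acct):
    """Vote weight: 0 for accounts under a month old, otherwise grows with the
    account's accepted history, capped at 1.0.  (Invented formula.)"""
    if acct.age_days < 30:
        return 0.0
    return min(1.0, 0.2 + 0.1 * acct.prior_accepted)


def winner_weighted(votes, threshold, min_voters):
    """Accept a candidate only if its reputation-weighted support reaches threshold
    AND at least min_voters distinct established accounts backed it.  An account's
    weight counts once per candidate, so re-voting adds nothing."""
    weight = defaultdict(float)
    backers = defaultdict(set)
    for v in votes:
        w = reputation(v.voter)
        if w == 0.0 or v.voter in backers[v.candidate]:
            continue
        weight[v.candidate] += w
        backers[v.candidate].add(v.voter)
    if not weight:
        return None
    best = max(weight, key=weight.get)
    if weight[best] >= threshold and len(backers[best]) >= min_voters:
        return best
    return None


LEGIT = "Escribe un comentario..."   # the standing translation
RUDE = "<vulgar replacement>"        # placeholder for the attacker's phrase


def scenario_fresh_sockpuppets():
    """Three long-standing editors back LEGIT; fifty two-day-old accounts back RUDE."""
    editors = [Account(f"editor{i}", age_days=400, prior_accepted=20) for i in range(3)]
    socks = [Account(f"sock{i}", age_days=2, prior_accepted=0) for i in range(50)]
    return [Vote(e, LEGIT) for e in editors] + [Vote(s, RUDE) for s in socks]


def scenario_aged_sockpuppets():
    """Same attack with accounts aged past the 30-day gate but with no history."""
    editors = [Account(f"editor{i}", age_days=400, prior_accepted=20) for i in range(3)]
    socks = [Account(f"aged{i}", age_days=45, prior_accepted=0) for i in range(50)]
    return [Vote(e, LEGIT) for e in editors] + [Vote(s, RUDE) for s in socks]


if __name__ == "__main__":
    votes = scenario_fresh_sockpuppets()
    print("naive:   ", winner_naive(votes, threshold=25))
    print("weighted:", winner_weighted(votes, threshold=2.0, min_voters=3))
    print("weighted, aged sockpuppets:",
          winner_weighted(scenario_aged_sockpuppets(), threshold=2.0, min_voters=3))
```

Weighting does not make the system secure; the second scenario shows that an attacker who is prepared to age fifty accounts past the gate still wins. What it does is raise the cost of seeding from “register accounts” to “register accounts and maintain them”, which is the most a reputation-based process can offer.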

Categories: All, Blogs

Forget full disclosure; forget responsible disclosure; sign up for Microsoft’s new Coordinated Disclosure

July 28, 2010

This is clever. Microsoft has taken some stick over Tavis Ormandy and full disclosure (not as much as Tavis, but some): the whole issue has raised the possibility that companies like Microsoft might sit on vulnerabilities, sometimes for years, if the researcher doesn’t go fully public.

No company likes that sort of accusation floating around, so Microsoft has come up with a new disclosure policy. It’s not ‘responsible disclosure’ (a term and approach that is ridiculed by many serious security researchers), nor yet is it the fearful ‘full disclosure’ (a term and approach that is ridiculed by many serious security vendors). It’s a new one. It’s ‘coordinated disclosure’.

The idea is this:

Definition of coordinated vulnerability disclosure. Microsoft believes coordinated vulnerability disclosure is when newly discovered vulnerabilities in hardware, software and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Frankly I can’t see much difference between this and responsible disclosure, except that a CERT-CC becomes involved. This is the clever bit. CERT-CCs are pretty well trusted by the general public (well, they’re often ‘government’, so they must be trustworthy, right?). It’s a bit like David Cameron inviting the LibDems into government: if it goes right, it’s the Conservatives what did it; but if it goes wrong, we can blame the LibDems. Ah, but it’s more than just sharing the blame. The CERTs I’ve come across all have a policy of not going public with a known vulnerability until the vendor produces a patch.

In other words, there is no actual difference between this new ‘coordinated disclosure’ and the old ‘responsible disclosure’ except that we are given the false impression that the whole process will be policed by a CERT. That’s clever. And, of course, it’s followed by pretty standard emotional blackmail:

Microsoft calls on the broader community — from security researchers to vendors — to move to coordinated vulnerability disclosure. The need for coordination and shared responsibility has never been greater, as the computing ecosystem faces an unprecedented level of threat from the criminal element. To overcome that element, we must work together to improve the security of the entire ecosystem — and, as always, making customer protection our highest priority.

I suspect this will make not the slightest difference in reality. Existing full disclosure proponents believe that full disclosure is making user protection the highest priority; just as responsible disclosure proponents believe in their procedure. Coordinated disclosure is just meaningless new semantics: but it does make good PR.

Categories: All, Vendor News

The FTC and Consumer Privacy – and a simple solution

July 28, 2010

The FTC has been testifying before the U.S. Senate Committee on Commerce, Science, and Transportation about FTC efforts to protect consumer privacy. Now don’t get me wrong, I think the FTC has done a better job on consumer privacy than most of its counterparts – especially, shall we say, the ICO here in the UK.

The testimony also described the FTC’s recent initiative to take a fresh look at consumer privacy protection in light of new technologies and business models. The testimony noted that the FTC’s reassessment of privacy, through a series of roundtables, highlighted issues in three areas – integrating privacy into everyday business practices, simplifying consumer choices about commercial data practices, and increasing transparency of those practices. The Commission plans to release a report on this initiative later this year.

The bit that I never quite get about consumers’ privacy is, well, what’s the difficulty? If the information collected is always stated, if the use of that information is detailed, and if acceptance of this arrangement is confirmed by the user’s explicit opt-in, then where is the problem? It’s a simple agreement. An informed contract between the user and the collector. Problem solved. Simples.

Of course it does require one other aspect. If the data collector breaks the agreement (takes more than agreed, or does other than what was agreed), then the law needs to come down on that collector like a ton of bricks. Not so simples. Governments don’t like upsetting business – and the bigger the business, the less they like it.


Categories: All, Security Issues

Let the spectre of Stasi bring trust to your business

July 28, 2010

It’s hard enough for me to choose which security VAR to use – but then the VAR has to decide which of the many products he provides is best for me. What a conundrum!

I know. I’ll let him spy on my staff. Then he’ll be able to demonstrate, because he’s been spying on my staff, that I have security risks. And my staff, knowing that I let other people spy on them, will trust me even more and will have even more loyalty to my company. Trust. It’s the basis of security. Trust me.

But why didn’t I see this earlier? Why did I have to wait for SpectorSoft’s Mark Inda to tell me:

…this type of detailed analysis [the spying], which would typically cost thousands of dollars to conduct, is helping resellers break into new accounts and immediately gain credibility by offering a valuable service that analyzes how a customer’s own employees ‘work’ and how individuals or groups are driving greater ROI within that organization. Once in the account and able to show that security, productivity, and compliance risks exist, the reseller can propose a broader solution—leveraging the strengths of multiple products in their portfolio to solve specific problems, which in turn, can yield more revenue for the reseller.

Will it work? You bet. SpectorSoft has told me about one of these VARs, Network People in the greater Tampa, FL area, who say:

Thanks to Spector 360 as a featured part of our company’s new, focused security strategy, we have sold more security and monitoring product in the last quarter than in the previous 14 years combined. It has changed our whole culture.
Nate Freeman, Network President

So there you have it. Spy on your staff and change your whole culture. Who needs trust when you can have Stasi instead?


Categories: All, Vendor News

The Future of Digital Content – a Beacon Report

July 27, 2010

The Creative Industries Knowledge Transfer Network (CIKTN) has just released its final Beacon Report: The Future of Digital Content. The report seeks to explore the challenge posed to the creative industries by the rise of new media technologies in general and the internet in particular. But it, like so many other similar studies, misses the basic point. It still talks about the role of the creative industries; but the creative industries no longer have a role. In fact, there never were any creative industries — they were merely the publishers for, and leeches on, creative people. Today, creative people can do it for themselves. And they are doing it. New technologies allow the inexpensive creation, and the internet allows the inexpensive marketing and distribution, of ‘creative works’ by creative people. Who needs those big publishing companies that call themselves the creative industries?

They are now desperate companies, desperately seeking something to justify their continued existence and maintain their continued profits. One well-known route is ‘copyright protection’. The creative industries believe that by eliminating piracy and illegal downloads they will return to the halcyon days when they controlled the creative people and took the majority of their earnings. Dream on. Even if they succeed in persuading governments to use draconian powers against illegal downloaders they cannot change the new emerging paradigm of creative people doing it for themselves. This is the ‘threat’, not downloaders. Indie music is fast becoming the most dynamic area of new musical creation – it is no longer the route of desperation for bands that could get no contract, but is increasingly one of choice; and as creative tools get better and cheaper, this will only increase. The same model will apply to all forms of creativity.

Here’s an example of what I mean, taken from this new report:

The challenge is not to defend established business models [brilliant - they're finally getting it], but to understand where the value lies as defined by the user, and how to optimise experiences around these points [same as it's always been]. For example, how can record labels seek to monetise the experience and allow the music to act as an advert for the experience [oh dear, here we go again, how can we defend the status quo and maximise our profits from the existing business model?].

Well, they can’t. As Roy Orbison succinctly put it: It’s over. But that won’t stop them trying. There is one particular example from this report that highlights precisely what I mean: Area of Opportunity : Privacy.

One area that offers growth potential is to explore the idea of monetising metadata, where users are ‘paid’ to provide metadata and contextual data akin to a ‘Clubcard’ scheme thereby making the transaction explicit.

Let us use your privacy to maintain our profits

That is, you give the ‘Creative Industries’ your privacy so that they can sell it to the big marketing companies for money, and in return you get access to the music or films controlled by those same Creative Industries. It’s the same old thing with those companies trying to maintain their existing business model: they own the creative people and all of their creations, and we have to pay through the nose so that they and their shareholders continue to enjoy huge profits at the expense of the creative people and their audience: you and me.

It won’t wash. The times are changing. There is now only one hope for the existing creative industries. It is for them to change their view of ‘owning’ creative works to one of ‘enabling’ creative works. Creative people will no longer be willing to sell their souls and their works to the industries in exchange for promotion and distribution. They may, however, be willing to sell a percentage of the profits on individual works in exchange for help funding them. Attempts to demonize internet users will not prevent piracy, and reducing piracy will not delay the new creative paradigm. This latest idea, stealing internet users’ privacy and trying to sell it back to them, is absurd and obscene. Those companies that currently call themselves the Creative Industries need to change themselves to suit the emerging marketplace, not try to change the marketplace to suit themselves.

The Creative Industries KTN
The Future of Digital Content – a Beacon Report

Categories: All, General Rants
