Friday Summary: June 22, 2012
I have been wanting to write a bunch of blog posts for the last few weeks. No, not the heavy research work we have been in up to our eyeballs, but about some of the strange and interesting stuff currently been reported. We used to do a lot more commentary and I miss it. I have a little time this Friday, so I though I would comment on a few of the past week’s articles I think warrant discussion – in many ways as interesting for what was not discussed. Here we go: The first was Google saying that the Internet is a Dangerous Place. OK. Why? Actually, “Why Now?” is a better question – Google has been making a lot of noise lately about security and privacy. I have been getting a dozen or so Google Safe Browsing warnings when visiting web sites, where Safe Browsing has supposedly detected ‘malicious’ or unreliable content. The problem is that every single one of the alerts was bogus! If you look at the details of why Safe Browsing thinks the site is bad, you ll find that all the checks Google lists were passed without detecting any unusual certificates, scripts or content. Take a look at the JavaScript or anything else in the page source, and everything looks sound. I instinctively tend to agree with Google’s assertion, but when I look at the basis for their claim, my own experience with Safe Browsing’s complete unreliability makes me question its validity. I don’t think their assertions are based on solid data. Amrit Williams made a similar tweet a couple weeks ago, saying “Chrome should just be called ‘Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.’”, and The New York Times ran an article on the same subject. My problem is not that I believe or disbelieve the existence of state sponsored censorship, but I don’t understand the recent hype. It appears to be all FUD, but what is the point? Why is Google being so noisy about security and data integrity? The cynic in me believes that they must be positioning security as a value add, or possibly looking for a legal angle to keep data pure – otherwise why the sudden clamor for attention? Which leads to the second post I found very interesting, on Bruce Schneier’s site, called Apple Patents Data-Poisoning. It appears that the US Patent and Trademark Office believed that poisoning profile data was novel and granted Apple’s patent request. In 2004/2005 I used to provide prospective customers for database activity monitoring a demo script to run against competitive products. The script would simply push SQL queries to both real and non-existent databases over the network. None of the queries would execute successfully because they we not actually part of an active database session. But competitors’ network monitors only looked for SQL queries on any known database port – without regard for whether they were actually going to a database – the monitor would capture all this fake activity. I could poison competitors’ logs with bogus activity, or flood it with false positives. It was a terribly effective way to demonstrate how early database monitoring products that watched network activity sucked. But I would never have tried to patent that idea – it feels like trying to patent network packets: good packets and bad packets are just normal network traffic. Similarly I would not patent my attempts to create “False Adrian” by showing non-random but totally bogus interest in products or services to see what sort of anti-profile I can create, a hobby I have been experimenting with on and off since 2006. This seems like a patent awarded for “urinating on the floor”, or anything else that occurs naturally but fails to identify genuine user intent. From an intellectual property standpoint, I hate to think someone could patent something like this. But from a product standpoint, if Google (and other marketing firms) surreptitiously capturing all your activity for profit pisses you off, would you buy an Apple product that poisons your activity trail? I would. A cloud based iRandomizer for browser traffic over an encrypted tunnel would be ideal! Finally, a post on MSNBC said some hacked firms are “fighting back” by hacking the hackers. Forgive me, but ‘Cloudstrike’ has a very Team America feel to it; well-intentioned but wide of the mark. First, there is a big difference between “active defense” and “strike-back” capabilities. Active defense is not an attack against hackers – it is an active scan of activities on the Internet for clues that someone is, or is about to, launch an attack against your site. Something like the CIA or NSA gathering intelligence to detect someone plotting a terrorist attack. Some large firms use this type of service for advance notice, and they hope to get an early start on their response, whatever it is. But “strike back” capabilities are totally different, and the goal of damaging an alleged attacker would certainly be outside the law. I doubt any of these plans will be effective – the New School blog raises the same question in Active Defense: Show Me the Money. The concept seems well intentioned – some of you are probably unaware that a handful of recent electronic attacks against major companies have been accompanied by physical threats against employees. So I get the desire to induce the same fear in hackers, but it seems unlikely to work, and it’s definitely illegal. Really, you can either locate the attacker(s) or you can’t, but if you can you have a good possibility of scaring them with law enforcement. Otherwise you’re pretty much out of luck. I know some attacked firms have conducted reconnaissance and analysis to help law enforcement locate the attacker, but that seems like the reasonable limit of effectiveness for counter-strike computer security. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on the Security Generation Gap. Mike quoted on the “Renaissance Information