Security Sleuthing, IT Mayhem, and Corporate Callings

1

December 17, 2009  6:34 PM

Are You Kidding Me? And You’re Shocked, WHY?



Posted by: Tdudeguy

The United State Military chose to not encrypt the video images sent from drone aircraft.  They are surprised that enemy fighters would intercept the images, to avoid being surprised themselves.

And we’re all shocked and incredulous. Why?  We should expect these kinds of security shortcuts.  Let’s dig in a bit deeper and see what other forces are in play.

The design for some drones goes back nearly 20 or so years ago.  At that time, the government actively surpressed learning and using encryption technologies, prefering to shovel DES and SkipJack at U.S.  This did many things, including supress knowledge of encryption and how to apply it well.  I’m not surprised that adding encryption would seem a large hurdle to product development and would be skipped.

In the early 90′s, satellite communications were esoteric, with the Internet a reseach tool only.  It seemed ‘safe’ to assume that these channels would never become 1) widely used and 2) an Achilles heel to routing the communications securely.  Ethernet bridges cost thousands; no one has access to these networks, let alone can decode the proprietary communication protocols.

(Remember when our vendors upheld the value of proprietary anything?  Data formats, communication protocols, even computer chips were perfectly secure because they were–P r o p r i e t a r y!  It’s an incantation for quick success.  Try it, “I like proprietary encryption.  I want a proprietary set of shoes.”  Feel the sense of security wash over you!)

Last, the overall design is embedded electronics, and embedded electronics are expensive.  Anything embedded must be environmentally hardened; and onsite storage and CPU power needed to encrypt a datastream was monsterously expensive then.  So security was not given serious attention.  It was too expensive.  “Besides, our back-end networks are some of the latest technologies,” they may have mumbled in 1994, “They’re PROPRIETARY!”.  Remember when you had to buy an IP stack for Windows? 

Now flash forward, with the same design.  People have grabbed unencrypted satellite communications for more than a decade.  Any planned use of IP networks lacking encryption is met with $300 laptops that have ethernet built in, with Internet access capacity that once cost thousands of dollars a month.  What’s the plan now?  “Maybe they won’t notice!”?

Embedded computers are pervasive.  They are difficult to develop because many are still custom hardware designs with little mass production involved.  They are coded up with ‘Git-er-Workin’ C code that loves the most legacy, least secure functions in too many cases.  Bounds checking?  Ha!  Client input sanitation?  Not in the specs.  Yet now our cars and appliances begin their steady march to Internet connectivity, much as PC’s did in 1993.

I get all of this information from the news and from experience with those old automation controller cards that worked via BASIC programs.  As part of my MVP award, I’ve taken a long look at embedded linux and Windows CE both.  I’ve even gutted controller code for my old WAP, only to see my root password encoded as a plaintext string! 

In all of these cases, I think it’s more surprising that people are shocked.  Wow, who knew that a whole batch of mission-critical embedded electronics were sent into the field without adequate security–in the early 90′s.

We wouldn’t do that today would we?  Remember the F-22 and all the problems it had?  Check this old post out:  http://mae.pennnet.com/articles/article_display.cfm?article_id=100159.

No the news talkinghead reports that it will be expensive to retrofit encryption onto that legacy design.  No surprise.  Unlike coding with a type-safe language like embedded Java (or my fav’ .Net Compact Framework); this is mean-green C code that might be procedural if we’re lucky.  Most likely it’s coded to the hardware vendor’s API’s.  Extensibility?  Nah, not with embedded.  Your next mobile phone design will use an entirely different processor and require wildly different calls.  You code that one in 60 days.  Nah, this is embedded ‘Git-er-Workin’ at its finest, done without .Net Compact Framework’s hardware abstraction layer.

Let me guess, they’ll implement encryption on the drones by using discarded SkipJack chips, soldered onto some daughtercard you put in the design’s slot on the PS/2 motherboard.  Ummm, smell the proprietary!

jt

December 12, 2009  12:18 PM

Where Have All the American IT Flowers Gone?



Posted by: Tdudeguy
Adult Education, Foreign Competition, IT Jobs, Pervasive Computing

It’s a wild mix of ideas in the Blogosphere and in the IT newsletters.  Some claim IT is leading a job resurgence.  Others claim IT jobs are going.  What gives?

I don’t claim to know what is going on.  I do see fewer IT majors lining up for the field in colleges and universities.  I also witness, first-hand, how skills become commodities.  Remember the days of $300 10 MB ethernet cards?  Remember setting interrupts, clearing conflicts, and spending thousands on hubs?

I can both provision and configure a wireless ethernet network at home, implement a firewall, and use the internet:  all with $100, built-in networking hardware, and the advice of a WalMart employee.  Don’t laugh!  WalMart often provides hi-tech employees for their electronics department.

Of course, I can chortle that these aren’t ‘Enterprise-ready’, but the fact is this:  IT topics, IT learning, is pervasive and cuts across all segments of our society.  IT has always been fast paced; but today, it moves at Internet speed.  Is your learning plan equally aggressive?

Everyone gripes about ‘foreign competition’, alleging unfair practices and all that.  How many are equally comfortable with confronting the commoditization of IT technology and knowledge?  While you’re on this topic, consider the cost savings virtualization brings.  Three hundred physicals [servers AND switches] get folded into a lovely VMWare architecture, now easily placed into a room 1/10 the size of the old computer center.  How many people you need now?

And what about those Clouds (and Cloud Computing) on the horizon?  Do companies still need to in-house any IT?  I’d suggest yes, especially for core topics like security.  But some companies are fool-hardy and willing to accept long-term, business-ending risk for Xnd Quarter gain.

Sorry if I’m so cranky.  Heard some comments about ‘foreigners’, the longtime American punching doll.  My ancestors came here with nothing and became ‘foreign competition’, often taking life-threatening jobs Americans wouldn’t take–at any wage.  For this, they were called, “Huns” and “Dutchmen”, often after tossing a brick through a living room window during the World War I–despite being Americans for more than a decade.  Their foreign accents and funny long names were ridiculed and made fun of.  Lots of immigrants had big difficulties put on them.  How ironic that immigrant grandchildren pass the same ridicule onto new immigrants…?

Today’s IT change we see is not unlike the shift from steam to diesel, from people to mechanized shovel, from LAN to Internet.  And as before, with other shifts, do we have an education plan and set of expectations on par with those rushed into being after the Sputnick launch?  NO!  Show me an Adult Learning plan put in place to help us meet the challenges of the 21st Century!  (Check the investment in people, the support for learning that other governments give their citizens…)

I could end this now.  I won’t.  It seems to make governmental inactivity ‘The Cause’.  No.  As an American, do you accept new technologies and a need to learn, with all the force given to condemning other workers?  When is the last time you took the opportunity to take an IT class, (let alone be asked to teach)?  Would you use governmental retraining programs, possibly provided over the Internet? 

If you’re looking for an easy job, a learn-once and work-forever job, stay away from IT.  We’re all moving at Internet speed, and that has made all the difference.

jt


December 8, 2009  6:21 PM

Is an IT Career Still Worth It?



Posted by: Tdudeguy
IT Careers, IT Changes, IT Employment

I teach at a local university.  I receive emails that seem to indicate declining enrollments in IT across the U.S.

My daughter needs to ‘find herself’.  We are strolling the job boards, looking over various jobs.  There seem to be quite a few IT jobs.  So what accounts for those declining enrollments?

This is an open invite to you, my fellow IT workers, to comment on today’s IT opportunities.  Are things as good as they once were?  If not, when did things change?  Would you encourage your son or daughter to study to be an IT worker?

jt


November 22, 2009  10:06 PM

New Office for Some



Posted by: Tdudeguy
Microsoft Office, Open Office, Star Office

Office 2010 beta is released to us’un’s.  Neat.  Lots of neat features in the offing. 

Some will claim now is the time to try Open Office.  You know, the ‘free’ alternative.  It’s kind of like getting a free printer, or somewhat free, or at least for the price of a replacement toner/ink cartridge.  Why was that even offered?

The idea was to corral you into a lifelong dependency on their replacement cartridges, papers, parts, and paraphernalia.  But how can this sales tool be at all related to office suite software?

I’ve run Open Office for many years, alongside Microsoft Office.  I even have a Star Office manual somewhere.  I generally got the evil, commercialized version of the Microsoft offering ?for free? with most new computers.  I at least got Word.  Good thing.  In my role as a Technical Editor of textbooks and consumer computing books, most of the projects were Word documents, with Word macros.  I tried Open Office and compatability was not assured, with mildly complex files, let alone those time-saving macros.  No, I seem to make money with the commercial offering office suite. 

And this is my advice to those of you considering a switch to a more generic office suite of tools.  Do you use Microsoft Office Macros or VBA extensions?  Have you created VSTO (Visual Studio Tools for Office) offering for your customers?  Do your documents include tables, custom bullet shapes, etc?

If so, getting Microsoft Office just might be worth it–only you know your data.  Changing data formats is never easy.  I have old poetry on 5 1/4″ floppies, typed with WordStar.  I just completed transferring a lot of video cassettes to DVDs (the wedding, the kids, etc).  Data conversions are very difficult to manage.  Committing your graphics to PCX versus JPEG may be something you regret.

Lots of things change; technologies and formats come and go.  They Stumble That Run Fast.

I am a Microsoft MVP who teaches Visual Basic .Net and has seen the power of VSTO as a way to knit really nice applications from those swell Office Objects.  I’m not an Office MVP, so I’m not sure this is relevent.  But I offer it regardless.

jt


November 12, 2009  10:01 PM

What We All Need to Do



Posted by: Tdudeguy
Financial Fraud, Security Design

Yesterday, I sanctimoniously proclaimed that we all must manage our accounts better.  Tonight, let’s explore another angle:  the growing convenience factor decreasing actual security.

Wired had an excellent article on a hacker who was, he alleges, an FBI informant.  In this story, one I can’t find, there is a sub-plot that revealed how a man had his investments stolen by a different hacker, one who monitored the investor’s life, through the his online postings and emails.  Once the man left for a trip, the hacker realized s/he had opportunity to take the money from the distracted investor.  And that’s what happened.

How did this happen?  How is it so many thousands of dollars can be vacuumed away in an online session lasting minutes?

We’ve exchanged many traditional safeguards for online convenience.  Paper checks are destroyed, not returned.  Paper checks themselves, once physical records for transactions, are seldom used, in favor of ‘authorized’ electron flows.  Financial and banking systems are created and designed with big dependencies on ‘consumer’ online systems, systems outfited with consumer-grade security, (such as challenge questions whose answers lie littered on your Facebook page).  Credit card fraud and identity theft crimes only grow in frequency and in damage, but so long as easily faked cyber transactions produce money, no one says, “Stop!”

What does happen are those frequent sanctimonious writings, like mine, chiding us all for weak or dated passwords; all the while no one challenges the notion that critical financial systems can be secured reasonably with artifacts as ancient as user-maintained passwords.  New passwords that guard your finances, that critical bundle of transactions that take the place of physical records (and equally physical authentications at the local branch); these new passwords and reset codes are sent to email systems that may or may not lock an account out after repeated password guessing attacks. 

What We All Need to Do is think through where the responsibilities for secure systems lie.  Is the problem common people who make common mistakes, or does the responsiblity lie with financial security experts, experts who knowingly trade off established security systems and principles for convenience and cost savings for the financial institution?

jt


November 11, 2009  9:06 PM

What I Need You To Do



Posted by: Tdudeguy
internet community

People rebel against the thought of Internet Accountability. 

Nothin’ doin’, I’ll do what I want.  No harm if I don’t change my email password.  It’s my email, and I don’t care who sees it.  Mumble, Grumble.

But think outside of your own sphere of self-involvement, huh?  Right now, buckets of spam are thrown onto the email flames burning up bandwidth because of poor security practices giving spammers free reign to your account.  Viruses you didn’t send still sneak into your friends’ systems because people think you might be trustworthy.  And are you really surprised to find out that someone, not you of course, used your eBay account to bid $9000 for an old doll?

It’s time to think of more than ourselves, to think to those connections on this thing called Internet that weave us together. 

I agree with others who are upset with naive security practices in place at social networking sites, sites that leak more information than they disclose by security design; but I’m not writing about some vague organization.  I’m writing about you; you, that reader out there.

What I Need You To Do Is This:  think through the myriad numbers of accounts and accesses you have across dozens of applications and systems.  Are they reasonably secure?  Are you checking on their use, possibly closing them if no longer needed?  Do you routinely send email with nebulous subject lines like, “offer enclosed”, “read this; it’s funny!”, or other lines a phisher might use?  What I need you to do is think about your ties to us other Internet citizens.

jt


November 1, 2009  7:01 PM

What do people know about you just now?



Posted by: Tdudeguy
Internet II, Personally Identifiable Information, PII, Privacy, Social Networking

I enjoy reading Dilbert, the cartoon.  It’s fascinating to what degree Scott Adams, the writer (and illustrator, of sorts) of the comic.  The other weekend, I was deeeee-lighted to read how Dilbert and Wally convinced the pointy-haired boss to post everything, his very whereabouts even, on Twitter.  While claiming the purpose was to provide inspiration, far more sinister was the use of Twitter to know where the boss was and when he was likely to return.  I raise my cup of decaf in their honor.

I remember someone remaining at our home the day of my father’s funeral, so very long ago.  Ours was never a ‘great’ neighborhood, but the run down of it, that neighborhood, in the late 60′s meant that we had these and other precautions in the early 70′s.  There were those who’d read the obituaries and then rob the home during the funeral. 

What do you broadcast with your attempt to turn your life into a low-cost reality show?  If someone explored your social networking patterns, would enough information be gathered, information enough to answer those challenge questions needed to reset your passwords on a dozen sites?

It’s amazing to me, this twist to the privacy movement.  People object to companies collecting information on us, their zombie-like customers.  And yet the same will provide dozens of vignettes, some embarassing, on Facebook.  They will enroll on dozens of sites that spell out the minute details of their lives.  They will give freely what once cost Info-Brokers a lot of money and pre-texting.

What do people know about you, just now?  Should you be worried?  Why not?  Leave a comment or two.

jt


October 26, 2009  7:56 PM

Blogger ethics & the FTC



Posted by: Tdudeguy
change, ethics, Internet, product evaluation

Let me Introduce myself.  I am a blogger with a lively interest in the IT and IT Security fields.  These blogs will bring together more than a decade of experience with so many IT events and happenings.

As you know, the FTC recently made it important that we bloggers own up to anything that might sway our judgment.  I am a Microsoft MVP because of my work teaching Visual Basic .Net at the local university.  This means I get a free copy of MSDN so as to keep track of new developments with Visual Studio.  I even get free access to another development environment called Eclipse, one that can run gcc, a !free! compiler.  Did I mention I got Apache and Linux approved for use at a big organization once, so I may be partial to those technologies? 

Last, I got a small, !FREE! box of Tide detergent in the mail.  I must confess that I use perfume-free All detergent.  My indoctrination didn’t take I guess.   

Meanwhile, the number of bank failures is something like 106 during last year’s crisis.  The banking industry got untold billions of dollars to prevent an out-and-out collapse, one caused by lousy ethics and even worst inspection of business practices.  Much of that money went for bonuses or was never properly accounted for.

Meanwhile, we Internet Bloggers must confess that the candy machine once dropped TWO bags of Peanut M&M’s onto the platform, and this explains why we favor those candies more than others.  We’re in the middle of an Info-mercial epidemic but it’s the blogger community needing inspection?  Medical claims for herbs and plants are routinely provided by actors who only play doctors, but it’s ‘those Bloggers’ we should beware of…

I applaud the government’s willingness to clean up a growing problem, but the approach seems all wrong.  Does anyone really think you Internet-savvy readers are so easily duped or that we Internet-driven bloggers are so easily swayed that anything we get freely will drop our objectivity?

I think this reveals the gap between the Internet and the traditional societal structures.  If FREE were able to so conclusively sway we Internet Experts’ views and opinions, we’d mention nothing other than Open Source technologies, I suppose.  So just what will this column cover? 

I have a deep fondness for efficient and cost-effective IT tools that work well.  You’ll read about them here.  Just remember, though, that we’re both easily swayed by such transparent tactics…  This intial blog hopes to set the record straight regarding what may be influencing our views on many information technologies.

jt


1

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: