Security archives - Our Latest Discovery


Mar 2 2009   1:56PM GMT

Closed-circuit TV “a high-tech Panopticon”



Posted by: Ivy Wigmore
closed circuit television, CCTV, Panopticon, surveillance, privacy, Security, civil rights, CIO
In The Guardian, Paul Lewis writes about Westminster’s CCTV system: “Using the latest remote technology, the cameras rotate 360 degrees, 365 days a year, providing a hi-tech version of what the 18th century English philosopher Jeremy Bentham conceived as the ‘Panopticon’ - a space where people can be constantly monitored but never know when they are being watched.”

I remember the Panopticon from Foucault’s Discipline and Punish. (Disclosure: I read it for a philosophy course.) Foucault believed that the effect of the Panopticon — if not the precise design — was pervasive throughout modern culture.

From Wikipedia:
The Panopticon is a type of prison building designed by English philosopher and social theorist Jeremy Bentham in 1785. The concept of the design is to allow an observer to observe (-opticon) all (pan-) prisoners without the prisoners being able to tell whether they are being watched, thereby conveying what one architect has called the “sentiment of an invisible omniscience.”

Bentham himself described the Panopticon as “a new mode of obtaining power of mind over mind, in a quantity hitherto without example.”

… Many modern prisons built today are built in a “podular” design influenced by the Panopticon design, in intent and basic organization if not in exact form. As compared to traditional “cellblock” designs, in which rectangular buildings contain tiers of cells one atop the other in front of a walkway along which correctional officers patrol, modern prisons are often decentralized and contain triangular or trapezoidal-shaped housing units known as “pods” or “modules” designed to hold between sixteen and fifty prisoners each. In these designs, cells are laid out in three or fewer tiers arrayed around either a central control station or a desk which affords a single correctional officer full view of all cells within either a 270° or 180° field of view (180° is considered a closer level of supervision). Control of cell doors, CCTV monitors, and communications are all conducted from the control station.

Aug 7 2008   4:31PM GMT

How you can watch the Olympics live online (and what sysadmins can do about it)



Posted by: Alexander Howard
Google, Microsoft, media, Technology, Web services, video, YouTube, Internet, multimedia, useful, cool, free, feeds, event, resource, participation, wiki, IPTV, interactive media, streaming, howto, Yahoo!, Sun Microsystems, hacking, communications, Web applications, government

After years of buildup, the Olympics are about to kick off tomorrow in Beijing. As Shamus McGillicuddy reports, streaming Olympics video will drain corporate bandwidth. This year’s games are going to put substantial, perhaps even unprecedented, strain upon the Internet backbone. NBC plans to stream more than 2,200 hours of live video coverage online.

CBS took a similar approach to “March Madness” this spring, streaming all 64 games of the NCAA men’s basketball tournament. Network administrators have similar challenges now in deciding where and whether to block users from accessing NBC.com, capping bandwidth use or engaging in a little proactive traffic shaping.

Personally, I like the suggestion made in Shamus’s story by Eileen Haggerty, director of product marketing with NetScout:

“An IT organization could set up a PC with a large-screen monitor in the office cafeteria that would run streaming video of the games. Instead of having 15 people sitting at their desks sucking up bandwidth individually, a savvy network administrator could bring all those people together to watch the Olympics during their break.”

Let’s assume for a moment, however, that you aren’t a bandwidth-conscious CTO and would like to be able to keep current on the standings in your favorite events or athletes. (Or that you believe setting up a few televisions is a handy low-tech hack.)

Thanks to Gina’s post on Lifehacker, Watch the Olympics Online, I found Wired’s excellent How-To Wiki for Watching the Olympics Online. (As you might expect, this link has been climbing the charts on the most popular page at delicious.)

As the wiki notes, you can catch up to four different livestreams and more than 3,000 hours of on-demand at NBCOlympics.com.

Worldwide, there are also many other websites streaming Games footage: CCTVOlympics.com in mainland China, BBC Sports in the U.K., Yahoo7 in Australia or CBC Olympics in Canada.

There’s a catch, however, to the livestreaming, on-demand video goodness: In most cases, users in the United States will be blocked from viewing the footage on any site but NBC.

If you’re savvy enough to follow the advice at Metafilter by setting up a proxy server or using Anonymizer, you should be able to get around location restrictions.

It’s a cinch that the millions of broadcast viewers will be recording and uploading events to YouTube on their own, of course. NBC has tried to get out in front of the inevitable wave by partnering with Google, with plans to provide 3 hours of highlights and wrap-ups to a dedicated channel on YouTube.

As the authors of the Wired wiki note (nice work, applian, apardoe, mosesofmason and snackfight!), BitTorrent is also an option for watching events after the fact, though P2P file sharing on your corporate network may land you in more hot water than simply streaming the video, given the various serious security risks involved.

What the wiki doesn’t note is what is lying under the hood over at NBCOlympics.com. NBC has partnered with MSN to stream the Olympics using Silverlight, in what will be far and away the biggest test for Microsoft’s alternative to Flash to date.

Anyone who wants to watch the Olympics will have to download and install the Silverlight plug-in, a process that is certain to test exactly how ready for “prime time” the technology is for streaming rich media online. Of special note is the fact that Silverlight encrypts a video stream, which will make recording the events considerably harder (if not impossible).

As a result, tech pundits, geeks and network executives will no doubt be watching the race to crack the streams and distribute unauthorized video nearly as closely as the games themselves.

Enjoy the Olympics!


Apr 10 2008   10:23AM GMT

Video: Install and configure SNORT on an XP PC



Posted by: Alexander Howard
Security, open source, applications, video, YouTube, useful, learning, free, downloads, screencast, tool, tutorial, howto

In this video, the instructor goes through the process of downloading, installing and configuring Snort as a sniffer and an intrusion detection system on a Windows XP machine.

For more information about Snort, see the following tips and articles:

Finally, make sure to view this expert screencast on Snort from SearchSecurity.com contributor Tom Bowers. In a step-by-step demonstration, Tom Bowers offers a brief introduction and history of Snort, and explains what it can do for information security pros and how to use it for the first time.


Apr 9 2008   11:00AM GMT

Video: Botnets, Botmasters, Zombies and the greatest threat to online security?



Posted by: Alexander Howard
Security, applications, media, video, YouTube, Internet, academics, code, hacking

Professor Merrick Furst, associate dean at the College of Computing at Georgia Tech, explains how botmasters use zombie armies for financial gain. Furst estimates that about 7% of all Internet traffic is zombie. Kraken, today’s Word of the Day, is now reported to be the largest botnet in the world, with over 400,000 machines infected.


Apr 8 2008   9:08AM GMT

Video: Secure Programming with Static Analysis



Posted by: Alexander Howard
Security, programming, software, video, YouTube, Development, discussion board

In this video, Brian Chess and Jacob West from Fortify Software talk about the importance of security at the software development level.


Mar 19 2008   3:26PM GMT

Video: Defense-in-depth with end-to-end network security



Posted by: Alexander Howard
Security, YouTube, books, hacking

Network security expert Omar Santos presents material from his latest book, End-to-End Network Security: Defense-in-Depth — Best practices for assessing and improving network defenses and responding to security incidents.


Mar 10 2008   9:13AM GMT

Video: FBI can listen even when a cellphone is turned off



Posted by: Alexander Howard
Security, email, Mobile, applications, Technology, video, YouTube, Audio, tracking, traffic, tool, information, politics, hacking, communications, government

Fox News aired a report in 2006 that described how the FBI can turn on the mic on a cellphone and eavesdrop — even if the phone is turned off.

Today’s Word of the Day, government Trojan, describes efforts by various governments to covertly surveil traffic of all kinds to and from suspect hard drives, including VoIP, cellphones and email.

These kinds of measures are only likely to increase as groups of all stripes turn to the Web to organize and communicate about activity the government wants to monitor. I find the “analog hacks” used here intriguing. VoIP or cellphone conversations and email messages may be encrypted during transmission, but if an agency can record a target on the microphone or by using a keylogger, even quantum cryptography could be sidestepped.


Jan 4 2008   11:40AM GMT

The future is now. And the silicon cockroach has evolved and flourished



Posted by: Ivy Wigmore
Security, hardware, messaging, Mobile, Apple, Technology, Audio, multimedia, MP3, futurism, traffic, Bluetooth, gadgets, trend, telephony, science, texting, geek, grayware

It’s sometimes said that the only constant that you can count on is change. Change is necessary, after all — “Adapt or die” being an imperative of the natural world. And perhaps even more so in the world of technology…

These are the sorts of thoughts that occur as I poke around in the definition database, reviewing likely suspects for Words of the Day. WhatIs has been around since 1996, when founder Lowell Thing started his little “dining room table experiment in hypertext.” Eleven calendar years ago. I’m not sure how long ago that is in Web years, for which the calibration must always be ramping up. However long the years since, though, what it means for us editors is a whole lot of updating.

We try, with varying success, to make definitions as future-shock-proof as we can without compromising the value of current information. Today’s Word of the Day, Antikythera mechanism, lends itself to that approach pretty well. You don’t expect a lot to change on a 2000-year-old computer. But for breaking news and link rot, we’re pretty much set with that one.

On the other hand, there are those definitions that seem to have been written in a simpler time, probably in the last century. Occasionally, I review a definition that predicts future developments that have either not panned out or have proven so prescient that all we have to do is change the tenses and phrases like “might become” to “is.”

Take silicon cockroach for example. I came across that one yesterday, looking for WODs for the weekend. John Sidgmore coined the term back in ‘98 to refer to the multiplicity of small electronic devices that he predicted would prevail in the future. We added the definition in ‘01. Now, as we flip lightly over into ‘08, I see that not only do the tenses need to be changed from future to present but a host of new life forms added to the species. No mention of MP3 players, GPS, USB drives…

What does our definition say now? Well … that depends. How far into the future are you reading it?
~ Ivy Wigmore


Aug 27 2007   12:26PM GMT

Facebook: A social network evolves into a social utility



Posted by: Alexander Howard
Security, business, applications, Web 2.0, programming, data, new media, Internet, innovation, culture, education, college, public domain, portal, social publishing, interesting, creativity, Silicon Valley, entrepreneurship, startup, collaboration, community, social, discussion board, mashup, trend, social networking, directory, buzz, privacy, Web applications, buzzword, recruiting

What can I say about Facebook that hasn’t been said? Newsweek has placed Mort Zuckerberg, the founder of the social networking giant on its cover. And the press has been hyperventilating about Facebook for months.

So what is Facebook? It’s a simple idea, done well: move the “facebooks” of incoming college undergraduates online, with headshots and interests constituting a basic profile, and then create the tools for nodes on the network to interact and browse each other’s profiles.

It’s also my “latest discovery,” as I joined earlier this spring, egged on by a neighbor. Back when I went to college, we had such a thing, printed on “paper,” bound and distributed to the freshman class (and just as quickly appropriated by upperclassmen frequently interested in more than discovering who else was into rock climbing or Pearl Jam). Facebook was, at its inception, a social network for college students, with access limited to only students in the same institution. Now, Facebook has laid claim to being a “social utility,” bidding to become the platform or framework we use to organize our online lives.

Audacious, perhaps, but not unprecedented. Friendster had the early start in filling that role but never recovered from an inability of its original technical architecture to scale to massive traffic demands or challenges from MySpace and other networks.

To be fair, over the past spring and summer, the social networking phenomenon has continued to explode in popularity and innovation, but Facebook has grown much faster and pulled in the digerati like no other.

Why? There’s no single reason. While the decision to open the formerly closed network to the Internet at large, instead of limiting membership to isolated pools of collegians, is an obvious place to begin, other factors are in play. Making APIs available to developers resulted in a tsunami of applications that help to further interconnect nodes within each social network, which has attracted enormous amounts of energy (and, increasingly, venture capital) to the platform.

Choosing to keep a clean, easily navigated interface has mattered as well. While MySpace is still the biggest social network (and, by most measurements, the most popular site on the Internet), the contrast between the two services couldn’t be much larger, aesthetically, as Facebook (by comparison) radically limits the visual control a user has over a profile. It doesn’t hurt that all of the young college graduates enter the workforce with profiles, either.

If you need a sense of how bound into the tech community Facebook has become, consider how Silicon Valley reacted to a recent Facebook outage.

There’s plenty of evidence too that spending time on Facebook has also evolved into a significant productivity drain (though some disagree) and security risk. (If you’re wondering which companies lead in embracing Facebook, along with the most risk, just read Elisa’s post.) The trouble is that sysadmins with itchy trigger fingers may not be able to quickly shut off the flow of bandwidth by firewalling Facebook. Unlike other, more informal networks, Facebook is one that many professionals have been using to “friend” their coworkers, clients and collaborators, along with former college roommates and dorm buddies. While LinkedIn has long been the social network of choice for many professionals, Facebook has begun eating into that market. In the online social media world, the gaps between online and offline networks are continuing to close, along with whatever space remained between work and personal lives.

Netizens my age (proud members of the “XY generation” that bridges the gap between Gen X (children of the 80s) and Gen Y (folks who don’t remember life before CDs and email or who said “trust but verify”)) and older may find some elements of Facebook surprising, though perhaps not more so than MySpace. Older users are joining, however, and finding a place. While privacy options for profiles exist, unlike MySpace, there’s significant potential for embarrassment and even calamity for college or career prospects for those who aren’t wary about posting photos or blog entries that don’t put them in a good light, to put it mildly. PR professionals and marketers would do well to consider the advice of social media gurus. And, as neighborhood applications crop up, there are also alarming security concerns regarding personal safety and property, given that clever criminals can work out where and when individuals are away.

While much of the value of joining these networks can be found in keeping in touch with friends and alumni — and making new ones from within that social network — the amount of information that many people are adding to their profiles has also been identified as a valid phishing risk, with significant potential for social engineering hacks that allow access to corporate networks.

What to do? As is the case with the rest of the Web-based applications that have made their way into enterprise and personal desktops alike (users keep outwitting IT when installing consumer apps, apparently), the key is likely to be adaptive security policies that recognize the increasingly blurred boundaries between work and personal life while respecting both the bandwidth limitations high usage may inflict upon a network and the need to limit the leak or theft of potentially damaging proprietary or personal data. No one is suggesting that developing, implementing or enforcing such a policy is easy, but the consequences of failing to try may extend well beyond a public relations disaster for the organization or individual who doesn’t consider Facebook to be a risk.

There is also no shortage of critics who view the closed nature of Facebook with some distaste — “yet another profile to populate” is a new form of fatigue in the digital age. Personal data portability may become an online movement. It’s certainly been the inspiration for a business plan or two. The founder of LiveJournal, for instance, has published a mini-manifesto for portable, open social networking, according to Mashable. (It may help that Google appears to be backing him.) Other observers have noted that Facebook hasn’t been proven to be a rewarding platform for advertisers yet either, though the model is still evolving, as described in this excellent article from Business.com, the Facebook Economy.

In the meantime, I’ll enjoy watching classmates and friends pop up on Facebook; lest you wonder, you can find me there as well. Be warned: I’m sticking with adding friends, coworkers and neighbors, lest I develop social networking fatigue myself.


Jul 5 2007   5:56PM GMT

Hacker or cracker?



Posted by: Ivy Wigmore
commentary, hacks, conversation, hacking, controversy, word meanings

Throughout the years I’ve been writing and editing on WhatIs, I don’t think there’s been another issue that’s cropped up as often or been as gnarly to try to settle as the question of whether a person who attacks computers and networks is a hacker or a cracker.

Just about everyone but the serious geeks uses hacker to mean an attacker, but anytime we do we get notes from readers to the effect that a malicious hacker is a cracker and a hacker is just someone with mad computer skills. Furthermore, they feel that we should be upholding proper usage and not letting standards slide. On the other hand, when we’ve used “cracker,” we often get notes asking if we don’t mean “hacker” and suggesting that we might want to think about using the same term everyone else does.

I’ll admit I’ve often tried to skirt the issue by using “attacker.” But the time comes when an editor has to take a stand. Especially in the wake of several years of wishy-washy, indeterminate indecision. So. Decision time. Let’s see what everyone else says…

Wikipedia has a fairly extensive entry for hacker. The article starts out by defining a hacker as “a person who illegally breaks into computer and network systems” but links to a better page for hacker definition controversy.

Alpha hacker Eric S. Raymond weighs in authoritatively on the topic in his article, How to become a hacker:

There is another group of people who loudly call themselves hackers, but aren’t. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn’t make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

There’s much more in Raymond’s FAQ-style article, including:

The Hacker Attitude
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.

On the other hand, you can also find support for the use of hacker as a synonym for cracker. According to wordorigins.org, that usage goes back to the November 20, 1963 issue of The Tech, the M.I.T. student paper, where it was used to refer to breaking into the phone system:

There are those that claim that hacker should not mean someone who maliciously invades computer systems, and that it really means someone proficient in computer use. But this is not the history of the term. Hacking from its beginnings at M.I.T. has always been associated with using technology to subvert institutional systems for personal use. Besides, the meanings of words are determined by usage, not etymology. So if people use hacker to mean someone who breaks into computer systems, that’s what it means.

So, the way I see it, there are a number of fairly compelling arguments for either side, chief among them being:

  • Eric Raymond says a hacker is defined by skill and good intention. And everybody loves Eric Raymond.
  • The earliest reference to skill-based, non-malicious technology hacking that I could find traces it back to ham radio operators in the fifties, predating the MIT paper cited on wordorigins.
  • However, as wordorigins correctly points out, common use is what drives definition. So if people use hacker to mean cracker, eventually that’s what it will mean.
  • And yet… cracker is unambiguous. If one uses cracker in this context, people get it. So if we use “hacker” to mean a highly computer-literate geek and “cracker” to mean an attacker of whatever skill level…

Sigh. ‘Round and round and round it goes. I’m just not sure. I’d love some input. What do you think? ~ Ivy Wigmore