The Weak Link in Computer Security

People often talk about the inherit lack of security in Microsoft Windows and Internet Explorer. Very seldom does anybody talk about the weakest link in computer security, the users. In the latest Pwn2Own contest, a contest where participants attempt to break into various computers to win them, 64-bit Windows 7, Mac OS X, and even the iPhone all fell. But there was a common theme running here, none of the systems feel to a direct attack.

All the hacked systems were broken into via exploits in their web browsers. Internet Explorer 8 and Firefox 3.6.2 were used to break into the 64-bit Windows 7 systems while Safari was used to break into both Mac OS X and the iPhone. Each browser was broken into by crafting a malicious web page and have the users of the system navigate to it.

But once again none of the systems at this contest were broken into without the need for human interaction. This brings up the fact that human beings are now the main component being attacked (Granted it’s been like this since the dawn of computers). The only way to protect yourself is through education. Do not click on random links that people send you regardless if you known them or not. It’s a simple thing to learn really but the motto in security is trust no one and you should follow that slogan when on a computer.

Danger of The Census

As everybody knows the United States Constitution requires the population of the United States be recorded every ten years. This is done by the Census Bureau and many of us are angry that they ask questions beyond what is constitutionally requires. Of course we’re called paranoid and asked what danger could possible exist by answering the other questions. Well that extra information has been used before to persecute a group of Americans.

The article talks about what happened shortly after the bombing at Pearl Harbor:

In the 1940 Census, the Census Bureau loudly assured people that their responses would be kept confidential. Within four days of the attack on Pearl Harbor, the Census Bureau had produced a report listing the Japanese-American population in each county on the West Coast. The Census Bureau launched this project even before Congress declared war on Japan. The Census Bureau’s report helped the US Army round up more than 100,000 Japanese-Americans for concentration camps (later renamed “internment centers”).

Yup that extra “harmless” information in the Census helped the United States Army to round up a group of “undesirables.” If something has happened before it can happen again. People need to remember every time government tries to gain more information about you they will inevitably use it against you.

Back in Free America

Well ladies and gentlemen I’m back in Minnesota. I was in New York on business and let me tell you I missed my carry piece. It felt good to strap that Glock 30 back onto my hip.

I’m sorry for the lack of updates but the Internet connectivity I had available wasn’t great. Many sites, including my own blog, were timing so I couldn’t post new stories. Likewise since I mentioned HotSpot VPN previously I would like to make a note that I was unable to get IRC to work while connected to their service. I’m not sure if it was related to lag or if they block IRC traffic but either way I wasn’t dreadfully happen about that.

In the time I was away it appears one major news item happened and that was the passing of the health insurance (It’s not care because the government isn’t doing anything there) “reform” bill. I haven’t said much about this on here because this is one of those items that I haven’t chosen to follow much. Yes it’s important since now the federal government has asserted even more control over our lives but I only have a limited amount of time in a day and hence I chose my items to follow carefully. Not to mention it was getting wall to wall coverage everywhere else and I knew it was going to pass after Obama started bribing offering deals to politicians in exchange for a yes vote. Anyways it’s through, I’m pissed about it, whatever.

The real issue though is the fact I’m a bit behind on gun news. I’m not sure if anything major happened in the gun rights arena or not but I’m going to find out. On a side note I’m most of the way through a new novel titled Daemon by Daniel Suarez (No worries it’s not an affiliate link). It’s a great title and when I’m finished I’ll do a little write up about it. Needless to say you should check it out.

Updates are probably going to remain slow for a day or two yet while I get back into the swing of things.

Nice VPN Service

Since I travel once in a while for my job I find myself in locations where a secure network can’t be ensured. My phone does have tethering software on it so I often use it but it’s slow and has issues getting disconnected at random intervals.

Thankfully this day and age wireless networks are everywhere. Hotels, Starbucks, airports, etc. But these networks are not secure and should be considered hostile at all time. This was the reason I looked into the previously mentioned Wi-Fi device that could connect to 3G cellular data networks. Of course as I previously stated they wanted a contract and honestly the devices are far more expensive than I could justify since I only really need such a device a few times a year.

That meant either continue using my unreliable phone tethering or use hostile wireless networks. Hostile wireless networks can be used securely though through a protocol called Virtual Private Networking (VPN). VPN is a mechanism where you connect to a remote VPN server. The VPN server acts as a proxy which all your traffic is sent to and from there is sent to its actual destination on the Internet. The key here is all VPN traffic is encrypted so other people on the same network can’t see what you’re doing. So even if you’re connected to an insecure wireless network you can encrypt all your traffic by sending it through a VPN connection.

Most companies that send people around the country provide a VPN connection for their employees. Mine is no exception but I thought I’d try an experiment and see what solutions I could find for those traveling and not having a company provided VPN service available to them.

The easiest, cheapest, and most secure (In the form of privacy of your traffic) method of using a VPN is to set a server up at your home. This way you can remotely connect to your home network through the VPN. Unfortunately for me this is impossible since I live in an apartment complex that also provides me service as an ISP (It’s free so I don’t argue). The downside is this ISP also routes all my traffic through their firewall meaning I can’t actually connect to any of my computers there remotely. Due to this fact I decided to look at using Amazon’s EC2 service to setup a VPN server. Overall it would be a good idea but it’s kind of pricey since Amazon charges you for the number of hours your EC2 instance is running.

Finally I looked into a service mentioned by Leo Laporte on This Week in Tech quite a few times call HotSpot VPN. HotSpot VPN is simply a service that sells VPN connections. It’s not a secure as using a server setup at your home since all your traffic does get routed through their VPN server. But it’s a damned side better than being on an insecure network since HotSpot VPN as a reason to maintain your privacy, money (Granted that’s absolutely no guarantee and in the security business the phrase is trust no one. But security is also a balance between having secure systems and convince.).

What I like about HotSpot VPN is you can but a yearly subscription, monthly subscription, or a few days worth if you only travel sporadically like me. For this test I bought a three day pass for something around $5.88. That’s pretty cheap and well worth it in my book. Setup in Mac OS is simple (I’m not sure about other operating systems since I’ve not done much with VPNs in them) and requires you only enter your e-mail address for the user name and the password they e-mail you. It’s working great on this hotel wireless network and isn’t dropping my connection constantly like my phone does. I tested it on my home network before taking it out into a hostile environment and the data is encrypted so other people listening on the network aren’t going to be able to see what you’re doing it. Speed is so-so since all your data has to go to their servers and then to its destination but tethering my phone always yields even slower connections.

Overall I think it’s a good service for those who travel, don’t have a company provided VPN connection, and are unable to setup a VPN server at their home. There isn’t much else to say about it since it’s a pretty straight forward service that performs and straight forward feature.

Also since this is a review I need to give the FCC required disclaimer. The FCC can go sodomize itself with a retractable baton. That is all.

Some Scary Stuff Going Down in Wisconsin

The NRA just threw out an alert for those of you in Wisconsin. Two anti-gun pieces of legislation have been introduced. I haven’t read through them as of now but here is what they apparently cover:

* Require that all firearm transfers be conducted through a federally licensed dealer except to family members. That means if you wanted to sell your firearm to a friend, you would have to find an FFL and pay whatever transfer fees they felt appropriate.

* Go WAY beyond federal restrictions for firearm possession and prohibit individuals convicted of misdemeanors. This provision is a blatant constitutional violation. In Heller v. D.C., the ruling states that only felony convictions are justified in restricting this constitutionally guaranteed right.

* Also require that all firearms transfers be reported and all guns registered into a centralized database.

* Establish no limitations on who would have access to this database.

So those of you across the Mississippi from me may want to get on the horn with your representatives.

I Hate the TSA as Much as Anybody But Come On

OK I hate the TSA just as much as everybody else, possibly more. But after seeing a story on Dvorak Uncensored I have to call bullshit. Let’s see if you can find what’s wrong with this story. The story is titled, “Child rape charge rocks TSA.” Here is the story opener:

A Transportation Security Agency worker who pats down members of the flying public was charged with multiple child sex crimes targeting an underage girl yesterday.

The bust outraged privacy and passenger advocates who say it justifies their fears about Logan International Airport’s full-body scanner.

So what do you think happened? If you answered the TSA agent used his authority to take a child to the back interrogation room and raped the child you would be completely incorrect. Here is what happened (Buried towards the end of the article):

The 14-year-old victim watched a movie at his house, Okeeffe said. She said during the film, he massaged the victim’s thigh and touched her under a blanket, then during the February school vacation the girl stayed at his house with his daughter.

So what’s the point of this article? The huge majority of the article makes a big fuss about the fact that the TSA have naked body scanners attended by agents. It makes a huge fuss about one of these TSA agents being a pedophile. But the fact the perpetrator was a TSA agent is COMPLETELY irrelevant here since everything he did was done at HIS house not the airport. At no point was any evidence brought forth stating he made initial contact with the child at the airport or through his “authority” as a TSA agent. In fact the kid was apparently friends with his daughter. Yes instead of focusing on the crime it’s made into a hit piece about the TSA.

I hate the TSA with a passion. The entire organization is nothing more than security theater run by people given a badge and just enough authority to feel they can toss people around. But this hit piece is fucking stupid. It’s akin to making a hit piece about a police department because on of the officers committed a crime off company time and at his place of residence and didn’t in any way use his position or authority to commit the crime. The fact that a man committed statutory rape and was also a TSA agent are completely irrelevant. Yes the article focuses almost exclusively on the fact the person was a TSA agent and purposely misleads you to believe the crime happened at the airport. Finally the fact that the crime happened at the agent’s house is briefly mentioned in the second to last paragraph. Fuck!

Oh and since I’m on a rant I might as well point out the following bloody obvious:

TSA spokeswoman Ann Davis said Shanahan had passed two background checks, neither of which picked up any record that would prevent him from getting a job.

That’s right background checks don’t determine if you’re going to commit a crime, only if you have committed a crime and got caught. But Dippity Dipshit says:

“It’s a huge, huge issue,” said Kate Hinni of “The TSA needs a complete overhaul… If you have a pedophile looking at those naked pictures, they’ve got all your information, it’s a gross violation of their authority…. They should make sure none of them is corrupted in any deviant sexual manner.”

So how in the Hell are those hiring TSA agents suppose to make sure any applicant isn’t corrupted in any deviant sexual manner? Answer me that. What you don’t have an answer? Maybe that’s because it’s fucking impossible. This article is just full of stupidity from start to end.

Dear Microsoft Please Copy Good Features And Ignore Bad Ones

I mentioned earlier this week that Microsoft was eliminating multi-tasking from Windows Phone 7 Series Ultimate Extreme Wordy Name That Makes No Sense. Well the guys over at Engadget have audio recorded proof of no multi-tasking and better yet no copy and paste. It seems Microsoft’s whole idea behind their new phone operating system with a horrible name was to copy everything bad Apple did with the iPhone.

I know I’m a niche users in that I want a phone that allows me to listen to music, download a file from a website, have an open SSH connection to another system, and have an application monitoring wireless traffic but come on. Now Microsoft will allow their own software to multi-task on the device much like Apple allows their included software to multi-task. But lowly third party developers will not be granted such permission from Microsoft.

When did people decide that their smartphones need to be less powerful? Even my Palm Treo 755p can do some basic multi-tasking and Palm OS isn’t even officially capable of multi-tasking. But that’s fine with me since Palm OS was developed back in the day when multi-tasking wasn’t feasible due to the lack of power in handheld devices (The first Palm Pilot had a 16Mhz processor and 128 KB of RAM which was used to both run applications and store them). But phones today have plenty of power on board. WebOS shows multi-tasking on a phone isn’t difficult nor impossible. Android can multi-task as can a Blackberry. We should be looking for more power and functionality in our devices not less.

Also is copy and paste really that difficult? Seriously my Palm OS based PDAs could do that! Even the iPhone can do it now. There are plenty of times where I want to copy an exert from a web page and paste it into a document elsewhere.

Why is it these new fancy phones have less capabilities than my phone released almost three years ago that is based on an operating system (Palm OS 5) released almost eight years ago?