Thursday 26 July 2007

(Via Bruce Schneier.) I'm really not sure what to make of this, or what, actually, they're selling:

Thursday 26 July 2007 18:51:59 UTC
Friday 26 January 2007

Via Talking Points Memo, this reminder that on the Internet, nobody knows you're a dog...but they do know what terminal you're using:

In late August, someone with an IP address that originated from the National Institutes of Health drastically edited the Wikipedia entry for the National Institute on Drug Abuse, which operates within NIH. Wikipedia determined the edit to be vandalism and automatically changed the definition back to the original. On Sept. 18, the NIH vandal returned, according to a history of the site's edits posted by Wikipedia. This time, the definition was gradually changed, presumably to avoid the vandalism detector.

People forget about this quite a bit. To fetch a Web page, your browser sends a request to a Web server, and for the server to respond it has to know where to send the page; ergo, every request carries your source IP address, and the site can look that address up (WHOIS, reverse DNS) and learn which network it came from and, often, which organization owns it. That is not quite "who you are": an address behind an institution's proxy or NAT identifies the institution, not the person at the keyboard, which is exactly the granularity at work here. Wikipedia records the address of every anonymous edit and uses this simple fact to help judge the value of contributions. In this case, it worked perfectly.
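To make the point concrete, here is an added example (mine, not Wikipedia's code or anything from the article) that does the attribution step a site operator would do: pull the source address out of each access-log line, match it against the netblocks of known organizations, and count edit submissions per organization. The netblocks, the log lines and the `action=submit` URL shape are all constructed for the example; real attribution would use the RIR WHOIS data for the address.

```python
import ipaddress
import re
from collections import Counter

# Constructed example netblocks (documentation ranges, not real allocations):
# organization name -> CIDR ranges it owns.
NETBLOCKS = {
    "example-institute": [ipaddress.ip_network("198.51.100.0/24")],
    "example-isp":       [ipaddress.ip_network("203.0.113.0/25"),
                          ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed access-log lines in Apache combined format (sample data, not a real log).
SAMPLE_LOG = """\
198.51.100.23 - - [18/Sep/2006:14:02:11 +0000] "POST /w/index.php?title=Example&action=submit HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.77 - - [18/Sep/2006:14:03:45 +0000] "GET /wiki/Example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Sep/2006:14:05:09 +0000] "POST /w/index.php?title=Example&action=submit HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.9 - - [18/Sep/2006:14:06:00 +0000] "POST /w/index.php?title=Example&action=submit HTTP/1.1" 302 0 "-" "curl/7.15"
2001:db8:1::42 - - [18/Sep/2006:14:07:30 +0000] "GET /wiki/Example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Only the fields this example needs: client address, method and request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def attribute_ip(ip_text):
    """Return the organization whose netblock contains ip_text, or None.
    Handles both IPv4 and IPv6; malformed input attributes to nobody."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for org, nets in NETBLOCKS.items():
        if any(addr in net for net in nets):
            return org
    return None


def edits_by_org(log_text):
    """Count edit submissions (POST with action=submit) per attributed organization.
    Addresses outside every known netblock are counted as 'unattributed'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("method") != "POST" or "action=submit" not in m.group("path"):
            continue
        counts[attribute_ip(m.group("ip")) or "unattributed"] += 1
    return counts


if __name__ == "__main__":
    for org, n in edits_by_org(SAMPLE_LOG).most_common():
        print(f"{org}: {n} edit(s)")
```

Two things this shows that the paragraph only implies: the match is against a network, so every machine behind the institute's proxy lands in the same bucket, and a slow, gradual edit campaign like the one in the quote is still visible here because the attribution does not depend on any one edit looking like vandalism.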

Friday 26 January 2007 14:17:47 UTC
Thursday 25 January 2007

Security expert Bruce Schneier finds some cases of appropriate and helpful security theater:

Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.
Thursday 25 January 2007 14:30:34 UTC
Sunday 7 January 2007

The New York Times picked up the ongoing story of botnets, networks of computers that spammers and other miscreants have taken over:

According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers' customers had been woven into a giant network, with a single control point using them to pump out spam.

Users, ISPs, users, software vendors, and users contribute to the problem:

Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely.

Note that Winkler's computer probably ran slowly because it had already gotten infected, and the ISP's security software had a lot of work to do because of this.

At least with the Times picking up the story, perhaps more people will notice.

Sunday 7 January 2007 13:47:54 UTC
Thursday 14 December 2006

Bruce Schneier today posted a fascinating (and, in a way, sad) analysis of passwords gleaned from a MySpace phishing attack:

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long.

If you want to be as secure as possible, however, you should check out Schneier's own Password Safe (free download). I swear by it.

Thursday 14 December 2006 16:02:26 UTC
Friday 3 November 2006
We are now rebuilding the next-to-last server in our great infra-restructure project. Since the first step in blowing away a server is to restart the server, I got the Windows Server 2003 Shutdown Event Tracker, the "why are you doing this to me?" dialog box, which makes you type a reason for the restart and writes it to the System event log. Now, the comment I wrote has ceased to exist, because the System log lived on the system partition I then reformatted; so what was the purpose of this comment?
Friday 3 November 2006 20:55:50 UTC

Rebuilding an entire set of servers is tedious. I'm now in the phase of working out the minimum set of permissions each of my Web applications actually needs. This involves testing a feature, finding out that Windows Server 2003 R2 has blocked it, looking at the event log to see exactly which object and which access was refused, loosening that one setting the tiniest bit to fix it, rinse and repeat.
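The loop above is the classic way to derive a least-privilege ACL from a deny-by-default start: every round, the event log tells you the next thing the application tripped over, and you grant exactly that and nothing wider. Here is an added example of mine (not code from this blog, and not the Windows security API) that models the loop so the two properties worth checking come out explicitly: it converges, and the final ACL contains only rights the application actually exercised. The feature list, the paths, the `IIS_WPG` account and the one-line `FAILURE Object=... Accesses=...` rendering of a failure audit are all constructed assumptions; a real Security log entry has more fields and a different layout.

```python
import re
from collections import defaultdict

# Constructed sample of what the application does: ordered object accesses per
# feature, as (account, object, access right). The paths and the IIS_WPG account
# are illustrative assumptions, not taken from the post.
FEATURES = {
    "render page": [
        ("IIS_WPG", r"D:\inetpub\app\web.config", "ReadData"),
        ("IIS_WPG", r"D:\inetpub\app\Default.aspx", "ReadData"),
    ],
    "upload file": [
        ("IIS_WPG", r"D:\inetpub\app\web.config", "ReadData"),
        ("IIS_WPG", r"D:\inetpub\app\uploads", "WriteData"),
        ("IIS_WPG", r"D:\inetpub\app\uploads", "AppendData"),
    ],
    "compile view": [
        ("IIS_WPG", r"C:\Windows\Temp", "WriteData"),
    ],
}

# Simplified, constructed rendering of a failure-audit record (assumption: real
# Security-log entries carry more fields and a different layout).
AUDIT_RE = re.compile(
    r'^FAILURE Object=(?P<obj>.+?) Account=(?P<acct>\S+) Accesses=(?P<acc>\S+)$')


def run_features(acl, features):
    """One test pass. Each feature stops at its first denied access, the way a
    real request fails, and reports a single failure-audit line for it."""
    audits = []
    for steps in features.values():
        for acct, obj, access in steps:
            if access not in acl.get((acct, obj), set()):
                audits.append(f"FAILURE Object={obj} Account={acct} Accesses={access}")
                break
    return audits


def minimal_grants(audit_lines):
    """Aggregate audits into the narrowest grant: per (account, object), only
    the union of the access rights that were actually refused."""
    grants = defaultdict(set)
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        if m:
            grants[(m.group("acct"), m.group("obj"))].update(m.group("acc").split(","))
    return grants


def apply_grants(acl, grants):
    """Return a copy of the ACL with the grants added; nothing else is touched."""
    new_acl = {k: set(v) for k, v in acl.items()}
    for key, rights in grants.items():
        new_acl.setdefault(key, set()).update(rights)
    return new_acl


def derive_least_privilege(features, max_rounds=20):
    """Deny by default, then loosen one audited right at a time until every
    feature runs clean. Returns the ACL and the number of rounds it took."""
    acl = {}
    for rounds in range(max_rounds):
        audits = run_features(acl, features)
        if not audits:
            return acl, rounds
        acl = apply_grants(acl, minimal_grants(audits))
    raise RuntimeError("features still failing after %d rounds" % max_rounds)


def excess_rights(acl, features):
    """Cross-check after loosening: rights in the ACL that no feature ever used.
    Anything here means a change was wider than the audit asked for."""
    needed = {(a, o, r) for steps in features.values() for a, o, r in steps}
    return {(a, o, r) for (a, o), rights in acl.items() for r in rights
            if (a, o, r) not in needed}


if __name__ == "__main__":
    final_acl, n = derive_least_privilege(FEATURES)
    print(f"converged after {n} rounds")
    for (acct, obj), rights in sorted(final_acl.items()):
        print(f"  {acct} {obj}: {', '.join(sorted(rights))}")
    print("excess rights:", excess_rights(final_acl, FEATURES) or "none")
```

The number of rounds equals the longest chain of blockers in any one feature, which is why the real process feels so slow: each test run only exposes the next denial. The `excess_rights` check is the part people skip when tired; it catches the "just give it Full Control on the folder" shortcut.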

So, this isn't a real post. It's just a test of the blog engine. Or...maybe it's both...

Friday 3 November 2006 14:08:12 UTC
Wednesday 1 November 2006
We've now got our new application server running, and we're moving all of our Web applications over. The new server uses Windows Server 2003 R2, which has tighter security than the previous version, and that has slowed us down a little bit.
Wednesday 1 November 2006 17:47:43 UTC
Tuesday 3 October 2006

CNet raises an interesting problem: what happens if you die without telling anyone your passwords? It could be a real problem for your heirs:

"He did not keep a hard copy address book. I think everything was online," said [San Francisco poet William] Talcott's daughter, Julie Talcott-Fuller. "There were people he knew that I haven't been able to contact. It's been very hard."
"Yahoo (his e-mail provider) said it wouldn't give out the information due to privacy laws, but my dad is dead so I don't understand that," she said.

One solution is to use a secure password store, like Bruce Schneier's Password Safe, and then put the master password in trusted escrow: a safe-deposit box or your attorney's office. If you'd rather not hand any single party the whole secret, split it with a threshold scheme so that, say, any three of five trusted people can reconstruct it while any two learn nothing at all. Either way you'll have to keep the escrowed copy current, because you'll change your master password at least every three months, right?
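For the split-escrow variant, here is an added example of mine (not from the post, and not Password Safe code) implementing Shamir's threshold secret sharing over a prime field: the master passphrase becomes the constant term of a random polynomial, each holder gets one point on it, and any `threshold` points interpolate back to the constant term. The passphrase and the holder names are constructed; the field prime is 2^521 - 1, a Mersenne prime, so passphrases up to 64 bytes fit.

```python
import secrets

# Field prime: 2**521 - 1 is a Mersenne prime, so any secret of up to 64 bytes
# is a valid field element.
P = 2**521 - 1


def _poly_at(coeffs, x):
    """Horner evaluation of the polynomial with coefficients coeffs at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split secret into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    recover it; fewer reveal nothing, because the missing coefficients are
    uniformly random."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too long for the field (max 64 bytes)")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the shares at x = 0 to get the constant term back."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    # With too few shares the result is an unrelated field element that usually
    # does not even fit in `length` bytes; size the output to whatever came out
    # instead of raising, so callers can see the garbage for themselves.
    n = max(length, (total.bit_length() + 7) // 8)
    return total.to_bytes(n, "big")


if __name__ == "__main__":
    # Constructed sample passphrase; not anyone's real master password.
    master = b"example master passphrase (constructed)"
    holders = ["daughter", "attorney", "safe-deposit box", "brother", "executor"]
    for holder, share in zip(holders, split_secret(master, 3, 5)):
        print(f"{holder}: x={share[0]} y={share[1]:x}"[:60] + "...")
```

The shares are what you escrow, one per holder, together with the threshold; the passphrase itself never sits in any one place. Changing the master password means re-splitting and redistributing, which is the same upkeep problem the post points at, just spread across several people.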

Tuesday 3 October 2006 13:38:17 UTC
Monday 25 September 2006

I've been helping a client get a custom database application working for a while. The previous vendor never quite completed it, then got testy when the client brought me in.

There are two unbelievably bad things about the vendor's data design that I want to share.

Monday 25 September 2006 15:39:21 UTC
Friday 8 September 2006

I just found out about a server crash at a friend's old company. It seems one of the staff members sent a 2.7 MB graphics file (wrapped in a PDF, wrapped in a MIME email) to 900 people. For some reason, that crashed the Exchange server: delivering it generated 8.5 GB of transaction logs in just under 20 hours, which filled the system drive, which brought the entire server down. At last report, a consultant had cleaned out the transaction logs and most of the message queues, but Exchange was still retrying some of the addresses. (Exchange's transaction logs belong on their own volume for exactly this reason; a log flood should never be able to take the operating system down with it.)

This problem was, therefore, between chair and keyboard. Whose chair and whose keyboard is difficult to tell.

Friday 8 September 2006 23:04:41 UTC
Tuesday 15 August 2006

I wonder what spammers are actually thinking almost as much as I wonder why they bother me.

I've had a blog-spam problem for about three weeks now targeting my referral logs. Spammers run robots that browse the blog as if they were people, but each request carries a forged Referer header pointing at a gambling site, so those URLs show up in my referral logs. Some blogs publish their referral logs as pages, and Google and other search engines index those pages, so the theory is that the referral spam generates a lot of inbound links to the gambling sites and drives up their search rankings. Sadly for all concerned, this doesn't actually happen; Google is too smart.
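Since a forged Referer is the whole trick, the log itself is enough to catch most of it. Here is an added example of mine (not this blog's engine) that reads Apache combined-format lines and flags referring hosts two ways: a keyword match on the host name, and a behavioural check that a real click-through is followed by the browser fetching the page's stylesheet and images while a referral bot only ever hits the page. The log lines, the blog's own hostname and the keyword list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines in Apache combined format (sample data, not a real log).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Aug/2006:10:01:02 +0000] "GET / HTTP/1.1" 200 9120 "http://search.example.org/?q=blog" "Mozilla/5.0"
192.0.2.10 - - [15/Aug/2006:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 1220 "http://blog.example.net/" "Mozilla/5.0"
198.51.100.5 - - [15/Aug/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 9120 "http://best-online-casino.example/" "Mozilla/4.0"
198.51.100.6 - - [15/Aug/2006:10:02:01 +0000] "GET / HTTP/1.1" 200 9120 "http://best-online-casino.example/" "Mozilla/4.0"
198.51.100.7 - - [15/Aug/2006:10:02:02 +0000] "GET /archive/2006.aspx HTTP/1.1" 200 7000 "http://best-online-casino.example/" "Mozilla/4.0"
203.0.113.9 - - [15/Aug/2006:10:03:00 +0000] "GET / HTTP/1.1" 200 9120 "http://cheap-poker-chips.example/" "Mozilla/4.0"
203.0.113.9 - - [15/Aug/2006:10:03:05 +0000] "GET / HTTP/1.1" 200 9120 "http://cheap-poker-chips.example/" "Mozilla/4.0"
203.0.113.9 - - [15/Aug/2006:10:03:10 +0000] "GET / HTTP/1.1" 200 9120 "http://cheap-poker-chips.example/" "Mozilla/4.0"
198.51.100.20 - - [15/Aug/2006:10:04:00 +0000] "GET / HTTP/1.1" 200 9120 "http://link-farm-xyz.example/" "Mozilla/4.0"
198.51.100.21 - - [15/Aug/2006:10:04:01 +0000] "GET / HTTP/1.1" 200 9120 "http://link-farm-xyz.example/" "Mozilla/4.0"
198.51.100.22 - - [15/Aug/2006:10:04:02 +0000] "GET / HTTP/1.1" 200 9120 "http://link-farm-xyz.example/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

OWN_HOSTS = {"blog.example.net"}          # assumed hostname of this blog
SPAM_WORDS = ("casino", "poker", "gambling", "betting")
ASSET_SUFFIXES = (".css", ".js", ".gif", ".png", ".jpg", ".ico")


def referrer_spam(log_text, min_hits=3):
    """Return {referring_host: [reasons]} for hosts that look like referral spam.
    'keyword': host name matches the deny-list words.
    'page-only': at least min_hits hits, and none of the client addresses that
    arrived from this host ever fetched a page asset, which a browser would."""
    per_host = defaultdict(lambda: {"hits": 0, "ips": set()})
    ip_loaded_asset = defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ref = m.group("ip"), m.group("path"), m.group("referer")
        if path.lower().endswith(ASSET_SUFFIXES):
            ip_loaded_asset[ip] = True
        host = urlsplit(ref).hostname if ref and ref != "-" else None
        if not host or host in OWN_HOSTS:
            continue                      # internal navigation, not a referral
        per_host[host]["hits"] += 1
        per_host[host]["ips"].add(ip)
    flagged = {}
    for host, info in per_host.items():
        reasons = []
        if any(word in host for word in SPAM_WORDS):
            reasons.append("keyword")
        if info["hits"] >= min_hits and not any(ip_loaded_asset[ip] for ip in info["ips"]):
            reasons.append("page-only")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in sorted(referrer_spam(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(reasons)}")
```

The keyword rule is cheap but only catches what the spammer names honestly; the page-only rule is what catches the link farm with an innocuous name, and it is also the rule that a bot would have to spend real requests to defeat, which is the point.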

Then there's comment spam, like this thoughtful thing I got from a visitor in India this morning:

Remember to let her into your bedbug, then you can start to make it partial.
I don't care about Christopher Fargis, he is vivid, pubescent, and anatomic and I am not going to refracture about it. Dyno-blast Jason Chan hunch our lettering. Our hydraulic corer guard a specious otherness Sammy Schenker is a scornful chelicera? Then Mazen Nesheiwat skyjacks a blurriest nunnery. We will commend on the glitter; we will generalize on the commissure; we will never flick.
My to go cardiograph overconcentrates in the hole. Harmonic Airy Phanhyaseng lip the ambidexter. Therefore unless Gerald Cheatham solemnify Minh Nguyen, she westernize my fattiness but disvalue him

The trick here is that someone is monitoring the spammer's email address, and the subject of the spam comment suggests that anyone emailing the spammer will get information about a gambling site.

Some actual person had to enter the comment, though. The IP address of the comment shows that actual person to be in India, where I can only assume he or she was paid a few cents to copy the nonsense into the comment and submit it to the blog.

It's sad, really. But, in an absurd way, interesting poetry.

Tuesday 15 August 2006 11:32:49 UTC