Memoirs of a Roadie

Let Me In

Posted on 3rd April 2008

The problem with those that get high and mighty about username/password site logins, is that they often use examples where you really do want some degree of protection, not from yourself, but from others. Of the 16 Account Design Mistakes listed in Part 1 and Part 2 by Jared M. Spool, most include good ideas for developers, however, some use examples where the sites are quite right to be obscure.

Take #13 "Not Explaining If It's The Username or Password They Got Wrong", then proceeding to hold up Staples and American Express as the worst offenders. I'm sorry but if I have accounts with companies like that, then there is no way on earth I want them giving hints to crackers whether they got my username or password wrong. Those kinds of sites contain VERY sensitive personal information, not least of which is your credit card information. If Jared is that eager to share his financial information, I'm now wondering if he publishes it on his personal website. Could it be that perhaps the very security he ridicules actually protects him from identity theft?

Another is #16 "Requiring More Than One Element When Recovering Password", where a company requires some form of additional account information other than just your email address. Again this is a company that holds your credit information and by the sound of it some very personal information (such as my phone number). Does Jared post his personal phone number on his website? I doubt it as I assume he doesn't want all and sundry knowing it, thus exposing him to more identity theft.

Don't get me wrong, Jared does list some good thoughts about username/password site logins, but the context in which he uses to ridicule some sites and companies is grossly misplaced. The problem is that the author often thinks only in terms of making life easier for themselves, forgetting that you can also make it easy for those of a more malicious nature too. In all, or possibly nearly all, sites that I have a login for, the login is there to protect my account on the site from abuse. I know there are sites out there that only provide customisations with your login, but I don't use them. Even those that don't contain personal information, I would not want anyone to hack in to. If you're happy to make it easy for some one to login to your blog account and post spam, abusive or malicious content, then fine, make it easy. For the rest of us, we'd rather have some form of protection on the account that makes it a little harder for others to get through.

From Russia Infected

Posted on 6th March 2008

Yesterday MessageLabs got a mentioned on the BBC News site, under the title of Infective Art. The Metro Newspaper in the UK also ran with the story, Cyber crime art revealed.

I'm currently touring the UK with a presentation entitled Understanding Malware, which takes the six types of malware, and using the MessageLabs "Know Your Enemy" campaign images, explains a little more about what they are. The presentation has gone down very well so far and there have been some healthy discussions afterwards, with attendees trying to understand how we can get better at getting rid of malware threats from the inbox. It's unlikely to happen altogether any time soon, but with companies like MessageLabs on the case we are making it harder for the malware to get through.

I shall be taking the presentation to more parts of the UK, so if you have a user group that might be interested, please feel free to get in touch and invite me along. Note that the presentation is not a programming language or operating system talk, and is more about technology and social engineering. I shall be submitting it to LUGRadio Live, YAPC::NA and YAPC::Europe this year, so if I don't make it to your local user group, hopefully you'll be able to make one of those conferences. As an added bonus I also have some freebie giveaways for anyone who can answer the questions during my persentation, courtesy of MessageLabs :)

Do You Remember Rock 'n' Roll Radio?

Posted on 20th February 2008

LUGRadio Live 2007

LUGRadio Live UK dates have been announced as the weekend of 19th/20th July.

At the moment the guys are busy preparing for LUGRadio Live USA, so expect more details for the UK event after next month. The US event will be the first time the LUGRadio experience will have been seen on such a major scale outside of the UK. The guys seem suitably excited and I'll be keen to discover if the American event has the same manic and mayhem feel as the UK event. The UK event is very definitely about getting the Linux and Open Source communities together, to hopefully provide an opportunity to meet and greet with fellow developers or just people you meet on IRC or the forums. It doesn't have that corporate feel is much more laid back, thus having a much more social nature about it than many traditional conferences. Not to diminish the value of the talks and presentations, but the atmosphere is much more conducive to discussion, questions and feedback than more formal events. For me that has perhaps more value as I like to get feedback and ideas from others and some more corporate events often don't encourage that atmosphere.

In the meantime, if you're in the US and can make it to the West Coast over the weekend on 12th/13th April, checkout LUGRadio Live USA2008 and try and get along to The Metreon, San Francisco. As a tempter, watch the video trailer created by Tony Whitmore, AV coordinator for the UK event.

I shall be at LUGRadio Live UK, although whether that's as a speaker, attendee or member of the crew remains to be seen. I'm thinking of submitting my Understanding Malware talk, but seeing as it's about an hour long, and I definitely DON'T want to be on the main stage, I'm hoping the guys will agree to hiding me in a smaller room. They guys always manage to put me up against big names (Mark Shuttleworth and Chris Di Bona for the last two years), so this might be my chance to steal some of the audience back for the little guy ;)

As I don't specifically talk about Linux stuff, but more general Open Source stuff, I've often felt a bit of an outsider as a speaker. The Malware talk is again not about Linux specifically, and some aspects are not Open Source (for justifiable reasons), but the content, particularly for anyone interested in understanding what malware is and eager to gain some very basic hints and tips to protect your inbox, it's ideal. Seeing as most of the attendance for LUGRadio are knowledgeable Linux people, I'm hoping the talk will be of interest to a wide variety of people. I've now done the talk twice, for Leicester LUG last week and Coventry LUG last night. Both presentation went down very well and generated lots of interesting discussion afterwards. Seeing as some of these guys are very clueful sysadmins and developers, as a benchmark, I think the LUGRadio audience will love it. We'll see ;)

The UK event will be returning to Wolverhampton University Student's Union, the venue for the 2006 event. Personally I liked the Lighthouse, the venue for 2007, but I know the guys got heavily criticised for a variety of issues, that meant they had to reconsider the venue for the 2008 event. The SU venue is smaller than the Lighhouse too, which might cause some problems, as I can see the event getting a bigger attendance this year. For the past 3 years the attendance appears to have been increasing anyway, but in the last year, I am noticing more and more articles, blogs and posts about LUGRadio. I just hope there is enough space for everyone.

BTW if you're attending LUGRadio Live USA2008, please take a camera and post your photos publically. My site always gets a lot of hits for LUGRadio, and I'm sure the thirst for photos for the US event will be just as popular.

This Property Is Condemned

Posted on 8th June 2007

I spotted the story of Julie Amero on the BBC News site this morning. While I'm glad there has been some sense to provide a second trial, with more appropriate evidence, I'm also disappointed that this should ever come to trial in the way it has. While I totally agree that minors shouldn't be exposed to the kind of images these sites promote, I also don't agree that a single SUBSTITUTE teacher should be held accountable in the way that she has.

Firstly she's a substitute teacher, meaning that her knowledge of the computer security systems is likely to be extremely limited at best and more likely non-existent. Did the school fully brief her on the security measures they have in place? Perhaps she should be suing the school or the state for not reasonably putting in place security measures to prevent children being exposed to this sort of thing in the first place. However, that perhaps also isn't fair, as in far too many cases the school or the local governement don't have any idea about computer security. It's why there are specialist computer security companies that are called in to investigate and secure companies and organisations.

I work for a company called MessageLabs. We work in an industry where stopping malicious content is part and parcel of the job. When you consider that in email alone we stop over 70% of mail as spam, virus, inappropriate content or illegal images and are also seeing increasing numbers within our web scanning and instant messaging serives too, computer security is a huge and very specialised business. MessageLabs are the largest company of it's kind in the world, and as such, every minute we stop hundreds of messages with the sort of payloads that would cause this kind of content to be popped up on unsuspecting computers. Are you really expecting a substitute teacher to have that level of knowledge and skill?

Part of the problem is education, and that isn't meant to be ironic. In Julie Amero's case, if the prosecution wins, then we are now expecting every single person to be accountable for ensuring every single aspect of their work environment is not going to get them arrested. By implication, we're also now stipulating that every single individual MUST be come a security expert. That ain't gonna happen. In my opinon this focus is totally misplaced. The responsibility for protection at the workplace lies solely with the employer. In this instance the school or state should have taken reasonable steps to ensure that all computer security measures were deployed to ensure that the desktop computers were adequately protected, and that their network was also appropriately protected, both from intrusion and in restricting the sites that can be viewed by any computer in the school. But whether you take action against the individual or the school or the state, you are still prosecuting the victims.

Taking a step back, the law basically stipulates that minor should not be exposed to this sort of imagery, which I agree with. However, as the law is very bad at being able to hold those truly responsible accountable, they go after easy prey. Although I do believe the law could be better written to make this sort of thing virtually disappear over night.

This kind of promotion is typically from the pornographic, gaming and drug industries. None of which a minor should be exposed to. What if the law found the owners of those sites personally accountable for the distribution of harmful matter to minors? What if institutions, such as schools, colleges and libraries, or businesses, such as internet cafes, and maybe even individuals in the right circumstances were able to prosecute the site owners? How quickly do you think that this sort of invasion would disappear? Unfortunately, those three industries are extremely big business, and can employ people to ensure that bills don't get passed that would effect them in this way. As such the justice systems become corrupt by allowing victims such as Julie Amero to be held up as a scapecoat.

I really hope that the prosecution's case fails, as otherwise the kind of precedence it will set, really isn't something I want to think about.