F-Secure on a new nasty

Something to watch out for:  From F-Secure:

Somebody has lately been seeding emails like the one pictured below.

www.thefive.us

Obviously, they are not from Symantec. And when you click the link, you end up getting redirected to a web page which will initiate an autodownload of a file called “rxBot.exe”, which is – you guessed it – a variant of the RXBot family.

A mail like this will pass most corporate email filters. There’s no attachment. There’s no masked link either, so phishing filters probably won’t detect it.

Read more here.

(Side note:  Stefan at F-Secure emailed me with a minor inadvertent error on their part — this is actually a variant of Rbot – not Rxbot, and they have a description of this naughty little thing here.)
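The point of the excerpt above is that the mail carries no attachment and no masked link, so a filter that only inspects the message body has nothing to trip on; the payload only appears after the link is followed and redirected. Below is an added example (not code from F-Secure or from this blog) of a link triage routine that does what the mail filter cannot: it applies the usual masked-link test, then walks the redirect chain with a hop bound and classifies the final hop by its Content-Disposition filename, its content type and the MZ header of the body. The mail body, hostnames and HTTP responses are constructed for the example; the rxBot.exe filename is the one the post reports, everything else is assumed.

```python
"""Added example, not part of the F-Secure post: why a mail like the one above
slips past attachment and "masked link" filters, and the check that catches it.
The mail body, hostnames and HTTP responses are constructed for this example;
the real message and redirect chain are not on the page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_HOPS = 5
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
REDIRECTS = (301, 302, 303, 307, 308)


class _LinkParser(HTMLParser):
    """Collect (href, display text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def is_masked(href, text):
    """The test a phishing filter applies: display text that looks like a URL
    or hostname but does not match the host actually linked to."""
    shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    real = urlparse(href).hostname
    return bool(shown and real and shown.group(1).lower() != real.lower())


def is_executable_drop(headers, body):
    """Recognise a forced download of a Windows executable at the final hop."""
    h = {k.lower(): v for k, v in headers.items()}
    name = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""), re.I)
    if name and name.group(1).lower().endswith(EXEC_EXT):
        return True
    if h.get("content-type", "").lower() in ("application/x-msdownload",
                                              "application/x-msdos-program"):
        return True
    return body[:2] == b"MZ"  # DOS/PE header, whatever the headers claim


def follow(url, responses):
    """Walk Location headers over a response table, bounded to MAX_HOPS.
    A live scanner would issue the requests (from an isolated host) instead."""
    hops = [url]
    for _ in range(MAX_HOPS):
        status, headers, _ = responses[url]
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in REDIRECTS or not location:
            return url, hops
        url = location
        hops.append(url)
    raise RuntimeError("redirect chain too long: %s" % " -> ".join(hops))


def triage(html, responses):
    """One verdict per link: 'masked link', 'executable drop', 'unresolved' or 'clean'."""
    verdicts = []
    for href, text in extract_links(html):
        if is_masked(href, text):
            verdicts.append((href, "masked link"))
        elif href not in responses:
            verdicts.append((href, "unresolved"))
        else:
            final, _ = follow(href, responses)
            _, headers, body = responses[final]
            verdicts.append((href, "executable drop" if is_executable_drop(headers, body) else "clean"))
    return verdicts


# Constructed mail body modelled on the one described above: a plain, unmasked link.
SAMPLE_MAIL = ('<p>Your Symantec subscription needs an update: '
               '<a href="http://update.example.test/go">http://update.example.test/go</a></p>')
# Constructed redirect chain ending in a forced download of rxBot.exe.
SAMPLE_RESPONSES = {
    "http://update.example.test/go": (302, {"Location": "http://dl.example.test/rxBot.exe"}, b""),
    "http://dl.example.test/rxBot.exe": (200, {"Content-Type": "application/octet-stream",
                                               "Content-Disposition": 'attachment; filename="rxBot.exe"'},
                                         b"MZ\x90\x00\x03\x00"),
}

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL, SAMPLE_RESPONSES))
```

A live scanner would replace the SAMPLE_RESPONSES table with real requests issued from an isolated host, keep the hop bound so a redirect loop cannot hang it, and treat a forced executable download at the end of a chain as grounds to quarantine the message even though the body itself looks clean.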

Alex Eckelberry

Seen on the web

One of our techs, Jon Petita, had this come up on a customer’s computer that was infected with adware.  Internet Explorer was not open.

I presume (hope) that the Navy marketing department is unfamiliar with the fact that ads placed through certain media companies may just land on a user’s desktop through adware.

The url for the ad is

http://banners(dot)pennyweb(dot)com/E1/C18443/ifrcr_E1_C18443-3/creative(dot)html?pw_click=http://ads(dot)addynamix(dot)com/click/2-2129370-1-18443-30018-1129732382?

Alex Eckelberry

Beta launch of the Sunbelt Underground


The Sunbelt Underground Network is now in beta.  This is a site that tries to give people a feel for what Sunbelt is like on the inside. At the Underground, you’ll find videos such as these:

Silly Putty Physics Experiment
Ever wonder what would happen if you dropped 50 lbs of Silly Putty from the 7th floor of an office building? Wonder no more as our crack team of Sunbelt Scientists take the challenge.

View Video | 2:03 | AVI – Low Res
View Video | 2:03 | AVI – High Res

See The Photos
View Photos Of The Experiment

All-Access Pass
Take a tour behind the doors of Sunbelt Software.

View Video | 16:37 | WMV

Our corporate motto is do it fast, do it right and have fun while you do it. On the fun side, Sunbelt is also famous (or infamous, depending on your take) for its Halloween get-ups.  Halloween is a BIG day at Sunbelt, and you can see some of our past Halloween pics at the site as well.

Take a look and check back on a regular basis.

Alex Eckelberry

More on the Luddites vs. Grokster ruling

Digital media analyst Phil Leigh has held a WebEx seminar on the ramifications of the Grokster ruling. The seminar is with copyright attorneys Geoff Beauchamp and Scott Patterson. WebEx here.

From his summary:

At least one of our (copyright attorney) guests today believes that the Supreme Court decision to send the case back to the District Court was essentially a directive to accept the concept of “inducement” and to hold the defendant responsible for copyright infringement.

In the future it appears that defendants accused of “inducement” will be required to show that their product is capable of “commercially significant non-infringing uses”. Unfortunately, it is unclear just what standard shall be applied to determine “commercially significant.”

Justices Breyer, Stevens and O’Connor believe that absent evidence of “active inducement” a product or service is entitled to the Sony safe harbor unless it is used “almost exclusively” to infringe copyrights. Conversely, Justices Ginsburg, Rehnquist and Kennedy regarded such a standard as providing inadequate protection for copyright owners and suggested that a more searching evidentiary inquiry be made into the actual capabilities and uses of a product or service.

Presumably the other justices stand somewhere in between. Nobody knows how Rehnquist’s replacement, Roberts, might decide and the same applies to the as yet undetermined replacement for O’Connor.

As a result, we conclude that until a “commercially significant” standard is established, the law shall pragmatically be on the side of those with the largest legal war-chest. Thus, as a practical matter, it will favor the established companies who will be able to rain lawyers on the innovative start-ups like the Biblical plagues of Egypt.

Consider, for example, that many tend to equate the term P2P as synonymous with the illegal practice of trading copyrighted files. However, it is actually a network architecture that has proven to have commercially significant non-infringing uses. For example, Skype uses P2P software to facilitate Internet Telephony. It has been wildly successful and was recently sold to eBay in a (presumably) “commercially significant” transaction valued at $2.6 billion. What is less well known is that the founders of Skype are the very same individuals who created – and later broke their connection with – the KaZaa software that ultimately became a popular P2P vehicle for trading copyrighted files. 

Thus, it is important to recognize that the first applications of a new technology may not ultimately become the dominant ones. To strangle in the cradle a newborn technology that may eventually have considerable legitimate applications merely because the first users have been “bad guys” is contrary to the public interest (my emphasis).

I skimmed through the Supreme Court ruling and it was clear that the Justices were primarily opposed to Grokster’s apparent support of piracy — it was not an attack on p2p technology.  Nevertheless, the point is very well made.  If vibrant and exciting p2p applications are not released because of fear of litigation from the luddite crowd, it puts a chilling effect on vital technology innovation.

As always, I wish to make it clear that I am not a supporter of piracy and condemn it.  My concern is that the technology industry as a whole has benefited from relatively unfettered and dynamic growth, and that the specter of further litigation may cast a shadow over future innovation.  When we get to the point where the biggest legal war chests can win over the brightest minds, we are in trouble. 

Alex Eckelberry

Related SunbeltBlog posts:

Supreme court rules against Grokster
Grumbling about Grokster
Round 1: Luddites 0, Mothers 1
Another take on the Grokster ruling
So they aren’t all luddites?

Shop At Home Select Banned from Commission Junction

Well, this is interesting…

Commission Junction, arguably the world’s leading payment network for e-commerce traffic, has permanently banned one of its largest “loyalty” programs, according to CJ officials.

The affiliate is Shop At Home Select, a subsidiary of the Belcaro Group of Greenwood Village, Colo. The company promises small rebates on Web purchases consumers make while using the Shop At Home site or its memory-resident software.

I wrote on Sept. 13 about complaints that Shop At Home software was silently installed to users’ PCs when some associated Web sites were visited. Computer experts also accused the company of keeping commissions that were automatically generated — even if a user had never registered and therefore no “rebate” could be issued.

The story behind Commission Junction’s action against Shop At Home provides a fascinating look into a rarely seen world. It reveals an ongoing war between “loyalty” programs — which install monitoring software on users’ PCs — and e-commerce merchants that want to pay only for genuine traffic they wouldn’t otherwise receive.

Link here.

Alex Eckelberry
(Thanks Ben)

Elucidating presentation on IE security

If you have a minute, take a quick look at this Powerpoint presentation by Microsoft IE guy Tony Chor. Link here via Donna.

Highlights:

– IE security sucked in the past.

– It’s better now.

– It will be even better in the future.

And to their credit, it’s an honest assessment of the situation with IE.  There’s also a lot of interesting information on the new Protected Mode in IE.

Plus, there’s even a cool looking hamster wheel!!!

Alex Eckelberry

Feds step in, mandating two-factor authentication

The Federal Financial Institutions Examination Council (FFIEC), a coordinating regulatory agency for US banks, has issued “guidance” moving banks toward two-factor authentication.

While this is termed “guidance”, the FFIEC does say “Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.”

The FFIEC makes a strong point about single-factor authentication, saying “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

From the FFIEC document:

Existing authentication methodologies involve three basic “factors”:

• Something the user knows (e.g., password, PIN);

• Something the user has (e.g., ATM card, smart card); and

• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include “out-of-band” controls for risk mitigation.

…Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers. The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.

Good.

Alex Eckelberry
(Thanks Adam)

Related SunbeltBlog posts:

Yah, that’s a good idea.

Spyware countermeasures by banks

Are banks moving off https?

Should clicking “YES, I AGREE” give consent to spyware installs?


Wayne Barnes, Associate Professor at Texas Wesleyan University School of Law, has just written a powerful paper called Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance.  Download it here.

The premise of the document is:  Just because we got you to agree, does it make it ok that we are doing what we’re doing?   The paper then describes, in painstaking detail, what the various applicable laws are in the area.  While I don’t entirely agree with his definitions of spyware (he does make it seem like practically all spyware is a keylogger), there is some powerful information in this writeup.

Some snippets:

…the proposition that a consumer may contractually consent to the installation of such software is accepted almost without any serious debate… However, once the consumer initially clicks “I accept,” she may never again be aware of the fact of the surveillance and transmission of her private web browsing data. These arrangements have been championed by many in the software industry, and resistance against them is sometimes weak since the consumer is perceived to have granted contractual consent …

The purpose of this article is to question the propriety of that contractual consent, given the privacy implications of spyware. Part II of this article discusses the history of spyware in the greater context of the development of the Internet generally. It also discusses the debate about the definition of spyware, and the importance of the perceived grant of consent in that debate…. On the other hand, some observers believe that the spyware/adware distinction is spurious. Ben Edelman, perhaps the foremost researcher of spyware in the United States, stated: “From the perspective of users whose computers are infected, there is nothing hard about (defining spyware). . . .

If you have adware or spyware on your computer, you want it gone. Maybe the toolbar is Mother Teresa, but it’s Mother Teresa sitting in your living room uninvited and you want her gone also. . . . You don’t need a committee of 50 smart guys in D.C. sipping ice tea in order to decide that.” Many people, fed up with the epidemic of spyware and adware, say that it’s not the label that’s given, but rather it’s “what you don’t want on your PC that matters.” In considering recently proposed spyware legislation, a United States congressperson remarked, in an analogy of spyware’s intrusive tactics to the “real” world: “If somebody walks in my house without my knowledge, without my permission, they’re trespassing. I don’t understand, I really don’t understand, why we’re having a . . . debate about this issue that everyone is outraged about.”

… I would submit that no one actively seeks out to have such surveillance-enabled software placed on their computer, for its own sake. Rather, the consumer is only thinking of getting the desired application, such as KaZaa or a computer game. True freeware still exists on the Internet, as well as “trial versions” of programs, or shareware, which allow the downloading of a program for limited purposes, with payment required in order to get the full version. Thus, it certainly is not a given that consumers always know there “must be a catch” in the form of consent to constant surveillance

….In short, consumers don’t usually expect spyware. This is further evidenced by a recent survey of Internet users conducted by America Online and the National Cyber Security Alliance, which was released in October 2004. That survey revealed that 80% of all computers tested had spyware or adware installed on them; even more notably, 89% of the same users were completely unaware of the presence of the surveillance software on their computers. The fact that 89% of users are completely unaware of the spyware on their computer supports an inference that the installation of such software – if it had been discussed in a EULA to which the consumer manifested some type of superficial assent — was clearly beyond the range of reasonable expectation, in terms of the operation of Restatement section 211(3)

…Thus, from the privacy principles generally, and the sanctity of one’s home, it can be argued that spyware contracts which obtain purported consent to surveillance should be unenforceable as against the public policy favoring privacy. Unlike contracts where the invasion is a merely incidental aspect of the bargain, the spyware bargain purports that the full consideration flowing from the consumer is the allowance of unfettered, continuous online surveillance of the consumer, which could conceivably include all of the most private aspects of the consumer’s life. The invasion effected by the spyware is a “virtual” trespass into the consumer’s home – the usual location of the consumer’s computer used for web browsing.

Alex Eckelberry
(Thanks to Ben Edelman for sending me this link).

Do video games lead to increased aggression? So what?

This article reports on a study linking violence in video games to increased aggression. In a test done at Michigan State University, researchers found that “playing violent video games leads to brain activity pattern that may be characteristic for aggressive thoughts.”

Widely reported, this study will inevitably become part of a larger discussion on violence in video games.  Now, that may not be a bad thing, but I’m not so sure of the science behind the study itself.  In my opinion, the premise, methodology and conclusions of the study are deeply flawed.

Furthermore, I get really uncomfortable with research such as this, because inevitably it leads to some politician grandstanding about how bad video games are for society and then some type of legislation gets put into place.   Or, more realistically, anti-violence attorneys like Jack Thompson sue more video game companies.

TechDirt starts the discussion with some very, very good points: 

“…researchers from Michigan State say that violent video games cause brain activity characteristic of aggression — or at least it did in 11 young German video gamers they tested. The study looked at the effects of a first-person shooter game on 13 German males between the ages of 18 and 26 that play an average of 15 hours of games a week — hardly a comprehensive sample, and one made up of subjects that are probably already somewhat aggressively minded.

But aggressive thoughts directed at the game itself — what some might call being engaged by it — aren’t harmful. It’s a question of acting on aggressive thoughts outside the game, something the study doesn’t touch on [my emphasis]. It misses the point: while video games may cause feelings of aggression while they’re being played, it’s what happens to those feelings afterwards that can become problematic. It seems like most of the instances of violence blamed on video games happen after kids play, not during.  

Right.  You certainly do (and should) feel increased aggression as you’re blowing some poor alien to smithereens.  And that brings in the “so what!!!!” factor of the study. 

But let’s move to the science behind the study.  In light of the fact that we only recently saw a study published that showed that most published research findings are false,  one also has to look at the methodology, which itself is troubling. The study used a type of brain scan called fMRI. According to researcher Dr. Grace Jackson, there are two types of brain studies done by scientists:  Anatomic studies — using Computed Tomography (CT) and MRIs, to capture images of the brain, and are widely used by doctors to identify static things like tumors, cysts and blood clots. Then, there are functional studies, which use techniques like Functional MRI (fMRI) and Positron Emission Tomography (PET). These methods attempt to evaluate brain processes when a person is doing various things (thinking, eating, sleeping, playing video games, etc.).

These functional studies do not measure brain activity directly. What the technologies actually reflect are transient changes in blood flow. In the Michigan study, there was also no reference to the numerous correlation problems which undermine the validity of most comparison studies, as researchers commonly fail to control for the influence of age, gender, body size (weight and height), drugs (licit or illicit), medical conditions, physical activity, education, and diet. Finally, there was no acknowledgment of the fact that the use of these technologies remains controversial. Due to theoretical and practical limitations, the application of studies using fMRI and PET is restricted to research settings at this time.  In other words, one should not make public policy out of it. 

To wit, Professor Mark Griffiths at Nottingham Trent University, had this to say about the study: 

“…I do not think that this alone proves that there is definitely a link between watching violent video games and people being aggressive or violent in their actual lives….there are too many other of what we call ‘conflicting and confounding variables’ – people may also be affected by such things as the amount of violence in their lives or the violence they watch on television. We need more research before we draw up definitive conclusions.” 

Notice he uses the term “confounding variables”.  A confounding variable is one that influences both the supposed cause and the measured effect, so that a correlation between the two can be produced by the confound rather than by any direct link between them.

In other words, since what fMRI shows is simply transient changes in blood flow, one could as easily argue that these fine Teutonic males were, in fact, simply suffering from a well-deserved case of flatulence after eating too much bratwurst.  With no controls in place (where were the people who didn’t play the video games?) and a research methodology that is known to be controversial and experimental, one truly starts to cast a doubtful eye on the study’s sweeping statements.

I recall playing Doom years ago and getting some pretty intense adrenaline kicks, but I certainly didn’t become more aggressive.   It stands to reason that when you’re playing them, you get into the game.  But we’re increasingly finding that violence in schools, etc. is related to a whole raft of other factors.

Now, I am not in favor of violent video games and as a father, I honestly don’t see much good in video games in general compared to reading, sports, programming, etc. I have two boys and both of them have played their share of video games.  Aggression was certainly not a problem.  If anything, it almost muted them, which was more disconcerting.

My solution to any aggression problem with my boys has always been fairly pragmatic — the family has strict rules for respect and decency, and from a physical standpoint, caffeine is absolutely banned in the house (for the kids, not the adults!), they are fed a healthy diet, given lots of love and we get them outside to play sports — certainly the best form of therapy for any child.    

Alex Eckelberry

Warning from Microsoft guy about unauthorized SP3 downloads

Earlier, I blogged about a site that has Windows XP SP3 information.

On that site is an “unauthorized preview” of SP3.

From a Network World article, Mike Brannigan at Microsoft blasted it on a newsgroup (forum link here) saying:

“You would be well advised to stay clear of this FAKE SP3 package. It is NOT suitable for testing as it is NOT SP3.

It is just a collection of hotfixes and other updates we have released.  It will not update your Windows XP system to SP3. It also contains a number of “private” hotfixes that are usually only issued to users with a specific identifiable problem.  The hotfixes are not as rigorously tested as publicly released ones; this is why we ask you to call PSS to get them, so we can track you and provide further assistance such as new versions of the fixes etc. as they become available.  Just installing all the “privates” on your PC may make your machine LESS stable and will also put you out of support from Microsoft or an OEM as you are installing incorrectly issued private hotfixes.

Frankly this “package” should be avoided and you should continue to use Windows Update and the download site to get the most up-to-date and correctly issued Microsoft fixes and patches. Anyone who installs this thinking they are getting SP3 (even as a preview) is being grossly misled and is posing a significant, potentially non-recoverable risk to their PC and data.”

This SP3 pack came from the site I earlier mentioned, TheHotFix.net.  In Network World’s article, a post on The Hotfix says this:

“Our pack is indeed a preview to what the official service pack will be, as these hotfixes will be in Service Pack 3 as proven by Microsoft’s own knowledge base,” according to a post by Allen on TheHotfix.net. “Each of these hotfixes can be obtained for free from Microsoft by calling their support lines.”

However, there is also this:

Allen also wrote that while there is a possibility the SP3 on his site will make a user’s machine less stable, it is not the fault of The Hotfix, because the software came from Microsoft, not the site itself.

Allen put together the preview of SP3 from software updates he received from an internal Microsoft source.[My emphasis] In an interview Wednesday, Allen said that Microsoft has not contacted him directly about the hotfixes he has posted, but his Microsoft source told him the company was conducting an internal investigation to find out who was leaking the hotfixes to his site.

What would I do?  Stay the heck away from it, and wait until the official SP3 comes out. 

Read the Network World article here (via Donna).

Alex Eckelberry

Yah, that’s a good idea

We’re seeing more of this.  Lloyds Bank is going to trial 30,000 security tokens with its banking customers.

Lloyds TSB's new device

This quote from the article caught my eye:

The bank says it is guaranteeing that they will not suffer from losses even if their PCs are compromised, as long as they have not – for instance – given their password away intentionally.

This stance contrasts with warnings from some other banks – notably HSBC – that in future customers could be held responsible if they do not keep security up to date on their machines.

Oh, umm, if that’s true (and I haven’t been able to verify it), that’s rather off-putting and sure to keep people away from online banking.  Doesn’t online banking actually save banks money, with the added benefit of not having the Great Unwashed standing in line at the teller?  Hmmm?

The banks are very much part of the security equation and relying on Grandma to make sure she stays up-to-date on her security patches is a bit ridiculous.  Something as simple and inexpensive as a token goes a long way toward good security practice.

Link here via Catherine.

Alex Eckelberry

Mocking “Hamster Wheels”

Andrew Jaquith at SecurityMetrics.org has collected what he calls “Hamster Wheels of Pain”.  These are those circular charts that so many security vendors use to describe their service.

To my immediate recollection, I’m not sure I’ve ever used a Hamster Wheel in a slide at Sunbelt.  I recently used a “cake” format to describe our security strategy  (I’d show it to you but I’d have to carpet bomb you with non-disclosure agreements, not altogether a pleasant thought). 

Anyway, all in the interest of humor, here are some pics from his blog:

http://www.securitymetrics.org/content/wiki-images/iss_mss.png http://www.securitymetrics.org/content/wiki-images/iss.png
http://www.securitymetrics.org/content/wiki-images/preventsys.png
http://www.securitymetrics.org/content/wiki-images/shavlik.png 

See the article (with more pics) here (originally discovered on ToaSecurity). 

Alex Eckelberry