Category Archives: security

Amazon’s cloud services growing up, sending out spam

Amazon made multiple cloud announcements yesterday, just ahead of anything Microsoft might be pitching at PDC next week. The Elastic Compute Cloud is out of beta; there’s beta support for Windows 32-bit or 64-bit at $0.125 per hour; there’s a new web-based management console; and new automatic load balancing and scaling.

The last points may be the most significant. Smooth scaling is one of the toughest problems for any enterprise or busy web site. On-demand scaling is totally compelling.

There’s still something missing. What if the service goes down? SLAs, sure, but saying to the boss “we’ve got an SLA” is little help if your business is losing thousands every hour through unavailability. I’d like to see something about failover to a non-Amazon service, or some convincing reason why we won’t see repeats of the downtime that has afflicted Amazon a couple of times already this year.

Here’s another sign the service is growing up. WordPress comment moderation shows me some basic info about the source IP of comment posters, and I noticed an item of spam yesterday that was sourced from an Amazon EC2 server:

No, it wasn’t one of the new Windows VMs! I traced it to a Swedish site running Plone, emailed the company to point out the problem but haven’t yet had a response. The spam itself makes no sense; probably a test.

Update: I received an explanation from the site:

We have been running a proxy on EC2 that rewrites certain websites for demo purposes. It has just been up for a few days, but it seems that someone thought it was a nice way to relay spam (we only proxy port 80, so just the message board kind).


Don’t tell me to turn off Vista’s UAC

I’ve been looking at music servers and music ripping software, and came across Ripfactory Micro, a fast and easy to use solution.

Unfortunately when I ran it on Vista it came up with this message:

Then it exits. I looked at the support pages and found that this is a documented problem:

If you are trying to run our software on Vista and get an "Unable to enable autorun" message, you have to turn off the User Account Control (UAC) as the program requires access to a registry key to determine autoinsert status.

It’s true. I checked using Sysinternals Process Monitor. The app asks for access to HKLM\System\CurrentControlSet\Services\cdrom\autorun. If it finds it disabled, it throws up this dialog:

This is such nonsense.

First, if the app finds autorun enabled it doesn’t need write access; and read access comes by default, so why break the app on Vista for this?

Second, there is no need to disable User Account Control to run the app. You can either set it to run as administrator (right-click the shortcut, compatibility tab); or else grant the current user read-write access to that specific registry key – not ideal, but either of these would be better than disabling UAC.

Third, a support note like this should at least hint at the implications of disabling Vista’s primary security feature.
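The read-versus-write distinction in the first two points can be checked from a normal, non-elevated PowerShell prompt. This is an added example, not code from Ripfactory or from the original post; it assumes the autorun setting is the `AutoRun` value under the `cdrom` service key, and it only reads.

```powershell
# Added example. Read-only checks; nothing is modified.
$subKey    = 'SYSTEM\CurrentControlSet\Services\cdrom'  # key named in the post
$valueName = 'AutoRun'                                  # assumed value name

function Test-KeyAccess {
    param([string]$Path, [bool]$Writable)
    try {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path, $Writable)
        if ($null -eq $k) { return $false }   # key does not exist
        $k.Close()
        return $true
    } catch {
        # OpenSubKey throws SecurityException when the token lacks the right
        if ($_.Exception.GetBaseException() -is [System.Security.SecurityException]) {
            return $false
        }
        throw
    }
}

# Is this process running with an elevated administrator token?
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

# Read the setting the way the application could: through a read-only handle.
$autorun = $null
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $false)
if ($key) { $autorun = $key.GetValue($valueName, $null); $key.Close() }

[pscustomobject]@{
    Elevated = $elevated
    CanRead  = Test-KeyAccess $subKey $false
    CanWrite = Test-KeyAccess $subKey $true
    AutoRun  = $autorun      # 1 = enabled, 0 = disabled, empty = not set
}

# Who is granted what on the key: shows why a standard user can read but not write.
(Get-Acl "HKLM:\$subKey").Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

With default permissions a non-elevated session reports `CanRead` true and `CanWrite` false, so an application that only needs the current setting can get it without elevation and without UAC being switched off.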

Otherwise the app seems to work well, faster than iTunes, and downloads cover art. I still prefer dbPowerAmp though, because it links to AccurateRip to check the integrity of your rip.


Apple accused of security blunder; highlights cloud risks

According to this post, someone at Apple committed a huge security blunder, giving the password to someone’s Apple ID to a third party. How was this accomplished? Someone emailed from an email account not associated with the Apple ID, and asked for the password. Apple apparently just reset the password and emailed it to the enquirer.

I haven’t verified the claim; but even if it is false, it highlights the risks of living the cloud life. Here’s what victim Marko Karppinen emailed to Apple:

Apparently based on a single-line email inquiry, you have allowed a third party access to:
– My personal details
– My personal email
– All the files stored on my iDisk
– Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
– My credit card details as stored in my Apple Store profile
– My iTunes Music Store Account
– My ADC Premier membership, including the software seed key and other assets
– The iPhone Developer Program’s Program Portal, including details of our development team

Frankly, this makes me so angry that I can’t see straight.

Simon Willison, whose blog alerted me to the incident, mentioned a few weeks ago the security problem inherent in any site which will email you a password:

I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a “forgotten password” feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider.

Let’s bear in mind too that email mostly travels through the internet as plain text, vulnerable to interception.

Thought for the day: how much of your data is protected only by a simple username/password combination, and presuming there is some, how well protected is that password itself?

I imagine Apple will be tightening up its procedures, if the incident above is confirmed, since it was easily avoidable.


More AVG nonsense

AVG found a virus on my Vista system this morning:

I was puzzled at first: what is Scratch? Then I remembered: it’s an innovative visual programming language aimed at education. Virus, or false positive? I checked the file, which seemed unchanged since 2007, but of course these things can be deceptive. Still, why this file, and how had this virus arrived? I looked here; other Scratch users have had the same problem, and other anti-virus software does not detect any virus, so it seems that this is indeed a false positive.

Most anti-virus software is based on a broken concept, the idea that you can detect malware by comparing files against a “known-bad” list of signatures, and occasional false positives are inevitable. I’d like to see that possibility properly recognised in the UI that the a-v software presents.

Not good for AVG, following its ill-judged LinkScanner problems.


Why you can’t trust a Google ad

An interesting facet of the recent problems with UK non-supplier Zavvi Direct is that all the purchasers I spoke to found the fake web site via a Google ad. Put another way, without the ease of advertising through Google and eBay, it is likely that far fewer people would have found the site and potentially lost their money.

That raises the question: does Google do anything to verify that its advertisers are genuine? Here’s the answer, from a Google spokesperson:

Google, along with other online and offline advertising platforms are not able to proactively check the legitimacy of each and every advertiser. Consumers should always check the validity of what is being sold to them and how they are asked to pay for items. If Google is alerted to a potential fraud then we will work with the relevant legal authorities to help them resolve such matters.

This was clarified to me as follows. Google will assume ads are OK unless it receives complaints. If it receives a few complaints it might pass them on to the merchant. If it receives numerous complaints it might warn the advertiser and eventually disable the account.

I guess it is unreasonable to expect Google to conduct checks on every advertiser. Still, there is a related point: does Google do enough to highlight the difference between advertisements, and links identified by its famous search ranking algorithms? Here is a snapshot of a search I just made:

I’ve sized the browser small to get everything in; there are more search results than I’ve shown. However, it shows three panels of results. The top left is tinted and marked in unobtrusive gray type “Sponsored links”. The top right is narrow, not tinted, and also marked in gray type “Sponsored links”. The bottom left is what most tech-savvy folk think of as the main results area.

Judging by my interviews, some people are not really aware of the distinction between a “sponsored link” and a search result. In some cases, the buyer could not tell me what kind of link they clicked. To them it was just “Google”.

It would be easy to make the ads more distinct. Google could use the plain English “Advertisements” rather than the “sponsored links” circumlocution. It could use something bolder than gray text to identify them. It could use a different font and colour for the links in the right-hand column. It is good that the top left links are in a tinted panel; yet some may perceive this simply as best-match links, rather than links in an entirely different category than those that follow.

Overall, it seems to me that Google deliberately makes its ads look the same as search results. Which is good for advertisers, but can be bad news for buyers.


Native code client coming for CardSpace as .NET runtime too demanding

I spoke this morning to Paul Mackinnon and Steve Plank at Microsoft, about Information Cards and CardSpace. CardSpace is part of .NET Framework 3.0 and higher. It enables users to authenticate on web sites by presenting a virtual card, instead of typing in a username and password.

The CardSpace concepts strike me as sound, but as far as I can tell adoption has been minimal. I expressed my frustration; why is it that 18 months after the 1.0 release even Microsoft is not using it to any noticeable extent? I still see username/password dialogs whenever I need to sign into a Microsoft property like MSDN subscriptions or Live Mesh. Actually there is a beta service which lets you sign in with CardSpace – but I believe my point is still valid – how many people even know about this?

I was told that it is still early days and that we will hear more about the Live ID service when it comes out of beta. Mackinnon also mentioned that Microsoft is working on a native code client for CardSpace. Currently users need at least .NET Framework 3.0 which is a huge download and can be problematic. A native code client will be a small download with few dependencies. There is no firm date for release, though it is at least a year away (maybe previews before then).


Ruby interpreter flaws make the case for JRuby?

The official Ruby blog reports:

Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

More discussion here and here. The community is fixing the problems energetically; but they do appear serious, and some are struggling with compatibility issues.

Since these seem to be bugs in the interpreter, it strikes me that this makes a good case for JRuby or in due course IronRuby, on the grounds that the Java and .NET runtimes are more mature. When I spoke to ThoughtWorks about its extensive Ruby work, I was told that JRuby is almost always used for deployment, partly because enterprises are more comfortable with it.


Microsoft MSMVPs blog site taken over by malware

Susan Bradley is blogging about a break-in on the server that runs numerous blogs for Microsoft MVPs (Most Valuable Professionals).

She describes spotting a service that turned out to be the W32/Rbot-GOS worm with IRC backdoor functionality.

Currently she doesn’t know how it happened, but promises to let us know; it’s also being investigated by Microsoft support.

Kudos to Bradley for being open about this. It’s embarrassing for someone with deep expertise who blogs about security; on the other hand it demonstrates what a tough problem this is. I’ll be watching with interest for the further analysis.

Taming AVG

AVG is a reasonable anti-virus product as these things go; it is also available in a free version for personal use. The recent version 8.0 release however has some problems, as The Reg points out. The trouble with the anti-virus vendors is that they cannot resist adding bloat to their products, even when customers prefer them to be as lightweight and efficient as possible.

In AVG’s case the team dreamed up a feature called LinkScanner. The idea is that AVG verifies the safety of an Internet link before you visit the site. Sounds good; but how does it work? Well, it seems that when you have a page full of links, such as those from a Google search, AVG visits all of them, just in case you click, and gives them a pass or fail based on some combination of malware reports and perhaps direct detection. It’s desperately inefficient; and overlaps with functionality built into Firefox and Internet Explorer. Firefox 3 has a phishing and malware protection feature, while Internet Explorer has a phishing filter which is evolving into a Safety Filter in IE8. There are also privacy issues with any system that depends on sending your browsing history to a third party for review.

I tried this new feature in AVG 8.0, didn’t like it, and disabled it. Unfortunately although AVG allows you to disable it, it then treats it as an error condition:

 

Although in reality everything is fine, the little icon in the system tray sports an exclamation mark, disguising more serious problems such as a failure to download updated virus signatures.

Fortunately you can avoid the LinkScanner by removing and reinstalling AVG. It is no longer necessary to use the /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch arguments; with the latest version, just choose a custom install and uncheck the Safe Search feature (Safe Surf is a feature of the paid-for version).

If you don’t see the Safe Search option, re-download AVG and try again.

I also disable the daily scan, which slows down the computer excessively while it is running and which strikes me as unnecessary. How are viruses going to get on the computer, if the on-access scanner is working? Then again, almost nothing about anti-virus software works reliably (the task is too difficult) so I suppose there is a case for it.
