Letter to a Young Turk

I’ve been arguing for the last few weeks that what’s needed most for Vanuatu is to invest significant time and effort into the creation of a new crop of technically savvy individuals who can help Vanuatu bridge the growing gap between life in the information age and life as we’ve always known it in the islands.

There’s a pressing need for people to assist with this transition. The barriers have begun to fall that once allowed life in the village to remain consistent, with change seeping in slowly and in tiny doses. Very soon, most everyone in Vanuatu will have access to mobile telephony. We’re already hearing stories about Tannese in Middle Bush bringing their mobile to the garden with them, just in case someone wants to reach them.

Only weeks ago, nobody really got fussed about waiting days or even weeks to hear a bit of news. But now that we can actually get it, we want information immediately. It’s a universal human trait to want to keep caught up on the latest. In the past people here have been content to let information and gossip arrive at its own pace, confident at least that nobody was getting the jump on anyone else. But now, someone who owns a mobile phone holds a distinct advantage over those without. In this culture – and most others – knowledge is power, and in Vanuatu, a new arms race has begun.

Walk Like a Dinosaur

Michael Krigsman’s most recent entry in the IT Project Failures blog is an interesting, colourfully-illustrated and upside-down look at the relationship between IT and traditional business.

His question, based on numerous similar postulations, is whether IT is becoming extinct. His answer (you knew it was a rhetorical question, right?) goes like this:

Since the days of punch cards, IT has believed itself to be guardian of precious computing resources against attacks from non-technical barbarians known as “users.” This arrogant attitude, born of once-practical necessity in the era of early data centers, reflects inability to adapt to present-day realities. Such attitudes, combined with recent technological and social changes, are pushing IT to share the fate of long-extinct dinosaurs.

The arguments he offers in support of this thesis are all valid to some degree, and all supportive of what he’s positing, but he somehow manages to miss the point that means most to business:

Monolithic, top-down, IT-as-bureaucracy approaches are being subverted by recent changes in technology and services, but so too is business in general.

No Borders

I made a mistake this week, or rather a misjudgement. I wrote about a new threat called Goolag, in which a malicious person could use Google to find servers on the Internet that are vulnerable to attack. The servers are infected with malicious code that causes anyone who visits them to be exposed to compromise. This is how many an innocent person’s computer becomes a spam-bot, remotely controlled by hackers and used to send spam, and sometimes to infect its neighbours as well.

I wrote, “Making simple mistakes is the easiest way to expose yourself to attack…. You won’t be targeted so much as stumbled across.”

Within two days of writing about the issue, an online security blog reported a wave of attacks affecting approximately 200,000 web servers. The single most important part of comedy, as they say, is timing.

This latest wave of attacks is important to us for a couple of reasons: It demonstrates that the democratising effect of information on the Web respects no single set of ethics or morality. The very same information-sharing tools that have so empowered people everywhere are being used by vandals and criminals for their own selfish ends as well.

It also means that there are no safe havens online.

Gooooolag

UPDATE: How wrong could I be about the severity of this threat? Very wrong, apparently. I haven’t confirmed it yet, but it’s hard to imagine how this week’s mass server hack could have happened without tools like the one described below. I’ll write more about this in this week’s column….


Heh, cute:

Cult of the Dead Cow Announces Goolag Vulnerability Search Engine.

Once you get past the Chinese porn silliness, there’s a real story here:

Google’s effectiveness as a search engine also makes it an effective… well, search engine. Common website weaknesses are exposed by search engines such as Google, and anyone can access them by using specially crafted queries that take advantage of Google’s advanced searching capabilities. As the cDc press release indicates, there are approximately 1500 such searches published and readily accessible on the Internet. And now the cDc has built a(n a)cutely satirical web front end and is offering a downloadable desktop search application for Windows, giving script kiddies the world over something else to do with their time.

What effect has this had on website security? It’s difficult to tell. The principle of using Google as a scanning tool has been common knowledge since at least 2006, but according to Zone-H, who record large numbers of website defacements every year, the only significant increase in website attacks since then was the result of an online gang war between various Russian criminal factions, back in 2006. Ignoring that anomalous rise in activity, the rate of attack actually fell slightly in 2007 compared to recent years, relative to the number of active websites.

Zone-H’s latest report proves only that the percentage of insecurely configured websites scales on a roughly linear basis with the number of available websites, and that the choice of technology has almost no bearing on the likelihood of a successful attack. Indeed, most exploits are simple attacks on inherent weaknesses: guessing admin passwords or copying them when they’re sent in cleartext, misconfigured shares and unsafe, unpatched applications. Attacks requiring any amount of individual effort are not very common at all. Man-in-the-middle attacks rated only fifth place in the list of common exploits, representing only 12% of that total. But researchers have elsewhere noted that cross-site-scripting attacks are on the rise, and are being used mostly by spammers to increase the size of their bot nets.

The lesson here is fairly obvious: Making simple mistakes is the easiest way to expose yourself to attack. And search tools like Goolag make finding those mistakes remarkably easy. You won’t be targeted so much as stumbled across. Given the recent rise in the number of websites being used to inject malicious software into people’s computers, spammers and other online criminals appear to have a strong incentive to use even the less popular websites to ply their trade.

Your choice of technology won’t save you, either. Most popular web servers are fairly secure these days and though not all server operating systems are created equal, the big ones have improved markedly. But the same cannot be said of the applications and frameworks that run on them. The old adage that ease of use is universal still applies. When you make things easy for yourself and your users, you are liable to make things easy for other, less welcome guests as well.

The lesson for the average website owner: Do the simple things well. Don’t waste your time trying to imagine how some intrepid cyber-ninja is going to magically fly across your digital alligator moat. Just make sure your systems are well-chosen and properly patched, pay attention to access control and treat authentication seriously. Statistically, at least, this will drop your chances of being Pwned to nearly nil, or close enough as makes no never mind.

Splash and Ripple

Drop a stone in the middle of the pool. Watch its ripples spread wider and wider across the surface. Inevitably – sometimes sooner than later – the ripples mingle and apparently disappear among the others. Cause and effect: A simple action creates immeasurable, unpredictable and unforeseeable results.

Among development professionals, this provokes roughly equal amounts of fascination and frustration. Fascination, because anyone with a mote of interest and natural curiosity is quickly engrossed by the flow of events as human cultures mingle and change. Frustration, because at some point it will be necessary to say to a donor, ‘Your money will have exactly this effect.’

And that will be a lie, of sorts.