Daily Link List
I know I throw these up every now and then.. They're my way of sharing short blurbs without long blog posts... I've got a few things I want to mention (actually quite a few) so... on with the show.
The first isn't really a list... It's some interesting spam that I received today in the comments of a post...
Author : Spam Bot (IP: 128.61.82.147 , r82h147.res.gatech.edu)
E-mail : spamtester@gmail.com
URI :
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=128.61.82.147
Comment:
Please forgive this post, it is simply a test to see if your site is spamable. Code: XXXXXXXX
I've X'd out the code in case the bot is going to return to confirm its existence. Nothing to comment, except that if someone is actually testing for research's sake, they should provide a link to explain themselves... if it's a spammer.. why not just spam like all the other spammers.. why test first..
Now... On with the links.
The first link belongs to a blog post by a good friend of mine, J_K9. It's a decent write-up introducing Metisse, which is "not just another 3D Desktop"... The description of it proves interesting... and the videos are definitely worth watching.
Next we've got the link that everyone and their brother has blogged about already, which is why I'm not dedicating a full post to it... most people have already read about it... Basically... GoDaddy is run by sniveling cowards. They also don't respect their customers... it makes me glad that they aren't my registrar.
Bill, from Bits from Bill, questions what defines a vulnerability. I enjoyed reading the post but ultimately I have to disagree with him... He looks at things like the new Microsoft Word 2000 "0-Day" Vulnerability. By Bill's definition these are flaws... His reasoning: First he defines vulnerable (Vulnerable – “open to assault; difficult to defend; capable of being wounded or hurt”), then he blames user interaction... To me, user interaction still leaves you "open to assault"... Let's look at this from another angle. Let's say the foundation of your house has a crack in it... You might say you have a flaw in your foundation... I might say that your foundation is vulnerable to earthquakes... These are both true statements.. If a flaw can make you vulnerable... then a flaw is a vulnerability. In fact, "define: Vulnerability" in Google returns this definition: "A flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity"
Up next is a post from Matt Blaze's Exhaustive Search. He's asking that security researchers and cryptanalysts stop using terms such as "breaking into" and "cracking" because of the negative connotations that they have. I like the idea... so now the question is... Can we find new terms that we can all agree on?
I guess my quick list of short posts is turning into something rather long... but I swear I'm almost half done.
One of the things I've done with my blog is join the Security Bloggers Network... which provides a nice RSS feed with several blogs all rolled into one. One of the blogs belongs to the "founder" of SBN, Alan Shimel, who has a... well... interesting blog. I'm quite often surprised, shocked and sometimes left shaking my head at posts that he writes (I've never met him, so I don't know if he's gutsy or stupid (although I'm going with gutsy))... but sometimes they inform me of something I didn't know. Today I thought I'd been informed of something I wasn't aware of... a secret meeting on security being held by Microsoft. Then Matasano cleared things up for me. The meeting has an agenda online (complete with information on who could register and how to register)... Then I remembered why it seemed so familiar... there'd been an email to one of the mailing lists inviting ISOI attendees to dinner and drinks (membership to the mailing list is required).
Item 1 Million on today's daily link list: A new version of honeytrap has been released. That was so short that I'm going to stick a second link in the same paragraph: An article claiming that 25% of computers on the internet are involved in botnets.
Another interesting tidbit was an article on Emergent Chaos regarding the Three Types of Authentication. The linked article (and driver for the post) is definitely worth the read.
One more site that will only get a brief mention.... Security Bullshit... weekly cartoons based around the security industry... So far there are 4 and they are all worth a laugh.
Lastly (I think), we have a small write-up by Anton Chuvakin on the ROI on Getting your Ass Whooped. It was inspired by another blog post, one with non-humorous content, but even without reading it, you're sure to get a kick out of Anton's post.

I can back up the criticisms of GoDaddy with a short story of my own. I ordered an SSL cert from them a few months ago, and received a code with which I could (supposedly) log in and download the cert. I tried the code on the GoDaddy site but it just wouldn’t work. So, in despair, I contacted them – I hadn’t found a way of sending a new code or resetting it. Can you guess what they replied? Let me show you:
Great. The guy ticked a few boxes and replied. However, that was not an answer to my question… Good job, support team. I replied again asking for help with my account (it wasn’t letting me log in with my login details – I needed specific help, not a reply generated by a few ticked boxes and a script), and they replied with a password reset form.
I’d already TRIED that.
The company is useless. I don’t think I’ll be using any of their services any time soon.
Thanks for the links. By the way, what do you think of the ‘25% computers on the internet are part of a botnet’ article? I’m having trouble believing that the percentage is that high.. Perhaps 15-20%, but 25%?
Oh, and thanks for the trackback
Hmm.. maybe we need to tell more jokes in the blog. =)
J_K9: 1and1 tech support isn’t much better… I have to explain to them how to do the tasks I’m asking about… Hostprince was the worst though… I wanted a custom application installed (a C program I wanted my page to interface with), so I asked for the hell of it… they said no problem, they’d install it… but then I had to tell them how to compile it.
DataSecurity: I enjoy your blog… especially having taken part in portions of PCI lately… which is why I still shared your blog’s link.
Hey Tyler,
Glad to hear you stopped by my Blog and appreciate you bringing up the discussion.
I’ll admit the whole overblown storm coverage had me in rant mode. Microsoft has posted information about the new Word issue.
http://www.microsoft.com/technet/security/advisory/932114.mspx
They’re calling it a vulnerability so I guess if they admit it’s a vulnerability I can deal with it.
Bill