Just to put a smile on your face..
Many people have probably already seen this... (since it made the front page of digg) but if you haven't here you go...
http://www.loconet.ca/?p=64 (Linux over the Vista logo in a Toronto Subway Station)
The New York Times Computer Security blog has an article entitled "Study Finds Security Flaws on Websites of Major Banks"... They couldn't have picked a more misleading title.. The original study, entitled "The Emperor's New Security Indicators", was a study to see how many users monitor things such as the disappearance of SSL (HTTPS) and changes to their "site authentication images"...
For those of you that are unaware, or haven't seen "site authentication images" the concept is that a user selects an image from a Library of thousands, along with a phrase... and they are displayed that image and phrase every time they visit the web page... The idea being that they would not see the image/phrase on a phishing site and would not login... The technology was originally rolled out by a company called PassMark who was acquired by RSA... they market the technology as RSA Adaptive Authentication for Web.
The study found that 100% of users still entered their username and password when SSL was removed from the equation (Although I'd love to see them try again with IE7 and High Assurance Certificates ( IE 7 Blog | SpywareSucks Blog Overview | Verisign Information ) to see if the green address bar makes a difference). They also found that 92% of users still entered their usernames and passwords when the "site authentication images" were removed. The study calls this method of protection ineffective... I'd argue that ~10% success is better than not trying... perhaps user education isn't up to par... but if you stop 1 in 10 phishing attempts with technology A and 1 in 10 with technology B you may eventually be protecting 10 out of 10 users... After all, isn't layered security a common concept?
The study however isn't my concern... my concern is with the NYT article... It's misleading to readers... There's no flaw in the websites of major banks... and if I were these banks I'd be rather upset at the NYT for the equivalent of slander right now... As I said in the title this article could have been called "Common Knowledge: Users Regularly Click-Thru"... This is where the problem lies. Users will commonly click next.. Call Tech support, what do they say, "Click next until you're done" (This is negligence on the tech support company's part)... Instructions on websites will commonly say, click next until you're done... Users have come to accept, "Click next until you're done" as the standard... in an effort to make computers easier for the average user... we've made them more vulnerable... we've been complacent in our duties to keep the end user informed.... to pass along knowledge... Basically, we've failed them.
The problem now is how do we re-educate them... The NYT should be addressing and answering that question... addressing the issue of users that "Click-Thru"... This study is alarming but not for the reasons that the NYT addresses... it's alarming because so few users know how to act and respond... They want the ease of use...
While it removes the simplicity of daily banking... I would propose this solution. The technology should randomly display an incorrect picture... Should the user click through without confirming it is indeed incorrect, the account would be locked until the user called the bank and had the lock removed... To ensure that phishing sites don't duplicate this... the second picture shown would then be the user's correct picture so they would know they can proceed safely... After a user locks their account out once or twice, they'll learn to start looking at the image. To ensure they don't always indicate that the initial image is incorrect, they should also have their account locked if they say "Not my image" to their image...
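The decoy-image flow proposed above, written out as a small server-side simulation. This is an added example, not code from the original post or from the PassMark/RSA product; the function names, the Account fields, the DECOY_RATE value and the tiny image library are all assumptions built from the description.

```python
"""Simulation of the randomised 'wrong image' check proposed above.

Added example; not code from the original post or from any vendor product.
The names, the Account fields, DECOY_RATE and LIBRARY are assumptions.
"""
from __future__ import annotations
import random
from dataclasses import dataclass

DECOY_RATE = 0.25  # assumed: fraction of logins that deliberately show a wrong image
LIBRARY = ["cat", "boat", "tree", "clock"]  # constructed stand-in for the image library

@dataclass
class Account:
    image_id: str          # the picture the user chose at enrolment
    phrase: str            # the phrase shown alongside it
    locked: bool = False

def choose_challenge(acct: Account, rng: random.Random) -> str:
    """Pick what to display: usually the real image, sometimes a decoy."""
    if acct.locked:
        raise PermissionError("account locked; the user must call the bank to unlock it")
    if rng.random() < DECOY_RATE:
        return rng.choice([img for img in LIBRARY if img != acct.image_id])
    return acct.image_id

def answer_challenge(acct: Account, shown: str, user_says_mine: bool) -> str:
    """Apply both lock rules from the post.  Returns 'locked', 'show_real' or 'proceed'.

    The server remembers what it showed, so whether it was a decoy is never
    taken from the client.
    """
    was_decoy = shown != acct.image_id
    if was_decoy and user_says_mine:          # clicked through a wrong picture
        acct.locked = True
        return "locked"
    if not was_decoy and not user_says_mine:  # said "Not my image" to their own image
        acct.locked = True
        return "locked"
    if was_decoy:                             # correctly rejected: now show the real image
        return "show_real"
    return "proceed"

def logins_until_lock(acct: Account, attentive: bool, seed: int, max_logins: int = 100):
    """Simulate repeated logins.  An attentive user compares the image; a click-through
    user always answers "mine".  Returns the login number at which the account locked,
    or None if it never did."""
    rng = random.Random(seed)
    for n in range(1, max_logins + 1):
        shown = choose_challenge(acct, rng)
        says_mine = (shown == acct.image_id) if attentive else True
        if answer_challenge(acct, shown, says_mine) == "locked":
            return n
    return None
```

An attentive user never locks the account, while a click-through user is locked at the first decoy, which is the re-education effect the post is after.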
Re-education isn't always an easy task... and the end-user is going to have to learn that to safely use a computer in 2007 they're going to have to give up a little bit of the convenience... Just as Vista is introducing UAC, which adds a few clicks.... banks should modify their systems to properly notify users and ensure that we desensitize them to the "Click-Thru method"...
Donna's Security Flash has also mentioned this briefly.
[Update] It appears as though the NYT has changed the title of the article to "Study Finds Web Antifraud Measure Ineffective"... I emailed the author (Brad Stone) and pointed him towards my blog post... I am however, disappointed that he didn't credit me for the name change, or at least say why he did it.
Sometimes... when I'm sitting around unhappy or maybe just feeling a little blue, I find myself jealous of DaringFireball.net and John Gruber... Now I know most people are probably shaking their heads and wondering why... but the answer is quite simple... "Ignorance is bliss"... and if that statement is true... that John Gruber must truly be the happiest man alive.
The latest debacle needs no response as it has already been answered, however I will provide the links required to read it through in its entirety...
We'll start with Bill Gates and his comments in a recent Newsweek article... you know the one that's got everyone up in arms... If you haven't read it yet... Welcome Back... How was the Coma? If you have... proceed to the next paragraph (this is kinda like those old Choose Your Own Adventure books).
Your next choice is even more difficult... Do you:
Welcome to the next section.. This is where your ally, one of the Heroes, enters the story...
If you weren't afraid the first time... now is where the real challenge comes...
Finally... You can now join the Hero of our story inside the cave of insanity...
As I said... some days I wish I was the DaringFireball.net... but all it takes is a couple of seconds of that to realize I'd rather have some knowledge and properly formed opinions instead of being a fanboy who likes to rant.
Anyways... Enjoy the read.
There's a great list of online Malware and Security scanners available from the Grand Stream Dreams blog (HatTip: Sunbelt Blog).
One thing that I noticed is that while it has the Norman Sandbox Information Center.. it doesn't contain links (unless I missed them) to CWSandbox.org (which requires verification to upload a file (entering a 4-digit number from an image)) and the Sunbelt Sandbox at Sunbelt Software Research. Now my assumption is that they're all powered by the same engine... but still.. no harm in having all the links available in case one is down for an unknown reason.
They're here... I'm on my Mac and don't feel like booting a Windows PC to check them out at the moment, I'll most likely experiment with them later... but this is definitely a step forward in security...
Anyways, there's a great write-up (for the end-user) over at the Spyware Sucks blog... Those of you who have been questioning if you should install the Root Certificate Update... This is why you should.
There's an excellent post over on Michael Sutton's blog on the prevalence of XSS Vulnerabilities (Hat Tip: ha.ckers.org blog). The post looks first at Mitre's numbers on XSS and then moves on to searching Google to find XSS, potential search strings, how to automate the process, the actual detection and then provides results.
The raw results are below:
Unique sites identified by Google: 288
Unique sites accessible at time of testing: 272
Sites with confirmed XSS vulnerabilities: 47
Percentage vulnerable: 17.3%
From start to finish... it was a great read.
Seeing that in the past I've done my fair share of tech support roles, I was surprised that I had never stumbled across this site before... The Calendar of Updates website. The website tracks releases and updates to all major software (in the home security market anyways)... For example... The list for Saturday, Feb 3rd, 2007 includes:
You can follow these updates (and check on the latest ones) on their Calendar page... or via the RSS feed. In addition to the Calendar of Updates, the page contains forums with basic end-user help and support... Not the place for an InfoSec Expert... but definitely a great RSS feed to keep in mind... Also great for the home user...
There's an interesting article on Wired News (Hat Tip: PCI and Data Security Compliance Blog). It tells the story of David Thomas, a fraudster turned FBI informant for an 18-month period from 2003 - 2004. I find parts of this story alarming... Thomas was living in an apartment paid for by the FBI... he was a free man... Not rotting in jail as he should have been. At a time when phishing and cyber scams are at an all time high, we're publishing stories telling these criminals that you can cut a deal and avoid jail time... I'm not sure I overly agree with that concept but either way... it's an interesting story to read.
Disclaimer: This isn't tech related but after all, it's my blog
Something I have a big problem with is the "Theory" of Global Warming... There's no evidence to support Global Warming... just as there is no evidence to support the effects of nuclear winter, the existence of aliens or that second hand smoke is dangerous (To understand my choices, read a lecture given by Michael Crichton at the California Institute of Technology entitled "Aliens Cause Global Warming".) A section of his lecture covers "consensus science" and while many people try to say that consensus science is used to prove Global Warming and for that reason it must not be true, I don't agree. However, I do think that consensus science is partially responsible. As Crichton says, "Nobody believes a weather prediction twelve hours ahead. Now we're asked to believe a prediction that goes out 100 years into the future?"
SEED, an education development program, has published an article on global climate change, which includes an image based on the Vostok Ice Core data published by the NOAA. The image is rather interesting. It shows that we're in a repeating cycle and we're actually right on track with past data. Yes this is proxy data but it's really all we have to go on. Even this data is for a considerably small period of time considering the age of the Earth is accepted to be somewhere around 4.5 billion years. The period represented by the image covers 425,000 years. That's ~0.0094444% of the history of our climate... A very small portion, however, large compared to those who support Global Warming... Let's take NASA, for example, who uses a ~50 year baseline... or ~0.0000011111% of the history of our climate... How are they supposed to make a valid prediction about the stability of our climate and any changes that it's undergoing? Now we also have to remember that these are the same people who said in 1997, "The most recent glaciation, 20,000 years ago, is called the Laurentide, and Earth is still recovering from it."
So what does this tell us... That 10 years ago we were still recovering from an ice age... that would mean that our temperatures were continuing to increase... That's pretty accurate when you consider the small scale of data that NASA presents, and it holds true when you look at the larger picture using the NOAA data. It also tells us that we're not experiencing the "Terror of Global Warming" but rather a natural and unavoidable climate change cycle. In 2002 there were published studies that Antarctica was getting colder and the ice was getting thicker... again this doesn't sound like Global Warming.
Now I'm not a scientist... nor do I claim to be one... but common sense can be great when you're trying to dissect information. Here's what my common sense is telling me... but first.. the knowns:
So what is my common sense telling me? It's simple... we're in a continual climate change cycle... this is natural... We're coming up on the warmest point in the cycle's natural progression... Now it is time to start cooling... And what were we told in school, when the ice age came the ice came down from the poles (I guess it would be up from the south pole)... We're seeing evidence of this already with the poles getting colder and thickening. The poles have long since been an indicator of change... We fear them melting from Global Warming and that would have catastrophic results... Now they are indicating change yet again and this time the change is in line with what history shows us... My prediction: The poles will get colder... They'll thicken and start to extend.. we'll have our hot years and then gradually cool as well, allowing the poles to proceed forward even further. This is the natural cycle of things...
One last thing to take into account... The Cold War, the Cuban Missile Crisis, The War on Terror... The US Government has always been able to instill fear in its people using war and nuclear threats... That ability is starting to run out and suddenly Global Warming is back in the picture... The Doomsday Clock, which used to measure only the threat of Nuclear war, now suddenly measures the threat from Global Warming. It seems that consensus science is working again, and everyone is buying into the "Theory" of Global Warming, when all of the evidence points to a natural change in climate.
It turns out that Network World published a list last week of the Top 10 Network (or Computer) Movies... Mitchell Ashley had some issues with this list and decided to create his own.
Since I have issues with both of these lists I've decided to create my own which contains movies from both of them, as well as a few of my own. They are really in no specific order.
So that's it... I moved more to the computer side in some cases but I figure that's acceptable..