Apr 21

I came across a very interesting read at Marcus Ranum’s blog about the 6 dumbest ideas in computer security.  His number 1 idea was by far one of my biggest pet peeves:

#1) Default Permit

The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked - now the administrators need to decide whether to deny it or not, hopefully before they get hacked. A lot of organizations adopted “Default Permit” in the early 1990s and convinced themselves it was OK because “hackers will never bother to come after us.” The 1990s, with the advent of worms, should have killed off “Default Permit” forever but it didn’t. In fact, most networks today are still built around the notion of an open core with no segmentation. That’s “Default Permit.”

This could not be truer.  I find that every time I go into a meeting to discuss, set up, introduce or roll out the newest and greatest product, this comes into play.  Most people want to roll it out without thinking about what it actually does.  Take for example a new firewall system.  The new product could be brought in, set up and configured exactly like the old one, and everything will probably continue to function.  But in the end, why bother spending $20,000 on the new box if you aren’t going to look at what you’re using it for?

Please keep this in mind while setting up your new software program, coding your new web application or simply plugging in the greatest computer you have ever owned.  Keep it closed — open only what you need.
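The two firewall postures Ranum describes, side by side as iptables INPUT-chain rules; this is an added example, not from the original post. It prints the commands unless APPLY=1 is set, and it assumes ports 22 and 443 are the only services this host actually needs.

```shell
#!/bin/sh
# Added example, not from the original post: "Default Permit" versus
# "Default Deny" as iptables INPUT-chain rules. Commands are printed
# unless APPLY=1 is set (then they run, as root). Ports 22 and 443 are
# assumed to be the services this host really needs.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# "Default Permit": everything in, except the handful of services you
# happen to know about. A newly installed service is reachable at once,
# and every new vulnerability means one more deny rule, after the fact.
default_permit() {
  run iptables -F INPUT
  run iptables -P INPUT ACCEPT
  run iptables -A INPUT -p tcp --dport 23 -j DROP    # telnet
  run iptables -A INPUT -p tcp --dport 513 -j DROP   # rlogin
  run iptables -A INPUT -p tcp --dport 21 -j DROP    # ftp
}

# "Default Deny": nothing in, except what this host is known to need.
# A newly installed service stays closed until someone opens it.
default_deny() {
  run iptables -F INPUT
  run iptables -P INPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # ssh (assumed needed)
  run iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # https (assumed needed)
  # no rule for telnet/rlogin/ftp is needed: they are already closed
}

# fate_of_new_service POSTURE PORT: what happens to a fresh inbound TCP
# connection on PORT under the printed rule set? An explicit rule wins;
# otherwise the chain policy (-P INPUT ...) decides.
fate_of_new_service() {
  rules=$("$1")
  if printf '%s\n' "$rules" | grep -q -- "--dport $2 .*-j ACCEPT"; then echo ACCEPT
  elif printf '%s\n' "$rules" | grep -q -- "--dport $2 .*-j DROP"; then echo DROP
  else printf '%s\n' "$rules" | sed -n 's/.*-P INPUT //p'
  fi
}

default_deny
```

Run it plainly to review the rules, then `APPLY=1 sh fw.sh` as root to install the default-deny set; `fate_of_new_service default_permit 8080` prints ACCEPT, while the same port under `default_deny` prints DROP.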

Apr 11

While perusing the Internet the other day I happened across an article outlining Microsoft’s dive into the mapping world and their attempt at beating out Google on simple, fast and efficient online maps.  I laughed.  I haven’t seen a product from MS come out in a long time that beats the awesomeness that is Google.  But I may have been mistaken.  Take a look at the two different images below and after the jump I’ll tell you my thoughts.

[Image: Microsoft Live Maps]

[Image: Google Maps]


Apr 10

I know it seems strange for me to write a post promoting Comcast but I think they might actually be on the right track here.  I recently had a short outage (maybe a few hours) when I was unable to access a large group of web sites from my home cable connection.  I didn’t think much of it but I was a bit annoyed.  An hour or so after noticing, it started to get better.  Sites like Gmail, Slashdot and Digg started loading in my browser yet again and I became a sane person.

Two days passed and everything continued to work but to my surprise an email showed up.  A section of the email is below:

Dear Valued Comcast Customer:

You may have experienced some Internet issues this past Saturday, and I want to apologize for any inconvenience this may have caused you and your family.

We detected an issue early Saturday morning that resulted in some customers having problems connecting to certain Web sites. We are staffed 24/7 and, as a result, we were able to quickly dispatch our engineering teams who identified and fully corrected the problem by early afternoon.

We know you look to Comcast to deliver high-quality service, and it is our commitment to do so. We have implemented additional preventive measures to help safeguard against a situation like this reoccurring.

Once again, please accept my sincere apology. Thank you for being a Comcast customer. We truly do value your business and appreciate your understanding.

This email was entirely unprovoked (at least by me) and I was genuinely happy to receive it.  It meant that, somewhere out there in the wide world of ridiculous customer service I had come to loathe, there was a person who had the right idea — Let the customer know when something has been messed up, don’t wait for them to call you.  Now, they didn’t offer me money back for this outage, but hey, one step at a time.  After this, I sent out a quick tweet and soon after received a response from Frank Eliason, someone who works at Comcast and actually cares about what the customer wants.

That’s right, a real live person responded to my post.  They may have had their issues in the past, but could this be a cable company making a turnaround on the customer service front?  I sure hope so — It’ll be the only way they’ll be able to keep my business when FiOS comes around.

Apr 10

When all of your users have decided to keep their passwords written down on sticky notes, on their hands and under their keyboards, how do you protect them from themselves?  You could go ahead and rip off each of their fingernails (ouch) until they promise never to write it down again, or you could take a much nicer, more humane route — teach them a way to write it down without writing it down.

Somewhere along the way I learned a simple trick for keeping your password handy without giving it out to the rest of the world.  It starts like this…  Choose a keyword, write it down anywhere you’d like, choose a modification system and stick with it.

So, say the keyword I wanted to use was target.  It’s simple: I could write it on my hand, on my car window or even shout it from the rooftops, and besides people thinking I was crazy for the red-bullseye store, no one would be the wiser.  Next, I choose a pattern or modification system to use.  I’m going to add the number of characters in the domain to the middle of my word and then write the first three letters of the site’s domain (with the first letter capitalized) at the end of my keyword.  It may sound a bit tricky at first, but after using it a couple of times it becomes easy.  When I set up my new Twitter login, I choose my username and then create my new password.  Starting with my keyword, target, I put the number 7 in between the r and the g.  So now I have tar7get, and then I add the first three letters of Twitter.com to the end, forming the new password: tar7getTwi.

Now I have a password with a number and a capital letter, and I almost never use the same one twice.  It means that my accounts can be secure, I don’t lose sleep over the 20 million passwords I have AND it’s easy to “remember” or figure out the next time I go to that site.