<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Silicon Shecky &#187; Security</title>
	<atom:link href="http://siliconshecky.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://siliconshecky.com</link>
	<description>IT News, Reviews and Thoughts</description>
	<lastBuildDate>Tue, 24 Jan 2012 14:49:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>SOPA/PIPA: What Happens Now?</title>
		<link>http://siliconshecky.com/sopapipa-what-happens-now/</link>
		<comments>http://siliconshecky.com/sopapipa-what-happens-now/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 15:08:56 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Karl W. Palachuk]]></category>
		<category><![CDATA[MPAA]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[RIAA]]></category>
		<category><![CDATA[SOPA]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1583</guid>
		<description><![CDATA[This week there was protesting going on about SOPA and PIPA. The real question is, what happens now? Congressmen are removing their support. The people who introduced the bills are removing the DNS blocking provisions. What more needs to happen is the question that they will ask. First, let&#8217;s start with this, a politician&#8217;s promise [...]]]></description>
			<content:encoded><![CDATA[<p>This week there was protesting going on about SOPA and PIPA. The real question is, what happens now?</p>
<p>Congressmen are removing their support. The people who introduced the bills are removing the DNS blocking provisions. What more needs to happen is the question that they will ask.</p>
<p>First, let&#8217;s start with this, a politician&#8217;s promise is like a prostitute&#8217;s kiss. It is slimy and is not something you can believe. The fact that none of the congressmen who have backpedaled have given any clue as to what they now find objectionable outside of their constituents not liking the bill, is a worrisome sign. One that shows that they don&#8217;t really want to back off, and they are putting on a face until the fervor dies down. This is why we need to press the advantage right now to get these bills changed.</p>
<p>Karl W. Palachuk rightly claims in a Facebook post that 99% of the people who signed the petitions don&#8217;t know much about the bill. He though, like a lot of the people for the bills, tries to make it about infringing versus not infringing. That is not the real problem. People like him who say that not supporting SOPA/PIPA is akin to being a pirate yourself are shortsighted and wrong. The real issues are Cybersecurity, letting the foxes (RIAA/MPAA) guard the hen house, and no oversight. The Censorship angle is being used as a way to disguise these other issues that have been brought up.</p>
<p>For instance, there is a provision in SOPA that &#8220;bars the distribution of tools and services designed to get around such blacklists.&#8221; This is dangerous because it could create problems for tools such as Tor, which is used by people in places such as China and Iran to get around their firewalls, for VPNs, which could be used by people who work for multinational companies to get around the blacklists, and for encryption, which would prevent people from seeing what you are requesting on the net. Heck, to bypass some of the blocking/filtering, you could just modify your hosts file. Does that make every operating system illegal under SOPA?</p>
<p>Also think about this. The punishments in SOPA do not fit the crimes. Being overbearing on the fines front, making these crimes a felony and setting jail times longer than those for people who beat up their wives or kids is just not right.</p>
<p>Now to further the argument, there is the Megaupload takedown which happened yesterday. This 2-year investigation with international cooperation sets a standard for taking down sites that are helping pirate stuff knowingly. Yes, they have servers on American soil, but they are a multinational company, and Kim Dotcom was arrested in New Zealand. That right there shows that the DMCA combined with current law can take down pirates.</p>
<p>Yes, piracy is a problem. Then again it&#8217;s always been a problem. Should we shut down libraries because people might not (and do not) return books, thereby getting them for free? Heck, they read them for free through the library. You can get movies, music, all of it for free from a library. Why not shut them down? The point being that no matter what, there will be piracy. I have yet to see confirmable numbers on what it actually is doing to the entertainment industry, but with the amounts of money the execs get paid in bonuses, it really can&#8217;t be hurting them too much.</p>
<p>You can go to sites like ArsTechnica.com and find a wealth of information about SOPA and PIPA, what they could do with the laws, extreme examples such as I have posted, and more. There is a wealth of good information out there, and people do need to actually take time to make educated decisions about these sorts of laws.</p>
<p>Finally, think about this. How often do the worst case scenarios come true? Look to the past, see what controversial laws have been enacted without oversight, and how they have been abused over the years. See what groups like the RIAA and MPAA have done in playing the role of Chicken Little (Cassette Tapes, VCRs, etc.) over the years, and how they have been proven wrong. We have to decide at some point our own future and not let it get silently dictated to us by a bunch of corporate goons.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/sopapipa-what-happens-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We Hear But Do Not Listen</title>
		<link>http://siliconshecky.com/we-hear-but-do-not-listen/</link>
		<comments>http://siliconshecky.com/we-hear-but-do-not-listen/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 14:19:58 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Congress]]></category>
		<category><![CDATA[DNS-Sec]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[MPAA]]></category>
		<category><![CDATA[PIPA]]></category>
		<category><![CDATA[RIAA]]></category>
		<category><![CDATA[SOPA]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1577</guid>
		<description><![CDATA[People don&#8217;t listen. I recently did a little test on my personal Facebook account. I posted a quote from a Republican candidate, said how the quote sounded like Pre-WWII Nazi propaganda and waited. I was not disappointed as people pointed to only part of the statement. It was an interesting experiment that confirmed what I [...]]]></description>
			<content:encoded><![CDATA[<p>People don&#8217;t listen. I recently did a little test on my personal Facebook account. I posted a quote from a Republican candidate, said how the quote sounded like Pre-WWII Nazi propaganda and waited. I was not disappointed as people pointed to only part of the statement.</p>
<p>It was an interesting experiment that confirmed what I feared. Most people see and hear only what they want to, and are blind to the rest. So what does this have to do with the world of IT? Plenty. Think about when you deal with a customer/client/user. Do you only hear part of what they are saying, or do you hear the whole thing? Is the client only hearing certain things you are saying? Where is the disconnect and how can one get past it?</p>
<p>Now this disconnect is shown in all its glory with SOPA and PIPA. Congress is listening to the entertainment industry. They refuse to hear what the tech industry has to say. It is a sham that could make us less secure. The techniques of domain blocking they are talking about are not only used by oppressive regimes to control what their citizens can see on the Internet, but are also used by the very same people that they are trying to stop.</p>
<p>Think about this, you get an e-mail from what looks like a legitimate source, and get sent to a good forgery of the website. The link showed the right address, until you really dig into it. Next thing you know, you have become a victim of identity theft. This is the sort of misdirection that SOPA and PIPA use. Redirecting and falsifying the DNS records. This is what DNS-Sec, which has been years in the making, is supposed to curb or stop.</p>
<p>The RIAA and MPAA, who are so knowledgeable and innovative in the tech world that they are still trying to avoid it, swear that these laws won&#8217;t harm security and won&#8217;t damage DNS-Sec. Yet the experts who have been DENIED a chance to talk to the committees about the technical issues, are saying the exact opposite. Congress still won&#8217;t listen.</p>
<p>Don&#8217;t get me wrong, as much as I don&#8217;t like the RIAA and MPAA for overextending copyrights so that they don&#8217;t have to innovate, they have a right to want help in controlling piracy of their work. To me it&#8217;s not for the Artists who make millions of dollars, but for the lowly engineers, the secretaries, the people who make normal wages and want to keep their jobs. Yes, piracy is not as big as it once was, and as more and easier legitimate means come to get entertainment, it goes down. Also, you will never be able to completely stop it. The pirates always find a way around things.</p>
<p>In a world where Identity Theft is a larger problem than Piracy, where DNS-Sec and other security measures are impacted or killed by bills such as SOPA and PIPA, what is the right solution? SOPA and PIPA definitely are not. Feel free to e-mail this to your congressmen and senators, for them hearing from us, the people who employ them, is the only way to truly stop it.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/we-hear-but-do-not-listen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security &#8211; The never ending battle</title>
		<link>http://siliconshecky.com/security-the-never-ending-battle/</link>
		<comments>http://siliconshecky.com/security-the-never-ending-battle/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 03:55:28 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Black Hats]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[White Hats]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1540</guid>
		<description><![CDATA[We all talk about it. We all know that it is important. We also get frustrated about the lack of it. Security, one of the most important things needed with technology, really is a never ending battle. The world is a much different place now than in the past. We are all interconnected. Computers, iPhones, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>We all talk about it. We all know that it is important. We also get frustrated about the lack of it. Security, one of the most important things needed with technology, really is a never ending battle.</strong></p>
<p>The world is a much different place now than in the past. We are all interconnected. Computers, iPhones, Social Media, and much more have taken the world to a place where we live in two worlds simultaneously. We integrate our lives, our status, and our personal information into the digital world. Meanwhile, there are those that look to get a hold of it. Others to shut down the flow, to slow down the information available, or to just plain steal what they can. So what do we do? How do we stay secure?</p>
<p>Any technology company that produces anything, be it software or hardware, does not want their product to be a backdoor for those with malicious intent. Yet, the more simple a device or a piece of software is to use, the more likely there are security holes in it. We all know that, and we all cringe for those who do not patch, or are unwilling to spend the funds to help secure the technology. So if this is all so important, why does it seem that the infosec professionals can&#8217;t get through to people about it? The answer is simple, and that is a disconnect.</p>
<p>We as people working the technological side of things are one of the biggest problems. We talk about DDoS, Phishing, Social Engineering, Hacking and still we have to fight the battle on two fronts. One against the malicious people out there, one against the people we are protecting. You look through the lives of people like Kevin Mitnick and Kevin Poulsen and the books they have written, and wonder how can we stop people from stealing lives, stealing credit cards, using the technology in our hands to do harm to others.</p>
<p>There is the whole patch and write better software approach. You can get the best firewalls, log trackers, and policies if you are lucky to help mitigate it. Make the footprint smaller. So why is it such a struggle for so many businesses and individuals who are not in our line of work to understand that? It&#8217;s the disconnect.</p>
<p>The disconnect can be likened to a layman reading a law brief or even a EULA. The wording is not in terms or ideas that people normally comprehend. The world of IT is a fantastic world, and communicating with each other on a technical level is fantastic, but that is because we speak the same language. It&#8217;s just like lawyers can understand all the legalese that they write. It&#8217;s meant for them, and yet they have to break it down for their clients to an understandable state, at least the ones who care about their clients do.</p>
<p>In the corporate world, larger size businesses seem to have a better understanding. They worry about their products, their secrets and know those have to be protected. The small and medium businesses, not so much. I will recommend hardware, software and policies to help them, and they come back with the same old line, &#8220;We are small, no one would want to break into our systems. Most people don&#8217;t even know about us.&#8221; That is a disconnect. A disconnect from reality, and a disconnect from what we are trying to tell them. Overall there are a lot more small and medium sized businesses (and way more individuals) with this thought process than there should be.</p>
<p>Now I&#8217;m not a genius, but I can understand that trying to tell one of these clients that it doesn&#8217;t matter what size, doesn&#8217;t quite fly with them. They need proof. Once one of them is hacked that one all of a sudden will take security more seriously. Not always to the extent that we would like, but it is a start. So how can we get the others to understand? How can we get them to realize security is not an end, but a process?</p>
<p>That is the real job we have to do. Not try to ram technospeak down their throats but find a way to communicate with them in layman&#8217;s terms, in a way that they understand. We all know that no matter what nothing technology wise is going to be completely secure. We need them to understand that no matter what nothing is 100% secure, but we can lessen the chances. So here are some terms we use, and think about how you would explain it to a non-tech person. I&#8217;d love to hear your responses.</p>
<p>Smaller Attack Vector</p>
<p>Social Engineering</p>
<p>Zombie Machines</p>
<p>Packet Filtering</p>
<p>Just taking some small terms like that, I am sure you can think of other terms that need to have some sort of layman term assigned to them. The more we think like an average person when talking about what is needed to make their technology more secure, the better chance we have of getting it more secure, and the more time we can spend on actually proactively fighting those that wish to be malicious.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/security-the-never-ending-battle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Sky is Falling</title>
		<link>http://siliconshecky.com/the-sky-is-falling/</link>
		<comments>http://siliconshecky.com/the-sky-is-falling/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 15:29:28 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[InfoSec]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[YRO]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1510</guid>
		<description><![CDATA[Years ago I used to think McAfee was a good Anti-Virus program. Then they got bloated. Now McAfee is becoming Chicken Little. You can see the reports regularly. New exploit in this, new trojan here, new zero-day exploit, and on. The world of securing your information and your identity, either individual or corporate, is a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Years ago I used to think McAfee was a good Anti-Virus program. Then they got bloated. Now McAfee is becoming Chicken Little.</strong></p>
<p>You can see the reports regularly. New exploit in this, new trojan here, new zero-day exploit, and on. The world of securing your information and your identity, either individual or corporate, is a complex and never ending battle. Nothing is going to be 100% secure. You know it, I know it and the bad guys know it. It&#8217;s a matter of mitigation. The smaller area of attack we give the bad guys, the more chance that they will pass us up for an easier target.</p>
<p>It becomes more complex every year. New devices come out, connectivity becomes better, people become more greedy. In fact the more complex things get, the easier it is to break into them with simplicity. You may ask how is that the case. Simply put you just showed how. We tend to gloss over the simple items for the more complex ones, including bugs and holes. That is a discussion to have another time though.</p>
<p>Right now, in the security field, McAfee has been making a lot of headlines lately. From a RAT Report that other companies are calling &#8220;<a href="http://www.homelandsecuritynewswire.com/cyber-experts-dispute-mcafees-shady-rat-report" target="_blank">shady</a>&#8221; to the latest report from them about <a href="http://news.cnet.com/8301-1035_3-20102565-94/hackers-may-target-cars-next-mcafee-says/" target="_blank">cars becoming the next hacking target</a>, McAfee keeps getting their name out there. The problem with these reports is that they are either obvious or disputed. That makes McAfee look more like an attention hound than anything else.</p>
<p>This grab for attention comes on the heels of a decade of McAfee putting out worse and worse products. Suites that are so bloated that your machine drags to a crawl during start up. Anti-Malware products that let too much Malware through. Software that is difficult to remove from a system should you prefer to go with one of their competitors. How the mighty have fallen.</p>
<p>Most companies in the consumer security field, especially those that make Anti-Malware software, can run into these same pitfalls as they become more popular. Norton has, and although they are slowly turning things around, they still have a long way to go. Kaspersky is doing its best not to fall down that path, but it does seem to be getting more resource intensive. AVG, well they put out a decent product but we are about due for another bad patch that messes machines up. None of them are perfect, but some are better than others, and McAfee has been considered part of the bottom of the heap for a while now.</p>
<p>So McAfee throws up a smokescreen. Instead of improving their product, they try to show that they know more. Sorry but knowledge of what is happening, and the ability to translate that into a decent working product do not have to be equal. In fact, McAfee has shown me that you can have the knowledge without the product. Then again, McAfee lately has been more like Chicken Little. Just remember, the sky isn&#8217;t falling, things are just progressing. We as the ones in the field need to keep our wits about us and it will all be fine.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/the-sky-is-falling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google, What have you done?</title>
		<link>http://siliconshecky.com/google-what-have-you-done/</link>
		<comments>http://siliconshecky.com/google-what-have-you-done/#comments</comments>
		<pubDate>Mon, 15 Aug 2011 17:20:55 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Algorithms]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1482</guid>
		<description><![CDATA[Google uses the moniker, &#8220;Don&#8217;t Be Evil,&#8221; but is that the truth behind the company? A look at Google Plus might change your mind. Google+ is an interesting creature. One that is gaining popularity rather quickly. It is also one that might not last due to Google&#8217;s own policies. The buzz around Google wanting people [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Google uses the moniker, &#8220;Don&#8217;t Be Evil,&#8221; but is that the truth behind the company? A look at Google Plus might change your mind.</strong></p>
<p>Google+ is an interesting creature. One that is gaining popularity rather quickly. It is also one that might not last due to Google&#8217;s own policies.</p>
<p>The buzz around Google wanting people to only use real names in Google+ is gaining more and more steam. People are not happy with this idea. Everyone thought that Google+ would be better than Facebook. It definitely has the potential to compete with Facebook. The naming issue is turning into a stumbling block.</p>
<p>I will not go into depth on the whole idea of hiding from stalkers using a pseudonym in a social media setting. Instead I look at it from a natural way to know people. I have a great deal of online friends. I know them by their names from games, from forums, from other places that you don&#8217;t use your normal name. So when I see that Joe Shmo instead of DJ Cool J has added me to their circles, I have to sit back and wonder who the heck is following me? For that matter, Google+ is only as usable as the people you have in your circles, and if I cannot find them easily, which means nicknames, pseudonyms, etc, then I am not going to use the site.</p>
<p>Google though, sees the whole Social Media world as data. Just like search, just like AdWords, it is all data that can be used with algorithms to extract bits of information. That information can then be used to send targeted advertising to you. This increases the chance that Google and the company who is advertising can make some money off you. It&#8217;s all about making a buck.</p>
<p>So should it surprise anyone that Google wants to mine what you say in Google+? What you link to? Who you are? The amount of data that Google can dig up on each one of us through public means can really give a good profile of us. That can be used for Advertising, or worse, should Google decide to use it for &#8220;Homeland Security&#8221; purposes.</p>
<p>The book In The Plex by Steven Levy takes a good look at Google. Brin and Page (Google&#8217;s Founders) are all about the data and search. Data especially, because they want to have everything in the world indexed in one spot. Just imagine if that data fell into the wrong hands.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/google-what-have-you-done/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lulzsec, a bunch of jerks</title>
		<link>http://siliconshecky.com/lulzsec-a-bunch-of-jerks/</link>
		<comments>http://siliconshecky.com/lulzsec-a-bunch-of-jerks/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 15:27:38 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Internet Radio]]></category>
		<category><![CDATA[Lulzsec]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1477</guid>
		<description><![CDATA[Lulzsec, a group that some people applauded. They were showing security holes. Well, truth is they are a bunch of bullies and jerks. &#160; I love music. More so, I enjoy some Internet Radio Stations. I find a lot of the smaller ones tend to play all sorts of stuff I have not heard before, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Lulzsec, a group that some people applauded. They were showing security holes. Well, truth is they are a bunch of bullies and jerks.</strong></p>
<p>I love music. More so, I enjoy some Internet Radio Stations. I find a lot of the smaller ones tend to play all sorts of stuff I have not heard before, and broaden my musical tastes. These independent stations will go through the FCC to make sure they are compliant with the outrageous Licensing fees that the music industry puts on them. The FCC is even willing to help pay for that licensing, in return for a few small things such as playing 5 minutes of real news every so often. It&#8217;s something the government does right.</p>
<p>So when a few of the stations I listen to all of a sudden had problems with their web sites, and a few had problems with their streams, I figured I would talk to the tech people and see if I could help. Each one of them gave me a similar story of what was going on. Lulzsec was trying to blackmail them. Yep, these independent stations, all of whom get some help from the government, were facing DDOS attacks from Lulzsec. That was not the only thing. They are getting automated phone calls from Lulzsec demanding the admin password for their radio streams so Lulzsec can break in whenever they want to and take over the station.</p>
<p>I won&#8217;t mention the names of the stations, since they have called in the FBI on this. I just look at this and go, what a bunch of script kiddie jerks. I mean if Lulzsec were the &#8220;Elite&#8221; hackers they claim to be, couldn&#8217;t they have just hacked the servers that host the radio stream and taken it over that way? Heck, most Internet Radio Stations use either IceCast or Shoutcast stream servers. Those servers tend to be Linux based, and usually have Apache on them. How do I know this? Well, I help some volunteer radio stations with tech at times, so I have learned the setup. Heck for that matter, I set up a Shoutcast server at my house so I could do some testing, and stream music to my different devices around the house. It isn&#8217;t that difficult. If Lulzsec wants to broadcast over the Internet, and they are such high end people, then why not just make their own server for streaming, like they do for their IRC?</p>
<p>Think about it. If a group is so boisterous, it wants the press. It wants to be heard. The most elite in the hacking world though, you will never hear a peep from. They lurk in the shadows. They keep their egos in check. They create things for those kiddies that want the attention. Those are the tough ones to find. Until then, we have to keep dealing with jerks like Lulzsec.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/lulzsec-a-bunch-of-jerks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Video Chat</title>
		<link>http://siliconshecky.com/facbook-video-chat/</link>
		<comments>http://siliconshecky.com/facbook-video-chat/#comments</comments>
		<pubDate>Tue, 12 Jul 2011 13:29:04 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Skype]]></category>
		<category><![CDATA[YRO]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1449</guid>
		<description><![CDATA[Last week Facebook announced a new video chat powered by Skype. The question is, what does this mean for privacy? Facebook&#8217;s announcement last week of now having the ability to have video chats with friends was a big announcement. It meant that Facebook was doing something other chat systems have had for years. The partnership [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Last week Facebook announced a new video chat powered by Skype. The question is, what does this mean for privacy?</strong></p>
<p>Facebook&#8217;s announcement last week of now having the ability to have video chats with friends was a big announcement. It meant that Facebook was doing something other chat systems have had for years. The partnership with Microsoft/Skype (that deal is still pending approval), is logical. The problems that Facebook can face though, have me wary of it.</p>
<p>First off, Facebook doesn&#8217;t enforce its own TOS, which has an age limit. We already have heard about cyber bullying cases. The video chat can take this to a new level. What about people pretending to be your children&#8217;s age, but really being pedophiles? This now takes on a different issue. There are 2 other things though that bother me about this.</p>
<p>First, encryption of calls. I haven&#8217;t had a full chance to play with the system, but nowhere have I seen any mention that the calls will be encrypted. Skype itself uses encryption on the client end, but Skype also is a P2P system, so the encryption happens at a person&#8217;s machine. Facebook looks to be a server solution, so are these calls being encrypted, or can someone easily look in on them? I know some people are looking into this aspect.</p>
<p>The other troublesome part to me is a patent that Microsoft has from 2009 to <a href="http://www.neowin.net/news/microsoft-patent-could-use-skype-to-eavesdrop" target="_blank">silently record calls over a network</a>. With the pending acquisition of Skype, it can be very easy for Microsoft to toss this technology in Skype, and the Facebook chat. Think of it, your calls, your video, your &#8220;private&#8221; conversations, recorded without your consent, without your knowledge, and possibly without a warrant. This is not to say that they will, but the opportunity is there. Not only that, but think of Facebook&#8217;s stance on privacy. They have already said that they don&#8217;t care about it. People will get used to not having privacy. Imagine the information they can get from your phone calls.</p>
<p>I am not saying that these scenarios will happen, but they are possibilities. Some more likely than others, but they all must be taken into consideration.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/facbook-video-chat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TDL-4: Is it the Godfather of Botnets?</title>
		<link>http://siliconshecky.com/tdl-4-is-it-the-godfather/</link>
		<comments>http://siliconshecky.com/tdl-4-is-it-the-godfather/#comments</comments>
		<pubDate>Tue, 05 Jul 2011 14:05:05 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Affiliate Marketing]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[TDL4]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1435</guid>
		<description><![CDATA[&#8220;I&#8217;ll make them an offer they can&#8217;t refuse.&#8221; Remember that line? Well, it seems that the TDL-4 botnet is using the same line, and very effectively. TDL-4 has over 4.5 million zombies according to recent reports. It removes malware it doesn&#8217;t like. It hides in the MBR of a machine, making it difficult to remove. [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;I&#8217;ll make them an offer they can&#8217;t refuse.&#8221; Remember that line? Well, it seems that the TDL-4 botnet is using the same line, and very effectively.</p>
<p>TDL-4 has over 4.5 million zombies according to recent reports. It removes malware it doesn&#8217;t like. It hides in the MBR of a machine, making it difficult to remove. All of these statements have been going around, and you can read more about the inner workings of TDL-4 all over the web. Kaspersky <a href="http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot" target="_blank">has a really good look at it.</a> All that said, why am I looking at this phenom of a botnet? The botnet they claim is nigh indestructible.</p>
<p>To tell the truth, I&#8217;m looking at this from another angle. You see the ads on the sidebar of my page (unless you have an ad blocker). Yes, I put ads up on my site, in hopes of someone clicking on that ad, and then purchasing from the site. It&#8217;s called affiliate marketing. I get a kickback if anyone does. I personally would love for those ads to pay for this blog, but so far, I haven&#8217;t made a cent. That is fine, this blog isn&#8217;t going away, and that is not the point of my rambling. The point is Affiliate Marketing.</p>
<p>Affiliate Marketing is used by some people to great success. There are people who make millions of dollars per year through Affiliate Marketing. There are states which are writing laws to stop online companies from not paying taxes, claiming that Affiliate Marketing means the company has a physical presence in their state. It&#8217;s a big deal.</p>
<p>This brings us back to TDL-4. TDL-4 not only is a nasty, nasty bug, but it gets spread through its own form of Affiliate Marketing in the underworld. In fact, people can get anywhere from $20 to $200 per 1000 infections according to the Kaspersky article. These Affiliates can get credit for infections through multiple methods: man-in-the-middle hijacking, fake ads, phishing scams, you get the picture.</p>
<p>So the botnet expands, the criminals all get a chunk of the cash, and we, the normal users, get stuck with PCs that wind up slow, or mail servers that wind up blacklisted. It becomes a headache for IT. We can patch, run anti-viruses, have firewalls, and follow best practices to our hearts&#8217; content, and we still are going to be vulnerable. We need some way of getting ahead of the curve on the whole issue. Unfortunately, that would rely on companies being forthcoming about their shortcomings, and letting people see code. That isn&#8217;t going to happen for a long time. So instead, TDL-4 will keep making deals the criminals can&#8217;t refuse.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/tdl-4-is-it-the-godfather/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firefox 5 is out, this is not good.</title>
		<link>http://siliconshecky.com/firefox-5-is-out-this-is-not-good/</link>
		<comments>http://siliconshecky.com/firefox-5-is-out-this-is-not-good/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 14:15:27 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Internet/Music]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Firefox Add-Ons]]></category>
		<category><![CDATA[Mozzila]]></category>
		<category><![CDATA[Patching]]></category>
		<category><![CDATA[Upgrades]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1420</guid>
		<description><![CDATA[Mozilla decided to be aggressive with Firefox releases. Not a problem, just keep the old version till add-ons are all compatible. Doesn&#8217;t work that way if you want to be secure. Mozilla announced that Firefox 5 is the security update for Firefox 4. There will be no other updates unless there is a major, and [...]]]></description>
			<content:encoded><![CDATA[<p>Mozilla decided to be aggressive with Firefox releases. Not a problem, just keep the old version till add-ons are all compatible. Doesn&#8217;t work that way if you want to be secure.</p>
<p>Mozilla announced that Firefox 5 is the security update for Firefox 4. There will be no other updates unless there is a major, and they mean <strong><em>major</em></strong>, security hole. Fine, I have no issues with doing that, keeping people on the latest version, making sure people know that is the way it is. Except for one thing. Only about 80% of the add-ons out there are going to work on Firefox 5.</p>
<p>The issues I have are now pretty simple, but extremely important. They are also why I think Firefox is trying to push itself to extinction. First, Firefox 5 came out <em>today</em>, the same day as the announcement about Firefox 4 security updates. Second, one of the add-ons that don&#8217;t work in Firefox 5 is for LogMeInRescue, which I use on a very regular basis. I am now forced to use a different browser for supporting clients, because Mozilla decided that to be secure I had to update and break what I need. Not very smart on Mozilla&#8217;s part.</p>
<p>This also leads to another issue. People will stop upgrading, just so their add-ons will work. Of course, if they don&#8217;t upgrade, they are open to more security problems. Firefox becomes a security threat due to its aggressive upgrade policy. Someone better explain this to the keepers of Firefox.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/firefox-5-is-out-this-is-not-good/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple, how secure are you?</title>
		<link>http://siliconshecky.com/apple-how-secure-are-you/</link>
		<comments>http://siliconshecky.com/apple-how-secure-are-you/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 13:34:05 +0000</pubDate>
		<dc:creator>Michael Kavka</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[Macintosh]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[OSx]]></category>
		<category><![CDATA[Patches]]></category>

		<guid isPermaLink="false">http://siliconshecky.com/?p=1416</guid>
		<description><![CDATA[We all know that Mac fanatics claim how secure Mac OSX is. Is it really that secure though? The last couple of months have not been kind to OSX. The Mac operating system has seen its first round of widespread malware. Apple has been busy playing whack-a-mole trying to stop it. The Mac fanbois have [...]]]></description>
			<content:encoded><![CDATA[<p>We all know that Mac fanatics claim how secure Mac OSX is. Is it really that secure though?</p>
<p>The last couple of months have not been kind to OSX. The Mac operating system has seen its first round of widespread malware. Apple has been busy playing whack-a-mole trying to stop it. The Mac fanbois have been denying it. Apple is still more secure, they claim. If this is true, then how did Apple top the <a href="http://www.hackernews.com/" target="_blank">Stack of Shame</a> this week?</p>
<p>The reality of the situation is that Apple is entering uncharted territory for OSX. Not only does it have a large enough percentage of the market to make it a more viable target for the underground Internet, but it doesn&#8217;t have a true plan for dealing with such issues. This was shown by Apple&#8217;s response to the MacDefender malware: the denials, the bad press, and finally a solution that keeps getting circumvented. Yes, overall the number of people infected might be small beans, but it is a larger outbreak than ever before, plus it shows that it can be done.</p>
<p>The next question comes in with these 26 vulnerabilities: how quickly will they be patched? That is the key to preventing exploitation of said holes. Is Apple ready to do monthly patches, weekly patches, out of band patches? How will they respond to all of this?</p>
<p>No operating system is 100% secure. There is too much code, too many different vectors to attack from, and there is always the end user, who is the biggest threat to security. Apple&#8217;s response to the OSX security issues should enlighten us about the iOS plans for security issues. No, there aren&#8217;t many now, but there will be.</p>
]]></content:encoded>
			<wfw:commentRss>http://siliconshecky.com/apple-how-secure-are-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

