It would be funny if it weren’t so damn plausible.

Diebold Accidentally Leaks Results Of 2008 Election Early

I got my IPhone the day after the last post I made.  I must admit it was worth the wait and by the far the coolest device ever created by humans.

Now all I need is SSH and RDesktop clients for.  They have VNC and mainframe/midrange term-emulation, so it can’t be far off.

My wife and I waited in line early morning the day of the IPhone 3G launch.  By the time we got in the AT&T store they had sold out of all 16gig models so they put them on order for “direct fulfillment”.

She got the white model and received hers two days ago.  I got the black one and still have not received mine.

My buddy, Billy, went into the same store after work the day of the launch and signed up for the direct fulfillment of the same model I ordered.  He just received confirmation that his is at the ATT store ready to be picked up.

So why did I wait in line?!

Missy and I hopped in the line at our local AT&T store this morning at 7am to try and get ourselves two iPhone 3Gs (16gig).  At this point the line already wrapped around the side of the building.  We finally got into the store at about 11am to find that they had sold out of the 16G version.

They set us up with “direct shippment” of the phones so they should arrive within 5-10 days.
I can’t wait!

I installed Windows XP service pack 3 yesterday and found today that wireshark would not detect any of my network interfaces.

Reinstalling winpcap fixed it.

FYI

If you have been living in a cave for the past few months you may not be aware of Comcasts recent practice of “shaping” bit-torrent traffic.

Specifically they insert RST packets into, what they believe to be, bit-torrent sessions and forge them to look like they came from the host at the other end of the session. For those of you not familiar with hot TCP/IP works, a RST packet is normally sent to tear down an established session. If this is erroneously sent in the course of a communication (as is the case with Comcast) your computer will get confused, drop and have to re-establish a connection.

The primary issues with this are…

1. In order to associate the RST packet with your bit-torrent session they have to forge it to make it appear as if its from the other host you are communicating with. This violates a number of U.S. computer crime laws.
2. They do a pretty crappy job in determining what bit-torrent traffic is. A number of reports have surfaced indicating the Lotus Notes and a number of other protocols are being improperly “shaped” as a result of this.
3. A large number of legitimate software packages are distributed ONLY via bit-torrent. This is often the case with open source and free software as the developers are usually unable to afford the bandwidth required to distribute their works.
4. I have yet to receive an sort of “Terms of Use” update informing me that this traffic is being mangled.

Another things that irks me regarding Comcast’s media handling of this is a position often stated by their PR and Executives.

Cohen also reiterated Comcast’s position that it doesn’t block traffic. “Comcast does not, has not, and will not block any websites or online applications, including peer-to-peer services,” he said, pledging to work with the FCC to “bring more transparency for consumers regarding broadband network management.”

They don’t seem to understand that inserting a RST packet is “blocking” traffic. A number of hardware Intrusion Protection Systems use that method to block intrusion attempts when they are not configured “inline” and have the ability to kill a session normally.

The folks at consumerist (excellent site, btw) just posted a copy of the disclosure letter geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may be compromised.

A few items that concerned me about the disclosure are…

Genica Corporation dba Geeks.com
1890 Ord Way Oceanside, CA 92056
January 4, 2008

[snip]

The purpose of this letter is to notify you that Genica dba Geeks.com (”Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.

Two things immediately jump out at me in this first chunk of text. The first is date of letter compared to the stated date of discovery.

Being a PCI-DSS guy I know that most merchant gateway providers require disclosure within 1 day of “a suspected compromise”. Granted, that is disclosure to the merchant gateway and not customers. However, computer geeks operates out of California which is on the forefront of disclosure laws. In fact the California Security Breach Information Act (SB-1386) states…

Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery

The other troubling part was “and card verification number”. This is the CVV2 that is NEVER to be stored per PCI directive 3.2.2.

3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions

I am troubled by the fact that vendors still remain clueless on best practices and regulations that govern their actions. I am even more disturbed with the fact that (despite these regulations) implementing proper safeguards and demonstrating caution is in their customers best interests, but yet is still not done.

I recently posted a comment on FOSSwire.com in response to other comments condeming the author for suggesting moving ssh to a port besides 22 was “security through obscurity” and a worthless security measure.

I have argued this topic many times with many different people and felt that comment bears repeating for my downgrade.org audience.

– snip –

Gah! I have heard that argument over and over again about changing ssh to a non-standard port.

“security through obscurity is no security at all” Says the broken record.

I believe heavily in security metrics because numbers are awfully hard to argue with.

In a university environment a machine with ssh on port 22 in my DMZ would receive an average of ~100 invalid login attempts per day (averaged over the course of 2 months).

This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not a average of zero… just zero.

This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.

In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.

One would have to statically define the port range as most port scanners quit far before 51234.

At that rate scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.

At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.

Seriously. Its not a fool proof security measure and I certainly wouldn’t use it as the only means of protecting SSH, but its an effective layer. And those same people that are so quick to spew out the “Security through obscurity” cliche are also the same that are quick to pull out the “Layered Security” ones.

– snip –

Best of 2007

• Gizmodo’s Most Popular Hits of 2007
• LifeHacker.com - The Best of 2007 Roundup
• Break.com - Top 10 Internet Videos of 2007
• arstechnica.com - 2007: The year in review
• Search Security - Top 10 Security Headlines of 2007

Tech

• IANA and ICAN rolling out IPV6 on Root Name Servers

Security

• Business Week - Homeland Insecurity

Privacy

• U.S. is “Endemic Surveillance Society” Says Electronic Privacy Information Center and Privacy International
• Eavesdropping on Bluetooth headsets

Apple

• Appletel - Ultimate Leopard Tweaking Guide

Thats right! On Dec 12th it was released to manufacturers and the 15th it will launched during MacWorld.

Details are available on the MS Mac Biz Unit blog.