I think it’s a cyclical thing: start your career as a corporate slave, break free of the shackles to go out on your own, a few years later go back to the corporate job for a steady paycheck.  Lather, Rinse, Repeat.  It’s a pretty standard formula, base at least in part on the ‘grass is always greener’ syndrome.  Well, this week’s victim of corporate re-assimilation is none other than Security Mike, aka Mike Rothman.  Mike has abandoned his role as industry curmudgeon and taken on the role of SVP of Strategy and Chief Marketing Officer at eIQnetworks.

Mike will continue to blog some, but considering he’s now one of the bad guys (aka ‘vendor’), his blogging will lack some of the objectivity he’d so carefully cultivated over the last couple of years. And since a large part of his work will be in the dreaded and vilified ‘marketing’ arena, you can guarantee that a lot of his writing will be around eIQ and all the wonderful things they can do for your network.  Not that Mike will totally lose touch with reality, but he’ll probably have to don the peculiar rose-tinted glasses that allow marketers to only see the good their company can do.  

Good luck with the new gig, Mike.  I hope you’re able to keep some of your objectivity until the grass on the consulting side of the fence becomes green again.  Like maybe after the economy stabilizes again in a couple of years. 

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I'm thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won't reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, "[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers."

I applaud this announcement, but I'm curious how the ISPs will implement this promise. It seems like there are two architectural puzzles here: how does the user convey consent, and how does the provider distinguish between the packets of consenting and nonconsenting users? For an ISP, neither step is nearly as straightforward as it is for a web provider like Google, which can simply set and check cookies. For the first piece, I suppose a user can click a check box on a web-based form or respond to an e-mail, letting the ISP know he would like to opt in. These solutions seem clumsy, however, and ISPs probably want a system that is as seamless and easy to use as possible, to maximize the number of people opting in.

Once ISPs have a "white list" of users who have opted in, how do they turn this into on-the-fly discretionary packet sniffing? Do they map white-listed users to IP addresses and add these to a filter, or is there a risk that things will get out of sync during dhcp lease renewals? Can they use cookies, perhaps redirecting every http session to an ISP-run web server first using 301 http status codes? (This seems to be the way Phorm implements opt-out, according to Richard Clayton's illuminating analysis.) Do any of these solutions scale for an ISP with hundreds of thousands of users?

And are things any easier if the ISP adopts an opt-out system instead?

Charlie Rose:  
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage.  We just lost sight of risk and leverage of what was appropriate?

Warren Buffett:  
Yeah.  Again, because it pays off for a while.  You know, you can lose leverage, and it's the only way a smart guy can go broke.  If you owe money, you can't pay them out.  You just pay for everything, you do smart things, you eventually get very rich.  If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero.  But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball.  I mean you know at midnight everything is going to turn to pumpkins and mice; right?  But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12.  I'll leave at two minutes to 12.  But the trouble is, there are no clocks on the wall.  And everybody thinks they're going to leave at two minutes to 12.

Charlie Rose:  
And should wise people have known better?

Warren Buffett:  
People should always know better.

Charlie Rose:  
Yeah.

Warren Buffett:  
I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich.  You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it.  And so you get what I call the natural progression, the three Is.  The innovators, the imitators, and the idiots.  And that's what happens.  Everybody just kind of goes along.  And you look kind of silly if you disagree.  I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market.  The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this.  So it's very human.  Now, with housing it's something even more dramatic than that, because most people aspire to own their own home.  And if you really think that houses prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year.  That's not true of an Internet stock.  But it's true of a home.  And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right.  You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.

Warren Buffett:  
Oh, I think confidence will come back.  I will tell you this.  This country is going -- be living better ten years from now than it is now.  It will be living better in 20 years from now than ten years from now.  The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century.  Now, we had the great depression, we had two world wars, we had the flu epidemic.  You know, we had oil shock.  You know, we had all these terrible things happen.  But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something.  So we've got a great system.  And we've got more productive capacity now than we ever have.  The American worker is more productive than he's ever been.  We've got more people to do it.  We've got all the ingredients for a sensational future.  It's just that right now the athlete's on the floor.  But we -- this is a super athlete.

Want to ride the subway for free without having to jump the turnstiles? Well, as of Monday, you'll be able to do that by making a fake transit card.

A scientific paper detailing the security flaws in the Mifare Classic wireless smart card chip used in transit systems around the world is being published by the Radboud University Nijmegen. And a researcher at Humboldt University in Berlin has published a full implementation of the algorithm (PDF).

"Combining these two pieces of information, attacks can now be implemented by anyone," RFID researcher Karsten Nohl told CNET News. "All it takes is a $100 (card) reader and a little software."

Armed with the information in the papers, someone could steal the secret key from a Mifare Classic-based transit card and create a clone of it. As seen in a demonstration, data was collected wirelessly by merely brushing a card reader past someone carrying a card. The data was then used to create a fresh transit card that permitted free access to the London subway.

Subway systems in Amsterdam, Boston, Bangkok and Delhi, among other cities, are also susceptible, as are building access control systems in Europe.

"That's just the tip of the iceberg," said 3ric Johanson, a Seattle-based security consultant. "It's my estimation that approximately 3.5 billion cards have been issued using the Mifare Classic protocol, all subject to financial fraud. There are at least 60 or so major citywide RFID implementations that rely on Mifare Classic."

Nohl, who worked with others to break the Mifare crypto last year and received a Ph.D. in computer security from the University of Virginia, suspects that "hobby hackers who ride the metro everyday and are curious about this technology" will be the first to exploit the vulnerability, "more for fun than profit."

For the less technologically savvy among us, there could soon be mass produced devices that make it easy to forge Mifare Classic cards, Johanson said.

Johanson, an expert in RFID technology, said he has reached out to transit systems to offer help improving their security, but received mixed responses.

There are options for transit authorities who don't want to replace their entire systems. For instance, they can use intrusion detection-type systems that register when a particular card has had a change in value or been cloned, according to Johanson. "I'm highly dubious about a lot of these claims because it's hard to do it right," he said of such measures.

NXP, the company that developed the Mifare Classic chip, could not be reached for comment Monday. The company sued to block publication of the Dutch University paper but a judge ruled in July that the paper could be published.

The Massachusetts Bay Transit Authority (MBTA) took legal action in August to prevent three MIT students from presenting their research on how to "hack" the Boston subway system at the Defcon hacker confab in Las Vegas. A judge later lifted the gag order in that case. Representatives from the MBTA could not be reached for comment.

Security systems like the Mifare Classic that are not peer reviewed are not as trustworthy as systems that can be openly analyzed by researchers looking for flaws, Johanson and Nohl said.

"Developing your own proprietary security mechanisms and not getting public scrutiny on it does not work," Nohl said

See original article and other great stories at:

http://news.cnet.com/8301-1009_3-10059605-83.html

As a security pro, it’s important to periodically stop, take a break, and refuel your brain. Once per month, Core Security Technologies does the same thing and invites industry thought leaders to share their insights through educational webcasts offering security testing tips, tricks and strategies.

We’d like to share some of our favorite on-demand Core Security webcasts with you. The downloads are available on Core Security’s website:

-----------------------------------
About “Hacking for Managers”
-----------------------------------
Eric Cole discusses how techniques traditionally used by attackers can be used to safely and regularly evaluate your organization’s security posture. This webcast is ideal for IT leaders interested in the management implications of penetration testing – as well as for experienced IS professionals who need to promote the value of penetration testing to their colleagues.

Click here to access “Hacking for Managers”: http://www.coresecurity.com/Form/generic/campaign/emailblast


-------------------------------------------------------
About “Penetration Testing Ninjitsu Parts I-III”
--------------------------------------------------------
These in-depth, technical presentations by Ed Skoudis look at the art and science of using penetration testing to gain visibility into your organization’s security posture.

Part I: A brief introduction to the value of penetration testing + an overview of pen testing techniques using the Windows command shell.

Part II: An introduction to techniques for performing the functions of Netcat - such as moving files, scanning ports and creating backdoors - without using Netcat.

Part III: This installment explores what can happen after the initial vulnerability is compromised and a threat becomes truly invasive – and how to proactively assess your systems against such attacks.

Click here to access the “Penetration Testing Ninjitsu” series: http://www.coresecurity.com/Form/generic/campaign/emailblast

Core Security provides comprehensive security testing software solutions based on independent, trusted vulnerability research and leading-edge threat expertise. Unlike many vendor webcasts, these are focused on educating the security community rather than selling a specific product.

You've got me all wrong

UK victims of identity fraud are being urged to use the Data Protection Act as a tool to restore their credit rating.…

SANTA BARBARA, CALIF. -- Wireless technologies like WiMAX and LTE are supposed to bring us the speed of Wi-Fi (or better) with something approaching the range of existing wireless broadband, which could replace the need for Wi-Fi hotspots. Now, Wi-Fi back at the office is under threat, too: from light bulbs!

read more

Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place.

Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.

If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.

Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:

Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.

Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.

The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.

For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terrorist group with a totally different political platform. Many new al-Qaida members say, unconvincingly, that they decided to become a jihadist after reading an extreme, anti-American blog, or after converting to Islam, sometimes just a few weeks before. These people know little about politics or Islam, and they frankly don't even seem to care much about learning more. The blogs they turn to don't have a lot of substance in these areas, even though more informative blogs do exist.

All of this explains the seven habits. It's not that they're ineffective; it's that they have a different goal. They might not be effective politically, but they are effective socially: They all help preserve the group's existence and cohesion.

This kind of analysis isn't just theoretical; it has practical implications for counterterrorism. Not only can we now better understand who is likely to become a terrorist, we can engage in strategies specifically designed to weaken the social bonds within terrorist organizations. Driving a wedge between group members -- commuting prison sentences in exchange for actionable intelligence, planting more double agents within terrorist groups -- will go a long way to weakening the social bonds within those groups.

We also need to pay more attention to the socially marginalized than to the politically downtrodden, like unassimilated communities in Western countries. We need to support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need. And finally, we need to minimize collateral damage in our counterterrorism operations, as well as clamping down on bigotry and hate crimes, which just creates more dislocation and social isolation, and the inevitable calls for revenge.

This essay previously appeared on Wired.com.

How does an emergency call to 9-1-1 or 1-1-2 (or whatever your local emergency number may be) work in a world of voice-over-IP?

It’s not a topic we cover hardly at all here on this blog, yet it’s definitely one of the security and social/cultural aspects of our migration to IP that we definitely have to get right. If we as an industry don’t, people can die. (Or the migration to VoIP will be significantly delayed.)

To that end, a number of emergency services experts are meeting to discuss ongoing work on IP-based emergency services in Vienna, Austria on 21st to 23rd October 2008. The first workshop day is focusing on tutorials to help those interested in the classical 1-1-2 (or 9-1-1) emergency call to get up-to-speed with architectures and standards developed for next generation emergency calling. During the second day various recent activities of standardization organizations around the world will be presented. The third workshop day is dedicated to early warning standardization efforts and the outlook to future emergency services activities.

Participation from those working in standardization organizations as well as persons with interest into the subject is highly appreciated. The event is open to the public and anyone may attend.
For socializing an evening program has been organized. There is a nominal fee of 120 Euros charged to cover the facilities cost, food, drinks, etc. Arrangements are also being made for participants to join remotely.

More information about the workshop can be found behind the following link:

http://www.emergency-services-coordination.info/esw5.html

This page also points to previous workshops that took place in New York, Washington, Brussels and Atlanta.

(Thanks to Hannes Tschofenig for providing the majority of this text.)

Technorati Tags:
emergency, 911, voip, sip, standards, ietf

Zlob Trojan Distributing site:
91.203.92.11 Vmpupdate. com

Once the Trojan is installed it further downloads and installs VirusResponse Lab 2009 rogue security product.

66.232.113.62 Virus-labs2009. com
66.232.113.62 Virus-response. com
66.232.113.62 Virusresplab. com
66.232.113.62 Virusresponse2009. com


Scam Internet Security Page:
91.203.92.11 Homepageroze. com

404ErrorpageScam:
91.203.92.12 Dnserrorz.com

Security Guide Scam Page:
91.203.92.11 Linkondezktop. com

Ad-Server-Gate Pages:
91.203.92.12 Fghin. com
91.203.92.11 Pbkjh. com

Protection Center Scam Page:
91.203.92.12 Asecurevillage. com

Scam Security Toolbar site:
91.203.92.12 Toolbarfornew. com

IE AntiSpywareStore site:
208.72.168.92 Iexplorerfile. com

Please stay clear of all these sites.

Bharath M N

Fraud reporting recommendations ignored

Members of the House of Lords Science and Technology Committee will this Friday call on ministers to do more to battle security threats online.…

They don’t give out a video blog on Kremlin.ru just to anybody. Russian President Dmitry Medvedev started an official video blog, addressing Russians regarding his upcoming trip to an economic forum in France. The video is Flash-encoded, supports embeds, but is also downloadable as Windows Media Video file.

A few more things about Medvedev’s office:

• Dual monitor setup running Windows XP with default theme
• A view of St. Petersburg for a desktop wallpaper
• Looks like MS Internet Explorer is preferred, but there’s no full-screen view to figure out what he’s running in that open window. The site in question is Kremlin.ru

Delta has mid-air reversal on filtering Web content: Delta said it wouldn't filter its in-flight Internet system (not yet launched), but now says it will have a short list of inappropriate sites that no one would disagree were inappropriate. That might work. While filtering is impossible to enforce on a broad scale, choosing a small list of sites the airline feels are off limits, that might balance some basic interests.

Wi-Fi attraction for students: Nearly half of students surveyed would prefer Wi-Fi over beer at school. Three-quarters think Wi-Fi makes helps them get better grades. Take that, Lakehead University!

MetroFi antennas won't fall like autumn leaves: Portland, Ore., must wait until April 2009 to declare MetroFi's Wi-Fi nodes abandoned and take them down. While MetroFi gave the city a deposit, it will cost the Oregon metropolis $36,000 of its own cash to remove them, although the city's wireless go-to guy says they'll try to recover cash from MetroFi. To my knowledge, MetroFi has not filed for bankruptcy, even though the company no longer has working phone lines and hasn't returned comments.

Copyright ©2008 Glenn Fleishman. All rights reserved. Please notify us if you find this content anywhere but at wifinetnews.com or wimaxnetnews.com. Reproduction of full articles from RSS feeds is prohibited without permission.

MessageLabs has released their Intelligence Report for September 2008. A press release summarizing the report is here. The full report is here.

Symantec released a SyKnApps update last week for Symantec Endpoint Protection 11. The update notice I received didn't say much, just that "The new revision of
SyKnApps improves the performance and overall functionality of TruScan." The email also said the update was available through liveupdate.

I had been wondering if the update would reach SEP clients who get their updates from a corporate SEPM server. By comparing file versions, I found that it appeared my internal clients did get c:\documents and settings\all users\application data\symantec\syknapps\syknapps.dll updated.

A Symantec KnowledgeBase article confirms this belief. It specifically says running liveupdate on SEPM will update the clients. It also confirms that this update fixes the cosmetic bug where the SEP client GUI displays the Proactive Threat definitions as July 30th.