Blow your own horn

At a local conference, one presenter had a topic of “Blow Your Own Horn.”  The point was to have some kind of success story (any kind of success story) ready for presentation.  Elevator pitch level stuff, except you aren’t selling anything specific, just success.

For example: “Last year you (the Board) approved purchase of a $50,000 licence fee for AV software on the email server.  This past month, records show it stopped 1 million viruses, which would otherwise have gotten through.  Had they been run, they would have cost $500 each (estimated industry average) to clean up.  Therefore, your prescient decision to spend $50,000 has returned $500,000,000 to the company.”

(OK, yes, any infosec professional knows the holes in that logic.  And you are turning it so that you are crediting the Board with what should be *your* success.  But you get the idea.)

I suggest everybody have a file in some readily accessible drawer, for scribbling down any idea you come up with along these lines, using company specific data.  One idea per page.  Any time you get called to the Boardroom (or, depending upon how many ideas you can come up with, any meeting) grab a sheet and read it in the elevator.  Whatever they asked you to talk about, walk in and start off with, “Thank you for your interest in X.  Before I begin, I’d like to let you know that, because of our investment in a $2,000 course in Ethereal, for one of the net sec admins, last April’s intrusion was detected within 5 hours, and we were able to ensure that all servers were hardened against that particular attack within only a further 12 hours, all within house.  Normally such an attack would be undetected for three days, and would have required outside help at a usual cost of $7,000.”

(Yes, this gets down into the weeds in regard to architecture, but security is a lot more about politics than technology.  And people love stories.)


New computers – Windows 7 – XP Mode fixes

I think I may finally be getting the hang of this XP Mode thing.  (I may also be fooling myself …)

As previously noted, XP Mode doesn’t access the “real” drive, but a virtual drive which is contained in one large file.  (Actually, seemingly a minimum of three, but only one appears to contain the drive “contents.”)  XP Mode does provide you with links to the real drives on the computer, but, while accessible from most Windows programs, since they are not mapped to drive letters, you cannot do anything with DOS programs, even though such programs run under XP Mode.

I figured I would have to create the directories, with files I wanted to work on, within the “virtual” drive, and, each time I made any modifications, remember to copy the new versions back to the “real” disk so they could be used under Win7.  Not only is this a nuisance, but it wastes disk space.  XP Mode takes up enough space as it is: starting at about 1.5 gig, by the time you get it up to speed with Windows updates, it has ballooned to 6 or 7 gig.  Any programs or file space you want come on top of that.  (And, since I no longer trust XP Mode to stay stable, I have been making backup copies as I have been doing the updating and adjusting of the virtual machine, wasting even more disk space.)  An annoyance, to say the least.

I can’t remember where I found it, but somehow I noted a reference to the actual description, within XP Mode, of the links to the real drives.  It looks just like a network reference to a shared resource.  So I tried mapping that format and creating a DOS “lettered” drive mapping (from within XP Mode).  So far it seems to work fine.

For those who’d like to try, the “network” name of the real computer seems to be TSCLIENT.  So, in order to create a link to the C: drive on the real computer, map to \\TSCLIENT\C .  (It does not seem to matter what your real machine’s name is, that name does not seem to be used in the reference.)


Conflicting AVs

Well behaved antivirus programs can safely work together in peace and harmony.

Unfortunately, relatively few AVs are well behaved.

On my new desktop, I’ve got Avast (came with the machine, has a free version, and is a pretty good product) and MSE (it’s free, and it’s pretty safe for most users, although, as a professional, some parts of it irk me).  I’ve set both to ignore the virus zoo, although they aren’t too good at taking that restriction to heart.

MSE quarantined a few samples before I got things tuned.  Of course, it doesn’t have any function to get stuff out of “quarantine.”  (As I say, as a professional this is irksome, but, considering the average user, I’d say this is a darn good thing.)

Today Avast gave me a warning of some dangerous files.  They were the ones MSE quarantined.

(In case anyone is interested, the quarantine seems to be in \ProgramData\Microsoft\Microsoft Antimalware\LocalCopy.)


New computers – Windows 7 – compatibility (2) XP Mode

In researching the purchase of the new desktop, I found/was told/noted that you needed Windows 7 Pro version for “XP compatibility.”  Naturally, I assumed that this would be built into the product that I bought.  (Actually, I was a bit worried by that statement, since one would assume that a new version of an operating system would still run stuff that the old one did.  I still use programs that I first ran on MS-DOS 2, and they were still working fine on XP.)

Not so.

Well, I’m sure that Microsoft would take issue with that statement.  After all, when you try to use the “recommended settings” when troubleshooting compatibility, it tells you that it is running “Windows XP (Service Pack 2)” compatibility mode.  (Pretty much regardless of what the program or utility is.)  And if, trying the more manual troubleshooting, you tell the troubleshooting program that it did run under previous versions of Windows, there are XP SP2 and XP SP3 options (among nine others) to choose from.

It doesn’t matter which you choose.  I haven’t found any of them to work with any program to date.

However, the advice to buy Win7 Pro is sound, if you want to have much of a chance of running anything (interesting) that you have been using up until now.  You absolutely must have XP Mode.  It solves all your problems.  (Well, it solves a bunch of problems, and you can probably fix the rest with some scripting, which is annoying, but better than nothing.)  You have XP Mode if you buy Win7 Pro.

Well, no you don’t.

XP Mode turns out to be part of Windows Virtual PC.  You don’t have it with the base install.  You have the right to have it, but you don’t have it, and you have to download it and install it.  In trying to find out why I couldn’t run stuff that had run perfectly well under XP, I found a mention in the Help system, which made me realize this was a possibility.  Sure enough, chasing this mention down through a few related help articles, I found a link to go and get it.  So I did.

Well, I tried.  In order to install Windows Virtual PC, Microsoft wants to run MGA.  MGA stands for Microsoft’s Grasping Authenticator.  Microsoft disputes this, and refers to it as Microsoft Genuine Advantage, but there is absolutely no advantage to you, the user, in MGA.  There definitely is an advantage to Microsoft, because, if you need MGA to run or install something, and anything at all goes wrong, you have to pay Microsoft to get it fixed.  Even if you’ve paid already.  I had no fear of MGA, because a) I knew that it was a genuine product, and b) I’d already had to run MGA to get the updates to work, and it hadn’t blinked.  This time, however, it would not believe that my Win7 Pro was Win7 Pro, and would I please cough up an extra $200.

(I took it back to the store I bought it from.  They got it fixed, for no money, but it did take them two days to do it.  And all my passwords were gone.  Oh, you thought passwords were there to keep people out of your computer?  Silly you.)

So now I have Windows Virtual PC, and XP Mode with it.  And, absent the fact that it creates a virtual disk for itself, and that, if you want to work on anything on your real disk you probably have to copy it on to this virtual disk, and mess around with settings, it runs everything just fine.  Per my previous posting on compatibility, Netscape/Communicator 4.8 works.  Eudora 1.5.2 works.  My beloved WordPerfect 4.2 (yes, that old) works.  So does WordPerfect 5.1, which is what Gloria prefers.  (I’m not sure I’m going to go to all the trouble of setting up the system that allows us to print from WordPerfect to a winprinter: we really only need to get at the files for reference purposes.)  Good stuff.

I did have to do a whole bunch of Windows Updates on XP Mode itself, which seems very strange to me.  Seeing as how I was downloading it from Microsoft, couldn’t they keep it patched and up to date?  Three or four sessions with Windows Update, and something close to a hundred updates by the time it seemed to settle down.

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7 – security and permissions

Plenty of frustrations in getting set up with Windows 7.

One of the first things I tried to do was add some utilities into the “SendTo” folder so that they are at hand when I am working in Windows Explorer.  These used to be stored in “Documents and Settings” so that’s where I started.  It still exists.

I couldn’t get access to it.  Couldn’t even open the list of subdirectories.  Even though I am running as admin (yeah, yeah, let me get the dratted thing running, first, and then I’ll worry about trying to restrict myself) access is denied.

So, if I’m an admin, I can change the permissions, yes?  Apparently not.  When I look at the Security tab, I apparently already have full control.  When I try and edit these permissions, just in case full control needs to be confirmed, I get a bunch of messages saying that I don’t have permission to change the permissions.  I’ve tried through a bunch of different screens having to do with security or permissions or rights, or editing any of the above, and so far not one of them has worked.

In any case, all of this is academic.  These settings no longer reside in “Documents and Settings” but in a new (as of Vista) folder called “Users.”  “Documents and Settings” is merely a link.  (I think I had to change the permissions on the Users directory in order to get access and make the mods I wanted, but, to be quite honest, at this point I can’t remember everything I’ve had to do.)

OK, it’s reasonable that you shouldn’t be able, from a mere link, to change permissions on the actual directory.  (I think.  I’m having trouble thinking of anything you could actually do, but, on basic security principles, I’d have to agree that there is potential risk, at least.)  But, if so, then why have the link at all? As it is, it is completely useless, and only serves as a distractor for people like me who know some of the internals.

I’ve also got to say that the dialogue boxes for the “Security” and permissions are extremely odd.  You get to see what they are, but you don’t get to change anything, that is on a separate dialogue under edit.  And if you have selected a certain user or group, and then go to the editing dialogue, it is easy to miss the fact that the user or group chosen is no longer selected on that dialogue.  By default what is selected is “Everyone.”  If you are not paying attention, it would be really easy to grant full access to the entire world.

While doing the massive numbers of Windows Updates (it took about seven update sessions [including almost a gigabyte download for SP1], and four reboots, before the system seemed to settle down) I installed MSE.  I still like it for almost all users, and I’ve had some experiences cleaning up other machines where MSE worked well, and other AVs almost crashed the system.  However, as a professional, I’m still annoyed at some aspects of it.  I marked my “zoo” as excluded, but that setting does not, apparently, apply to the “Full scan,” nor to the real-time scanning.  (And, apparently, simply pulling up a directory in Windows Explorer counts as “opening” all the listed files.)

Ceterum censeo Microsoft esse delendam.


Fake Online Reviews

We’ve had means of expressing our opinions on various things for a long time.  Amazon has had reviews of the books pretty much since the beginning.  But how do we know that the reviews are real?  Virus writers took the opportunity presented by Amazon to trash my books when they were published.  (Even though they used different names, it only took a very simple form of forensic linguistics to figure out the identities.)

More recently, review spam has become more important, since many people are relying on the online reviews when buying items or booking services.  A number of “companies” have determined that it is more cost effective to have bots or other entities flood the review systems with fake positive reviews than it is to make quality products or services.  So, some nice people from Cornell University produced and tested some software to determine the fakes.

Note that, from these slides, there is not a lot of detail about exactly how they determine the fakes.  However, there is enough to indicate that sophisticated algorithms are less accurate than some fairly simple metrics.  When I teach about software forensics (aspects of which are similar to forensic linguistics, or stylistic forensics), this seems counterintuitive and surprises a lot of students.  Generally they object that, if you know about the metrics, you should be able to avoid them.  In practice, this doesn’t seem to be the case.  Simple metrics do seem to be very effective in both forensic linguistics, and in software forensics.
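To show what “fairly simple metrics” can look like in practice, here is an added example (not code from the original post, and not the Cornell group’s method): a handful of surface measurements per text, compared by plain Euclidean distance.  The review texts, the metric set and the function-word list are all constructed for the demonstration.

```python
"""Added example: simple stylometric metrics for comparing texts.

Each text gets a small numeric profile (word length, vocabulary richness,
sentence length, exclamation density, function-word rate). Profiles are
compared by Euclidean distance; the closest candidate is the most similar
in style. Review texts below are constructed, not real reviews.
"""
import math
import re

# A deliberately short, hypothetical list of function words.
FUNCTION_WORDS = {"the", "a", "an", "and", "of", "to", "in", "is", "it",
                  "that", "this", "i", "for", "on", "with"}


def profile(text: str) -> dict:
    """Return a dictionary of simple style metrics for one text."""
    words = re.findall(r"[A-Za-z']+", text)
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    lower = [w.lower() for w in words]
    n_words = max(len(words), 1)
    n_sent = max(len(sentences), 1)
    return {
        "avg_word_length": sum(len(w) for w in words) / n_words,
        "type_token_ratio": len(set(lower)) / n_words,
        "avg_sentence_length": len(words) / n_sent,
        "exclamations_per_sentence": text.count("!") / n_sent,
        "function_word_rate": sum(w in FUNCTION_WORDS for w in lower) / n_words,
    }


def distance(p: dict, q: dict) -> float:
    """Euclidean distance between two profiles (raw, unscaled metrics)."""
    return math.sqrt(sum((p[k] - q[k]) ** 2 for k in p))


def most_similar(target: str, candidates: list) -> int:
    """Index of the candidate whose style profile is closest to `target`."""
    t = profile(target)
    dists = [distance(t, profile(c)) for c in candidates]
    return dists.index(min(dists))


# Constructed sample reviews: two in one "shouty" style, one in another.
REVIEW_A1 = "I love this product!!! It is amazing!!! Best purchase ever!!! Buy it now!!!"
REVIEW_A2 = "I love this seller!!! It is wonderful!!! Best deal ever!!! Order it now!!!"
REVIEW_B = ("The mechanism is adequate, although the fit and finish of the lid "
            "leave something to be desired; after three weeks the hinge has "
            "loosened slightly.")

if __name__ == "__main__":
    for name, text in (("A1", REVIEW_A1), ("A2", REVIEW_A2), ("B", REVIEW_B)):
        print(name, profile(text))
    print("closest to A1:", ["B", "A2"][most_similar(REVIEW_A1, [REVIEW_B, REVIEW_A2])])
```

The metrics are left unscaled on purpose so the example stays readable; on a real corpus you would standardise each metric (z-scores) before taking distances, otherwise sentence length swamps the rest.  The point the post makes survives either way: nothing here looks at meaning, yet the two shouty reviews land next to each other and far from the third.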


Vodafone Hacked – Root Password published

Looks like a nice one:

The Hacker’s Choice announced a security problem with Vodafone’s Mobile Phone Network today.

An attacker can listen to any UK Vodafone customer’s phone call.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

News article:
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html


Simple passwords are the solution

ZDNet has a nice piece on why cheap GPUs are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow) but they are missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that, we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if you only get very few tries).

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.
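As an added example (not code from the original post), the following sketches what “making sure brute force is impossible” means in numbers and in code: the attacker’s odds depend on how many guesses the verifier will answer, not on how many a GPU could make offline.  Account names, passwords and the lockout parameters are constructed for the demonstration.

```python
"""Added example: a bounded-guess login check.

Two helpers quantify the post's argument and one small class enforces it:
  success_probability: odds of guessing a uniformly chosen secret in k tries.
  bounded_tries: how many guesses an online attacker can get answered when
                 failures trigger a lockout.
  ThrottledLogin: a verifier that stops evaluating guesses after repeated
                  failures, so the attacker's effective k stays small.
"""
import hashlib
import hmac
import math
import os
import time
from typing import Optional


def success_probability(space: int, tries: int) -> float:
    """Chance that `tries` distinct guesses hit a secret drawn uniformly
    from `space` possibilities (a 4-digit PIN has space 10**4)."""
    if space <= 0:
        raise ValueError("space must be positive")
    return min(tries, space) / space


def bounded_tries(max_attempts: int, lockout_seconds: float, horizon_seconds: float) -> int:
    """Most guesses an online attacker gets answered within `horizon_seconds`
    when every `max_attempts` failures cause a `lockout_seconds` lockout."""
    cycles = math.floor(horizon_seconds / lockout_seconds) + 1
    return max_attempts * cycles


class ThrottledLogin:
    """Password verifier that refuses further guesses after `max_attempts` failures."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 900.0):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._users = {}      # name -> (salt, PBKDF2 hash)
        self._failures = {}   # name -> (failure count, locked_until)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count kept low so the demo runs quickly; raise it in real use.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def attempt(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked". `now` is injectable for testing."""
        now = time.monotonic() if now is None else now
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"            # the guess is not even evaluated
        record = self._users.get(user)
        # Unknown users are counted as failures too, so lockout state
        # cannot be used to tell real accounts from nonexistent ones.
        if record is not None and hmac.compare_digest(
                self._hash(password, record[0]), record[1]):
            self._failures.pop(user, None)
            return "ok"
        count += 1
        if count >= self.max_attempts:
            self._failures[user] = (0, now + self.lockout_seconds)
            return "locked"
        self._failures[user] = (count, locked_until)
        return "denied"


if __name__ == "__main__":
    # A 4-digit PIN against a verifier answering at most bounded_tries() guesses
    # a day, versus the same PIN against an offline cracker with unlimited tries.
    daily = bounded_tries(5, 900, 24 * 3600)
    print("online guesses/day:", daily, "-> success:", success_probability(10**4, daily))
    print("offline, unlimited  -> success:", success_probability(10**4, 10**9))
```

The numbers are the caveat a practitioner should notice: five tries per fifteen-minute lockout still lets an attacker have a few hundred answered guesses a day, which is fine against a large space and not fine against a 4-digit PIN over a long campaign.  The lockout only buys anything if the password database itself never leaks, since an offline attacker is not throttled at all.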


Aurasma: Graffiti meets YouTube

A company called Autonomy, which has been selling image search technology, has launched an apparently freely available (open?) project called Aurasma.  At the moment only available on iPhone 4, this allows you to “augment” the reality (that the mobile device sees) by adding video to overlay it.

In this article, a BBC reporter/commentator opines that this is a cute trick, but only that.  I’m going to go out on a limb and predict that this assessment is short-sighted (albeit only if the technology expands to other platforms).  Given that YouTube users are uploading 48 hours of video to the site every minute of the day, I suspect that the ability to create video graffiti, and “tag” it to any vista, location, or object, will be irresistible.

Apparently the company thinks this will be a platform that companies will use to create ads, to promote their products or shops at related locations.  They probably will.  However, myriad users will be creating other content, for the same images, and we will have SEO (Search Engine Optimization) battles that will make the malware and phishing sites we see now pale in comparison.  The Tokyo Chamber of Commerce or tourism board may wish to overlay video over certain landscapes or landmarks, but how will they stand up against thousands of geeks who’ve all seen Godzilla?


REVIEW: “The Black Swan”, Nassim Nicholas Taleb

BKBLKSWN.RVW   20110109

“The Black Swan”, Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2,
U$26.95/C$34.95
%A   Nassim Nicholas Taleb
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2007
%G   978-1-4000-6351-2 1-4000-6351-5
%I   Random House/Vintage/Pantheon/Knopf/Times/Crown
%O   U$26.95/C$34.95 800-733-3000 randomhouse.ca www.atrandom.com
%O   http://www.amazon.com/exec/obidos/ASIN/1400063515/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1400063515/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1400063515/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   366 p.
%T   “The Black Swan: The Impact of the Highly Improbable”

I was irritated into reviewing this book.  I knew that the title referred to events which are rare, and therefore seen as unlikely or impossible, but which, once observed, are obviously true.  I had heard this book (and idea) discussed in terms of risk analysis, but the mere fact didn’t strike me as terribly useful.  To a certain extent we deal with such issues all the time in business continuity planning.  So, when, during yet another conversation on risk analysis, one participant insisted that we should all read this text, I responded that the earth might fall into the sun, soon, and therefore I couldn’t see risking what little time I had left reading Taleb’s work.

The participant insisted that we weren’t going to fall into the sun for a long while, and therefore I should read the book.  Having now read it, I can say that this person didn’t understand one of the author’s main points.

In the prologue, Taleb describes a Black Swan event as one which is rare, has an enormous impact on the world, and is explainable after the fact.  During the course of the work he presents a number of examples.  A great deal of the text, though, discusses, disparages, and even rants against efforts to predict future events or outcomes, particularly those which rely on models.  The author notes that many of these models fail to take certain factors into account.  This is quite true: a model, by its very nature, must be limited.  A map of Canada, the full size of Canada, would be accurate, but not very portable, and thus not useful.  In the same way, any model is a heuristic, giving a quick indication of operation on the basis of a very limited set of factors.  Taleb’s thesis about rare events seems to take second place to his assertion that you can go badly awry by relying on a model which fails to take all factors into account.

My “earth into the sun” example, therefore, fits well into the theme of the book.  As far as we understand, we have probably billions of years before we spiral into the sun.  On the other hand, some rare event may make this happen much sooner, and we’ll all be impacted (if you’ll pardon the expression).  And, if it does happen, you can bet that, in the few weeks or hours between the event and our incineration, there will be plenty of people who will be building models to explain why it did happen.

This statement is undoubtedly true.  But is it helpful?  Much of the author’s work is addressed at the issue of investment, and particularly “playing” the stock market.  He notes that an investor, by betting on black swan events, can make a large return (since black swan events have a large impact).  This declaration is also true, but you can’t bet on all possible events, so which ones do you choose?  For example, computer equipment retailers who “bet” on tablet computers last year would, this year, be in a very strong position.  Those who did the same thing twenty-three years ago would have been stuck supporting the Newton.

Taleb keeps repeating (and repeating, and repeating, and repeating: his few points are duplicated many times over through nineteen chapters) that just about everyone tries to avoid risk on the basis of what they have seen in the past.  In fact, not only many studies but also common observation show that this isn’t the case.  The general public loves to gamble.  Studies of “successful” people (business leaders, etc.) indicate that they are more prone to gambling and risk-taking than the general public, and, in fact, foolishly so.  (“Leaders” have a strong tendency to gamble even when it is quite clear that taking the small but sure return is the better deal.)

Is this, in fact, evidence that Taleb is correct, and that we all should be risk-takers, betting on black swans?  No.  As he, himself, points out in a different context, some risk-takers win, and become “successful,” while a lot of risk-takers lose, but disappear into the general population.  (Or just disappear.)

The central point about making predictions on the basis of insufficient knowledge is emphasized most repetitively in regard to investments and finance.  The author does suggest a method for ventures: keep 90% of your funds in the most conservative undertakings, and invest the 10% in wildly speculative “positive” black swans.  Of course, this doesn’t guarantee that any of your wild investments do pay off, but at least you will have your 90%.  Unless a “negative” black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review.  Taleb has good facility with language, and writes in an amusing, if scattered, manner.  As a means of passing the time, the text is fluid, entertaining, and even has some points worth thinking about.  However, in terms of this review series, I must consider whether the tome is useful or not, and I’m not certain that it is.  Taleb presents some salient warnings, but makes any number of statements (several of them outrageous) without going to the trouble of backing them up.  (This fact is rather ironic in view of his repeated denigration of academics and technical authors who cannot write clearly and “properly.”  He even admits, almost up front, that a friend “caught [him] red-handed” by challenging him to “justify the use of the precise metaphor of a Black Swan,” and he had to confess “this book is a story.”)

To take a page from the way Taleb writes, I could point out that his “Extremistan” bears a strong resemblance to the age of the dinosaurs.  They developed the largest land-dwelling creatures ever to walk on earth, lasted much longer than we humans have, and, some models show, were able, simply because of their immense numbers, to affect climate in ways that we have only recently been able to do by pumping their remains out of the earth and burning them.  They were also subject to a black swan event in the shape of an asteroid, which left, as their descendants, only Taleb’s much maligned turkeys.

There are certainly holes in this argument, but it is as entertaining, and as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb’s mother: there is some use in this book, but an enormous disparity between what the author thinks it is worth, and what it is actually worth.

(No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade   2011     BKBLKSWN.RVW   20110109


Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those types of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.


A recent flight …

Security wanted to open up my suitcase and look at the bag of chargers, USB sticks, etc, and was concerned about the laser pointers.  He decided they were pens, and I didn’t disabuse him of the notion.  Why disturb the tranquility of his ignorance?


REVIEW: “Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk/Daniel Schutzer

BKEISCPR.RVW   20101023

“Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk/Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00
%E   C. Warren Axelrod Warren.Axelrod@usccu.us
%E   Jennifer L. Bayuk www.bayuk.com
%E   Daniel Schutzer Dan.Schutzer@fstc.org
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-190-9 1-59693-190-6
%I   Artech House/Horizon
%O   U$99.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1596931906/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   231 p.
%T   “Enterprise Information Security and Privacy”

The authors of this collection of papers were told to examine and challenge current and traditional approaches to information security and suggest alternatives overcoming noted deficiencies.

Part one looks at history and trends.  Chapter one traces privacy attitudes and legislation in the United States over the past century, and suggests that privacy and information security are related.  Data protection should be supported by a defined, multi-factor, holistic security system, says chapter two.  (As the editorial comment notes, this is hardly surprising news to security professionals.)  Security faces pressure from operational concerns, and chapter three states that security departments that help the business rather than hindering (in other words, planning security properly) are more likely to succeed.  Chapter four notes that information classification based solely upon confidentiality concerns is limited, but the suggested structure still relates only to that aspect.  The article singularly fails to examine any possible form of multilateral classification scheme, incorporating integrity and availability issues.  Chapter five delves into human factors, which are vitally important to security, but limits the discussion to privacy, which is already pretty human.

That piece finishes off with some examination of risk, although it doesn’t say much about human factors in risk, but I suppose it makes a nice lead-in to the fact that part two is concerned with risk.  Donn Parker makes his usual contrarian argument against risk-based security in chapter six.  The author of chapter seven notes this objection, but claims that it is only applicable if you fail to account for all the proper factors (totally missing Parker’s point that you can never know all the factors).  A hodge-podge of legal topics goes into chapter eight, but the emphasis (if there is any) seems to be on new “compliance” standards such as the Payment Card Industry Data Security Standard (PCI-DSS or just PCI).  Chapter nine takes a brief and focussed look at the most important changes in the telecommunications arena.

Part three turns to specific industries: finance, energy, transportation, and academia.  Chapter ten lists US financial regulations, and then offers vague suggestions of new regulations.  A number of questions about the security of energy providers or infrastructure are raised in chapter eleven, but there are few answers.  In terms of transport, chapter twelve mentions SCADA (Supervisory Control And Data Acquisition) systems and alarm sensors.  Chapter thirteen doesn’t really appear to examine academia: the “case studies” may be formal, but are really just reports of malware similar to those in the general user population.

If the authors were supposed to present new ideas for security, they have failed.  There is nothing wrong with any of the pieces contained in the book, but they are simply “more of the same.”

copyright, Robert M. Slade   2011     BKEISCPR.RVW   20101023


Dumb computer virus story recidivus

A few days ago, I noted a very silly news story about someone getting hit with a computer virus. Well, maybe the administrators don’t know all that much about malware, and maybe a smaller local paper reporter didn’t know all that much about it, either.

But now the story has been taken up by a company that makes security software. A “Microsoft Gold Certified Partner,” according to their Website. A company that makes antivirus software. And their story is just as silly, or even worse.

They say the local admin “stated that, the virus is classified as harmful and they are being quite alert.” I suppose that is all well and good, but then they immediately say that, “[a]ccording to him, the anti-virus firms were not able to recognize it …” So, AV firms don’t know what it is, but it is classified as harmful? Oh, but not to worry, “the good part is that it doesn’t seem to do extensive harm.” So, it’s harmful, but it’s not harmful. Well, of course it’s not harmful. It only “collects information and details, such as bank accounts and passwords …” No possible problem there. (Oh, and, even though nobody knows what it is, it’s Qakbot.)

Right, then. Would you be willing to buy AV software from a firm that can make these kind of mistakes in a simple news story?


The decline of credit cards

At the BC ISMS User Group meeting last week we were concentrating on the relationship between the ISO 27000 family of standards, and the PCI-DSS (Payment Card Industry Data Security Standards, usually just known as PCI).  PCI-DSS is of growing concern for pretty much anyone who does online retail commerce (and, come to that, anyone who does any kind of commerce that involves any use of a credit card).

It kind of crystallized some ideas that I’ve been mulling over recently.

Over the past year or so, I’ve been examining some situations for small charitable organizations, as well as some small businesses.  Many would like to sell subscriptions, raffle tickets, accept donations, or sell small, specialty items over the net.  However, I’ve had to consistently advise them that they do not want to get involved with PCI: it’s way too much work for a small company.  At the same time, most small Web hosting providers don’t want to get involved in that, either.

The unintended consequence of PCI is that small entities simply cannot afford to be involved with credit cards anymore.  (It’s kind of too bad that, a decade ago, MasterCard and Visa got within about a month of releasing SET [Secure Electronic Transactions] and then quit.  It probably would have been perfect for this situation.)

Somewhat ironically, PCI means a big boost in business for PayPal.  It’s fairly easy to get a PayPal account, and then PayPal can accept credit cards (and handle the PCI compliance), and then the small retailer can get paid through a PayPal account.  So far PayPal has not created anything like PCI for its users (which is, again, rather ironic given the much wilder environment in which it operates, and the enormous effort phishing spammers make in trying to access PayPal accounts.)  (The PayPal Website is long on assurances in terms of how PayPal secures information, and very short on details.)

This is not to say that credit cards are dead.  After all, most PayPal purchases will actually be made with credit cards: it’s just that PayPal will handle the actual credit card transaction.  Even radical new technologies for mobile payments tend to be nothing more than credit card chips embedded in something else.

These musings, though, did give a bit more urgency to an article on F-commerce: the fact that a lot of commercial and retail activity is starting to happen on Facebook.  Online retail transactions aren’t new.  They aren’t even new in terms of social networks or a type of currency created within an online system.  Online game systems have been dealing with the issue for some time, and blackhats have been stealing such credits and even using them to launder money for a number of years now.  However, the sheer size of Facebook (third largest “national population” in the world), and the fact that that entire population is (by selection) quite affluent means that the new Facebook credit currency may very quickly balloon to an enormous size in relation to other currencies.  (We will leave aside, for the moment, the fact that I personally consider Facebook to be tremendously divisive to the Internet as a whole.  And that Facebook does not have the best record in terms of security and privacy.)  Creation of wealth, ex nihilo, on a very, very large scale.  What are the implications of that?

Dumb computer virus story

I really don’t know who is more ignorant here, the city authorities “protecting” the computers, or the journalist writing up the story.

If you know anything about the technology, this is howlingly funny (or, it would be, if it weren’t so sadly representative …)

“Officials at Nanaimo city hall are desperately working to find out how a virus attacked their computer system Wednesday afternoon.”

(Oh, oh!  Pick me!  I can tell you!  You didn’t tell people NOT TO CLICK ON RANDOM ATTACHMENTS THEY GET IN STRANGE EMAIL MESSAGES AND SUPPOSED E-CARDS!!!)

“Per Kristensen, director of information and technology, said he was shocked by how quickly the virus infected the system.

“The first time anyone anywhere in the world noticed this new virus was on [March 15] and then it hit us on the 16th,” he said Thursday.”

(How many new viruses are “created” every day, these days?)

“People can be assured that all their information is secure. Protection of their personal information is a priority. The city’s system won’t be turned on until we are confident we have this solved,” he said.

(Ummm, how are you going to clean up the computers if they are turned off?)

“Kristensen said the virus is so new, it has no signature that security devices can recognize.”

(Let me guess: a certain antivirus in a yellow box couldn’t recognize it, so you figure that nobody can, right?)

“We’ve got multiple levels of protection and firewalls, but nothing recognizes this.”

(Yeah, firewalls do a GREAT job against viruses …)

“We may have to shut down throughout the weekend and we won’t put the system back up until we know we have this under control. And right now, we don’t know how long that will be.”

(Based on this, I’m not holding my breath …)
