Devin’s new DCAR book

Devin Ganger, my cow-orker at 3sharp and coauthor of the Exchange Server Cookbook, is on the scoreboard again– this time with an ebook on discovery, compliance, archival, and retention. The first chapter’s now available, so go check it out.

Filed under General Stuff, Musings

Disabling removable devices through Group Policy

I’ve been asked several times about ways to disable the use of removable storage devices to protect against pod slurping and related attacks. XP SP2 has a way to prevent writing to USB devices, but there’s another solution that’s described in this MVP-contributed KB article.

Filed under General Stuff, Musings

Massive HDTV recording tip

I wish I’d thought of this: a smart guy came up with the idea of creating a TiVo wishlist with “2004” as the search term to catch all movies released in 2004. That’s not the cool part– now I can create a wishlist for a video type of “HDTV” and have instant access to the list of what’s on in HD. W00t.

Filed under HDTV and Home Theater

A Rocket to Nowhere

Wow. This essay is a stinging, and entirely accurate, assessment of the current state of the Shuttle and ISS programs. Too bad NASA won’t do anything about it. Excerpt:

In the thirty years since the last Moon flight, we have succeeded in creating a perfectly self-contained manned space program, in which the Shuttle goes up to save the Space Station (undermanned, incomplete, breaking down, filled with garbage, and dropping at a hundred meters per day), and the Space Station offers the Shuttle a mission and a destination. The Columbia accident has added a beautiful finishing symmetry – the Shuttle is now required to fly to the ISS, which will serve as an inspection station for the fragile thermal tiles, and a lifeboat in case something goes seriously wrong.

This closed cycle is so perfect that the last NASA administrator even cancelled the only mission in which there was a compelling need for a manned space flight – the Hubble telescope repair and upgrade – on the grounds that it would be too dangerous to fly the Shuttle away from the ISS, thereby detaching the program from its last connection to reason and leaving it free to float off into its current absurdist theater of backflips, gap fillers, Canadarms and heroic expeditions to the bottom of the spacecraft.

Filed under Smackdown!

Christmas in August

Well, not really, but today Microsoft announced the pricing for the Xbox 360. $299 for the base unit, or $399 for the console plus a controller, the hard drive, some cables, and some other goodies. Time to start scouring the sofa cushions for loose change…

Filed under General Tech Stuff

The man who invented the neutron bomb

BoingBoing has a long profile by Charles Platt of Sam Cohen, the man who invented the neutron bomb. It’s on my reading list, though I won’t get to it for a while. (I downloaded the PDF file, just to be on the safe side).

Filed under General Tech Stuff

Bulletproof Wireless Security (Chandra)

“BULLETPROOF WIRELESS SECURITY : GSM, UMTS, 802.11, and Ad Hoc Security (Communications Engineering)” (Praphul Chandra)

I asked for a review copy of this book because I understood it to be a guide to implementing security. The problem is that “implementing” is a loaded term. I wanted a book on how to set up and configure security, and Chandra’s written a book about how to engineer products that implement these solutions. In that light, this is an interesting book because it covers GSM, UMTS, and 802.11 security. The writing style is clear and direct. However, there’s a problem: for a book billed as comprehensive, there’s not enough depth to actually help an implementer build an implementation of any of these protocols. For example, the first 60 pages or so explain some basic security concepts and algorithms, and the next 25 pages cover how security protocols are applied at various OSI layers. There’s a chapter dedicated to GSM and UMTS security, and one on 802.11a/b/g security that (IMHO) pulls some punches about how bad WEP is. In a book targeted at implementation engineers, it would have been helpful for Chandra to go deeper into the reasons why we got stuck with such a crappy security implementation.

Overall, this book is probably most useful to those who need a quick survey-level introduction to wireless security because they’re working in the wireless industry. It’s pretty much useless for system administrators or developers (particularly because there’s only vestigial coverage of code security/quality issues) except for folks who have a general interest in the topic.

Filed under Reviews

Cheap Samsung laser printer

Newegg has the Samsung ML-2010 laser printer (review here) at $127.95. Scroll down to “Combo Specials” and pick up a free Rosewill Wireless Keyboard and Mouse combo. Enter promo code “sam2010” during checkout for $40 off the printer. Send for the Newegg-exclusive $50 rebate. Shipping is $14.95. Your net cost: $53 or so.

Filed under Friends & Family

Unbelievable VERITAS security hole

Wow, this is hard to stomach. CERT is reporting TA05-224A: “VERITAS BackupExec Uses Hard-Coded Authentication Credentials”. It’s astonishing that any company could be so stupid as to ship a product that still uses hard-coded credentials; it’s a wonder that it’s taken this long for an exploit to start circulating. (Note that this is different than the vuln-o-rama announced last month.)

According to Symantec’s page on the vuln, only BE versions 8.0, 8.5, and 8.6 have the flaw. I’d bet that’s a significant portion of the installed base, so a) I hope they’re protected and b) I sure would feel more comfortable if the page also said “hey, don’t worry, we fixed the problem in BE 9”. My concern is that BE 9.x and 10.x have the same, or similar, problem but that attackers haven’t found the creds yet.

Update: Symantec updated the vuln page last night with this additional page. Turns out that BE 9.0, 9.1, and 10.0 are vulnerable too. Sheesh. Making things worse, to fix the remote agent you have to uninstall the remote agent, reboot, install the new version of the agent, and reboot again. There’s no hotfix.

Filed under Security

HA vs BC

From an article I’m working on, the difference between high availability and business continuance succinctly expressed:

Availability measures how much use we get out of a system before it fails, or between failures. Business continuance (BC) is different; it means being able to continue business operations (possibly with some degraded capacity) while a recovery operation is in progress. A simple example might help: if your building has an automatic emergency generator, that’s HA. If you have to bring in your own generator from home, that’s BC.

Filed under General Stuff, Musings

Reversal in Councilman decision

Last year, I wrote about US v. Councilman, a court case in which the initial ruling seemed to indicate that it was OK to intercept others’ email under certain conditions. Yesterday the First Circuit Court of Appeals issued a new ruling, essentially reversing the old one. Councilman was indicted in 2001 for violating the US federal law covering wiretapping because he was using procmail to copy inbound messages to hosted users on his server. The case was originally dismissed based on Councilman’s claim that the messages he copied were in “electronic storage” (which has a narrow meaning under the 1968 wiretap law), and that what he did wasn’t technically “interception” as defined in the law. The government appealed, and now the Court of Appeals is siding with them. Read their ruling for yourself; after I have time to dig into it a bit more, I’ll have more to say (bearing in mind, of course, that I’m not a lawyer and don’t give legal advice.)

Filed under General Stuff, Musings

Red Cross blood drive, 8/20, Rossford

The Greater Toledo chapter of the American Red Cross is low on blood… again. They’re operating a blood drive at the St. George Orthodox Cathedral building (738 Glenwood Road, Rossford) on Saturday, August 20, 2005. Hours are from 0830-1330. If you’re eligible to donate (over 17, over 110lbs, good health), please come by and donate– donated blood saves lives. If you want to reserve a specific time, you can make an appointment on the GiveLife web site– just use TOLEDOROTARY as the sponsor code.

Filed under Friends & Family

Super-useful site for flight delays

The FAA has updated their air traffic control (ATC) flight delay information page. The big news: you can now search for a particular airport directly from the page. Here’s what things look like for Toledo, Atlanta, and Seattle. This is extremely useful for frequent travelers.

Filed under Travel

New Mac Messenger client does LCS

Finally! Microsoft’s released Microsoft Messenger:mac 5.0, which can use both the MSN Messenger service and Live Communications Server 2005. It fully supports TLS and Kerberos (although you’ll need to read this reskit paper to turn Kerberos on). It also supports PIC for LCS if you’re using it. In my tests over the last few months, I’ve found it very stable. It just works. If you’re using a Mac, give it a try. (Now, if we could only get a new version of the suck-a-delic Windows Media Player for Mac…)

Filed under General Stuff, Musings