
What's Wrong With Humanity?


F-Insecure (Or, how I learned to stop mucking with infrastructure and love the 'net) Apr. 10th, 2007 @ 07:58 pm

Aside: I'm in the wrong industry. I need a job where I get paid to shoot my mouth off about random topics. I guess that's what this 'blog is for.

Internet security company F-Secure recently proposed the creation of a new Top Level Domain (TLD) called ".safe" for banks and other financial institutions, with the purpose of ameliorating the rampant problem of phishing attacks. Their idea is that ICANN, which manages the Domain Name System (DNS), can establish the .safe TLD in such a way that only legitimate financial institutions will be able to register a .safe domain name. In this way, consumers could rely on the .safe tag in the domain name to be assured they are connecting to the proper website. This, in short, is Bad and Wrong™.

The problems with this proposal lie in a few critical areas, which are so simple that I can hardly believe F-Secure overlooked them.

  1. Phishing attacks aren't dependent on the user recognizing -- or failing to recognize -- the domain name of their bank in the URL. A well-crafted phishing message can entice all but the most experienced Web veterans by using official letterhead, emulating standard formatting, and using feats of technical legerdemain to make the links appear to be links to legitimate bank URLs. Surely, a .safe domain name could be just as easily spoofed.
  2. ICANN seems to be very pragmatic about its creation of new TLDs. For several years, ICANN has been fighting the creation of a .xxx TLD for adult-oriented websites. The reasons for creating a .xxx domain are quite similar to those F-Secure presents for .safe, primarily that by segregating a certain group of websites into a particular TLD, it is easier to identify those sites and their content. The main arguments against the .xxx TLD also apply to the banking industry and .safe: companies will be unwilling to abandon their well-known (and often hard-bought) domain names in the .com domain and other national TLDs, such as .co.uk, .de, etc.; and as long as there are smaller institutions who don't want to pay for membership in the segregated domain, it will not be feasible to apply the very principle that led to the TLD shift.

F-Secure's proposal is just one of many technical proposals for a problem that cannot be solved through technical means. The malicious users that conduct these phishing attacks are 1. very technically sophisticated and 2. very savvy to the behavior of the average Internet user. Any technical solution proposed to stop phishing attacks is doomed to failure because of the nearly limitless imagination and creativity of the attackers.

The only viable solution to the problems caused by phishing is improved user education. Only when the average Internet user understands the dangers of phishing -- and other threats to personal information on the Internet -- can the problem truly be mitigated. Users must understand that their web browsers and email clients can be fooled into displaying misleading information, and that it can be difficult or even impossible for the most experienced Internet users to tell where a link might take you before clicking it. Even after clicking the link, techniques exist to obfuscate the true destination in the browser's address bar.
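The mismatch between what a link appears to say and where it actually goes is something a mail filter can check mechanically, even if a human reader cannot. The following is an added example written for this page, not code from the post or from F-Secure: it pulls every anchor out of an HTML message and flags the cases the post describes, namely visible text that reads as one address while the href points at another domain, a brand name buried inside an unrelated host, and a raw IP address standing in for a hostname. The bank domain examplebank.com, the brand keyword, and the sample message are constructed placeholders, and the "last two labels" notion of a registered domain is a deliberate simplification (a real filter would consult the Public Suffix List).

```python
"""Added example (not from the post): flag e-mail links whose visible text and
actual destination disagree, one of the phishing tricks the post describes."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the bank's real domain(s) and brand keyword are
# known to the filter.  examplebank.com is a constructed placeholder.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND_KEYWORDS = {"examplebank"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s):
    """Hostname of a URL, or of bare text such as 'www.bank.example/login'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return urlparse(s).hostname or ""
    except ValueError:
        return ""


def _registered_domain(host):
    """Last two labels of a hostname.  Deliberately naive: real filters use the
    Public Suffix List so that e.g. bank.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_url(text):
    """Visible text the reader would read as an address rather than a label."""
    return "://" in text or ("." in text and " " not in text)


def analyze_links(html):
    """Return one finding per suspicious anchor: its href, visible text and the
    reasons it was flagged.  An empty list means nothing was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host_of(href)
        reasons = []
        if _looks_like_url(text):
            # The reader sees one address but the browser will open another.
            text_host = _host_of(text)
            if text_host and _registered_domain(text_host) != _registered_domain(href_host):
                reasons.append("visible text and href point to different domains")
        if _is_ip_literal(href_host):
            reasons.append("href host is a raw IP address")
        elif href_host and _registered_domain(href_host) not in TRUSTED_DOMAINS:
            reasons.append("href host is outside the bank's known domains")
            if any(brand in href_host.lower() for brand in BRAND_KEYWORDS):
                reasons.append("brand name embedded in an untrusted host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: two deceptive links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account within 24 hours:</p>
<p><a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a></p>
<p>Or visit <a href="https://www.examplebank.com/">our homepage</a> as usual.</p>
<p><a href="http://192.0.2.10/login">Click here</a> if the link above does not work.</p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the first and third anchors are flagged and the genuine homepage link passes. The check is only as good as its list of known domains, which is exactly the point the post makes about user education: the filter knows which domains belong to the bank, while a reader looking at the link text does not.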

As a way to meet the needs of the bank to communicate with customers, and the customer's need to be secure in his online activity, I would propose the solution used by Bank of America. I'm not talking about the SiteKey, where a user is presented with some previously chosen image and textual message, which can be spoofed relatively easily, but rather their secure mailbox feature. With the secure mailbox, Bank of America never sends actual information to your email account; rather, they send you an email notification, then you visit their regular online banking website without following a link and retrieve your message from a drop-box in your account which can be used only by you and Bank of America's customer service team. This way, you never follow an untrusted link, and you never get information from outside the bank's own website which you visit by typing in the bank's well-known URL.

With a heavy dose of user education and good security practices on the part of financial services providers, we can conquer Internet insecurity without introducing unnecessary infrastructure and breaking the Internet's end-to-end service model.

Mood: annoyed

An Open Letter To Joe Kennedy Feb. 22nd, 2007 @ 11:09 pm
Dear Joe-4-Chavez,

Dear Joe-4-Oil,

I've never been a friend to the Kennedy family, so this letter will be fairly easy to write. However, your father, Bobby, and your uncle Jack were, at the very least, decent, respectable men who did their best to continue the fight against Communism as it spread into our own backyard. They may have failed to defeat Castro, but by God they would have kept trying if they hadn't been taken tragically from us.

You, however, are a disgrace, both to the Kennedy family and to the American people. At a time when it is most critical for the American people to band together and recognize the ferocity of the hatred of an insane and desperate despot, you rally with this Communist dictator, not only to rally his regime in the face of waning popular support but to line your own coffers with Chavez's filthy money, which will do no more to help the starving poor of Venezuela than will the food and aid packages -- held hostage by Chavez's bosom buddy Kim Jong Il -- sent to North Korea.

While I certainly have nothing but the deepest sympathy for the underprivileged Americans who would stand to benefit in the short-term from this insincere PR stunt, America cannot benefit by allowing undue influence over the American people by a Communist thug who associates with the likes of Mahmoud Ahmadinejad, Kim Jong Il, Fidel Castro, and Vladimir Putin. Hugo Chavez has the distinction of running the second-most corrupt government in the Western hemisphere, right above Haiti. Even Fidel Castro has a more open and transparent government than Chavez.

Tell your friend Hugo that if he's thinking about getting into the charity business, remember that charity begins at home. Maybe he could try sharing some of his oil revenues with his own impoverished people. None of his O.P.E.C. buddies are doing it, maybe he could start a new trend toward social justice in the middle east. Perhaps I'm being a bit too optimistic.

I ask you, Joe Kennedy, how does it feel to be the son of a U.S. Attorney General, the nephew of a U.S. President, and (as defined by Title 50 of the U.S. Code) an agent of a foreign power? What would your father say? Do you think he's proud of you for selling out to a hostile, foreign government? Yeah, I don't think so, either.

And since you've discovered a new meaning of the word "friend" to apply to Venezuela's tyrannical "president", allow me to use your new word in closing,

Your friend in Maryland,

James H.

Mood: infuriated

The world is still FUBAR Jan. 18th, 2007 @ 12:30 am
After a two-year hiatus, I've decided to dust off the old website and resume ranting about the massive stupidity that continues to flood our great society. I'd love to get out the soap box right away, but it took too long to remember my password, and now I'm going to bed.

Look out, Internet... James is back, and he has two years' worth of saved material!

PS: I'm starting a Word of the Week segment. My bet is that it lasts exactly one week, including this one. Which is okay, since that's probably all the longer my renewed blogging spirit will last.

Word of the Week
butyraceous n. 1. of the nature of, resembling, or containing butter

Sample: The topping on this microwave popcorn could almost be described as butyraceous, but that would indicate some passing similarity to butter.

Current Location: My Apartment
Mood: annoyed
Music: Five for Fighting - Superman (It's Not Easy)

Just When I Started To Have Faith In Humanity Again... Sep. 30th, 2004 @ 01:09 am
Just when I thought I had a grasp on the level of stupidity allowed at a major American university, someone comes along and readjusts my attitude... downward.

There's a Sophomore girl who lives next door to me (a transfer, so as good as a Freshman) who is helping me redefine the stupid question. For reference, let's call her Jessica. I used to think the stupid question was the one I was asked while at work ("My Internet doesn't work!"). Now stupid questions are attacking me while I'm in my dorm room, doing boring things like homework and important things like watching TV. What could have possibly happened to irritate me enough to actually post again? Let me tell you a story...

Those of you who know me, or at least have read my 'blog, probably know that I work in tech support at my university. I have a few stories set aside that represent the Most Stupid Issues Ever In The History of University Information Services(tm). Here they are:
  • Number 4: We once received an email from a student who had become very frustrated trying to "get updates for my Mac at windowsupdate.microsoft.com". (Hint: You've already upgraded beyond any Microsoft product by buying a Mac!)
  • Number 3: A student came into our office asking about computer availability after the office was closed. I told him that there was a computer lab down the hall that is "open twenty-four/seven". His reply: "Really? Even on Sunday?" (Yes, Sunday is one of the seven days of the week.)
  • Number 2: Just before Hurricane Isabel hit our fine city (and not very hard, compared to the way hurricanes hit Florida), a student left a voice-mail message for us asking that her "Internet connection be turned on, because, like, if the power were to go off, the Internet would, like, be our only form of emergency communication". (I wish this were Number 1, because, like, it's a no-brainer that computers require - what's it called again? - oh yeah, power.)
  • Number 1: A student once called to complain about her Internet service not working. When asked what kind of computer she was using, she replied, very angrily, that "my computer won't arrive for another two weeks, but that's not important right now." Dumbfounded, the lucky tech on the phone told her, "Miss, you need a computer to access the Internet." This seemed to adequately resolve the issue. To this day, I have no clue what she was trying to use to access the Internet. My guess is that her parents bought her a really cool toaster for going to college.
With those stories laid out, I can continue illustrating how Jessica is helping me pin down the definition of "computarded". She has asked me to look at a problem with her computer (something trivial, I don't remember what it was), and prefaced her question with the assertion that it was, in fact, going to be a "retarded question". After I fixed the issue, I told her these stories to make her feel a bit better about her imperfect computer knowledge. To my horror, I had to explain each one of the stories above, with the only exception of Number 1 (I only needed to retell that one). I even had to explain that computers need power to run.

My question for any who care to respond: How has this girl not already won a Darwin Award? I'll let you ponder that.

PS: Jessica, if you happen to read this, I'M REALLY, REALLY SORRY! No hard feelings?
Well, I tried...

Mood: aggravated
Music: Paul Oakenfold - Ready Steady Go

I Used to Have Respect For the RFC System Sep. 7th, 2004 @ 12:54 am
Ok, so I haven't posted in two months. Sue me.

In reading Hobbes' Timeline of the Internet v7.0, I found some RFCs that by all rights shouldn't exist. Here are some of my favorites:
  • RFC 968 - Twas the night before start-up
  • RFC 1438 - Internet Engineering Task Force Statements Of Boredom (SOBs)
  • RFC 1882 - The 12-Days of Technology Before Christmas
  • RFC 1925 - The Twelve Networking Truths
  • RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)
  • RFC 2549 - IP over Avian Carriers with Quality of Service
  • RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)
  • RFC 3092 - Etymology of "Foo"
Of course, I'm sure there are others that are more foolish, but I haven't had the (mis)fortune of stumbling across them yet. At least now we know what the sense of humor of the average IETF engineer is like.

Mood: amused
Music: Bobby De Angelis - Stranger on the Shore
Other entries
» Happy Independence Day!
It's great to be back home for the Fourth of July. For me, there could be no more fitting celebration after my return from Europe than the celebration of our great country.

As we celebrate our freedom today, let's take a moment and remember those who fought for our freedom, as well as those who continue to defend our country and the ideals that make America great. Don't forget to say a prayer for those who are away from family and friends, helping to bring freedom to others.

God bless America and all those who love freedom.


» Swiss Security
I certainly hope Swiss security problems are limited to Wireless Internet access, especially considering the huge amount of international banking that runs through Swiss banks (mmm... secret numbered account...).

So, I have more than a couple hours to kill. I have such a long wait, my gate still hasn't been posted, and I've already been here an hour. So, to alleviate the boredom, I decided to fire up NetStumbler and see if I could find a wireless signal. Apparently, the Zürich Airport has an in-house network, but unlike the one at the Vienna Airport, this one wasn't free. Or so the network engineers thought. By a complete fluke, I found a security gap in the system of one of their new billing services (it's currently in "beta"), and here I am, the whole Internet, wireless and gratis, at my disposal.

It doesn't help, though, that I just got the "Low Battery" notice. *Sigh* Time to find a plug.


» Going Dark
Today is finally the day. I'm leaving Vienna, headed back to the good ol' U. S. of A. Of course, that also means (since I have the world's worst flight plan - VIE-ZRH-EWR-ORD-DAY) that I will be completely unavailable for the next 30 hours or so. Except by cell phone when I'm on the ground. And the Internet if I can find a hotspot.

Anyway, as I sit in the Vienna International Airport, using the free wireless connection, I have to think: what the <expletive deleted> am I going to do for the next 30 hours? *sigh*

Well, catch you on the other side of the Atlantic...


» Quick Update
Okay, quick update:
  • I'm out of GMail invites. If you didn't get one, I'm sorry. Send me an email, and I'll put you on the wait list for my next round of invitations.
  • I'm almost done with my semester abroad at the Universität Wien in Vienna, Austria. I'll be back in the States on 1 July, but only for a layover at Newark Liberty International Airport (KEWR). Let's keep it simple: New Jersey sucks. I'll actually arrive home on 2 July.
  • My final exam in Geschichte der Sowjetunion (History of the Soviet Union) is on the morning of 28 June at 0930CEDT (0730GMT, 0330EDT). Wish me luck.
  • My final exam in Rechnerarchitekturen und Kommunikationsnetze (Computer Architecture and Communications Networks) is on the afternoon of 29 June at 1400CEDT (1200GMT, 0800EDT). Wish me luck.
  • I'm still working on my term paper for Intelligence Community: Nachrichten- und Geheimdienste der Welt (Intelligence Community: Intelligence and Secret Services of the World). It's due sometime soon. Wish me luck.
  • I turned in my term paper in Europäische Sicherheitspolitik - europäische Ordnungspolitik: Prämissen und Ziele (European Defense Policy - European Regulatory Policy: Premises and Goals) on Saturday. It's never too late to wish me luck.


» You've Got GMail!
Woohoo! I just got 6 invitations to join GMail that I can give to anyone I want! If you want a GMail account, email me or post a comment. Any invitations left by, oh, let's say, 0000GMT, Sunday, 27 June (2000EDT, Saturday, 26 June), will be sold on eBay.

Invitations remaining: 6 5 4 3 2 1 0

