Friday, July 15, 2005

Internet Security

Over the past month or two I have noticed a number of questionable security practices by different companies. On the local news, I frequently hear how hackers are responsible for much of the information theft on the Internet. I think the problem has more to do with poor security policies at organizations. About a month ago on Off the Hook, Emmanuel Goldstein was talking about how Citibank lost a backup tape containing millions of customers' information. The tape was shipped by UPS and somehow lost. The credit card company failed to even encrypt the information contained on the tape. In the latest Wired magazine there is also a graphic showing a number of records lost by corporations, and about half of the losses were caused by carelessness on the part of the organization.

On the net, achieving security usually takes a lot of effort. One thing I don't understand is that when I want to read my email through a web mail account, I usually have to click to say that I want a secure transaction. If I forget to do so, my password and messages are transferred as clear text. Sites should bring the user to the secure sign-in in the first place. Most users I see never use this option and log on through an insecure method.

A few months ago I switched my ISP to Comcast. When I got the account I was given an email address through Comcast. I was given a default password, which I attempted to change to a stronger one. I tried to change the password a few times, and each time I got an error message. The problem was that I could only use letters and numbers, and I was attempting to use other characters in my password. I really don't understand why Comcast users are restricted to only letters and numbers. Almost any literature on choosing a good password says that characters other than letters and numbers should be used. I tried to address this problem by sending Comcast technical support an email asking about their password policy. The answer I received was that the person wasn't in any position to answer that type of question and would pass my concern along. I never did hear back from anyone at Comcast.

Last week I had to change some of the DNS information for my web site. In the process of getting everything sorted out, the people at the web hosting company had to verify my identity. I was given the option of giving them my credit card number or my password for verification. That made me wonder why the hosting company even had my password. The company could store a secure hash of each customer's password and validate the password against the hash, instead of storing every customer's password as clear text. If someone were able to gain access to the database containing the user information, they would be able to access all the accounts on all of the company's servers. I asked the technical support person why the passwords aren't stored as hashes. I think he basically didn't like the question and said that he isn't in charge of making the policy.
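To make the hashed-storage suggestion concrete, here is an added example (my own illustration, not code from the post or from any of the companies mentioned) of storing a salted PBKDF2-HMAC-SHA256 hash instead of the clear-text password and verifying a customer-supplied password against it. The scheme, iteration count and record format are assumptions chosen for the example. Because the hash operates on UTF-8 bytes, the same code also shows why the letters-and-numbers-only restriction from the Comcast account is unnecessary: punctuation and non-ASCII characters hash just as well.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the original post): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt. The iteration count is illustrative; tune it for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The password is encoded as UTF-8 bytes, so any character is accepted:
    letters, digits, punctuation, spaces, non-ASCII. Nothing in the derivation
    requires restricting the character set.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the supplied password and the stored salt.

    compare_digest keeps the comparison constant-time, so response timing does
    not reveal how many leading bytes of the hash matched.
    """
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-integer iterations).
        return False


def build_sample_db() -> Dict[str, str]:
    """Constructed sample 'customer table': it holds hash records, never passwords."""
    customers = {
        "alice": "correct horse battery staple",
        "bob": "Tr0ub4dor&3!#",        # punctuation is fine
        "carol": "pässwörd-ünïcödé",    # non-ASCII is fine too
    }
    return {user: hash_password(pw) for user, pw in customers.items()}


def support_can_verify(db: Dict[str, str], user: str, claimed: str) -> bool:
    """What a support tool can still do with hashed storage: confirm or deny a
    password the customer supplies, without the plaintext ever being stored."""
    record = db.get(user)
    return record is not None and verify_password(claimed, record)


def plaintext_leaks(db: Dict[str, str], password: str) -> bool:
    """True if the raw password appears anywhere in the stored records, which is
    what a dump of a clear-text password table would hand to whoever obtained it."""
    return any(password in record for record in db.values())


if __name__ == "__main__":
    db = build_sample_db()
    for user, rec in db.items():
        print(user, rec)
    print(support_can_verify(db, "bob", "Tr0ub4dor&3!#"))       # True
    print(support_can_verify(db, "bob", "Tr0ub4dor&3!"))        # False
    print(plaintext_leaks(db, "correct horse battery staple"))  # False
```

Each record carries its own salt and iteration count, so two customers with the same password get different records and the parameters can be raised later without invalidating older entries. A support agent's tool can call `support_can_verify`, but nobody with read access to the table, including the hosting company's own staff, can recover the passwords from it.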

These are just a few of the incidents I have noticed recently where a company's security policies concerning user information come into question. Most of these companies like to blame others when their users' accounts are compromised, but they make the accounts easier to compromise in the first place.

The End of BinRev?

About a year ago I found the Internet radio show binrev. The show is a weekly hacker radio show, hosted by StankDawg, that discusses technology. I was sad to hear in the latest episode (#104) that the show is coming to an end. While there are still a number of good shows on the net that discuss technology, this one happened to be my favorite.

The first time I listened to binrev I didn't really care much for the show. It seemed like StankDawg would spend a lot of time going over the listeners' email. But the more I listened, the more the show grew on me. Each week a new topic would be discussed, such as cryptography, relational databases, programming languages, VoIP and other interesting subjects. The one thing I liked about the show is that StankDawg always looked to learn new things and to bring guests on the show to teach these topics to his audience.

The show will be missed. Hopefully in the future Stank will put a new show out on the net.

Thursday, July 14, 2005

Linux Not Ready for the Desktop?

I came across an article the other day where the author claims that Linux is not ready for the desktop. I have to disagree with most of what the author has to say. A large number of users currently use Linux, and the number is increasing all the time. Both Gnome and KDE have improved over the years and make it very easy for new users to use Linux and be productive. While the programs are different, there are programs to do most anything that can be done on Windows. The problem I see is that some sites may be developed that are targeted at Windows users. Even these are becoming less common. It is probably not in the best interest of a company to develop a site that works only with IE, since a lot of users today are using either Linux or a Mac. From the author's point of view, for Linux to be successful in the desktop market, Linux distros should be created so the features are more familiar to Windows users.

The author of the article wants to give Linux users the feel of being on a Windows machine. Why bother moving to Linux in that case? The users would be better off using Windows instead of creating a Windows environment out of Linux to save a company some money on its software costs. For instance, in the article the author feels that Windows users are used to "My Documents" and shouldn't have to worry about home directories. The author basically wants all users to abandon the UNIX traditions and to mold Linux into a free Windows OS. Most of the incompatibility issues that come from moving applications and data over to Linux have to do with the closed protocols that are used with Windows.