Why I don’t carry a smart phone, and maybe never will

We Need More Things To Worry About Department:

With thanks to faithful reader LJ, I now find my irrational fear of smart phones totally rational. I have a friend who calls all phones “spy chips,” and the more I learn, the more convinced I am he’s right.

CNN.com carried an interesting article about how our mobile phones are becoming Frankenstein’s monsters, just smart enough and totally out of our control: http://www.cnn.com/2012/02/28/opinion/mobile-frankenstein-keen/index.html?hpt=hp_c2.

And it’s striking coincidence that both the Scientific American Book Club and the Science Fiction Book Club selected When Gadgets Betray Us (http://whengadgetsbetrayus.com/). The line between “science” and “fiction” is getting awfully thin.

My analyst friend Herbbie also passes along a nice article: “Hackers Can Follow You Via Your Cell Phone”: http://www.smartplanet.com/blog/thinking-tech/hackers-can-follow-you-via-your-cell-phone/10415?tag=nl.e660. So who cares? Well, some of my clients might just care a whole lot.

10 simple tips for new Linux admins

Many of my students express an interest in Linux, both for the capabilities it offers and because it’s a good job skill in your toolbox. When you’ve been in it (ahem) for decades, it’s easy to forget some of the simple problems you faced when you started. For instance, how many Windows desktop users have ever combed through logs?

Pinehead.tv (“Fighting for Smarter Newbies”) has a nice little list of “Ten Things I Wish I Knew When Becoming A Linux Admin” at http://tuts.pinehead.tv/2012/02/24/ten-things-i-wish-i-knew-when-becomming-a-linux-admin/. Linux students: head straight there.

Can Anonymous really pull off a DDOS attack on the whole Internet?

In a word, yes.

Which is to say, it’s technically possible, and using software specifically designed to take advantage of a “reflection” flaw in DNS itself. Whether Anonymous actually commands the skill to pull this off is debatable, for the moment. It’s not likely to remain theoretical for much longer, however.

Read a discussion of their announcement at http://prohackingtricks.blogspot.com/2012/02/anonymous-launches-ddos-attack-on.html.

See the actual declaration by Anonymous at http://pastebin.com/NKbnh8q8.

Freedom is Layer 2: Mesh networks in Vienna, Athens

They can’t take it away if they don’t control it:

Let us never forget that the easily-cowed ISPs of Egypt bent willingly and cut off Internet access during Egypt’s Arab Spring revolution. Fortunately, the heroics of people who brought Internet-in-a-suitcase rigs, the cleverness of dial-up networking to foreign ISPs, and some fascinating cell-phone-buried-on-a-hill tactics got the people back in touch with each other well enough to coordinate their efforts. (See http://www.scientificamerican.com/article.cfm?id=the-shadow-web)

We may well need some such heroics in the future.

How about putting a Linksys router in a Tupperware box on your roof? People are doing it in Vienna, and a similar project has been underway for years in Athens. Everyone joins a common network, no ISP required, no special software, just plain old 802.11 wireless. Read about the Vienna project at
http://nakedsecurity.sophos.com/2012/02/24/activists-creating-decentralized-mesh-network-
that-cant-be-blocked-filtered-or-silenced/?utm_source=Naked+Security+-+Sophos+List&
utm_medium=email&utm_campaign=ad6a3a0271-naked%252Bsecurity

And how about larger scale networking, like an alternative Internet routing layer? See http://freedomboxfoundation.org.

Or maybe a complete alternative Internet? It’s not just a dream, it’s Project Byzantium: http://wiki.hacdc.org/index.php/Byzantium.

All of this is to say, we’d better be thinking about this, if we really value our freedoms on the Internet. Fortunately, at least a few people are. Are you?

What The Senate CyberSecurity Bill Means

Big Brother Wants to Watch You More Closely Department:

We are getting the shit hacked out of us. China peels us like grapes. Russia lies, defrauds and steals. Gangstas the world around see us as juicy targets.

So is the solution giving management of the Internet to the NSA? Controlling the security of major Internet corporations from the Federal level? Monitoring all traffic (directly violating Federal wiretapping laws)?

If any of these things give you a chill, take the time to read “What You Need To Know About The Senate Cybersecurity Bill” at:
http://www.fastcompany.com/1821032/what-you-need-to-know-about-the-senate-cybersecurity-bill

And to evaluate the success and good engineering of past efforts, read about “the awful mess of Homeland Security’s social media surveillance program.” “[O]ne thing is for sure: If you’re the first person to tweet about a news story, or if you’re a community activist who makes public Facebook posts–DHS will have your personal information.” (http://www.fastcompany.com/1816814/department-of-homeland-security-explains-social-media-monitoring-project-to-congress)

Firefox Add-Ons You Must Have

In Search of Some Safety on the Internet(s): Firefox Add-Ons

Governments around the world, including our own, are looking for ways to cut off their people’s access to information. These same entities are also seeking to gather far more information about each of us, rules of law or Constitutions be damned. Not to mention the many, many online entities that want to collect, own, buy and sell information about you and me. Have you heard about the teenager whom Target knew was pregnant before even her father did? This is not a good situation.

There are things you can do to make your Internet travels “safer,” though I use quotes on  purpose with that word. Some of the best, at least for getting started, are Firefox Add-Ons that can prevent some of the tracking and hacking. These are my favorites.

NoScript

This long-time protector keeps web sites (and third parties) from running scripts on pages you visit. Obviously, sometimes you need programmed interaction: when you’re filling out a survey, for instance. NoScript gives you a nice icon to click when you want to allow some or all scripts, on some or all pages, temporarily or (don’t be silly) forever. Get this one immediately.

Ghostery

Despite the unusual name, Ghostery is a simple tool. It disables tracking bugs. Ever visited a page with a Facebook icon? Guess what: assuming you’re a Facebook user, that page just got access to your Facebook account information. Without you doing a single thing. Even more insidious are the 1×1 pixel clear GIFs and Flash animations that give third parties the opportunity to track your web travels and store everything of interest. Ghostery shows a purple pane when you first land on a page, listing the disabled bug(gers). You will be surprised at how many entities want to follow you around.

Flashblock

Don’t even let Flash, one of the most hacked platforms on the Internet, run at all. If you want to see a video (for instance, because you’re on YouTube), you can click the familiar VCR-like Play button; otherwise, forget it. Suddenly the Internet seems twice as fast! And it’s safer.

FoxyProxy

Used by political dissidents in China, Iran, Syria and the USA, FoxyProxy lets your browser “dive” into the encrypted TOR network, so that you seem to be somewhere else (say, Canada). All your traffic is hashed, and even your location is hidden. The underlying TOR protocol is constantly revised, so that people in Iran, for instance, can hide their browsing inside seemingly normal traffic.

Click&Clean

Have you used CCleaner for Windows? This add-on integrates with CCleaner, or can do its own housekeeping: cleaning up your history, cache, etc. after browsing. Useful for keeping your wife from finding your favorite porn sites, or otherwise obscuring your web tracks. I haven’t tried this against my forensics tools yet, so it’ll be interesting to see how well it works.

And don’t forget Private Browsing

This doesn’t even require an Add-on; just pull down the Tools menu in Firefox and choose Start Private Browsing. You’ll be covering your tracks at least on your own computer.

Nortel breached for almost a decade

Ultimate Catastrophic Breaches Department:

Once again Herbbie and DarkReading.com put me into conflicting urges to laugh and to break down crying. This is the kind of breach that would make me commit hara-kiri if it were on my watch. Talk about your persistent threats.

Hackers breached Nortel security in 2000 and were able to maintain “widespread access” to the company’s computer systems for close to 10 years, according to a report.

Nortel did not immediately respond to a request for comment about the breach, but the extensiveness of the hack — and the apparent lack of an effective response by Nortel — has raised eyebrows. … The Wall Street Journal reported that hackers based in China were able to breach security using seven stolen passwords belonging to Nortel executives. Using spyware and the compromised credentials, the attackers were reportedly able to gain access to technical papers, business plans, research and development reports, employee email, and other documents.

http://www.darkreading.com/advanced-threats/167901091/security/antivirus/232600858/nortel-breach-gave-hackers-access-for-years-report-says.html

Almost a decade. They had access for almost a decade.

Chinese Hacking: The F-35 Fighter Hacked

No doubt about it: everyone from Anonymous to the Chinese are listening in on “secure” conference calls. They listened in on some, regarding the F-35 Joint Strike Fighter, about three years ago. Which is dismaying.

They got details on control software (designed with no security in mind), as well as special communications and antenna arrays. They snooped into government systems, and propagated their attacks to infect contractors to the project, who then had serious problems of their own.

But no! The Chinese are our friends and trading partners. We can trust them, right?

Read this and decide: http://defensetech.org/2012/02/06/did-chinese-espionage-lead-to-f-35-delays/

Linux developers and sysadmins are in huge demand, big raises, bonuses

Department of What Have I Been Telling You:

Companies adopting the free, open-source Linux operating system are having trouble finding developers and system administrators skilled in Linux, according to a new survey to be released next week.

The tight job market has driven up salaries and bonuses and prompted companies to increase their training and outreach to meet recruiting needs, the survey finds. The median salary for Linux-skilled technologists rose 5% to $84,000 last year with median bonuses at $5,000….

“It’s hard to find talented people because there’s extremely high demand,” says Dustin Larmeir, a support manager at Dallas-based FireHost Inc., a provider of secure public cloud hosting. The company, which has openings for seven Linux system administrators, is scouring all of the U.S. to find skilled hires, Larmeir says.

Get it from the horse’s mouth at http://blogs.wsj.com/digits/2012/02/10/linux-popularity-sparks-salary-jump/?mod=WSJBlog&mod=.