What is Digg?8 Comments
- TheSwashbuckler, on 11/07/2009, -0/+4While that's necessary, it's really just the very tip of the iceberg.
A bad actor anywhere in the supply chain can cause problems. Consider:
- A rogue programmer at your company
- A rogue programmer at a 3rd party component supplier's company/organization
- A rogue programmer at a tool vendor's company/organization (which in turn inserts malicious code into your product)
- A bad actor who hacks an open source site to post something with a problem (this can happen in either the source code repository or a code download)
- A bad actor at a disc duplicator company
- A bad actor at a CDN company (if a product is downloaded)
The list goes on and on... And that's just for malicious actions! - TheActivedigger, on 11/07/2009, -1/+4Staying updated on protective software like Norton, McAfee, Trend Micro, etc.. Staying updated will protect you from the latest viruses your current version won't recognize. Same goes for Windows updates, for security patches, and so on.
- JohnnySoftware, on 11/08/2009, -0/+1Here is a model that any lay person can understand that illustrates the hazards and ways to protect the stream of technology that ultimately converges into a product that is used.
Think of food. It is a good analogy. It is timely - the US has had serious problems with food safety in the past several years. Ironically enough, as we faced problems with bacteria/virus tainted food from suppliers and distributors - we faced the directly parallel problem of Trojan/worm/virus tainted software and data files from the food delivery pipelines' equivalent over in the world of computers/networks/media/devices.
There is another way the analogy fits. In food safety, proper production & handling prevents tainting the item or an ingredient with some contaminant. In food safety, cooking or treating something that has or may have certain types of contaminant - perhaps by cleaning/scrubbing/rinsing it - may make it safe again. At least temporarily, that is. After a given amount of time, it may need treatment again. It certainly will if it is recontaminated too.
Every human being understands food and sickness. Well, at least the ones old enough to use a computer or make decisions about computers.
Growers in Mexico, for example, were found to be irrigating jalepeno peppers on a farm by using waste-contaimnated water. That is a production flaw.
In the US, vegatable farms in the Salinas Valley were getting a bad reputation because the valley was repeatedly noted to be the source of a deadly e.coli bacteria strain. The cause, hopefully the only one, was found after years of outbreaks & investigations, to be a cow pasture on a hill above the farms in the valley. That is a production problem.
There was an outbreak of salmonella across the US. A peanut distributor in the US was found to have salmonella tainted peanuts. They had holes on their roof, birds overhead, insects inside, and their product had tested positive by independent tasters before it had shipped. That is contamination in the distribution channel.
If you bring a raw chicken or other meat home, it may have any of several types
of bacteria on it. Using proper food handling - cleaning hands, surfaces beforehand, perhaps during, and also certainly after - you keep the preparation area safe and prevent creating or reintroducing contamination. By cooking the product you remove or at least neutralize contamination that quite possibly was there in or on the meat to begin with.
If you do something like use the knife you cut a whole chicken up some before cooking as a carving knife afterwards, without a thorough cleaning before carving - then you are reintroducing some or all of what contamination you got rid of by though cooking and careful food-handling.
You went through a lot of efforts perhaps, but then you undid them all in the end - right before you and your guests put the food in your mouths.
When I prepare food, I have a pretty good way of deciding what I can set down where, what I can use without cleaning/re-cleaning, and when I need to wash my hands.
At the outset, I imagine what things are possibly contaminated: the meat and my hands, generally. I visualize it in my mind's eye as tainted with a removable paint or dye. I wash my hands and take care where I set the raw meat down.
Now, I visualize my hands as clean and where ever the meat lies as tainted. The meat is still tainted. i cut it, and the knife I use is now tainted and mentally, I visualize it that way. I place it in the pot or pan, and visualize my hands or the untensil I used as now tainted. So, I clean them off - whichever I used.
Now, I cook the meat. When it is done cooking, I remove it with something that is not contaminated - something I do not mentally visualize as having the imaginary dye tainting it. I serve it with non-tainted utensils and then I or we eat it with non-tainted utensils.
This is exactly the way that computers/components/software/networks/equipment and storage/communications media should be treated but it is really, really clear they are not much of the time. We all need to visualize the invisible "taint" that appears and is removed, perhaps over and over, as it moves through our suppliers, organization/household, and is used.
We know how important this is with food and as many cooks in many households & restaurants can attest, it is important and possible to do. Many unlucky diners and their doctors can tell you what happens when you do not do proper food preparation & cooking, or a supplier messes up badly. So every household and thus every business has someone in it that can understand safe computing with a little extra coaching.
Perhaps the only ones who will have a lot of trouble are those who never cooked raw meats before. Be aware of that and take extra time to explain things to them because they might not be able to visualize things the way a good, safe cook can. Maybe they will get it when you explain the imaginary dye analogy to them. - JohnnySoftware, on 11/08/2009, -0/+1Updating will protect you from many malwares. It will not protect you from all.
AV software is ad hoc. Firewall is proactive. So is creating the software products right in the first place - not baking the vulnerability into them in the first place. You cannot put all the responsibility on the user's shoulders.
Safety begins at home and most malware spreads because of badly written software - OS, apps, or both - with plugins & documents also contributing problems. But good apps and OS are supposed to be constructed in such a way that this cannot happen without a user being warned, or at all - ideally.
If the problem never gets corrected, then it is up to buyers - customers, officers, and purchasing agents to buy different things. - nyxerebos, on 11/08/2009, -0/+1Is it just me, or does the use of outdated buzzwords like 'cyber' make this seem less credible.
- JohnnySoftware, on 11/08/2009, -0/+1Yeah, these are real concerns. Who knows what protective measures are being done by vendors, customs inspectors, government regulators, public/private security researchers, and law enforcement to look for attacks unlike any we have heard of being used before to make sure they do not go undetected when they do?
Realistically, what if a bunch of PCs were shipped in from another country with a stealth Trojan embedded in its main/graphics/whatever BIOS? Software debuggers would not catch it. ROM readers would and ICE debuggers would but do inspectors check them that way at the US border? True, they might not survive an update if they were in flash memory not ROMs but would the parties responsible even care at that point? You only have to throw a brick through a window once to break it.
MS-Windows malware has shown up pre-installed in consumer electronics devices lots of times; a few brands of non-Apple MP3 players, then a short 1 or 2 week run of iPods from one factory - and then USB digital picture frames, of all things. There are probably others, those are just the first ones that come to mind - probably because they were covered in the news so much.
Malware with a rootkit was intentionally manufactured into over a hundred music CD titles by one of the biggest labels in the music business and went undiscovered for over a year, infecting millions of computers.
That was pretty shocking, actually - in both the perpetration and the lack of detection. At the time, the Windows security team was talking much more loudly about the "imminent" wave of Mac OS X worms and viruses than they were about the rootkit they had not thought of looking for on millions of MS-Windows PCs - let alone on the audio CDs that spread it in classic Trojan horse fashion.
Web advertising is a whole subject onto itself. You might completely trust a site's personnel, their security measure, and the company/brand that owns it. But, do you trust every advertising broker/server/supplier that injects ads onto that site? Well, you probably do not even now who they are and probably cannot find out. You're not only extending trust to the principle party - you are trusting their ability (or luck) at delegating trust. It hast not worked out so well in the past several years, specially this year (2009).
Malware being delivered via web ads was an obvious risk years ago when the first graphics rendering vulnerabilities were discovered in the most popular image file formats on the most popular operating systems.
Infected ads did indeed come after that and no warnings went out publicly to point out the risk to web users. It is not like hackers would be unable to put 2+2 together for themselves.
When Flash showed itself to become a steady supplier of vulnerabilities, malware ad authors moved onto that platform. Flash is bigger and more complicated than parsing/rendering logic for individual graphics files. The number of programmers who are allowed to read that source code to check for errors and repair them is surely quite small. It surely takes less time to find one vulnerability in Flash without source code than it does to find and fix all vulnerabilities in Flash with source code. Especially when there are probably lots more hacker programmers in the world than there are programmers auditing the Flash code full time at Adobe.
Flash has an embedded programming language in it too, so vulnerability searching is neither a purely manual nor purely black box task, unfortunately. It will be hard to dislodge hackers from it because of this combination of circumstances.
The press protects sources and also withholds information it possesses to protect individuals or even national security. The major news companies have been infected by malware before too because employees brought laptops home to do work at night - which is kind of what they are for - and came back to office with malware because they did not bring an IT support guy and an armful of security protection home from the office.
Also, lots of major/trusted news media organizations serve malware infected ads on their site and presumably a lot of their stuff looks at their own news site in the course of a day. If the organization's systems are infected with malware inside and out more or less by accident then they are certainly vulnerable to attacks intentionally directed at them.
All of a sudden withheld information can escape without being published. Yeah, people can keep a secret but look around - computers can't. There would be leaks even though N or N-1 individuals in the organization was totally committed to prevent them.
Paid, undisclosed shills have turned up in the journalism/commentator industry. If those people will violate the most fundamental aspect of professional trust for their profession then they might do something to compromise the computing/networking integrity of the organization. Nobody expects them to do such a thing but unfortunately, nobody suspected they would sell out their published "opinion" to the highest bidder without disclosing it either.
Also, they can be duped. Well meaning product reviewers have been given products to evaluate that they might not have been required to return. Another concern is some have been given free computer repairs and maybe, at some time or another, complimentary "virus removal" or some kind of computer service/repair as a small favor. Well, if the person supplying the service or the supply chain of the people/environments supplying the computer product being evaluated are not 100% safe then it could be just another Trojan horse to the media organization.
Clearly, this would bypass firewall protections and might bypass the antivirus scanning rules of the organization. Even if it was not hooked up, these days simply putting a thumb storage drive into one Windows PC and then a different Windows PC will often spread a virus/worm hybrid malware that inducts it into the Conficker botnet or whatever.
Not only confidential information but the identity and/or location of confidential sources would be at risk in the event of a serious news media internal cyber security breach. And, hey, this is just one offhand example of this kind of problem. Other industries have analogous problems.
So the "chain of custody" concept put forth in the article is very important. Think about it in the context of the historic, current, and potential security breakdowns I mention.
These would be less of a concern if malware was not such a problem due to not only coding errors but seriously risky architectures and design goals being pervasive in PC products.
We think of hackers and their nemesis computer security professionals virtually walking around with flashlights, tweezers, and magnifying glasses to find cyber vulnerabilities. In truth, they are probably wading through them.
That gives hackers way too many ways & tries to do something bad and that gives cyber security gurus way too big a border to patrol. Clearly, huge things slip through, as you realize if you go back and read some of the examples above. Clearly, they are not all the fault of reckless users or laxness in installing what are billed as "critical security" updates. That may usually be the case but as you are reminded by some examples above, that is not always the case.
And because of the difficulty in communicating about kind of inevitable risks in a comprehensive & convincing way to someone who goes not grasp the workings of computers, that is clearly going to slow them down. So with the cost of checking "checking everything" in every way that is prudent, a lot of prudent checks are not likely happening.
The only solution is to design stuff safer and conceive of how something might be exploited by a wrong doer at the very beginning of product design. That means during the product goals definition process - not just architecture, design, or worse coding but at the VERY start of the project. That will not solve all the problems but it will drastically reduce problems. That in turn will make it easier to deal with what is left by reducing the "insecurity overload" that is totally obvious today. - antdude, on 11/08/2009, -0/+1One print page: http://www.informationweek.com/shared/printableArt ...
- hereticoftruth, on 11/07/2009, -2/+1Apparently the site was having cyber supply chain issues as it would not let me finish reading. I found Norton, Trend Micro and McAfee unreliable two years ago and Kaspersky much better. But I am not a genius in this area, just a customer who found what worked better for me versus the unreliable competitors.
© Digg Inc. 2009
— Content created and posted by Digg users is