Arbor posts DNS Attack Activity Stats

The Arbor Networks Security team has posted some analysis and graphs of the recent DNS flaw:

Given that this vulnerability was partially disclosed on July 8, I suspect a great deal of this traffic is name server vulnerability scanning, as opposed to malicious cache poisoning attempts, although there may well be a mix of the latter.

Nice visualization. The flaw was more officially known or “in the wild” on the 24th, and certainly known by the 27th, so a critical week is missing here.

New Site Found for W Presidential Library

A new site for the George W. Bush presidential library has been identified. It is an area north of Baghdad that the AP describes as “a chronicle of U.S. government waste, misguided planning and construction shortcuts costing $40 million and stretching back to the American overseers who replaced Saddam Hussein.”

The idea for the modern-style prison began with the Coalition Provisional Authority running Iraq after Saddam’s fall.

On behalf of the authority, the U.S. Army Corps of Engineers awarded a $40 million contract in March 2004 to global construction and engineering firm Parsons to design and build an 1,800-inmate lockup to include educational and vocational facilities. Work was set to begin May 2004 and finish November 2005.

Nothing went right from the start, the report says.

Dare we call this a fitting monument, a testament, to American leadership during this period?

Al-Husseini says he walks the perimeter and wonders what can be salvaged. A housing development is not possible, he said. Many concrete walls lack proper iron reinforcements and “can collapse at anytime,” he said. Birds and small animals have found homes in the towers and crannies.

“But some of the cell blocks are good,” he suggested. “So maybe it can become a factory. I don’t know. It’s depressing.”

A library. It can become the official presidential library.

People say Bush has done no good for the environment, but just look at the shining example of a $40 million bird and small animal sanctuary project.

The contractor, who failed to deliver on time or budget, claims that they were misled. Misled, as if such a thing were possible:

But the report said Parsons had argued that the U.S. government misrepresented the security conditions. Parsons said that its subcontractors faced threats that either shut down or slowed work almost daily. In August 2005, the site manager for one of Parsons’ subcontractors was shot to death in his office.

The no-contractor-left-behind program initiated by Bush in Iraq has certainly had its hiccups, but the millions spent on Khan Bani Saad was all part of the Mission Accomplished campaign. A fresh coat of paint, some books on existentialism, and maybe even a librarian or two who can explain how to see the bright side of life in this conflict unlike any other…just think of the tourism dollars, the souvenirs.

Police uniform confused with strippers

I love stories like this. The AP gives a humorous look at identity in Germany:

No one had ordered strippers for the 30th birthday party — but the two policemen who arrived after midnight to quiet the raucous celebration found themselves greeted by a round of applause.

Female partygoers in western Germany mistook the real-life officers for fake ones who entertain parties by peeling off enticing man-in-uniform outfits.

How will the German police respond to this clear and present danger of impersonation? Presumably not at all, since the risk is low. While the threat might exist, vulnerabilities are non-existent, and the assets…well, let’s just say the assets are probably safe.

3 out of 4 Bank Websites Insecure

The Register comments on the state of things, based on a 2006 study that was just released:

In a paper titled “Analyzing Web sites for user-visible security design flaws,” researchers from the University of Michigan found 75 percent of bank sites surveyed had at least one such design flaw. The report was presented Friday at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” said Atul Prakash, a professor in the university’s Department of Electrical Engineering and Computer Science, who initiated the study. Doctoral students Laura Falk and Kevin Borders also participated.

The flaws aren’t bugs, but rather features built into the design of the sites.

Why so long to announce? Many of the flaws are user interface related, such as not letting users know when they are being redirected and not telling them when SSL is disabled. Those are tough issues to baseline, since there is hardly a consensus on the best way to educate users about page and site safety. One thing is clear, however: the US regulators could be doing far more to protect consumers. It should not require a university study to find weak passwords and non-unique IDs.

Google has been kind enough to extend SSL to an entire mail session, not just the authentication page. This helps a little, as the sensitive information your bank foolishly sends in email now could be encrypted in transit, but banks should know better and their examiners/auditors should get on the ball.