Security Podcasts

Someone just sent me this list of podcasts from a Masters in Information Security course at USF. Listen to them and you too may be able to get a Masters degree in Information Security. Thought I should share:

“OASIS Identity and Trusted Infrastructure Workshop at Catalyst Conference Europe.”
http://podcast.burtongroup.com/

CERT’s Podcast Series: Security for Business Leaders
http://www.cert.org/podcast/

Pauldotcom Security Weekly
feed://pauldotcom.com/podcast/psw.xml

Secthis.com
feed://feeds.feedburner.com/secthis

Secure IT Live
feed://feeds.feedburner.com/SecureItWithEricGreen

CNET Security Bites
http://www.news.com/2030-11424-6052904.html

Security Now
http://www.grc.com/securitynow.htm

Security Roundtable
http://www.securityroundtable.com/

Still Secure
http://stillsecureafteralltheseyears.com/

Symantec
http://www.symantec.com/podcast/index

I’d rather see a Jon Stewart-like nightly newscast of security events.

Police to License Access at Mumbai Cyber Cafes

Mid-day news reports that Mumbai Internet access is under heavy surveillance and supervision:

Vijay Mukhi, President of the Foundation for Information Security and Technology says, “The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity.”

“The police need to install programs that will capture every key stroke and, at regular intervals, screen shots, which will be sent back to a server that will log all the data.

The police can then keep track of all communication between terrorists no matter which part of the world they operate from. This is the only way to patrol the net and this is how the police informer is going to look in the e-age,” added Mukhi.

Seems like a good theory, but as we all know the “no matter which part of the world” and “every key stroke” phrases are absolutes. Absolutes and security rarely go well together.

All cyber cafes in the city will now need a police license to keep their business going. All cafes need to register at the police headquarters and provide details on the number of computers installed, type of computers and technical details like the IP address of each machine.

They will have some trouble when they realize how IP addresses are increasingly dynamic and spoofed.

I wonder how much of this type of cafe clampdown, if successful, will push anonymous network seekers onto the weaker wireless signals in residential neighborhoods.

Will police require home users to meet some minimum grade of security to prevent intrusion, and/or to report the number of computers, type, etc. when they run wireless networks? Will home users be held liable for weak security like WEP, or the providers, or even the manufacturers? The new Snoop law in England, if it survives public concern, may help provide answers.

Amazon Loses One-Click Patent Lawsuit

Interesting David v. Goliath story in the New Zealand news. I have not seen it anywhere else yet:

An Auckland man who defeated internet giant Amazon in a copyright battle hopes his example will inspire others to challenge big corporations.

The United States Patents Office has ruled that Amazon does not have the exclusive rights to what is called one-click shopping – the technology that allows shoppers to buy goods with just a single click of a mouse.

Peter Calveley used internet archive sites to prove the one-click shopping idea was pioneered by a now defunct internet company called DigiCash.

Calveley has said that he pursued the suit as a game, or in other words to make a point, but he financed it with donations. Suing Amazon for profit? His blog has more details:

Many thanks to everyone who helped out with the funding and promoting the blog.

Please don’t send any more money

(unless you want to contribute to my personal consumption ;-) ).

Should lawyers, or even laymen, solicit funds from the Internet to attack corporate interests? This is an interesting model I had not thought about. I wonder if it might someday alter the definition of “public defender”. Calveley reported some sources of support, but most are anonymous.

Firefox and iPhone vulnerabilities

Firefox 2.0.0.8

MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)

I would jump to 2.0.0.8 ASAP if I were you, where ASAP means no more than a month or two. I mention this because of what comes next…

In other news, Apple’s phone apparently failed to patch the ages-old libtiff vulnerability.

“I started Safari on my iPhone, browsed to a Website, and a few seconds later, HD was able to get root on my phone, without a wireless connection. Being able to run your own machine code pretty much opens the gates,” Finisterre said.

“I think it’s pretty serious — and even more so, ironic — that a year-old bug would get rolled into a semi-recent product,” added Finisterre.

It is definitely ironic. Where is the quality, Apple? Where is the quality?

In an interview with CMP Channel at Black Hat, Miller said Apple regularly uses outdated versions of open source code in the OS X platform, much of which contains known security flaws.

Outdated because of a pokey release cycle? Shame they do not pull in upstream security fixes in parallel with their release candidates, so the product is safe to use the day it reaches the public, or at least does not fall over when a new product is tested against known bugs that are over a year old.

Disclaimer: I’m not a fan of the iPhone. While I have liked and owned Apple products that were different in meaningful ways from the competition (e.g. the original laptop keyboard pushed back to the screen with palm rests up front — genius) the iPhone strikes me as a lot of flash with not much practicality.