I don't think that the standards committees underestimate security threats; I just think they're too busy doing things that are more important to them -- like holding meetings and writing minutes

Awesome interview. The gist of it is:
-Security sucks because CTO's don't understand proper security, or fail to implement policies because of office politics

-The thumb is *up* the ass. Network security issues have largely been understood since the late 80s. We keep dicking around ever reinventing the encrypted tunnel instead of working on complex and interesting problems.

-IETF and other bodies are so packed with commerical stoogies that they are being ineffective.

-Security is a design, not an add-on. It must exist on all levels. Network security is pointless without host security. Security cannot exist only in layers 3 and 4. It must include the application!

-The popularity of Computers and the Internet is what's killing the industry. Too many uneducated people use it, so most companies are too busy selling them stuff to improving the quality/security of their products. (IE Microsoft's user friendly gui instead of controlled execution of code).

Interview with Marcus Ranum

One Microsoft Way
Redmond, Washington

Overheard in the office: IE Development

Public database of Google search strings to find vulnerable machines and other goodies.

Google hacks database

Nice lecture. Isn't the usual "use tables for layout stupid" and "Structure should be seperated from content" rant. This site actually shows you how to break an existing webpage down to its basic structure and built it back up with CSS, DIVs, and more.

I've been working today on using some Javascript to make the Recommendation page have more, but hidden, options. Inserting this into a page that uses tables for layouts is a bitch.

-Memestreams includes CSS defined inline with each page.
-Memestreams uses Tables instead of DIVs for layout. The main page is over 30k, most of it table formatting. I know Tom has a good Co-Lo deal, but the bandwidth savings here will help Memestreams users.

Why tables for layout is stupid: problems defined, solutions offered

[ This wouldn't have anything to do with advanced remote package delivery systems, would it? -k]

News Flash:
Most Significant Bit Labs retracts its statement yesterday regarding its interest in remote package delivery systems. This was made in junior officer who didn't fully understand the situation. The actual project is the development of high altitude weather balloons. We at MSB Labs understand how these 2 systems look very similar, and how this error was made.

Allow us to state categorically that MSB Labs has no interest in package delivery systems, especially advanced or remotely controlled package delivery systems.

Thank you for your time

Package System rumors are completely false!

The AMIS protocol was designed in the late 80s early 90s to allow Voice mail systems of different vendors to automatically transmit voice mail messages to each other.

It uses DTMF tones to communicate back and forth, establishing who the voice message is for, where it is coming from, and for the destination system to specify if the mailbox is full, to provide a forwarding number, etc. The use of timeouts, checksums and acknowledgements make this a reliable protocol, with a variable payload length. The analog voice message itself is not digitized, and is played real time. A sample session looks like:

-A dials B
-Using DTMF tones, A and B agree on a protocol.
-A tells B for the message is for, who it is from
-B confirms information is correct and mailbox is available
-A plays voice message "Hi Billy, this is Jill..."
-A signals message is over
-System gracefully terminate.

While I don't really care about forwarding voice mail, the use of DTMF tones to create a reliable datalink layer is something I was trying to do. A pair of FSR radios, some DTMF chips and some PICs and I have a reliable, low speed (~45bps) data communcations with around a mile range for under $50. This is far more flexible then the model airplane remote controls that cost over $75.

Cisco has some info on it too.

AMIS: DTMF Data Link (kind of) [ZIP]

Kevin Kelleher suggested an interesting way to compare programming languages: to describe each in terms of the problem it fixes. The surprising thing is how many, and how well, languages can be described this way.

Some of my favorites

Fortran: Assembly language is too low-level.

Cobol: Fortran is scary.

Basic: Fortran is scary.

C: Assemby language is too low-level.

C++: C is too low-level.

Java: C++ is a kludge. And Microsoft is going to crush us.

C#: Java is controlled by Sun.

Perl: Shell scripts/awk/sed are not enough like programming languages.

Python: Perl is a kludge.

Paul Graham: What Languages Fix

What follows is an overview of what's happening on the Internet right now, and what we expect to happen in the coming months.

I admire Schneier and all, but this article is a piece of self-serving shit.

We expect to see ever-more-complex worms and viruses in the wild

We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack. We expect Microsoft's IIS (Internet Information Services) Web server to continue to be an attractive target

[Worms targeted at a specific entity] are another trend we're starting to see.

We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. [...]

We also expect to see more politically motivated hacking, whether against countries, companies in "political" industries (petrochemicals, pharmaceuticals, etc.), or political organizations

Well, I predict that people will continue to make obvious predictions. These predictions (with slight modifications) could apply to any of the last 10-15 years or so.

Schneier on Security: Attack Trends

Nice archive of phishing emails and analysis of the methods used

-Email spoofing.
-URL encoding/mis-representation.
-Any validation of data entered by user.
-Suspicious parts to time people off.

Robert X Cringley has a neat article . In it he proposes the way to kill phishers is to taint their "take." The APWG provides a good data set to create an auto "anti-angler."

I'm not sure how well this would work, because I am not sure how the phishers validate the info they collect. It possible an automated attack flooding them with bogus data could quickly be filtered if I don't choose really good data.

hmmmmmmmmmmmm. [gears start turning]

Anti-Phishing Working Group: Phishing Archive

Decius wrote:

Furthermore, I want to point out that ICANN is totally inept at choosing TLDs in general. I don't think that they should be allowed to do it. They have too much power to shape the internet, they are really not accountable to anyone, and they are terrible at it.

I agree. This adoption of new TLDs with little thought and no restrictions on registering inside them is causing some serious issues.

Look at .tv. No one uses it. I should be able to type in [anytvshowname].tv and get its website. I can't. Fox, ABC, and other stations already have websites. .TV does nothing for them. It just another thing for registrars to sell.

The owner of ford.tv might have a TV show on some local cable access channel. Ford Motor Company has ford.com. There is no reason for them to need ford.tv. However, companies don't see that .tv is another TLD that is supposed to logically seperate things. Instead, they see FORD. So they sue. ICANN and registrars not having requirements or restriction to register inside these new TLDs re-enforces the idea that the .tv TLD is nothing special. From their point of view ford.tv is not any different from ford.com.

I really, really wish I could go back in time and bitch-slap the person who decided that people other than ISPs can have .net and the people other than government recognized non-profits can have .org. Structure is gone, and ICANN is piling on more TLDs.

RE: CNN.com - Stage set for '.xxx' Internet addresses - Jun 2, 2005