July 31, 2006

Puttin' the ASS in Assessment...

In the most recent "it's everywhere you wanna be" news, have you seen this? Apparently, the CardSystems CEO presented testimony before Congress stating that the people really at fault for the CardSystems debacle weren't the CardSystems executives who decided not to take basic security measures, nor the developers who knowingly stored account data contrary to VISA operating procedures. No, according to them the failure really lies at the feet of the ones directly responsible for securing the data - their PCI assessor. Oh, clearly.

Of course, the assessors weren't there to defend themselves during the testimony, nor were they brought in to discuss how the scope for their assessment was defined. They did retort to the press after the blitzkrieg, however:

As to the core issue of the quality of the audit, Hancock said the improperly retained magstripe data was absolutely not on any of the machines that his team inspected; the team's mission was to inspect all of the machines that were involved with Visa transactions. "The truth is that the people who did the audit are card-carrying certified information systems professionals," Hancock said. "We examined the systems and there was nothing there. The systems were directly examined. We were very meticulous about that."

So the issue is that the assessor didn't psychically know which of the machines CardSystems never told them about was operating in direct defiance of VISA regs. Nice.

Thanks to Dave N. for passing along the story, and thanks to HoffCards for the awesome service (used to generate the picture above.)

Posted by Ed at 08:59 PM | Comments (0) | TrackBack

July 28, 2006

Thank you, drive through

Please wait for a site operator to respond.
Chat Information: All operators are currently assisting others. Thanks for your patience. An operator will be with you shortly.
Chat Information: You are now chatting with 'Ulises A.'

Ulises A.: Thank you for contacting iPower Live Chat. How can I help you?

Ed Moyle: Hi. Host51 is down

Ulises A.: Hello
Ulises A.: I'll be happy to assist you.
Ulises A.: I have checked your issue and regarding your issue the server on which you are hosted is having some issues and the system admins are working on the server to get it resolved. Please be assured that this will be resolved as soon as possible. We apologize for the inconvenience faced by you regarding this matter. I apologize but right now I am having no ETA for the same. But please be assured that it is been looked into and will be resolved very soon. Thanks for your understanding and patience regarding this matter.

Ed Moyle: ok... it seems to go down alot
Ed Moyle: I'll just wait for it to come back up then

Ulises A.: Is there anything else I can help you with?

Ed Moyle: nope
Ed Moyle: thanks

Ulises A.: You are most welcome
Ulises A.: Thank you for contacting iPower Live Chat.
Ulises A.: Enjoy your day.
Ulises A.: Good-bye.

Chat Information: Chat session has been terminated by the site operator.

Posted by Ed at 05:50 PM | Comments (0) | TrackBack

Usability and Nancy Drew

Gordon Haff has an interesting take on usability over at Illuminata Perspectives called "Security Vs. Usability." An interesting topic - especially where he points out some new features in Windows Vista (User Account Control) that he says will help reduce malware, prevent rootkits, and so on. Since I did find this so interesting, I did a deep-dive on this - starting with the link Gordon provided to the overview of User Account Control and then to the developer-centric material on MSDN. After reading the nitty-gritty, I'm not sure it's all that.

The goal is to have it so that users don't have to be administrator, right? To do this, they've changed which functionality requires Administrator access - now your average Joe can set the time, create a VPN connection, and change the power settings. Seems to me like this should have been something laptop users have been able to do since day one. So all that's probably good. However, I don't think this feature will drastically change the number of people who have admin access on their laptops. Desktops, maybe. But not laptops. The reason why not is what I call the "Nancy Drew factor." Here's the logic:

You still need to be Admin to install software, right? So I can tell you that I need Administrator privs on my laptop since I have a legitimate business need to install software; if pressed, I can go into great detail about the specific business-appropriate situations where I might be required to install software and how a system admin won't be around to do it for me. I can go into all kinds of dire financial consequences for the firm if these things should happen. However, the truth is that I'm highly incented to come up with these justifications because I *want* the ability to install software on the laptop - specifically game software like "Nancy Drew: Danger by Design" or "Disciples 2" (both of which were played on this laptop last weekend.) Look, if I'm going to be taking this laptop on the road, the least it can do for me is let me play the occasional murder mystery, role playing epic, or strategy game, right? And call me cynical, but somehow I think I'm not alone on this one. On the whole, it seems to me that as long as installing games requires administrator privileges, employees will continue to come up with business-legitimate justifications for why they require administrator access. Or maybe it's just me...

On the plus side, they've also changed it so that processes with lower privilege can't send messages to processes with higher privs, which could help with shatter attacks. I'm not entirely clear on how users will communicate with dialog boxes from system-level processes (like AV and spyware-scanner windows), but Microsoft says we shouldn't have been doing that anyway, so I guess it's all good.

Posted by Ed at 08:59 AM | Comments (0) | TrackBack

July 27, 2006

Please, Quantify "Safe"

I came across this article which talks about some new research from Kaspersky. I read this and I was extremely interested in how the primary material quantified "safe" in their analysis (there has to be more to it than made it to press.)

I sure would like to read the document, but I guess that's not going to happen until this goes away:

Posted by Ed at 03:23 PM | Comments (0) | TrackBack

July 26, 2006

Gartner's Getting the Word Out...

So, Gartner's been busy stirring up the waters the past few days. They've made the claim that the recent move by the OMB (Office of Management and Budget) to require security incidents to get reported to the Computer Emergency Readiness Team (CERT) within one hour of discovery is nothing but a PR stunt; of course, the way the press spins it, they make it sound like Pescatore set fire to the OMB seal and mooned their office building. Either way, pretty strong words from the ol' G-bone. Frankly, I have to admit that I'm surprised - I would have thought that they would have been completely on-board with having a central incident response body in the loop - and in a timely fashion at that.

They've also gone on-record to say that firms with a high level of "security maturity" (like after your program starts to grow hair and get pimples) can spin down security spending because the whole security situation is totally under control now:

Mogull, who chaired the recent Gartner IT Security Summit in Sydney, says there are now solutions to most information security problems. “It’s just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats. While information security has become a highly specialised branch of IT, commodity security functions are often being returned to IT operations."

So, apparently the key is to implement the right technology efficiently and effectively. The article implies that the metric they use to analyze maturity is a function of past spending, so apparently "right technology" means "technology that you've spent money on in the past." So, while I agree that their premise seems logical (mature organizations can afford to spend less on security), I disagree that "mature" is linked directly to budget; if, for example, I go out and buy ergonomic chairs for all employees with the security budget, clearly this represents "aggressive spending" of the security budget. But does that mean that as a whole I'm more mature with respect to the security program? Clearly not. Of course, I don't have access to their research (since it's 'spensive), so maybe that's totally the press and not Gartner...

By the way: the hilarious picture of the kid with the bullhorn is from the Glouster Virginia information page.

Posted by Ed at 05:26 PM | Comments (0) | TrackBack

Fired for what?

Clearly I'm a fan of blogs... and bloggers for that matter. However, I had to take a step back when I saw the recent article about the CIA Blogger who was recently fired; what she was fired for we don't really know - she says she was fired because she wrote about torture and the Geneva convention, but the CIA says she was fired because she was blogging instead of doing her job... Interesting.

Posted by Ed at 05:17 PM | Comments (0) | TrackBack

July 25, 2006

CA's Right on the Money

Computer Associates slapped F-Secure the other day for hyping up phone-borne malware when no real threat exists. Check it out; CA's Simon Perry had this to say:

"While F-Secure's bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market. Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice."

And he's right. Despite what McAfee told us about 2006 being the "year of mobile malware", we still have yet to see any significant traction from phone-borne malware. F-Secure's retort acknowledged this:

It's not a global epidemic, but there are real people who have got it. There have been several tens of different viruses — this is early days for mobile virus writers

Several tens? You mean about the same number of people as contract bubonic plague in the US per year? Against the backdrop of PC-borne malware, saying this is "not a global epidemic" is one whopper of an understatement. And I'm all for CA calling them on it - especially since they have skin in the game (they have an AV line for mobile platforms like PDA's.)

I'm not sure I'd go so far as CA as to say that F-Secure's actions are irresponsible. After all, consumers heed the advice of vendors at their own peril; for example, Subway claims that their subs are 1) fresh and 2) will cause me to lose weight if eaten exclusively. While I don't claim to have knowledge that either statement is explicitly false, I do tend to take them with a grain of salt. Needless to say, I won't be eating nothing but Subway in the near future (nor will many others, I don't guess), but is it irresponsible for Subway to make their claims? I don't know many who would say that it is. I think the same is true of F-Secure; consumers can decide for themselves (there's data out there for consumers to read on mobile virus prevalence), but they need to take vendors with a grain of salt. Once we stop expecting vendor research to be authoritative, this will become much easier for consumers to do. In the meantime, kudos to CA for calling this out and helping consumers know what's up.

Posted by Ed at 12:11 PM | Comments (3) | TrackBack

July 24, 2006

Spinnin' Yarns

There's been some serious spin in the air of late. Yesterday, Biometric Access Systems put out some serious action entitled "Biometric lock ensures ultimate security." Now, I'm not going to get on this company about the "ultimate security" thing (although somebody should probably tell them it won't have the effect they intend.) Nope - these guys are a small shop, they're in the SOHO/consumer marketplace, and they're probably not used to security outside that environment - given these factors, leaping on them about their statements (inaccurate though they may be) is probably bad form.

Verisign, on the other hand, ought to know better. They're distributing a white paper about why you should be using SGC ("international") certificates on your web server. In the paper, they make some claims about these certs. For example, they say that "... among leading SSL providers only VeriSign can provide 128-bit SSL encryption—the most powerful money can buy—to virtually every client machine that comes to your site." Reading this, it sounds like Verisign is the only one getting it done, right? The other people can't handle the competition, and just aren't getting the SGC thing done. Then they go on to say that, "SGC-enabled certificates... are the only way you can protect every SSL session with the strongest encryption available to that site visitor... do you and the people you do business with online deserve anything less?" Sounds like you'd have to be some kind of heartless uncaring slime to use an "inferior" non-SGC cert, right? Going by this, it sounds like Verisign is providing some seriously superior technology... but, of course, the truth is a little more interesting.

You see, back in the day, the US government classified strong cryptographic software as a "munition" and hence disallowed its export. Given the restrictions though, commerce was being impeded because "export-grade" encryption was insufficient to protect financial transactions. So the government (mostly via the BXA), took the position that software to provide strong crypto was OK to export - provided that the strong crypto could only be done with approved institutions. SGC certificates were part of the way that rule was made technically real - specifically, they were those certificates that allowed versions of browsers distributed internationally with crippled cryptographic components to "step up" to 128-bit cryptography during sessions established with those approved financial institutions. To control that only approved institutions received certificates, only one CA - Verisign - was granted the authority to issue SGC certs. As an enforcement measure, browser manufacturers basically "hardcoded in" the SGC CA key and this legacy software has lingered around and around... and around.

So how does that jibe with the implications in the paper? First, Verisign was the CA selected by the US government to fill this role; does that mean that they are providing more innovative or somehow "superior" technology? No. How about the implication that your customers deserve "the best security" and that only SGC certs provide it? One could make the argument that if they really deserve the best, they deserve for someone to tell them that they're using a browser with broken cryptography that doesn't secure the vast majority of their commerce transactions; maybe if somebody really gave a crap about these users, they could point them in the direction of microsoft.com or mozilla.com, where they can download a non-crippled version of the browser free of charge...

In other news, Lindsay says Paris h4x0r3d her machine, but it seems to me like she's got other problems.

Posted by Ed at 06:00 PM | Comments (1) | TrackBack

July 20, 2006

More about vendor research

"He uses statistics as a drunken man uses lampposts - for support rather than for illumination."

~ Andrew Lang

So, I feel like I'm on a one-man crusade sometimes. Today, I came across (via HackInTheBox) a TechWorld article called "Web Apps the Number One Security Blindspot" which basically states that applications are a security "black hole" and that they're constantly being attacked with no one noticing. The article draws on a recent report from Fortify where they sampled a number of sites looking for attack patterns in the wild and drew a number of conclusions based on those findings. They point out that there's a ton of activity going on out there in terms of application attacks, and they further extrapolate the relative prevalence of various attacks as a percentage of overall attacks. The instrument that they used to collect the data, of course, was their for-profit commercial tool.

Now, I've pointed this out before, but there's an inherent problem with vendors producing research like this; particularly when that research uses their commercial tool as the detection instrument. Specifically, these vendors typically have a niche - and the reports produced within that niche are only reflective of one particular area of focus. For example, Fortify's report doesn't have anything about phishing activity, malware, fraud, etc. Is that to say that these things don't happen? Of course not. It's not mentioned because Fortify doesn't do fraud detection, AV scanning or anti-phishing solutions. If they did, I bet it'd be in the report. Instead, what's in the report is only what's caught by their product. So, when they say that "On average, 50%-70% of attacks experienced by web applications come from bots and bot networks searching for known vulnerabilities", what that really means is "On average, 50-70 percent of the attacks that Fortify detects are from bots" - and that's probably because automated, consistently-formatted attacks are more likely for a scanning product to reliably detect. Plus, having a vendor publish these things tends to lead to semi-biased conclusions like, "Fortify's technology introduces a fundamental improvement in software application security and a meaningful departure from today's ineffective outside in approaches" (this and a bunch of other sales stuff really is in the "conclusions" section of this report.)

Of course, one must acknowledge that the vendors are the ones getting it done - I suppose this whole topic wouldn't upset me so much if there were other sources of information to turn to instead of the obviously-biased and inaccurate research.

Posted by Ed at 09:18 AM | Comments (1) | TrackBack

July 18, 2006

Yankee's right... but do they know why?

Today, HackInTheBox published a Yankee Group webcast, "How to Detect and Remove Malicious Software Without Signatures or Scanning". Anyway, it happened to catch my eye, so I (despite my better judgement) registered with the webcast sponsor (Sana) and watched the broadcast in its entirety. And it turns out that Yankee was right on target about the future of malware scanning - although there's more to the story than they go into.

Yankee's point seems to be that malware scanning can't continue to rely on signature-based techniques because zero-day vulnerabilities are on the increase and signatures can't keep up. According to their analysis, zero-day threats will continue to get more and more prevalent until signature-based scanning isn't feasible as a countermeasure. That's certainly possible, although they don't really give much in the way of hard numbers or empirical evidence to back this up. All in all, it's likely but not certain. They then go on to describe that the rate of threats is increasing and that, looking forward, one can project a time when the signature volume will be voluminous to the point of being unmanageable. They speculate that the future will bring about a time when signatures just can't be done... because of delays in publication of signatures, vendors just can't keep up.

So they're right - partially. But it's not speculation; the death of signature-based scanning is predicted precisely by well-understood laws of computer science; we can tell EXACTLY when it will happen and why. I've made this point before, so if you've heard it, sorry for the repetition. However, I think it's an important point, so allow me to state it again. So let's all put on our uber-dork hats and take a trip down memory lane to our "Algorithms" class... It'll take a while to get there, so bear with me.

So, computer scientists analyze the performance of a given search algorithm by representing the performance mathematically as a function of the total operations required to complete the search. For example, if you were going to search the phone book linearly for a particular person's last name, you would start at the beginning of the phone book and look at each name until you found the one you want (maybe there's a misprint and they put the entry you're looking for somewhere that's non-alphabetic.) This is an example of a "worst case n" search - the total time the search takes would be - in the worst case - the number of items in the list multiplied by the constant amount of time that it takes you to complete an individual examination. To say that in an extra-fancy way, you might say that the search time is O(n) [big-Oh n] - "big O" technically means "asymptotic upper bound", but that's just a fancy way of saying "worst case".

If you were going to search the phone book to find all the entries of a particular item (all the people with the last name "Smith", for example), it changes the performance equation since now you have to examine all the entries in the book to find all the occurrences. In that case, the performance is an "asymptotically tight bound" with the number of entries - that's a fancy way of saying "exactly": you have to search exactly the number of entries - no more, no less. Formally, that'd be Θ(n). Doesn't it seem like checking for a virus signature against every file on your hard drive is like looking for a given name in the phone book? Algorithmically, it's the same thing: a Θ(n) search.

Now, say you were looking in the phone book for all the people that had either the last name "Smith" or the last name "Jones". This time your search is more complicated because you have to check each name twice - you have to check it once to see if it's "Jones" and you have to check it once to see if it's "Smith" - in effect, you're doing the same search twice. In this search, it's not Θ(n) but instead it's Θ(2n). If you have more names, you have to do the search once per entry per name. Using q as an arbitrary letter to represent the number of names you're looking for, it'd be something like Θ(qn). Algorithmically, that's the same as current malware-scanning products. Really, it is - double-check me if you don't believe it.

So, the reason that signatures are dead (and right soon) is that both the q and the n values for malware are increasing exponentially over time - everybody's research seems to agree on this; the number of malware signatures is increasing exponentially and so is the number of files on a given disk. Since the search time is a product of the two, performance will appear to be acceptable for a given period of time (the flat part of the exponential curve) and then will go from "zero" to "nigh on impossible" in a heartbeat - one day your AV scanner seems "a bit slow" and a week later it takes the age of the universe to complete a scan - at least until the search parameters are changed. That's the way exponential curves work. Now, the reality is a bit more complicated since there are things you can do to try to "cheat" the curve (not search every file or not look for every signature) - in fact, some vendors have already started "cheating" to combat the exponentially increasing scan times. But cheating won't work long-term: since the numbers are exponential, it only shaves a bit off the curve.

So can you beat the curve? Not with signatures you can't. As long as search times stay constant (or increase arithmetically according to Moore's law), the fact that the two relevant search variables are exponential means the handwriting is on the wall. Or you could listen to Yankee and use Sana.
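To make the Θ(qn) argument above concrete, here is a small Python model added for illustration (it is not code from the original post, and not any vendor's scanner). It slides every signature across every file position by position and counts the checks, so n is measured in bytes scanned rather than files; bytes grow the same way and are easier to count. The sample "disk", the signatures, the growth rates, and the per-comparison cost are all constructed assumptions, not measurements. It also shows the "cheat" of skipping files by extension, which only removes a constant factor, and a projection of when a scan stops fitting a fixed time budget once q and n both grow exponentially.

```python
# Added example, not code from the original post: a toy model of the
# Θ(qn) signature scan described above, plus the growth projection the
# post argues from. Sample files, signatures, growth rates and costs are
# all constructed for illustration.


def naive_scan(files, signatures):
    """Slide every signature across every file, position by position.

    files:      dict of filename -> bytes (a constructed "disk")
    signatures: list of byte strings to look for
    Returns (matches, comparisons). Each (file, signature, position)
    check counts as one comparison, so the count grows as q * n, where
    q = number of signatures and n = total bytes on disk.
    """
    comparisons = 0
    matches = []
    for name, data in files.items():
        for sig in signatures:
            for pos in range(len(data) - len(sig) + 1):
                comparisons += 1
                if data[pos:pos + len(sig)] == sig:
                    matches.append((name, sig))
    return matches, comparisons


def prefiltered_scan(files, signatures, suffixes=(".exe", ".dll")):
    """The "cheat" the post mentions: don't scan every file.

    Skipping files by extension shaves a constant factor off the work,
    but what remains is still q * n' for the n' bytes that are scanned.
    """
    subset = {n: d for n, d in files.items() if n.lower().endswith(suffixes)}
    return naive_scan(subset, signatures)


def scan_seconds(q, n, seconds_per_comparison):
    """Cost of a full naive scan: the product of the two search variables."""
    return q * n * seconds_per_comparison


def years_until_budget_exceeded(q0, n0, q_growth, n_growth,
                                seconds_per_comparison, budget_seconds,
                                max_years=200):
    """First year t at which a scan no longer fits the time budget.

    q and n each grow by a constant factor per year (exponential growth,
    as the post assumes), so scan time grows by q_growth * n_growth per
    year. Returns None if the budget is never exceeded within max_years.
    """
    for t in range(max_years + 1):
        q = q0 * q_growth ** t
        n = n0 * n_growth ** t
        if scan_seconds(q, n, seconds_per_comparison) > budget_seconds:
            return t
    return None


# Constructed sample disk: three small files, one carrying a fake marker.
SAMPLE_FILES = {
    "notes.txt": b"meeting at noon",                         # 15 bytes
    "setup.exe": b"MZ" + b"x" * 10 + b"EVILBOT" + b"y" * 5,  # 24 bytes
    "report.pdf": b"%PDF-1.4 numbers",                       # 16 bytes
}
# Constructed signatures (all 7 bytes long, so the arithmetic is easy).
SAMPLE_SIGNATURES = [b"EVILBOT", b"DROPPER", b"ROOTKIT"]


if __name__ == "__main__":
    hits, work = naive_scan(SAMPLE_FILES, SAMPLE_SIGNATURES)
    print("full scan:", hits, "comparisons =", work)          # 111
    hits, work = prefiltered_scan(SAMPLE_FILES, SAMPLE_SIGNATURES)
    print("exe-only scan:", hits, "comparisons =", work)      # 54
    # Assumed growth: signatures double yearly, bytes grow 1.5x yearly.
    for year in range(0, 16, 3):
        secs = scan_seconds(1000 * 2.0 ** year, 1000 * 1.5 ** year, 1e-9)
        print(f"year {year:2d}: {secs:12.1f} s")
    print("budget exceeded in year",
          years_until_budget_exceeded(1000, 1000, 2.0, 1.5, 1e-9, 3600))  # 14
```

With three 7-byte signatures and 55 bytes of sample data there are 9 + 18 + 10 = 37 positions per signature, hence 111 comparisons; restricting the scan to `.exe` files leaves 54, the same match, and the same q-times-n shape. In the projection the per-year factor is 2.0 × 1.5 = 3, so a scan that takes a millisecond in year 0 blows through a one-hour budget in year 14 regardless of how small the starting cost was; that is the "flat, then a cliff" behaviour the post describes.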

Posted by Ed at 09:57 PM | Comments (0) | TrackBack

July 17, 2006

Gettin' spanked over two-factor

OK, so I've been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it still has value; Mike Rothman over at Security Incite sides with Pete, pointing out that there is a security benefit to two-factor and saying that we shouldn't downplay it because of one event. In light of the criticism, I thought it would be a good time to point out why I hold the position that I do - since I didn't really do a full job of explaining my point in the previous post (at the time I wrote it, I didn't think it would be so controversial) I think it makes sense to more thoroughly explain it.

Anyway, let me start by saying that I think both Pete and Mike are very astute analysts. More than that, I think they're right: two-factor does have tremendous value from an overall security perspective. And suggesting that two-factor has no security value whatsoever would not be accurate or useful to our industry. However, I think it's important that we, as users of these systems (and ultimately the folks who will bear the cost) stay focused on where the value of two-factor is - and where the value isn't.

Historically, vendors have told us that two-factor will eliminate the phishing threat. For example, Microsoft said "If you get two-factor authentication to the consumer level, you reduce the phishing threat", RSA said "Providing consumers with two-factor authentication... protects against phishing and identity theft" and Entrust told us that their solution would "provide identity theft protection and protection from phishing attacks." Journalists told us that "The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for the mitigating the phishing threat" and the Anti-Phishing Working Group told the DHS that two-factor auth was a key step in preventing phishing attacks. When somebody suggests "forced use" of something, you probably want to make sure that it does in fact solve the problem in question. So does two-factor do these things? The answer to this question is the crux of the point I made the other day.

You see, just because a tool is good at doing one thing doesn't mean it's good at everything. For example, a pipe wrench is useful, but probably not for changing your tires. Sure, a pipe wrench can be used to turn nuts and all, but try to twist a lug-nut with it and you'll get frustrated pretty quickly. It's all about choosing the right tool. I think two-factor is like a pipe-wrench: a good tool for one thing (authenticating users), but not for doing other things (authenticating institutions). If the reason phishing exists is because of insufficient client authentication, it would be a great tool for phishing. But that's not the cause of phishing. The cause of phishing is lack of server authentication. In other words, more authentication of the user doesn't solve the problem. Sure, maybe it helps a little bit - maybe it makes it harder for a phisher to attack a given institution - and in so doing causes phishers to go after "the other guy." But does it, like RSA and others said, "prevent" it? Clearly the answer is no, since somebody pulled it off the other day. Is it really our "only hope" like we were told by SecurityFocus? I hope not...

So, while I'm not saying that two-factor is completely valueless, I am saying that we should probably re-evaluate our assumptions about whether or not it solves phishing - particularly in light of direct evidence to the contrary.

Posted by Ed at 07:57 PM | Comments (3) | TrackBack

July 16, 2006

Garr... Comment Spam

My apologies. I was deleting the hundreds of spam comments this afternoon, and during that some legitimate comments accidentally got deleted and I can't figure out why. And I can't figure out how to undelete them (or if they can be undeleted.) Apologies to anyone who had comments deleted, and I promise to do my best to not have this happen again.

Posted by Ed at 01:02 PM | Comments (0) | TrackBack

July 14, 2006

OpenSSL FIPS Status Revoked

Wow, I'm still in shock about this. Believe it or not, the FIPS status of OpenSSL has been pulled by NIST. Sure enough, if you cruise on over to the NIST site and click right under the big red sign that says "revoked" for the cert, you get a page saying that there ain't no cert.

Apparently, here's what happened: some vendor (I still have yet to find a reference to which one) couldn't take the competitive pressure in the marketplace and decided to complain to NIST - citing a technicality about which code is or isn't interpreted to be inside OpenSSL's "cryptographic boundary." And now, OpenSSL needs to be heavily modified in order to get recertified.

My take? This is dirty pool. Why? First, any software product is going to be open to debate about which underlying libraries can or can't be considered inside the software's "cryptographic boundary." Commercial products, however, are more difficult for competitors to reverse engineer in order to make a complaint like this one. I'd bet that a similar complaint could be lodged against any commercial product distributed as a binary image out there. Maybe a similar complaint could be made about CAPI. Who knows? But reverse engineering CAPI is hard (no source) so competitors don't go there. Reverse engineering OpenSSL, on the other hand, is easy.

But what really fries my bacon is that this kind of action is detrimental to the user community - the users are left holding the bag. Users of the product in the federal government, suddenly finding themselves using a non-validated product (and now out of compliance with FISMA), are left scrambling to find a way to meet their accreditation requirements - all at healthy taxpayer expense. I think it's reprehensible that a vendor would look to get ahead at the expense of users - healthy competition is fine, but making the users pay for your own failings isn't.

Just my two cents.

Posted by Ed at 01:32 PM | Comments (0) | TrackBack

I told you so - two factor does nothing for phishing.

Apparently, a phishing site has been found that allows phishers to take advantage of users even when two factor authentication is employed. Here's what happens - you get an email telling you to follow a link to "your bank" (really a bogus site.) You connect to it and enter your two-factor authentication data. The site then opens a connection and uses your credentials to log in. The result: your bank account gets drained even though you used a second authentication factor. It's a little more complicated than a regular phishing scenario, but not rocket science.

This proves the point that I've been trying to make for the past two years - namely, that the reason that phishing works is not because we don't have sufficiently robust user authentication. No, the reason that phishing works is that we don't have sufficient authentication of the server. Mark my words - you could use as many user authentication vehicles as you want and phishing is still a possibility.

Man I love being right.

Posted by Ed at 09:49 AM | Comments (0) | TrackBack

July 13, 2006

Iris Scanning for Sex Offenders?

I am not in the habit of defending sex offenders, and I'm not about to start now. I do, however, have to question whether anybody has seriously thought through the ramifications of North Carolina's plan to use iris scanning to register sex offenders. I came across this gem via the Biometrics Discussion Email list (what arose out of the ashes from the Biometrics Consortium forums) and did some digging around. Apparently, the system they are planning on using is called SORIS (Sex Offender Registry and Identification System) which positively identifies sex offenders based on their iris.

Granted, identifying sex offenders is important, but for the life of me I can't figure out why iris scanning helps. Look, the argument is that this iris scanning will help locate sex offenders, right? How exactly are we planning on doing this identification? I can't remember ever having been asked to have my iris scanned outside of biometrics tradeshows or specific iris-scanning pilot deployments. Where exactly are we going to introduce the iris scanning "checkpoint" to locate these sex offenders? Are we going to start requiring mandatory iris-scanning for people moving in to a new state? Iris scanning at the DMV? Iris scanning as part of standard employment background checks? I hope not. However, it seems that unless there's a plan for more iris scanning somewhere, that this registry is all but useless. Just some whiz-bang gadgetry that the North Carolina taxpayer has to pay for.

I mean - is it me or does this not make any sense? Compare it with fingerprint. Don't we have fingerprinting already for just about everything nowadays? Get a job, get fingerprinted. Get arrested, get fingerprinted. Go to the DMV, get fingerprinted. We already have fingerprints for every convicted sex offender on file, therefore allowing the creation of a database with no new enrollment and no change to current processes. We also have people actively checking people's fingerprints occasionally (not commonly, but it's out there.) Why not use (oh let me think about it) FINGERPRINT to track the legions of roving chesters loose in suburbia? Is it because the iris is supposedly more "unique"? Hype. It is theoretically more unique and maybe more accurate - but I haven't seen any tests to back this up. Actually, the tests I've seen show better performance for fingerprint because fingerprint is easier to use and train people on. Even if iris were marginally better than fingerprint, you're talking about fractions of a percent. Is that fractional increase in accuracy worth the tremendous extra expense, inconvenience, and use of police resources associated with deploying an entirely new recognition infrastructure?

Oh, and it's expensive all right - training costs are high, as is processing time. At one point in my career I piloted an iris-scanning system, and let me tell you, you actually have to *work* to use an iris scanner. It's not like fingerprint, where you roll your finger around in some ink and slap it on a pad. You basically have to stare into this tube at an LED and adjust your eye muscles in such a way that you bring two concentric circles into alignment. It's hard to do, it takes learning on the part of the scannee to use it properly, and it gives you eyestrain with frequent use. It's hard to do with a willing participant - which your average perv isn't likely to be. So, ante up, Charlotte residents, and when you figure out that you bought the proverbial "Alaskan refrigerator" you'll know who to thank.

Posted by Ed at 11:04 AM | Comments (0) | TrackBack

July 12, 2006

Wow. Go Go Gizmodo...

So, I accidentally stumbled across Gizmodo's parodies of the "I'm a Mac" commercials this morning and I can't stop watching them... 100 percent pure hilarity. Check them out, but be careful of 1.3 since it's not fully work-compliant:

http://www.youtube.com/watch?v=UA3NyRr4Eng.

Posted by Ed at 06:58 AM | Comments (0) | TrackBack

July 11, 2006

More McAfee Benchmarks

I've been reading this book, recommended by a colleague, called Crimes Against Logic - it's a very readable catalog of logical flaws and nonsensical conclusions; I highly recommend the book, by the way. Anyway, I was reminded of it when I came across the recent malware numbers published by McAfee after seeing them in the press. Now, as many of you know, I am de facto critical of industry-wide research put out by AV firms - more often than not because the results are reflective of the methods they use to gather the data rather than anything having to do with the industry at large. And guess what? These are no exception.

In case you haven't read it, the research basically says that the same number of "threats" have been discovered in the last two years as in the previous two decades (you'll see why "threats" is quoted in a minute). Check out their findings:

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000. Eighteen years to reach 100,000. Less than two years to double. Looking ahead, our researchers expect yet another doubling in a similar timeframe. So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

So what's wrong with this? The first problem is in how they define the word "threat"; now, they don't spell out precisely what is or is not a threat in their article. They do, however, refer to motivation by financial gain so clearly they DO mean spyware; perhaps they also mean certain types of spam. Look, Gator is spyware that may or may not collect some aggregated data about me to send back to the mothership while the casino virus deletes my hard disk; are they the same? I would argue not. But guess what? There was spyware before McAfee added the capability to scan for it. So, once again, the growth numbers are reflective of changes to the McAfee software rather than actual growth of malware. Not useful.

The second problem lies in the conclusions drawn from the results:

Another area of concern is the growth of malware targeting mobile telephony... it will grow... When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

"When the phone is the standard means to transfer money?" Did I miss the new RAZR feature that lets you open a checking account? Look, you can't just "slip that in there" - if you are going to predicate results on a major paradigm shift, you need to give some evidence for that shift. It's like me saying, "once I've replaced my eyes with webcams, I'll be able to broadcast my life to the web" without also prognosticating some sort of advance in cybernetics.

Anyway, just my humble two cents.

Posted by Ed at 07:03 AM | Comments (1) | TrackBack

July 10, 2006

Sophos Says Switch to Mac

So, in case you didn't notice, I've been on vacation - so sorry about the slowdown in blogging activity. I'm back in the swing of it now, so the activity on this humble forum should once again increase. Anyway, in reviewing the million or so news stories that collected in my inbox while I was relaxing in the sun, I came across this tidbit from last week where Sophos warns all computer users to switch to Mac. Check it out:

Macs will continue to be the safer place for computer users for some time to come... [That is] something that home users may wish to consider if they're deliberating about the next computer they should purchase.

Interesting. I'm surprised by this for a few reasons. First of all, it's reflective of a mixed message from Sophos. If 10 out of 10 viruses don't infect the Mac, why is Sophos warning Mac users that they need virus protection? Seems like a bit of a muddle, doesn't it?

Second of all, it's myopic; here's Sophos giving generalized advice based on one very narrow view of the facts. Yes, it's true that Macs have traditionally had less malware. However, Apple is also slower to patch vulnerabilities than Microsoft by a wide margin, thereby increasing the attack surface for a malicious user. So while a Mac might be less likely to get spyware, it might be more likely to get h4x0red. So, is it Sophos' position that users are better off getting hacked than getting malware? Or is it just that Sophos (being an anti-virus company) has too narrow a focus to include this other information in their analysis? I'm going with the latter, in which case it raises the question, "what else are they not considering?" For example, Larry Seltzer, Gartner and others tell us that the Intel Mac - via Boot Camp and Parallels - is a veritable breeding ground for malware. Of course, I'm not convinced they're right, but what if they are? Has Sophos investigated these technologies to support their analysis, or are they just shooting from the hip?

Look, I've said this before and I'll say it again. I think it's irresponsible for AV companies to give generalized advice to users based solely on perceived trends in malware. They do it to get press, which is understandable; saying that everyone should switch to Mac is something guaranteed to get you a front page somewhere. But what about the users that listen to it? What about the folks who'll hear this advice and actually heed it? If they did, they'd be buying a system they're unfamiliar with, requiring tens or hundreds of hours to learn how to use it; they'd potentially have invested thousands of dollars; and they may or may not be better off overall. After all, they certainly could get malware anyway from the Windows side of Boot Camp. Were they well served?

Posted by Ed at 08:51 AM | Comments (0) | TrackBack