FYI, I was heavily quoted in a Computer World article on email privacy in the workplace recently. The article, by Sharon Gaudin, was prompted by a recent arrest in Philadelphia when a TV news anchor snooped on a co-anchor’s email messages. Serves him right!

Cheers,

Ken

I’ve been doing information security stuff for over 20 years now. My consulting/training company just turned 5 years old. One thing I’ve seen repeatedly is how often we (security folk) make the same mistakes.

In my eSecurityPlanet/Datamation column this month, I address that problem and provide a couple of pointers to help us learn from history a bit. Hope you find it useful.

Cheers,

Ken

Most anyone who knows me also knows I spend a lot of time traveling. Ever since starting my consulting practice, I've stuck with the strategy that keeping my travel business on one set of vendors is the best approach. This doesn't always work, but most of the time it does.

In particular, as a result of my "customer loyalty," I'm a United Airlines "1K," a Marriott Gold, a Hyatt Gold, and a Hertz 5-Star Gold customer.

I really believe that this is the best approach--though not necessarily these vendors--for anyone who spends a fair amount of time on the road. Here's why.

Coming home from a business trip to Belgium on Sunday, I had booked an economy class seat on United. In fact, I was boarded and settled into my "economy plus" seat, all ready to go. (I save my gratis upgrades for really long and/or overnight flights, whenever I can.) As passengers were entering the cabin, one of the gate agents approached me and gave me a new boarding pass, in business class, and said, "thanks for all your business!". Naturally, I gratefully accepted and changed seats.

This upgrade was unsolicited and unexpected. No doubt, United did it for space management, but the point is they didn't have to do it. I truly had the feeling that they do appreciate my business. That's what it takes. (I should add that the exact same thing happened on my return from Amsterdam nearly a year ago, after my cycling tour of Holland with my dad.)

Similarly, with the other vendors I frequent, I often get unsolicited upgrades and such. Marriott also guarantees me a room. If none is available, they put me up elsewhere at their expense.

It's the little things like this that keep me coming back, and they know it.

On the other hand, I know that these vendors all have their blemishes. Sometimes I get furious at them for one reason or another. But even when things go wrong, they tend to fix them in my favor. Coming home from Mexico last July, a weather delay forced me to miss my connecting flight--the last of the day--out of Chicago. United put me in the airport Hilton, which is walking distance away, at their expense and apologized for my inconvenience.

If you must spend as much time on the road as I do, I'm convinced this is the best way to do it.

Cheers,

Ken

If you read my writings here from time to time, you've probably heard me talk about my recent experiments with email security, as well as my laments about users who would choose to select the proverbial dancing pigs instead of security.

Well, that was not the case here in Belgium this week at the OWASP regional chapter meeting. As I said here, I've been over here in Leuven, Belgium this week for SecAppDev. Well, at Tuesday's regional OWASP chapter meeting, I volunteered to assure any attendees' CAcert.org or Thawte.com x.509 security certificates, fully expecting a "turn-out" of just one or two folks. Instead, I ended up with a line of people during the session break. I ended up with some 12 identities to verify on the CAcert.org site.

I was utterly amazed and, frankly, encouraged by the experience. Admittedly, these folks were already security-minded technologists, or they wouldn't be attending a meeting of the Open Web Application Security Project, but even still, it's nice to see that there really are people who want to improve the state of email security.

Very nice, thanks guys!

Cheers,

Ken

During the SecAppDev class next month in Leuven, Belgium, there's also going to be a regional OWASP meeting on 4 March 2008.  I've been asked to join in and present a short session comparing various secure development methodologies (Microsoft's SDL, Cigital's "Touchpoints", and OWASP's own CLASP, mainly).  If you're in the area, I hope you'll join us.  Local details are available on OWASP's Belgium chapter site.

And, if any of you are in the Leuven area and care to chat, let me know. I'd be happy to meet you for a beer at one of the local pubs. My favorite is Domus, but I'll even "slum" it and go to one of the myriad of pubs serving Stella or some such for a worthy cause.

While I'm there, I'll also be doing a CAcert / Thawte x.509 "signing".  So, if you're using either of these free x.509 certificate services, and are still trying to get the 50 assurance points necessary to have your real name on your certificates, stop by with two forms of government-issued ID (and photocopies, if using Thawte -- not necessary for CAcert).  I'll be happy to help out with either/both 10 Thawte points or 35 CAcert points.  No charge, of course.

Cheers,

Ken

There's an old saying in the information security community: give the users the choice between security and dancing pigs, and they'll go with dancing pigs every single time. Perhaps it's a bit of an exaggeration, but it does make a good point.

Now, translate that to the "phishing age," and you have some insight into why phishing is so darned effective, at least from the attackers' perspectives. They are raking in the cash, and with little chance of being brought to justice. Great.

Then, a few days ago on a business trip to Prague, a friend of mine showed me the graphic image below that made me laugh hysterically. It really illustrates why phishing is so effective.



How many people do you know who might actually enter the data? What if this info came up in (say) a google search result list? What if it was delivered via email into your inbox, seemingly from your bank? How many people would fall for it? (Note: it's not a real attack. It's just an image to illustrate a point.)

Just goes to show you, old PT Barnum couldn't possibly have imagined how optimistic he was, when you factor in Internet and the unwashed masses. There's way more than just one sucker born every minute!

Cheers,

Ken

A couple months ago, I wrote here about email security and how I'd become a "notary" for the free email certificate service provided by Thawte. Well, that's unchanged, but thanks to a colleague who alerted me to another free certificate service provided by CAcert (also see their Wikipedia page here), I was able to become recognized as a CAcert identity assurer using my Thawte credentials.

More of the same, you say? Well, only to some extent. CAcert differs from Thawte in many ways. For one thing, they're a completely free and open certificate provider, which I have to salute. Using their service, I can also generate server keys, which is handy. (That's right, completely free SSL certificates for my web sites!) Additionally, they will sign existing PGP/GPG keys for their users, which is a nice addition to my GPG key signatures.

Is there a downside? Well, not much, but if one is to be found, it's that CAcert's root certificates aren't yet in everyone's browser and email certificate repositories, as shipped by their operating system or browser vendors. That's changing, but for now, CAcert users will from time to time find people who cannot verify their identities. That's disappointing, but as I said, it's changing.

Why bother? Well, if email security is important to you, the answer should be self-evident. If it's not, consider the SSL certificate argument. When you connect to (say) your bank, your browser uses SSL to encrypt your session with the bank, in all likelihood. Your browser is also validating their authenticity by looking at the bank's X.509 server certificate and ensuring that you are indeed talking to your bank, and not some rogue site run by some phishing miscreants aimed at stealing your money. With an email certificate, you can provide that same time of identity assurance to people you send emails to. It also enables sharing of encrypted emails if both parties have a certificate, but just the identity validation alone is worth the price of admission, in my opinion.

Oh, and that "price of admission," in the cases of Thawte or CAcert, is US$0. They are free services.

The question you should be asking is why NOT bother? Seriously. Some people find signed email and "dealing with certificates" to be difficult, confusing, not worth it, etc. You may be one of those people. It's my opinion that those attitudes are not well founded with the reality of how bad the state of email security is these days. Imagine if all your friends and colleagues used validated email identities, and you were able to tell your emailer to delete all non-signed emails. Voilá, no more spam. That's something that we security folk refer to as "white listing".

Enough blather for now. I urge anyone and everyone who reads this to go out and get a free certificate from Thawte and/or CAcert. Then spend the time to get your identity validated by a couple Thawte "notaries" and/or CAcert assurers. It's well worth the effort.

Cheers,

Ken

Some of you may remember my "Pigs can fly!" posting here where I explained why I've finally gone and gotten myself a Macintosh (Macbook Pro 15"). Well, it's been well over a year now of Mac bliss. I remain absolutely convinced that Macs are the right choice for me, and in fact are right for a whole heck of a lot of people. I'm certain that Apple's growth is representative of a renaissance in computing -- a new age of enlightenment. Strong words, but they're not without meaning.

In my 1.25 years of Mac-dom, I've found several pieces of software that I consider to be essential to me. Things that I really wouldn't want to be without. I thought I'd share those here, for what they're worth. Mind you, I've installed quite a bit of software on my Mac, but the list below will focus on the things that I use daily and that (by and large) are in my system dock.

My list of essential Mac software (other than the basics that come with the system), in no particular order:

• Firefox with no-script. Let me first say that I really like Apple's Safari browser. I'd be using it now except for one little thing -- control over JavaScript. In my opinion, JavaScript, is responsible for the vast majority of web-related security bad things. I need to have control over what sites I want running JavaScript on my computer. Mozilla's Firefox, combined with the No-Script plug-in give me exactly that. No-Script starts off disallowing all JavaScript, but you can add sites one at a time into a "whitelist" of sorts. That way, you can turn on JS for the sites that you want running it, and all the rest can't run scripting at all. Not perfect, but it's a LOT more control than I had under Safari.
• Newsfire. I read a lot of news sites on a daily basis, from tech news to Mac stuff, wireless stuff, and even world events. Oh, and news from the wine/culinary world as well. My only hope of keeping up with all this information is RSS. I was introduced a while back to Newsfire, which is an absolutely splendid RSS reader. Now, I should note that I'm currently experimenting with Apple's own Mail program's RSS reading capabilities -- which is a new feature of Leopard. But I still have my Newsfire and may well go back to it if/when Mail fails me. It's commercial, but not particularly expensive.
• Parallels. I was a VMWare user way back in the day, and I loved it. When I moved to the Mac, I needed a way to occasionally run another OS. So, a few months ago, I added Parallels to my list of apps. I now run a Windows XP box in a virtual machine. It's great for the training I do. I can load up XP, install stuff on it, hurt it, make it beg for mercy, cry like a baby, or whatever -- and then go back to the pristine XP configuration at the click of a mouse. And it's quite fast, too. Absolutely fantastic for my needs. It's commercial, but isn't very expensive -- look for it on Amazon for a discount.
• Callwave SMS widget. I do a lot of text messaging. Although my phone plan includes a huge bucket of messages for U.S. numbers, international SMSs are still quite expensive (in the quantities I send). This little SMS widget provides me with free messages. There's a daily limit, but I rarely hit it. Great stuff, and it's really easy to use. Oh, and it's free.
• Rapid Weaver. This one is my newest addition to my must-have list. But I've come to really like Rapid Weaver. What a great tool for building and maintaining web sites like this one! It is commercial, but not very expensive, and there are some coupon codes floating around the net that can get you a few dollars off the retail price.
• MacGourmet. Another inexpensive and highly worthwhile commercial tool, I've come to really like MacGourmet for organizing my favorite recipes. (I'll be putting at least several of my recipes on this site in MacGourmet format shortly, by the way.)
• Missing Sync for Blackberry. I used a Blackberry years ago, and now I'm back. I love the email comms, and my provider (T-Mobile USA) has a great all-you-can-eat data plan and an all-you-can-eat international roaming data plan that are fabulous. This essential (and commercial, but cheap) app enables me to sync my Blackberry data over to my Mac. For various reasons, the iPhone isn't yet ready for me, but the Blackberry serves my needs very well. Without Missing Sync, I'd be sunk.
• Spanning Sync. As a small business owner, I don't have a calendaring/groupware server for my company. I have an email and file server hosted externally, but not a calendar server (yet). Google Calendar came along and helped me with that enormously. Spanning Sync takes Google Calendar to the next level -- it syncs bi-directionally with my Apple Calendar data. Awesome add-on! It's sold on an annual service subscription basis, but is way cheaper than a calendar server. Finally, Caren and I can share a calendar.
• Chicken of the VNC. I use Virtual Network Computer a lot for administering the computers on my internal net. Chicken of the VNC is a great and free VNC client for the Mac.
• Macports. One of the things I like so much about Apple's OS X operating system is its UNIX underbelly. I've been a UNIX guy for over 2 decades, and I'm just more comfortable there than I ever was on MS-DOS (or its derivatives). Macports is a collection of (mostly) BSD-UNIX derived applications that have been ported to the Mac. All open source, free, and excellent!
• TiVo Desktop. I love my TiVo. I love my Mac. A few months back, we upgraded our old Series-1 TiVo to a Series-2, thanks to TiVo's offer of transferring our lifetime service subscription over. Now, my TiVo is finally on my data network, and I can move things back and forth between the computers and the TiVo. TiVo Desktop is the piece that enables me to share movies, shows, etc., from my Mac over and play them on the TiVo. Absolutely essential, and it's free from the wonderful folks at TiVo.
• TiVo Download Manager. I still love my TiVo. This enormously useful piece of free software allows me to download files from my TiVo onto my Mac -- and convert them into MPEG-2 format at the same time. It's actually a front-end to curl and TiVo Decoder, but it puts everything in one easy-to-use bundle. I can now grab anything from my TiVo and put it on a big honkin hard drive on my Mac, and then watch it whenever I choose to, without taking up valuable space on the TiVo itself. Great stuff.
• iWork '08. As you might expect, I require the ability to read/write MS-Word, Powerpoint, and Excel formatted files quite frequently in my work. I've been a fan of Apple's iWork for some time now. When '08 came out a few months ago, I grabbed a "family pack" (with 5 legal installations available) for about $100 on Amazon. That's $20 per seat, and it's some of the best money I've spent. I still keep MS-Office around, but I find myself using iWork more and more instead of Office. Keynote (the Powerpoint equivalent) alone is worth the price of admission. I build presentations with it that look worlds better than any I've ever seen in Powerpoint.

There they are. Great stuff, each and every one. I run all of these (as noted) on Leopard, which I'm absolutely thrilled with. Nothing I ever experienced in PC- or Linux-land ever came close for me. I'm a believer.

It is the age of enlightenment.

Cheers,

Ken

The first "Internet" application I ever used was email, circa 1983. Seeing computers used to communicate (and not just solve scientific equations) was an epiphany to me. But, I was shattered to later learn that email isn't secure. In fact, it is about as far from secure as anything we know in the electronic world.

So, for about the past 2 years, I've been slowly -- but increasingly loudly -- advocating secure email. I've been a PGP user since it was introduced to the public in 1992, and more recently, I've been an S/MIME user. I started digitally signing all of my outgoing emails as of about 2 years back. It was an experiment, and one that hasn't entirely succeeded, I should add.

Then, about a year or so ago, I learned about Thawte's free email certificate program. They use a certificate signing mechanism not entirely unlike PGP's web of trust. When you get a free (!) Thawte email certificate, you start by only being able to include your email address in the certificate. Then, you get your identity verified by Thawte notaries, who are community volunteers who help the effort. Once you've gotten sufficient (50) points, you can include your real name in your (still free) email certificates.

This seemed like an interesting and novel approach to me, so I went ahead and took the plunge. In the last couple months, I've gotten not just the 50 points I needed to have my real name in my certificate, but the 100 points needed to become a Thawte notary. I decided to put my money where my mouth is and be part of a solution and not just whine about all the problems.

In order to notarize a Thawte certificate, the notary must meet the certificate holder in person and verify her identity via two forms of national identification (e.g., passport and driver's license).

I am now a Thawte notary. If any of you are interested in this free (!) and useful service, start by going out to the Thawte web site and getting yourself a freemail certificate. Most modern emailers and browsers can handle X.509 certificates just fine. Follow Thawte's instructions (admittedly, their web site isn't entirely intuitive) and start using your certificate. Then, go out and find a couple notaries in your area, again via the Thawte web site. It only takes a few notarizations and then you'll be up and running with a free X.509 certificate.

I'm happy to notarize any of you who want to make use of this -- after following the proper procedure, of course.

Big deal, eh? Well, the big deal is that now you can send email that your recipients can validate with a high degree of confidence came from you. Believe it or not, that is a big deal. If you want to be able to trust the email you receive, then this little bit of infrastructure is essential.

Cheers,

Ken

So, way back on 9 May 2005, I posted an entry here saying that I'd gotten and was very happy with SunRocket's Voice over IP (VoIP) service. Last week, while I was traveling on business in Mexico, I saw a headline saing that SunRocket was going out of business. I immediately signed up with one of their competitors (Vonage) and, as of today, my account is active and my old number has been transferred over.

Here's the thing. Well, maybe more than one thing... As a very (!) small business owner, I have grown to rely on VoIP for my business phone line. They're relatively cheap, easy to work with, and overall very good. My opinion on that has not swayed, despite this bad experience with SunRocket. I wouldn't advise many/most people to get VoIP as their ONLY phone service at home, however. But, as a second number, they're fabulous.

Well, they're as good as your broadband is. I'm fortunate to be in an area where my cable modem speed is superb -- I regularly measure 20 Mbps download and 2 Mbps upload. VoIP has NO problems with that.

And I can sympathize with SunRocket's circumstances. They were heavily VC-backed, and their VC investors were unwilling to put any more money into the company. I've been there, done that. But wow, they sure handled the situation in a horrific manner. The fact that I learned of their demise from a magazine headline is inexcusable. The fact that I had to turn to another provider and make arrangements myself to transfer my service is inexcusable. I really wish I hadn't given them any of my business, but that's water under the bridge.

I do hope that their actions haven't tainted the entire VoIP community, though, but I think the damage has been done.

As anyone who actually reads this web site knows, I travel quite a bit, both on business as well as for pleasure (whenever possible). What's more, for various reasons (primarily convenience), I tend to fly mostly on one airline -- United.

Now, United isn't the best airline -- or the worst -- without a doubt. They have more than their share of warts. But, as an "elite" (1K) flyer on them, when something goes wrong, I tend to get it resolved pretty quickly and easily. Usually.

But I just got back from a trip to Rome yesterday. (See this link for some pix.) My customer tried to pinch a few pennies and I ended up on US Airways instead of United. Mistake #1.

I left Washington Reagan airport on the day after a northeastern US snow and ice storm. Not surprisingly, things were delayed. I'm completely understanding of the situation at this point.

But US Airways had, I'm told and have verified via news reports, recently upgraded one of its main computer systems. Not sure what went wrong behind the scenes, but at the front counter, it was pandemonium. The check-in line at DCA was hundreds of yards long. No kidding.

After a couple hours in line and nearly giving up, a couple US Air employees came through and grabbed those of us who might still make today's flight. I was among the lucky. Got to Philly just fine, but ended up missing the Rome flight.

Then -- and I have to give due credit here -- a couple of wonderful US Airways employees in the US Air Club helped me re-route my trip via Munich. Looks like I made it. But more delays...

I ended up in Rome without my bags and had to go to my customer site in smelly, dirty jeans/rugby without a change of clothes. Bags finally arrived late Monday.

But that still wouldn't get them into my Never Again Club (NAC).

On my return from Rome yesterday, I picked up my bags in Philly. Everything was on time. Two hours in Philly to catch my connection to DCA. No problem. Get to DCA and, you guessed it, no bags.

In fact, not only were my bags lost, but about 2/3 of the people on my flight were stranded without their bags as well. We waited pathetically at the baggage carousel only to have about 10 bags come out from our flight and then the carousel shut down. No more bags.

I just can't believe this. How could an airline be so blatantly mis-managed to make this kind of mistake over and over? It just boggles my mind and forces me to spotlight them here, for all that's worth ;-\, in my Never Again Club, with honors.

Oh, and I'm typing this the morning after I arrived home. No bags yet, and I'm waiting for my ride back to the airport to leave on yet another business trip (on United!). I've had to pull together a replacement dop kit and such, but I'll make it. And I'm confident that United will live up to my expectations, but who knows.

I'm a cable modem user (on Cox Communications) in Fairfax County, Virginia for several years now. Recently, Cox offered a higher speed option (15 mpbs by 2 mbps), so I jumped right on it.

The upgrade went smoothly, but I was only measuring speeds of around 10x2. After a bit of searching, I found out that I ought to upgrade to a DOCSIS 2.0 modem, so I did that. Now, I'm regularly measuring speeds of 16-19mbps down and 2-2.5mbps up. I've tested at various times of the day and those numbers have been quite consistent.

I should add that the modem swap was painless and that Cox support was entirely effective. In one phone call, I gave them my new MAC address and fired up the modem. I did experience a couple of network problems, but it turned out to be a router problem at my end, so I can't fault Cox for that.

I also noticed that the voice quality of my VoIP service (Sunrocket) immediately improved as well.

So, put me in the "highly satisfied customer" group. Kudos to Cox for offering this service!

Quite a few years ago, I became a "Mac hater". Long story, but the short of it is that a Mac net used by our publications department (at a company where I was working) let me down at a critical time. It caused me a lot of grief. Then, when Apple killed off the Newton, I swore eternal hatred.

Before I go on, I should note that I still use my Newton 2100 every day. It still has the best "to do" list handler I've ever used. Despite the jokes about its handwriting recognition -- which were ALL about its first generation of software -- it still recognizes my handwriting better than I do. It remains the best PDA software ever written, as far as I'm concerned.

And then, slowly, several other things happened:
1) Apple put BSD UNIX under the hood in OS X.
2) OS X has matured through a few major releases and is now a superb OS.
3) Apple put Intel CPUs into the Macbook Pro line. "Boot Camp" added the ability to boot/install NATIVE Windows XP. So, I have that as a fall-back if I simply can't get something running under OS X. (I haven't needed to use it.)
4) I get a nice educational discount via CMU, along with a fabulous rebate on an iPod -- which I gave to my wife.
5) I've been listening to numerous people's opinions that I value who all say that it's time to try Mac. You know who you are...

So, I switched a week ago. Now, I'm hopelessly, unapologetically, completely a Mac guy. It has unified my computing needs/desires in a way that nothing else has been able to. UNIX where it matters and the world's best user interface in front. It talks with my Linux servers and my windows desktops/laptops just fine.

Plus, the Macbook Pro, with a 2 Ghz dual-core Intel CPU, DDR2 memory, SATA hard disk, etc., is the fastest computer in my gaggle. This thing absolutely ROCKS! People complain about Macs costing more than their PC counterparts, but you really do get more for the money. I'm fine with that. I've never minded paying a bit more and getting a bit more.

As a result, my laptop is no longer a traveling copy of my data. My Linux servers now carry a non-traveling backup of my work. As it should be.

The Mac talks wifi, bluetooth, usb, firewire, infrared, VPN -- you name it. I can connect up to _something_ nearly anywhere on the planet and securely connect to the net.

And, one of my favorite things about Apple, from the first day that I used my first (of 3) Newtons, is the cross-application data integration. My Macbook hasn't let me down. My IM package (iChat) gets its real names from my rolodex (Address Book). My email program (Mail) shows me a green icon next to any of my contacts (from Address Book) who is logged into IM at the moment. THAT is cross-app data integration. I haven't felt that feeling since I first learned to love my Newton. No Windows or Linux set of apps has ever provided that feeling to me. Apple GETS IT. Their software guys and gals know software like no one else. Kudos!

I now think of "PC people" as those that haven't tried a Mac. Once you try, you will never accept anything less. Redmond should be quaking in their shoes (but they're not).

Well, I've been living the VoIP experience now for a couple of months (see below). Oddly, I've settled in on a hybrid approach that includes the wildly popular Skype along with SunRocket and even newcomer Stanaphone. Why all the confusion, you ask? Well, my SunRocket service has become my primary business phone when I'm in my SOHO office; Skype is great for making calls when I'm on the road; Stanaphone allows (free) incoming faxes, which then get delivered as .JPG files to your email address. I forward my 2nd SunRocket phone number to my Stanaphone number, which enables me to receive faxes anywhere via email. (I'm trying to phase out my eFax service, as it costs me almost as much as I'm paying for SunRocket.) So, there's a reason for each of the services.

The verdict? For me, I'm really happy with SunRocket. If/when they come out with a "soft phone" service, I'll phase out Skype. Likewise, if they offer a fax service, I'll phase out Stanaphone. If you're looking for good VoIP, check out SunRocket before making your decision, IMHO.

My only service-related issue on SunRocket is that the voice quality sounds choppy if I'm really moving a bunch of data through the cable modem while I'm on a phone call. Even though the SunRocket "gizmo" does QoS, there's still some chop in the audio quality. Note that I do have my gizmo connected inside my new MIMO (802.11(pre)n) router, but the router supports QoS; and, in any case, I had the same problem with the gizmo outside of the firewall.

Speaking of MIMO, my new Belkin MIMO router that I bought at Buy.com is fabulous! (Buy.com's price was better than anyone else that I could find--I'm a fan.) Anyway, with a compatible MIMO card, I get 108 Mbps wireless speed anywhere in my house. Even on a standard 802.11g card, I get 40-56 Mbps anywhere in the house. Just don't do the AES encryption--it's horrendously slow.