Monday, February 26, 2007

Has your social security number been stolen? 

There's a web site where you can check whether your SSN or credit card number has been compromised. You do this by typing it into their form, and they check their fraud database. They claim to have over two million numbers in there which they believe have been compromised.

This made me a bit nervous, but the parent company, TrustedID, says in their FAQ that a crook would also need your name, billing address, date of birth or other such information to commit fraud. The session is encrypted, just as it should be. I wish they didn't make me turn on JavaScript and cookies. I decided against putting in any sensitive numbers of my own. I didn't have any logical reason and you might want to give it a try.

They do some real checking. 078-05-1120, the usual dummy SSN, gets an error message. Richard Nixon's SSN gets you a warning that your security is at risk and you should consider signing up for their credit monitoring/control service for $90/year.

I found out about the site from a New York Times story about an activist who tries to stop governments from publishing Social Security numbers.

|

Sunday, February 25, 2007

Security: you've got to want it 

via Stupid Security, the comments section of The Daily WTF describes some real-life incidents at hospitals and military bases.

Hospitals are regulated to protect confidential health information. But what do you think happened to the morale of employees who wanted to protect privacy and security when, as "Calli Arcale" wrote,
My brother-in-law got fired from one security job (at a hospital, no less) for upholding policy and verifying an unbadged person's identity before letting them in.

That discussion triggered a flood of horror stories, including plenty from the military:
Re: The Direct Approach
2007-02-05 13:08 • by Jethris (unregistered)

The military is good for these.

I worked in a classified data center. We had duress words to use to signal whomever we talked to that we were under duress. One of them was Scrabble.

We then had our security police come in through the building and see how many offices they could get into. They faked a pass (had a picture of a bunny on it), and then went to each workcenter.

"Hello, my name is Mr. Scrabble. I have a new employee, and we're going around to each office for the newcomer's tour."

3/4 of the offices let him in, gave him the tour (which was probably classified as well). At our shop, we actually called the security police and then were given kudos for actually following the rules.

Elaborate features don't keep you safe; what you need is to think things through:
Re: The Direct Approach
2007-02-05 14:57 • by muttonchop (unregistered)

I used to work for a large research facility. The building I worked in had two sets of doors at the main entrance, an inner door and an outer door. The inner door was locked at all times, and employees had to enter a code into a keypad to gain entry. The outer door was left unlocked during the week. Between the two doors was a window looking into the receptionist's office and a telephone, so any guests arriving could either ask the receptionist to open the inner door, or phone someone to come and let them in.

About a month after I started working there, it was decided that the keypad system wasn't secure enough and that it should be replaced with a badge reader instead. We were all issued new access badges, and the reader was installed. On the outer door. Now that it was no longer needed, the keypad on the inner door was removed, so it remained unlocked at all times.

However, we had a problem. Guests still needed to be able to gain entry to the building, so to accommodate them the outer door was left unlocked during the week. To sum up, we went from an unlocked outer door and a locked inner door to two sets of unlocked doors, because the old system was not secure enough.


See also How to break into a high security data center.

If you hire someone like me, I'll emphasize choosing a security policy that will actually get followed. It may not be the cheapest and it may not be the most impressive, but the security measures you can live with day by day are the only ones that will do you any good.

|

Saturday, February 24, 2007

Major Firefox bug, and what to do 

Yesterday, someone found a bug in Firefox which could allow a hostile web site to take over your computer.

You should have seen Firefox prompt you today to download and install an upgrade.

If that hasn't happened, make sure you have automatic updates turned on. The setting is under Tools/Options/Advanced, where there's a radio button that says to automatically download and install updates.

After the update, close Firefox completely (including that stupid Downloads window) and restart.

You should be running version 1.5.0.10 or 2.0.0.2 when you're done. Check Help/About to make sure.

As partial insurance against future problems like this one, I still highly recommend the award-winning NoScript Firefox extension.

|

Physical security 

Which is safer: a tape dispenser, or an explosion that blows up a tape dispenser?

via Bruce Schneier's blog, Police Service of Northern Ireland mistakes crime scene tape for a bomb. There's some reason to be twitchy in Northern Ireland, but still...

In the Netherlands, the Enschede bomb squad was called out and confined nearby people to their homes over one of their own transmitters.

Bruce Schneier argues that throwing money away on false alarms hurts security. The contrary point of view would be that they keep bomb squads in practice.

|

Friday, February 23, 2007

Before and after that "please enter your account details" scam 

Researcher Guillaume Lovet explains the economics and organization of criminal activity online.

There's a whole marketplace of skills and labor behind online scams. According to Lovet, when you get one of those emails telling you that your account at Third Second First Bank will be closed unless you log in immediately with your account number, banking password, Social Security number, all of these people will have been involved:

Developer -- This is the person who writes up plausible-sounding scam email and makes the tools to set up a phony web site that looks like your bank and records your password.

Operator -- the person who sends out the spam telling you to log in. This person uses the tools from the developer and is often a juvenile.

So, the operator winds up with passwords for a bunch of bank accounts. What to do with those? Transferring the money to the operator's own bank account would be astonishingly stupid. So the usual approach is to sell the account information to the

Launderers -- based in some country with vague or poorly enforced laws, these people buy the passwords from the operator (maybe $400 for a large account), log in, steal the money, and maybe send a cut back to the operator if they're honest, which by definition they aren't.

All these people get together in virtual bazaars in chat rooms, though there's some suspicion that organized crime may have some permanent infrastructure. Money changes hands outside the normal banking system, by Western Union or some of its virtual equivalents.

Stolen credit cards are a separate market. They typically come from break-ins at merchants and are sold in blocks of 10, 100, or even more. They're laundered by buying and shipping resalable goods to confederates and selling them on eBay.

The paper also explains why people try to put adware on your computer.

There aren't any really new security lessons for end users. Remember that you're up against organized crime when you pick a place to type your banking password, and remember that if you're rich and anyone finds out about it then it's worth $400 to somebody to trick you out of your login information.

|

Thursday, February 22, 2007

Why isn't your security consultant recommending something shiny? 

If you hire someone like me, take it in stride if your office doesn't look like something out of James Bond when I'm done.

There are some security measures that not enough people pay attention to, and I'll certainly let you know about those, but sometimes a problem just isn't worth "solving".

Someone I hadn't run into before, Darryl Burling, has an insightful and profound article about security in a mobile phone payment system (mobile wallet). In a nutshell, there aren't many security precautions at all in the system he talks about. But, the risk is low since the target customers keep tight control over their cellphones, the payment system can be turned off if the phone is reported stolen, and the maximum transfer is $125/day anyhow.

Sometimes your security consultant may tell you something just is not worth the effort to protect.

But beware of jumping to conclusions. What if someone figures out a way to impersonate any cellphone they choose and writes a program to drain the payment accounts of all the cellphones in the system? That is worth some real effort to prevent.

|

Wednesday, February 21, 2007

How to read security news: if it sounds strange, 

it probably is.

via Bruce Schneier's blog, a Vancouver police officer warns that a city-wide wireless Internet service could facilitate terrorism.

When something like this comes along, you want to ask the usual critical-thinking questions like whether the Internet is that important to terrorists, whether terrorists are any better off on a citywide network than at a coffee shop, and whether the police would be better off because once they get a warrant it's really easy to eavesdrop on a city-wide wireless network.

The best point the officer makes is that some medium-important government functions could be using the same network, in which case you want to ask why those would be left vulnerable to tampering by others on the network.

|

Tuesday, February 20, 2007

How to read security news: Microsoft antispyware criticized 

The Register asked all the right questions about recent reviews of Windows Defender antispyware.

A couple of recent press releases claimed that Microsoft's antispyware product only caught half or less of the dangerous spyware on the Internet. My eyebrows went up: MS bought the software and at the time it was one of the best on the market. Had it gone downhill?

One news story was that Windows Defender had failed to block 84% of a sample of malware. The Register asked the question you should have, namely who picked the sample. It was the same firm that did the testing, namely Webroot. Webroot makes a competing antispyware product (a highly regarded one, by the way). You might prefer to look for a more independent study.

Enex Testlabs is an independent firm that tested several antispyware products. They reported that the Microsoft product only caught at best 53% of threats, far behind the 89% score of Spyware Doctor from PC Tools. Here you want to ask who paid for the testing. According to The Register, PC Tools did.

Well, you can't jump to conclusions here. For all we know, PC Tools knew they had the best product on the market and knew that by paying for an honest test they'd get great data for sales. Certainly I've never heard a word against their product.

The next question you want to ask is whether the best product is good enough. If you download software indiscriminately or incautiously visit a lot of web sites run by greedy people, 89% coverage is not enough. I still recommend running more than one antispyware package. Free ones can't afford to buy ads or tests but are often technically excellent: Spybot Search & Destroy and AdAware are both good choices. To protect yourself, beware of random goodies: you might be avoiding porn and gambling sites, but there are a lot of useful-sounding toolbars and utility programs that come with spyware included, and the most dangerous places to visit are actually the ones offering "free games".

And in answer to your next question, I'm not getting anything except news and software from any company mentioned in this post.

|

Monday, February 19, 2007

Really, don't give out your password

via Frank Hayes at Computerworld:

Sometimes it seems convenient to give out your password. That was apparently the reasoning used by the county coroner in Lancaster, Pennsylvania, who decided the simplest and most efficient way to answer questions from the news media was to give them his login information.

He may not have stopped to think about how sensitive the information was. He let the reporters into confidential police information.

Ever considered calling 911 to report a drug dealer?
According to the grand jury report, the results of those password leaks weren’t trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn’t. “That caller’s name was made known on the streets, and the caller was severely beaten in retaliation,” the grand jury report said.


The information under your own password may not be that dramatic but it's probably more important than you expect.

|

Sunday, February 18, 2007

Voting machines get examined, despite the manufacturer's efforts 

Techdirt has a funny story, which they wrote up so well I can't think of a way to add value to it:
Want To Examine E-Voting Machines That E-Voting Companies Won't Let You See? Do You Have $82?

The term "security by obscurity" used in the article is shorthand for acting like an ostrich, pretending that security problems are OK if you keep them secret, or that nobody will break into a system if they don't know how it works. Security pros believe that security comes from having lots of clever people able to examine (and therefore critique and propose fixes for) a system.

UPDATE 2/18:

The first results are in from the Princeton study of Sequoia voting machines. The company says the results are "not based on ...reality" because the attacks couldn't happen at a polling place while the machines were being watched. OK, but plenty of jurisdictions have let poll workers store the machines at home, and the anti-tampering seals on some machines have been way too easy to remove and replace.

|

Saturday, February 17, 2007

Undertakers and your default router password 

An undertaker was the man who invented the first automatic telephone switch, and that's related to why you should change one of your default passwords.

In 1891, you made a phone call by calling a human operator at the central office who would put a wire in a patch panel to make a circuit with the person you were calling. Theoretically, a crooked operator might take a request for "Strowger's Mortuary" and connect it to a different undertaker's circuit.

Nobody knows if that was really happening, but Almon Brown Strowger ("eccentric, irascible and even mad") believed that the phone operators were diverting incoming calls from his undertaking business. So he invented a fully automatic telephone exchange.

On the Internet today, the equivalent of the correct plug to connect to somebody's phone is a numeric address, one of the things you've seen written as four numbers with dots in between. There are computers which do the job of the old phone operators, taking a request for "strowger.com" and turning it into 67.19.21.202.

What if those computers were as dishonest as the long-ago phone operators were feared to be? You could be sent to the wrong site no matter what precautions you took about using bookmarks or checking the human-readable addresses.

So it's important to talk to the right computers when you want to use a human-readable name on the Internet. For most home broadband users, the choice of what computers do that work is made by that little box plugged into your DSL or cable line. It might be from your ISP, it might have a name like D-Link, NetGear, or Linksys, it might double as your firewall, but in any event you probably ignore it most of the time.

Which leads us to the problem that security firm Symantec is publicizing now. That little DNetLinkGearSys box can be reprogrammed from your computer with a simple web interface. The reprogramming could put you in touch with computers that lie about Internet addresses. And the cap on all of it is that a hostile web page could trick your browser into going to the little box's web page and making the changes, with nothing standing in the way except the little box's password.

A password which you've never changed, in all probability. If you haven't changed it, then it's still a factory default value that is available to everyone in the world.

What happens next, if crooks are behind it, is that the next time you think you're going to yourbank.com, you get redirected to a copy of your bank's web site on the crooks' computer and the crooks record your password. If that sounds farfetched, it isn't -- crooks are playing the same game already but with different tactics.

I've got a few unanswered questions on the technical aspects of this, but the countermeasures are all good ideas anyway:
o Change the default password on your router/firewall/wireless access point. Actually, change all the default passwords.
o Install and run the NoScript extension in Firefox.
o Avoid sleazy web sites that might be the source of attacks.

|

Friday, February 16, 2007

Yet another "but so what" article 

Allegedly, employees who will later commit sabotage have identifiable behavior traits in advance of the incident. A Carnegie Mellon University security study has details.

So, what is it that you're supposed to be afraid of?
Nearly all the cases of cybercrime investigated were carried out by people who were disgruntled and paranoid, generally showed up late, argued with colleagues and generally performed poorly

Is that true because it's a description of IT people in general? The people doing the job of laid-off colleagues are disgruntled (and who disgruntled them? They must have been gruntled sometime in the past). Any effective security administrator is going to get called "paranoid" by somebody. Computer people are seldom morning people: they work late into the evening when things are quiet and don't come back in until after 8:45. Arguing with colleagues is downright healthy unless the colleagues are infallible, and nobody can perform well in the typical understaffed corporate environment.

The value of the study is that the majority of "insider" crime is by recently fired people who still have sensitive passwords. So revoke the passwords on termination. This is a lot easier if you have separate passwords for every employee, something that also makes accountability easier to achieve.

But one source in the article disagrees:
Macleod's solution is password management. This means ensuring that policies and standards are in place to control administrative access by containing the number of privileged accounts to three or fewer.


I'd also recommend not poisoning the relationship between you and your IT employees, and listening to them when they warn you about dangers like laptop theft and missing backup tapes. But no, according to the article you're not supposed to listen and in fact you're supposed to treat anyone who speaks up as an enemy:
Macleod concluded: "So as far as doing the right thing, I’d suggest that you start from the basis that your IT [staffers] are the biggest risk to your organization's security, and if [any] of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack."


That attracted a rebuttal on the geek forum Slashdot from user "millionthmonkey", who quipped:
You should assume witches are the biggest risk to your organizational security.

If any of the witches in your organization denies being a witch, remember that arguing with colleagues about it is one of the clear signs of impending witchcraft.

Another poster there, "glas_gow", wisely noted "If they'd turned up on time, were cordial with their colleagues and performed better, they'd never have been caught."

The constructive approach is to run background checks before hiring people for sensitive positions. If that's not enough, do what banks do and require two people for important operations. There are plenty of other ways to prevent or contain damage from malicious insiders that don't say "I fear and despise you". Many of those ways also protect against just plain normal errors.

|

Thursday, February 15, 2007

Word documents. Again. (pounds head on wall). 

Last year the people who enjoy hunting for security problems found some in Microsoft Word. The upshot was that bad guys could build a file that Word would open and which would send Word off the rails in such a way that the bad guys could make it run a program of their choice. Microsoft's first of their Ten Immutable Laws of Security says "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore".

Bad guys took advantage of this Word problem. Meantime another one got discovered, then another, then a fourth. (Two of them turned out to be the same, so it was really only three critical bugs). Microsoft didn't have a fix tested and ready to go until this Tuesday.

Guess what happened today?

Another announcement of a security bug in Office 2000 and Office XP.

Bad guys are reportedly using the bug already, but not on a large scale. Not yet, anyway.

Do run an antivirus scan of new Office documents you get from others, but you can't depend on it totally. Do follow up with the sender on Office documents that you weren't expecting before you open them. Consider asking to get documents in RTF format, which may be simple enough to avoid triggering the bug.

|

Pockets threaten your wireless network 

There's a pocket-sized tool that will scan for and join Wi-Fi networks, crack their security if possible, read any shared folders from computers on the network, and launch attacks against them from a library of attack techniques.

The only thing new here is that it's small and doesn't require technical knowledge. People have been doing the same thing with laptops and free software for years.

The target market is government. So this doesn't affect you unless you're doing something illegal, like downloading music, or something suspected of being terrorist, like protesting the war.

There's no change to how you need to secure your wireless network. Ignore anything called "WEP" in the configuration screens, use strong passwords if you use "WPA", and since secure setup is such a pain with today's gear consider scrapping everything and buying new gadgets that support "WPS", a setup standard that's supposed to make the process feasible for people who have other things to do.

|

Wednesday, February 14, 2007

Reminder: Microsoft Patchday. This is a big one 

There are many, many fixes that take care of problems Microsoft rates as "critical". Don't put this one off. Log in as an administrator, pick Windows Update from the Start menu, etc.

|

I've quoted the New York mother 

who taught her daughter, in a city with many dangers, "Be alert, be aware, but never be afraid".

That came to mind again when a writer I usually like, Scott Granneman, wrote about the abuse of fear to sell computer products.

His poster child example is Bill Gates trying to frighten people away from the Macintosh: "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally." Completely false, worse than any good-faith exaggeration could be, but it will stick in people's minds regardless.

Reason is your best ally in staying safe online. When I advise you to avoid all versions of Microsoft Internet Explorer before version 7, it's because of the security bugs listed at Secunia and the prevalence of web pages that are dangerous to IE users (and the sheer extent of the damage they can cause you). But don't be afraid: install Firefox with the NoScript extension and enjoy the treasures of the web.

|

Monday, February 12, 2007

Review of 6 rootkit detectors. Six what?! 

A "rootkit" is a program that blinds you and other programs on your computer to its existence. It can conceal other files and programs. If you can't see what's on your computer, you're not really in control of it.

A rootkit might be part of the nastiness installed by other unwanted software. A rootkit might conceal malicious software from antivirus or antispyware products.

Infoworld reviewed six programs for detecting infection by a rootkit.

"The best things in life are free" applies to software. The reviewer's top choice is a Russian programmer's free product, "Rootkit Unhooker". It detected all the test cases and wasn't too hard to use.

Is this something you need? I'm torn about how to advise you. A rootkit detector is potentially as troublesome as antivirus software, the results may be harder to understand, and the threat isn't overwhelming yet.

More information


There are no files on your computer

Some religions teach that all the world is an illusion. On your computer, that's a simple everyday fact. Your hard disk is just a set of magnetic patterns. Electronics on the disk makes it look to your operating system like a bank of data with addresses for each piece. Your operating system assembles chunks of the data and makes it look like files to you. Not just to you, but also to the programs you use. Your word processor sees the illusion of files that the operating system creates, and then adds another layer of illusion by making the file look like a paper document.

I've oversimplified. The operating system itself is an onion, with layers of illusion wrapped around each other.

Every time you hear words like "virtual" or "abstraction" it means someone has created an illusion.

If a layer of the onion closer to the middle chooses to hide something, then none of the outer layers can see it.

Rootkits try to get closer to the center of the onion than any program that might detect them. It's an arms race. The most dangerous rootkits are the ones closest to the center of the Onion of Illusion, and are called "kernel rootkits".

As your computer reboots, it builds a new Onion of Illusion. The only way a rootkit detector can work in the long run is if it's on a CD-ROM and you reboot to use it. Once an infected computer is up and running, nobody can guarantee detecting an organized deception like a rootkit.
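The reboot-from-CD idea above amounts to a cross-view comparison: list the files once from the running system and once from trusted boot media, then look for disagreements. The following is an added example, not part of the original post and not taken from any of the reviewed detectors; the manifest format (`sha256 size path`), the file names and the contents are all constructed for illustration.

```python
import hashlib
from collections import namedtuple

Entry = namedtuple("Entry", "path size sha256")
Finding = namedtuple("Finding", "kind path detail")


def normalise(path):
    """Windows paths ignore case and accept either slash; compare on one form."""
    return path.replace("/", "\\").casefold()


def build_manifest(files):
    """Render {path: bytes} as text, one 'sha256 size path' line per file."""
    return "\n".join(
        f"{hashlib.sha256(data).hexdigest()} {len(data)} {path}"
        for path, data in sorted(files.items())
    )


def parse_manifest(text):
    """Parse manifest text into {normalised path: Entry}."""
    entries = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # the path itself may contain spaces
        if len(parts) != 3 or len(parts[0]) != 64 or not parts[1].isdigit():
            raise ValueError(f"line {number}: malformed manifest entry")
        digest, size, path = parts
        entries[normalise(path)] = Entry(path, int(size), digest.lower())
    return entries


def cross_view(live_text, offline_text, volatile=()):
    """Compare the live listing with the offline (trusted boot) listing.

    'hidden'       on disk but missing from the live listing: the classic
                   sign that an inner layer is filtering what outer layers see.
    'altered-view' listed in both, but the running system served different
                   bytes than the disk holds.
    'live-only'    listed live but gone offline: usually a file deleted before
                   the reboot, reported so a person can decide.
    Paths starting with a 'volatile' prefix are skipped to cut noise.
    """
    live, offline = parse_manifest(live_text), parse_manifest(offline_text)
    skip = tuple(normalise(p) for p in volatile)
    findings = []
    for key in sorted(set(live) | set(offline)):
        if key.startswith(skip):
            continue
        seen, on_disk = live.get(key), offline.get(key)
        if seen is None:
            findings.append(Finding("hidden", on_disk.path,
                                    "on disk, absent from live listing"))
        elif on_disk is None:
            findings.append(Finding("live-only", seen.path,
                                    "listed live, absent offline"))
        elif (seen.size, seen.sha256) != (on_disk.size, on_disk.sha256):
            findings.append(Finding("altered-view", on_disk.path,
                                    "live contents differ from disk"))
    return findings


# Constructed sample data: what the disk holds versus what the running
# system reported. None of these contents are real files.
OFFLINE_FILES = {
    r"C:\Windows\System32\kernel32.dll": b"constructed kernel32 contents",
    r"C:\Windows\System32\drivers\disk.sys": b"constructed disk driver",
    r"C:\Windows\System32\drivers\example_hidden.sys": b"constructed hidden driver",
    r"C:\Windows\System32\ntoskrnl.exe": b"kernel image as stored on disk",
    r"C:\pagefile.sys": b"paging data at shutdown",
}
LIVE_FILES = {
    r"C:\Windows\System32\kernel32.dll": b"constructed kernel32 contents",
    r"C:\Windows\System32\drivers\disk.sys": b"constructed disk driver",
    r"c:\windows\system32\NTOSKRNL.EXE": b"clean-looking copy served to readers",
    r"C:\pagefile.sys": b"paging data while running",
    r"C:\Temp\session.tmp": b"scratch file removed at shutdown",
}


def run_sample():
    return cross_view(build_manifest(LIVE_FILES), build_manifest(OFFLINE_FILES),
                      volatile=[r"C:\pagefile.sys"])


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.kind:13} {finding.path}  ({finding.detail})")
```

The offline manifest is only trustworthy if it was produced after booting from media the infected system could not write to; a manifest generated on the running machine is just another outer layer of the onion.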

Other metaphors: the dishonest interpreter

Each layer on your computer is doing a translation job. Your word processor translates "Save" to the operating system as "write to a file". The operating system translates that to the disk drive as a series of commands like "store these 512 bytes at sector 1b440cde".

Have you ever read one of those stories where someone is in a foreign country and gets a crooked interpreter?

Other metaphors: embezzlement

Each layer of management gives orders and takes reports from the layer underneath. Somebody at the bottom of the heap might be falsifying data by creating ghost employees (and cashing their paychecks). The corporate equivalent of a rootkit would be infiltrating the company with people falsifying reports. Then anything could happen and the executives couldn't stop it, because they wouldn't know about it.

Watchguard has some videos with more information about rootkits and how they work. (Disclosure: they bought an article from me once).

|

Sunday, February 11, 2007

You could call this computer security 

Usually the worst thing your computer can do to you is to destroy your work and your memorabilia.

Hardware problems can be worse. According to the first reports from the authorities, one person's Dell laptop was the source of the fire that burned his house to the ground. He's tried to call Dell about it. He's tried more than once. He says Dell has hung up on him.

I'll give you my usual advice that includes important things that have nothing to do with your computer as well as technical measures.

|

Saturday, February 10, 2007

Records of your Internet activities

What would you think of a situation where your internet service provider ?

Would you think that was a reasonable way to meet the needs of police investigating crimes, or would you think it went too far toward compromising privacy?

According to the Attorney General, it's not enough. Attorney General Gonzales, and recent legislation, would require ISPs to store records of your activity for years or indefinitely, whether you were under investigation or not, in case someone came along later and wanted to read all your correspondence.

The backers of this legislation are spouting about child pornography investigations. Is the scope limited to that? Of course not. Records retention would apply to all users, the records could be used for any reason, and in fact since the law only says "court orders" it could apply to lawsuits as well as criminal investigations. Think about your ex-spouse's lawyer fishing through your 'net activities N years back, and you've got an idea where the problem is here.

As a security issue, spying on hundreds of millions of people in the hope of catching a few hundred is usually a losing proposition.

|

Friday, February 09, 2007

When the security software is dangerous: Trend Micro bug 

Trend Micro makes a well-respected antivirus program that often shows up as a top performer in independent tests. But it just turned out to have a bug, one of the worst possible kinds, which can completely take over your computer even if you don't have administrative access yourself.

Trend Micro has already fixed the problem and released a fixed version as a free download. If you're running their product, upgrade. Upgrade very soon. Sometimes the bad guys jump on these almost instantly.

Things like this have happened before, to other companies. It seems to be easy to build security products with bugs in them, and certainly they're a high-profile target for people who like to find security bugs.

There's really no way to tell ahead of time what products are likely to be safe: there isn't enough track record yet and there's no feasible way for you to evaluate a product's resistance to all possible attacks.

The best defense against this kind of problem is to keep updating your software on a regular schedule. Most vendors will roll out an upgrade with a fix once they find out about a security issue.

|

Wednesday, February 07, 2007

Voting machines: please talk to your Congresspeople 

There's a good bill in the House that would fix the worst problems of today's voting machines. It outlaws secret voting systems and requires the authoritative record to be on auditable, guardable, tamper-evident paper.

It's H.R. 811, the Voter Confidence and Increased Accessibility Act of 2007. If you go to http://www.house.gov, you can get contact information for your Congressperson at the top left.

It's not perfect (not everybody will check computer-printed ballots), but it's a huge step up, especially since it makes it easier to check that machines are honest.

|

Do as I say, not as I do 

In case you're not following Brian Krebs's Washington Post column about security, he has a good column about a security gaffe at the high profile RSA Conference for computer security pros.

The lesson to take away is to think three or four times about typing any valuable password into a computer you don't control.

|

Tuesday, February 06, 2007

Physical security: details count. Airports again. 

Baggage handlers, law enforcement agents, and others who need to get onto the tarmac have special electronic badges to unlock gates. Somebody probably thought carefully about the technology of the badges.

But procedures count, too. When an employee leaves, there had better be some procedure to get the badge back, or at least deactivated.

via Infosec News, a Chicago CBS affiliate reports that badges are lost, unaccounted for, and not always deactivated when an employee is terminated.

From the article:
CBS 2 tracked down some former employees. One is Obang Omat from Sudan. He says he quit in September, but the Department of Aviation’s database shows his badge was still active until Nov. 14.

“I sent the badge and my uniform back to the company in the mail after Sept. 22,” Omot said. “That’s when I quit and moved to Minneapolis.”

Omot has two aliases associated with his criminal record in Cook County and, since 2001, he has been arrested seven times for crimes including aggravated assault with a deadly weapon and for exposing himself. He was convicted on charges of resisting arrest and reckless conduct. His badge is still listed as missing.
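The procedural gap in this post, and the advice in the February 16 post to revoke passwords on termination, both come down to reconciling the personnel list against the list of live credentials. The following is an added example, not part of the original posts or the quoted report; the record layout, identifiers and dates are constructed, with one badge loosely following the September-to-November timeline quoted above.

```python
from collections import namedtuple
from datetime import date

Credential = namedtuple("Credential",
                        "cred_id kind holder disabled_on reported_lost")
Finding = namedtuple("Finding", "rule cred_id holder exposure_days")


def audit_credentials(terminations, credentials, as_of, grace_days=1):
    """Reconcile HR termination dates with badge and account records.

    terminations maps employee id -> last day of work (None if still employed).
    Rules reported:
      no-owner                  active credential whose holder is not a known
                                employee (shared or orphaned, so no accountability)
      lost-but-active           reported lost, never switched off
      active-after-termination  holder has left, credential still works
      late-revocation           switched off, but more than grace_days after
                                the holder left
    exposure_days counts the days the credential outlived the employment.
    """
    findings = []
    for cred in credentials:
        active = cred.disabled_on is None or cred.disabled_on > as_of
        if cred.holder not in terminations:
            if active:
                findings.append(Finding("no-owner", cred.cred_id,
                                        cred.holder, None))
            continue
        if cred.reported_lost and active:
            findings.append(Finding("lost-but-active", cred.cred_id,
                                    cred.holder, None))
        left = terminations[cred.holder]
        if left is None or left > as_of:
            continue  # still employed on the audit date
        end = as_of if active else cred.disabled_on
        exposure = (end - left).days
        if active:
            findings.append(Finding("active-after-termination", cred.cred_id,
                                    cred.holder, exposure))
        elif exposure > grace_days:
            findings.append(Finding("late-revocation", cred.cred_id,
                                    cred.holder, exposure))
    return findings


# Constructed sample records (employee ids, badge ids and the year are made up).
TERMINATIONS = {
    "E1001": date(2006, 9, 22),   # left in September
    "E1002": None,                # current employee
    "E1003": date(2006, 12, 1),
}
CREDENTIALS = [
    Credential("B-17", "badge", "E1001", date(2006, 11, 14), False),
    Credential("svc-admin", "account", "shared", None, False),
    Credential("B-22", "badge", "E1002", None, True),
    Credential("jdoe", "account", "E1003", None, False),
    Credential("B-30", "badge", "E1003", date(2006, 12, 1), False),
    Credential("asmith", "account", "E1002", None, False),
]


def run_sample():
    return audit_credentials(TERMINATIONS, CREDENTIALS, as_of=date(2007, 2, 6))


if __name__ == "__main__":
    for f in run_sample():
        days = "" if f.exposure_days is None else f" ({f.exposure_days} days)"
        print(f"{f.rule:25} {f.cred_id:10} holder={f.holder}{days}")
```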

|

Sunday, February 04, 2007

More hazards from Microsoft Office documents 

The latest affects people running XP Service Pack 2, earlier versions, and it's alleged to affect people running Microsoft Office on the Mac though the description sounds like it shouldn't work there.

Excel documents can carry attacks.

Attacks are happening in real life, but so far have been limited and targeted.

Antivirus may help. Meanwhile beware of unexpected Excel spreadsheets in the mail.

|

Friday, February 02, 2007

Physical security: responding to terrorism 

Here's one recent quote:
"We therefore have to avoid falling prey to the terrorist propaganda which would have people believe that this is a clash of civilizations or cultures or religions"

and
"Over-reaction to terrorism, it should be remembered, is a fundamental objective of most terrorists in history. We should not accommodate their goals in this regard."

Who said that? Some liberal? Some armchair theorist who doesn't understand the threat?

Those quotes are from Jim Judd, director of the Canadian Security Intelligence Service.

|

Thursday, February 01, 2007

This story is overblown 

It's funny, though. If you turn on the Vista feature that lets you give voice commands to your computer, it will obey voice commands from sound files on Web pages. If you needed another reason to hate web pages with obnoxious noises that play without your permission, now you've got one.

This kind of news catches everyone's attention because it's easy to understand and sounds scary, but here's why it's not particularly newsworthy:

|
