December 17, 2004

Windows XP Firewall Patch

Do you run the firewall on Windows XP... the one that came with Service Pack 2? Then you will need to sneak over to Microsoft and get the latest patch for a Critical Vulnerability. Yeah, it was just released today. Bet ya didn't hear about it though, did ya?

Users who installed SP2 on their Windows XP machines and also have file and printer sharing enabled may have been sharing their files and printers with the entire Internet, according to Microsoft.

By default, file and printer sharing makes changes to the SP2 firewall to give computers on the "local network" access to shared resources. However, the definition of that local network depends on the Internet service provider (ISP). In some cases, especially with dial-up ISPs, it meant the entire Internet, according to Microsoft.

But hey, let's not tell anyone about it 'kay? Just keep it quiet and low key - no one will ever have to know...

Microsoft first discussed the firewall issue in an article on its Web site in September. A "critical" update for Windows XP SP2 was released on Tuesday. However, though issued on the same day, the update was not part of Microsoft's monthly security updates. That's because security updates are only for software vulnerabilities, according to Schare.

"A vulnerability is a software bug that needs to be repaired to avoid a security issue. This is a configuration setting that shipped with Windows XP that was not optimal, but that is not classified as a security vulnerability," he said.

You see... silly people, this is a "configuration issue"; it couldn't possibly be classified as a "security issue", even if everyone and their brother can see your files on the Internet...

And Microsoft wonders why people don't take their security prattling seriously!

Posted by: Teresa in WebTech at 11:53 AM

December 09, 2004

Government and Cyber Security

Two concepts that don't mesh well. I was wandering by Heather's place to see if she had posted anything... but alas her main page remains blank. So, I did the next best thing and wandered over to the blog of her beloved spouse BrianJ. As usual when I visit, he has lots of terrific things to say and naturally I noticed the post about the government and computer security.

From a CNN story, "Bush pressed for more Net security", it looks as if a few more people want to climb onto the government gravy train. As Brian says:

As a taxpayer and a customer, I don't look forward to the expanding synergy between government security administration and private industry. Let's take an example from recent history: airports. Airlines, leaky boats which the government frequently bails out with buckets of taxpayer cash, and airport authorities, government bureaucracies in their own right in many cases and not very good at for-profit in others, abdicated their obligation to secure their places of business. First, they took government funds to pay for their own surly security employees, and when that wasn't enough, the government stepped in and provided its own employees, surly and unaccountable to the private sector, to grope grandma.

This is absolutely correct. Whenever government comes in the door, common sense goes out the window. So what is it they want the government to do for us?

The Bush administration should spend more on computer-security research, share threat information with private-sector security vendors, and set up an emergency computer network that would remain functional during Internet blackouts, a computer-security trade group said.

Let's take the points one at a time...
1) spend more on computer-security research. First of all, there is already money being spent on this. Do we know where it goes? How effective the current spending is? After all we have the NSA, we have CERT, we have public universities getting government funding for just this sort of thing. But as usual, we get no accounting of current money going in, we get no clue as to what new money is needed for... only the ubiquitous "computer-security". Sorry guys you'll have to do better than that!

2) share threat information with private-sector security vendors. What? Only security vendors? Does this mean that if you're a regular business you don't get the opportunity to find out about a threat until you pay a security vendor? Also, there is already CERT, which is "funded primarily by the U.S. Department of Defense and the Department of Homeland Security, along with a number of other federal civil agencies" - to quote from their web site. Seems to me this point is already being taken care of properly. If you don't like the way CERT runs, maybe it should be changed. But why are they trying to reinvent the wheel?

3) set up an emergency computer network that would remain functional during Internet blackouts. Apparently none of these big ole security honchos know even a little bit of the history behind the formation of the Internet... Might I suggest the book by Peter Salus, "Casting the Net: from ARPANET to INTERNET and Beyond"? It was written in 1995 (they must have missed it), but he makes it clear that the Internet was started by the Defense Department in order to have a means of communication that was redundant and resistant to failure in case of nuclear attack. (Some people need these things spelled out for them because they didn't pay attention the first time the information came their way.) Now, there are certainly ways that the current Internet can be made more reliable and less prone to failures, but failures are why we have the net in the first place... so once again we are being asked to reinvent the wheel - this time it's a wheel from one of those big mining machines - you know, the HUGE ones.

No, as far as I can see, no one is bringing anything new to the table. They simply want an influx of cash with themselves as the beneficiaries... Oh but there is one more thing they want.

One especially important move, they said, would be to elevate Yoran's successor to the assistant-secretary level within the Homeland Security Department.

Ah, that political clout - that's worth some cash too, isn't it? Once you get someone in at a secretary level, you get more of a chance at the cash. Sorry, but in the interest of computer security, I think we need to leave the government out of things or at least off to the side. Currently they can't secure their own systems, so putting them in charge of security would be like taking a cop who allows every criminal to escape and making him the head of the prison.

Thank you, but I'm going to keep my hand on my wallet for now. This looks like another sinkhole for money of monumental proportions.

Posted by: Teresa in WebTech at 06:33 PM

December 06, 2004

Pam Asks...

In my previous post I was laughing at the wording of an article. Pam asked the following...

Nobody's ever heard of backing up their data?

I don't know what type of software it is, but whenever hubby patches the huge telephone systems - or voice mail systems - he backs up the data first.

These customers don't have in house geek support? ;)

Very valid questions - I was going to answer in the comments, but it got a bit long. So, I'm pulling it into a separate post all on its own. If you don't like geek speak - I will put the rest in the extended entry so you can ignore it. *grin*

Posted by: Teresa in WebTech at 11:42 AM
