April 22, 2005

The Thief Shakes in His Shoes... From Laughter

Yesterday Michelle Malkin had a link to a story about a Berkeley professor who ended his class lecture with a pretty funny, over the top, scare tactic. Apparently, the good prof's laptop was stolen from him and he was trying to scare the culprit into returning it - the return to the professor being the thief's only means of salvation. It's quite amusing. There are audio versions, but Blast Radius went to the trouble to transcribe the diatribe. For which we should thank him, since I can now easily comment on it, without having to transcribe it myself.

"Thanks Gary. I have a message for one person in this audience - I'm sorry the rest of you have to sit through this. As you know, my computer was stolen in my last lecture. The thief apparently wanted to betray everybody's trust, and was after the exam.

First of all - if he doesn't know who the thief is, how in the world does he know WHY the thief stole his laptop? Was there a note left behind... "hey dude, sorry I took your laptop, but I really wanted to get hold of the exam you have on here!" Right off the bat, the professor has stepped into it - showing he'll jump to any and all conclusions, with absolutely no proof.

The thief was smart not to plug the computer into the campus network, but the thief was not smart enough to do three things: he was not smart enough to immediately remove Windows. I installed the same version of Windows on another computer - within fifteen minutes the people in Redmond Washington were very interested to know why it was that the same version of Windows was being signalled to them from two different computers.

Please - professor, before you start talking about what Microsoft is doing... please find out how the process works so you don't sound like a complete moron. (I'm just sayin'). Now if he did try to install the same version of Windows (one assumes in this case it was XP which is the ONLY version that will do this presently) on a different computer... the result would be an inability on his part to activate his newly installed version of the operating system on the second computer. In other words - it just wouldn't work. Microsoft doesn't give a hoot in hell whether or not you can get the computer to boot. They'll just make sure that your OS won't work until YOU get in touch with THEM. Got it? They don't go to you... You have to go to them! So, there we have the second problem with the big scary lecture.

The thief also did not inactivate either the wireless card or the transponder that's in that computer. Within about an hour, there was a signal from various places on campus that's allowed us to track exactly where that computer went every time that it was turned on.

Next load of crap - man it's getting deep in here... unless the wireless card had a hard coded IP address in it - highly unlikely - there is no way (without digging into the MAC address - the actual hard coded number given out to each Network Card) to figure out which wireless card is accessing a wireless access point. You see - in large networks, it's logistically impossible to give out IP addresses individually, so network cards are set up to go to a server which then gives them an IP address to use, when they boot up or when they turn on their wireless card to access the internet. This means that every time you hook up to the internet, you are given a new IP address - thus making it nearly impossible to distinguish which IP goes with which computer. There are ways - but they are involved and take time.

Plus - if the laptop had some sort of "transponder" that could let it be tracked - this would be separate from the wireless card... then it should be a matter of mere minutes until you find the laptop and likely the person who stole it. I'm not sure about tracking devices (think lojack) and how they would affect the workings of the computer - I'm sure there must be some sort of device like it out there - but the chances of a college prof using something of that sort are about nil.
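The "ways" mentioned above come down to the MAC address: the IP changes with each lease, but the same MAC appears in the DHCP server's lease log and in the access points' association logs. An added example (not from the original post) that joins the two; the log formats, MACs, IPs and access point names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs. The line formats are assumptions for this example,
# not the output of any particular DHCP server or wireless controller.
DHCP_LEASES = """\
2005-04-20T09:02:11 lease 10.4.12.57 mac=00:11:22:33:44:55
2005-04-20T09:05:40 lease 10.4.12.58 mac=00:aa:bb:cc:dd:01
2005-04-20T13:47:03 lease 10.7.3.201 mac=00:11:22:33:44:55
2005-04-21T10:15:29 lease 10.9.0.14 mac=00:11:22:33:44:55
"""
AP_ASSOCIATIONS = """\
2005-04-20T09:02:09 assoc ap=library-2 mac=00:11:22:33:44:55
2005-04-20T09:05:38 assoc ap=library-2 mac=00:aa:bb:cc:dd:01
2005-04-20T13:47:01 assoc ap=student-union-1 mac=00:11:22:33:44:55
2005-04-21T10:15:27 assoc ap=dorm-west-4 mac=00:11:22:33:44:55
"""

def parse(log):
    """Yield (timestamp, fields) per line; a bare token without '=' is the IP."""
    for line in log.splitlines():
        ts, _kind, *rest = line.split()
        fields = {}
        for tok in rest:
            key, sep, value = tok.partition("=")
            fields[key if sep else "ip"] = value if sep else tok
        yield datetime.fromisoformat(ts), fields

def track_device(mac, leases=DHCP_LEASES, assocs=AP_ASSOCIATIONS,
                 window=timedelta(seconds=30)):
    """Return [(time, access_point, ip)] for every sighting of one MAC address."""
    mac = mac.lower()
    mine = [(ts, f["ip"]) for ts, f in parse(leases) if f["mac"].lower() == mac]
    timeline = []
    for ts, f in parse(assocs):
        if f["mac"].lower() != mac:
            continue
        # The lease handed out just after the association is the IP used at that AP.
        ip = next((addr for lts, addr in mine
                   if timedelta(0) <= lts - ts <= window), None)
        timeline.append((ts.isoformat(), f["ap"], ip))
    return timeline

if __name__ == "__main__":
    for when, ap, ip in track_device("00:11:22:33:44:55"):
        print(when, ap, ip)
```

Searching the same logs for any one of the three IP addresses would find a single session; only the MAC ties the sightings together.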

I'm not particularly concerned about the computer. But the thief, who thought he was only stealing an exam, is presently - we think - is probably still in possession of three kinds of data, any one of which can send this man, this young boy, actually, to federal prison. Not a good place for a young boy to be.

First of all - anyone who is in college, is old enough to be considered a "young man" or "young woman" not a "young boy" or "young girl" - sorry, but they are adults now, not babies. And once again, we have another assumption.... the gender of the thief. Unless he knows who stole his computer - why is he assuming it's a man? Sounds like he's a male chauvinist to me... I think NOW should be denouncing this professor as insensitive!

You are in possession of data from a hundred million dollar trial, sponsored by the NIH, for which I'm a consultant. This involves some of the largest companies on the planet, the NIH investigates these things through the FBI, they have been notified about this problem.

You are in possession of trade secrets from a Fortune 1000 biotech company, the largest one in the country, which I consult for. The Federal Trade Communication is very interested in this. Federal Marshals are the people who handle that.

You are in possession of proprietary data from a pre-public company planning an IPO. The Securities and Exchange Commission is very interested in this and I don't even know what branch of law enforcement they use.

And after the opening idiocies - he continues to compound it by continuing to talk...

If the above 3 paragraphs are true - in other words, if this professor had all of this information on his computer AND did not have it encrypted to keep it private, then he is guilty of gross negligence. And each company he has been dealing with, should immediately terminate any business relationship with him! Just the fact that laptops can be so very easily stolen means that any sensitive data should be encrypted for protection. There are a number of programs out there that allow people to do this - so if he didn't have any sort of protection for this "highly sensitive and very expensive" data - he should NOT have kept it on his laptop.

The next problem with the above statements.... if true, you have now given a real data thief a good reason to get hold of this laptop. Now you've yelled from the rooftops that the value of the laptop is far in excess of the hardware one would acquire for personal use or the test data that might up one grade in this class. It would be like standing up in front of the class and announcing that the thief who stole your briefcase - also took a million dollars in diamonds with it and they better give it back before the police come knocking on the door. Yeah, pretty stupid.

And he's invoking all kinds of law enforcement agency bogey men. FBI, Federal Marshals, and whoever else might take an interest. It would be nice if we could actually get these law enforcement people to sweep in and go after the thief... just think what a deterrent that would be to laptop theft. But, the sad fact is, these law enforcement offices are so completely overwhelmed by computer crime and lack of personnel to handle it - what this professor would very likely get by way of response is... "call us if you figure out that the thief is actually selling the data or making it public" - then, if you can prove the dollar amounts that are at stake are large enough... we'll try to fit you in. The way most large companies handle data theft is - they employ a private company such as Pinkerton's who do the investigative work, put it all nicely together into a case and present the end result to the FBI for action. There is just too much crime - and not enough time.

Your academic career is about to come to an end. You are facing very serious charges, with a probability of very serious time. At this point, there's very little that anybody can do for you. One thing that you can do for yourself is to somehow prove that the integrity of the data which you possess has not been corrupted or copied.

Ironically, I am the only person on the planet that can come to your aid, because I am the only person that can tell whether the data that was on that computer are still on that computer. You will have to find a way of hoping that if you've copied anything that you can prove you only have one copy of whatever was made.

Yeah, he's the ONLY one who can help... gosh what a guy. It's amazing how he can just tell what data was on his computer. He just knows... all that data... all the millions of dollars worth - and he can tell whether or not it's corrupted. As I sincerely doubt (this belief stemming from the rest of his ravings) that he's ever heard of Tripwire - a data integrity checker... I wonder how he's going to verify that the files are complete and uncorrupted. Just having a list won't do it - how would he know that data in the file hadn't been changed? As for copies of data - well, sorry but there's no way to prove copies have or haven't been made - no way at all, so it's silly to even bring it up.

I am tied up all this afternoon; I am out of town all of next week. You have until 11:55 to return the computer, and whatever copies you've made, to my office, because I'm the only hope you've got of staying out of deeper trouble than you or any student I've ever known has ever been in.

I apologise to the rest of you for having to bring up this distasteful matter, but I will point out that we have a partial image of this person, we have two eyewitnesses, with the transponder data we're going to get this person."

Okay let's finish this up. I love the deadline thing. The "I'm the only hope" part is good too. Makes you feel all nicely scared for the poor thief to think that this guy is gonna help. But you have to love the very last paragraph... if they have eyewitnesses - TWO of them! And the supposed transponder and a "partial image". Then why aren't they detaining the thief right there and then in class. They must know who it is (after all the eyewitnesses aren't eyewitnesses unless they can actually identify the thief!). Since he's making this announcement and not detaining anyone - then one concludes he's just blowing smoke.

In conclusion I would say - if you know nothing about computers except how to turn them on - don't make threats involving them and their use. You just end up looking stupid. And just like they tell parents of small children - don't make threats you can't enforce - you will only lose the respect of the child. In this case, anyone with half a thimble full of computer knowledge is laughing hysterically and waiting for him to get his next laptop.

UPDATE: Since it appears that there are some who can't quite figure this out for themselves, I suppose I have to state the bleeding obvious... the thief was WRONG to take the laptop - have we got that? That has NEVER been in question. He or She if caught should most certainly be punished - expelled from the school at the very least. What I object to is the professor's grandstanding in the matter. It was a ridiculous speech all around. What the thief did and what the professor followed up with are mutually exclusive. Just because I think the professor was idiotic sounding in his diatribe - in no way mitigates what the thief did. I hope that is now clear to all those who seem to think that criticizing the professor is endorsing the laptop theft. How amazing that I even had to write this paragraph!

Posted by: Teresa in WebTech at 01:12 PM

April 13, 2005

I'm Shocked... Shocked I Tell You!

It seems that the LexisNexis customer database has had some security problems... Just a few...

WASHINGTON (Reuters) - Data broker LexisNexis said on Tuesday that identity thieves have stolen information on 310,000 U.S. citizens from its computer systems, 10 times more than its initial estimate last month.

Thieves have used stolen passwords to lift Social Security numbers and other information from LexisNexis databases 59 times over the past two years, the company said.

Um... oops!

I'm trying to remember, without going back to dig through my archives, how many times I have ranted over the problems with database security in our webby world. You may be saying to yourself... there she goes again! And I say... well Yeah! There I go again. And I will keep going because people need to be constantly reminded about just how insecure the web can be.

Periodically we get proposals by different people for different reasons to create large comprehensive databases. These same databases that will put all the info we could need at our finger tips, make life safer, easier, and worry free - have a huge drawback, how do you keep the information secure? The short answer is - you can consistently try, but there is no guarantee of security.

From the above quote, you can see that this database had been unsecured for at least 2 years - and has likely been insecure since its inception. Back in the day... (after all LexisNexis has been around for a while) security was not an ongoing concern in regard to databases. Most db administrators thought it was quite silly to expend time and effort on security measures. After all who would break into their computer? Other than defacing a web site, there was no money in it (little did they know) and therefore the extra hassle was completely unwarranted.

And let's face it - computer security is a HUGE hassle. Here's a small sample of what an admin faces if they want to secure their systems.

- making passwords hard to crack (remember it's a computer doing the cracking NOT someone sitting and trying to guess the password at another computer!) Setting it up so passwords must be changed - then dealing with the fallout when legitimate people can't get in their systems.

- scanning your system for holes. Sounds easy right - there's lovely software that can do it for you... of course it can also crash your systems while it's doing it, slow everything to a crawl and maybe even disable some systems totally... but hey - no problem you can do it during the off hours (just give up your nights and weekends)

- Install intrusion detection software - network based and host based (on each of your important servers). Then spend the next several months tuning it to get rid of false alarms. Also look at the huge amounts of data gathered to see if you can find any problems - this can be up to gigabytes of info daily.

- Install firewalls - this is one that most places do without too much grousing. But the firewalls themselves produce log files that should be checked at least daily. There are alarms that either need to be discarded or acted on. Mostly people will install a firewall and think nothing more about it.

- Install antivirus software and keep it up to date. Many companies do this too... and they hope that the updates of software will be in time to prevent the next virus or trojan from bringing down their system. (AV software is reactive not proactive - so there is always a time lag between a new outbreak of something and a signature being available)

- Scanning your system for illegal entry points - Wifi set up by someone who really wants to be able to go wireless (cause you know it's soooo much easier if I don't have to be plugged in). Unfortunately - wifi is very insecure even with all the security features turned on... and when people set up rogue access points - they generally go with an out of the box approach - plug it in and go. This means that anyone with a wireless card can now connect up behind your firewall with access to your system. (and they can do it from a car either in the parking lot or even blocks away with proper antennas installed)

- don't forget checking for old fashioned modem cards. People will install those - leaving the door open for "war-dialers" to get into the system. This means you have to run war-dialer software yourself to check out your phone number range. Yet another little thing that should be done on nights or weekends. (who needs a day off anyway?)

- and let us not forget those lovely patches that are released on a weekly or monthly schedule by most companies producing operating systems (it's not just Microsoft). Unlike most home users though... companies have to make sure that if they install a patch, it's not going to break something else they have up and going that is crucial to company survival. So, test systems have to be set up and the patches checked and then rolled out to the company computers when it's determined they won't do any real harm.

- and then there is staff training... don't give out passwords, don't leave them written by the computer, don't give out info to people who tell you they are there to fix your system, don't put in wireless access points....DON'T DON'T DON'T --- and then hope against hope that they actually listened!

Now everything you've just read - is a portion (a small portion) of the work that should be done to secure systems. As you can see, this is a full time job in small to medium sized companies and may even require an entire staff to get it done right. In many companies - this job is dumped into the Sys. Admin's lap - with a comment of "here - take care of this in your spare time would ya"... It's almost laughable.

Even with every precaution taken and a good security staff - there are so many holes in operating systems, that a breach will occur at some point. Rather like, even with all the precautions taken, banks are still robbed.

Since I place little confidence in most security precautions - with good reason it seems - anytime someone wants to start up a large database I cringe because it will be a disaster of monumental proportions and it will be intentional... sadly far too many people consider me to be a total paranoiac... until their information is stolen.

Hat Tip : Ron Coleman via Instapundit.

Posted by: Teresa in WebTech at 07:01 AM

April 12, 2005

Patchy Patchy!

Okay you Microsoft users... a whole bunch of new patches came out today. So, head on over and get your systems shaped up! There are 18 patches in all - some are for critical vulnerabilities in the system - especially with IE (yeah - I know you're all just shocked to your little toes over that one). Then, if you run Office, go to the Office update page and get those patches too!!! Don't forget - get on it by this weekend at the latest.

Thank you for listening to this public service announcement.

Posted by: Teresa in WebTech at 05:07 PM
