General: April 2005 Archives
Does Apple have trademark attorneys or do they just ignore what they say?
The company seems to have a long history of selecting names without regard to other rights holders. Apple has had problems with the Beatles for the name Apple itself.
Ars Technica recounts a list of other questionable product names.
Bundled remote control software named Rendezvous even though there was already software existing with that name that did the same thing.
OS release named OS-9 even though there was already an Operating System by that name.
Now their new version of the OS is named Tiger, which isn't making Tiger Direct very happy.
General security advice would tell you to stop your credit card company from sending you those darn convenience checks. Besides the incredibly high use fee they seem to always have, there is a real threat that someone will steal them.
As seen on the infosec news blog, Hints from Heloise today reports that it is easier said than done.
"I wish you "good luck" in trying to get your credit-card company to stop sending those pesky checks. I called and wrote trying to get them stopped because of my concerns about identity theft. The checks just kept coming. I finally requested that my account be closed and told the company that the reason for this was the checks. In return, I received several letters urging me to keep the account open. Finally, I got a letter that said my account had been closed, regrettably.
One month later, I received a letter telling me that even though the account was closed, the company would keep it on its "inactive list." To reopen the account, I only needed to use my card again or use one of the enclosed checks! It seems to be a battle that cannot be won."
Not too long ago a colleague was arguing that Internet Explorer was like Vioxx. Vioxx had recently been recalled for known side-effects. Why take something with known side-effects when aspirin is available?
I wonder if the analogy isn't the reverse here. It is commonly believed that if introduced today Aspirin would never make it to market. Too many side effects. There have even been deaths from Aspirin. Whereas until recent years, Vioxx was seen as a great thing.
I don't know. The mind kind of wanders as you read about critical Firefox security vulnerabilities.
SARC Website back to normal... but for how long?
http://myitforum.techtarget.com/blog/cmosby/archive/2005/04/24/5440.aspx
This one is making the rounds.
A Berkeley professor had his laptop stolen. In an attempt to get it back he warns the class that he had important papers on the laptop and if it isn't returned soon the FBI, CIA, NSA, DoD, GRU, NASA and the space aliens will all be working hard to get the thief. lol
I learned this morning from Chris Mosby's blog that Symantec had performed a site redesign. This was news to me because everything was normal last night at 1am.
Normally I'd say hopefully this is a sign Symantec is migrating from Lotus Notes and we won't have to deal with slow site updates (replication) and incredibly long URLs anymore. Unfortunately what has replaced it is worse.
Normally my entrance page to Symantec's antivirus information is www.symantec.com/avcenter. This now redirects me out to the main page.
Virus page URLs used to be somewhat predictable. This made it possible to find a writeup before it was posted to the main page and before it was searchable. Now virus links look like http://www.symantec.com/enterprise/security_response/risks/advisories/virus.jsp?id=32736. You can't tell at a glance what that link is for. Once you are at the writeup page, instead of having everything you need on one page, there are now four links: Overview, Removal, Technical Details and Recommendations. I'm so glad that Symantec already sends me these writeups through the DeepSight Subscription service. I'd hate to have to load 4 pages when one would do.
I'm getting 404s from the site, so hopefully they are still in the process of working out the kinks.
Feedback related to the Symantec website can be posted here.
I mentioned a few posts back that I was going to a local SANS conference.
We're two-thirds of the way through the SANS - CISSP + S conference and it's been a great experience. Because it is a prep course, by nature it avoids two of my main annoyances in training. No one is signed up for the class who doesn't have a clue. (ISC)^2 has experience requirements associated with the CISSP so there is a lower threshold on the type of people who will be in the course.
Also because the course is about prepping for a test, there isn't a lot of debate and side issues. People recognize that there is the (ISC)^2 world and then everything else.
It's a long day with a lot of tough material, but thus far it's been very enjoyable. We return for the final two days next Thursday and Friday.
Tomorrow I'm heading off to a SANS conference in Herndon VA. I'm taking a CISSP course from Eric Cole. It's not really the best time for this. SANS conferences are kind of like drinking from the firehose of knowledge. Actually it will be interesting to see if that is still my opinion. My last SANS conference was three years ago. Typically I find that sources I once found informative become tired and pathetic when I return to them with more knowledge and experience. I can't go to techrepublic.com or labmice anymore for that reason. Hopefully I'll still find SANS to be an incredible conference.
School is coming up on the end of the semester. I am already kind of stressed out. I've got a ton of things to do for crypto and databases. I don't need to be doing something so mentally rigorous during the day as well.
Now to top it off, I find that this program has "extended hours." I can't be at this conference from 8am to 9pm. I've got stuff to do for school. I'm not sure if it's a saving grace, or the last straw, but the conference is 6 days spread across three weeks. So it's Thurs/Fri this week, Tues/Weds next week, and something else the week after that. At least it doesn't ruin an entire week's worth of studying. Just a couple days.
I'm also stressing because I'm cutting out at 3pm tomorrow. I'm going to miss some training because I'm heading down to opening day with dad and my brothers. Opening day for the Nationals return to town is once in a lifetime. But it still bothers me to miss part of the training for it.
Here is the conference link for those interested: http://www.sans.org/cissp_dulles05
An article by David Joachim over at securitypipeline (3/24/2005) highlights the ten worst security practices. A good article. We do learn by laughing at other people's mistakes. :)
His first item left me thinking. His first "worst security practice" is "if you find a security hole, buy a product to fix it". He argues that we feel secure in our security products. We've seen this attitude from some. If we upgrade to Windows XP we will be secure. If we load this month's patches we will be secure. If we buy a desktop firewall, then we will be secure. If we buy anti-spyware software then we will be secure. The bean counter wants to see tangible results from the large expense of new security software. He/She doesn't want to instead get the next bill for the next solution.
The main problem is the mistaken assumption that security is something that is purchased rather than something that is done.
The secondary problem is if the software is purchased but not implemented or implemented but not maintained. This can happen with security products that bug the users too much like a personal firewall or it can happen with overly complex things like a NIDS.
My spidey sense kind of perked up at this. Is the author trying to say security products are bad? Should I not be wanting to buy IM antivirus to address the problem of IM security? Yes, we all know that every dollar spent on user education is worth 10 spent on security products. But we've got these holes that I want to block!
Where I've gotten in my thinking is that the author is correct. Tools are not an end in themselves. Tools are something to solve a problem. They should not get in the way of the security big picture. This doesn't mean we don't need the tools I'm looking at. It means that we as techs are pretty gadget oriented already. We shouldn't let these new tools be our new toys that distract us from the goal of security.