Frederick Giasson’s Weblog

This week many interesting articles about security have been published by Microsoft. I just write this little post to let you know about them. The most important publishing was the MSDN magazine issue of November 2004. All articles are about computer security. Articles cover a wide range of subject from cryptography to .NET technology. After this, there was another really interesting article called The Security Risk Management Guide. It was written to help Microsoft?s client to type, build and maintain a security risk management program.

Always on the computer security subject but on another topic: passwords and pass phrases. There are 2 articles written by Jesper M. Johansson: Part 1 and Part 2, and another to come soon.

Finally there is the Security Application section of the .NET framework on MSDS that is always a good reading.

This is all I have to say on this today. Then good reading on Microsoft!

I was wandering around Google Desktop for another day. I was questioning myself of pros and cons of the usage of this product. The fan of my laptop is crying to death. Indexing finish after 3000 hits. If I reinstall the thing it stops after 10000 hits. It seems to have a problem of indexing; normal it’s a beta version.

I came along a new thing that I didn’t saw before. It’s in relation with the AIM. I’m not normally using it, I prefer MSN Messenger. Everybody knows that Google Desktop index all messages from AIM. It’s not really news in itself. The thing that most people don’t know is that if you turn off the logging property of your AIM it seems that Google Desktop index your messages anyway. Is anyone can confirm me this? It seems that there is no solution to the problem and that the only way to get rid of this bug is to uninstall Google Desktop.

There are some excerpts that I took on the webpage of the Google Desktop that seems to confirm this observation:

“…An AIM chat window for that person opens. If you’re not signed on to AIM, Google Desktop Search will try to sign you on…”

“…When you look at a web page, read an email, open or edit a file, or have an AIM chat, Google Desktop Search does two things. It indexes that item’s content so it can find the item later. It also copies the item’s content into its cache, so that you’ll be able to find and see long-finished chats and older versions of files and web pages…”

This is a problem because you don’t have any power on this. If you use Google Desktop you bypass the ability of AIM to don’t log conversations.

So, if they are doing this for AIM, they’ll probably also does it for MSN Messenger and further products that they will support.

There is a last question pending in my mind: Why are they doing this? Is this for future plans or only because they didn’t see this like this?

Today a great tool has been release by Google: The Google Desktop.

Now think about it. Someone do a program (legitimate or not). This program gets an access to the search index of the Google Desktop. He builds a distributed network with theses indexes. This distributed network can be browsed like the Kazaa network or any other distributed network. Think about the implication of such a network. Think about the information that you can search for. The perspective is awesome but also fearful. It’s probably an overview of the future world, fully networked and searchable.

Okay, comeback on earth. One problem is that it centralizes de information and made search really easy and fast. Problems can arise if anybody can have a physical access to your computer station. Then, your coworkers, boss or any other person can really easily search for a specific thing on your desktop. Have in mind that they need a physical access. It’s why doing a WindowsKey-L to lock your computer when you are not at your desktop station is a good security/privacy habit to have. As long as your computer is secure, you’ll not have any problem with the software.

One good point for your privacy is that you can choose what you want to include in the index. Go to your preference page and read the help to know how. Another one is that when he cache files he get a reference on it and don’t duplicate the information so if you delete the file he is no longer in the index file. It’s sure that there is possibly some information in the index but I doubt that this can cause problems. Finally you can manually remove individual items of the index when you perform search on it. Take in mind that Google add the information of the search result of google.com and the search result of your desktop when the browser gets the information back from Google. This said, Google never know what the search result was for your desktop, and then your privacy is safe.

I’ll do the same advice as the one I provided with the A9 post, be aware of what you are using on your computer. By the why I’m already converted to the Google Desktop and I’ll use it for sure (for the moment a less).

First, I want to excuse me for the lack of posts in the last 4 days, I had other things to do and had a shortage of time. So, the article that I’ll comment is 5 days old but I want to comment it anyway.

There is an article that I need to comment on. The problem with it is that he doesn’t focus on his subject, go everywhere and try to cover a wide question in a little article. The title is “Know your enemy” — cliché. He writes on 3 main subjects: Companies resources (new network technologies), third world hackers (money as motivation) and others obscure ones (custom software and social engineering). There is what he said about the second subject and I want to comment on:

Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US
are more motivated by money than by pride when they start trespassing
on US companies - as opposed to US hackers, who are motivated more by
pride than money. (There are many other ways that you can make money
in the US.)
Also, money is a stronger motivator than pride. That’s why people
motivated by money are more dangerous. Hackers are businesspeople [if
they are motivated by money]. In most cases, they are probably just
having difficulties in their countries finding and exploring
opportunities to work.
If a company that is hacked into can explore with a hacker his or her
talents in a more peaceful way, the victim can only benefit. If these
hackers are businesspeople, they can be redirected by being offered a
better deal than the one they might get by creating pressure through
hacking.
I deeply believe in this point. It is hard, however, to generalise too
much because every case involves different kinds of people and
different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This
might be similar to what some countries have done with their nuclear
scientists - Russia, for example, keeps them under close supervision
and treats them well, but above all keeps them busy professionally.

The problem is that he make too emphasis on the typical hacker of Hollywood. Really, he is not a threat. The real threats are the criminal groups. They begin to see benefits with cyber crimes and they exploit it. They exploit the internationalisation of the Internet and the lack of law applicability of many countries. This is the real problem. It’s true that the motivator is the money in this case too, but good luck to employ them after. I think that he talk about a minority of cases, and by doing so, he’ll not get rid of the real problem, the real danger, the criminal groups implication in the cyberspace.

It’s my 2 penny to the discussion.

[In addition to the post: 12 October 2004]
—————————————————
I just read Bruce Schneier’s October blog posts. He talks about this subject the 4 October with Bill Brenner from SearchSecurity.com. It’s interesting to see that I’m not alone to share this view. I know that many other people do too. There is the excerpt from his post:

“What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.”
———————————————–