Archive for the 'Security' Category

Secure your Credit Card Information

So, AT&T have suffered a major breach. Several things come to mind:

  1. Stress on the Card Issuers
  2. Stress on the acquiring services
  3. End user personal loss (in time at least)
  4. Security implications globally

BBC NEWS | Technology | Hackers steal AT&T customer data

The last point above is the really important one, and it is somewhat dependent on the other three. The problem is panic, the problem is desire, the problem is lack of understanding, the problem is culture. What is going to ensue from this is a significant wave of activity in the region, putting stress on all infrastructure and ‘best practices’. During such times the confusion could be abused, in much the same way a hack attempt can be hidden inside a flood; something which may well be considered more seriously now that the data is marked.

Visa Mastercard

Banking and acquiring companies really need to set up a PKI payment system globally, such that companies which require the holding of credit card information can store it in an encrypted (not just obfuscated) form, with the keys working only for the companies and individuals involved. - Poor description, but those of you versed in PKI and/or password handling over ‘plain’ links will probably have an idea of what I’m talking about. The modern ATM standards call for your PIN to be encrypted as it leaves the keys on the keypad, so why should your credit card details not be handled in a similarly protective way by businesses?

The point is, the banks and acquiring services should be solving this problem BY DESIGN, as it’s not just AT&T. They are big enough to notice and react promptly; furthermore they are large enough to be practically capable of reparations. Many, many other similar scenarios go unnoticed on a daily basis in smaller environments. If all a hacker could gain access to was an encrypted version of your credit card details which may only be used for payments from the AT&T servers, then this kind of situation would render no losses.
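As an added illustration of the “usable only from the right servers” idea (example code, not from the post or from any real payment scheme): the merchant encrypts the card number to the acquirer’s public key and binds the record to its own merchant ID through the OAEP label, so a copied database yields only ciphertext that the acquirer will refuse to process for anyone else. The merchant IDs, the test card number and RSA-OAEP as the mechanism are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredCard is the only thing the merchant keeps: ciphertext, never the PAN.
type StoredCard struct {
	MerchantID string
	Ciphertext []byte
}

// NewAcquirerKey makes the acquirer's keypair; only the public half goes to merchants.
func NewAcquirerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// VaultCard runs on the merchant side. The card number is encrypted to the acquirer's
// public key with the merchant ID as the OAEP label, so the record is bound to this
// merchant, and the merchant holds no key that could decrypt it.
func VaultCard(acquirerPub *rsa.PublicKey, merchantID, pan string) (StoredCard, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, acquirerPub, []byte(pan), []byte(merchantID))
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{MerchantID: merchantID, Ciphertext: ct}, nil
}

// ChargeCard runs on the acquirer side. The label comes from the merchant's authenticated
// session, not from the submitted record, so a record stolen from one merchant cannot be
// replayed through another: the OAEP check fails and the charge is refused.
func ChargeCard(acquirerPriv *rsa.PrivateKey, authenticatedMerchant string, rec StoredCard) (string, error) {
	pan, err := rsa.DecryptOAEP(sha256.New(), nil, acquirerPriv, rec.Ciphertext, []byte(authenticatedMerchant))
	if err != nil {
		return "", fmt.Errorf("charge refused: %w", err)
	}
	return string(pan), nil
}

func main() {
	key, _ := NewAcquirerKey()
	// Constructed sample values: a merchant ID and a well-known test card number.
	rec, _ := VaultCard(&key.PublicKey, "merchant-A", "4111111111111111")
	_, ownErr := ChargeCard(key, "merchant-A", rec)
	_, stolenErr := ChargeCard(key, "merchant-B", rec) // same record replayed elsewhere
	fmt.Println("own merchant:", ownErr, "| other merchant:", stolenErr)
}
```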

AT&T
Yes, we’ve skipped around the issue of AT&T security quite conveniently, however this really is not the point. Anyone with experience will tell you what may have helped, or which different software choices may have changed the outcome. It is possible, however, that the exploit vector was newly designed instead of being some known issue - if this is the case, then the only defence is ‘perfect’ software, an ideal which at present is highly unlikely to be reached (although some seem to think they’ve done it: http://cr.yp.to).

This takes me back a little way to the recent issue over here in the UK with our script kiddie whom the US want to jail for life. One does have to wonder how much of the ‘research’ he talks about was actually delving deep into military grade honeypots full of classically controversial and misleading information, aimed at keeping the hackers coming. I mean, if someone’s going to get in through a mighty battle, then you want them trying as soon as possible, while and where you are watching. I have long suspected that what happened with our script kiddie friend was that he finally hit some real infrastructure in one of the “thousands” of computers he was connected to. It is also interesting to note that he found some ‘gems’ of secret information in the particular computers he chose to look at out of so very many, and he was not alone, by his own admission. I still find it amusing to hear his certainty in pushing out the information he saw and read. I find it quite upsetting in his case that his suggestions for ‘securing’ systems against the type of attack he used are so brutal to many business infrastructures, and that without thinking he made the suggestion in a non-technical interview. This caused a large number of corporate executives, among many other people, to want core infrastructure services disabled, and wasted quite a few hours of exec and IT staff time through careless and commonly confusing statements. Furthermore he didn’t even mention the suggestion of simply turning on a firewall, which is significantly more important, as Remote Registry is not the only important thing to keep closed; as I would imagine AT&T will gladly inform you right now.

Fix your security by design people, please for the love of humanity, or at least (shudder) money.

Some Links…

Need to clean up my desktop, so dumping a bunch of links here, some of which I wanted to talk about, but it’s a waste of time at present, so here’s a ‘dump’ instead.

http://news.bbc.co.uk/1/hi/sci/tech/4797521.stm - This is a pathetic state of the world. These ‘Holy Wars’ are doing direct damage to the world. Now, you can interpret these religions however you like, and this may lead you to an interpretation of lack of respect for the lives of ‘Heathens’ and so on. None of these religions as far as I know condone the irresponsible destruction of the environment. This is simply fuel for my belief that these ‘Religious Wars’ or ‘Retribution Wars’ are being driven by unclear thought, with certainly no genuine consideration for the surrounding environment, human, natural or otherwise, at any level of granularity. To ‘not care due to the height of emotion from historical events’ is simply hypocritical given the outstandingly commonly stated paradigms against the rest of the world. Not to say the rest of the world is any better, but this point still stands.

http://digg.com/offbeat_news/eBay_Kid_Auctions_Off_2_of_His_Income_for_the_Rest_of_His_Working_Life - Whilst this guy had put up an appallingly presented auction for himself, it got me thinking that the idea is not a bad one in general principle (I think his price points were a bit wrong too); mind you, that’s why so many large corporations offer sponsorship, whereby they actually stand a good chance of making the money back from their investment. One good point with regard to this kid is that he shouldn’t really be searching for investors on eBay; a truly driven individual should know where to look, successful results being another ballpark entirely.

http://www.csharp-architect.com/csa06082006.aspx - Why I’m not even going to bother considering obfuscation in my current developments; this was written by a good guy I’ve spoken to recently. The point is as it has always been: if content is to be delivered to the processing unit in plain form at some time, then it must be possible to make it plain using libraries that already exist. One can take the approach of doing something like “Assembly.GetCallingAssembly()” and/or “Assembly.GetExecutingAssembly()” to aid in security, but all these things are slow and unreliable; furthermore the approach taken in that entry is to look at the decompiled IL. Working from the decompilation, one could simply strip out such calls. Attempts to obfuscate the calls through invokers could also be made, but fundamentally you will end up in a fight between optimisation and obfuscation. There are several more important approaches to prevent actual ‘casual’ usage of your libraries:

  • protect your bindings.
  • scope your variables and functions properly, use internal where appropriate instead of public.
  • package important code in ‘optimised’ executables, as these are not as easy to read.
  • do not publish debugging information with your assemblies.

http://www.codeproject.com/csharp/tracetool.asp?df=100&forumid=28124&exp=0&select=1589506 - Useful trace tool. Not good enough for a logged and stateful invoker based command prompt, but it will do. On a side note I still haven’t had time to create any nice binding logic for my invoker prompt. If anyone’s interested in helping create a top notch ‘live’ debugging environment for C# please give me a shout and I’ll help you get started on the design front and point you at some code and a few APIs to learn.

http://technobabylon.typepad.com/tb/2006/08/who_runs_micros.html - Interesting article, I think by the head of eEye although I’m uncertain. The point that’s interesting is the focus on Microsoft’s efforts to really make up ground in security, and the fact that they are now generally seen to be acting very sensibly. Hopefully this kind of understanding is going to slowly spread to the harassing common-news reporters who get it all wrong simply because they don’t speak to the right people or understand. A perfect example is the reports pertaining to ‘3rd party fixes’ when Microsoft delays a critical patch. The point is, people who do not understand this clearly don’t understand software engineering principles. Sure, there are many ‘Just do it’ IT projects which are very successful, but I’d like to point out the obvious but commonly missed fact: Windows is a VERY complex codebase with a significant number of race conditions, the maintenance of which I wouldn’t wish on any programmer, although I understand it’s getting a lot better nowadays with many refactors, and now it’s at version 5 it’s starting to resemble a real mature product. (Please don’t mistake this for a gripe; writing good software from version 1 can be difficult for even simple products, and Windows is not a simple product.)

Orion in miniature
http://www.esa.int/esa-mmg/mmg.pl?topic=&subtopic=&subm1=GO&keyword=nebula - Lamper pointed me at the ESA Gallery; some lovely photos on here, as well as some artists’ impressions.

http://www.youtube.com/watch?v=gwZD59Ic9T8 - I’m not sure which university this is from, or even if it was at a university, but this is quite an interesting experiment involving extending animals’ senses using mechanical devices. The point of the study is that small neural networks (brains) don’t really know the difference; they think about the world in too abstract a way to know that they are not interacting with it directly.

http://www.breaksblog.biz/ - Lamper pointed me here too, a good site for tracking new DnB mixes and news.

http://www.beautifulagony.com/ - From the cesspit of b3ta I think, although it may also have come from DSI; either way, this was pretty random. It’s almost porn, but without the imagery: for the mind, or imagination, or I don’t know, empathy? That’s it, empathic porn. Lol. To be honest, it’s just amusing.

http://techdirt.com/articles/20060625/2222255.shtml - Christ I’m glad I’m not involved with any projects like this anymore, and certainly not on that scale, although some have been not far off, scary scary world.

http://video.google.com/videoplay?docid=5914999402901911766&q=genre%3Acomedy - So this guy can fly a chopper, although I wouldn’t sit in one as he does. Some very impressive RC chopper skills.

A quick quote as I don’t have an appropriate other place for it yet:

14:08 raggi: DB2: bind into the object to see its private members
14:08 * raggi feels dirty

I was on IRC asking for some help looking for a couple of bits in the .NET API which I knew must exist but are named so differently from their counterparts in many other languages. A conversation sprang up about binding into objects using the Reflection framework, and that sentence just popped out.

Desktop clean again.

Peace.

Spamming Wordpress

I’m being spammed again, so once again I’ve disabled comments on this blog.

Fair enough, I’m running an archaic version of WordPress, but it has to be said, this kind of spam is not really very directed. The commonality and consistency of the content produced by these spamming applications is far from advanced or clever, and to be honest it is this side of the situation I find most upsetting. I know I could write some awesome blog spamming software, if I were so inclined, however I think my involvement in marketing is ALREADY too strong, and I certainly don’t want to increase it, especially in unsolicited form.

Anyway, as above, comments are disabled for now, pending a WordPress upgrade; as always I’ll probably be neglecting the site anyway. Expect a change of address soon too (although don’t worry, I’ll add redirects for the relevant articles (the ones that people actually read)).

Botnets for Hire?

This article has raised some recent interest and is worth some consideration:

eweek.com news article

First True Mobile Virus in the Wild

The era that many professionals have been waiting to see start is here. We are now coming toward the end of the spyware/malware half-decade, although it will take at least the next half to finish up. Now we move into the next stage in malware evolution: it is coming to those well connected pocket devices - mobile phones.
