Category Archives: Blog

Another Microsoft Defection

Peter Wright, best known for writing popular Visual Basic books, has defected from Microsoft, in another high-profile switch of well-known authors abandoning ship [or at least, moving to greener pastures].

Goodbye Microsoft; Pete has now left the building!

I ate, slept and breathed Windows code. I learned VB inside out. I read numerous editions of Petzold’s book cover to cover and learned how to do what I could with VB first in C, then in C++ with MFC. Technology was advancing at a stunning pace and I was right there in the middle of it. Those were giddy days.

Somewhere along the way though, things changed. I don’t know exactly when or how, but the world I loved got torn to shreds, set fire to, then mooshed into a pile of horse manure.

I found myself surrounded by power hungry muppets, the odd idiot, a few downright liars…

Everywhere I went looking for passion, talent and excitement I found myself surrounded only by politics that would make a Roman Senator shrivel in fear, and programmers whose only goal in life was to make it from paycheck to paycheck.

Mr. Wright now uses a Macintosh, has an Ubuntu Linux install on another system, writes Ruby on Rails code, and uses Python and Perl.

Will Charles Petzold soon follow? Mr. Petzold is the author of “Programming Windows”, the bible of Windows programming.

AOL’s Search History Database

An “anonymized” dataset [439 MB compressed, 2 GB expanded] of 20 million web queries collected from 650,000 AOL users was publicly released a few weeks ago by AOL in a goodwill gesture towards the research community… Shortly after, damage control set in and the data was removed.

The great mistake here, made by AOL, was to associate each query with a corresponding ‘random user id’; hence grouping together all queries performed by a particular user.

While the ‘random user id’ might not provide a link to the actual AOL user, the search queries themselves do… Have you ever searched for your name, address, phone number, social security number, package tracking number, friends, family, or place of work? Any one particular search query, or a given combination, can reveal your identity — and much, much worse: link you with your entire search history.
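The linkage problem described above, as an added example that is not part of the original post and uses no real AOL records: the dataset is modelled as (pseudonymous id, query) pairs, all of them constructed here. One query that is itself a known name (matched against a constructed "outside knowledge" directory) lets an analyst attribute every other query that shares the same id; publishing each query under its own fresh id removes the grouping, so the same match exposes only the identifying query. The ids, names and queries are invented, and the name directory stands in for whatever external data an analyst might correlate against.

```python
from collections import defaultdict
from itertools import count

# Constructed sample in the shape of the released data: (pseudonymous user id, query).
# No real AOL records are used; every id and query below is invented for this example.
SAMPLE_RECORDS = [
    ("u-1001", "jane example-smith"),            # a name search that identifies the user
    ("u-1001", "dentist near exampletown"),
    ("u-1001", "how to treat insomnia"),
    ("u-1002", "weather boston"),
    ("u-2002", "banana bread recipe"),
    ("u-1003", "package tracking 1Z0000EXAMPLE"),
    ("u-1003", "divorce lawyer exampletown"),
    ("u-1003", "bob example"),                   # another identifying query
]

# Constructed "outside knowledge" (e.g. a public directory) an analyst could match
# against: lower-cased full names mapped to the person they belong to.
KNOWN_NAMES = {
    "jane example-smith": "Jane Example-Smith",
    "bob example": "Bob Example",
}


def group_by_user(records):
    """Group queries under the pseudonymous id, which is what the released format allows."""
    groups = defaultdict(list)
    for user_id, query in records:
        groups[user_id].append(query)
    return dict(groups)


def identifying_queries(records, known_names=KNOWN_NAMES):
    """Return {user_id: person} for every record whose query is itself a known name."""
    hits = {}
    for user_id, query in records:
        person = known_names.get(query.strip().lower())
        if person:
            hits[user_id] = person
    return hits


def linked_histories(records, known_names=KNOWN_NAMES):
    """The re-identification risk: one identifying query drags in the whole history."""
    groups = group_by_user(records)
    return {
        person: groups[user_id]
        for user_id, person in identifying_queries(records, known_names).items()
    }


def collateral_exposure(records, known_names=KNOWN_NAMES):
    """Count the non-identifying queries that become attributable only via the shared id."""
    total = 0
    for queries in linked_histories(records, known_names).values():
        total += sum(1 for q in queries if q.strip().lower() not in known_names)
    return total


def unlink(records):
    """Mitigation: publish each query under its own fresh id so nothing can be grouped."""
    fresh = count(1)
    return [(f"q-{next(fresh)}", query) for _, query in records]


if __name__ == "__main__":
    print("linked via shared id:", linked_histories(SAMPLE_RECORDS))
    print("collateral queries exposed:", collateral_exposure(SAMPLE_RECORDS))
    print("after unlinking:", collateral_exposure(unlink(SAMPLE_RECORDS)))
```

Per-query ids stop the "given combination" problem, since no two queries can be joined, but an identifying query still reveals on its own that the named person was searched for, so a release would additionally need to drop or review queries that carry such values.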

The sad fact is that everything you search for, every site you visit, and just about everything you do on the Internet is logged, processed, cross-referenced, and stored in a number of databases. This data can either be connected to you through your ISP’s records (directly, by name or user id), or can be cross-referenced with other data to get at your identity.

Companies want to know as much as possible about you, all in order to sell you products and services. Governments want to grab as much power as possible. And ISPs, search engines, and other players are more than happy to gather, use, and sell that personal/private information to anyone who will pay, via cash or credit [also known as favorable government contracts -- think AT&T and the NSA].

Here is a link to the mirrored AOL data…
http://www.gregsadetsky.com/aol-data/

AOL’s response…

All -

This was a screw up, and we’re angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant.

Although there was no personally-identifiable data linked to these accounts, we’re absolutely not defending this. It was a mistake, and we apologize. We’ve launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again.

Here was what was mistakenly released:

* Search data for roughly 658,000 anonymized users over a three month period from March to May.

* There was no personally identifiable data provided by AOL with those records, but search queries themselves can sometimes include such information.

* According to comScore Media Metrix, the AOL search network had 42.7 million unique visitors in May, so the total data set covered roughly 1.5% of May search users.

* Roughly 20 million search records over that period, so the data included roughly 1/3 of one percent of the total searches conducted through the AOL network over that period.

* The searches included as part of this data only included U.S. searches conducted within the AOL client software.

We apologize again for the release.

Andrew Weinstein
AOL Spokesman

Some other interesting data…

In other news…

  • AOL shuts down The AOL Research group [consisting of only one or two people].
  • The Electronic Frontier Foundation (EFF) asks the Federal Trade Commission (FTC) to investigate AOL and require changes in its privacy practices.
  • Some have disputed the usefulness of the EFF in the past, claiming a losing track record that does nothing but set harmful legal precedents — EFF’s victories and Arstechnica on the issue.

Entrepreneurship

Interesting words from some of the people behind current and past successful net-based startups…

“The Churchill Club’s annual look at what it takes to build a successful startup. This panel of five Silicon Valley entrepreneurs discuss all the challenges and critical success factors necessary to reach the promised land.”

Churchill Club

This Week In Startups

Y Combinator

Pando Daily

The Anti-Virus Industry

Recently, Consumer Reports decided to put the various anti-virus software products to the test…

Using outside technical resources at ISE (Independent Security Evaluators), six categories of known viruses were used to provide the base from which 5,500 new variants were created.

The testing methodology had the goal of reflecting real-world conditions: not by testing against known viruses with already known and released signatures, but rather by testing how well that anti-virus software could detect suspicious behavior of executing code [also known as heuristic virus checking].

Both methods of detecting and preventing viruses have their shortcomings…

  • The process of updating virus signatures can take a few days, and does depend on some end-users getting infected. Testing against this method does nothing but provide the average signature update time — which tends to be about the same for all the anti-virus companies.
  • Heuristic detection methods tend to be somewhat generic in nature and do return a number of false positives (e.g., Word and Excel files that contain macros). To balance the results, Consumer Reports also tested this detection method by scanning more than 100,000 clean files.
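The trade-off in the two bullets above, as an added example that is not from the original post or from any anti-virus vendor: a signature detector (exact SHA-256 of the known base samples) and a generic heuristic detector (byte patterns standing in for "suspicious behaviour" rules) are scored on a constructed corpus of variants and a constructed corpus of clean files, the way the Consumer Reports methodology is described. All samples are harmless toy byte strings invented here, the "variants" are the base strings with bytes padded or changed, and the two heuristic rules are assumptions chosen to show the macro false positive the text mentions.

```python
import hashlib

# Constructed corpora. The "malicious" samples are inert toy byte strings standing in for
# the base viruses and their variants; nothing here is executable code of any kind.
BASE_SAMPLES = {
    "familyA": b"HDR\x00 MAGIC-A payload=DROP_TEMP;RUN_TEMP",
    "familyB": b"HDR\x00 MAGIC-B payload=WRITE_AUTORUN;RUN_TEMP",
}

# Variants: same "behaviour" markers, bytes padded or altered, so an exact-hash signature
# built from the base samples no longer matches.
VARIANTS = [
    b"HDR\x00 MAGIC-A payload=DROP_TEMP;RUN_TEMP  ",
    b"HDR\x01 MAGIC-A payload=DROP_TEMP;RUN_TEMP",
    b"HDR\x00 MAGIC-B payload=WRITE_AUTORUN;RUN_TEMP;JUNK",
]

# Clean files, two of which are ordinary Office documents that carry a macro project.
CLEAN_FILES = [
    b"PK\x03\x04 word/document.xml quarterly report",
    b"PK\x03\x04 word/vbaProject.bin Sub AutoOpen()",       # clean Word doc with a macro
    b"%PDF-1.4 quarterly report",
    b"PK\x03\x04 xl/vbaProject.bin Sub Workbook_Open()",    # clean Excel doc with a macro
]

# Assumed generic heuristic rules: "runs something it dropped" and "document has a macro".
HEURISTIC_RULES = [b"RUN_TEMP", b"vbaProject.bin"]


def build_signatures(samples):
    """Signature database: exact SHA-256 digests of the known base samples."""
    return {hashlib.sha256(data).hexdigest() for data in samples.values()}


def signature_detector(signatures):
    """Flag a file only if its digest is already in the signature database."""
    return lambda data: hashlib.sha256(data).hexdigest() in signatures


def heuristic_detector(rules):
    """Flag a file if any generic rule matches, regardless of whether it was seen before."""
    return lambda data: any(rule in data for rule in rules)


def evaluate(detect, malicious, clean):
    """Score a detector: fraction of malicious samples caught, fraction of clean files flagged."""
    true_positives = sum(1 for data in malicious if detect(data))
    false_positives = sum(1 for data in clean if detect(data))
    return {
        "detection_rate": true_positives / len(malicious),
        "false_positive_rate": false_positives / len(clean),
    }


def compare_detectors():
    """Run both detectors on the variant corpus and the clean corpus."""
    sig = signature_detector(build_signatures(BASE_SAMPLES))
    heur = heuristic_detector(HEURISTIC_RULES)
    return {
        "signature": evaluate(sig, VARIANTS, CLEAN_FILES),
        "heuristic": evaluate(heur, VARIANTS, CLEAN_FILES),
    }


if __name__ == "__main__":
    for name, scores in compare_detectors().items():
        print(name, scores)
```

Scoring against known samples would give the signature detector full marks, which is why the test only counts variants: the signature detector misses every variant but flags nothing clean, while the heuristic catches every variant and flags half the clean corpus (both macro documents), which is exactly the balance the clean-file scan is there to measure.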

Now, there is nothing about the above that is newsworthy — except this bit from Microsoft, McAfee, Symantec, Fortinet, Kaspersky, NOD32, F-Secure, BitDefender, the various anti-virus labs and security firms, Prudential, Boeing, 3M, Unisys, Trend Micro, and more [in relation to the Consumer Reports test]…

http://www.avien.org/publicletter.htm

The more than 100 signatories of this public letter, all security professionals with years of experience in dealing with computer viruses, and who work in all sectors, wish to express their whole-hearted support of the following principle:

It is not necessary and it is not useful to write computer viruses to learn how to protect against them.

I understand the industry is largely incompetent, but to put this out so blatantly… I have to admit, is a bit surprising.

And for those that subscribe to the idea that… It is necessary and it is useful to write computer viruses to learn how to protect against them… Here are a few links…

http://www.metasploit.com/projects/Framework/

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project is a powerful tool for penetration testing, exploit development, and vulnerability research.

http://www.rootkit.com/

Rootkits are powerful tools to compromise computer systems without detection. Learn why virus scanners and desktop firewalls are not enough. Learn how attackers can get in and stay in for years, without detection.

In other related news…

  • The anti-virus industry cries foul at Microsoft for “locking down” the upcoming ‘Vista’ operating system — claiming that third-party anti-virus solutions will be unfairly treated and locked out.
  • Microsoft is accused of profiting and taking advantage of the problems they have created with insecure software, as Microsoft releases their own anti-virus solution — Windows Live OneCare.

By the way, all the tested anti-virus solutions fell short to some degree, with the best being BitDefender. Some brands were not tested, like NOD32… which has come highly recommended in the past. And surprisingly, both BitDefender and NOD32 are listed as signatories on the public letter.