Tom Olzak

Archive for February, 2013

The death of text CAPTCHA? I hope so…

In CAPTCHA, Computers and Internet, Security Management on February 22, 2013 at 20:25

In a Yahoo article posted yesterday (Internet advertisers kill text-based CAPTCHA – Yahoo! News), Mike Wehner writes about possible changes to text CAPTCHA hell.  Yes, I said hell.  I am nearing my sixth decade of life on this planet, and I sometimes have to give up and make a phone call when trying to use some of the inane CAPTCHA implementations I encounter.  I am willing to suffer a second or two with ads to select.

I am not alone in my journey through the CAPTCHA quagmire.  According to Wehner, negotiating a CAPTCHA takes an average of 14 seconds.  Some take much, much longer.  This is leading some companies out of the swamps and toward ad-based verification.

Solve Media is the big player in this space, and the graphic below demonstrates how ad-based CAPTCHA works.  Instead of typing meaningless drivel, she enters text related to the displayed product.  Easy and designed to drill product messages into our heads.

From Solve Media Video

I know.  Just one more way to commercialize the Web… but I don’t care.  If I can cut CAPTCHA frustration while helping vendors carry out Turing tests, I’m OK with this.  How about you?

IDCATU strikes Google, Apple, and Microsoft…

In apple, Business Continuity, Firefox, Google Chrome, Internet Explorer, Microsoft, Safari on February 21, 2013 at 20:47

The Register published an article today describing Adblock Plus angst over Google seemingly trying to take down their ad blocking software on Android.  See Ad-titan Google blocks Adblock Plus in Android security tweak • The Register.

While reading the article, I began to get the feeling that Google is intentionally blocking Adblock because it interferes with Google store functionality.  Interesting…

This is one more reason I am very pis… uh… angry this week.  When I first purchased my iMac last year, I was able to do 99% of what I could do on my Windows 7 laptop.  Today, Google Chrome for Mac is significantly crippled on many sites.  Further, I have to use IE 10 on my Windows 8 laptop to have access to several features I use during research.  We seem to be going backward.

When I started in IT (1983), I encountered a score of different standards from the same number of companies.  It was a compatibility nightmare until business simply accepted the IBM PC and MS-DOS as the de facto standard.  Vendors got on board or went out of business.

During the growth of the Internet, browser choices had gotten to the point that I could use the browser of my choice–the browser I felt most comfortable with–and I could be fairly confident that I would be able to be productive.  This was until recently…

Speaking only from personal experience, I believe I am suffering from a disease spreading across Microsoft, Google, and Apple: IDCATU syndrome.  As it spreads, market share and outdoing the competition become more important than user productivity.  Those suffering from I-Don’t-Care-About-The-User use double-talk to assuage the unwary into believing incompatibility between solutions is for their own good. BS.

I am seriously considering moving everything to open source.  The problem is that IDCATU also forces the big players to force the creative and unafflicted to the sidelines.  Some people are simply getting too uppity for their own good… and ours.

Nyuh-uh… wasn’t me…

In Business Continuity, China, Computers and Internet, Critical Infrastructure, Cyber Espionage, Cyber-warfare on February 20, 2013 at 18:48

Read this article first. Unit In China’s PLA Behind Massive Cyber Espionage Operation: Report | SecurityWeek.Com.

Now we can talk…

It should come as no surprise that China is aggressively hacking into anything it can.  In 2009, Gurmeet Kanwal wrote in the Journal for Defence Studies,

“The Chinese call their pursuit of information warfare and other hi-tech means to counter Washington’s overwhelmingly superior conventional military capabilities “acupuncture warfare”, a term that first surfaced in a 1997 PLA National Defense University publication entitled “On commanding Warfighting under High-Tech Conditions.”  Acupuncture warfare (also called “paralysis warfare”) was described as ‘Paralysing the enemy by attacking the weak link of his command, control, communications and information as if hitting his acupuncture point in kung fu combat.'”

So the Chinese have hacked, wheedled, and otherwise slunk into our national infrastructure.  They seem to be expanding on their initial acupuncture approach with theft of information needed to catch up with or impede Western technical and financial progress.  Of course, the Chinese deny they are anything but victims.

Yes, it is naive to believe we aren’t just as aggressively going after the Chinese.  However, public and private organizations still fail to understand the threat.  In China, the government has no problem applying pressure where needed to protect national infrastructure.  In fact, it is highly probable the Chinese government can disconnect China from the Internet on command.  In both areas, Western nations are at risk.

The path we must take in the West is to force government, financial institutions, utilities, healthcare organizations, and other critical service providers to secure their networks or face severe sanctions.  After all, we can do little about what China sees as behavior in support of its national security.  What we can do is remove the vulnerabilities it exploits and closely monitor for what is obviously continuous malicious activity.  We’ve waited long enough for government and private management to do the right thing.  It’s now time to pick up Teddy’s big stick and domestically whack some heads.

It isn’t the algorithm, it’s the admin…

In Access Controls, Password Management, SHA on February 18, 2013 at 19:04

In a recent Threat Post article, Dennis Fisher writes about a competition to find a new password hashing algorithm.  Actually, I thought we had enough.  Let’s see… we have SHA-2 and SHA-3 (just approved by NIST), so what is the rush for a new one?  It seems the supporters of this competition believe their efforts will help stop use of unencrypted password stores.  Really?

The problem is not with hashing algorithms.  Rather, it is with the questionable reasoning of administrators or business managers who can’t seem to understand the need to scramble passwords in storage or in transit.  It also exists in the mental voids where managers seem to justify weak passwords and weak prevention, detection, and response controls.  We have the hash algorithms we need; we just need to use them. But even if a better algorithm is found, who is going to make people use it?  SHA-1 might be weak, but it’s better than nothing.  SHA-2 is still effective, and SHA-3 is waiting in the wings for deployment (http://valerieaurora.org/hash.html).

Yes, faster is better.  Stronger is better.  But getting people to do the right thing requires more than a better, faster algorithm.
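As an added illustration of the point above (example code, not the author's), the following uses the SHA-2 family that is already deployed everywhere, through Python's standard PBKDF2-HMAC-SHA-256 construction, to store and verify passwords with a per-user salt, and includes a small audit that flags the unhashed password records the post complains about. The iteration count, salt length, record format and the sample store are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: work factor and salt length.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "%s$%d$%s$%s" % (SCHEME, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the parameters in the record; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                            # not a hashed record at all
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_store(records: dict) -> list:
    """Return the usernames whose stored value is not in the hashed format."""
    return [user for user, value in records.items()
            if not value.startswith(SCHEME + "$")]


# Constructed sample store: one account hashed correctly, one kept in the clear.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "hunter2",   # plaintext: the "unencrypted password store" problem
}
```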

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a “We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.