2,500 Blog Posts and Counting
That's 2,500+ blog posts if you count all my posts across all my blogs and those of my employer (ESET). My blogging is now very infosec-oriented, but I'm still spreading the word about the silent genetic killer, hereditary hemochromatosis, on the Celtic Curse blog and the largely-self-sustaining Facebook hemochromatosis page, which now has over 1,750 followers. Of course, all views expressed on cobbsblog.com are mine and not those of my employer.
Happy New Tech Year
Just a quick post to say that most of my technology-oriented blogging in 2012 will be happening over on the ESET Threat Blog.
I am enjoying being part of the ESET research team which extends from Singapore to Slovakia, through the Netherlands to the UK, on to Montreal and Buenos Aires, then San Diego, which is where I am located these days.
This international distribution of research resources provides exceptional ability to gain insight into emerging threats to data and systems, notably but not only in the computer virus arena. And the depth of talent in the group is outstanding, producing in-depth technical analysis of malware (malicious software) and the things that purveyors of this stuff get up to, always with an eye to defeating the bad guys and protecting as many honest Internet users as possible. Here is a page of recent and relevant resources.
iTunes - Podcasts - DEFCON 3 - Feat. Me
If you are into hardware and software experimentation you might have noticed, with some amazement, that 2012 is the year of DEFCON 20. That's two decades of hacker convention fun and games. I missed the first two but was invited to speak at DEFCON 3 which was held August 4-6th 1995 at the Tropicana in Las Vegas. So I was delighted to encounter this link recently: Past speeches and talks from DEF CON hacking conferences in an iTunes friendly m4b format. I took a listen to my session (on Why Hacking Sucks) and was pleased to find it still sounded pretty sane. A helpful interaction is how I would characterize it, at least for me.
Will Christmas Kindles Torch the Internet and Evaporate the Amazon Cloud?
I got an Amazon Kindle Fire from my wife for Christmas and I'm a bit worried about the effect on the Internet. I should explain that I got my Fire a few weeks ago because my wife and I like to give each other digital gifts before Christmas Day so that by the time Christmas Day arrives we have said devices fully configured and can actually play with them (I got her an iPhone 4S).
The problem I see is that Amazon has been selling about one million of these Fire things a week and many of them may not be fired up, so to speak, until Christmas Day. Here's what happened after I fired up my Kindle Fire: It gave me instructions on how to put my music in the cloud, and store it there for free, and those instructions were very easy to follow, so my laptop was soon engaged in uploading 6,471 files. Engaged as in "I need to spend several days trying to do this."
When it was done, those files added up to over 30 gigabytes of data, sitting in the cloud somewhere, ready for me to listen to them at the tap of a screen. Now imagine 2 million people getting a Fire for Christmas and accepting that invitation to put their music in the cloud. Suppose they each have, on average, 20 gigabytes of music. That's 40 million gigabytes or 40 petabytes added to the cloud and Internet traffic on Christmas Day. I hope Capacity Planning at Amazon.com has been doing some planning. And those folks who manage the tubes, they better be ready to put out some fires.
The problem I see is that Amazon has been selling about one million of these Fire things a week and many of them may not be fired up, so to speak, until Christmas Day. Here's what happened after I fired up my Kindle Fire: It gave me instructions on how to put my music in the cloud, and store it there for free, and those instructions were very easy to follow, so my laptop was soon engaged in uploading 6,471 files. Engaged as in "I need to spend several days trying to do this."
When it was done, those files added up to over 30 gigabytes of data, sitting in the cloud somewhere, ready for me to listen to them at the tap of a screen. Now imagine 2 million people getting a Fire for Christmas and accepting that invitation to put their music in the cloud. Suppose they each have, on average, 20 gigabytes of music. That's 40 million gigabytes or 40 petabytes added to the cloud and Internet traffic on Christmas Day. I hope Capacity Planning at Amazon.com has been doing some planning. And those folks who manage the tubes, they better be ready to put out some fires.
Mac OS X Help: Specifying criteria in Spotlight
I just updated this post with a Mavericks screenshot, but the basic point holds true for the past few versions of OS X: the Spotlight search tool on Macs can be very powerful, but a surprising number of people don't seem to know how to tap that power (and for a long time that included me).
Apple has a good basic article on Spotlight. Remember that you can always press Command+Spacebar to pop up Spotlight. And you can use the Spotlight pane in System Preferences to change these categories around, their order, and even which categories appear.
You can type calculations into Spotlight and find that 256*2-680 is 168.
You can get the definition of a word by typing it into Spotlight and then checking the Look Up section of the results.
Enjoy!
Apple has a good basic article on Spotlight. Remember that you can always press Command+Spacebar to pop up Spotlight. And you can use the Spotlight pane in System Preferences to change these categories around, their order, and even which categories appear.
You can type calculations into Spotlight and find that 256*2-680 is 168.
You can get the definition of a word by typing it into Spotlight and then checking the Look Up section of the results.
Enjoy!
The Google-SOPA-PIPA-DNS-Copyright-Oil-and-Gas Link
What does copyright infringement have to do with scraping oil from the bottom of a barrel and an acronym soup like SOPA, PIPA, DNS and DNSSEC? The answer lies with Google, not the search engine but the company.
More specifically, the answer lies with Google's Executive Chairman, Eric Schmidt, who said the following at the University of Minnesota last week when asked about legislation (SOPA/PIPA) which would--in the name of protection against copyright infirngement--give the U.S. government the power to mess with the Domain Name System (DNS) that forms the backbone of the Internet:
Mr. Schmidt is entirely correct, and I love the expression "making it more explicitly illegal to make money from..." because it covers a range of actions that governments and law enforcement agencies can take without interfering with the way the Internet works.
For example, the act of distributing pirated movies would be more explicitly illegal if the pirates were identified, arrested, extradited or extracted, imprisoned, tried, convicted, and given 20-year sentences in maximum security facilities without the possibility of parole. The same goes for the makers of malicious software. Let's put a bunch of them in jail with long sentences and see if that reduces the malware problem.
I just don't see a downside to this hardline approach to making something like software piracy or handbag counterfeiting "more explicitly illegal" except that some people will say it costs too much money. Au contraire, if you do this right it will actually make a lot more money than it costs. Consider the numbers put out by supporters* of the Stop Online Piracy Act: "IP theft costs the U.S. economy more than $100 billion annually and results in the loss of thousands of American jobs" (The Austin Statesman).
If you gave me a budget of one percent of that amount ($1 billion), I would most assuredly, and within a period of 12 months, reduce the cost of that theft by at least 15 percent ($15 billion). In other words, backing the effort to crack down on piracy to the tune of $1 billion in fresh money would pay huge dividends, save thousands of U.S. jobs, and actually create jobs (without messing with DNS).
Why am I so sure of this? My answer is not a lot of hot air, but it is a bit oily, as in petroleum production taxes. Thirty years ago I was criss-crossing America auditing the state oil and gas taxes paid by petroleum companies, firms with names like Koch, Hess, Ashland, Texaco, and Hunt. During that time I learned a lot about the ways in which we humans try to cheat each other.
Consider the sludge that forms at the bottom of a crude oil holding tank such as you see next to wells in oil fields where the wells are not connected to a pipeline. Some of that sludge is recoverable oil and, from time to time, someone goes into the tank to suck it out. How much of the sludge is oil? How much gets pumped out? Where is it taken? How much of it gets there? These are all points in the oil production process where numbers and readings and measurements can be fudged, to the advantage of one party and the disadvantage of another.
Not that every case of missing petroleum tax dollars was a case of cheating. Oil companies were sometimes being cheated by employees and contractors. And every time the production output of a well is understated that also cheats the royalty owner, the person who owns the mineral rights to the land from under which the oil and gas is being extracted.
Operating on a shoe string budget my auditing team raked in millions of previously unpaid taxes within the first 12 months of operation. We used no new laws or fancy gimmicks. We just followed the money, which is what Eric Schmidt is saying when it comes to cracking down on copyright infringement. In oil production areas you don't close down the roads in and out of every county where production is apparently going missing. You go to the top of the organization, the people getting the money, and you figure out how they came by it. You examine the paperwork. You audit the heck out of the operation. If the organization is shady, you shed light. If it is in another country then you remind that country of our mutual interests.
We have already seen positive results when private dollars are used to help enforce public laws, as in the Microsoft and Pfizer funded action against the Rustock botnet. (If you're wondering why a drug company got involved, read the story, it really is a big deal.) So why not an anti-infringement posse formed and funded by the likes of Google, eBay Facebook, and Yahoo! The backers of Protect Innovation could really make a lot of friends in high places, and on the High Street, if they were seen to spearhead a new effort to put cyber-criminals behind bars.
* Note: Here are some of the fine companies and trade groups that back SOPA (I respect and admire many of them, I just think they are wrong about SOPA): National Cable and Telecommunications Association, National Association of Manufacturers, Pharmaceutical Research and Manufacturers of America (PhRMA), Business Software Alliance, Screen Actors Guild (SAG), the U.S Chamber of Commerce, Independent Film & Television Alliance (IFTA), National Association of Theatre Owners (NATO), Motion Picture Association of America, Inc. (MPAA), American Federation of Musicians (AFM), American Federation of Television and Radio Artists (AFTRA), Directors Guild of America (DGA), International Alliance of Theatrical Stage Employees, (IATSE), International Brotherhood of Teamsters (IBT), Comcast/NBCUniversal, National Songwriters Association, the United States Conference of Mayors, National Sheriffs' Association, International Brotherhood of Electrical Workers, International Trademark Association.
More specifically, the answer lies with Google's Executive Chairman, Eric Schmidt, who said the following at the University of Minnesota last week when asked about legislation (SOPA/PIPA) which would--in the name of protection against copyright infirngement--give the U.S. government the power to mess with the Domain Name System (DNS) that forms the backbone of the Internet:
“There are a whole bunch of issues involved with [SOPA] breaking the Internet and the way it works. The correct solution, which we’ve repeatedly said, is to follow the money...Making it more explicitly illegal to make money from that type of content [pirated movies, software, or other counterfeit goods] is what we recommend.”
Mr. Schmidt is entirely correct, and I love the expression "making it more explicitly illegal to make money from..." because it covers a range of actions that governments and law enforcement agencies can take without interfering with the way the Internet works.
For example, the act of distributing pirated movies would be more explicitly illegal if the pirates were identified, arrested, extradited or extracted, imprisoned, tried, convicted, and given 20-year sentences in maximum security facilities without the possibility of parole. The same goes for the makers of malicious software. Let's put a bunch of them in jail with long sentences and see if that reduces the malware problem.
I just don't see a downside to this hardline approach to making something like software piracy or handbag counterfeiting "more explicitly illegal" except that some people will say it costs too much money. Au contraire, if you do this right it will actually make a lot more money than it costs. Consider the numbers put out by supporters* of the Stop Online Piracy Act: "IP theft costs the U.S. economy more than $100 billion annually and results in the loss of thousands of American jobs" (The Austin Statesman).
If you gave me a budget of one percent of that amount ($1 billion), I would most assuredly, and within a period of 12 months, reduce the cost of that theft by at least 15 percent ($15 billion). In other words, backing the effort to crack down on piracy to the tune of $1 billion in fresh money would pay huge dividends, save thousands of U.S. jobs, and actually create jobs (without messing with DNS).
Why am I so sure of this? My answer is not a lot of hot air, but it is a bit oily, as in petroleum production taxes. Thirty years ago I was criss-crossing America auditing the state oil and gas taxes paid by petroleum companies, firms with names like Koch, Hess, Ashland, Texaco, and Hunt. During that time I learned a lot about the ways in which we humans try to cheat each other.
Consider the sludge that forms at the bottom of a crude oil holding tank such as you see next to wells in oil fields where the wells are not connected to a pipeline. Some of that sludge is recoverable oil and, from time to time, someone goes into the tank to suck it out. How much of the sludge is oil? How much gets pumped out? Where is it taken? How much of it gets there? These are all points in the oil production process where numbers and readings and measurements can be fudged, to the advantage of one party and the disadvantage of another.
Not that every case of missing petroleum tax dollars was a case of cheating. Oil companies were sometimes being cheated by employees and contractors. And every time the production output of a well is understated that also cheats the royalty owner, the person who owns the mineral rights to the land from under which the oil and gas is being extracted.
Operating on a shoe string budget my auditing team raked in millions of previously unpaid taxes within the first 12 months of operation. We used no new laws or fancy gimmicks. We just followed the money, which is what Eric Schmidt is saying when it comes to cracking down on copyright infringement. In oil production areas you don't close down the roads in and out of every county where production is apparently going missing. You go to the top of the organization, the people getting the money, and you figure out how they came by it. You examine the paperwork. You audit the heck out of the operation. If the organization is shady, you shed light. If it is in another country then you remind that country of our mutual interests.
We have already seen positive results when private dollars are used to help enforce public laws, as in the Microsoft and Pfizer funded action against the Rustock botnet. (If you're wondering why a drug company got involved, read the story, it really is a big deal.) So why not an anti-infringement posse formed and funded by the likes of Google, eBay Facebook, and Yahoo! The backers of Protect Innovation could really make a lot of friends in high places, and on the High Street, if they were seen to spearhead a new effort to put cyber-criminals behind bars.
* Note: Here are some of the fine companies and trade groups that back SOPA (I respect and admire many of them, I just think they are wrong about SOPA): National Cable and Telecommunications Association, National Association of Manufacturers, Pharmaceutical Research and Manufacturers of America (PhRMA), Business Software Alliance, Screen Actors Guild (SAG), the U.S Chamber of Commerce, Independent Film & Television Alliance (IFTA), National Association of Theatre Owners (NATO), Motion Picture Association of America, Inc. (MPAA), American Federation of Musicians (AFM), American Federation of Television and Radio Artists (AFTRA), Directors Guild of America (DGA), International Alliance of Theatrical Stage Employees, (IATSE), International Brotherhood of Teamsters (IBT), Comcast/NBCUniversal, National Songwriters Association, the United States Conference of Mayors, National Sheriffs' Association, International Brotherhood of Electrical Workers, International Trademark Association.
Security and Privacy Links: Marketing cybersecurity
As some of you know, I hit the ground running when I landed in San Diego at the beginning of September, happy to be back in California, wrestling with my first love, information security.
Okay, so that prose was a trifle purple--not to be confused with a delicious purple trifle--and information security is not, strictly speaking, my first love.
But hopefully you get the point: I was ready to up my game in the fight against digital malfeasance after three fun years focused on the marketing of marketing software to marketers (three highly successful years, I might add, because the marketing software, Monetate, was clearly headed for best of breed from day one and can now be found on major websites from PETCO to QVC).
There were a number of happy congruencies in this latest development. My marketing skills had been honed, my marketing experience broadened, just in time to sell a fresh message of cybersecurity awareness to a deeply digital world. That message goes like this: "The bad guys are badder than ever, better funded, more organized, but there are simple steps we can all take to make cyberspace a lot safer tomorrow than it is today."
For me, this was just the right time to run into ESET, a Slovakian company with a growing presence in North America and a strong commitment to the public good, as evidenced by a pioneering community initiative called Securing Our eCity. I spend part of my time working on this initiative and the rest on research and publication, in all its forms, including blogging, tweeting, and speaking. Here are just a few of my efforts so far:
Okay, so that prose was a trifle purple--not to be confused with a delicious purple trifle--and information security is not, strictly speaking, my first love.
But hopefully you get the point: I was ready to up my game in the fight against digital malfeasance after three fun years focused on the marketing of marketing software to marketers (three highly successful years, I might add, because the marketing software, Monetate, was clearly headed for best of breed from day one and can now be found on major websites from PETCO to QVC).
There were a number of happy congruencies in this latest development. My marketing skills had been honed, my marketing experience broadened, just in time to sell a fresh message of cybersecurity awareness to a deeply digital world. That message goes like this: "The bad guys are badder than ever, better funded, more organized, but there are simple steps we can all take to make cyberspace a lot safer tomorrow than it is today."
For me, this was just the right time to run into ESET, a Slovakian company with a growing presence in North America and a strong commitment to the public good, as evidenced by a pioneering community initiative called Securing Our eCity. I spend part of my time working on this initiative and the rest on research and publication, in all its forms, including blogging, tweeting, and speaking. Here are just a few of my efforts so far:
On TV:
- On Digital Pros Fight Cyberspace Predators on NBC
- On What to Bring When Buying Online on NBC
Speaking:
- On Cybersecurity in the Workplace for Excelsior College
- On Information Security Policies for SMBs and several more webcasts
- On Becoming a Security Detective by Dark Reading and InformationWeek
Quoted:
- On Cyber Monday threats in SC Magazine
- On Attackers Gearing Up for Cyber Monday With Scams, Deals by eWeek
- On Online anonymity hard to achieve but not impossible by ZDNet Asia
- On Apple Shoots the Messenger by PC World
Published:
- Video blog on Search Poisoning of McCartney and Gaddafi
- Blog post on Malware Delivery via Canada Post
- Cybercrime column on Freezing assets and turning up the heat
- Many more security blog posts
- Various articles ESET Global Threat Report
Bonus Security Video: Malware Delivery Scam:
CyberMonday SmartPhone Shopping Tip: Avoid CA, MA, RI, and maybe others
This is a quick tip for anyone looking to buy a new iPhone or other smartphone this holiday season:
Don't buy in California, Massachusetts, or Rhode Island.
If you are in one of those states and can cheaply get to another state, or happen to be passing through another state on business or to visit family, you can save $40 or more if you purchase your phone out of state.
Why? The answer is in small print at the Apple store and--possibly in different words--on some mobile provider sites:
In CA, MA, and RI, sales tax is collected on the unbundled price of iPhone.
In other words, you might be getting a great deal on the phone but these states charge you sales tax as though you did not get a great deal, and that's a bum deal.
Consider that the Apple iPhone 4S series has unbundled prices of $649, $749, and $849 for the 16MB, 32MB, and 64MB models respectively. That means a sales tax of 7.75% on the 16MB 4S you buy from AT&T or Apple for $199 comes in at $50 versus the $15.42 you were probably expecting. That's sticker shock if you have not been through this process before.
Don't buy in California, Massachusetts, or Rhode Island.
If you are in one of those states and can cheaply get to another state, or happen to be passing through another state on business or to visit family, you can save $40 or more if you purchase your phone out of state.
Why? The answer is in small print at the Apple store and--possibly in different words--on some mobile provider sites:
In CA, MA, and RI, sales tax is collected on the unbundled price of iPhone.
In other words, you might be getting a great deal on the phone but these states charge you sales tax as though you did not get a great deal, and that's a bum deal.
Consider that the Apple iPhone 4S series has unbundled prices of $649, $749, and $849 for the 16MB, 32MB, and 64MB models respectively. That means a sales tax of 7.75% on the 16MB 4S you buy from AT&T or Apple for $199 comes in at $50 versus the $15.42 you were probably expecting. That's sticker shock if you have not been through this process before.
RIP: The Golden Age of Unlimited Internet, It's Been Capped
The golden age of unlimited Internet is over, capped usage is now the norm. Alas for uncapped bandwidth, uncapped bandwidth is no more, and this has serious implications for everything from programming to data security and economics.
Soliloquies aside, the pleasure of making a prediction that comes true--I have said for some time that all bandwidth will eventually be capped and metered--is often undermined by the reality of what one predicted. (For example, about every new form of data abuse I have said "Typically, this is going to get worse before it gets better" and I am, sadly too often, correct in that assessment.)
Soliloquies aside, the pleasure of making a prediction that comes true--I have said for some time that all bandwidth will eventually be capped and metered--is often undermined by the reality of what one predicted. (For example, about every new form of data abuse I have said "Typically, this is going to get worse before it gets better" and I am, sadly too often, correct in that assessment.)
I have written extensively about bandwidth capping in the context of both satellite Internet service and 3G Internet service. I have lived with daily bandwidth caps in the 400 megabyte range, courtesy of HughesNet's premium $80 per month satellite service. I have lived with the AT&T MiFi 3G cap of 5 gigabytes a month or 166 megabytes per day (for $60 per month). Apparently I am now going to live with the 200 gigabytes per month cap of Cox Cable Preferred Internet Service, currently $40 per month.
Of course, it is clear that 200 gigabytes for $40 is a better deal than 5 for $60 or 12 for $80 (if you multiply the 400 megabytes per day that HughesNet 'gives' you by 30 days you get 12 gigabytes, but in reality you seldom get 12 gigabytes because you keep daily use below that, worried that you will exceed your cap, which costs $10 to reset every time you blow through it with a big download or streaming audio/video).
What is wrong about Cox Cable's cap, and I have to use wrong rather than a softer touch like "questionable" or dubious" or "unfortunate," is that Cox Cable does not disclose its cap before you contract for Cox service. I know this because I just went through the labyrinthine process of getting Cox Cable service in San Diego. While everyone from Cox with whom I have spoken has been very polite, friendly, and helpful, nobody said "That comes with a 200 gigabyte per-month cap and we reserve the right to charge you more money if you go over that."
What is wrong about Cox Cable's cap, and I have to use wrong rather than a softer touch like "questionable" or dubious" or "unfortunate," is that Cox Cable does not disclose its cap before you contract for Cox service. I know this because I just went through the labyrinthine process of getting Cox Cable service in San Diego. While everyone from Cox with whom I have spoken has been very polite, friendly, and helpful, nobody said "That comes with a 200 gigabyte per-month cap and we reserve the right to charge you more money if you go over that."
Nobody. Not the first time I placed my order, nor the second time I placed my order because the first order went astray. In other words, Cox had ample opportunity to mention the cap and the consequences of exceeding it. They did not. Given the otherwise articulate and engaging nature of the service personnel that Cox puts on the line, I tend to assume they are trained not to say anything about the cap.
So, the cap is here. It is not disclosed. And next I fear, it will be reduced. Once we are all hooked on whatever bandwidth consuming activity floats our boat, be it streaming video, audio, online gaming, hi-def photography, video calls, or something as yet not deployed, the bandwidth providers will start clamping down, shrinking the cap and raising the rates. So here are some potential implications:
- Using the Internet will cost more in the future, not less. We will pay per gig, not per month.
- Deployment of any security services that use bandwidth will meet resistance or get turned off if people are paying per gig.
- The rich will get more Internet than the poor (and of course the poor will get poor and the rich will get richer, a golden rule pretty much everywhere, from the USSR to the US of A).
- Programs that use bloated code or content will be penalized by bad reviews.
- Apps that are coded efficiently and elegantly will prevail.
I recently had the honor of speaking to a group of computer science students at the Jacobs School of engineering at UCSD. One topic we got into was the need to keep code lean. I mentioned to them a very interesting article that was mentioned to me by my good friend (and computer scientist extraordinaire) David Brussin and written by someone in Australia who also has to deal with bandwidth limitations, Troy Hunt.
The amount of 'bloat' that Troy found in iOS apps will surprise many, but it really wasn't a surprise to me. Why? Because my wife and I have used an iPad on a capped--and thus closely monitored--satellite Internet connection for over a year. We know how far the needle jumps when you add an iPad to your wireless Internet device mix. I fear the time will come when we pay dearly for that, by the megabyte.
p.s. Just noticed this report: Sprint is slowly but surely killing unlimited data
The amount of 'bloat' that Troy found in iOS apps will surprise many, but it really wasn't a surprise to me. Why? Because my wife and I have used an iPad on a capped--and thus closely monitored--satellite Internet connection for over a year. We know how far the needle jumps when you add an iPad to your wireless Internet device mix. I fear the time will come when we pay dearly for that, by the megabyte.
p.s. Just noticed this report: Sprint is slowly but surely killing unlimited data
Regulator unveils plan for universal broadband - Science & Technology News
Federal Communications Commission Chairman Julius Genachowski proposed a strategy for revamping that government subsidy program to help deploy high-speed Internet service to millions of Americans living in rural and costly-to-serve areas.
Regulator unveils plan for universal broadband - Science & Technology News
Regulator unveils plan for universal broadband - Science & Technology News
Subscribe to:
Posts (Atom)