Archive for the 'Rants' Category

Chat spam fail

Posted in Rants on August 16th, 2008

I tend to leave my chats signed in, just throw up a ‘not here now’ sort of message. Or just walk away from the computer and forget about them. Sometimes, this leads to amusing things.

Recently, I’ve been getting hit with tons of one-line spammers telling me to chat with particular Yahoo accounts. Yeah, sure, that’s going to happen.

This morning though, I got this amusing tidbit:

(04:38:36 AM) honneybunss22: hihi! you’re from chat right?
(04:41:40 AM) honneybunss22: cool, sorry i type a little slow. 18f in college here, what are you up to?
(04:47:38 AM) honneybunss22: u wanna se more? i’m feeling kinda wild right now
(04:50:37 AM) honneybunss22: i’m gonna send you a cam invite here k?
(04:53:34 AM) honneybunss22: ok sent, did you get it?
(04:56:32 AM) honneybunss22: hmm.. let me try again, hang on
(04:59:35 AM) honneybunss22: what about now?
(05:02:39 AM) honneybunss22: ugh, this is stupid, this always happens to me when i use yahoo
(05:11:42 AM) honneybunss22: k, you just need a CC or debit to verify ur over 18, even an expired one works. we can’t have little ones seeing what im about to do lol
(05:14:35 AM) honneybunss22: let me know when u make ur username, so i can link u to my cam profile
(05:20:34 AM) honneybunss22: ok you’re good to go

No, I didn’t redact or change anything.

Let me count the fails:

1) It’s acting as if I sent it messages in response… no messages were sent.
2) It takes it almost an hour to go through the whole sequence (I wonder if it would have gone quicker if a cat had walked on the keyboard)
3) They don’t ever tell me where the site is, just that I should go there.
4) Granted, I suppose court cases have decided that providing a CC is proof of age? But I’m sure that if little Johnny wanted to be a brat, he could snag a CC from a wallet or purse, especially at 5am in the morning.
5) Grammar, I know mine is sometimes a little off, but at least a bot could be kind enough to use complete words instead of sms-speak.

I know, boring, but it amused me this morning as I was vaguely waking up.

Thank you Blackhat, again

Posted in Rants, Security on February 27th, 2007

A couple years ago Blackhat (http://www.blackhat.com) was embroiled in a legal battle between Cisco Systems and Mike Lynn about a presentation he was giving on breaking into Cisco’s IOS. We won’t go into the details about that here but you can go read Jennifer Granick’s journal for the details.

And now Blackhat looks like it might be in the middle again. InfoWorld reports that HID, the proximity RFID card maker, may be going up against IOActive, Inc. to stop a similar presentation that targets their technology, as well as similar technology from other vendors in the same field.

What really gets to me in this case is a quote attributed to HID from InfoWorld:

“These systems are installed all over the place. It’s not just HID, but lots of companies, and there hasn’t been a problem. Now we’ve got a person who’s saying let’s get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where’s the sense of responsibility?” Carroll said.

Where is the responsibility in a security company selling a product that they know has a vulnerability in it? That their customers might be susceptible to an attack which is mostly public already? That apparently one researcher took less than a month to put together?

I’m tired of this. I’m tired of hearing about security companies that fail in some major aspect of securing their own devices, or of working with customers to alleviate or understand problems with the technology they are selling or have sold. Security in a black box of “trust us this will work” is worthless to the customer. Why am I tired of this? Because I see too many examples of it, including:

Default installations of security web applications that leave themselves open to the world.
Security appliances that converse via SSL on which you can’t update the certificate.
Security appliances that offer no secured communications channel for device management.

I think, if you’re selling or creating any security device, you need to at least hold yourself to a higher standard for protecting it and protecting your customers. Though I hate to create new legislation, perhaps we need some in this arena. I envision something where a researcher that finds a flaw is protected by whistleblower-style legislation (even if they don’t work at the company) and the company must do a notification to customers affected by the problem.

Can I get a hell yeah?

– decaf out (poor editing and writing attributed to my current fever)

Incredible statement

Posted in Rants, Security on October 20th, 2006

I was talking with a friend who works in a large segmented organization, where administration is done ad-hoc in each segment with some infrastructure that covers the entire organization. They were having issues with one of the systems administrators after an outbreak of some viruses in the administrator’s area. After having dealt with the issues in some highly non-professional manners, the administrator came up with the following:

“We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems.” [1]

The number of things that are so wrong about this statement is astounding. The fact that the people for whom the administrator maintains systems bought this line is even more astounding.

Let’s break this down on where the security problems exist, and how this proposed solution helps with them.

If it’s the fact that the Mac traditionally used Motorola processors instead of Intel-based processors and that’s why they don’t have security problems, then going with Mac Minis isn’t going to help since they’re Intel-based machines (otherwise it would be pretty difficult to do what we’re going to look at next, run Windows on them).

If it’s the fact that Windows has a number of vulnerabilities, especially if it’s not properly maintained and protected with firewalls, then changing the operating system would be an acceptable alteration. But we’re not, we’re going to load Windows onto the Mac Minis.

The reason that the Macs currently are less of a security risk is that there are fewer exploits and known vulnerabilities out there for Mac OS X (and previous versions of MacOS as well). Personally, I expect that to slowly change as Mac OS X gains in popularity. But in this instance, that’s not the method we’re choosing to make these systems more secure.

So we’re left with the best security method I’ve heard of: A different case! By affixing an Apple logo onto the host, we’ve made it more secure, because Macs aren’t subject to the same security problems.

– decaf out

[1] Unfortunately while this quote is as close as I can get to the spirit of what was said, it may not be accurate as I didn’t hear the person say it.

UPDATE: Since this has been linked to by a couple places now I thought I’d add a quick note to clarify. It’s not the entire organization that is making this change, just one small (but important) group out of the entire organization. Probably less than 1% of the people and hosts that exist in the organization.

The Bread that Put McDonalds Out of Business

Posted in Cooking, Rants on January 13th, 2006

The New York Times reports on a classic David and Goliath story about how a baker in the small town of Altamura, Italy, put the local McDonalds out of business by producing a superior product that his customers preferred to McDonalds. As he says:

“What took place was a small war between us and McDonald’s,” said Onofrio Pepe, a retired journalist who founded an association here devoted to local delicacies. “Our bullets were focaccia. And sausage. And bread. It was a peaceful war, without any spilling of blood.”

Who can blame him? Wouldn’t you rather have a nice focaccia and some really good sausage? I know I would.