Yep, we’re doing it again. Wednesday night, May 2, at ApacheCon Europe, we’ll be having a PGP KeySigning. All Apache committers and all conference attendees are invited to participate.
Why do we have a PGP Keysigning session at ApacheCon? At the Apache Software Foundation, we sign our releases with PGP. Every release archive is accompanied by a signature file (its name ends in .asc) and a hash file (its name ends in .md5) that you can use to verify the integrity of the release.
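As an added example that is not part of the original post: a POSIX shell script that performs the check described above, assuming gpg and md5sum are installed and the project’s KEYS file has already been imported; the archive name is hypothetical. It also accepts the several .md5 layouts Apache projects have published (bare hash, md5sum style, gpg --print-md style), which goes beyond what the post itself spells out.

```shell
# Added example, not code from the original post: verify an Apache-style
# release archive against the detached PGP signature (.asc) and MD5 file
# (.md5) shipped beside it. Assumes POSIX sh with gpg and md5sum on PATH,
# and that the project's KEYS file was imported already (gpg --import KEYS).
# File names are hypothetical.

# expected_md5 ARCHIVE: extract the digest from ARCHIVE.md5. Apache .md5
# files come in several layouts: a bare hash, "hash  filename" (md5sum
# style) or "filename: AB CD EF ..." (gpg --print-md style). Normalise all.
expected_md5() {
    head -n 1 "$1.md5" | sed 's/^[^:]*: *//' | tr -d ' \t\r*' \
        | cut -c1-32 | tr 'A-F' 'a-f'
}

# verify_md5 ARCHIVE: succeed only if the computed digest matches a
# well-formed 32-hex-digit expected value (fail closed on a garbled file).
# An MD5 file proves the download is intact, not who produced it; the
# PGP signature is what ties the archive to a release manager's key.
verify_md5() {
    expected=$(expected_md5 "$1")
    if [ "${#expected}" -ne 32 ]; then
        echo "malformed $1.md5" >&2; return 1
    fi
    case $expected in
        *[!0-9a-f]*) echo "malformed $1.md5" >&2; return 1 ;;
    esac
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# verify_sig ARCHIVE: gpg exits non-zero for a bad signature or for a
# signing key that is not in the keyring, so its status is the verdict.
verify_sig() {
    gpg --batch --verify "$1.asc" "$1"
}

# verify_release ARCHIVE: both checks must pass.
verify_release() {
    verify_md5 "$1" || { echo "$1: MD5 mismatch" >&2; return 1; }
    verify_sig "$1" || { echo "$1: bad or unverifiable PGP signature" >&2; return 1; }
    echo "$1: MD5 and PGP signature OK"
}
```

Run it as `verify_release foo-1.0.tar.gz` with the .asc and .md5 files in the same directory; a non-zero exit means do not use the archive.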
SpamAssassin’s Justin Mason comments on a talk by one Joe St. Sauver about the Spam Zombie Problem. Joe has some good points, but I’m afraid his proposed solution—a government-issued, free cleanup disk to be applied to infected PCs—won’t cut it.
Joe even contradicts himself in his slide show. First he assesses that the average owner of an 0wned PC does not have the motivation, or the wherewithal, to clean up their infection, that they are unwilling to pay to have this done, and that ISPs can’t be expected to help out their users since it would take hours to properly clean up a zombie PC. Yet a cleanup CD seems to me not only a hard sell to the general public; it also looks like something easily obtained by the bad guys, who can then code around it. Malware can be updated in minutes through its natural distribution medium; good luck updating a stock of CDs sitting at every post office and library.
Nevertheless, Joe makes some interesting points such as:
- The vast majority of SPAM e-mail is now delivered through virus-infected PCs (zombies) owned by the general public
- Said general public has no compelling interest in cleaning up their machines
- The zombie PC problem is out of control
- This is a world-wide issue
- Something needs to be done
However, what can we do about this? I agree with Joe that rate-limiting e-mail from consumer PCs and cutting off their direct-to-MX SMTP path is not enough. I don’t use AOL, but I’m sure their widely advertised move to make antivirus software available to their customers for free is in their own best interest. The $250 tax credit Joe proposes seems to me merely a shot in the arm for Dell and Microsoft; the latter especially would love to see the masses upgrade to Vista forthwith. Speaking of which, what exactly does Vista bring to the table in this regard?
The Hack Report has an interview with Honeynet founder Lance Spitzner, where he gets to re-hash what we know about the bad guys: yes, they are after your computer; they are in it for the money now; and no, there’s nothing law enforcement can do.
And, of course, someone in the comments speaks up and denounces the use of the word ‘Hacker’ for the bad guys, since ‘Hacker’ really means ‘One who is proficient at using or programming a computer’, and so on. Of course I agree with this, but it’s too late to shut the barn door.
Give it up. The linguistic battle has been lost: in the eyes of the general public and the industry, ‘Hacker’ means you’re breaking stuff. End of story. Instead of mincing words, let’s concentrate on actually fighting the bad guys. What we need is a new moniker for the ethical, good-guy hacker. Let’s rally under a new banner! From now on, the good guys should consider themselves ‘CyberPonies’.
Nick Kew over at ApacheTutor reviews a couple of books on Apache Security. One of them, by Ryan Barnett, is already on my shelf. I’ll probably pick up Ivan Ristic’s book as well.
As noted in The Register, Verisign teams up with Microsoft to enhance the user experience of Internet Explorer 7 when browsing SSL-protected sites. Verisign will sell High Assurance certificates to sites that pass a more stringent identity verification than is currently the norm. When it encounters such a certificate, IE 7 will turn the address bar green in addition to displaying the usual padlock. A Phishing Filter (Philter?) turns the address bar red when the user accesses a known phishing site.
While I hope that they include enough visual cues for the red/green colorblind among us, I don’t dislike this idea. Is it a scam? Not necessarily. Details about what a High Assurance or Extended Validation certificate actually comprises are scarce, but it’ll probably take the form of a certificate attribute that Verisign will set on these mo’ expensive, mo’ better certificates. Such an attribute can be set by any CA, parsed by any browser, and ignored by the enormous installed base of credit-card-wielding, revenue-generating users of older browsers. Whether or not a company drinks the Microsoft/Verisign Kool-aid, they hopefully won’t stand for breaking backwards compatibility. On the other hand, it’s the responsibility of the Certificate Authorities to only set this attribute on their mo’ better certificates, for which they in turn can charge mo’ money.
This whole thing ties into a new concept of Trust. The situation is not black and white anymore. Trust is the new green. Or yellow, or red. You can get a cheap certificate by proving that you can ping an e-mail back and forth to the CA. This shows them that you have access to e-mail on the domain, which is good enough for them as an (automated) identity verification. Whether said domain is practically indistinguishable from that of an actual business falls outside this check. One would dearly hope that applicants for a High Assurance certificate undergo more scrutiny than that.
Earlier this month at ApacheCon, I attended a very interesting talk by Lisa Dusseault about Federated Identities. As she talked about rate-limiting the creation of centrally verified identities to thwart spammers, she came up with the Fifty Dollar identity. The knowledge that the party you are talking to has a non-trivial sum of money behind their identity record might positively affect the trust you place in that identity. I see much the same happen with this new server-side certificate paradigm: cheap normal certificates you trust a little, and mo’ Green mo’ better certificates you might trust more. So far, browsers have not given us any idea about the quality of a site’s certificate. It’s either trusted, or the browser puts up a slew of scary dialogs. The red/green address bar might bring some nuance to this concept and put a more human face on the concept of the identity of a web site.