Wednesday, May 21, 2008

mid week funnies

hysterical: gary kasparov attacked by a flying RC phallus:

rec'd this in my inbox (junk) this morning:

Dear Sir,

I allow myself to get in touch with you regarding the MOHO project set up by students and professors from Stanford and two among the best universities in France (Centrale Paris Engineering School and ESSEC Business School).

the moho project? really?

director: sumthin' ain't workin' in this video dawg...
rap artist: we need moho up in here!

something clearly got lost in the translation. don't the students at the finest french universities keep up with pop culture? those french dubbed versions of "boyz in the hood" aren't selling themselves...

lastly, haiku humor
In Japan, they have replaced the impersonal and unhelpful Microsoft error messages with Haiku poetry messages. Haiku poetry has strict construction rules: each poem has only 17 syllables - 5 syllables in the first line, 7 in the second, 5 in the third. They are used to communicate a timeless message, often achieving a wistful, yearning, and powerful insight through extreme brevity.

Here are some actual error messages from Japan. Aren't these better than "your computer has performed an illegal operation"?
The web site you seek
Cannot be located, but
Countless more exist.

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

Program aborting
Close all that you have worked on.
You ask far too much.

Windows NT crashed.
I am the Blue Screen of Death.
No one hears your screams.

Yesterday it worked.
Today it is not working.
Windows is like that.

Your file was so big.
It might be very useful.
But now it is gone.

Stay the patient course.
Of little worth is your ire.
The network is down.

A crash reduces
Your expensive computer
To a simple stone.

Three things are certain
Death, taxes and lost data.
Guess which has occurred.

You step in the stream,
But the water has moved on.
This page is not here.

Out of memory.
We wish to hold the whole sky,
But we never will.

Having been erased,
The document you're seeking
Must now be retyped.

Serious error.
All shortcuts have disappeared.
Screen. Mind. Both are blank.

Sunday, May 18, 2008

a day in la

so many times the days sneak by and i wonder what i will think looking back many years from now. or, i ponder how wacky life in LA truly is and think i should write it down. so w/o further ado, here is my sunday in LA.

last nite ended at a restaurant called "nak won" on vermont in k-town. i didn't want to go really but jane wanted to and far be it from me to deny the soon-to-be bday girl from some late nite korean food. hodori was the goal, but nak won is next door and not a bad second place when you just want to eat and go. hodori's main attraction is the fact that they are open 24x7 and that the food is unoffensive & cheap. contrasted with nak won which is only cheap and open 24x7.

kimchee kal guk soo at 2am turns into a late morning so i piled out of bed late while jane slumbered off her hang-over (sort of). i was designated driver last nite and angling for a morning run. i cranked out a 6.5 miler including a few rounds of stairs and a fast mile on the samohi track. wrapped it up with some stretching and few rounds of wii boxing.

i made us lunch of bbq kabobs, corn and spinach salad. the multi-colored little potatoes from yesterday's farmer's mkt worked out in place of chicken. while kabobing, chatted with my old pal chuck who is a stunt man/actor who told me about his role in a forthcoming gi joe blockbuster. as interesting as it seems, i would not trade my predictable income for his occasional last minute stint on "lost" in hawaii yet not knowing when the mortgage money is going to run out.

we ate lunch while listening to the new tom middleton cd "lifetracks" i downloaded from emusic, quite legally i might add. this served as a break from the excellent yoav cd "charmed and strange" i've been binging on all weekend after getting it in the mail from kcrw on friday. check out "club thing" and "beautiful lie" from yoav's new cd, if nothing else.

the afternoon was reading and resting on the deck upstairs along with some work. really hot today, something like 90s and hotter inland. we then headed off to "celebrity bingo" at my hair stylist's salon. he dresses in drag for these and goes by the name of "geneva deveraux", see the pic below. it started well beyond fashionably late (like an hour late) and we didn't win squat but we did hang out with faith evans' husband while faith belted out numbers and letters with richard... er, geneva. if you win, you shout out "bingo, bitch!" and then ppl throw their wadded up bingo cards at you.

i then dropped a tired jane off at home and headed over to "tengu" in sta monica for a quick drink with my longtime pal dimitry. he and his little group "zona" have a couple house singles out that are reasonably successful abroad and after an hour at his friend's bday party, we left and he played me their new tracks. it's well produced, catchy house stuff. not bad at all. i dropped him off so he could get back to his little model friend "antonio" (all looks, no brains) and i could get home to wind down.

back to school tomorrow. this is not a normal weekend, but not that unusual either. the oddball mix of people, culture and the arts in LA makes it one of my favorite places on the planet. i wouldn't trade life in lala land for any place else :-)

Tuesday, May 13, 2008

waiting for the email to load...

a series of thought snippets while outlook chugs through its morning routine of slurping down my email.

i had dinner last nite with a couple friends, one of which is on the OC dating scene. he was with a woman for a while, but she had broken it off with him a couple days before *via text message*. ouch! she now refuses to take his calls. is this normal now? has texting infiltrated the rest of the relationship as well? for example, is there "text sex" like there is "phone sex"? hmmmm... glad i'm not on the dating scene.

jane and i saw iron man sunday evening and it was fantastic. best flick i've seen since juno last year. great acting, perfectly cast, lots of action, well-paced, etc.

... why do ppl still have office phones? i never use mine and it has a message that says "i don't check this, just call my cell". after 3 years, not a single person has abused this. the bigger issue is that i now get locked out every 4 months since i can't remember the stupid passcode. sigh...

... there is something in the UK that produces amazing female vocalists of late. yes, there is amy winehouse, but what about corinne bailey rae? and lily allen (not a great voice, but a big talent nonetheless)? i've been listening to duffy's "rockferry" which is an epic, wonderful single. adele seems great as well, i've nabbed 2 of her tracks from "19", "make you believe" and the funky "best for last". i see santogold is finally catching a little wind in her sails too.

alright, my email is locked and loaded and i'm already mid-way through digging my way out before the morning's exercise. happy tuesday!

Friday, May 09, 2008

current playlist

beautiful (j-boogie remix) - karsh kale - beautiful e.p.
hunter - portishead - third
killing in the name of - rage against the machine - rage against the machine
the cowboy and his sub - jon kennedy - demons
paranoid android - sia - exit music (radiohead tribute)
the funky drummer - plump djs with a skillz - funk hits the fan e.p.
planetary (club mix) - booka shade - planetary e.p.
four sticks - led zeppelin - IV
china - tori amos - precious things
crooked - evil nine - you can be special too
rockferry - duffy - rockferry
john, i love you - sinead o'connor - universal mother
gothia limone (remix) - embee - send someone away e.p.

Tuesday, May 06, 2008

ftc workshop, 2 years later

It’s been a while since the last time I jotted down my thoughts in advance of an FTC workshop, but here I am again tapping away at the keyboard on my laptop on my way to Washington D.C. I’m doing last minute preparation for being on a panel tomorrow at FTC’s mobile marketplace workshop with another security professional from US CERT and an academic/engineer. While I’m normally guided by a slide deck, slides are verboten on panels like this and the most important thing to be armed with is well-formed thoughts. So in the spirit of cementing the thoughts in my head after doing a few days of research and mulling things over, here are my notes on the questions I’m expecting tomorrow.

fair warning: this ended up pretty techie...

Who are the stakeholders in the mobile security market?

The carriers – it’s their job to keep the networks clean and running smoothly. Since they often get paid by how much services you use, they have a high level of incentive to make sure everything runs as smoothly as possible.

The handset manufacturers – they are responsible for making sure the hardware is designed with at least basic defenses in mind. For example, it would be great if they had onboard encryption, but they should at least make sure that the combination of the OS & hardware provides sufficient support for the security-related aspects of protocols such as GSM and UMTS.

The OS vendor – they have the same responsibility as the handset manufacturers to make sure all the basics are covered, but since they are also application providers (and service providers to phone applications) they have all the normal software security concerns (buffer overflows, DoS conditions, etc.). Code re-use for Windows exemplifies this, as the old IGMP DoS flaw was a direct carry-over to Windows Mobile 5. Mobile OSes have many years of security expertise to draw on from the PC space; in some areas the lessons seem to have been learned (code signing is standard), in other areas they have not. There are also new issues here related to privacy & mobility, such as location tracking, which really are a bit different from the PC space (which assumes your device is not terribly mobile; probably not true anymore with laptop sales outpacing desktop sales, but I still carry my phone more places than my little ThinkPad X60).

The user – given the movement of attacks toward exploiting people, no matter how good a job the above players do, the user has to make the right decisions about what data to store on their phone (how sensitive?), how to protect it (use a password?), what to install on it (can I trust this file claiming to be a background or ringtone?), and what to connect it to (hotspot, Bluetooth device, etc.). The biggest risk here is loss or theft; phones are lost at 15 times the rate of a PC! Hence, the most important things you can do are to carefully consider how much sensitive data you store on your phone, password protect your phone, and use encryption when it is available. I use a password on my phone and store most of my sensitive data in other places, like on my lappie or in a file in Gmail (not the best, but better than in a flat file on my phone).

Note that in systems that accommodate payment by phone, as you now see in Japan, you also have the merchants and more importantly the payment processor in the mix. Nothing really new here, just all the same security practices you would expect from players accustomed to handling credit cards and other payment instruments.

What is the future of malware & mobile phones? How is it different from PCs?

PC – Homogeneous OS: Windows.

Phone – At least 4 different OSes (RIM, Apple, Symbian, Windows Mobile); the one with the most market share is Symbian at 65%. Linux is out there too, and what about Motorola’s OS?

Conclusion: threats cannot spread as easily since they cannot assume a single, dominant OS.

PC – Hardware abstracted from the OS: a single threat will run on any Windows-supported hardware (AMD vs. Intel processors make no difference as long as it is the same bit width).

Phone – Hardware and OS more tightly linked; at the least, differences across platforms create application development challenges, such that you cannot compile for Symbian and then expect it to run across all Symbian devices. It has to be recompiled for the specific processor used on the phone, if not the phone itself.

Conclusion: not only can threats not assume a single OS, but even on that OS, threats cannot cross processor architectures (in ’05, CommWarrior could not jump from a Nokia phone to a Sony Ericsson phone via BT or MMS, even though both used Symbian Series 60).

PC – Incentive: $$$

Phone – Phones are not used for cash transactions in most places, yet. The data they store is on average more useful to spammers than to anyone else.

Conclusion: there is less incentive for malware to afflict a mobile phone since the authors cannot directly monetize their theft.

PC – Unauthorized installs are quite easy, along with exploits or fake alerts.

Phone – Code signing and the platform issues mentioned above make this difficult, forcing attackers to resort to trickery and low-volume attacks.

Apple gates this by forcing everything through iTunes (all apps have to register and be sold via iTunes). Symbian forces applications to be signed by them.

MSFT has code signing with Windows Mobile 6; unsigned apps will prompt the user once and will not have access to certain “dangerous” APIs.

J2ME could facilitate this, but it would have to be vulnerable and installed on the vast majority of devices, and you would need a static IP address or some exploit vector, such as a popular browser like Firefox. J2ME attacks will force prompts for every dangerous action, so social engineering a la RedBrowser may be effective, but self-replicating malware is unlikely.

RIM uses the same model as J2ME.

Conclusion: unauthorized, silent installs are unlikely without physical theft of the phone itself, due to the level of control the OS/device manufacturers exert over the handset.

PC – No money trail for spamming.

Phone – If someone is spamming via your phone, many users will receive an “out of whack” bill (SMS is not free for many) or funny charges on the monthly bill they are accustomed to receiving.

Conclusion: not foolproof, but it’s harder to remain unnoticed on a phone when spamming.

PC – Proximity unlimited; completely remote attacks are de rigueur.

Phone – Remote attacks are possible today with repeaters and antennas, but there are still geographic limitations.

Conclusion: an attack like Slammer, which spanned the globe in 15 minutes, is highly unlikely. It hinged on auto-execution of code, poor centralized control, and no proximity limits.

PC – ISPs serve as the transportation network; there are many of them and they sprang up quickly. Sharing relationships were new, as they were not well acquainted with one another and were intensely competitive.

This is how phishing “takedown” services proliferate: basically they are go-betweens across ISPs for brands asking for fraud sites to be taken down. If ISPs had better fraud detection services and coordination, phishing would not be the problem that it is. Not to mention the existence of rogue ISPs like the Russian Business Network.

Phone – Telcos are the transportation networks; while very competitive, they have longstanding relationships and are more likely to work together to resolve a large threat than an ISP.

What does the market for phone-based security services look like?

§ Easy data encryption and backup

§ Potentially includes privacy services

§ Identity protection

§ Safety services for file download & install, hotspot access, etc.

§ Parental controls (centralized, across devices)

What can consumers do to protect themselves?

1. Don’t store sensitive info on your phone.

Names and addresses are understandable, but don’t put your SSN and CC data on your phone. At least not unencrypted.

2. Password protect your phone.

It’s irritating, but it will prevent most data theft if the phone is lost or stolen.

3. Back-up your phone data.

You never know when you will need it.

4. Set your device’s Bluetooth to undiscoverable.

Will prevent unsolicited requests and will not affect paired devices.

5. Don’t accept incoming Bluetooth requests unless you asked for them.

No good can come from it.

6. Review your monthly bill for any funny business.

Will help you identify fraudulent charges/spam impact.

7. Don’t install files from untrusted sources on your phone.

Might affect your phone performance, stability, or security.
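Tip 6 above and the "no money trail for spamming" point earlier both rest on the idea that a phone pressed into spamming leaves marks on the monthly bill. As an added example (not code from the post), this script applies that reasoning to a constructed, itemised bill: it flags a day with an SMS burst far above the month's median, a day with many texts to numbers the phone had never contacted, and premium short-code charges. The CSV layout, the thresholds and the sample numbers are all assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample of a month's itemised bill (not data from the post):
# date,type,destination,charge_usd. The last two days show the spam pattern
# the post describes: a burst of texts to numbers never contacted before,
# followed by a premium short-code charge.
SAMPLE_BILL = (
    "date,type,destination,charge_usd\n"
    "2008-04-02,SMS,+13105550101,0.10\n"
    "2008-04-02,VOICE,+13105550101,0.00\n"
    "2008-04-05,SMS,+13105550144,0.10\n"
    "2008-04-11,SMS,+13105550101,0.10\n"
    "2008-04-11,SMS,+13105550144,0.10\n"
    "2008-04-19,VOICE,+18185550123,0.00\n"
    "2008-04-20,SMS,+13105550144,0.10\n"
    + "".join(f"2008-04-22,SMS,+1310555{200 + i:04d},0.10\n" for i in range(25))
    + "2008-04-23,SMS,19999,2.99\n"
)


def parse_bill(text):
    """Parse the CSV bill text into a list of record dicts (header skipped)."""
    records = []
    for line in text.strip().splitlines()[1:]:
        date, kind, dest, charge = line.split(",")
        records.append({"date": date, "type": kind, "dest": dest,
                        "charge": float(charge)})
    return records


def find_anomalies(records, burst_factor=5, new_dest_min=10,
                   short_code_len=6, premium_rate=1.00):
    """Return (kind, detail) findings that merit a closer look at the bill.

    sms_burst:        a day's SMS count exceeds burst_factor x the median of
                      the other days (the volume a spam run would produce)
    new_destinations: at least new_dest_min texts in one day went to numbers
                      this phone had never called or texted before
    premium_charge:   a short-code destination or a per-message charge above
                      premium_rate (how unexpected charges usually show up)
    """
    findings = []
    records = sorted(records, key=lambda r: r["date"])
    sms = [r for r in records if r["type"] == "SMS"]

    per_day = Counter(r["date"] for r in sms)
    for day, count in sorted(per_day.items()):
        others = [c for d, c in per_day.items() if d != day]
        baseline = median(others) if others else 0
        if count > burst_factor * max(baseline, 1):
            findings.append(("sms_burst",
                             f"{day}: {count} texts vs median {baseline:g}"))

    seen, new_per_day = set(), Counter()
    for r in records:
        if r["type"] == "SMS" and r["dest"] not in seen:
            new_per_day[r["date"]] += 1
        seen.add(r["dest"])
    for day, count in sorted(new_per_day.items()):
        if count >= new_dest_min:
            findings.append(("new_destinations",
                             f"{day}: {count} texts to never-seen numbers"))

    for r in sms:
        short_code = r["dest"].isdigit() and len(r["dest"]) <= short_code_len
        if short_code or r["charge"] > premium_rate:
            findings.append(("premium_charge",
                             f"{r['date']}: {r['dest']} billed ${r['charge']:.2f}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(parse_bill(SAMPLE_BILL)):
        print(f"{kind:17} {detail}")
```

The first seven records alone produce no findings, which is the point: the checks key on deviation from the phone's own normal pattern rather than on fixed limits.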

Closing statement

§ Watch for transaction increases to drive more malware author incentive

§ Watch for IPv6 and dedicated IP addresses—promises for more issues and concern

§ Malware itself is not likely to target an OS platform, but rather the web which is quickly becoming the platform for all devices.

o Windows has been the target of choice b/c it is pervasive, the web is becoming this today given the proliferation of devices and increased functionality (i.e. web 2.0)

o Attackers in the future will aim for the web since it offers the biggest return, but even these attacks will be language specific (unless you can get at a global ad network)

§ Threats will therefore “merge” from the PC world to phones and other web-enabled devices where they will exhibit traits we are already seeing today

o More reliant on deception than technology exploits

o Service specific

o Language specific

And they will likely be non-persistent “flash” attacks.

So we won’t have to worry too much about self-replicating malware, but malware and spyware will be a worry, especially those that focus on install via deception (Trojans).

§ Nonetheless, we think the market is much broader than malware protection alone; it encompasses:

o Easy data encryption and backup

o Potentially includes privacy services

o Identity protection

o Safety services for file download & install, hotspot access, etc.

o Parental controls (centralized, across devices)

Sunday, May 04, 2008

santa monica classic

after a couple months of training, this morning i completed our corporate challenge 10k run along with my fellow members of team fascinus. the results aren't up yet, but we probably placed 2nd to team nike who stacked the deck with a guy who was at the olympic trials and ran something like a 35:50. since they sponsored the race, this is sort of like inviting all your pals over for poker and then cleaning them out in pai gow. you may have a little extra spending $$$, but you're going to get less xmas cards next year for sure. i can't complain too much as our team ringer scored me a really nice pair of nike air equalon 2s as well as some bonus shorts and a shirt.

oh yeah, i turned in a respectable time of 44:30, around 7:18 per mile. not bad, but i was hoping for something in the 43 range, which would have required more training or more likely a rocket pack :-)

edit: results are up now. i ended up with a 44:20 finish. it's only 10 seconds less, but i'll take it!

Saturday, May 03, 2008


late afternoon yesterday i cut out of work early (hey, i started at 6am) in order to take a cruise around the marina del rey harbor with my pal te'o. as we tooled around in his little boat, we were reflecting on how there really don't seem to be any rules or established "common sense" for using the massive amount of consumer technology now available. sensing an opp'ty to be both snarky and elitist, we seized the moment and i offer you this list of new rules for using today's tech, with a heavy focus on mobile phones.

1. use silent or vibrate mode on your mobile phone in the office
it's hard enough to focus on what you're doing with IM, email and 2 phones (land line and a mobile) vying for your attention, you certainly don't need someone else's phone binging off every 30 minutes as my old office mate's used to do when he forgot to take it to meetings with him. i resolved the problem by threatening to flush it down the toilet.

2. don't put IM on your mobile phone
you can already text ppl from your phone to get that groovy sense of immediate gratification, why would you need IM? and you can use the web from your phone (at least ppl with a smartphone can), as well as email. do you really need IM on your mobile? i say give it up.

3. it's ok not to answer your phone
and i've yet to miss an important call. really. just b/c you can be accessible damn near anywhere, doesn't mean you should be. i can't tell you how many times i've walked into a public restroom and i can hear someone yapping away with their pal while sitting on the can. yuck. this is an extreme case, but i've become accustomed to leaving my phone at home on the weekend or shutting it off in the evening. it feels really good, try it.

4. don't invite ppl to join facebook groups
i think i have something like 18 group invitations pending, everything from joining the struggle vampires versus the zombies to the purdue women's lacrosse team. i'm over it. i've yet to figure out why i even need facebook groups.

5. don't call a bluetooth headset "a bluetooth"
this little gem came from a certain family member lately who will remain unnamed. bluetooth is a wireless protocol, not a device. it can connect your phone to your car, a keyboard to a computer, and your digital picture frame to a phantom image of the virgin of guadalupe (ok, this one may take additional help from a psychic, but you get the idea). unless you're willing to call a website "an HTTP", let's nip this one in the bud.

6. bluetooth headset <> fashion accessory
i said it before but apparently i'm losing this battle: i don't care how groovy and matchy your headset is, chances are you look really silly wearing it in your ear when you're not talking. i've started seeing this all the time now, it's nutty. ever tried having a conversation with someone who is wearing it in their ear? first, the ear blinks every 5 seconds which i find really distracting while trying to maintain eye contact. secondly, you are often left to wonder if they've just picked up their phone and are speaking to you or someone else. lastly, it just seems rude that i am right in front of you and having a conversation yet i can be instantly interrupted and trumped by anyone who dials you up on your mobile to see what your favorite pizza topping is.

7. don't text, email or otherwise type while driving
the only exception to this is when stuck in traffic. this one is an obvious no-no, but i will admit to having done it.

8. keep your VM greeting 2 sentences or less
you can't always zing past every VM greeting, so for the love of god, pls keep it brief. 2 sentences or less is perfect. i don't need to know how to send you a fax, know how much you really want me to have a wonderful day, or hear your favorite quote from charles dickens. the related request here is to keep your VM messages short. not nearly as offensive and sometimes you just have to ramble a little but always appreciated.

9. don't just use your phone # as your VM greeting
i know you may not like hearing your recorded voice (not many ppl do, including myself), but i often wonder if i called the right person when i don't have any sort of aural clue when leaving a message. if you don't want a custom greeting, how about just your name? or getting someone else to say it?

10. mute while typing on a conference call
this happens once a day: i'm on a conference call with a slew of people, and someone is multitasking by hammering away on their keyboard. nothing wrong with multitasking, i do it just as much as the next person, however, you have to consider the noise factor of what you're doing. nothing seems to be quite as rampant or popular as pounding out emails, IMs or anything else that requires frequent typing while pretending to listen in to the guy from finance explain budgetary procedure #71. it's just too damn loud. mute if you're going to type. or fold clothes. or dust the wood in the room. or rip your old CDs. i do all of these and they make very little noise to the ppl on the call.