
Monday, December 21, 2009

another database cracked

This one has far-ranging consequences. It's a global database, and most of the people listed are children:

The majority of the children are accurately identified by their age, addresses, birthdates and (where possible) national identification numbers. All United States kids with Social Security numbers are now sharing their identities with the whole world.


For some, the consequences have already hit home:

Jane Doe has had to disappear into the FBI witness protection program to hide from the crowd of men seeking her company. Frequent age errors in the database mean that grown men and women who used their social security numbers as banking passwords are now losing their life savings.


Some people are now questioning whether the database should ever have been compiled in the first place. Just how much does Santa Claus need to know about who's been naughty or nice?

See the full story at Precision Blogging.


Monday, October 26, 2009

whitehouse drupal

The new media team at the White House announced over the weekend that the whitehouse.gov website has been moved to Drupal. Open source advocates are hailing this as a victory for open source over proprietary software.

Tim O'Reilly says:

This move is obviously a big win for open source. As John Scott of Open Source for America (a group advocating open source adoption by government, to which I am an advisor) noted in an email to me: "This is great news not only for the use of open source software, but the validation of the open source development model. The White House's adoption of community-based software provides a great example for the rest of the government to follow."

John is right. While open source is already widespread throughout the government, its adoption by the White House will almost certainly give permission for much wider uptake.


Dana Blankenhorn says:

The switch was designed to be transparent, but even a casual observer will note the site now features five separate blogs, and that officials’ names are now listed on announcements that read more like stories, often with personal details.

So it’s one small step for Washington, one giant leap for open source.


He also notes:

Sites like Whitehouse.gov are the ultimate honeypots for hackers and script kiddies around the world. This is true regardless of the party in power.


Because the White House is such an inviting target, the White House team needs to be extra vigilant.

Security expert Robert "RSnake" Hansen explains:

According to Dries Buytaert, “…this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software…” This is a complete fallacy. More than that, it’s dangerous that non-security people are touting their knowledge of security as if it’s fact. Look, if you were talking about vulnerabilities per line of code or something, I may get on board with that statement, but that’s just not how the real world works. There is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov.


That is, if the White House is actually using an unmodified out-of-the-box version of Drupal. But if the White House is concerned at all about security, they have already hardened their copy of Drupal before going live:

Like ha.ckers.org they most likely chopped it up, removed all the unnecessary functionality, stripped it down to bare bones, locked the server up so tight it would be impossible to even upgrade it without an act of Congress and on and on…


The irony of all this, RSnake notes, is this:

And how is a locked down highly customized variant of Drupal different than a proprietary solution?


Monday, September 21, 2009

The Future of Security

RSnake examines what Star Trek tells us about the future of information security. A sample:

Organizations will focus on secure transport and network security and will still ignore drive encryption and the insider threat: I don’t really recall any times where enemies were able to intercept any meaningful communications between the Enterprise and other federation ships. That must mean they are using TLS16/SSL34.0 in the future, which is good, but for some reason any schmuck diplomat from some third world (pun intended) alien race can get any information out of the computer he wants without ever even supplying a password!


The more things change, the more they stay the same. Check out the entire post.


Tuesday, September 8, 2009

the fallacy of anonymized data