Philosophically Secure

Eugene Kogan’s blog on all things relevant, especially information security

Archive for November, 2007

Learning from buggy code

This is an interesting article by Jeremy Allison, one of the lead guys on the Samba Team. He discusses the recently discovered security flaws in Samba, including some in software that he originally wrote. It’s interesting to hear his opinions on how the bugs were introduced, why they weren’t found sooner, and why it will be difficult to prevent similar issues in the future. For example, porting Samba from C to Java would almost definitely improve security, but the performance hit would be unacceptable to most users.

Thanks for the taxes

I try to avoid discussing political issues, but this one hit close to home.

It looks like the Maryland sales tax is going up to 6%, and will now include computer services. This will not end well for our economy, considering how much of it is dependent on technology. I have a feeling even more companies will be moving to Virginia or Delaware thanks to this new law.

The measure increases sales tax by 1% and adds computer support services, data center support, custom programming, consulting, and disaster recovery services to the list. Legislators approved the change as part of a tax package they passed early Monday morning.

The Computing Technology Industry Association said the move “will bring cascading harm” to the state’s IT industry, small local businesses, workers, and consumers.

This should be hitting the news today since it was just signed by the Governor this morning.

Update: House kills ‘tech tax’: replaces bill with cuts, surcharges on millionaires

People, people, people

As far as I can tell, people will always be the greatest security challenge. Technology is a lot easier to understand and control. I doubt we will ever get to the point where no one is falling for phishing scams, such as the ones recently reported by salesforce.com.

We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database. Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers…

That stolen information was then used to socially engineer passwords from the salesforce.com customers. I just hope they noticed quickly enough to contain the damage and information loss.

Storm worm presentation

This is a great presentation on the Storm worm. It talks about the basics, but the interesting part is the crawler that was used to map the peer-to-peer network. The researcher even includes Perl source code and the data he captured.