Dan's New Blog

A law librarian's take on the Web, social media, and technology

Archive for the ‘Security’ Category

No, I Didn’t Have a Baby

But I was gone for 9 months. Anyway I’ve begun blogging again for my employer. My first new post is about the Bitcoin epic fail. Check it out.

Written by newdangian

June 22, 2011 at 7:05 pm

Four Measly Viruses

Last May I bought a netbook. It was cheap enough — under $300 — that I decided to run an experiment: I’d go without anti-virus software for a year and see if Google Chrome would live up to its reputation as the safest of all the browsers.

So last night I fired up AVG’s free Rescue CD on a bootable flash drive — is that an oxymoron? — and let it crank for about an hour.  The results? After 50 weeks of daily use at home, in hotels, and at 2 different colleges by me and 2 other family members, the netbook contained a grand total of 4 viruses. And they were spyware-type stuff. Nothing major, more like barnacles on a boat.

Now I realize that “4 viruses” means that Chrome isn’t perfect. And I confess that maybe I’m a bit less problematic than most users — I don’t visit online porn or gambling sites (although I did download music). But still, can you imagine the carnage if I used IE for a whole year without AV?

Based on my results, I’ve decided not to load AV software on the netbook.  I don’t need it to slow me down. It’s not worth giving up the 30 second boot and 15 second shutdown times I get by running free.

Written by newdangian

April 27, 2010 at 5:00 pm

Posted in Browsers, Google, Security

People Are Soooooo Problematic [UPDATED]

Security-wise, people are the weakest link, viz:

ITEM 1: John Markoff reports that January’s Chinese Google hack began with one person who clicked when he/she oughtn’t:

“The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified. By clicking on a link and connecting to a ‘poisoned’ Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.”

That software, called Gaia, only controls signons to a range of Google services from Gmail to Docs.

ITEM 2: Back in March, Apple software engineer Gray Powell lost a prototype of the next-gen iPhone in a bar not too far from the Apple campus. He was field-testing the device, which was camouflaged to look like your basic, garden-variety iPhone. The phone eventually wound up in the hands of Gizmodo’s Jason Chen for a mere $5,000 — who publicly dissected it, according to the NY Times, “as if it were an alien from another planet”. Apple politely but firmly asked for it back.

From what I have read about Apple’s security-obsessed culture, right now it sucks to be Gray Powell.

UPDATE, April 27: The authorities have gotten involved.

Written by newdangian

April 20, 2010 at 5:26 pm

Posted in Apple, Google, Mobile, Security

Falling Like Dominoes [UPDATED]

They’re falling like dominoes at the annual Pwn2own event this year in Vancouver. Some really smart scary guys have managed to hijack Windows 7 PCs via Firefox and IE8 (snort) and a MacBook using Safari. Two of ’em even hacked an iPhone and downloaded its database of SMS messages. (Yoikes!)

Google Chrome is the last browser standing. It’s not perfect, but has proved once again much harder to exploit. Having said that, I do agree with PC World’s article, Security Lessons Learned from Pwn2Own Contest:

“… the browser is the new Achilles heel of security regardless of the hardware or software platform.”

UPDATE, March 26: Nobody even tried to hack Chrome on day 2 of Pwn2own.

Written by newdangian

March 25, 2010 at 9:01 pm

Random Tech-Related Stuff

Web Domains

Today’s the 25th anniversary of the first .com registration. And no, the registrant wasn’t IBM (March 19, 1986), Apple (February 19, 1987) or even Microsoft (May 2, 1991). It was Boston-area AI firm Symbolics.

According to Wired, only 5 domains were registered in 1985. Once the Web was invented, domain registrations skyrocketed. And a mere 22 years later icanhascheezburger.com was born.

Fandango Mobile Tickets

Airlines have been testing cellphone-based paperless tickets for a couple of years now. Now Fandango’s testing mobile movie tickets in 8 U.S. markets — all of ’em *not* Philly, btw. (What’s so special about Houston? They were the first city in which mobile airline boarding passes were tested. Now they’re in the first Fandango test group. Sheesh.)

Google vs. Apple

The NY Times gives us a good overview of the deteriorating relationship between Apple and Google. The following quote …

“It’s World War III. Amazing animosity is motivating two of the most powerful people in the industry. This is emotional. This is the biggest ego battle in history. It’s incendiary.”

… pretty much sums up the tone of the piece. (So does the URL for the story: 14brawl.html.) Anyway, it’s all about the mobile market.

Google vs. China

Not content with merely taking on a company that qualifies as a small country, the Big G has also decided to take on #3 on the world list. I refer to China. After calling them out on spying charges back in January, Google is real close to deciding to pull the plug on Google.cn. That means Chinese users who manage to circumvent the Great Firewall will get unfiltered content. And that makes the Chinese authorities real twitchy.

Written by newdangian

March 15, 2010 at 5:02 pm

Gives “Passing Data” A Whole New Meaning

BoingBoing reports on a suspected ATM-skimmer who swallowed a USB flash drive containing incriminating data while he was being arrested by the Secret Service. After 4 days with zero throughput, doctors had to remove the device. (I swear I thought of that before I read the comments on the BB post.)

Written by newdangian

March 4, 2010 at 9:26 pm

Posted in Law, Security

Hackers Make $4 Million Worth Of Carbon Credits Go Up In Smoke

Looks like employees from several companies in Europe, Japan and New Zealand fell for the ol’ phishing schemaroo recently. Hackers conned them out of 250,000 credits worth about $4 million. How’d the exploit work?

“The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. When workers entered their credentials into a bogus web page linked in the e-mail, the hackers were able to hi-jack the credentials to access the companies’ Trading Authority accounts and transfer their carbon credits to two other accounts controlled by the hackers.”

Access to the German Emissions Trading Authority database of registered carbon credit trades has been suspended for about a week, pending the resolution of an investigation.

[sigh]

Guess it’s time once again to trot out my list of computer security tips to live by.

Written by newdangian

February 5, 2010 at 6:18 pm

Posted in Security
