Network News Break: Eager Companies Can Over-Engineer Security Solutions
|Main||Elsewhere||The Week in Crossnodes||The Week in Network News|
PassMark Vault is an appliance with an interesting concept: It uses a sort of "visual password" to help stop phishing scams. Here's how it works:
With PassMark, the user first supplies only their user ID. Once the user ID is received, the site looks up the user's account and sends them a secret image--a small graphic that is selected by the user when they registered with the site--and asks the user to verify this image before supplying their password. The graphic that is displayed, as well as a custom message describing the graphic, are both selected by the user during their registration process, or changed at any time later by accessing their account (in the same manner a user might change their password from time to time). The graphic can be a custom graphic uploaded by the user or simply selected from a predefined library of images provided with the product.
In keeping with a broader trend in the tech industry, you won't just buy the appliance and use it. PassMark gets to dip its beak every time you sign up a new user:
Pricing is based on the number of PassMarks utilized, and starts at less than $1 per year/per PassMark. Volume discounts are available; with high volumes dropping the price below ten cents per year/per PassMark.
It might seem like "spam week" here at the News Break, considering the things that have come across the radar. On Tuesday, we burbled happily about Microsoft teaming up with an independent developer to push a new and improved domain authentication scheme. And yesterday we grunted with less enthusiasm at news of assorted anti-spam legislation, noting that spam and its accompanying woes are better handled with technology, not more laws.
We're glad PassMark came across the news desk today, though, because it shows that there's such a thing as too much of the wrong kind of tech to solve a problem.
Phishing scams rely on inherent weaknesses in protocols and standards designed in a more trusting era, and gullible users. To some extent, it's appropriate to lay responsibility for the ease with which some 'net-based scams have propagated at the feet of the standards and their designers (while, obviously, never forgetting that it's the burglar who actually commits the crime, regardless of who left the kitchen window unlocked). We can't really engineer the gullibility out of end users. But if we've identified a point of failure in the form of weak security in SMTP and related protocols, we can also look for a solution there. And in this case, we have several solutions, all of which involve modifying existing, open protocols in such a way that the entire Internet community can benefit... not just those willing to pay an annual fee for yet another box they can hang off their already complex networks.
Phishing scams are a serious problem, PassMark came up with a clever solution, and we're all for companies making an honest profit when they build a better mousetrap. But with a growing coalition of ISPs, developers, and standards maintainers coming together to patch up the problems that permit phishing in the first place, we're not sure if you'll need to subscribe to this particular scam-buster for very long.
» Microsoft says XP SP2, the much-anticipated security upgrade, will cost $300 million to roll out. At 100MB, it's going to be a huge download, too. Still no word on whether SP2 will be available to everybody or just authorized users.
» ChinaTechNews reports that anti-spam crusaders Spamhaus are opening up shop in Beijing:
"According to Spamhaus, China currently has three of the world's worst spam ISPs: PCCW, Chinanet in Chongqing, and Chinanet in Guangdong. Though the world's worst spammers are not Chinese companies and individuals, foreign spammers--particularly those from North America--take advantage of China's lax infrastructure and oversight to send their bulk emails."
» If you're sick of watching mystery packets flitting around your nets, Yahoo!'s new anti-spyware browser bar might make you happy. It helps end users root out troublesome and surreptitiously placed software.
» Baby steps? The editor of NTBugTraq says Microsoft needs to get its patching game together. Sasser, he recently maintained, exploited just one vulnerability in a massive raft of patched problems because net admins hadn't had time to properly test the whole patch release.
» One advantage of self-checkout or "u-scan" lanes, in our experience, is their clear labeling. If you can see them, you can avoid them and the experience of standing behind someone trying to figure out where the UPC code is on a head of cabbage and just take your basket to a person who probably has the entire bulk food section's codes memorized. Thanks to 802.11, Food Lion has discovered a way to remove that benefit and bring the agony of waiting around on self-sufficient but clueless shoppers right into the aisles. Bright side? Maybe all the 802.11 RF flying around the vicinity of the corner grocery will distract none-too-bright wardrivers from coming after your network.
The Week in Crossnodes
With IM use at critical mass and growing, security and privacy challenges abound. FaceTime's enterprise-grade server suite monitors, archives, and analyzes IM traffic for thousands of users without requiring thousands of admin hours.
By examining a working script line by line, this edition of the Scripting Clinic shows you how to put your own scripts together and exposes a few Python quirks along the way.» Pack-Rats by Law: A Message Archiving Primer
With the Sarbanes-Oxley Act, messaging archives have gone from a voluntary tic among pack-rat users to a regulatory necessity. Here's how to crate up the correspondence without overloading your LAN.» AirDefense Secures the Wireless Perimeter
In the rush to go wireless, administrators will find that they must supplement standard security measures with serious reporting and policy-enforcing products. Count AirDefense among them.» WiMAX Bridges the Last Mile in Broadband
WiMAX is slated to provide high-speed connectivity over distances that dwarf 802.11's effective range. Of course, it also promises to keep things interesting for network administrators just coming to grips with Wi-Fi.
The Week in Network News
» Monday: Time to Talk Network Storage
If your CIO hasn't come to chat about archiving and storage, brace yourself: the message storage outlook for many companies is a little rocky. Also: battling message authentication standards, and a boost in NAS capabilities from Microsoft provokes some products from Iomega.
» Tuesday: Microsoft Backs a New Way to Slam Spam
With a new day comes a new, Microsoft-backed standard for spam-fighting. With the merger of Caller ID for E-Mail and the popular but flawed SPF, there's no reason to sit out the spam wars. Also: Cisco's monstrous new switch, Comcast's startling admission, and Microsoft's new security software.
» Wednesday: Memo to Microsoft: XP SP2 Wants to Be Free
As Microsoft mulls its bottom line, the rest of the world deals with the widespread Windows vulnerabilities SP2 was built to fix. Our suggestion: Be a good citizen of the 'net and let even the freeloaders get at SP2. Also: EMC and Dell push out a sub-$10k SAN, Broadcom's new 4-Gig switch might be overkill, and get ready for a few new Palm clients on your WLAN.
» Thursday: Mixed News on the Spam Wars Front
New laws and the occasional conviction might make a spam-fighting admin's day, but are they distracting from the technical battle? Also: Wi-Fi you might want to relabel Hi-Fi, an anti-virus product that helps Linux protect Windows on your net, and an anti-spam giveaway from Microsoft.