Network News Break: Eager Companies Can Over-Engineer Security Solutions


Network News Break is Crossnodes’ daily summary of networking news
and opinion, served up fresh daily. Please send your comments and
suggestions to the editor.


PassMark Vault is an appliance with an interesting concept: It uses a
sort of “visual password” to help stop phishing scams. Here’s how it
works:

With PassMark, the user first supplies only their user ID. Once the
user ID is received, the site looks up the user’s account and sends
them a secret image–a small graphic that is selected by the user when
they registered with the site–and asks the user to verify this image
before supplying their password. The graphic that is displayed, as
well as a custom message describing the graphic, are both selected by
the user during their registration process, or changed at any time
later by accessing their account (in the same manner a user might
change their password from time to time). The graphic can be a custom
graphic uploaded by the user or simply selected from a predefined
library of images provided with the product.

In keeping with a broader trend in the tech industry, you won’t just
buy the appliance and use it. PassMark gets to dip its beak every
time you sign up a new user:

Pricing is based on the number of PassMarks utilized, and
starts at less than $1 per year/per PassMark. Volume discounts are
available; with high volumes dropping the price below ten cents per
year/per PassMark.

It might seem like “spam week” here at the News Break, considering
the things that have come across the radar. On Tuesday, we burbled
happily about Microsoft teaming up with an independent developer to
push a new and improved domain authentication scheme. And yesterday we
grunted with less enthusiasm at news of assorted anti-spam
legislation, noting that spam and its accompanying woes are better
handled with technology, not more laws.

We’re glad PassMark came across the news desk today, though, because
it shows that there’s such a thing as too much of the wrong kind of
tech to solve a problem.

Phishing scams rely on inherent weaknesses in protocols and
standards designed in a more trusting era, and gullible users. To
some extent, it’s appropriate to lay responsibility for the ease with
which some ‘net-based scams have propagated at the feet of the
standards and their designers (while, obviously, never forgetting that
it’s the burglar who actually commits the crime, regardless of who
left the kitchen window unlocked). We can’t really engineer the
gullibility out of end users. But if we’ve identified a point of
failure in the form of weak security in SMTP and related protocols, we
can also look for a solution there. And in this case, we have several
solutions, all of which involve modifying existing, open protocols in
such a way that the entire Internet community can benefit… not just
those willing to pay an annual fee for yet another box they can hang
off their already complex networks.

Phishing scams are a serious problem, PassMark came up with a
clever solution, and we’re all for companies making an honest profit
when they build a better mousetrap. But with a growing coalition of
ISPs, developers, and standards maintainers coming together to patch
up the problems that permit phishing in the first place, we’re not
sure if you’ll need to subscribe to this particular scam-buster for
very long.

Elsewhere:

» Microsoft says XP SP2, the much-anticipated security upgrade, will
cost $300 million to roll out. At 100MB, it’s going to be a huge
download, too. Still no word on whether SP2 will be available to
everybody or just authorized users.

» ChinaTechNews
reports that anti-spam crusaders Spamhaus are opening up shop in
Beijing:

“According to Spamhaus, China currently has three of the
world’s worst spam ISPs: PCCW, Chinanet in Chongqing, and Chinanet in
Guangdong. Though the world’s worst spammers are not Chinese companies
and individuals, foreign spammers–particularly those from North
America–take advantage of China’s lax infrastructure and oversight to
send their bulk emails.”

» If you’re sick of watching mystery packets flitting around your
nets, Yahoo!’s new anti-spyware browser bar might make you happy. It
helps end users root out troublesome and surreptitiously placed
software.

» Baby steps? The editor of NTBugTraq says Microsoft needs to get its
patching game together. Sasser, he recently maintained, exploited
just one vulnerability in a massive raft of patched problems because
net admins hadn’t had time to properly test the whole patch release.

» One advantage of self-checkout or “u-scan” lanes, in our
experience, is their clear labeling. If you can see them, you can
avoid them and the experience of standing behind someone trying to
figure out where the UPC code is on a head of cabbage and just take
your basket to a person who probably has the entire bulk food
section’s codes memorized. Thanks to 802.11, Food Lion has discovered
a way to remove that benefit and bring the agony of waiting around on
self-sufficient but clueless shoppers right into the aisles. Bright
side? Maybe all the 802.11 RF flying around the vicinity of the corner
grocery will distract none-too-bright wardrivers from coming after
your network.

The Week in Crossnodes

» FaceTime Makes IM as Safe as Talking Face-to-Face

With IM use at critical mass and growing, security and privacy
challenges abound. FaceTime’s enterprise-grade server suite monitors,
archives, and analyzes IM traffic for thousands of users without
requiring thousands of admin hours.

» Scripting Clinic: Dissecting a Live Python… Script

By examining a working script line by line, this edition of the
Scripting Clinic shows you how to put your own scripts together and
exposes a few Python quirks along the way.

» Pack-Rats by Law: A Message Archiving Primer

With the Sarbanes-Oxley Act, messaging archives have gone from a
voluntary tic among pack-rat users to a regulatory necessity. Here’s
how to crate up the correspondence without overloading your LAN.

» AirDefense Secures the Wireless Perimeter

In the rush to go wireless, administrators will find that they must
supplement standard security measures with serious reporting and
policy-enforcing products. Count AirDefense among them.

» WiMAX Bridges the Last Mile in Broadband

WiMAX is slated to provide high-speed connectivity over distances that
dwarf 802.11’s effective range. Of course, it also promises to keep
things interesting for network administrators just coming to grips
with Wi-Fi.

The Week in Network News

» Monday: Time to Talk Network Storage

If your CIO hasn’t come to chat about archiving and storage, brace
yourself: the message storage outlook for many companies is a little
rocky. Also: battling message authentication standards, and a boost in
NAS capabilities from Microsoft provokes some products from Iomega.

» Tuesday: Microsoft Backs a New Way to Slam Spam

With a new day comes a new, Microsoft-backed standard for
spam-fighting. With the merger of Caller ID for E-Mail and the popular
but flawed SPF, there’s no reason to sit out the spam wars. Also:
Cisco’s monstrous new switch, Comcast’s startling admission, and
Microsoft’s new security software.

» Wednesday: Memo to Microsoft: XP SP2 Wants to Be Free

As Microsoft mulls its bottom line, the rest of the world
deals with the widespread Windows vulnerabilities SP2 was built to
fix. Our suggestion: Be a good citizen of the ‘net and let even the
freeloaders get at SP2. Also: EMC and Dell push out a sub-$10k SAN,
Broadcom’s new 4-Gig switch might be overkill, and get ready for a few
new Palm clients on your WLAN.

» Thursday: Mixed News on the Spam Wars Front

New laws and the occasional conviction might make a
spam-fighting admin’s day, but are they distracting from the technical
battle? Also: Wi-Fi you might want to relabel Hi-Fi, an anti-virus
product that helps Linux protect Windows on your net, and an anti-spam
giveaway from Microsoft.
