Change a headline, go to prison

A former journalist whose track record includes being fired from the Tribune Co. and from Reuters is facing two decades in prison for giving the hacking group Anonymous credentials to log into a Tribune Co. web site and alter its content.

Anonymous changed one headline, and it took about 40 minutes for someone at Tribune Co. to notice and change it back.

It reminds me of something that happened at the newspaper where I used to work.


A sports analogy for security

Explaining security is really hard, but sometimes a sports analogy helps. Here’s one that fits.

Imagine you’re playing a sport. The sport doesn’t matter. What matters is you’re playing, and so is the opponent, and you have to follow the rules while they don’t. But you still have to prevent them from scoring.

But it’s more complicated than that. Imagine there’s another game going on, either adjacent to the field or within it. That’s the business. Nothing you do can interfere with that second game, and you also have to keep your cheating opponent from interfering with it. How well you prevent that interference is how you’re going to be judged.

Flash vs Shockwave

Bad things happen when security pros like me start asking our infrastructure brethren to patch Flash. We get better security, but the Flash upgrade fails often enough to cause extra workload, and it can be confusing. One of the problems is the question of Flash vs Shockwave.

Consequently, I see more Flash-related helpdesk tickets than I ever saw, even when I was doing desktop support long ago. Adobe doesn’t make it any easier by calling the browser plugin “Shockwave Flash.” Adobe Shockwave Player (the player for Director content) is a separate product with its own installer and its own patches, so it’s easy to update one and believe you’ve updated the other. When you check a browser’s plugin list, “Shockwave Flash” is Flash Player; an entry for “Shockwave for Director” is the other product, and each needs patching on its own.


Resources for learning SQL

Whether you’re a sysadmin, an analyst, or use a computer for something else professionally–even if you’re not a database administrator or developer–SQL is a useful skill to know. I’ve gotten by for 20 years without knowing much more SQL than simple SELECT statements, but those days are rapidly winding down–if I want to be good at my current job, I’m going to have to take some time to learn SQL. If you’re in the same boat, here are two resources for learning SQL:

http://pgexercises.com/

https://sqlschool.modeanalytics.com/the-basics/introduction/

SQL is the underlying language behind Oracle, Microsoft SQL Server, MySQL, PostgreSQL, and probably a few other databases I’m forgetting. If you’re doing anything beyond Microsoft Access, it’s probably using some kind of SQL. Each implementation has its own quirks, mostly in data types, functions, and how you pass parameters, but the basics (SELECT, JOIN, WHERE, GROUP BY, HAVING, ORDER BY) remain the same between all of them.
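As an added example (not from the original post or from either linked course), here is the kind of query an analyst ends up needing once a bare SELECT stops being enough: a JOIN between two tables, an aggregate per user, a HAVING filter on the aggregate, and a parameterised lookup. It runs in Python’s built-in sqlite3 module so it works offline, but the SQL itself is standard and runs unchanged on PostgreSQL, MySQL and SQL Server. The tables, column names and rows are constructed for this example.

```python
"""Added example: SQL beyond a bare SELECT, run against an in-memory SQLite
database.  The schema, rows and column names are constructed for this
example; the SQL sticks to standard JOIN / GROUP BY / HAVING / ORDER BY
syntax that also runs on PostgreSQL, MySQL and SQL Server."""
import sqlite3

# Constructed sample data: a user table and an authentication log of the
# kind an analyst might be asked to query.
USERS = [
    (1, "alice", "finance"),
    (2, "bob", "it"),
    (3, "carol", "finance"),
    (4, "dave", "it"),
]
LOGINS = [
    # (id, user_id, outcome, src_ip)
    (1, 1, "success", "10.0.0.5"),
    (2, 2, "failure", "10.0.0.9"),
    (3, 2, "failure", "10.0.0.9"),
    (4, 2, "failure", "203.0.113.7"),
    (5, 2, "success", "203.0.113.7"),
    (6, 3, "success", "10.0.0.12"),
    (7, 4, "failure", "198.51.100.3"),
    (8, 4, "failure", "198.51.100.3"),
    (9, 1, "failure", "10.0.0.5"),
]

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    department TEXT NOT NULL
);
CREATE TABLE logins (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    outcome TEXT NOT NULL,
    src_ip TEXT NOT NULL
);
"""

# Standard SQL: join the two tables, aggregate per user, keep only users
# with more than one failed attempt, and list the worst offenders first.
FAILED_LOGINS_QUERY = """
SELECT u.username,
       u.department,
       COUNT(*) AS failures,
       COUNT(DISTINCT l.src_ip) AS distinct_sources
FROM logins AS l
JOIN users AS u ON u.id = l.user_id
WHERE l.outcome = 'failure'
GROUP BY u.username, u.department
HAVING COUNT(*) > 1
ORDER BY failures DESC, u.username ASC
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", LOGINS)
    conn.commit()
    return conn


def users_with_repeated_failures(conn):
    """Return (username, department, failures, distinct_sources) rows."""
    return conn.execute(FAILED_LOGINS_QUERY).fetchall()


def failures_for_user(conn, username):
    """Parameterised query: the ? placeholder passes user-supplied input to
    the driver instead of splicing it into the SQL string, which is how SQL
    injection happens.  Every major driver supports placeholders; only the
    marker character differs (sqlite3 and pyodbc use ?, psycopg uses %s)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM logins AS l JOIN users AS u ON u.id = l.user_id "
        "WHERE u.username = ? AND l.outcome = 'failure'",
        (username,),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_db()
    for username, dept, failures, sources in users_with_repeated_failures(db):
        print(f"{username:8} {dept:8} failures={failures} sources={sources}")
    print("alice:", failures_for_user(db, "alice"))
```

The HAVING clause is the step a simple SELECT can’t do: WHERE filters rows before aggregation, HAVING filters the groups after it, so alice’s single failure drops out while bob and dave remain. The parameterised lookup at the end is worth getting into the habit of early; the injection-shaped input in the test below simply returns zero rows instead of changing the query.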

Microsoft looks back at MS08-067

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security bulletin Microsoft released in 2008. Less obviously, it fixed a huge problem in the Server service, in a file called netapi32.dll: a path canonicalization flaw that let an unauthenticated attacker run code remotely over SMB. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. The patch shipped out of band, not on a regular Patch Tuesday, because the flaw was already being exploited in limited attacks. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008, when the Conficker worm started spreading through machines that hadn’t applied it.
