And in a story that should surprise no one, Target’s attack was unsophisticated

I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.

My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.

Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.

Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win. Read more

Why tech encourages bad managers–and hope for those who want to be good managers

A friend recently asked me to talk to his son, a talented software developer whose career had just taken a (temporary) turn for the worse, and he asked me a very good question.

Are there more bad managers in technology than good ones?

I said I think there are. And I told him why. But I’ve also worked for some very good managers, and I know exactly what it is that sets them apart. Read more

The bitcoin-train connection

Ever since Bitcoin came into prominence, there’s been a great deal of speculation about its shadowy creator, Satoshi Nakamoto. Newsweek thinks they found him: a semi-retired engineer who dislikes banks and the government, and who resents the fees and hassle of importing model train parts from England and Japan.

Well, if you’re going to invent a cryptocurrency, what better thing to spend it on than model train parts? Read more

Microsoft is offering some help in migrating off XP

Since there is no direct upgrade path from Windows XP to Windows 8.1 or even Windows 8, Microsoft has reacted to criticism by licensing a cut-down version of PC Mover and offering it to latter-day XP upgraders for free. It will only migrate three applications for you, but for most people, that’s probably enough.

The good news is that this version of PC Mover works with Windows 7 as well, so if you want to take the strategy of migrating people to $99 off-lease PCs running Windows 7, it will still help.

The linked article above criticized Microsoft for not developing its own migration tool, but that seems a bit harsh. I’ve used PC Mover before, and found it to be a very capable tool. I’d be surprised if Microsoft actually could do much better. And Microsoft has a history of licensing third-party tools anyway: Every disk defragmenter Microsoft has ever shipped was a cut-down version of something written by other companies.

Of course it’s best to rebuild machines from scratch–it will perform much faster that way–but when there’s a must-have program on an old PC and the installation media is long gone, PC Mover is about the only way to recover it and move it on. Most people probably don’t have much more than three programs in that category.

Spritz promises to revolutionize speed reading

I found a reference this week to Spritz, a promising smartphone/tablet app to help people read faster. Much faster. I tried the demo of the technology and could almost keep up with its 500 word-per-minute pace right away.

Now, I’ve always been a fairly fast reader, though I’ve never felt any need to have someone time my speed. I just know I read faster than most of my classmates did. But I know I don’t normally read anywhere near 500 words per minute. My typical blog posts are usually about 750 words, so that would be reading one of my posts in a minute and a half.

I’m interested in it, though, because I’ve resolved to read more this year. You can roughly estimate 100 pages at 25,000 words, so at 500 words per minute you could read a 200-page book in about an hour and 40 minutes.

I’m not sure I would want to rush through something really dense and technical at that rate–especially not something like the CISSP Common Body of Knowledge–but when the other choice is not reading at all, it’s obviously much better than that. And nothing says you have to pick one way of reading or the other. You can read a book quickly and come back and read the tougher parts more slowly. Some people say you shouldn’t read without taking notes; but running a book through Spritz is a fast way to find out if a book is worth sitting down and reading with a pad of paper–or, ahem, laptop with a word processor–next to it.

Details of how it will work are a bit sparse. Hopefully the app will be able to read your existing e-book library. If it exists as a walled garden where you have to buy books within the Spritz app, that seems like it would limit its usefulness to me. We’ll see. This is definitely a technology I want to track.

The trade-off of fidelity and convenience in marketing, and how it doomed my favorite company

I’m reading a book called Trade-Off, by former USA Today technology columnist Kevin Maney. It’s primarily a marketing book.

Maney argues that all products are a balance of fidelity and convenience, and highly favor one or the other. He additionally argues that failed products fail because they attempted to achieve both, or failed to focus on either one.

An example of a convenience product is an economy car: inexpensive to buy and inexpensive to keep fueled, but without much glitz, and you probably won’t fall in love with it. A high-end sports car or luxury car is a lot less practical, but you’re far more likely to fall in love with it, and you gain prestige driving around town in it. Read more

Why you need to guard your Backup Exec servers

If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably take backups. You need them, after all. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular way to do that. But there’s a problem.

A security problem, that is. The quality of Backup Exec as a product hasn’t been my problem since 2005. The problem I have with it now is that Backup Exec stores the credentials it uses in a database. Those passwords are encrypted, but if you can get hold of a copy of that database, such as a backup of it, and you’re determined enough, you can decrypt them. And a backup service account, by its nature, has rights to read every file it backs up, so those are not credentials you want walking out the door.

Read more
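The practical question that follows from the post is who, besides the administrators you expect, can read the directory where that credential database (or a backup of it) sits. The PowerShell below is an added example, not code from the original post or from Backup Exec itself: it walks the ACL of a directory and reports every principal that holds a read right and is not on a trusted list. The paths and the trusted-identity list are assumptions; substitute the data directory of your own media server and the place its database backups land.

```powershell
# Added example (not from the original post): list every principal that can
# read a directory holding a credential store, so you can see who could copy
# the encrypted database out. Paths and the trusted list are assumptions.
function Get-UntrustedReaders {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )
    # ReadData (the same bit as ListDirectory) is implied by Read, Modify and
    # FullControl, so testing that one bit catches all of them. Generic-rights
    # ACEs (large negative values) are not mapped here and would be missed.
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny entries only tighten access; only Allow entries grant reads.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.FileSystemRights -band $readBit) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

# Check the live data directory and wherever its backups land; both count,
# because a backup of the database is as good as the database itself.
# These two paths are placeholders (assumptions); substitute your own.
'C:\Program Files\Veritas\Backup Exec\Data', 'D:\DatabaseBackups' |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-UntrustedReaders -Path $_ } |
    Format-Table -AutoSize
```

Run it elevated on the media server. Any group that shows up stands for every member of that group (an inherited BUILTIN\Users read entry from Program Files is the usual surprise), so expand groups with Get-ADGroupMember before deciding the list is acceptable, and treat the backup destination with the same care as the live directory.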

Finding a connection to my Dad in a suburban St. Louis estate

Yesterday I wrote about my greatest estate sale find ever. Well, the very same month as that one, I found another estate sale featuring a Lionel 1110 locomotive, which happened to be my Dad’s first train. So of course I put that sale on my list. The 1110 wasn’t among Lionel’s finest moments, but I’ll note that in 1986 when Dad and I pulled his postwar Lionels out of storage, it was the first of Dad’s locomotives that we got running, and in 2003 when I got them out again, it was the only one that still ran.

Well, this 1110 didn’t run. The motor assembly was cracked and it wasn’t worth the asking price. But behind the locomotive, I found some paperwork. “Build these realistic models!” it urged. It was marked $4. The tag warned it was very delicate. I took it out of the plastic bag it was in, decided against trying to unfold it, and bought it sight unseen. Read more

My greatest estate find

If you’ve been reading this blog for a few years, you know I kind of like trains. But my favorite way to buy them isn’t to buy them at a train store. I like to buy them from estates.

One week, I spotted a few late-production Marx 6-inch cars and a plastic locomotive in an estate ad. I tallied up $30 worth of trains in the picture, and figured I’d be lucky if they asked $60 for it. But I decided to take another look at the picture, just in case.

This wasn’t an ordinary train. Read more