I had an old Compaq Evo D510 full-size tower/desktop convertible PC, from the Pentium 4/Windows XP era, that I wanted to upgrade. The machine long ago outlived its usefulness–its Pentium 4 CPU is less powerful than the average smartphone CPU while consuming enough power to be a space heater–but the case is rugged, professional looking, and long since paid for. So I thought it was worth dropping something more modern into it.
I chose the Asrock Q1800, which sports a quad-core Celeron that uses less than 10 watts of power and runs so cool it doesn’t need a fan. It’s on par with an early Intel Core 2 Duo when it comes to speed, which won’t turn any heads but is plenty fast to be useful, and the board can take up to 16 GB of DDR3 RAM and it’s cheap. I put 16 GB in this one of course. I loves me some memory, and DDR3 is cheap right now.
Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.
Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and IOS are fairly close, security wise.
So why do we see so many more Android bugs? Drake had an answer.
Windows 10 is out today. Of course I’ve been getting questions about whether to upgrade from Windows 7 to 10, and I’ve been seeing mixed advice on upgrading, though some of that mixed advice is regarding Microsoft history that isn’t completely relevant today.
My advice is to upgrade immediately if you’re running Windows 8 or 8.1, and to wait, perhaps six months, if you’re running Windows 7, but I still think you should do it. I’ll explain.
I was on a conference call discussing the Microsoft product lifecycle with several coworkers and our Microsoft-assigned support engineers when someone asked if a server version of Windows 10 was going to come out.
The Microsoft rep said no comment. Then I chimed in.
“We need to assume they will release a server version, probably about six months after the desktop version, and we need to start testing and preparing to deploy it when it comes out,” I said.
So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.
Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”
Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.
My name, and my department’s name in general, gets thrown around a lot at work. We have a bit of a reputation as the can’t-do guys.
Professionalism dictates I not go into specifics about what kinds of things we reject or disapprove, but if I were to explain them, no security professional would disagree with me.
The other side of the argument, of course, is that the system still does its job the way it’s supposed to do and the system cost a lot of money. Here’s a story of a tense situation and how we were able to come to an understanding. Read more
Corporations are in business to make money. That’s the premise of the classic business book The Goal, and the point of The Goal is that a lot of companies forget that.
That also means they’re not exactly happy to spend money unless there’s an obvious reason why spending that money is going to help them make more money. So that’s why you see 30-year-old minicomputers in data centers. That old system is still making the company money and with no clear financial benefit to replacing it, most businesses are perfectly happy to run the machine until the minute before it will no longer power up anymore.
That’s what makes quitting Windows XP so difficult for businesses. At this point, Windows XP and that 30-year-old minicomputer are both about as sexy as a Plymouth Volare station wagon. But they get the job done, and they’re much better than what they replaced, so the business leaders are content to just keep right on using what’s already paid for. Read more
Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.
Over the Labor Day weekend I decided to upgrade my HP Mini 110 netbook to Linux Mint 17. The Mini 110 can handle Windows 7, but Linux Mint doesn’t cost any money and I figure a Linux box is more useful to me than yet another Windows box. There are some things I do that are easier to accomplish in Linux than in Windows. Plus, I’m curious how my two young sons will react to Linux.
Linux Mint, if you’re not familiar with it, is a Ubuntu derivative that includes a lot of consumer-friendly features, like including drivers and codecs and other common software that aren’t completely open source. It’s not a Linux distribution for the Free Software purist, but having options is one of the nice things about Linux in 2014.
Linux Mint includes a lot of useful software, so once you get it installed, you’re up and running with a useful computer with minimal effort.