Archive for google

Operating System Choice Does Not Equal Security

Posted in security with tags , , , , , , , , , , on June 2, 2010 by hellnbak

Yesterday while some of us in the USA were enjoying a day off Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns.  My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision.  That was, of course, before I actually read the entire article. 

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called “China hacking incident” but I can comment on the stupidity of this clearly knee jerk reaction.  Your operating system choice does not equal security.  I cannot put that any more simply than that.  If your company employs experts in Linux then it makes sense to standardize on Linux.  If your company employs expertise in Windows — rolling out Linux, OSX, or any other operating system is asking for problems.

Obviously in Google’s specific case one could argue that they have more expertise in Linux.  So the switch from Windows isn’t a security concern its common sense and makes me wonder why they would have had Windows boxes in the first place.  This quote from an unnamed employee says it best;

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I could care less what OS Google or any company standardised on.  The reason I felt the need to comment on this was not because I think Google is making a mistake but because the press is taking some comments from “anonymous employees” out of context and turning this in to something it’s not and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure”.

Corporations get hacked, in fact they get hacked much more than we read in the press.  Sometimes those hacks come via a “zero day” type attack and others via a known issue that the corporation failed to patch for.  This is the reality of running a business in the Internet age.

Let me paraphrase what was said by myself and other “experts” back in February 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html)

Every operating system has its advantages and disadvantages in security but no one is a silver bullet, more secure, option.  Some represent a higher risk than others but in reality you are only as secure as your ability to administer the chosen operating system.  This means that if your organization has IT expertise in Linux then you are probably more secure running Linux than you are an operating system that they do not have the same level of expertise in.  The same goes for companies that have Windows expertise, while I am sure that a good Windows Administrator can find his way around alternative operating systems, I would not want that Administrator to be responsible for securing an operating system that he is not proficient in. 

So while one could argue that in general Windows has been the more riskier operating system to run I would actually counter that argument by saying that while correct in the past it is this level of exposure and risk that has caused great improvements in Windows security.  Not to mention the fact that if you are Google you have a very large target painted on you and no matter what operating system you decide to run you are and probably always will be a target of attackers.  Shift your operating system and attackers will shift their attack methods. 

Based on available public information on the Aurora attack the compromise may have come via an unpatched Internet Explorer vulnerability and was a targeted attack.  The second part of that sentence is actually the more important one here.  TARGETED ATTACK.  This means that when, and not if, Aurora the sequel happens it will come via an unpatched vulnerability in whatever operating system happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts around what your operating system choice means to your security.  In fact the Financial Times article is nothing more than FUD generated by “anonymous” quotes from “anonymous sources”.

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and determine that because the great minds at Google have done this to be “more secure” that they should follow suit.  They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat.. the cycle of Information Security Myths trumping actual progress continues…………..

Advertisements

Creepy GMail “Feature”

Posted in Random, security with tags , , , , , on April 8, 2010 by hellnbak

I stumbled upon this creepy GMail “feature” the other day.  Basically, it appears that there is some logic that notices when you type the phrase “see the attached” and then checks for a file attachment alerting you if you fail to attach a file.

With all the privacy concerns around GMail I found this to be very creepy.

Nexus-1 Honeymoon is Over

Posted in Random with tags , , , , , , , , on April 8, 2010 by hellnbak

As many of my friends know.  I am very hard on my electronics.  My laptops, my MP3 players, my cell phones and even the TV remote all get abused in various ways.

So, in typical dumbass fashion, over the weekend I dropped my Nexus-1 phone and sadly, even though it wasn’t a far fall – a couple of feet at most – the screen shattered.  😦

(I am travelling right now for work and I forgot my camera cable so I will have to post pics later) 

After I was done swearing and calling myself an idiot I called HTC.  The service from HTC was awesome, they told me up front a range in price to replace the screen (between 150$-250$) and via email sent me out a pre-paid shipping label to send the phone back.  In fact,. just by having my phone serial number they were able to bring up all my account information including email address and T-Mobile billing address.

Because I am travelling, I did not want to be without a cell phone so I immediately pinged all my geek friends that were local to me and as expected one of them came through with an unlocked Samsung Blackjack.  While this isn’t the most cutting edge phone in the world, it would work just fine.  Before I was able to pick up the phone, I called T-Mobile just to give them a heads up on the impending device change and wanted to make sure that I didn’t need to modify my plan in any way to avoid extra charges.  This is where things got really sketchy.

The first person I talked to at T-Mobile told me it would be no problem at all.  She said she would put a note on my account and when I was ready to put my SIM Card in the loaner phone simply call them back and let them know.  She also told me that there would be no charges as she would just adjust my plan temporarily so that I can still use both data and voice.

The next day I picked up the loaner phone (thanks again Mike you are a life saver!) and popped in my SIM Card.  After entering the unlock code for the phone, it connected to the T-Mobile network with no issues.  I made a quick voice call to test voice and then fired up the web browser.  I was met with an error that I didn’t have a data plan.  So I thought I would call T-Mobile back again and make sure that all was still well with me changing the phone.

The rep I got this time informed me that he would not be able to change my plan.  Apparently, there is an automated system (I am paraphrasing what I was told) in place that would notify Google that I have changed my plan triggering Google to charge my on file credit card the various fees for changing my contract and “deactivating” my Nexus-1.  I explained again that I was not trying to deactivate my Nexus-1 but was simply getting it repaired and needed to use this phone while I waited for mine to return.  The rep apologized but said that there is nothing he can do and that I can use the other phone but for voice only.  Changes to my data plan trigger the extra charges from Google and according to the rep — T-Mobile has no control over this.

WTF?!?!?

So not only has Google kept my credit card on file, but they also shared my contact and billing details with HTC and T-Mobile.  I don’t necessarily have a problem with this, it does make life easier when dealing with each company but during the design phase of this data sharing system how did they fail to consider the broken phone scenario?

Not willing to believe that the three companies who brought probably the best phone I have ever owned to market can actually be this dumb I called T-Mobile for a third time today.  This time the rep said no problem and that he would make chances to my account.  I interrupted him and specifically brought up what I was told the previous day.  This seemed to confuse the support rep and he said that he wasn’t sure if that would happen or not.  I asked him to verify.  This seemed to be an annoyance to him and he offered to call me back once he knew.  That was about 11 hours ago.  Something tells me I won’t receive a call back.

I suppose I can live with the broken screen until the new Windows Mobile 7 devices are released and then add my Nexus-1 to the chopping block like I did my iPhone and Blackberry.  It’s really too bad that such a nice piece of hardware backed up by what seems to be a great company (HTC) and runs a flexible Operating System (Android) gets tarnished by outright stupidity by both Google and T-Mobile.

Greatest GMAIL innovation EVER!

Posted in Random with tags , , on October 7, 2008 by hellnbak

Those of you female readers (are there any?) that have been foolish enough to have any sort of relationship with me (are there any?) will get a chuckle out of this.  If only this little innovation was available earlier.. I would had less drama in my life.  😉

 

http://gmailblog.blogspot.com/2008/10/new-in-labs-stop-sending-mail-you-later.html

 

Now I just need to find a filter for my actual mouth when drinking and its all good.