August 31, 2004
Crypto-Guru Bruce Schneier on IT Threats
Just after I posted regarding IE and malware, I came across this interesting Bruce Schneier interview at Neowin. Bruce is a well-known cryptologist and security expert, and I've read his informative book, "Secrets and Lies".
As you can tell from my prior post, I heartily agree with Bruce, particularly on this point:
"What do you see as the biggest threat in the IT age?"
Regarding the ultimate responsibility for security:
"If you were to look at 3 areas - The Software Designer, The Systems Administrator, The User - who would you say should bear the burden of responsibility for security? Or do you perceive it to be a shared responsibility?"
Again, this illustrates my point about users simply not knowing any better while contributing to the problem. But that's reality, like it or not. Some may take the initiative to better protect themselves (especially after getting burned at least once), and others won't. While there's a lot of self-help available online (you know it's bad when WSJ's Walt Mossberg covers spyware this month), it only goes so far. When it comes to security, people are often the weakest link in the chain. Just ask this law firm whose longtime bookkeeper fell prey to a Nigerian e-mail scam to the tune of embezzling $2.1 million. The breach in security wasn't just the person who embezzled the money, but also the management under which it occurred, and the bank manager who approved all of the wire transfers even though the bookkeeper was not authorized to make such transfers. I also recommend reading Sharon Nelson and John Simek's enlightening article on "Disgruntled Employees in Your Law Firm: The Enemy Within". Please don't misunderstand this as a "down on people" tone, as I can assure you it's not. It's about recognizing some of the root causes for security breaches and thereby being better prepared as a result. For example, "social engineering" preys on our fundamental tendency to trust one another, especially in a seemingly routine context.
I too would like to see software developers better address the issue. But unlike Bruce, I don't see that as quite the rosy picture he's painting. Reiterative security testing, while welcome, would no doubt increase the development cycle and overall cost of the software. Since it's not practical to expect all software developers to include an equally effective level of security testing and remediation, and since virus and trojan authors generally find ways to proliferate their malware faster than developers can detect and close the holes, we're still going to need all of our expensive security software and experts to keep us relatively secure. Overall, we'd probably be more secure, but it's going to cost us. How much? As he mentioned, it's tough to determine what's the most cost-effective method for allocating responsibility. Not all that long ago, it occurred to me that the free market would probably determine how much security is appropriate, and Bruce lays this out regarding Microsoft:
"The company is not a charity, and it doesn't make sense for them to make their products more secure than the marketplace demands. And right now the marketplace doesn't demand security."
Lastly, Bruce offers good advice, but inherent in that is the requirement for self-education (my emphasis added):
"Do you have any practical advice for our readers, in terms of staying secure, and safe?"
A Rebuttal to Malware & IE
Forever, it seems, I've been reading the many posts and articles complaining about spyware, malware, and IE security issues. I acknowledge they exist, and I've done my fair share of removing adware, spyware and the like. The funny thing is, I've been using a powerful IE-based browser (MyIE2, n/k/a Maxthon) as my main browser for over a year, and pure IE before that, and can't recall having a browser-related spyware nor a drive-by downloading incident. I generally keep up on IE patches, and I've scanned my PCs many times with Norton Antivirus, Ad-Aware, Spybot, etc. I've also used my share of Netscape, Mozilla, and Firefox too, so I'm definitely not a Microsoft groupie. In my personal user experience, I've only encountered malware when I've installed a supposedly free program that had others bundled in as a means to defray their costs. We've all seen plenty of those -- some will tell or prompt you during installation while others just creep in unannounced. There's no excuse for the silent parasites -- we should at least be presented with the choice. But for the others, we've made a conscious decision to download and install them.
What prompted this post was Jerry Lawson's post about Ernie Svenson's post about a Slashdot post (welcome to the link-crazy blogosphere), all of which recommend dumping IE ASAP due to the security and drive-by downloading problems.
While MyIE2 features advanced content blocking (i.e., blocking inline ads, flash animations, popups, etc.), that only gets me so far in my malware defense. By and large, I firmly believe most people have problems with spyware and malware just because they don't know any better (i.e., lack of savvy user education and not optimally configuring IE). By default, IE is left quite open for drive-by downloads, but that doesn't mean it can't be made to deflect them. Even when I use plain IE without any ad-blocking, I still have it set to block or prompt for most active content. As mentioned, I also use antivirus and anti-spyware programs, which also help.
I've found changing the settings in IE's Security / Internet Zone / Custom Level to be quite effective against unwanted malware. I've disabled some features (especially on those "not marked safe"), set some to "high safety" and set most of the remainder to prompt me, particularly regarding ActiveX and scripting content. This allows me to decide if/when active content should run to access desired content (e.g., Microsoft's various support/update sites, launching the PDF reader when clicking on a PDF file, loading a desired flash animation etc.), versus blocking the potentially harmful active web content. This solution presents me with many pop-up dialog prompts, but after a little while they didn't bother me because I get to choose what happens next: I'm not a victim of an unfortunate browsing accident.
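One way to check a machine against the posture described above, as an added example that is not part of the original post: the script audits the Internet zone (Zones\3) values in the text of a registry export. The mapping from the post's wording to specific URL action IDs, the function names, and the sample export are assumptions constructed for illustration.

```python
import re

# Internet zone key suffix; zone 3 is the Internet zone in IE's zone model.
ZONE3 = r"software\microsoft\windows\currentversion\internet settings\zones\3"

# Standard URL action settings: 0 = enable, 1 = prompt, 3 = disable.
ALLOW, PROMPT, DISABLE = 0x0, 0x1, 0x3
# Java permissions (action 1C00) use their own scale.
JAVA_DISABLED, JAVA_HIGH_SAFETY = 0x0, 0x00010000

# Assumed reading of the post: disable what is "not marked safe" or unsigned,
# prompt for other ActiveX and scripting, keep Java at "high safety" or off.
POLICY = {
    "1001": ("Download signed ActiveX controls", {PROMPT, DISABLE}),
    "1004": ("Download unsigned ActiveX controls", {DISABLE}),
    "1200": ("Run ActiveX controls and plug-ins", {PROMPT, DISABLE}),
    "1201": ("Initialize and script ActiveX controls not marked safe", {DISABLE}),
    "1400": ("Active scripting", {PROMPT, DISABLE}),
    "1405": ("Script ActiveX controls marked safe for scripting", {PROMPT, DISABLE}),
    "1C00": ("Java permissions", {JAVA_DISABLED, JAVA_HIGH_SAFETY}),
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone3(reg_text):
    """Return {action_id: value} for DWORD entries under a Zones\\3 key.

    reg_text is the already-decoded text of a .reg export (real exports are
    usually UTF-16 on disk). Entries in other sections are ignored.
    """
    values = {}
    in_zone = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_zone = section.group(1).lower().endswith(ZONE3)
            continue
        entry = DWORD_RE.match(line)
        if in_zone and entry:
            values[entry.group(1).upper()] = int(entry.group(2), 16)
    return values


def audit(reg_text):
    """List (action_id, label, problem) for each setting outside the policy."""
    actual = parse_zone3(reg_text)
    findings = []
    for action, (label, accepted) in POLICY.items():
        if action not in actual:
            # Not in the export, so the effective value is unknown here.
            findings.append((action, label, "missing"))
        elif actual[action] not in accepted:
            findings.append((action, label, "unexpected value 0x%X" % actual[action]))
    return findings


# Constructed sample export: the Zones\2 entry must not leak into the result,
# 1200 is left on "enable", and 1405 is absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1201"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001
"1C00"=dword:00010000
'''

if __name__ == "__main__":
    for action, label, problem in audit(SAMPLE_EXPORT):
        print("%s  %-55s %s" % (action, label, problem))
```

A clean run prints nothing; each printed line names a setting that is more permissive than the prompt-or-block approach the post describes, or one the export does not contain.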
Knock on wood, as I know this doesn't close all of IE's holes, but I've yet to encounter a drive-by malware download. Why? I believe it's because my IE and IE-based browsers either ignore or prompt me for what to do when they encounter most active content. I've run a number of updated anti-spyware scans on my PCs and they come up clean each time. Of course, the distinguishing variable is knowing how to answer those browser prompts. If I'm downloading a PDF or Flash animation I want to see, then I allow it to run. If I don't know what's prompting me, I click on "No", and then see if the web page will load properly. If it does, great. If it doesn't, then I need to decide if the desired content is worth the risk of allowing the active content to load. So far, so good.
Obviously, there's a trust and/or judgment factor involved as well. Most large corporate sites are not going to want to risk alienating their market by inflicting malware. For those that have, they've usually learned a painful lesson in customer relations and the power of the Web to replicate such information very quickly and LOUDLY. If I'm visiting a new or strange site, then I err on the side of caution. I don't need more smileys for my e-mail or IM program, and I know I'm not going to win anything by clicking on a moving ad (regardless of how satisfying it may be to virtually smack that annoying purple monkey!) or answering that "Friends" trivia question for which anyone over three knows the answer.
We all know IE has a lot of security holes, no argument there. But my individual experience leads me to conclude that specifically regarding browser-delivered malware (adware, spyware, viruses, trojans, etc.), the choices made at the computer operator level (hey, that's us!) are by far the largest contributor to allowing harmful content into our systems in the first place. This stuff generally doesn't get there by itself. Someone had to make the decision to visit a particular site (whether via Google, directly, or from some other link), using a web browser configured in a specific way. Even alternative web browsers have security issues. It all comes down to where you surf on the web, what you're using to get there, and what choices you're making in how you access the online data once you've arrived. Even choosing which free programs to download and install requires judgment. For help, check out sites like SpywareInfo and Spyware-Guide.com before you download a new program. They provide helpful information and maintain lists of spyware- and malware-ridden programs.
This isn't begging the entire Microsoft security issue, and Microsoft clearly needs to address it. But unless or until that happens, it's up to us to either educate ourselves to address it, or hire someone else who's savvy enough to take care of it and educate us on an informed way to do it. In other words, good ol' personal accountability. As Smokey said: "Only you can prevent forest fires." This doesn't excuse the malware developers in the least, nor Microsoft, but a good many incidents are avoidable with an appropriate approach.
So instead of throwing the IE baby out with the bath water to clean house, I'd rather come up with a better way to keep the baby clean. I've written here previously about how I've all but dumped IE as my main browser, and that's true. My main motivation was to find a better browser for power user features while maintaining a common set of bookmarks. As my main replacement browser is based upon the underlying IE engine and its flaws, I tasked myself to find a way to get all the benefits I was looking for while securing it as much as possible. So far, I like the result. It's not perfect (what is?), but it works for me.
I was quite tempted to conclude this with the typical, "Your mileage may vary" -- but then shouldn't we ask the critical question: Why?
August 30, 2004
21 Blogs of Interest for a Law Firm CIO / IT Director
Hot on the heels of LawNet 2004, here's an interesting find for Legal CIO's:
Ed Schembor's Blog looks relatively new and has a new article listing and discussing suggested blogs for Law Firm CIO / IT Directors to read. He's picked a number of legal technology blogs, many of which I've read and listed here in my blogroll. Welcome to the blogosphere Ed.
Ed states: "The list of blogs I have put together below covers the ones which I have found are ideally suited to the knowledge needs of a senior project manager, director of technology or CIO at a medium to large size law firm. These blogs generally cover strategic aspects of technology of interest to law offices, and may also cover more tactical and technical subjects."
Ed, you're off to a great start, but I'd add the following blogs to your list, as they tend to have either a compelling strategic or legal IT flavor, or both:
I'm sure there's even a few I'm forgetting, with apologies to my fellow blawgers.
August 24, 2004
Live From LawNet 2004
I'm out at LawNet 2004 this week, and thus far it's been a very worthwhile trip. The weather has been relatively cool for Phoenix (in the low 100's for the week), so we haven't melted. LawNet is to be commended for keeping us connected: In addition to dedicated Ethernet access in the Laptop Oasis, there's Wi-Fi access throughout the conference rooms and exhibit hall, which is really the way to go nowadays for any large conference or meeting. It's truly an enabler.
There's already been a number of useful sessions. I'm glad to see the legal market has been "getting it" regarding workflow, collaboration, and integration. As various systems become even more complex (document and matter management, etc.), these systems have to become even more usable to the end users -- a daunting task indeed. Thus it's encouraging to see the sneak peeks and upcoming product announcements, many of which are focusing on tying discrete systems together, addressing workflow issues, and coming closer to delivering on the "seamless" promises we've heard for so many years.
Having said that, it's vitally important to recognize there are no silver bullets. Many xMS solutions (DMS, CMS, KM, etc.) require an insightful game plan: identifying and setting overall goals and scope, savvy needs assessment, customization, training, and the like (none of which is easy, I might add). However, I feel a sense of optimism that the legal market is once again moving forward after the entrenchment spawned by the recession over the past few years. While it's not a tidal wave, I'm hearing more about firms who are implementing more extranet and web-based solutions, and upgrading to newer versions rather than staying pat.
Perhaps the largest theme I've observed is that the lines are once again blurring regarding definitions. For example, document management and third party developers have expanded their offerings to include records management, content management, workflow, collaboration, approvals, e-mail integration, metadata cleaning, webified interfaces and platforms, and more. Thus the concept/definition of "What is a document?" is dramatically broader than ever before. In one of the DMS presentations, one source indicated that 90% of new documents being created today are electronic. This doesn't surprise me in the least.
Thus one of the many challenges for law firms, corporate legal departments, clients, and the legal system itself will lie in making the quantum shift in thinking away from paper and into the electronic realm. Some have already gotten their feet wet. With the advent of document tagging, tracking, digital rights management (DRM), metadata, electronic discovery, and compliance with new regulatory requirements, we collectively need to understand the new "laws of physics" such a paradigm shift entails. I'll agree with one of the Microsoft presenters, who said we need "Solutions, solutions, solutions, and not just technology, technology, technology."
August 18, 2004
Taking Electronic Discovery to the Molecular Level
Ever since nanotechnology heated up with discussions of nano-sized computer chips, I've been wondering when it would be extended to storing information. This time, it's taken on an organic spin: Courtesy of Engadget, it's been reported that "Korean scientists have created the world’s first Nano-DNA Barcode System (NDBS)."
"Suspended in a DNA-friendly buffer solution, the synthetic DNA may be sprayed-on or suffused into items that are normally hard to tag with a sticker, such as oil, agriculture products, or even money, providing invisible information on product origin, quality, or supplier. And unlike the stuff in us, this barcode DNA doesn’t mutate and is unhackable, making code alteration impossible."
This reminds me of when, a number of years ago, graphic artists and photographers started inserting digital signatures and copyright notices directly into their JPEG images -- due to the massive copying of web art going on at the time.
A DNA barcode would be a cool surreptitious way to track items and supposedly prove authenticity at the same time. However, I question whether it could also be abused. For a simple example, while the DNA code is purportedly unalterable, could a less-than-ethical oil distributor add a lesser grade of oil into a DNA-barcoded lot to "cut" or dilute it, yet still piggyback or pass itself off on the "authentic" DNA code present in the remaining original molecules? It seems to me there would need to be a parts-per-million type baseline established before it shipped, and not the mere presence of the barcode as the authentication.
The "money" application above also opens itself up to tracking other kinds of paper documents -- thus making the usually low-tech analog world of paper suddenly rich with its own style of metadata.
While some of this sounds Sci-Fi-ish, I've been thinking for quite some time that techno-tagging is going to get a lot more personal. RFID and DNA barcoding issues are only the first baby steps. Right now they're only sewing it into our garments.
I've seen numerous EED checklists expanding due to new data storage advances (PDA's, flash drives and memory cards, iPods, cell phones, hybrid consumer devices, etc.). I fully expect that list to become noticeably longer over the coming decade and beyond.
August 17, 2004
When People Ask Me Why I Left the Practice of Law...
Regarding the order, it sounds like all involved need to go on sabbatical with a good dose of self-examination, including the federal judge. On a related note, I'm with Ernie regarding his Worthwhile post. Money isn't enough and life is just too short if you aren't happy in what you're doing. In my case, I didn't have to leap all that far, since I'm still heavily involved in the legal profession -- just from a different angle. Almost ten years ago (my, how time flies), I chose to blend my long-standing computer hobby with my professional career, and am much, much happier and I count myself more successful (I'm not talking about money here, either). Funny thing, as I keep running into more and more tech-savvy lawyers who are doing the same.
My choice taught me that the right kind of passion makes all the difference.
[8.20.04: An update on the above federal case is on the ABA Journal eReport site. The money quote, by the plaintiffs' lead counsel: "It’s important to remember to try your case and not the judge’s patience."]
Why Law Firms Need to Understand (and Even Embrace) Six Sigma
Now, after having joined Caterpillar Inc. as their Legal Services IT Manager, and experiencing firsthand a fully-immersed 6 Sigma culture, I would say it's worth heavy consideration for some law firms, for several good reasons:
I've taken the Green Belt training, and am serving as such on a number of Legal IT 6 Sigma projects. A personal observation: One of the greatest challenges with this process is that it was initially developed in a manufacturing context. Thus it's much easier to sample and measure the exact dimensions of a metal part than it is to apply these principles to "soft" service areas, such as the practice of law and customer service. In this regard, sometimes one has to become quite creative, and the path to success isn't as obvious. Thus savvy judgment is required to balance the thoroughness required in arriving at an optimal set of recommendations vs. taking the additional time the process adds to get there. If you're looking for a quick fix or snap decision to leap ahead, then in my humble opinion, a full Six Sigma process isn't the right tool to use.
As Larry said, it's a major culture change for law firms. However, properly implemented, I can see where firms can obtain both internal benefits as well as cultivating deeper and more successful relationships with their larger corporate clients. And in my book, that's something that deserves more than a passing glance.
By the way, and somewhat contrary to Larry's advice, I wouldn't recommend trying to bluff one's knowledge of Six Sigma, particularly with a savvy corporate counsel who's gone through the training. Personally, I'd give outside counsel more credibility for acknowledging what they don't know, as long as they understood the underlying philosophy and weren't just trying to snow me to get my business. I do, however, recommend reading up on Six Sigma basics before broaching the subject.
August 16, 2004
2004 U.S. Corporate Counsel Litigation Trends Survey Report
Here's something that should interest both outside and corporate counsel alike: Earlier this year, Fulbright & Jaworski commissioned a survey of corporate general counsel regarding corporate litigation issues and trends. They've recently published the results as a free 20-page report in PDF format. Rather than reiterate the contents here, the ABA Journal eReport has a good write-up on it worth reading.
According to the report, it is "one of the largest surveys of corporate litigation issues ever conducted." It had 300 respondents, and identifies such things as the top five litigation areas of concern, a breakdown of litigation concerns by industry, methods of controlling costs and compensating outside counsel, and more. It also identifies trends and breaks down results by company size class and geographic region. Arbitration and mediation are also covered.
All in all, it's an interesting read, and you may be surprised to learn that the top litigation of concern to most GC's is labor and employment. I particularly found page 7 to be interesting: It charts the percentages of companies using various cost-reduction methods, and the percentage of each method rated as effective by its users. It does likewise with use of computer-based litigation tools. Regarding cost reduction methods, I found it quite interesting that some of the least-used methods (rated by percent used) were conversely rated as highly effective (around 80%), such as success-based bonuses, task-based billing, and electronic billing.
[Updated 8.19.04: Lisa Henson, Fulbright's Web Content Manager, contacted me today to thank me for posting this, and suggested a friendlier URL to their registration page, which I've incorporated above. In addition to their original link, I had initially posted a more direct download link because some of Fulbright's web pages would not load properly in my browser (due to some of their active web content), and felt others would have a similar problem.
However, purely in the spirit of professional courtesy, something that is often lacking nowadays, upon Ms. Henson's request I've removed the direct download link. I believe I'm not legally required to do so and am removing it without relinquishing or releasing any legal rights. Nor did Ms. Henson make any such inference, I might add. We had a very friendly conversation about this and she asked me most politely. As I've also experienced firsthand, developing web sites that load equally well in all browsers is a challenging task. Thus if you should encounter any problem obtaining the report via their registration page, then I heartily suggest contacting Ms. Henson directly at (713) 651-8372. I'm sure she'll be happy to assist you.]
August 13, 2004
Bust a Myth
PCWorld has a nice article that addresses some of the really tough PC questions:
- Do magnets really zap your data?
You'll have to read it to find out.
August 12, 2004
Great Listing of Alternative Software by Category
This week's tip is finding new software with ease. Tech columnist Jeremy Wagstaff (LOOSE wire) recently posted some very useful program listings in the following categories. Particularly nice is the inclusion of lesser-known or alternative programs to the "name brands". Even experienced software hounds would be hard-pressed not to find something new here. Well done.
[Updated 8.17.04 to add the Acrobat and Outliner listings.]
August 11, 2004
Legal Tech Talk
As part of his phenomenal "Five by Five" series, Matt Homann recently posed this conundrum to five savvy legal technologists (I'm honored to be one of them):
What five new technologies should all lawyers incorporate into their practices, but probably won't?
Since the question is versed in the negative, I enjoyed reading the thought-provoking answers even more than participating in the submissions.
As far as I know, we each submitted them independently from one another. Thus it's interesting to see certain themes relating to RSS feeds and readers, blogging, personal productivity tools (especially regarding taming your e-mail and note-taking with Microsoft OneNote), spreadsheet use, and more -- which are particularly perceived as technologies that lawyers (taken as a whole) probably won't be utilizing in their practice. Scary, isn't it?
Although, with that said and being the optimist I am, I'm still heartened by the response to West's Mike Wilens' query back at the ABA TECHSHOW 2004's keynote: "How many of you read blogs?" I would say at least half of the filled grand ballroom crowd raised their hands. Taking into account the nature of TECHSHOW attendees (i.e., legal professionals and support staff who are actively interested in and seeking out technology ideas and solutions), I'm tempted to conclude that a distinction needs to be made here: There's a new breed of evolving lawyer, and they're pushing the envelope much more than traditionalists because the legal and business climate has changed. Efficiency and competition are driving some of it, as well as clients' demands and dislike for complacency. Just read Matt's blog for a very good example of a lawyer who's not afraid to "break the rules" of law firm management and marketing by thinking outside the box.
While there are no silver bullets, I've found that even a little increase in overall tech savvy goes a long way, and you can't always wait until someone else has tested the waters for you first. While there's always some risk, I'm a firm believer in having first-mover advantage. But even if you're risk averse, I've found it's worthwhile to take the time to monitor early adopters' movements, including their successes and setbacks. That makes it somewhat easier to be at the forefront of the wave when it reaches critical mass -- simply because that knowledge can enable you to jump on the ladder a few rungs higher than the rest. Thus I'd say that one of the unwritten themes in our responses to Matt's question is don't be afraid to experiment. On a personal note, I approached creating this blog purely as a "little experiment", and am still amazed by the dynamic range of benefits in doing so.
Here's the money quote you can take from this post: There are many useful and productive technologies lawyers can test without breaking the bank or wasting a lot of time. Waiting for other lawyers and firms to try them first is like watching two turtles play leap frog -- while they're absorbed in making all the methodical machinations, the hare has already zipped by them unnoticed.
August 05, 2004
Crossing the Wi-Fine Line?
If you access an open Wi-Fi connection in the woods and nobody hears you, have you broken the law?
This type of mixed question seems to be stumping a lot of experts. Thanks to Ernie posting a related link, I just read a great article by Mark Rasch, the former head of the Justice Department's computer crime unit, who now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
Mark gives a number of everyday examples, and points out the thorny legal issues. One of the big ones is how much should individuals be held accountable for not securing their own Wi-Fi networks?
Mr. Rasch responds:
"You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing."
Regardless of the outcome, it's just not wise to expose oneself to the threat of prosecution, embarrassment, and substantial legal defense fees for the sake of convenience. Regarding intruders accessing unsecured access points, Mr. Rasch properly raises the "slippery slope" problem, "How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?"
However, in regard to the "cable sharing" laws above, one would think the Wi-Fi network owner's simple act of enabling encryption, disabling the network name broadcast, and other easy security steps would be enough to keep him/her out of hot water. Again, how much security is required?
His answer to all of the above: "But ultimately if we want to move to ubiquitous wireless computing, where you can use the WiFi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way."
My take on this is that intent plays a large part of the equation. Did you just set up your first wireless router and leave it open out of sheer ignorance? Or did you then tell your neighbors, "Pssst, want some free cable Internet if you cut my lawn?" In a busy downtown coffee shop, did your wireless laptop automatically jump onto another's Wi-Fi network because its default settings told it to connect to the first open access point it found? What if that wasn't the coffee shop's free network, but that of the business next door? The problem is that other than reading the SSID (the wireless network's broadcasted name), it's not easy to know whose network it is. It's not like when you go to log in at the office, and a message pops up to tell you it's a private network, keep out unless authorized.
Both the technology and the law need to meet somewhere on these issues. Many of these questions and cases are very fact-specific. But here is the Catch-22: If the technology needs to add features like the ability to broadcast a "Private Property: Keep Out" message to provide notice of unauthorized access, then that broadcast itself is compromising security by announcing the network's presence in the first place. Perhaps this could be mitigated by enabling basic security as a default in the hardware from the manufacturers. In turn, the laws need to address the intention issues.
In the meantime, given the rate at which the law generally lags behind technological advances, we're probably in for a bumpy ride.
Things to Make Your Broadband Zing!
Here are some tips, sites, and programs to help you test and optimize your broadband connection speed:
Broadband speed test sites:
While there are many such test sites, perhaps the best place to find them is at Broadband Reports' Speed Tests page. Here you'll find a nice long list of free test sites around the world. You'll generally get the most reliable results by choosing a server that is closest to you geographically. Some of these sites' tests run a Java applet, so you'll need to turn on Java in your browser if it's not already enabled.
Broadband speed test software:
Alternatively, download and install Dan Elwell's Broadband Speed Test. It will run a series of ping, download, and packet loss tests to a variety of servers around the world. Then it generates a nice report for you. Alas, this program couldn't get out past my corporate proxy server, but it worked just fine on my home network.
Optimize Windows' Network Settings for Your Broadband Connection:
Depending on your Internet connection (dial-up, DSL, cable, etc.), your current Windows settings may seriously impede your speed and cause other connection problems. For instance, a common problem is that the MTU (Maximum Transmission Unit, or packet size) value generally needs to be set to 576 for dial-up, 1492 for DSL, or 1500 for cable or regular Ethernet networks.
August 04, 2004
Blogging Abuses are Escalating
First there was comment spam: Spammers artificially boosted various web sites' Google page rankings by embedding links to those sites in blog comments. Google rankings favor sites that have a lot of inbound links, especially from highly ranked sites.
Then there was trackback spam: Blogs supporting trackbacks (i.e., the ability of blogs to learn which other blogs are linking to them) were nailed by artificial trackback pings containing spam web site links -- and they were harder to remove than comment spam. Luckily, I only received a couple of those.
Regular blog sites ended up being used to increase Google page rankings for various online pharmacies, casinos, porn sites, and more. I've personally had to clean this dreck from my blog. Usually it wasn't too bad -- just a couple a day, easily deleted. I've always resisted the urge to curtail commenting as I truly wanted to encourage a lively discussion. Then, just last month, I suddenly got hit by over 1,600 spam comments in a single week (no, that's not a typo), and they were increasing each day after. Since the comments were always made to older posts where there were virtually no new comments, the easy solution was to run a script that closes comments older than "x" number of days. It's a pretty good compromise so far, as most comments are made within a few days after posting, and I still want to have commenting enabled. (I've known about the MT-Blacklist plugin for a while, but I didn't have the time nor the inclination to upgrade my blog software just for that alone.)
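The age cutoff described above can be sketched as follows. This is an added example, not the script the author ran: the 14-day value, the post ids and the labelled comments are constructed, and it measures what the cutoff blocks, what it costs in lost legitimate comments, and what it misses.

```python
from datetime import datetime, timedelta

# Assumed cutoff: the post only says "x" days; 14 is a placeholder value.
MAX_AGE_DAYS = 14

# Constructed sample data (not from the blog): post id -> publication date.
POSTS = {
    "old-1": datetime(2004, 3, 1),
    "old-2": datetime(2004, 5, 10),
    "new-1": datetime(2004, 7, 28),
}

# Constructed submissions: (post id, submitted at, ground-truth label).
COMMENTS = [
    ("old-1", datetime(2004, 7, 30, 2, 0), "spam"),
    ("old-1", datetime(2004, 7, 30, 2, 1), "spam"),
    ("old-2", datetime(2004, 7, 30, 2, 2), "spam"),
    ("old-2", datetime(2004, 7, 31, 9, 0), "legit"),  # late reader reply
    ("new-1", datetime(2004, 7, 29, 8, 0), "legit"),
    ("new-1", datetime(2004, 7, 30, 2, 3), "spam"),   # spam on a fresh post
    ("gone-9", datetime(2004, 7, 30, 2, 4), "spam"),  # unknown post id
]

def comments_open(post_date, submitted, max_age_days=MAX_AGE_DAYS):
    """True while the target post is young enough to accept comments."""
    age = submitted - post_date
    return timedelta(0) <= age <= timedelta(days=max_age_days)

def apply_policy(posts, comments, max_age_days=MAX_AGE_DAYS):
    """Return (accepted, rejected) comment lists under the age cutoff."""
    accepted, rejected = [], []
    for post_id, submitted, label in comments:
        post_date = posts.get(post_id)
        # Unknown posts fail closed, the same as expired ones.
        if post_date is not None and comments_open(post_date, submitted, max_age_days):
            accepted.append((post_id, submitted, label))
        else:
            rejected.append((post_id, submitted, label))
    return accepted, rejected

def summarize(posts, comments, max_age_days=MAX_AGE_DAYS):
    """Count what the cutoff blocks, what it costs, and what it misses."""
    accepted, rejected = apply_policy(posts, comments, max_age_days)
    return {
        "spam_blocked": sum(1 for c in rejected if c[2] == "spam"),
        "legit_lost": sum(1 for c in rejected if c[2] == "legit"),
        "spam_missed": sum(1 for c in accepted if c[2] == "spam"),
        "legit_kept": sum(1 for c in accepted if c[2] == "legit"),
    }
```

On this sample the cutoff stops the spam aimed at old posts but also drops one late legitimate reply and lets through spam posted to a fresh entry, which is why it is a compromise and not a filter.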
Over the past six months, I've seen an increase in "me too" blogs -- ones in which the overall motivating factor was to have a site which ranked highly on Google. Then I started receiving link exchange e-mails from commercial services that had nothing to do with this blog's topics. Naturally, I ignored them the same as any spam e-mail.
Now, according to Wired News, the online porn industry is at it once again. But for the very first time, it seems they're not touching my blog, nor others. No, they've figured out they can better directly manipulate Google rankings by setting up their own set of blogs and then cross-linking between themselves. This part isn't all that novel, as many bloggers know you need to exchange links to benefit in page rankings.
But this time around, the pornsters are using Google's technology against itself. Google owns Blogger. So they've set up dozens of free Blogger sites and are using them to create the necessary inbound links to manipulate Google. Ironic, isn't it?
Here's the money quote from Wired: "It's just like (when) the first couple of people who got the idea to try to manipulate the meta-keyword thing might have been successful, but then everyone jumped all over it.... These things run their natural evolutionary course after awhile."
Note that a number of search engines don't use metatags for that very reason. Because of abuses like this and "Google bombing" (hint: do a Google search for "miserable failure" to see how anyone can be targeted), Google has been under increasing criticism due to these manipulations' effects on the integrity of the results. Like metatags, I expect that the abuses will go the normal route of getting worse before they get better. Eventually, when a particular abuse hits critical mass, then the search engine companies attempt to adapt their technology to preclude or ignore it (much like metatags are now ignored). Since Google's core technology has always focused on the link factor, this should prove interesting indeed.
That is, until the next exploit is discovered, and then we get to repeat the cycle. Get ready...
August 02, 2004
Thanks to All on My Wireless Router Query
A number of people replied to my query a few weeks ago, when I was trying to decide between the Linksys WRT54G and Netgear WGR614 wireless "g" routers on a security basis. I just wanted to say "thanks" for all the feedback. As you can tell from my recent posts, I've been playing around a lot with my wireless network to get the best performance and security out of it. All I can say is "This Rocks!", and I should have done this much, much sooner. But then again, I wouldn't have had the many benefits of having a "g" router if I bought "b".
Most people replied they didn't see much difference between the two models security-wise, but surprisingly many more favored the Linksys model, almost to the exclusion of Netgear. I ended up trying both of them thanks to a generous return policy at my favorite store. The security features were mostly the same, and while the Netgear had more user-friendly help screens and wizards, I kept the Linksys and returned the Netgear. Why?
The Linksys beat the Netgear router in wireless signal range alone, and it didn't hurt that it had two antennas to Netgear's one. Although Netgear definitely has the cooler-looking, more compact design, I'll take performance over looks any day. Also, the Netgear router's web interface didn't work well with my Norton Internet Security (NIS) firewall enabled. I had to disable my personal firewall just to reliably program the router. No problem with the Linksys, which incidentally ships with a trial version of NIS. The Linksys router also has additional encryption methods for supporting RADIUS and WPA key servers. While this is overkill for most home networks as these are usually enterprise solutions, it demonstrates a commitment to providing additional security features.
Last but not least, I really liked the fact that the Linksys firmware is based on Linux, and you know what that means. Yep -- open source. A little Googling led me to quite a variety of alternative open source Linksys firmwares offering a host of additional features. It piqued my interest that many included the ability to adjust the transmit power of the router up or down (something Linksys doesn't provide, presumably due to FCC limitations).
However, I've since learned that a number of recent Linksys firmware releases introduced some bugs. While this is not good, the open source community works very quickly to report them and come up with alternative solutions. This is nice in that affected users don't have to wait months for the manufacturer to fix the bugs (if ever). In this regard, open source really works, and I have to wonder if this is part of the reason why the WRT54G is such a popular wireless router.
Regardless, the Linksys WRT54G has performed admirably and reliably. Even though I've placed it down in my basement office to limit signal leakage to potential hackers, it covers my entire house and back deck -- even the rooms on the top floor, which are two floors up. Amazing. I'd recommend it with the shipping v. 2.02.2 firmware version with the firewall enabled to close a remote administration security hole. If signal strength is important to you, stay clear of the two latest firmware versions, as quite a few people have reported this problem. I experienced it firsthand when I tried it before going back down to 2.02.2. Still, it performs better than the Netgear router, so I'm pretty happy with it overall.
Thanks again to all those who responded with a recommendation.
Various Wi-Fi Security Technologies Explained
The Ziff-Davis Channel Zone has a good article explaining the differences between the new wireless networking (Wi-Fi) security technologies, such as TKIP, AES, and 802.11i, and alerts us to some of the latest Wi-Fi security holes and threats. Thus it's appropriately entitled, "Making the Most of Wireless Security". Great companion piece to my "Wireless Networking Best Practices: Version 2.0" article.
August 01, 2004
Wireless Networking Best Practices: Version 2.0
I've updated my Wireless Networking "Best Practices" to add even more things you can do to harden your wireless network against intrusion. Please keep in mind there is a diverse range of networking equipment available, and that this information is provided as a courtesy. I've taken considerable time to compile and publish this information, because I have not found any single good source for all of these items. It's grown into quite a compilation.
This is also mostly geared toward home Wi-Fi networks, but the concepts are adaptable for corporate networks as well. Thus, you choose to make all changes at your own risk. If your router or access point has an option to back up its settings, then I highly recommend you back it up before and after making any changes, as well as being diligent in documenting any changes made. If you don't want to be an easy mark for wardrivers or your neighborhood hacker, read on. It's worth your while.
First, you really must change many of the default settings. Hackers and wardrivers know them all, because there are web sites that publish them.
This means you'll need to access your wireless router's configuration screen. One of the easiest ways to do this is through your web browser, and while you should be careful in the settings you change, it's something even a novice can do. While this isn't an all-inclusive list of security measures, these are things most home network users can do with care:
Naturally, the more secure you make it, the less convenient the setup. But I'll take the extra wireless security anytime, because wireless networks are still horribly insecure compared to wired. But as you can see from the above, you can still do a lot to harden it against intrusion, and it doesn't take a networking guru for many of them. Wi-Fi itself is a tremendous convenience and enabler, if it's done right.
[Update 11.29.08: Please see my post, "Wireless WPA Encryption Component Hacked -- How to Protect Yourself" in light of the published TKIP vulnerability.]