
Showing posts from September, 2009

Windows vs. MacOS (or how to choose the least baddest)

On the opposite side of all the fanboyz and Redmond advocates, this article's author has it all right. It's not about choosing the best OS for your computer, it's about choosing the one that sucks the least, and attitude, of course. "Seriously, stop it. I don't care if Mac stuff is better. I don't care if Mac stuff is cool. I don't care if every Mac product comes equipped with a magic button on the side that causes it to piddle gold coins and resurrect the dead and make holographic unicorns dance inside your head. I'm not buying one, so shut up and go home." "Recently I sat in a room trying to write something on a Sony Vaio PC laptop which seemed to be running a special slow-motion edition of Windows Vista specifically designed to infuriate human beings as much as possible. Trying to get it to do anything was like issuing instructions to a depressed employee over a sluggish satellite feed." Yeah, well, he's right on both counts!

Twitter banking - is this for real?

Woke up this morning and almost choked on my breakfast. Vantage Credit Union goes banking through Twitter with myVantage. "With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7!" "So how is this mobile? If your phone can send and receive text messages and you're on Twitter, you're in! tweetMyMoney uses Twitter's Direct Message feature to return the account information you request." Wow! Is this the future or what!?!?! Note what that means: balances and transfer commands travel in Twitter direct messages, and by extension over SMS, so the bank is trusting the security of the member's Twitter account and phone number. The person who thought this up might not be the sharpest knife in the drawer... Check out the videos :-)

Google and the innocent victim

Why do I bother, and why am I still amazed at these stupidities in US court orders and their consequences? One more for you: Rocky Mountain Bank (or rather one of its employees) sent a mail to the wrong recipient at a gmail.com address, including personal information for 1325 customers. A big Oooops! This sends my brainwaves in one direction: why send that kind of information to a "nearly" anonymous mail server at all? I wouldn't send such a mail to anyone who doesn't have their mail in a "trusted" domain like @bankdomain.com or @solicitor.com. And why the h*ll would Google comply with a request to close that account? Is the person holding that account really liable for receiving such a mail? Is it really his fault that a dumbass sends him confidential mail? Where did he go wrong? Questions answered by this article. Yes... Google refused to close it down... and yes... Google complied with closing the account. Wow! Update 2009-09-30: And apparently the innocent ...

Botnet kraze

We are all aware that there are evil nets out there called botnets. We've seen them do bad things, like in Estonia a few years back and in Georgia during the Russian quick-fix invasion, and so on. Now two different studies of these beasts have come to interesting conclusions. Trend Micro has had a deeper look into the lifecycle of a botnet member, which might be a PC that has been a member for years. I just wonder if these are PCs forgotten in some attic or in a dark corner of a second-floor hallway? Anyhow, if you put this together with a new Damballa study, which states that 9% of enterprise companies' computers are part of botnets, it all starts to get scary. If these computers have not had updated AV/malware scanners or patches in months, let alone YEARS (!!!), where is the security? Do they have any processes concerning security at all? You can't just forget about 9% of a company's computers. This is ridiculous.

Facebook - bad, bad, bad

Wow! This guy is really out on a mission impossible. His FAXX project targets applications on Facebook, both internal and third-party, with the intention of making FB a safer place to be. All in all his eye-openers are being well received, as the applications are being patched. But as he also mentions, there will always be a 31st application with bugs and vulnerabilities.

What are your vulnerabilities?

Very, very interesting reading from SANS, as usual. We tend to focus a lot on vulnerabilities at the OS level, be it *nix or Windows, but forget about the stuff that runs on the OS: applications and web servers, Java, mail and whatnot. After reading this report you will hopefully begin to understand the implications of the one-track focus on operating systems and start looking up at the application level, where the threats are getting (or actually have been for ages) more visible. So start patching now!

More on Heartland breach

CEO Bob Carr of Heartland gave a webinar on September 15th stating that you should be very careful when choosing a QSA. "Don't just go out and grab the cheapest one" is the message (discussion during Q&A in the webinar). He is probably right, but what should the criteria be when choosing a QSA? Obviously you can't go by pricing. Are there any sites "classifying" QSAs? Carr states he paid $15k for a QSA to do their audit before the breach, and got a "go-ahead" from them after the audit. Apparently they didn't do their job too well. So after the breach Carr took in another QSA and said, "Just do your job, whatever it takes, find whatever vulnerabilities there are". Sorry to say, no price tag for that kind of work has been disclosed... I'd really like to know!!!

R.I.P. Keith Floyd

One of my all-time favorite TV chefs... well, calling Mr Floyd a chef is maybe too much. It seems he always cooked the same kind of stew, only with different ingredients in every program. But hey, that's OK, because he was such a personality. Always happy and never too late to admit he was hung over, again. But on the other hand, that's easily cured by another glass of wine... or aquavit... or whatever with alcohol in it. You will be missed!

PCI QSA GTK

I know... geeky headline. It got your attention though :-) When your company is being audited by a PCI QSA (look it up, but if you're accepting payments with credit cards you know what it is), most people just sigh and get frustrated. I found this excellent four-point action plan/advisory that will make your audit easier, if not a breeze.
1. Choose your vendor wisely
2. Lay the groundwork
3. Give the QSA access to key players
4. Don't treat the QSA like an enemy
Read more about it here.

Oh those avian carriers

Now this takes RFC 1149 a bit further. Usually the RFCs released on April 1st are a bit of a joke, but apparently Norwegians lack that gene and took it seriously. What is more amazing, they got it working (while I'm still struggling to convert my b/w TV to color with a little help from nylon stockings). I also seem to remember the olden days when the story went: "Where is the largest bandwidth over the Atlantic?", and the answer would be "When the US Army sends its backup tapes from Germany back to the US in Hercules planes". Don't know whether that is/was true, but a thoughtful story. Earlier this week Unlimited IT (South African) got frustrated with the bandwidth limits in the area, so they decided to put their trust in Winston, an 11-month-old pigeon trained to fly home when needed. This time the guys (I take it it is guys doing this type of geeky stuff) packed Winston's bag and beat the local ISP by running eights 'round the I...

Patch Tuesday September coming up

Microsoft's Patch Tuesday is approaching again. This time five critical updates, depending on platform. But it seems a few of them span the whole range of Windows releases, which suggests flaws in code shared across every Windows version. More information coming.

Facebook App Store?

Is the future of the social networks an Apple-like App Store function? It seems Facebook is heading there in an effort to enforce its API policy, starting with greylisting and warnings before accepting a third-party application as "Facebook compatible". MySpace might be going in that direction too. I'm not saying it is bad in any way; many friends on Facebook have been victims of worms in applications that sent crazy mail and messages to me. Always due to their curiosity about new applications, and who wouldn't be interested in the people who have a crush on you, or who visits your profile most often... Me? Naaaah, it only happens to the other guy :-)