Is Network Intrusion Detection Software Being Used Correctly?
Marcus Ranum: Is Network Intrusion Detection Software Being Used Correctly? (paper) [via Security Focus]
software development, security, opinion
Archive for March 2001
Joel Spolsky on Passport. “If you really trust any Internet company to protect your privacy, I’ve got a bridge to sell ya.” Joel is an ex-softie from the Excel team. [Scripting News]
Jacob Levy’s explanation of HailStorm, from the pov of independent developers. [via Scripting News]
Quoted in its entirety so you don’t have to join a Yahoo group to read it:
From: jyljyljyl@yahoo.com [email-via-yahoo]
Date: Tue Mar 20, 2001 0:44am
Subject: Microsoft Passport & HailStorm

It’s wonderful how some good food enables you to think again. Having had dinner and having reread everything I could find about HailStorm and Passport, here’s what I believe to be the situation:

- developers will be able to provide services that fit into the HailStorm service.
- some payment services will be supported, most likely the big three – American Express, Visa and Mastercard. We saw American Express in the press show.
- there will be no way to compete on the back end, to provide services such as identity management, authentication and such.
- service providers such as stores (ebay, amazon, the gap, lands end, etc.) will have to sign a contract with Microsoft to get access to the customers.

This is a very bold move on Microsoft’s part, a total morphing of the company from a software vendor to a service vendor. Any possible outcome of the current antitrust resulting in restrictions on how they do business is already totally irrelevant.

I have to say, it makes total sense and is a stroke of masterful tenacity on the part of Microsoft. They hope to achieve a snowball effect so that

- All users of the various Win32 OSes will automatically plug in to their HailStorm scheme. Scoble said something about WinMX users not being able to get on the ‘net without first signing in. Of course as a side benefit this will also stop software piracy cold.. Great!
- All Internet software developers will want to plug into their platform to get access to these users.
- All Internet B2C commerce vendors will want to plug into their platform to get access to these users.
- All payment schemes (Visa, etc., and your favorite Internet bank) will want to plug in.
- As a result of all this, Microsoft is sitting pretty in the middle of this spider web collecting a nonce on each transaction.

The most telling part of this is that none of the protocols are currently open. Of course they’ve sprinkled some magic fairy dust on the whole business by repeatedly saying the XML and SOAP buzzwords. I’m not going to hold my breath waiting for Microsoft to publish the protocol they’re implementing between the PassPort server and the American Express payment clearance server, for example. Doesn’t matter what it’s written in, XML and SOAP or ancient Greek on papyrus, it’s not going to be open.

Methinks it’s time to move on beyond this venting and think what we’re going to do about this. As I said in the start of this thread today, we don’t need Microsoft to implement any of this.

Microsoft: “All your data is belong to us”.

–Jacob Levy
Hailstorm:
Transcript of the Microsoft press conference today. [Scripting News]
Canonical XML now official. Canonical XML, a technology particularly important for implementation of XML-based digital signatures, has been released as an official W3C Recommendation. [xmlhack]
Useit.Com: From June 25, 2000; Jakob Nielsen:
The Network is the User Experience [Tomalak’s Realm]
See also:
July 23, 2000: End of Web Design
OpenWall just published a security advisory entitled Passive Analysis of SSH (Secure Shell) Traffic. This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information (basically password lengths) by passively monitoring encrypted SSH sessions. Fix information, patches to reduce the impact of traffic analysis, and a tool to demonstrate the attacks are provided.
[OpenWall]
White paper: Microsoft HailStorm. “Support will also be included for integration between Windows authentication and Passport authentication of users, so that a user logged onto Windows XP will also be logged onto Passport and therefore able to receive their HailStorm services.” [Scripting News]