[ April 2008 ]

Dear all,

This month there's a bit of everything: security, the start of our applications series, ODF in the news, Facebook and more security.

- Google and Hotmail Security
- Applications series part 1: management/monitoring
- ODF news
- Facebook
- Self serving security vendors
- What is Open Source?
1. Google and Hotmail Security

Webmail services have been very popular since Microsoft started its Hotmail service way back when. Lately, Google's GMail seems to be the heavy hitter on the block and the services provided are certainly very useful, among them IMAP-based email, calendaring, VoIP and mapping. However, putting your faith in an online service for something as important, and often private, as email is not always the best choice.

Most online services make use of a graphic system called CAPTCHA ( wikipedia ) for registration purposes. Besides the login details and some personal stuff, a distorted graphic is shown and the user is asked to type the contents of the graphic into a dialogue box. The idea is that only a human with suitable recognition can understand the contents of the graphic. The reason for using CAPTCHA is that a lot of spammers make use of online services with email capabilities to do their spamming. So CAPTCHA is a method for stopping automated registration of accounts, and therefore spam.

Recent efforts by spammers have resulted in significant strides being made in the cracking of these systems. Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A few weeks later, Gmail's version followed suit. In just over a month's time, some anti-spam vendors were forced to completely block these domains as bots signed up for thousands of bogus accounts and began to flood the internet with e-mail advertisements for lottery tickets and watches amongst other things. To make matters worse, Websense Security Labs is now reporting that the method for getting around Windows Live Mail's CAPTCHA has been improved to the point that a bot can decipher the text and make a guess in less than six seconds, on average. The result is that a lot of email originating from GMail/Hotmail is now being blocked by corporates and ISPs as these email domains are no longer 'safe'.
For the end user, this means that when they send email to non-GMail/Hotmail users, their email is likely to be dropped or bounced. This is unfortunately one of the disadvantages of using a popular online service: CAPTCHA is no longer a barrier to automated systems. Better images and improvements to CAPTCHA can prolong the inevitable, but perhaps it's time to look for an alternative. In the meantime, make sure you're not using these types of services for business-critical emails, as you might find your email being sent to a dirtbin somewhere in the ether.

2. Applications part 1: management and monitoring

Systems and network monitoring can be a very useful tool in both tracking down issues and automating the checking of systems for health. Imagine checking 50 servers one by one for disk space, memory usage and running processes; doing that by hand would be a serious waste of resources. Thankfully, M&M applications can take care of a lot of the grunt work involved with these types of requirements.

Nagios, Groundwork and Zenoss provide frameworks for setting up profiles and policies for the monitoring and management of servers, devices, applications and services, and also provide in-depth alerting and notification of faults. Both Groundwork and Zenoss are available in commercial and non-commercial versions.

Groundwork is a fairly full-featured application and it's best to dedicate a machine running CentOS to it. Features include:

- Manages operating systems (Linux, Unix, Windows, others), applications, and networked devices
- Avoids vendor lock-in and provides greater flexibility than a closed-source monitoring platform
- Unifies proven open source with existing legacy management systems in an extensible SOA-based architecture
- Offers enterprise-level availability, performance, and operational efficiency at a fraction of the cost normally charged by proprietary vendors
A functional comparison can be found here.

Zenoss, like Groundwork, is also complex and a dedicated server would be useful. Features include:

- Inventory & Change Tracking
- Availability Monitoring
- Performance Monitoring
- Event Management
A feature comparison is available here.

Nagios is the grand-daddy of OSS M&M applications and sports a plugin architecture for extending its ability to interface with applications and devices. Everything from MySQL to Network Appliance and Fortinet is supported. If you have a programming inclination, the API is available to create your own plugins, without product cost.

Monit, although basically a monitoring application, has another interesting use: based on the monitored status of a process, it can start, stop and restart that process. Parameters include the time to wait between the fault of an application and its restart, how many times a check must fail before a fault is declared, and the time between checks. Everything from disk space to CPU/process utilisation and availability of services can be checked. A dashboard shows the system's current status, and email notification is available when a problem has occurred and Monit takes action. Only Linux systems are currently supported though.

3. ODF news

As announced in Tectonic recently, the SABS has officially approved ODF as an official national standard. The adoption of ODF by South Africa opens the way for businesses and government to adopt ODF more widely in their processes. ODF is already an international standard, approved by the International Standards Organisation, or ISO. The South African government had previously already adopted ODF as one of the standards for government communication.

4. Facebook

Social networking may be a household phrase these days, but its actual usefulness beyond collecting tons of friends you've never met or wasting time with mini-games is debatable. The phenomenon that is Facebook keeps on gaining traction like a big juggernaut that's just about in control. Recent changes to the system now include advertising specifically related to certain Facebook apps or the base product itself. The biggest issue to date is the fundamental idea of social networking: privacy.
Normally, one would like to remain fairly inconspicuous and keep information private, but more than ever before, people are baring not only their souls on Facebook, but their private information as well. Recent vulnerabilities in the system have resulted in Facebook apps or widgets automatically installing spyware onto machines. Some apps are also feeding user stats and information back into their systems for either ad-related targeting ( without user consent ) or outright spamming. Users of the site have been finding their off-Facebook web activities - such as purchases at online retailers, reviews at other sites, and auction bids, among other things - being broadcast to their friends without their consent. The moral of the story is: be very careful of the information you provide to social networking sites. You would be surprised at how fast it can be misused.

5. Self serving security vendors

Vendors are inventing self-serving security models to make their customers believe they need their product to eradicate a threat which doesn't necessarily exist. There is a huge amount of hype that is continually thrown at end users and corporates in the areas of anti-virus, online threats and spyware. Yet some of the malicious threats in the online world can be thwarted using good security practices rather than a specific product. Vendors are trying to give users a good feeling about their security even though, practically, the user has gained nothing extra from a security point of view. Look through the hype and make a decision on product purchases based on the facts.

6. What is Open Source

Open Source is an idea that came about as a result of the split in programming paradigms in the early 80s. Free software was already available ( and public domain, shareware ), and in fact it wasn't until Microsoft introduced MS-DOS that the proprietary software methodology became popular.
Wikipedia says: "The open source model of operation and decision making allows concurrent input of different agendas, approaches and priorities, and differs from the more closed, centralized models of development. The principles and practices are commonly applied to the development of source code for software that is made available for public collaboration, and it is usually released as open-source software."

In effect, open source is a methodology for creating content which includes software, video, audio, documentation and others. Participants ( users, developers, creators ) can modify these products and give them back to the community. Most people associate open source with Linux, but Linux is only a part ( albeit a big part ) of the open source ecosystem. Creative Commons is a project involved in essentially the open sourcing of documentation. YouTube and other social network systems are incubators for open source video and audio content. And so on. Whereas Open Source is generally associated with software, it is actually the idea of community and sharing that can be applied to most areas. And if you think that it doesn't affect you, think again: the largest digital construct on the planet ( the Internet ) is based and built on open source software.

a. If anyone has topics of interest they would like covered, please email your requests and suggestions to [e-mail address protected on the original page].

b. Please email [e-mail address protected on the original page] if you would not like to receive this bulletin.
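As an added worked example for the Nagios plugin API mentioned in section 2 (management and monitoring) above: the code below is my own illustration, not Nagios's code and not part of this bulletin. It assumes the standard Nagios plugin contract, which is that a plugin prints one status line (optionally followed by `|` and performance data) and exits with 0 for OK, 1 for WARNING, 2 for CRITICAL or 3 for UNKNOWN. The plugin name check_disk.py, the default thresholds of 80% and 90%, and the use of Python's shutil.disk_usage to read the filesystem are all my assumptions.

```python
#!/usr/bin/env python3
"""Minimal Nagios-style disk-space check plugin (added example, not Nagios's own code).

Nagios plugins communicate through a small contract: the first line of stdout is
a human-readable status, optionally followed by '|' and performance data, and the
exit code is 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN).
"""
import shutil
import sys

# Exit codes defined by the Nagios plugin contract.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def classify(used_pct, warn_pct, crit_pct):
    """Map a usage percentage to a Nagios state.

    Thresholds must satisfy 0 <= warn <= crit <= 100; anything else is a
    configuration error and is reported as UNKNOWN rather than silently
    treated as healthy. CRITICAL is tested before WARNING so that equal
    thresholds resolve to the more severe state.
    """
    if not (0 <= warn_pct <= crit_pct <= 100):
        return UNKNOWN
    if used_pct >= crit_pct:
        return CRITICAL
    if used_pct >= warn_pct:
        return WARNING
    return OK


def format_output(path, used_pct, warn_pct, crit_pct, state):
    """Build the status line plus performance data in Nagios's 'label=value;warn;crit;min;max' form."""
    return "DISK %s - %s %.1f%% used|used=%.1f%%;%d;%d;0;100" % (
        LABELS[state], path, used_pct, used_pct, warn_pct, crit_pct)


def check_disk(path, warn_pct=80, crit_pct=90):
    """Measure a filesystem and return (exit_code, output_line).

    Errors reading the filesystem are reported as UNKNOWN so that an operator
    sees the failed check instead of a misleading OK.
    """
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        return UNKNOWN, "DISK UNKNOWN - cannot stat %s: %s" % (path, exc)
    if usage.total == 0:
        return UNKNOWN, "DISK UNKNOWN - %s reports zero total size" % path
    used_pct = 100.0 * usage.used / usage.total
    state = classify(used_pct, warn_pct, crit_pct)
    return state, format_output(path, used_pct, warn_pct, crit_pct, state)


if __name__ == "__main__":
    # Usage (assumed plugin name): check_disk.py PATH [WARN% [CRIT%]]
    args = sys.argv[1:]
    mount = args[0] if args else "/"
    warn = int(args[1]) if len(args) > 1 else 80
    crit = int(args[2]) if len(args) > 2 else 90
    code, line = check_disk(mount, warn, crit)
    print(line)
    sys.exit(code)
```

Nagios only looks at the exit code and the first line of output, so the whole integration is the pair returned by check_disk; the performance data after the `|` is what lets Nagios (or its graphing add-ons) trend the value over time rather than just alert on it.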