
Archive for the ‘general’ Category

vulnerability disclosure response time

Thursday, March 5th, 2009

A few months ago I found a XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give). Here’s the timeline of what’s happened so far:

  • Dec 18 2008 – I sent an email informing them of the problem, and showing them what was needed to replicate it.
  • January 8 2009 – They sent me a response saying they were “evaluating and will get back to me”.
  • Feb 12 2009 – I sent a follow-up email asking what’s going on.
  • March 5, 2009 – I get a response saying that they have verified the issue, and are working on a fix.

So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.

ID theft and credit cards

Monday, August 11th, 2008

Over the last few days there have been a lot of headlines about how the US has cracked the biggest ID theft ring ever. Frankly it’s a load. Biggest? Perhaps. ID theft? Only by the worst definition. The suspects in question are alleged to have stolen 40 million credit card numbers by breaking into retailers’ networks. (Most notably the much maligned TJ Maxx). The problem is that the US government defines stealing a credit card number as identity theft. This is the most inclusive definition but it’s also the worst. If someone steals your credit card number you simply cancel the card and are not held responsible for the fraudulent charges. No one can wreck your credit score or open a line of credit in your name. (For that they usually need your social security number.) Including credit card numbers in ID theft numbers artificially inflates them and makes for great scare tactics from companies like LifeLock, but doesn’t actually measure the real risk to your credit score. Some organizations have no vested interest in scaring you (like the Privacy Rights Clearinghouse), but most simply use the largest and scariest number possible. It’s time for this tactic to stop. Stealing someone’s credit card number is not the same as stealing their identity, and if reliable crime statistics are important, then we need to stop equating the two.

George Carlin and airplanes

Tuesday, July 15th, 2008

I don’t want to spend a lot of time bashing airport security, if only because it’s a little bit like shooting fish in a barrel. Every security expert, regardless of background, knows it too. However, should I be worried that George Carlin is making more sense than TSA?

this is what a botnet looks like

Tuesday, May 13th, 2008

For those of us who like to be able to represent everything graphically, this is what a botnet looks like. Researcher David Vorel mapped interconnected, bot-infected IP addresses and created this geometric representation. If you’re at all interested, it’s a very good way to understand the command and control structure of a botnet.

The post about the blog

Sunday, March 16th, 2008

When I first started my website, I bought this domain with the intention of it being an information security focused site. I initially wanted to stay anonymous, using only my first name on the site, and I even kept the content outside of the blog updated for the first few months. (This is when I was in grad school and had the time). The blog ended up being more personal than I originally intended, the content updates lapsed, and since only my friends were reading it, anonymity became an afterthought. When I was getting married a few years ago I pointed the web domain www.elias-bachrach.com (which I had previously only used for email forwarding) at my site and created a wedding directory. This way I could have wedding related content on the www.elias-bachrach.com domain. The unforeseen consequence of this was that I had now merged my personal website and what was initially supposed to be my professional one. That problem has now been rectified. Over at www.elias-bachrach.com I have a family webpage replete with pictures and have moved the blog over. This site will become what it was originally supposed to be – a site focused on information security. I probably still won’t be updating the content any time soon, but I will at least have the blog.

All the web design work (except for some details) is done. I’ve updated the DNS entries for elias-bachrach.com, and as soon as it propagates across the internet, you’ll see the site switch over. This blog here will essentially be starting over from scratch with this post.
