kdmurray.blog

The crossroads of life and tech

Tag Archives: Security

Why (and How) to Unshare Your iTunes Library

When I checked into the hotel tonight, I fired up my macbook on the provided (hardwired! gah!) Internet connection and went about my evening routine (blogs, pocasts, email, twitter… you know the deal).  When I popped open my iTunes to crank on some tunes something came to my attention:  There was a remote library showing in my iTunes.

At first, I gave “John’s Music” very little thought, I was listening to a podcast at the moment and wasn’t interested in investigating.  However soon after, when the show ended, my curiosity got the better of me and I went for a peek.  The music itself wasn’t all that amazing, but upon closer inspection I noticed something else.  I realized that I now knew far more about John than I thought I would and just from looking at iTunes.

Based on primarily his playlist names, and to a lesser degree the content, I was able to deduce:

  • John’s last name
  • John’s wife’s name
  • John has two daughters
  • John’s daughters’ names
  • John owns an iPhone
  • John’s wife owns an iPhone
  • John is from the US
  • John’s daughter (presumably the eldest) has an iPod Shuffle
  • John is highly spiritual and a Christian

Those are some pretty crazy personal details… and they were all there for the taking right out of a publicly shared iTunes folder.

How do I Un-Share?

It’s actually ridiculously easy…

First, go to your iTunes Preference Panel… Second, unselect the “Share my library on my local network” checkbox.

Now I realize that this may seem a drastic step for those who only ever use their iTunes at home.  But if you travel, or make use of open public wi-fi hotspots (or poached ones) your iTunes library could be giving away personal information without you even knowing it.  It also illistrates the point that not all Apple products ship in a “secure” mode as often touted.  It’s not out-of-the-box functionality, but it isn’t difficult to poach files out of someone’s iTunes folder if they’re DRM free…

Virus Hunting — Avast + Unlocker

After a somewhat brief Aikido class tonight I was enlisted by Crow to help rid a Vista machine of the Vundo trojan which found it’s way onto the machine (prior to Avast being installed).

Avast did a great job of finding most things and cleaning them up.  What it had trouble with was a few DLLs that were in use by the executing trojan.  I was pointed toward Unlocker to free the DLL’s of their executing process and remove the lock that windows places on these files.  Once the file was unlocked, it was able to be deleted by Avast and all was well.

(Photo Credit: bigux on Flickr)

Visual Studio 2005 on Vista Requires Admin Rights

I finally got the chance today to get back to working on PowerTray, this time with my Visual Studio 2005 installation on my Virtualized Windows Vista setup.  The first thing I ran into was this warning dialog:

VS2005 requires admin permissions

To me, this is the kind of issue that shows immaturity in the OS.  Though it is possible to run the environment without full-blown admin permissions, some of the functionality of the environment is limited as a result.  There is an MSDN article on the subject which outlines the difficulties that are faced without admin rights.

Most of the problems are only resolvable by running VS2005 using administrative permissions.  Ross Dagan has a post on his blog on just how to set this up using the VS2005 shortcut.

Admittedly this is just another front in the battle between security and usability.  I understand why most of the security features which cause these issues exist in Vista, and admittedly the option to run only Visual Studio in administrative mode does keep the computer quite secure.  It’s just disappointing that there isn’t a more elegant solution.

AntiVirus software lacking effectiveness

At the recent AusCERT 2006 Conference, a survey was published by Graham Ingram general manager of the Australian Computer Emergency Response Team (AusCERT) which discussed the effectiveness of several leading anti-virus products.  The survey states that an average of 8 in 10 threats are getting through the protection that these products provide.

Some research done by ZDNet Australia’s Munir Kotadia in a series of articles notes that the three top products (by market share) in 2005 were Symantec’s Norton Antivirus, Mcafee Virusscan and Trend Micro VirusDefense.  If the survey results are accurate, or even partially accurate, that could mean that running even two of these security defense products at once may only provide a 20%-40% protection.  Not exactly a comforting thought.

So where does this leave us?  Do we need to install three, four, five anti-virus tools?  Or should we just throw caution to the wind and not bother with anti-virus tools at all… after all what difference does it make.

The survey makes two interesting observations.  The first is that the quality of malware is improving.  The authors of the trojans, spyware and other threats are improving the methods that they use to attack and infiltrate our systems.  The second is that the threats are targetted very specifically.  Gone are the days of teenaged script kiddies who use primitive means of trying to attack or scam people.  Easy enough to detect and clean.

Today’s threats masquerade themselves as useful tools or applications.  This makes them more difficult to detect.  One such example is SpySherriff which though it must be manually installed purports to find various problems with the system and prompts the user to purchase a full copy of SpySherriff.

The vast majority of these threats are targetted at Windows systems.  Why?  Because nearly 90% of people who use the Internet, do so in a Windows environment (courtesy w3schools.com).  So if you were writing software for the home user (be they legitimate or malware) what platform would you target to get the largest number of people to use or see your application??  This puts the comments from Charlie White on Gizmodo in perspective.  When he discusses this subject he sums it up by saying: “Get a mac“.

I don’t want to get into the details of the Windows vs. Linux vs. Macintosh debate here, but let me say that yes its more likely that you’ll get infected with a Windows System.  Thats not a fault of Windows itself, just that the vast majority of threats are written for windows, and initiated by the end-user most often unwittingly.

I know we’ve all heard them before, but come on people some common sense!

  • Don’t download programs if you don’t know where they’re coming from.
  • Don’t open email attachments unless you’re 100% sure of the source, and you’re expecting the file to be sent.
  • Do install some sort of firewall product (Windows firewall works too) to help block unauthorized activity

So what does it all mean?  Well, Virus scanners aren’t perfect (duh), but we already knew that.  Should you use one?  Yes.  Should you use more than one?  It won’t hurt (except for system performance).  Will it help you if you open anonymous email attachments, or don’t use some kind of firewall? No.

Google Webmaster Tools

Well I just found these a few days ago, and thought it might be interesting to keep track of… If you have a website that you manage, you can set up an account with Google where you can track the status of your pages and see how “easily findable” you are. Google’s set of (somewhat barebones) monitoring tools give you an idea of how well your site rates within Google’s internal search indices.

Remember: one of Google’s top rating mechanisms is pages that link to you or “inbound links” from its other indexed pages.

Security vs. Functionality

I’ve been trying to decide whether or not to implement some “security” measures in Chromium Blog Project. The three that are causing me the most grief in terms of a decision are:

  • Allowing HTML in Posts
  • Allowing Anonymous comments/responses
  • Putting some sort of image in to restrict automated account creation & logins

Right now, I’m coming down on the side of putting in place an HTML editing tool like FCKEditor for the Post/Comment editor. This would allow full formatting, and I could strip out

script tags and the like… If anyone has any thoughts on the Security v. Functionality debate, I’d love to hear them…

…back to the vortex…