State of the Malware Nation

It’s a couple weeks old, I know, but for anyone who hasn’t seen it, Google’s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they’ve observed in malware hosting and distribution.  Aside from a troubling pre-occupation with CDF graphs, it’s a really interesting look at the way malware networks are spread through the internet.

I found this snippet interesting:

We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* — 61.* and 209.* — 221.* network ranges.

Our results show that all the malware distribution sites’ IP addresses fall into only 500 ASes. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS).  The graph further shows the highly nonuniform concentration of the malware distribution sites— 95% of these sites map to only 210 ASes.

But I think this is the big takeaway:

Malware Landing Site Distribution

Because malware is being distributed via ad networks more and more, it’s no longer safe to assume that you’ll be okay if you just avoid the seedy parts of the net.  And because it’s no longer requiring user interaction in a lot of cases, the old-school “don’t run executables from random websites” best practice might not be enough either.  To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.

And lookit, the Firefox 3 beta is right over here.

What happens when your job is also a hobby?

I took a vacation day yesterday, since I had a bunch of appointments piling up, and figured it would be best to just blitz.  In the evening, I was sort of fiddling around, and built this:

PDB v1

It’s probably only interesting to people who find performance monitoring interesting, but I like having it around, even in its very rough condition.  I would love to include the Talos graphs in there, since Talos data is a lot more relevant than the oldschool tests, particularly around pageload.  Nevertheless, it beats clicking a hundred different links off the tinderbox waterfall, and it was a fun excuse to play with a tiny bit of jQuery too.

Johnath’s Performance Dashboard – Trunk

[PS – NSID Day 12 – pretty damned shaggy.  Itch might be subsiding though!]

It’s On.

Firefox RacerAs announced Very Early In The Morning (EST) today, Firefox 3 Beta 1 is now live.

There is some appropriately scary text there about not downloading it unless you are a developer or a tester, and that’s good text to have, because we wouldn’t want people treating this like a final release BUT it’s pretty awesome, and if you don’t mind living a little bit on the edge, you should check it out.

There are a ton of changes, and as I’ve said here before, a lot of them are subtle.  I want very much to point out a bunch of them, but I also don’t, because I want to know what unprimed minds think of it.  I’ll leave it up to you – if you want to see a (non-exhaustive) list of the kinds of changes we’ve made, you can check the release notes.  If you don’t, skip straight to the announcement and grab a copy.

Once you’re on the beta, you’ll get updates as new betas come out, just like you do with Firefox 2 when we release security and stability updates.  Running the betas and letting us know what you think is a great way to help the project, even if you’ve never tried programming.  You’re a human and a web user, that’s as much expertise as we need.

Airport Security 2 for 1!

nedrichards' playmobil photoTwo interesting (if longish) articles lately on airport/airplane security:

1. A pilot on airline security

2. An interview between Bruce Schneier (Security Dude) and Kip Hawley (Head TSA Dude)

Both are, I think, interesting reading; and both avoid the Designated Stupid Zones (“Airport security is useless” and “Whatever it takes to Fight Terror”) at the polar ends of the debate.

Neither of these articles is directly related to Mozilla, but enough of my co-workers travel regularly that I’m gonna tag it that way anyhow, so that it shows up on planet – where our blogs all hang out and play together while we’re at work.

[Special thanks to nedrichards for the photo – I’m keeping this one around.]

SSL Infoporn

mac_steve infoporn600,000.  According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.

I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample,) they are surprised.  I think mostly they expect the number to be higher.  And in actual fact, it probably is, at least a little bit.  I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives.  Nevertheless, it’s probably the right order of magnitude.  There are almost certainly less than a million, for instance.

Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment.  Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.

I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations.  In the last couple weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!” Continue reading “SSL Infoporn”

There goes that analogy?

So Medeco Locks, often cited as the unpickable-in-practice lock, can be picked.  Not just picked, bump keyed.  I guess that’s sad if you’re Medeco, though I suspect that in their heart of hearts, they know as well as I do that lockpicking thieves are rarely the high-probability threat.

I don’t know if there are vendors out there calling their solution the “Medeco of internet security” but I suppose they’ll want to stop, if so.  The nice thing, though, is that the whole fracas is a delicious example of General Security Maxim #6:

If your product is unbreakable, you are wrong.  Also, here comes the breaking.

If you suffer from this tendency to overstate security claims, I’ve created a motivational poster to help you remember.

(Thank you johpan for the ostrich, and flickr toys for the insta-motivate.)

Tales of Comeuppance

Crying BabyOne of my cognitive science profs used to have a bit of a soft spot for evolutionary psychology and it is from him that I developed my love of “cheater detection.” If you’re an evolutionary psychologist, see, a lot of the righteous indignation you see from your fellow simians out there in the world is traceable quite directly to a part of our psyche which is tweaked powerfully by the feeling that someone is cheating – acquiring benefit without paying expected costs. It really gets us riled up, on a very primitive level.

It makes sense, of course. Cheaters in a social species will act in ways (eating other people’s food, making sweet sweet love to other people’s lady friends, etc) that allow them to acquire huge positional benefits within the group unless there are powerful repercussions like ostracism or worse.

So lo and behold, here we are with all this evolution behind us and wouldn’t you know it, our brains are wired such that someone jumping the queue at Walmart or trying to pass a traffic jam on the shoulder is taking their life in their hands. It is rarely the case that I am pro-homicide but in the case of those inveterate jack-offs that pull into the lane which they know is ending right up ahead, and which will only gain them 3 car lengths, but will slow everyone down when they force themselves back in, I am more than a little inclined to make case-by-case exceptions.

Thus, as a public service, in this time of charity and co-opted pagan solstice rituals, I have put together a list of three of my favourite recent stories of cheater-busting. These stories are cheater-detection catharsis. You can go ahead and pump your fist at the end and say “Yes!” under your breath. I won’t tell.

1. What’s Noka Worth? Noka Chocolate is a hyper-elite brand of chocolate which gets packaged into gift baskets at the Emmys and so forth. Rarest of the rare cacao, hyper pure, no additives, blah blah blah. I will not be the one to impeach a company that focuses on quality for being elitist – quality is a legitimate thing after which to strive, and a legitimate thing for which to charge a premium. But at $2000/lb, you should be able to demonstrate some actual value add.

2. The Tale of Lyger, Jericho, and Republican Congressional Aide Todd Shriber. Todd decided to hire a “hacker” to change his GPA at Texas Christian University. Too bad he ended up emailing a couple of the guys running attrition.org which, like most sites which chronicle network security news, are used to being solicited by idiots, and tend to have some fun along the way. After you read the blog post, you can read the actual emails here (or, since attrition is under almost constant attack by one party or another, the cached version).

3. Reverse 419 Artwork Scam. Okay, I confess this isn’t as recent as the other two, but I have a lot of love for 419eater.com. These guys respond to the 419 scam emails from Nigeria and elsewhere and, by acting as interested parties, get the scammers to perform in various silly ways. Usually it’s restricted to requests for religious conversion or even getting the scammer to send some money themselves but this is my absolute favourite. I won’t spoil it or anything, but if you only read one, read this one.

Spiritus Frumenti

eBay and I have a relationship that is more flirtation than passion. Of course I know how sexy it can be. Of course I want to get to know it better. But eBay is an expensive mistress, so my feedback is a withered little 5, because I rarely actually buy the things there that I covet.

I am, however, so thoroughly chuffed with a recent purchase there that I must share. Thanks to the kind auspices of ginger.1 I am the proud owner of this:

Prescription (small)

It’s a prescription from December of 1924. A very special prescription, printed on a very special prescription pad issued by the U.S. Treasury department. It’s a prescription for Spiritus Frumenti, filled in Providence, RI. This is exciting for me, because 1924 is right in the middle of prohibition and Spiritus Frumenti, as the Latin geeks have no doubt already ascertained, is whiskey.

I have always loved old paper, but I am particularly fond of old paper which reflects old ways of thinking, and reminds me that people have always been crazy. This one is particularly great because it also reminds me that people have always been wily about wrangling their way around government prohibitions of things that are fun. And as you all know, I’m a real fan of people.