My friends at Sourcefire shared a rather interesting experience about using an Internet-connected computer in an East African country. Broadband is still a dream there, and dialup is most certainly not cheap when it's charged by the minute.

Aside from just the experience of using the Internet on dialup--which I effectively did about 18 months ago during a move--there is a serious question about how up-to-date you can keep a computer when you have to download the multi-megabyte security updates over a non flat-rate dialup connection. The short answer: you can't.

In reality, no operating system is spared the pain of large updates. While Microsoft is bagged on for constant needs for updating, Mac OS X and Linux also have them. My last Mac OS X set of updates under 10.4 was over 200mb, which would take me more than 8 hours on a 56k line! Linux seems to require fewer updates, though it does depend on which applications you have installed.

Then, of course, there are the updates for the anti-virus and security software. I don't run anti-virus and security software on Mac or Linux, but you can bet that I do run it on all my Windows boxes. Yet more updates to be downloaded over a slower connection.

Between the third world and places in the first world where broadband hasn't reached yet, there is still a significant population on dialup. Even though these computers aren't online 24x7 like you are with broadband, the real security problems aren't blocked by the Windows Firewall that has been installed and enabled by default since XP SP2, it's the web browser.

I did find a clever-looking program called ForceField, which is focused entirely on web browser-specific protections. I haven't tried it, just yet, but I suspect once the acquisition of Nokia's Security Appliance is completed, it should be relatively easy for me to get a copy to try out for longer than a few days. ;)

While ForceField addresses a small part of the problem, I'm not sure there is a good solution to the general problem of pushing larger and larger software down a dialup-sized pipe. Even with the protection that ForceField provides, it's always a good idea to keep your operating system and applications up to date.

Several years ago, I purchased a domain for our family. Upon doing the prerequisite search, we ultimately settled on a .net name. Not our first choice, but it was what was available.

On 1 January, I got an email from a company called Zip Domains on my admin email address:

Our company specializes in acquiring expired domain names to help individuals and businesses protect their brand online.

The domain name XXXXXX.COM is expired and will become available soon.

We noticed that you own XXXXXX.NET and felt that you may be interested in acquiring the .COM version of your existing domain name.

We can assist in trying to acquire the domain name, as there are likely many interested parties competing for it.

There are no upfront costs, and the fee if we are successful is only $199 USD.

If you are interested, please let us know by January 3 at the latest.

Sorry, but someone tried to sell me the domain earlier in the year for less than that. Think I'm going to pay $199 to some company that spammed me? Fat chance!

At that point, I checked the whois registry and found the domain was about to be removed from DNS, just like they said. I figured, I'll wait a few days for it to be removed from the whois registry and try to purchase it through 1&1.

On the 9th, I got another email from Zip Domains telling me they had secured the rights to the domain and I could purchase it from them for only $99!

Our company specializes in acquiring expired domain names to help individuals and businesses protect their brand online.

The domain name XXXXXX.COM expired recently and we were able to secure it.

We noticed the you own XXXXXX.COM and felt that you may be interested in acquiring the .COM version of your existing domain name.

It is available for a one-time fee of only $99.00 USD.

To purchase or learn more, please visit http://zipdomains.com/buy.php?domain=xxxxxx.com

While the domain was still showing as being deleted in whois, when I checked the next day, it was available. I went into my domain control panel on 1&1 and ordered the .com domain for $8.99, saving me over 1000% what Zip Domains wanted to charge!

I thank Zip Domains for making me aware of the expired domain. However, there was zero chance I was going to pay above the typical registration cost for a domain, particularly for my family where the value of having "the right" domain is relatively low.

I have to wonder how many people fall for zipdomains "scam," buying a domain they could have had for the nominal cost if they waited a few days. It's not clear to me ZipDomains actually does anything to secure a domain name. The domain was either marked as "being deleted" or "not present" in whois when Zip Domains told me they had secured it for my purchase, so I question their legitimacy. (If someone from Zip Domains wants to rebut my statements, leave a comment below)

In short, beware of companies that are trying to scare you into buying a domain from them or send you "renewal" notices in the postal mail--that's my favorite one.

Reblog this post with Zemanta

At one time, I thought about doing my own site for "home user" network security. Nice to see my buddies over at The Academy doing it with The Academy Home. While the site is relatively new, they do have a few how-to videos available already, including installing a program I recommend wholeheartedly: K9 Web Protection from Blue Coat Systems.

I'd like to see some stuff on configuring Windows XP with non-admin users for your kids. I have to do this for my friends all the time. That right there makes it more difficult for a piece of malware that does get in to do any damage.

As I write this, I am still a Nokia employee. Yesterday's announcement did not change that, at least until the deal closes sometime in the next three months. Meanwhile, here are a few of the more interesting pieces that appeared online regarding the announcement.

I've been thinking about the compromise of President-Elect Barack Obama's mobile phone records at Verizon Wireless. Verizon Wireless recently fired the guilty parties, as they should. However, this is not the end of the problem. In fact, it's only the beginning.

As I work in a customer service organization, I understand the business need for customer service agents to have access to customer records. In order to provide quality service to a customer, access to their relevant data is vital.

How much access to that data is needed? Does every rep need access to all that data 24x7, anytime? The CISSP in me says absolutely not. Do companies properly control access to this data? Not in my opinion.

There are always going to be people who need access to all customer data, e.g. management or management designates. However, the number of people who have that level of access should be relatively small. All access to that data should be heavily audited.

For the lowly customer service rep--the people who typically answer the phone when a customer calls in--they should have access to the customer's records unless the customer provides a PIN of some sort. Without a valid phone number and the appropriate PIN, the customer service reps should not be able to pull up the records at all.

Of course, there are going to be exceptions to this rule, for example if a specific rep is working with a specific customer on a specific issue, but as a rule, only people with a valid business reason to have access to the customer data right now should have that access. This needs to be enforced by business process as well as the tools themselves.

Really, though, it's a simple matter. If you don't have a legitimate business reason for looking at customer data, don't do it. This has always been my policy back from when I was a systems administrator. Reputable customer service agents follow this rule, the good ones don't even have to be told.

Back to Verizon Wireless for a moment. While I know it is a matter of a few rogue employees and I feel they responded to the situation appropriately, it shouldn't have happened in the first place. A large telecom like Verizon Wireless should have systems in place to prevent this kind of "data leakage" already. Clearly, whatever measures they employ either weren't followed or were ineffective.

I hope that all telecommunications carriers learn from this experience.