Nick Barron

The laws on illegal downloading are due for a much-needed update, so make sure your voice is heard. Researchers have uncovered a number of ways attackers could force a PC to cold boot. Better keep that heating on. All the encryption in the world won't keep information safe if the people handling data don't think about security. USB devices are getting smaller. That also makes them easier to lose, yet most still have no decent encryption. Yet another politician has suggested that blocking the web can save us from terrorists. If only life was that simple. Our instinct is to fix bugs when we come across them, but sometimes that can cause more harm than good. Don't take log files as absolute truth. They're only as reliable as the systems that generated them. The idea that you can stop consumers copying electronic media doesn't hold water. But people will still try. User feedback can provide free online consumer research and security reports, so why is it impossible to leave any? Security commentators, myself included, regularly comment on the security patching cycle and the problems associated with it. What we tend not to do, though, is comment on the ‘patching' problem for physical security systems.

Most of the best ideas in IT security – indeed, security in general – have been around for a long time. One that is all too often forgotten is the concept of “least privilege”, or using the bare minimum level of access to get the job done.

If you’re paranoid like me, one of your regular daily routines will be a check of your corporate anti-virus to make sure that it is receiving updates regularly. This is not an unreasonable precaution; several times I have seen major brand products silently go into a sulk and stop talking to the update server. The UK’s main law against IT criminals, the Computer Misuse Act, is 16 years old this year. The Act has received plenty of criticism, and led to only a few prosecutions, but recent interpretations and proposed changes are worrying. IT security is one of the few professions where getting caught in the act, so to speak, can be the start of a great new career. Recently, there have been a number of high-profile cases of “poacher turned gamekeeper”, with virus writers being hired almost from the court steps. Everybody loves a good conspiracy, whether it’s alien invasion or security services’ plots to subvert governments. There seems to be no protection against such fascinations with increased education or intelligence (see, for example, Michael Shermer’s book Why people believe weird things). The latest SANS "Top 20" vulnerability list was released recently. While it needs to be taken with a pinch of salt, it did come up with an interesting observation. It seems the focus is shifting, from holes in OSs to those in applications.

Quality-assurance audits are a bit like visits to the dentist; you know you need them, and that they will do you good, but that doesn't make the day itself any more fun. A recent audit I was involved in brought with it the usual flurry of activity to close off outstanding actions and generate the relevant reports.

The end of August also saw the end of Phrack magazine (www.phrack.org). Or did it? There are rumours about a revival, but Phrack as it stands has breathed its last.