October 23, 2006
You Thought Your Password Requirements Were Tough
I ran across this on the Microsoft support site:
If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message:
Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords.
Read More: D' Oh!, Windows
August 11, 2006
Symantec Won’t, Will Whine About Microsoft
News.com brings us two stories about Symantec and Microsoft. The first declares that “Symantec won’t ‘whine’ about Microsoft” and includes statements from Symantec CEO John Thompson like:
We’re not looking to go whining to the EU or the DOJ for anything
Essentially the message is, “we’re not scared of Microsoft entering the security market.” Just making the statement means they are, but that’s another point. But what’s even funnier is that in another story on News.com today, they go on to whine about a new Microsoft technology called PatchGuard that protects the kernel on 64-bit systems:
“PatchGuard is hurting security vendors more than it is hurting malware writers,” said Bruce McCorkendale, a chief engineer at Symantec.
The story goes on to say:
Indeed, Symantec is playing the anticompetitive card for the first time. The Cupertino, Calif.-based company had said it would beat Microsoft by using its security wits as long as the competition is fair. Now the fairness seems to be gone, McCorkendale said.
So, in summary, Symantec will not whine to the DoJ or EU about Microsoft, just to the press. I for one am ready for Symantec to stop trying to grab headlines about technology that hasn’t hit the street yet and start fixing the problems we have today.
Read More: Anti-Virus, D' Oh!, Windows, Rants
July 17, 2006
McAfee: Ooops, We Patched It
McAfee claims to have “accidentally” patched a major vulnerability in their ePO management server agents.
“We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week,” Viega said. “We were optimizing the system, not looking for security vulnerabilities.” The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.
It’s bad enough when security vendors have vulnerabilities in their product. It’s even worse when they don’t realize they were fixing a flaw.
Of course the real irony is that eEye is a McAfee competitor. If only McAfee had a division that discovers vulnerabilities in applications… Oh wait, they do.
Read More: Anti-Virus, Patching, D' Oh!, Vulnerabilities, Spyware
June 15, 2006
Thumb Drive Found in al-Zarqawi’s Pocket
Thankfully the former head of al-Qaida in Iraq hadn’t discovered laptop or flash drive encryption:
Al-Rubaie said a laptop, flash drive and other documents were found in the debris after the airstrike that killed the al-Qaida in Iraq leader last week outside Baqouba, and more information has been uncovered in raids of other insurgent hideouts since then.
He called it a “huge treasure … a huge amount of information.”
When asked how he could be sure the information was authentic, al-Rubaie said “there is nothing more authentic than finding a thumbdrive in his pocket.”
Well actually I have every confidence that the NSA could have read it anyway, or at least cracked his password (I’d start with 1nf1d3lsMustD13).
But let this be a reminder that your organization should always encrypt its strategic information (or, as you were thinking of it, its plans for world domination).
Iraq Announces Info From Al-Zarqawi Raid [AP / myway news]
Read More: Threats, Crypto, Passwords, D' Oh!, Investigations, Government
May 26, 2006
VA Data May Cost $500 million to Clean Up
If you haven’t been under a rock, you’ve heard about the theft of the personal data of 25 million Americans from the home of a Veterans Administration employee. Some are now estimating up to $500 million to clean it up.
Some Perspective on $500 Million:
- That’s only $20 per person whose data was stolen.
- That equals more than 1/3 of their entire IT budget.
- But it’s only about 1/2 of 1% of their entire 2006 budget.
- It’s estimated to be the amount all Phishing scams cost consumers in 2004.
Use this case as a wake-up call to your company. How much would it cost to notify all your customers that their data was lost or stolen? Figure out that number and you can justify a lot of projects.
VA data theft may cost $500 million [zdnet/reuters]
Read More: Threats, D' Oh!, Investigations, Theft, Government
May 11, 2006
Fear-Mongering and Spyware
A new report [pdf] from Webroot declares that a staggering 87% of PCs are infected with Spyware. This is headline-grabbing fear-mongering at its worst.
It turns out that Webroot was counting “tracking cookies” as Spyware. We’re all familiar with this: every time you run most popular Anti-Spyware products, they alert you with dire warnings about all the cookies installed on your machine.
Let’s set the record straight. Cookies may be a minor privacy risk, but they are not a significant security risk. Who decided cookies were Spyware anyway?
My prediction is that in two years the Anti-Spyware market will be dominated by the Anti-Virus vendors. The technology is basically the same. If the small players like Webroot want to compete, they need to quit spouting falsehoods like this one and start adding real value by making a better product.
Your Spycar Ran Over My Dogma [SecurityFix]
Read More: Threats, D' Oh!, Spyware, Privacy
May 8, 2006
Hacking Gas Pumps
Thieves in St. Louis are breaking into gas pumps and setting them to dispense gas for free. They’ve hit two stations already. Evidently it’s somewhat of an inside job, since only the people who service the pumps should have the keys and codes necessary to hack the pumps.
With such a small number of potential suspects, and all the video cameras at a gas station, I bet these crooks will be caught in a week.
Video: Hackers Give Away Free Gas [St. Louis TV Station KSDK]
Read More: Authentication, D' Oh!, Vulnerabilities, Theft
Curiosity Killed the Hacker
Admitted British hacker Gary McKinnon is being made an example of by US authorities. The “UK’s hacking community” (whoever that is) seems to think this is a bad thing, and that he should get off easy because he was only ever motivated by curiosity.
British hackers say he is being made an example of to serve political ends rather than improve computer security.
The punishment he faces, up to 70 years in jail, was also too harsh a sentence for the crimes he has confessed to.
Yes, he’s being made an example of, and that’s a great thing. He broke into some of the most sensitive computer systems in the world and should be punished severely for that. Period. Those who argue that this doesn’t help security forget that punishment is a significant deterrent to criminals, even ones who were “just curious.” This is a great thing for security.
In related news, a curious burglar who broke into a Georgia home is in critical condition after being shot by the homeowner.
Read More: Threats, D' Oh!
May 5, 2006
Is That an RFID in Your Pocket or…
Levi’s is among the ever-increasing number of retailers using RFID to track inventory:
Levi Strauss & Co., one of the nation’s largest clothing manufacturers, confirmed April 28 its testing of RFID “hang tags” on clothing shipped to two retail outlets in Mexico and one in the United States.
To their credit, they are making them removable, and posting notices about them to ease privacy concerns. Wired has an article in this month’s issue on RFID Hackers:
They then showed how easily they could upload one chip’s data onto another. “I could download the price of a cheap wine into RFDump,” Grunwald says, “then cut and paste it onto the tag of an expensive bottle.”
I’d take a pair of Levi’s for the price of some Two Buck Chuck anytime.
Levi’s New Style: RFID [eWeek]
The RFID Hacking Underground [Wired]
Read More: D' Oh!, Privacy, Wireless
April 26, 2006
Please Step Away from the MacBook
This is funny:
Simply press the play button on your Apple Remote and TheftSensor will be activated. From now on, moving your Mac will trigger a loud alert…
…However, when travelling (sic), your Mac will in most cases be sleeping or even turned off. Even if you could leave it on while travelling (sic), a solution like TheftSensor is not useful as the alarm would go off every few minutes.
Let’s get this straight… Let’s take the most annoying, useless security product there is (the car alarm), and combine it with a portable computer. But it only works when the computer is turned on. Let’s hope the thief doesn’t know how to use a power button.
Read More: D' Oh!
April 25, 2006
Symantec Forgets to Build in Authentication
Our favorite holes are always those that come from the same security vendors that are supposed to be protecting us from holes in software. Today’s entry into the Product Hall of Shame is Symantec’s Scan Engine. Seems they forgot to build in authentication:
The security software uses a client-side Java applet to authenticate users, but the Scan Engine server itself never checks to make sure that users have been authenticated, meaning that intruders could gain control of the server by sending their own XML (Extensible Markup Language) requests using the server’s proprietary protocol.
“It’s totally a fake authentication scheme,” said Chad Loder, Rapid7’s engineering director. “This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol.”
This is pitiful. Our first clue should have been from their own marketing:
Easily integrates with third-party software and hardware via version 1.0 of the ICRAP protocol or the native API.
Okay, that was a cheap shot. But still, they forgot to build in authentication!
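The flaw quoted above is the classic one: the client “authenticates” itself and the server takes its word for it. The following is an added example, not Symantec’s code or anything from the Rapid7 advisory. It is a toy XML request server with the request format, element names, commands and credentials all constructed for the demo; the first class reproduces the anti-pattern (trusting an `authenticated` attribute the client sets), the second does what the Scan Engine server should have done and verifies credentials itself, then ties every request to a session token only the server can issue.

```python
"""Client-side-only authentication vs. server-side enforcement.

Added example (not Symantec's code, not Rapid7's advisory code): a toy
XML request server modelled on the flaw described above, where the
client asserts it has authenticated and the server believes it. The
second server issues its own session tokens and checks them on every
request. Protocol, element names and credentials are all constructed.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed request: a client that never logged in simply claims it did.
FORGED_REQUEST = '<request authenticated="true"><command>scan_status</command></request>'


class InsecureScanServer:
    """Trusts the client's own 'authenticated' attribute (the anti-pattern)."""

    def handle(self, xml_request: str) -> str:
        req = ET.fromstring(xml_request)
        if req.get("authenticated") != "true":
            return "denied"
        return "served:" + (req.findtext("command") or "")


def make_user_store(plaintext_users: dict) -> dict:
    """Build a constructed credential store: username -> (salt, PBKDF2 hash)."""
    store = {}
    for name, password in plaintext_users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        store[name] = (salt, digest)
    return store


class ScanServer:
    """Verifies credentials itself and binds every request to a server-issued session."""

    def __init__(self, user_store: dict):
        self._users = user_store
        self._sessions: dict = {}  # token -> username

    def login(self, username: str, password: str):
        """Return a fresh session token on success, None on failure."""
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Constant-time comparison of the stored and candidate hashes.
        if not hmac.compare_digest(stored, candidate):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def handle(self, xml_request: str) -> str:
        req = ET.fromstring(xml_request)
        token = req.get("session")
        # Whatever the client claims about itself is ignored; only a token
        # this server issued after a successful login is accepted.
        if token is None or token not in self._sessions:
            return "denied"
        return "served:" + (req.findtext("command") or "")


def demo() -> dict:
    """Run both servers against the forged request; returns the outcomes."""
    insecure = InsecureScanServer()
    secure = ScanServer(make_user_store({"admin": "correct horse"}))
    token = secure.login("admin", "correct horse")
    authed_request = f'<request session="{token}"><command>scan_status</command></request>'
    return {
        "insecure_forged": insecure.handle(FORGED_REQUEST),   # "served:scan_status"
        "secure_forged": secure.handle(FORGED_REQUEST),       # "denied"
        "secure_bad_login": secure.login("admin", "wrong"),   # None
        "secure_authed": secure.handle(authed_request),       # "served:scan_status"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the second class is not the hashing or the token format but where the decision is made: the server never consults anything the client asserts about its own authentication state, so a client that skips the applet entirely gets exactly the same “denied” as one that sends garbage. That is the check the advisory says was missing.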
Network World: Bad Authentication Breaks Symantec Scanner
Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability