Enabling Secure Business Operations

This Bug Man is a Pest

August 4th, 2008

Sonoma State University computer science professor George Ledin is teaching his students how to hack and creating controversy in doing it.

The companies that make their living fighting viruses aren’t happy about what’s going on in Ledin’s classroom. He has been likened to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea. Managers at some computer-security companies have even vowed not to hire Ledin’s students.

Ledin insists that his students mean no harm, and can’t cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can’t escape. Rather, he’s trying to teach students to think like hackers so they can devise antidotes.

I’m surprised that such courses aren’t more prevalent, and by the backlash that Ledin (and potentially his students) will face. The best point of the article is made by Ledin himself:

“Why should we shy away from learning something that is important to everyone?” Ledin asks. “Yes, you could inflict some damage on society, but you could inflict damage with chemistry and physics, too.”

When you base security on people’s ignorance, you just get ignorant people fighting clever criminals.

2008 Olympics Visitor Security Guide

August 3rd, 2008

If you’re lucky enough to be traveling to China for the 2008 Summer Olympics, you should think carefully about the security and safety of your personal belongings, as well as your information. Travelers should be aware that, as in any large metropolitan area, computing devices (such as smart phones, PDAs, and laptops) are at a high risk of theft. Additionally, the United States State Department has advised the following about travel to China:

Security personnel may at times place foreign visitors under surveillance.  Hotel rooms, telephones, and fax machines may be monitored, and personal possessions in hotel rooms, including computers, may be searched without the consent or knowledge of the traveler.  Foreign government officials, journalists, and business people with access to advanced proprietary technology are particularly likely to be under surveillance.

Therefore, we recommend the following approach for 2008 Olympics Visitors in order to keep their information and belongings safe:

  • If at all possible, leave your computing devices at home. It will eliminate potential travel hassles and remove the need to keep tabs on your things while you are out and about. Enjoy the Olympic Games, and take a vacation from your email.
  • If you bring a computing device, keep it with you at all times. If you cannot bring the device with you, inquire at your hotel about a safe or other secure storage area. Hotel rooms and rental cars are prime places for theft to occur in China.
  • Use file or disk encryption. Products such as TrueCrypt or SecureDoc, or operating system capabilities such as Encrypting File System or BitLocker, can keep your information safe even if your device is stolen.
  • If you must write down passwords, secure them. If you keep a post-it note with passwords on the lid of your notebook, a criminal may be able to use this information to get further access to the information in your machine or your networks.
  • Keep your identification documents safe. Keep passports and other identification documents safe from pickpockets. The State Department recommends that travelers make photocopies of their passport bio-data pages and Chinese visas and keep these in a separate, secure location in case of passport theft.

We hope visitors to Beijing find this information useful, and stay safe during their visit to the 2008 Olympic Summer Games!

Apple is last major provider to fix the DNS bug

August 1st, 2008

I really like my Mac. It usually is pretty secure. However, Apple just patched their copy of BIND yesterday. I just got the software update request today. This is almost a month since Kaminsky’s coordinated release of the DNS patch. I wonder why Apple was the recalcitrant one that waited so long? Could it be because the exploit was finally in the wild and was no longer just a proof of concept? Could it be that the patch was more critical on servers rather than desktops, and desktops are Apple’s mainstay?

Whatever the reason for Apple’s late release, it has made me think about Apple’s security practices. As far as I know, Apple doesn’t have a “patch Tuesday”, and the DNS patch release coincided with Microsoft’s patch Tuesday. Perhaps Apple is moving in that direction, and their patches just happen to come at the end of the month? Will this affect Apple’s security? Probably not, unless you have a release as huge as the DNS flaw. Vulnerabilities that affect Microsoft don’t necessarily affect Apple, so there is no issue with the delay between Microsoft’s release and Apple’s.

Apple has known about this flaw for as long as everyone else has, and since they run BIND, they’ve even had the patch, so their delay in patching their systems is a little concerning. What else have they delayed so long on that we don’t know about?