September 16 2010
A few links that have floated my way in the last few days...
PCMag.com: Google Engineer Fired for Accessing Teens' Gmail, Chat Log:
Google this week confirmed that it fired an engineer who accessed the Gmail and Google Voice accounts of several minors and taunted those children with the information he uncovered.
David Barksdale worked in Google's Kirkland, Wash. office as a site reliability engineer, where he had access to user accounts. As first reported by Gawker, Barksdale accessed the Gmail and Google Voice accounts of several teenagers he met through a local technology group, and made them aware of the data he'd uncovered.
The point here is really in one of the comments on the article:
the elephant in the room is the _ability_ for a tech to have unfettered access to a user account without the knowledge or permission of the account owner.
Yeah that's not the case in LotusLive Notes, where we encrypt the data at rest and support the built-in Notes PKI for per-message end-to-end encryption.
Then for the Redmond camp, The Inquirer writes "Microsoft Exchange opens the door for hackers". This isn't some simple stack buffer overflow...
A security vulnerability in Exchange Server 2003 SP2 and Exchange Server 2007 SP1 and SP2 means that attackers can take control of a user's OWA session and issue commands up to the level permitted by security controls without the user knowing. OWA is a rich 'web mail' client that is offered by Exchange Server and has the look and feel of Microsoft's standalone Outlook software.
Microsoft's proposed solution to the problem might raise the ire of its customers. In the security advisory the Vole says, "Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability." Of course system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange.
I like the zinger at the end:
Now all that's left is for Microsoft email system administrators to pick which day to come in at 3AM in order to overcome yet another security hole in Exchange.
That's gonna leave a mark.
And in case you missed it, last week, Microsoft Exchange shops were battling a virus, called "Here you have". Honestly I didn't even know about it until it was mentioned in passing in a press release from an IBM business partner, but it sounds like it was a doozy for Exchange/Outlook customers, according to Information Week:
Why was the "Here you have" -- aka "Just for you" -- mass-mailing worm able to move so quickly, and infect so many Windows PCs, and just what was its purpose?
To briefly recap: On Thursday, the now defunct malware moved at lightning speed through corporate e-mail systems and via network shares, e-mailing itself to everyone in a compromised PC's Outlook address book with a message that asked the receiver to open a malicious file disguised as a PDF. Numerous organizations were reportedly affected, including ABC, Comcast, Google, and NASA.
Obviously anyone can receive an infected email, but it's a matter of how you are protected. In Notes, that's through things like the execution control list -- an oldie but a goodie -- and the trail ends there.
When was the last time a problem with your Lotus Notes implementation made headlines in the Wall Street Journal? Yep, that's part of the tolerated pain of running Microsoft software. It's assumed that problems affect everyone, but they really don't. Nor should they.
Updated: It was too good to pass up this one other story, from ZDNet Australia, "SharePoint a 'Rolls Royce ashtray' - exec":
Microsoft's SharePoint software is like a "Rolls Royce ashtray" for government departments: it's free with the car but it doesn't add much, according to Bryan King, director of strategy and innovation with the South Australian Chief Information Office. ...
"A lot of really hard-working sales execs from a lot of companies have managed to sell a lot of proprietary code into government and to a certain extent many governments are trapped. Classic case in point is SharePoint. SharePoint websites in the government are a bit like a whack-a-mole game. Every time you think you've got it, it pops up somewhere else," he said.
King pointed out that SharePoint was free in most licensing deals with government, though many had no use for it.
"I like to think of it as the free ashtray you get with every Rolls Royce you buy. If you buy the Rolls Royce the ashtray is there but it doesn't really work any more, it doesn't really serve any particular purpose but it's there so let's do something with it," he joked.