work


Last week I helped hold the Panda Security Days seminar tour and had a smaller appearance myself. It was fun, but it left me very tired. One small whisky put me to sleep last Friday ;)

I’ll post some pictures later on tonight (or tomorrow) both here and on our Swedish Panda Security blog (blogg.pandasecurity.se) together with some additional info.

Right now I’m at the airport (Bromma) waiting for a flight to Umeå where I will help a partner present our solutions to a possible client, and the calendar for the rest of the week looks like a car wreck…

It’ll work out though, and it’s nice to have something to do that I actually enjoy. No recession here for sure :9

Cheers,


Today I’m visiting Cybercrime Security Forum 2009 with Andy Malone. I found an agenda in English here, but it does not correspond 100% to the Swedish one that I’ve got.

Looking forward to two days of hopefully new knowledge or new points of view…


“All in all”-recap

I had the wrong expectations going into this event, thinking it would be more hands on, real world tests, active examples of tool usage etc. There was some, but not of the sort I expected. That dropped me a bit the first day and made me a bit unhappy.

However, the second day remedied almost all of the problems I had with the first one. For example the issue of legislative questions was cleared up, and all other questions of scope were handled. This was good for me as I could switch my brain from hacker mode to management mode, which was the state I should have been in from the beginning in order to gain as much as possible from the sessions.

It is also important to recognize the value of the information provided. Not many people bring the traditional issues up on the table anymore, just because they’re not hot anymore. You usually get stuffed with SQL injections, XSS, CSRF and other “web 2.0” hax at a lot of seminars, but those are really very secondary to a Cisco router with an open SNMP implementation.

This situation makes it harder for people new to the security world (managers dropped into a security role for example) to get hold of the basics, and seminars like these are the ones that get them up to speed.

William Matthey had a slide showing all the layers and possible attack vectors in all of them that illustrated this quite clearly.

When summarizing the event for myself, I’m not regretting my attendance. I am however, regretting the mode I was in entering the event. It covers the whole big picture, and some finer details, but it’s not a hands on hacking event.




UPDATE (after day one):

Actually a bit disappointed so far. 50% of the lectures have been good and 50% not good at all. Some things are presented as facts even though there aren’t any and it feels a bit like fearmongering.

For example, one fact presented was that it would be against the law (as in legislation) for us in Europe to store data on US-owned computer systems… emmm.. goodbye globalization? Goodbye SalesForce? Goodbye Google? It just doesn’t feel right hearing this from people sitting on more certifications than I can memorize… I might have misunderstood so if any of the lecturers would like to comment on that statement it would be nice.

Some of the time the networking details and hacking methods also feel a little bit outdated. I expected to learn something new, but it ain’t happening. I’m guessing you have to adapt to a varying level of expertise in the audience, but come on… I want SQL Injections, mapping of botnets, details of current threats etc… Not references to Netbus (plz, if removing or replacing something, remove that one!).

I get very frustrated when things turn this way as it clouds out all the good things that are being delivered.

Andy Malone is a very good presenter though, even when his Microsoft MVP status shines through from time to time, and I appreciate his presentation style. Clear and to the point.

I enjoyed Andy M’s physical hacking info the most, as that’s where I have the least experience. Not very often you break into buildings, hehe… but more seriously that might come in handy if doing bigger audits in the future.

During the seminars he also had some illustrative video clips that broke off the “Death by Powerpoint”-syndrome. I’m probably going to “steal” that trick for some of my future seminars.

As all nerds/semi-nerds I also appreciated the wide array of gadgets he seems to carry ;) I mean, a camera pen, what’s not to love about it?

Hoping for a day 2 with less to whine about ;)

UPDATE (day 2 in progress):

This day has started out better with a great seminar by Andy Malone called “Defense against the dark arts!”. He passed over some physical security stuff, IDS’s, IPS’s and HIPS’s and other local and remote protection mechanisms and tools. This too felt a little MS-ified at times, but the overall level of the information was good.

[...]

All other sessions were good, and William Matthey had one called “The invisible network” about wireless networks and their inherent vulnerabilities. Actually made me a bit uncomfortable as I remembered an old firewall rule I’ve left in a place it shouldn’t have been. Fixed now though, hehe.

The afternoon session with Andy Malone was also interesting and he touched on many subjects. Among them the CIA triad (what it is, how to use and look at it) and tools that can be used to help secure your environment. The one that was the most interesting and new for me was the latest version of MSAT (version 4.x), that helps you to assess your overall risk exposure. Might not sound very interesting to some, but I’m going to do a test run first thing tomorrow morning in our test environment.


Beslutsfattardagen

I’m the first speaker in the security track on Beslutsfattardagen (in English, something like “Decision maker day”) in Sundsvall on the 6th of October.

I’m going to talk some about the situation that we’re facing today with malicious code and more about our cloud based solutions that aim to solve it.

I have an extremely tight schedule for that week and I’ll go directly from Sundsvall to Malmö in order to attend Panda Security Days that starts there the next day. I have something like 20 minutes between connecting planes on my way there… last time I was in that situation I had to spend a night in Madrid ;) but it would be extremely weird if that happened now, hehe.

Day after that, on the 8th, we’ll go to Gothenburg and finish off in Stockholm on the 9th.

I’ll post some more info on Panda Security Days soon… a bit too tired atm.


Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. More info, read “About this blog”.
Tomorrow afternoon I’m holding a shorter live demo on MalwareRadar (a corporate scan-in-the-cloud service from Panda) at IT-SecurityWorld in Kista, Stockholm, and I’m going to be there for the whole day. Come by and say hi if you’re attending.

My colleagues Sebastian Zabala and Rickard Uddenberg are also going to make appearances during the day and we’ve coordinated our efforts under the phrases “Antivirus, is it really an effective protection?” and “We don’t trust antivirus, do you?”. It’s going to be fun, heh.

I’m also going to Finland next week to participate in the “Panda Security Days” over there, and I’ll be staying in Tampere for two days. This will also be a good opportunity to handle some administrative issues on-site in our Finnish office, so double niceness. The only downside to this trip apart from having to be away from home is that I’ll miss the next “Pirate” meeting here in Stockholm, but I’ll catch up through our blog (Swedish) and Skype channels.

Cheers,


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.

We’re seeing quite a large increase in Conficker.A infections (exploiting MS08-067) in Sweden right now, and computers that are not sufficiently patched or secured are causing a mess.

So far, most corporate network infections are making more noise than damage, as people seem to have become better at patching since 2003-2004. What is causing alarm is our protection blocking the network attack proactively when it’s delivered from an infected machine or, on computers without TruPrevent, our signature nailing it.

Anyways, I feel like being a bit proactive and recite some of the simpler lessons from 2003 in the new light of this little worm as it feels in my gut like we’re going to get taken for a ride.

What do you do once your switches start looking like Christmas trees, all lit up and warm? Well, there’s no one single recipe and there will most certainly be a twist to your specific situation. There are however some basic things you can do, and you can start by asking yourself:

Are your machines patched?
  a) I do not know
  b) Yes they are
  c) No they are not

If A, use Microsoft Baseline Security Analyzer to get a picture of the current situation. This tool can be set up on any modern Windows system and should be run using domain admin credentials in order to gain total visibility. This tool will also display a lot of other crucial security information (password complexity, security policies etc.).

If B, Haha, Yeah right… ;) But if you’re confident about it you can at least be calmed by the fact that you are probably exposing less attack surface internally to the worm. You will however have some clients that are not patched or are incorrectly patched, and if they’re not infected yet they’ll be in a short while.

If C, you should start finding out how you can most easily distribute the fix. If you’re running a smaller shop you might even have greater success doing the good ol’ leggie around the office, but if you have a couple of hundred or thousand clients you need to set up a deployment plan now. Possible deployment methods might be anything from SMS, System Center, ZENworks (Novell) and logon scripts with a silent patch install to WSUS set-up and group policy configuration. It really doesn’t matter which technology you use, it just needs to be done “yesterday”.

Do you know what machines are infected at this time?
  a) Yes.
  b) Nope, or some, but I’m guessing there’s more.

If A, set them straight. That is install the patch, install your protection, update that protection and make sure it’s as “clean” as it can be. Then move to B.

If B, install Wireshark on a patched computer (or why not use Linux?) and sniff the network for 15-30 minutes. This does not have to be done in promiscuous mode or using some kind of special networking equipment, as all that we want to see are computers trying to exploit/infect the computer that you are sniffing on. After stopping the traffic gathering you will have a lot of packets to analyze, and what you’re looking for are SMB packets that look something like this:

Image by Don Jackson from SecureWorks via ThreatExpert blog.

The key here is identifying SMB packets that contain references to the NetPathCanonicalize function and to do this you should be able to use a filter expression like this in Wireshark (not tested atm so no guarantees):

smb.service contains "NetPathCanonicalize"

Note the source IP for all lines matching the above expression and try to identify the physical machine behind each one. Usually it helps to identify the user first, and to do that just click “Start menu” -> “Run”, write “\\OFFENDING_IP_NUMBER\c$” and press OK. When you get the mapping up, go into “Documents and settings” and sort the listing by modification date and you’ll see what user last used the computer.

Of course, just having an updated inventory of all machines and their MAC addresses before this happens is a bit easier. Doesn’t happen too often that this is available though.

After the machines have been identified you are to patch them, protect them and finally update the protection. If you suspect that your protection doesn’t work like it should, or that the infection itself persists and doesn’t get cleaned, you should contact your AV-vendor as soon as possible so that they can collect the sample.

The approach mentioned above is not valid if you’re having more than 50 machines infected. If you are in that situation the following statements are probably true: you have a large network, and the machines are not updated and not protected, or if protected, it’s with old software and/or definitions. This means that you’re going to have greater trouble than most resolving this situation and I’d suggest a more generic approach as a start.

1. Deploy the one patch needed (NOT ALL, that takes too long) through the software distribution tool of choice, logonscripts or whatever suits you in order to prevent re-infections after cleansing.
2. If available, deploy cleansing tool or script in the same way shortly after. Contact your vendor for more information, help and suggestions.
3. Deploy Anti-Malware protection using the same method that you used to deploy the patch above and make sure that all protections are turned on and updated.

These steps might be hard to follow during an ongoing infection, and if you are having trouble call your AV-vendor! We have more experience with this and will probably be able to see things that you overlooked.

After you’ve done these basic things you can move on to the manual methodology above in order to find any computers still infected.
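The "note the source IP" step and the 50-machine cut-off described above can be scripted once the matching packets are exported from the capture. This is an added example, not code from the original post; the three-column export format, the function names and the sample rows are assumptions made for illustration.

```python
import csv
import io
from ipaddress import ip_address

# Assumed input (not from the original post): one CSV row per packet that matched
# the display filter given earlier in the post, with the columns
# frame.time_epoch, ip.src, ip.dst, for instance exported with
#   tshark -r capture.pcap -Y '<display filter>' -T fields -E separator=, \
#          -e frame.time_epoch -e ip.src -e ip.dst
MANUAL_LIMIT = 50  # the post's cut-off: above this, start with the mass deployment steps

# Constructed sample rows (documentation address range, not real hosts).
SAMPLE_EXPORT = """\
1231761600.101,192.0.2.23,192.0.2.10
1231761600.734,192.0.2.23,192.0.2.10
1231761605.250,192.0.2.57,192.0.2.10
not-a-packet-line
1231761611.002,192.0.2.10,192.0.2.99
1231761890.480,192.0.2.23,192.0.2.10
1231762001.913,192.0.2.141,192.0.2.10
"""


def suspect_hosts(export_text, sniffer_ip):
    """Tally the hosts that sent matching packets to the sniffing machine.

    Returns {source_ip: {"packets", "first_seen", "last_seen"}}, busiest host first.
    """
    sniffer = ip_address(sniffer_ip)
    seen = {}
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 3:
            continue  # blank or malformed line, not a time,src,dst row
        try:
            stamp = float(row[0])
            src = ip_address(row[1].strip())
            dst = ip_address(row[2].strip())
        except ValueError:
            continue  # unparsable timestamp or address
        # Only attempts aimed at the sniffing machine count; its own traffic does not.
        if dst != sniffer or src == sniffer:
            continue
        entry = seen.setdefault(
            src, {"packets": 0, "first_seen": stamp, "last_seen": stamp}
        )
        entry["packets"] += 1
        entry["first_seen"] = min(entry["first_seen"], stamp)
        entry["last_seen"] = max(entry["last_seen"], stamp)
    # Most active sources first, ties broken by numeric address order.
    ordered = sorted(seen.items(), key=lambda kv: (-kv[1]["packets"], int(kv[0])))
    return {str(ip): stats for ip, stats in ordered}


def suggested_approach(hosts):
    """Apply the post's rule of thumb: manual clean-up up to 50 hosts, else mass deployment."""
    return "manual" if len(hosts) <= MANUAL_LIMIT else "mass-deploy"


if __name__ == "__main__":
    hosts = suspect_hosts(SAMPLE_EXPORT, "192.0.2.10")
    for ip, stats in hosts.items():
        print(f"{ip}: {stats['packets']} packet(s), "
              f"first {stats['first_seen']:.3f}, last {stats['last_seen']:.3f}")
    print("suggested approach:", suggested_approach(hosts))
```

The resulting list is the input for the `\\OFFENDING_IP_NUMBER\c$` lookup or for a match against your machine inventory.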

And finally some suggestions on what you can do now to ease the burden if (when) you get hit:

* Secure your systems, not just patches but security policies, user permissions, local administrator rights and so on. For inspiration, take a look at Microsoft’s SSLF policies. Just make sure to remember what LF in SSLF means while doing so.
* Install and manage your anti-malware and security solutions. Make sure that they are in the latest versions and that signature files/databases/IPS filters are updated as they should be.
* Strengthen your IT-policy in regards to connection of external units to the network. This won’t prevent much but it’s worth a shot. If you want to enforce directives such as these, take a look at Panda NetworkSecure, Cisco NAC or Microsoft NAP.

That’s all ;)

If you need any help with anything, drop me a line and I’ll get back to you as soon as possible.

Cheerios,


Wireshark filters cheat sheet - Packetlife.net

… from Packetlife.net. Covering everything from BGP to Physical Terminations.

From the site:

“Cheat sheets are in PDF format. You are welcome to use and redistribute them as you please, so long as they remain intact and unmodified.”

That’s the spirit! The tcpdump & Wireshark ones are going on the wall now ;)


Hector Melo A. on Flickr - http://flickr.com/photos/chile-suecia/

I attended the IDG / CIO (and CSO) seminars night called “CSO Night Vision” yesterday and it was a good one.

Seminars were held by reps from Ernst & Young, Combitech and Rittal and all were interesting. I also picked up two books, “Stress vid kriser” (eng. “Stress during crisis”) by Peter Jonsson and “Våldsam aktivism och terrorism” (eng. “Violent activism and terrorism”) by Jan Kallberg as they were handed out.

Looking forward to reading Kallberg’s book as I’m interested in knowing what style he writes in. When he moderated and participated in the “Security policies of 2020” debate during Internetdagarna he was very straightforward and clear and I’m hoping that this book is as good a read as that debate was to listen to.

Other than this I talked to the IT-manager at Företagsuniversitetet. He was currently using F-Secure (and happy about it) and we discussed the difference of solutions on the market during the night.

All in all, a well spent evening…


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.

tricky ™ on Flickr - http://flickr.com/photos/sovietuk/

Found an interesting article by Martin McKeay through “Security Bloggers Network” which discusses PCI compliance and the implications of hosting applications and data in the cloud.

He boils everything down to one simple point; If you store/transmit/handle cardholder data in a service provider’s network, that network becomes part of the cardholder data environment and needs to be PCI compliant:

“So I made several comments on the post, most of which boil down to referencing PCI requirement 12.8: If you’re sharing cardholder information, i.e. credit card numbers, with a third party service provider, you need to have a clause in your contract that makes the service provider responsible for the PCI compliance of their systems. With the example given, Amazon’s EC2, the chances of getting such a clause in your contract are almost non-existent.”

A subject similar to this has been of interest for me before as Panda MalwareRadar is a cloud service where files deemed interesting are ‘fingerprinted’. Those fingerprints are then communicated to our Collective Intelligence servers in order to be analyzed deeper. For more info on CI, see this whitepaper by Panda Research.

In other words no complete files ever leave the client’s network, but some clients that are in the process of becoming PCI compliant are unsure of what implications services such as this might have. Their general feeling is that they aren’t 100% comfortable handing out fingerprints of possibly malicious processes or files, as it might (theoretically at least) be a false positive. This will lead to unforeseen information disclosure to a third party (PandaLabs and CI servers). We also do inventory of the current patch status with the same tool and the same thing goes for that.

I trust our systems with the information gathered, but I understand their position as well as they have to be able to prove compliance. But is there any need to worry?

It all seems to come down to two questions; “Can you trust your security vendor?” and “What requirements in PCI DSS might be implicated by this type of services?”.

Personally I think that some level of trust must exist between a security vendor and their customers so for me the answer to the first one is Yes. Many security products and services are placed in such sensitive locations that it would be impossible to use them otherwise (not only talking about anti-malware here).

I’m unsure about the second one though and would appreciate any comments on this. From what I’ve been able to find information on, there really shouldn’t be any problems. The one thing that might be troubling is the patch status information, but the information sent can be anonymized to not include data such as computer names or IP addresses so that you only get an overview of the current situation (same goes for the malware detections).

Any PCI DSS experts that feel like commenting on what their experiences are with Collective- or Herd-intelligence technologies and services such as this?

EDITED TO ADD: Mike at Aegenis comments below and recommends reading his follow-up post.


Photo: avlxyz on Flickr.

The debate on what internet security would look like in the year 2020 at Internetdagarna ’08 made me think.

What will the malware landscape look like in 12 years?

Well, if we look at our history it’s quite hard to see a larger trend as our selection really doesn’t range that long back. Viruses and worms have been present ever since people started networking computers, and some even longer. However, this has always been a very opportunistic area and the “bad guys” have adapted quite easily to the different challenges we’ve put them up to.

Previously the attacks were almost always aimed at being large scale and make as much noise as possible. We had the CIH virus, Loveletter, Melissa, Blaster, Sasser and so on. This type of malware did a lot of damage, caused a lot of headache, made people cry over lost images and cost companies millions of hours in overtime.

But still no one was really hurt. There wasn’t any money missing and everyone kept their identity for themselves. The game was more or less “See mee! PLZ!” and “1’m 4 b3773r VX-coder than you, mother*beep*, our cr3w rule the w0rld!!!1!!!”. Media attention was the holy grail.

This has changed though.

Some years ago (~5 yrs?) we started seeing targeted, financially motivated, malware and organizations that profited from these directly. Back then the malware authors were still learning and a lot of mistakes could be observed. We may have laughed at their worms that had bugs earlier but today it’s not that funny. They’ve learnt from their mistakes and today their cashflow enables them to do real Quality Assurance on their code.

Today almost all types of malware circulating are financially motivated in one way or another. They are adapting their methods of infection and follow world and market trends to identify the times at which hard distribution is most effective.

As my colleague Sebastian Zabala puts it; “For them it’s ‘Money talks and bullshit walks’”. In other words, if it does not generate immediate cash return it is not the least interesting and terms such as ARPIU (Average Revenue Per Infected User) are being used. This has been the single most dominant motivator for the malware evolution that we’ve seen in the past couple of years.

Several prominent groups have been mapped over the last four-five years, and one of them is the notorious Russian Business Network. They seem to have relocated now, but at one point last year (2007) a very large portion of the malware being distributed was coming from their network. This is probably the same now but from other, more separated, locations that aren’t as easily distinguished.

The methods of distribution were previously very direct and the bad guys were satisfied with the distribution method of one host infecting another, but this has also changed a lot. Much of this change is probably motivated by their need to continuously modify the malware to keep as much code as possible out of AV-vendors’ signature files. Today, a very large percentage of infections happens through web browsers that get exploited by trusted websites. These websites have been hacked in one way or another in order to add HTML that loads malicious code through invisible iframes or scripts.

These attacks are made possible by insecure server-side code which enables attackers to do SQL injections for example. We are also starting to see signs of social networking applications being exploited for the same purpose and a possible method of infection here is XSS (Cross-site scripting). There’s a myriad of different attacks on the same theme, but it’s the same thing here really, insecure server-side code with a twist making the client essential. All in the true spirit of Web 2.0.

But the method of infection really isn’t that important. There will always be vulnerabilities waiting to be exploited. If not in insecure code, then in user behavior. Just look at the latest waves of fake security products. These often use social engineering to get installed on their victims’ computers, such as faking a Windows desktop and tricking the user into clicking OK or taking other actions to install the malware. These applications alone are estimated to bring in multi-million numbers to the guys behind them this year.

A couple of years back, malware on the Windows platform also started to come packed with rootkits and other methods of concealment. These technologies have been more widely deployed during the last year and we are seeing them being used in layers. For example, the droppers that first reach the systems often do not come with rootkit functionality but load themselves (inject DLLs) into system processes in order to stay hidden. The malicious software pack that is later downloaded more often than not comes with real rootkits, often in the form of system drivers. My guess is that this is meant to make users believe that once they’ve managed to clean out the malware they are in the clear, but only hours later the dropper sucks down another pack of crap and installs it.

From our (AV-vendors) point of view we are seeing steep increases in the number of samples (different versions of the same malware) being distributed and to cope with this problem we are inventing different technologies that either make our signature less important or help us analyze samples. For example Panda has TruPrevent for behavioral analysis and Collective Intelligence for malware identification and faster analysis.

This race will continue. When we establish an effective countermeasure to their latest move, they will change their business model or malware structure. When they do so, we will change our take on the problem.

So… What will the malware scene look like in 12 years?

Well, I don’t really know… I don’t think anyone really knows.

As technology evolves so will the parasitic creatures that feed upon it. My guess is that the malware will be more user tied and that more of the malicious code will be built upon pre-built frameworks that enable faster development. Maybe this already exists?

The Storm botnet that followed us from 2007 into 2008 and still is alive and well is a good example of what the future will have in store. The malicious code relies heavily on social engineering for distribution and installation, and the underlying structure is both stable and agile. They use fast DNS fluxing and double-fluxing in order to keep it alive and also vary the communications method between IRC, P2P (eDonkey) and HTTP.

I’m not saying we’ll see more of the same, but rather more malware being based on the same thoughts; Great stability, Good control, Improved anonymity and excellent networking.

Platform independence will probably become more and more important for malicious software as well, as the array of different units used to access the internet is getting bigger every day. By platform I mean both hardware and software.

The challenge for us anti-malware vendors is to keep up. How we’ll be doing that is based on future experiences but in an ideal situation we come as close as we can to a silver bullet for every new twist that the bad guys throw at us. Our real challenge here is to be equally adaptable to new situations as they are. We need to be able to react quickly and hard without impacting the stability of our customers’ IT systems.

I also think that the user knowledge angle will be more and more important and this will have a big effect on malware distribution. Today I’m seeing younger people just laughing when they stumble upon a strange website and fire up ProcessExplorer to see if something bad happened. This would not have happened five years ago and it changes the way that malware authors have to think.

Hopefully we are up for a cleaner internet tomorrow, but there are no guarantees.

In a worst case scenario the internet might be clogged with garbage, which forces ISPs and national institutions to do filtering in order to isolate the countries that cannot control the organizations behind the malware. This is not something that we want to see and I hope it never goes that far with all of my heart.

Please comment with your thoughts on what the future has in store for us ;)

Cheers,


ID08

The second day of Internetdagarna (22/10-08) was spent in the Security track as well, except for the last seminar where I switched to the society track.

The first seminar was “Pålitlig e-post / Anti-spam” which translates to “Reliable e-mail / Anti-spam”. The moderator for this seminar was Jörgen Eriksson from .SE.

First speaker out was Amar Andersson from TeliaSonera and he spoke about “Spam-protection that undermine their own goals”. I can honestly say that I did not follow this well enough as I was very tired this first seminar and I kind of regret it now. However, the main problem presented by him was the lack of coordination and standards in anti-spam prevention methods. He mentioned blacklisting in general and the DUL-blacklist in particular, hostname “naming” (reverse lookups which result in a name containing either “static” or “dynamic”) and how to make sure your e-mails get delivered in this day and age where the requirements for delivery can vary quite a lot from server to server (correct HELO/EHLO messages, correct reverse lookups, SPF and other DNS related issues).

Next speaker up was Bengt Carlsson from Blekinge Tekniska Högskola that just announced a new project between .SE and BTH. The project name was “säker e-post hantering bland illsinnad programvara” which translates to “Secure e-mail management amongst bad software”.

After this Rickard Bondesson from Linköpings Universitet took the stage to present his research on DKIM, DKIM-milter and DNSSEC implementations. This was a quite long and very informative presentation which stepped through his research in a comprehensive way under the following bullets; Forged e-mail, Prevention of forged e-mail, DKIM, Reliability within DNS, Implementation, Tests, Statistics, Experiences.

After this there was a small moderated panel debate on the topic of Reliable e-mail.

The next seminar was “Parasitekonomin på Internet” which (roughly) translates to “The parasitic economy on the internet”. Stefan Görling from KTH moderated and had one presentation, and the other speakers were two representatives from Lavasoft (you know, the guys behind Ad-Aware) and Martin Boldt (IT-security researcher from BTH).

Görling started out by picking at affiliate systems and the ease of exploiting these services for profit and he worked out from a site that supposedly uses this format in a legit way. He did not go into the malware point-of-view very much but he touched the subject when talking about “mis-spelled domain names default pages” which contain only affiliate links.

The guys (they were two) from Lavasoft then held their presentation which more or less detailed the different types of spyware they had included during the year, and also gave a strange remark saying that TeliaSonera was gaining money from the malware circulating on the internet (as they’re an ISP, they supposedly make profit when having their bandwidth used… hrrm…). This little remark came back to bite them in the ass when a (quite upset) TeliaSonera security employee demanded that they take that statement back during the Q&A at the end of the session.

Following this, Martin Boldt from BTH discussed reputation systems and automatic EULA analysis. He had researched these areas and they were at this moment involved in creating web browser plugins and applications to enable users to share their thoughts and score on specific applications (binary files). See their project website at www.softwareputation.com for more information. He also noted that this project is still in Alpha stage. The ideas they’re having kind of look like Panda Security’s Collective Intelligence, except it is user generated, not automatic.

When it came to EULA analysis they’ve taken a harder route than SpywareGuide’s EULA analyzer and they used many different Bayesian and similar algorithms in order to define if an EULA is “good” or “bad” with a high level of success. Ideas for the future were to make this automatically integrated into the system so that any EULA boxes could be automatically read and scored.

After this there was a Q&A session and Lavasoft’s statements were quite heavily scrutinized both by the TeliaSonera employee and Netnod’s CEO Kurt-Erik Lindqvist (I think it was him but I only heard the voice, so don’t quote me on this). It seems like Lavasoft’s statement was just illustrating and that they based their assumptions on a US ISP that had misbehaved and in some ways had profited on bad software.

Here I switched room and joined the “Infrastructure and society”-line of seminars. The one I was interested in was “Integritet och övervakning” which translates to “Integrity and surveillance”.

This seminar was moderated by Johan Hallsenius (editor for Computer Sweden) and the debate panel was only populated by pro-Integrity people as none of the invited politicians and FRA-people had turned up even though they were invited. The panel members were Oscar Swartz (debater, writer and blogger), Patrik Fältström (Cisco), Fredrik von Essen (Swedish IT and Telecom Industries) and Daniel Westman (Juridicum, Stockholms University).

The focus of the debate was of course the FRA-law but also dangerous EU-directives and other laws that impede personal integrity. It was an interesting debate, but as “the other side” was missing no hard questions could be discussed. I talked briefly to Oscar Swartz before the seminar and he described it as a “non-debate”, as there was only one point of view from all participants (with small diversions). He wrote a post on “Internetdagarna” on his blog in which he briefly mentions this debate.

It was also to hear what Fredrik von Essen from the Swedish IT and Telecom Industries had to say on this issue.

Unfortunately I had to leave before the Q&A session that followed, so I’m looking forward to the sound recordings that are to be released here.

Some pictures from this day:

Integrity debate:
Martin Boldt (from BTH):

