The Open Road

September 9, 2009 8:05 AM PDT

Just how valuable are those 'Linux-related' Microsoft patents?

by Matt Asay

Just how valuable are the Linux-related patents that Microsoft recently sold?

The Open Invention Network (OIN), a patent defense coalition for Linux whose members include IBM and Red Hat, trumpeted the news that it had bought 22 Linux-related patents from Allied Security Trust (AST) in a bid to protect Linux. Microsoft, which sold the patents to AST, claims the patents "weren't important," as noted in The Wall Street Journal.

Did the OIN get value or garbage?

Microsoft has long presented itself as the looming patent threat to Linux, once claiming that 235 of its patents are violated by Linux. But the AST patents, which cover 3D graphics, are apparently not among that group of core Microsoft patents allegedly violated by Linux.

If Microsoft didn't care about the patents, why should OIN?

It's a question ZDNet's Mary Jo Foley is asking, and rightly so. As CNET's Ina Fried notes, it's possible that Microsoft was looking to offload the patents to a patent troll, one that could litigate against Linux by proxy. This same strategy is apparently being used by Intellectual Ventures, a patent-holding (and trolling) firm that may be selling patents to litigious buyers to generate revenue.

OIN CEO Keith Bergelt speculates as much, insinuating that Microsoft may have "had ulterior motives" in selling to AST, a firm that has a "catch and release" policy that would see the Linux-related patents pushed back onto the open market after a year, and potentially fall into the hands of a patent troll, as eWeek reports.

But this seems like a rather kludgy way for Microsoft to go after Linux. If it wanted to ensure the patents made it into the right (or wrong, depending on your point of view) hands, it could have sold the patents directly to a Microsoft-friendly patent troll. The fact that OIN wasn't allowed to directly participate in Microsoft's patent auction says little about the company's ultimate (and allegedly "ulterior") motives.

Faith is great in religion--it's not a viable business strategy.

I'm left wondering just how much protection OIN scored for Linux with the purchase of these 22 3D graphics patents. If the patents were core to Microsoft, it wouldn't have sold them for simply the off-chance that the patents might eventually find their way to a litigious patent troll. Microsoft tends to be more direct with its anti-Linux message, a fact borne out by its recent scurrilous Best Buy training FUD.

I suspect that the patents truly weren't very important to Microsoft. This doesn't mean their value to OIN is diminished, but it's probably not time to uncork the champagne at the "coup" scored at the local patent yard sale.


Follow me on Twitter @mjasay.

June 23, 2009 5:53 AM PDT

Expedited airport-security service shuts down

by Matt Asay

Despite pulling in 260,000 travelers at $199 each, Clear's expedited security-clearance program in 18 airports has shut down.

Verified Identity Pass, which operates the Clear service, said via e-mail and on its Web site that it was "unable to negotiate an agreement with its senior creditor to continue operations." The Clear service was suspended at all 18 airports as of 11 a.m. PDT Monday.

The message to Clear subscribers like myself: "Get back in line."

Ironically, Clear was apparently charging Clear subscribers' credit cards right up until the announcement, as revealed by the commenters on a Los Angeles Times article on Clear's closure. I guess the company needs every little bit as it heads to bankruptcy proceedings.

Sigh.

Despite signing up for Clear almost from its inception, at first I wasn't a big advocate of the service (though CNET's Dave Rosenberg was). At my home airport in Salt Lake City, the difference between Delta's Medallion line and Clear's security lane was minimal.

But over the past few months, I've had more occasion to benefit from the service, and I can say that I will truly miss Clear. It has saved me from missing more than one flight. I want it back.

It would appear, however, that the cost of maintaining the service exceeds the roughly $52 million in subscription fees that Verified Identity Pass was able to bring in to support the Clear service. With costly biometric scanners and several Clear employees at each security station, it's not hard to see how the costs could add up.

Of course, Clear's various snafus and problems, as ZDNet's Jason Perlow writes, couldn't have helped.

Regardless, I doubt that many will appreciate Clear apparently renewing subscriptions right up until the moment it announced its closure. That's bad form. I understand the need to satisfy creditors. But in the age of blogs, Twitter, and Facebook, it seems like an ill-advised policy to charge for a service you're about to shutter.

Expect a backlash.

Clear's announcement via e-mail.

(Credit: Matt Asay)

February 2, 2009 6:07 AM PST

Have we become too dependent on Google?

by Matt Asay

In the wake of Google's weekend error that labeled the entire Web as malware, some like CMS Watch analyst Kas Thomas are asking a provocative and timely question: have we become too dependent on Google?

One wonders: If Google were to go down (or become essentially unusable -- same thing) for, say, 72 hours or more, how disruptive would it be to the economy? Would online retailers see a slowdown in business? Would job-seekers remain out of work longer? Would the productivity of information workers (who supposedly spend a couple hours per day doing online searches) be seriously affected?...

Sometimes even the most highly distributed, highly virtualized, "enterprise-hardened" infrastructure is no stronger than its weakest component. And quite often, the weakest component is human. That's never going to change--cloud or no cloud.

In the case of the Google error, which was caused by a simple human mistake, the world arguably went its merry way without serious disruption. But it's a fair question, and the same one formerly raised about Microsoft's dominance on the desktop. When one company dominates a market so completely, does it become an essential facility and hence require government regulation to ensure that it doesn't bottleneck the economy?

I'm not sure. I tend to eschew government regulation whenever possible, and I'd hate to see Google significantly constrained by U.S. oversight. Even so, the weekend snafu demonstrates just how vulnerable Google is to attack, as well as how susceptible we'd be to going down with Google.

Yes, other search engines are just a click away, but with more and more people enveloping their online lives with Google products (Gmail, News, Finance, Reader, etc.), an error in one aspect of Google's product suite could have a domino effect on all of them, and significantly hamper productivity until Google fixes the source error.

Even so, the answer to Microsoft's dominance wasn't regulation: it was competition. Google, too, will face increased competition on the Web, so perhaps the answer to the concern is simply to wait. Over time, open source and other trends will no doubt diminish the relevance of Google's stranglehold in online search.

But for now, I can't help but feel a little vulnerable.

January 21, 2009 4:07 PM PST

Blame it on Paris, not Joomla

by Matt Asay

Recently ParisHilton.com got hacked. In the rush to find a culprit, however, security experts quoted in InformationWeek incorrectly blamed the open-source Joomla web content management system for the security breaches.

According to [a senior security researcher at ScanSafe], there's an iFrame that has been embedded in the ParisHilton.com Web site....She said it wasn't clear how the iFrame got added to Paris Hilton's site, but she said it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports.

Such "other reports" include this one in ComputerWeekly. The problem with blaming Joomla for security breaches at ParisHilton.com and many of the other sites in question?

They aren't Joomla sites at all.

This is lazy security "research" by the ScanSafe researcher and other "experts" noted in these articles. It's like me blaming Microsoft for security breaches...on a Linux server. It might make for an easy scapegoat, but that doesn't make it any less untrue.

I spoke with Elin Waring, president of Open Source Matters, a part of the Joomla! project, who suggested that "both times [the security allegations surfaced] within a week of a regular release that included some security patches, which I think probably is not a coincidence." She may have a point. Is the security community seeing the patches and assuming they must have been released to fix the high-profile website security breaches?

This is plausible, but again, ParisHilton.com and others among the websites in question weren't Joomla-managed websites at all. It's therefore understandable when commenters on the InformationWeek story on the ParisHilton.com hack say things like this:

For the expert to say, "it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports" when not doing the basic research to know if the site was actually running Joomla really brings into question both the credibility of the expert as well as the reporter that quoted said expert.

It "could be" any software package that manages Web sites, because any of them "could have" been the application behind the site in question. Naming a specific Web application in such a manner without being certain it is the one managing the site is ethically and morally wrong if not legally.

Amen. Whether Joomla was simply a convenient scapegoat or a likely culprit, the reporters and "security experts" did a shoddy job by unfairly and inaccurately allocating blame to Joomla. Time for a retraction? The days of being able to casually blame open source for being a security risk are long gone. Time for the "security" community to wake up.


Disclosure: I work for Alfresco, which both competes with and partners with/supports the Joomla open-source WCM project. And, yes, I quite like Joomla.

December 10, 2008 7:37 AM PST

Microsoft IE breached by new attacks

by Matt Asay

There is no question that Microsoft's Internet Explorer has become more secure over time. There's also no question that with roughly 69 percent of the global browser market, IE remains a meaty target.

It is therefore not surprising that IE is under attack, though perhaps the recent breach of fully patched IE is surprising, as The Register reports:

The attacks target a flaw in the way IE handles certain types of data that use the extensible markup language, or XML, format. The bug references already freed memory in the mshtml.dll file. According to IDG News, exploits work about one in three times, and only after a victim has visited a website that serves a malicious piece of javascript.

As usual, there is browser security and then there's "user of the browser security." I suspect that the former is pretty strong with IE, but the latter...? Well, if someone wants to foolishly visit suspect sites, perhaps they're getting what they deserve.

November 24, 2008 6:37 AM PST

IE, Firefox, and the add-on security problem

by Matt Asay

Microsoft blames add-ons for its Internet Explorer security woes, according to InternetNews, yet in separate news from TechCrunch, Mozilla's Firefox just hit its one billionth add-on and still delivers better security, according to several studies.

Is Microsoft out of line?

Probably not. Microsoft is almost certainly right to pin some blame on add-on functionality to the browser as a security vulnerability. But given that add-ons are a fact of life now, what is Microsoft doing to protect its IE users against malware attacks?

Plenty, and perhaps in the most important place: the update service. Both IE and Firefox include automatic update services, but researchers for the Honeypot Project discovered that Firefox's mechanism may actually be more effective:

We suspect that attacking Firefox is a more difficult task as it uses an automated and "immediate" update mechanism. Since Firefox is a standalone application that is not as integrated with the operating system as Internet Explorer, we suspect that users are more likely to have this update mechanism turned on. Firefox is truly a moving target. The success of an attack on a user of Internet Explorer 6 SP2 is likely to be higher than on a Firefox user, and therefore attackers target Internet Explorer 6 SP2.

The Honeypot research was done in 2007, however, on older versions of both IE and Firefox and, as Sean Michael Kerner writes in InternetNews, the game may have moved on, and neither Firefox nor IE may be fully ready to "play":

...

October 29, 2008 9:07 AM PDT

Um, Android *is* open source, right, Google?

by Matt Asay

One of the fundamental freedoms of open source is the right to view source code. This freedom is at the heart of open-source security.

It's therefore discouraging, as Techdirt notes, to see Google criticizing Charlie Miller, a security researcher, for revealing a security flaw in its open-source Android platform. Indeed, as CNET reports, Google went a step further and claimed the researcher broke "unwritten rules" in disclosing the flaw.

Huh? Isn't that what open source is all about?

Imagine what would happen to Linux, Apache, MySQL, or other open-source projects if developers followed Google's counsel and stopped reporting bugs, security flaws, etc.

It's possible that Google didn't like Miller's motives or the way in which he announced the flaw, as some have suggested, but in open source form follows function. The "function" is disclosure of code. The form of disclosure? Well, that's a secondary concern.

Google should be grateful for the review Miller and others are giving its Android code. This is how open source improves.

October 27, 2008 2:15 PM PDT

Mozilla experiments with open security

by Matt Asay

It seems like in just about every department, Mozilla does things right. As a case in point, I was gratified to read CNET's interview with Mozilla's security maven, Window Snyder. Window's first name notwithstanding, she makes it clear that Mozilla groks security:

At a lot of companies, there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it...We benefit from being open; it's the model for us and it's been successful for us.

It's an interesting article, one I encourage you to read. It's just one more reason to choose Mozilla and its open-source products like Firefox.

September 18, 2008 9:07 AM PDT

If Palin's e-mail can be cracked, yours can too

by Matt Asay

Putting aside the rectitude of using a public e-mail service like Yahoo Mail for government business, as Alaska governor and U.S. vice presidential candidate Sarah Palin has done, if her e-mail was so easily hacked, how private do you think yours is?

The answer? Your only hope may be to keep so low key that no one cares about hacking your e-mail.

I'm willing to bet that most public figures keep Gmail, Yahoo Mail, Hotmail, etc. accounts, though most probably don't use them for public duty. Is it really as easy as wanting to crack them to be able to do so? The methods used are not yet known, but the hackers wouldn't have had much time. Despite it being somewhat common knowledge in Alaska that Gov. Palin uses private Yahoo e-mail accounts regularly, the news doesn't appear to have hit the national stage until the last week or so.

In other words, as soon as hackers had interest, they got access. This should be of concern to anyone using an e-mail service like Gmail or Yahoo Mail. Is our e-mail privacy only as durable as our anonymity? Security through obscurity, indeed.


Update: Ars Technica has details on a possible first-person account of how Governor Palin's e-mail was hacked.

August 27, 2008 6:37 AM PDT

Linux servers under the Phalanx gun: A problem with people, not code

by Matt Asay

As The Register reports Wednesday, Linux servers are increasingly under attack from Phalanx2, a "self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor."

According to The Register:

The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

The U.S. Computer Emergency Readiness Team has recommended an approach to counteracting the risk, but this is where Linux (and Windows and Solaris and...) security meets reality: Linux may be inherently more secure as a system, but ultimately security is a question of process and people, not merely code.

Administrators must apply the patches. If Linux server administrators are anything like Oracle server administrators--65 percent of whom never install critical security patches--then Linux security will be as fallible as that of any other system. If IT administrators won't secure Linux, it won't be secured.

Much is made about security in open source, and often for good reason. But judging from the lack of chatter on the Web about the Phalanx attacks, I'm not optimistic that we're responding fast enough as a community to this new security breach.

About The Open Road

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to the Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is general manager of the Americas division and vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET.
