Quick update, OpenOffice now ships with macro security set for 'High' so that "Only signed macros from trusted sources are allowed to run. Unsigned macros are disabled". By going to Tools -> Options -> OpenOffice.org -> Security -> Macro Security You can also set the security level to 'Very High' so that "Only Macros from trusted file locations are allowed to run. All other macros, regardless whether signed or not, are disabled." So if you are concerned with these articles, use OpenOffice.

Listening to CBC's Search Engine Podcast (which was removed by CBC sadly) I was reminded again of how much our perceptions of security have changed and how much organizations and activists need to do to be mindful of the people they are working to support. For those folks who missed the news on this item, the office of the Dalai Lama brought in the Munk Centre for International Studies' Citizen Lab to investigate some issues they were having with their computers. Turns out that an Microsoft Word document containing a Trojan horse that allowed the attacker to list and access any documents available to their computer (including on their networks), any keystrokes made on that computer and even allowed the attacker to turn on the victim's webcam and see/hear their conversations. This large-scale cyber spying operation was given the name GhostNet.

Now this has been possible for a long time, in fact the code for the Trojan horse that was used can be downloaded from the Internet and manipulated by hackers for all kinds of purposes. What's new is that the folks from the Citizen Lab were able to backtrack and access the control server that was directing these hacks. They were also able to identify that the attackers seemed to have a political target as this Trojan horse was distributed through crafted email and attachment concerning Tibet. Now given that the control server was hosted in China, that the interface was written in Chinese and that China has a strong interest in monitoring activists concerned about their occupation of Tibet, it is most likely that Chinese intelligence is behind this. This is a concern, but not my main one.

One of the reasons given about why the government should worry about open source software is security.  I'm rather tired of this argument, so after hearing it one too many times, I decided to take some action. 

The concern is that if a piece of software is open for everyone, including hackers, it will be more vulnerable. This has been shot down any number of times, with some of the best known arguments stemming from the idea that many eyeballs will give you better confidence in the security of your software. Others security experts that have argued that good open source software is as secure as proprietary software and will likely have fewer bugs. 

However, most arguments are looking at security on an application level rather than a system level. When looking at websites, you have to look at all of the elements which a hacker can gain access to, not just a single application. 

It is well known that every software project will eventually have security issues that need to be addressed through patches or newer releases of the code.  If there isn't a techie with authority, time and knowledge to apply those security patches in a reasonable time-frame, then you won't have a secure site for long.

I had to write a short note about a concern that was passed along to me about having public facing websites having databases on them.  The opinion passed along to me was that it was insecure to have a database driven dynamic website for a public government department because the database made the whole system less secure. 

I just needed to state clearly that it is the scripting languages that interact with the browser that are the main point of concern, and these are well used in most GoC sites.  Yes, if the .asp or .php scripts that are driving a page were badly written or just not monitored for security issues, adding a database just adds to the possible exploits.  However the problem isn't the database it's insecure code and there is a difference.  All the hacks I've seen have actually expressed through the file system, not the database. 

So everyone knows that the Internet has people out there looking to gain control of your computer using some innovative new malware program that they developed. There are all kinds of reasons to do this, most recently I heard of malware that was targeting Tibetan solidarity NGOs in order to track their communications with people within Tibet. So although sometimes lives are on the line, most of the time though it is just to grab credit card information or to use your computer as a spam bot.