locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sun, 30 Apr 2006 00:00:00 00, 522
A quiet blog month...

My apologies for not publishing as often as I usually do. I've been recovering from traveling, traveling once again to teach Network Security, and busy on the home front.

My wife and I have been working sporadically for nearly three months on a painted kitchen floor that we hope even Debbie Travis would be proud to claim her own. We remodeled our kitchen recently, and having exceeded our original budget by a factor of three (3), we decided we could not justify an entirely new floor. The floor was wood veneer and after 15 years of wear, not suited for a refinishing other than paint.

We opted to hand sand the floor to minimize the dust. Nearly everyone thought we were crazy, but this turned out to be rather simple since nearly all the water-based polyurethane had already been stripped from the floor through wear. We had to do some patching since the cabinetry and island layouts were different in the new kitchen. We then applied two coats of latex primer and the Delft-blue base color (again two coats).

It took us nearly an entire weekend to lay out the diagonal checkerboard design. We used chalk-line and painter's tape (rolls and rolls of it). Molly mixed glaze and a darker blue for the second color and painted the 18-inch blocks. I followed her and did touch up.

This weekend, I finally completed the last coats (4) of sealing polyurethane. Paint and hardware stores carry a polyurethane applicator designed specifically for flooring, and it works extremely well. The hardest part of this process is the preparation between each coat: fine sand the finish, dry sponge the dust, and go over the entire surface when dry with a tack cloth. The last step is important and commonly not mentioned by do-it-yourselfers. The entire process, with ample time for drying, took two full days.

We began with a distressed floor and wanted a distressed look, with wood grain, separation lines, and (intentionally) uneven paint. We also wanted a tightly sealed floor that will hold up to typical kitchen and pet traffic. And we wanted to conceal the two unsightly patches. The result is exactly what we'd hoped for.

I now appreciate why painted floors can be more expensive than hardwood replacement flooring, especially if the customer and design are intolerant of the least imperfections:-)

I'll post pictures once we have the furniture in place.

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID522 by Dave Piscitello  


Fri, 28 Apr 2006 00:00:00 00, 521
Misery blesses company...

In my Blogs 453 and 462 I rant about my frustrations with Adobe Acrobat. I received a comment recently that shows that not only does misery love company, but sometimes the mere existence of company is deemed a blessed event. Stephanie writes:

Dave

Bless you. I found your blog while searching for acrostan.msi on the internet. I don't feel so badly about my frustrations with Adobe Acrobat Standard or Reader now that I've seen your rant. Word for word, I've lived it...and again today. This has happened to me too often.

Thanks,

Stef

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID521 by Dave Piscitello  


Tue, 18 Apr 2006 00:00:00 00, 520
Restricting DNS lookup of isolated names: Sabotage or Self-defense?

A recent thread on bug-traq debates whether Microsoft's DNSAPI DLL deliberately subverts the standard and intended client DNS resolver functionality. The initial post explains that Microsoft embeds certain names from the microsoft.com domain in the DNSAPI DLL and that this action not only prevents these excluded names from being resolved by an external name server, but also prevents the user or administrator from using %\Windows\drivers\etc\hosts to alter the name/address binding locally, e.g., to localhost (127.0.0.1).

Is this, as the poster claims, "yet another example of the sheer breathtaking arrogance of Microsoft's belief that they have the right to control your computer and misdirect the normal flow of operations if they believe doing so to be in their own financial advantage?" or is it a measure to prevent malware from altering the host file and hijacking or disrupting services Microsoft offers, including Windows Update? You make the call.

Every so often, someone on this list loses patience with the folks who try to garner credibility and support by bashing Microsoft. In this case, "Thor (Hammer of God)" offered such a deliciously worded reply I can't resist sharing an excerpt:

I think the noted objections are a bit hyperbolic. (Or as Dr. Tom Shinder would say, a "Creative Interpretation.")

Statements like "deliberately sabotaged," "corrupting the resolver," and "intentional dns poisoning" sound like something Steve Gibson would say. It's a local hosts-file entry filter, and is in the API.

In one bold stroke, Thor aptly whacks *two* anti-Microsoft moles. Brilliant! But wait, there's more! On the finishing stroke, he adds value by making the following observations:

Malware hosts-file modification is common-- it makes sense for Microsoft to do this, though again, it would have been nice to see this functionality mentioned in the SP2 documentation. If administrators are really freaked about this, then they can block in their own internal DNS, proxies, firewalls, etc... This boils down to a "home user" issue, and thus, I think the decision to create exceptions was smart.

If one doesn't want auto-updates on, then turn them off.

Thanks, Thor. Wield that Mighty Hammer more often!
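To make the behavior under discussion concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) of a client resolver that applies a hosts-file entry filter for a protected set of names, together with an audit that flags hosts entries trying to rebind those names. The PROTECTED set and the hosts-file content are constructed placeholders; the post says only that "certain names from the microsoft.com domain" are embedded, not which ones.

```python
# Added example, not code from the original post or from Microsoft: a model
# of a resolver with a hosts-file entry filter (as described for DNSAPI) plus
# an audit for tampered hosts entries. PROTECTED and HOSTS_TEXT are constructed.
import ipaddress

# Assumed protected names; the post only says "certain names from the microsoft.com domain".
PROTECTED = {"windowsupdate.microsoft.com", "update.microsoft.com"}

# Constructed hosts-file content, including one hijack-style entry.
HOSTS_TEXT = """\
127.0.0.1   localhost
# a comment line
127.0.0.1   windowsupdate.microsoft.com   # would redirect update traffic
10.0.0.5    intranet.example   intranet
not-an-ip   broken.example
"""

def parse_hosts(text):
    """Return {name: ip} from hosts-file text; comments are ignored, later entries win."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed lines instead of trusting them
        for name in fields[1:]:
            table[name.lower()] = ip
    return table

def resolve(name, hosts, dns_lookup):
    """Consult the hosts file first, except for filtered names, which always go to DNS."""
    name = name.lower()
    if name not in PROTECTED and name in hosts:
        return hosts[name], "hosts"
    return dns_lookup(name), "dns"

def audit_hosts(hosts):
    """Return protected names that a hosts file tries to rebind: a sign of tampering."""
    return sorted(name for name in hosts if name in PROTECTED)

if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    fake_dns = lambda n: "203.0.113.10"  # constructed stand-in for an upstream answer
    print(resolve("WindowsUpdate.microsoft.com", table, fake_dns), audit_hosts(table))
```

The filtered name falls through to DNS even though the hosts file maps it to 127.0.0.1, which is exactly the binding the original poster complained he could not override; the audit shows how an administrator could still detect that the hosts file had been edited.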

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID520 by Dave Piscitello  


Thu, 13 Apr 2006 00:00:00 00, 519
Casting Ballots for Inventor of the Firewall

In my blog ID#516 I questioned the accuracy of Network World's claim that Shlomo Kramer, et al. deserve credit for inventing the firewall. While I did not actually call for a vote, balloting has indeed begun!

Dear Dave

I vote for DEC as a company. Along with Marcus Ranum, you may add Fred Avolio, while he was at DEC, for crafting the SEAL, then the FWTK at TIS. Ask either Marcus or Fred. They'll tell you the truth, as these are not the type of guys who boast about themselves.

My own background: I installed the first ones in France around 1992 or 1993, then the first Gauntlet.

Best regards,

Olivier CALEFF, Senior Security Consultant

Thanks, Olivier. FWIW, my interest in firewalls was kindled from Marcus' "Thinking about Firewalls", which is a classic work and must reading for any would-be security expert. I tinkered with the Firewall ToolKit in 1993, and Fred Avolio was responsible for shipping me my first commercial firewall, a TIS Gauntlet, in 1994.

Is it any wonder that I have steadfastly endorsed proxy-based security all these years?

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID519 by Dave Piscitello  


Thu, 06 Apr 2006 00:00:00 00, 516
Inventor of the firewall?

Most of us know Al Gore did not invent the Internet, but only a handful of folks have been involved in Internet Security long enough to recall the chronology of events leading to the invention of the firewall. In 20 people who changed the industry, Network World gives Shlomo Kramer and fellow Check Point colleagues credit for inventing the firewall.

I question the accuracy of this claim. Cisco's article, Evolution of the Firewall, offers this chronology of events, which is closer to my own recollection:

The first generation of firewall architectures has been around almost as long as routers, first appearing around 1985 and coming out of Cisco's IOS software division. These firewalls are called packet filter firewalls. However, the first paper describing the screening process used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital Equipment Corporation published his studies.

During the 1989-1990 timeframe, Dave Presotto and Howard Trickey of AT&T Bell Laboratories pioneered the second generation of firewall architectures with their research in circuit relays, which are also known as circuit level firewalls. They also implemented the first working model of the third generation of firewall architectures, known as application layer firewalls. However, they neither published any papers describing this architecture nor released a product based upon their work.

As is often the case in research and development, the third generation of firewall architectures was independently researched and developed by several people across the United States during the late 1980's and early 1990's. Publications by Gene Spafford of Purdue University, Bill Cheswick of AT&T Bell Laboratories, and Marcus Ranum describing application layer firewalls first appeared during 1990 and 1991. Marcus Ranum's work received the most attention in 1991 and took the form of bastion hosts running proxy services. Ranum's work quickly evolved into the first commercial product—Digital Equipment Corporation's SEAL product.

Around 1991, Bill Cheswick and Steve Bellovin began researching dynamic packet filtering and went so far as to help develop an internal product at Bell Laboratories based upon this architecture; however, this product was never released. In 1992, Bob Braden and Annette DeSchon at USC's Information Sciences Institute began independently researching dynamic packet filter firewalls for a system that they called "Visas." Check Point Software released the first commercial product based on this fourth generation architecture in 1994.

During 1996, Scott Wiegel, Chief Scientist at Global Internet Software Group, Inc., began laying out the plans for the fifth generation firewall architecture, the Kernel Proxy architecture. Cisco Centri Firewall, released in 1997, is the first commercial product based on this architecture.

I'm curious how Kramer invented the dynamic packet filtering firewall before Cisco's IOS crew developed static packet filtering. I could be persuaded that Kramer, et al., experimented with stateful packet inspection at approximately the same time as Bellovin and Cheswick.

If Shlomo Kramer did invent the firewall, someone ought to be able to corroborate the claim. When I receive it, I will be more than happy to publish it in my blog. Until I see evidence to the contrary, I'll conclude that Cisco's version of history is more accurate and less revisionist than NWW's Top 20.

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID516 by Dave Piscitello  


Tue, 04 Apr 2006 00:00:00 00, 517
DNS DDoS Amplification Attacks

The attack launched against Joker.com last month is the latest in a series of attacks that have been directed at TLD and registrar name servers for several months. The attacks are very effective and illustrate how vulnerable the Internet remains while we refuse to implement source IP address validation on a large scale.

On behalf of the ICANN SSAC, I gave a presentation on DNS DDoS Amplification attacks at the ICANN meeting in Wellington NZ. The presentation is based on an SSAC Security Advisory I prepared on behalf of the committee. SAC008 describes representative incidents, identifies the impacts, and recommends countermeasures that TLD name server operators can employ for immediate and long-term relief from the harmful effects of these attacks.

My presentation is included in the SSAC Workshop presentation (local copy).
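As an added illustration of the source IP address validation this post says is still missing at scale (my own example, not from the post or from SAC008), here is a model of ingress filtering at a customer edge: packets whose source address is not within the customer's delegated prefixes are dropped, so forged-source DNS queries never reach a name server and never produce an amplified response toward the victim. The prefixes and packets are constructed from RFC 5737 documentation ranges.

```python
# Added example, not from the post or SAC008: source address validation
# (ingress filtering at the customer edge) applied to outbound packets.
# Prefixes and packets below are constructed from RFC 5737 documentation ranges.
import ipaddress
from collections import Counter

# Assumed: prefixes delegated to the customer behind this edge router.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

# Constructed outbound packets as (source, destination, destination port).
PACKETS = [
    ("192.0.2.10", "203.0.113.53", 53),      # legitimate query from the customer
    ("198.51.100.7", "203.0.113.53", 53),    # legitimate query
    ("198.51.100.200", "203.0.113.53", 53),  # outside the /25: forged source
    ("203.0.113.77", "203.0.113.53", 53),    # forged: a victim's address as source
    ("203.0.113.77", "203.0.113.54", 53),    # same forged source, another name server
    ("192.0.2.44", "203.0.113.80", 443),     # legitimate non-DNS traffic
]

def source_is_valid(src, prefixes):
    """True when src falls within a prefix the customer is entitled to originate."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in prefixes)

def ingress_filter(packets, prefixes):
    """Forward packets with valid sources; count dropped packets per forged source."""
    forwarded, dropped = [], Counter()
    for src, dst, dport in packets:
        if source_is_valid(src, prefixes):
            forwarded.append((src, dst, dport))
        else:
            dropped[src] += 1
    return forwarded, dropped

def spoofed_dns_queries(packets, prefixes):
    """Forged-source packets aimed at port 53: the queries a reflection attack relies on."""
    return [p for p in packets if p[2] == 53 and not source_is_valid(p[0], prefixes)]

if __name__ == "__main__":
    fwd, drop = ingress_filter(PACKETS, CUSTOMER_PREFIXES)
    print(len(fwd), "forwarded;", dict(drop), "dropped by forged source")
```

Without the filter, all three forged queries would reach the name servers and each would trigger a response (typically far larger than the query) to 203.0.113.77, which is why the post treats source address validation as the structural fix rather than something name server operators can solve alone.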

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID517 by Dave Piscitello