
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 31 Jul 2009 00:00:00 00, 737
PWNIE Awards 2009 were, well, puny...

My initial reaction on reading the winners of the 2009 Pwnie Awards was: how could Conficker *not* win the Mass 0wnage award but instead be acknowledged as the Most Overhyped Bug?

Apologies to the *nix crowd, but awarding best mass 0wnage to OpenSSH on the basis that "nobody is quite sure how many systems were compromised or what other keys and packages the attackers were able to access" and erosion of "public trust in the integrity of Red Hat packages" is kinda lame. This result reminds me of all the Miss America pageants I've watched where the unequivocal "10" among the contestants is runner-up to the annual busty, big-haired blonde from a southwestern state.

Microsoft Windows MS08-067 Server Service Worms (CVE-2008-4250), best known from the coverage of the Conficker/Downadup worms, is among the runners-up. Having had the opportunity and privilege of working closely with several members of the Conficker Working Group, I'm disappointed that the efforts of the folks who pursued Conficker month after month are overshadowed by a less deserving Mass 0wnage nominee.

I get that the Pwnie awards are not to be taken seriously. I get that the kinds of folks who even know what a PWNIE award is grew tired of the near real time streaming press Conficker/Downadup coverage. I even get why they dubbed this year's Most Overhyped Bug the InfoSec Press Full Employment Act of 2009. But my occasionally serious side reminds me that lots of really talented, dedicated individuals labored long and hard to contain Conficker. By choosing the geek-chic route, the PWNIE folks not only took pot shots at the 4th estate but disrespected all the folks who helped contain Conficker.

They deserve better.

Archived at http://www.securityskeptic.com/arc20090701.htm#BlogID737 by Dave Piscitello  


Tue, 05 May 2009 00:00:00 00, 727
Electronic crime: facts, figures, frustrations, and fixes

Originally archived at http://www.securityskeptic.com/arc20090501.htm#BlogID727 by Dave Piscitello, now found here.


Thu, 26 Mar 2009 00:00:00 00, 723
IETF 74 IPv6 panel: Seven Stages of IPv6 Adoption

Shining a humorous light on IPv6 Adoption to attract a large, interested audience is a laudable effort. But technology, like humor, resonates with some audiences and not others. For example, picture a British comedian doing a 10 minute stand up routine about cricket for the residents of Azure, Montana in January: not a lot of folks around, fewer who'll attend, fewer still who'll have a clue what cricket is, and even fewer who'll care. The witty Brit has a better shot at finding an appreciative audience if he performs at the London or Marylebone Cricket clubs.


Lesley Daigle's slide, Today's Topic

It's no surprise, then, that the Internet Society chose to host an expert panel to discuss the need to adopt Internet Protocol version 6 at the 74th meeting of the IETF. The IETF is unquestionably a better venue than Azure to discuss IPv6. The number of IETF attendees is greater than the number of residents in Azure. Many will attend, some merely to congratulate themselves again for advancing the version number 15 years ago. A fair number of them know what IPv6 is, and some portion of those who know, care. The panel experts offered a number of interesting comments:

  • Jari Arkko posited that "most of the deployment effort is practical: training, vendors, plans, configuration".
  • Lorenzo Colitti suggested "Do it in stages: IPv6 needn't be as capable as IPv4 on day one".
  • Alain Durand explained that we must acknowledge that IPv4 - and IPv4-only hosts - will be around for a very long time, so we need an IPv6 transition bridge. Kurtis Lindqvist corroborated Alain's claim, saying "the gap between IPv4 'islands' and IPv6 'islands' needs to be bridged". Both discussed a "dual-stack lite" scenario, where stub networks use and share IPv4 addresses to reach gateways that support IPv4/IPv6 tunneling and provider NAT.
  • Sebastian Bellagamba suggested that governments set up an industry/government/academic outside group of advisors, task them with producing an action plan, and talk to their IT suppliers to ensure continuity of supply in the transition to IPv6.

I confess that I'm left a bit empty by the presentations and would have asked a few questions had I been in the audience:

  • Jari, isn't it both late in the game and disingenuous to dismiss the expensive and time-consuming aspects of building networks as merely the "practical matters"? Why hasn't the outreach from RIRs and the IETF moved beyond lamenting IPv4 address exhaustion to include training and deployment/configuration best practices over the past five years?
  • Lorenzo, IPv4 is a lamentable mess with respect to security yet you suggest v6 needn't be as capable? I can't imagine any organization stepping from the frying pan into the fire. Comments like this are more likely to stimulate an IPv4 black market than IPv6 adoption.
  • Alain and Kurtis, thanks for showing some common sense by acknowledging the long tail *and* NAT. Can you please shake the same sense into the heads of the "you must adopt IPv6 pervasively to restore the end-to-end communications model" zealots? They are scaring my users.
  • Sebastian, isn't IETF the "industry/government/academic outside group of advisors"? It was 20 years ago. Where's the action plan, folks? More importantly, why haven't governments been insisting on IPv6 for the last 10 years?

I know the answer. So does Russ...

Russ? Only Russ Housley among the expert panelists understands the real problem. I saved Russ Housley's comment for last: "until the IPv4 addresses are actually scarce, there is little economic incentive to actually deploy IPv6". This is truer in today's economic crisis than in years past, and the clock is ticking. Fortunately, even on the eve of exhaustion, there's good reason to believe IPv6 adoption will succeed. The single biggest reason for optimism that IPv6 will work is that it really didn't push the envelope past IPv4 in the most critical areas: DNS and routing. IPv6 is simply not so different from IPv4 that it will take eons to deploy. The IETF might have made the situation less urgent by dealing with mundane, "practical" matters. The IPNG winners could have taken fewer victory laps and paid more attention to a tractable transition plan. But in fairness, the IETF, and standards folks in general, don't always decide which projects to fund. So we come full circle, and arrive again at Russ' assertion that there's no economic incentive to deploy IPv6.

Of course, we are experiencing an unusual economic time, and the rallying cry of every economist seems to be "stimulus". Only scant months ago, the Internet Security Alliance urged the Obama administration to assist in securing the nation's cyber infrastructure by providing market incentives (see my blog #714). While governments get serious about securing the infrastructure, surely they could earmark a few billion more so that the infrastructure provides connectivity to the next generation of users, including the next-gen inhabitants of Azure, Montana. Think of the jobs, the spending, the stimulus!

Archived at http://www.securityskeptic.com/arc20090301.htm#BlogID723 by Dave Piscitello  


Sat, 28 Feb 2009 00:00:00 00, 718
Just once...

I received an unsolicited-but-you-subscribed-so-too-bad email from Network World today publicizing an analyst report claiming "Load Balancers are dead". I've reproduced the copy below:

Don’t be one of many IT shops hanging on to a load balancer that’s past its prime.

Fudster says it’s time to ditch your load balancer for an application delivery controller (ADC). Find out why in this white paper.

If you’re still using load balancing technology of a decade ago, you’re missing out. Improve application performance and security, increase the efficiency of your data center infrastructure and give your virtualized data center deployment a boost. You can meet all of these goals with a modern ADC.

...

This white paper is available for a limited time only! Check it out today:

Just once, I'd like to see an industry segment push back on market push using similar copy. I'd delight, for example, to receive an email like this:

Don’t be one of many IT shops hanging on to a Fudster Report that’s past its prime.

Load balancer companies say it's time to ditch your Fudster Report for one not mired in F.U.D. and fantasy, frivolously suggesting a forklift of equipment that's still useful during a time of economic crisis when, honestly, aren't you a tad worried whether you'll still be in business in 2010? Find out why in this white paper.

If you’re still using Fudster Reports, you’re missing out. We really want you to improve application performance and security, increase the efficiency of your data center infrastructure and give your virtualized data center deployment a boost. However, you may meet all of these goals by following the advice of a different analyst, or (here's a thought), engaging a networking consultant with a clue who will actually come to your data center, work with your IT, and help you get the most from your existing infrastructure, at a fraction of the cost.

...

This white paper is available for a limited time only! Check it out today

Archived at http://www.securityskeptic.com/arc20090201.htm#BlogID718 by Dave Piscitello  


Mon, 26 Jan 2009 00:00:00 00, 716
Phishing: a low-paid, low-skills enterprise?

Originally archived at http://www.securityskeptic.com/arc20090101.htm#BlogID716 by Dave Piscitello, now found here.


Mon, 26 Jan 2009 00:00:00 00, 716
Security joins the ranks of industries seeking handouts

The Internet Security Alliance is urging the Obama administration to assist in assuring that the nation's cyber infrastructure is secure by, you bet, providing market incentives "to spur industry to adopt security procedures to protect cyber infrastructure." ISA's president is quoted as saying, "Virtually every aspect of American life is now dependent on this electronic infrastructure, which is under attack and is growing increasingly vulnerable". He adds that neither the voluntary partnership model of the Bush Administration nor a centralized set of regulatory mandates are appropriate responses, implying that federal funding of private companies, as in the NSF years, is the most practical solution.

Much as I'd like to see security improve, I'd first like to understand why the voluntary partnership that was so strongly advocated for so many years has suddenly fallen out of favor. What does this admit? One interpretation is, "we can't do it on our own". The task is too large, the cost is too great, the talent is lacking? Those are scary admissions and would seem as likely to cause certain Congressmen to call for greater regulatory oversight as to cause other Congressmen to reach for the federal check book.

Why not greater regulatory oversight? A radical measure, admittedly, but look at the argument ISA makes: every aspect of American life is now dependent on this electronic infrastructure, which is under attack and is growing increasingly vulnerable. This paints as dire a circumstance for the future of the Internet as post-9/11 preparedness reports painted of other infrastructures, and look where those reports took us. Talk about painting yourself into a corner...

Another interpretation is that the security industry doesn't want to miss out on the federal free lunch. Yes, that's a shift from skeptic to curmudgeon.

My $.02. If ISA wants the feds to infuse the industry with funding to improve security, present the Obama administration with a plan that explains how it intends to infuse secure coding practices, improve security and resiliency in the core TCP/IP infrastructure, naming and numbering systems, and assert a global baseline of secure operating practices. Work with the administration to establish auditing and accountability frameworks to assure that federally funded security initiatives bear fruit and are not merely ways to perpetuate F.U.D. and grow market shares.

Tall order, indeed.

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID714 by Dave Piscitello  


Sat, 08 Nov 2008 00:00:00 00, 708
Is the 'net generation unfit to serve as jurors?

The most senior judge in the United Kingdom thinks so, but is it true?

According to a Telegraph.co.uk article, the Lord Chief Justice says, "it might be better to present information for young jurors on screens because that is how they were used to digesting information", suggesting that the generation of young adults who were raised with Internet access get most of their information by reading and referring to what is published on the web. He asserts that, "They are not listening. They are reading."

While it's hard to argue that young people don't read, learn, and publish via the web, I'm struggling to find the issue here. When did reading become a poorer learning skill than listening? How can you find fault with any medium that encourages children and adults to practice skills our education systems have repeatedly failed to improve? Moreover, why would anyone as learned as a chief justice conclude that if you learn mostly by reading, you don't know how to learn by listening?

The Lord Chief Justice fails to appreciate the breadth of today's Internet experience. "Print" is only one component of today's web. Yes, young adults most certainly read what is printed on the web. However, they listen a great deal more than the judge gives them credit for. The Lord Chief Justice fails to consider the emergence of the podcast and the growing popularity of this medium across all age groups.

Podcasting popularity has expanded dramatically (see image, courtesy of the Pew Internet and American Life Project)



According to Pew Internet and American Life Project, podcasting isn't simply popular for downloading music. National Public Radio is a signal example of how podcasts empower individuals to access broadcast news and editorial content at their convenience. In fact, so many publishers use this medium today that podcasts are available for nearly every subject you might find blogged or published online. Technology, comedy, religion, science, news, editorial and business are among widely available topics. Podcasts are now a common complement to the learning experience at colleges and universities and are even an acceptable submission form for course assignments.

Young adults are aggressive adopters. This is only natural given that the generation of the 18-25 age group is the first where many children held a mouse before they held a pen. Podcasting and Internet immersion potentially make the Web savvy generation more informed and better qualified than any prior generation. Lord Chief Justice, I respectfully suggest you've underestimated the web-savvy generation.

(While you are mulling over podcasting, you might want to also look at how voice over IP is integrated into collaboration software...)

If you must find reason to be circumspect about web-savvy jurors, focus on the challenge young adults face as they try to distinguish fact from opinion in a medium where self-publishing is popular. Certain jurors will no doubt be influenced by biased or erroneous content. Hopefully, attorneys and prosecutors will identify and excuse these during jury selection. Be optimistic, however, that the ratio of knowledgeable to uneducated jurors will improve. Moreover, the ability of naive jurors to separate fact from fiction will improve as all jurors are increasingly afforded greater exposure to information. Stop worrying that the legal system will fail because we are not listening. Instead, leverage all Internet media to the benefit of the legal system. Educate and encourage young adults to seek out reputable sources that adhere to traditional publishing standards, peer review and emerging reputation-building systems. If we are successful, the web- and podcast-savvy generation could be the most informed and formidable jurors ever.

Archived at http://www.securityskeptic.com/arc20081101.htm#BlogID708 by Dave Piscitello  


Fri, 05 Sep 2008 00:00:00 00, 703
My switch is greener than yours?

In football, offensive teams use misdirection plays to neutralize the strongest player(s) on the defense. At the onset of the play (the snap), linemen block to the right to "pull" the defense in that direction and the quarterback hands the ball to a running back who runs to the left. If the defense responds too quickly to the motion of the linemen, the running back will have more open field to the left to advance the ball. The play succeeds if the misdirection is convincing. Misdirection is also found in politics: my favorite was the "Look, there's Osama Bin Laden" campaign used to focus the attention of the American public on the war against terrorism and distract its attention from the economy, infringements on Constitutional rights, Supreme Court selection, ...

Misdirection is readily found in marketing as well. Today, I saw a commercial on cable where Nortel portrays Cisco as a decidedly un-green machine. The commercial portrays a succession of execs, presumably CFOs because they don't look very techie, lamenting hundreds of thousands of dollars spent on electricity to power Cisco Systems equipment. Misdirection, right? If you let Cisco power your network, the cost of powering your network will break you. Al Gore will no doubt include dire warnings about Cisco switches in his campaign against global warming.

In football, the misdirection play only succeeds if the deception is convincing. Here, Nortel marketing is telling you that energy efficiency is a priority criterion when selecting networking gear. If you care about future generations, you must focus your attention on the global energy crises and you must buy our brand. But... what about performance, reliability, capacity, administration, feature set and security? Oops, the deception failed.

Of all the possible ways to misdirect with marketing, why did Nortel choose energy? OK, so it's a global warming issue. Perhaps some net admins of a major Cisco account complained overly long and loudly about rising energy costs in their data centers. Perhaps studies conducted by independent testers concluded that Cisco Systems gear really does ring up staggering electricity bills and Nortel's gear does not.

What happens when the defense doesn't react to the deception? Often the running back is hit behind the line of scrimmage for a big loss in yardage. Nortel's marketing called a bad play, and lost yardage here. How? As a net admin of a large corporate network, I'd struggle not to laugh the next time someone from Nortel came to "talk product". If I were less gentle-minded, I might dim the lights in the conference room when they arrived. I'd thank the Nortel folks for the warning about energy consumption, point to the absence of light (can you do that?) and ask them what else we might do to reduce our energy costs.

Nortel probably *does* have products that compete head-to-head with Cisco Systems. This campaign does nothing to shed light on those products. Send the marketing team back to training camp.

Archived at http://www.securityskeptic.com/arc20080901.htm#BlogID703 by Dave Piscitello  


Mon, 25 Aug 2008 00:00:00 00, 700
Trust and the Future of the Internet

Originally archived at http://www.securityskeptic.com/arc20080801.htm#BlogID700 by Dave Piscitello, now found here.


Thu, 13 Mar 2008 00:00:00 00, 678
Hype-cycle management

Originally archived at http://www.securityskeptic.com/arc20080301.htm#BlogID678 by Dave Piscitello, now published here.


Mon, 11 Feb 2008 00:00:00 00, 671
The IPv6 bandwagon: empty and unprotected

Who is Cary Duffy Marsan and why is she so interested in IPv6 when (apparently) few others are?

Cary Duffy Marsan is Senior Editor, Enterprise Applications for Network World magazine. Why she is interested in IPv6 is a mystery, but she has done some "responsible journalism" by publishing a series of articles on IPv4 address exhaustion (February 2008) and transition (switching) to IPv6 (December 2007). The February 2008 article, "Who's afraid of IPv4 address depletion? Apparently no one.", has particularly dismal statistics from BT INS, who claim that only 1 in 3 service providers support IPv6 and 2 per cent of IT professionals have migrated their organizations to IPv6. Yes, two (2), and if that's a misprint, it's not mine.

Comments posted to both articles are predictable: NAT will save us. No, it will not. China will have IPv6, so it's well past time for the US to enter the addressing arms race. Sigh...

The December 2007 interview with Jim Bound, IPv6 guru, is not much help. Bound is quoted as saying, "There’s no one-size-fits-all transition plan. The first thing is to upgrade the infrastructure. You need to get your network plumbing in order so that IPv6 can co-exist and be interoperable with IPv4."

No "one-size-fits-all" transition plan? There's no plan, period, Jim. If "NAT will save us" is the war cry of the IPv6-averse part of the community, then "dual stack will save us" is the counter-cry of the IPv6 advocates who've left the hard nuts in deployment for someone else to crack. Dual stack frustrates me to no end. It's engineering hand-waving, blue smoke and mirrors. It's interesting in the context of a core switching infrastructure but offers relatively little insight at the network edge, where many of us operate, and on endpoints, where nearly all of us live. Here's a tough nut to crack, folks: endpoints that have only IPv4-addressed interfaces will hang around for decades, and before they disappear entirely from the face of the addressable universe, the number of addressable *public* interfaces will exceed 2**32; in fact, you'll have endpoints with IPv6-only addressable interfaces long before then.

Everyone is worrying about address exhaustion, and this thinking is too narrow. Whether you think IPv4 address exhaustion is imminent or not, you better be thinking about ways you will accommodate *application* communications between IPv4 and IPv6 only hosts, not only for client-server applications but peer to peer as well, because apparently, few others are.

And while you're expanding your thinking regarding IPv4 and IPv6, think a bit more carefully about security. As my study of IPv6 firewall support among commercial firewalls suggests, few others are thinking about this issue as well.

Archived at http://www.securityskeptic.com/arc20080201.htm#BlogID671 by Dave Piscitello  


Fri, 18 Jan 2008 00:00:00 00, 667
Hello? It's a SECRET ballot

Voting is a privilege in the United States (our Constitution does not guarantee a "right to vote", only that our Congress is elected by "The People"). Voting is conducted as a secret ballot to assure integrity of the process, i.e., to ensure that a citizen is not coerced into voting for a particular candidate.

We hold primary elections to choose candidates for presidential elections. As we approach the dates for the South Carolina primary elections, campaigners and pollsters are as numerous, annoying, and *destructive* as locusts.

Destructive? Absolutely.

IMO, asking a citizen to disclose who he (or she) intends to vote for compromises the intended private act of casting a ballot. It's no different from asking an individual to share what he'll use as a password or PIN. Aggregating responses by citizens who treat the privilege of voting so lightly that they willingly disclose their vote undermines the integrity of the vote in several, destructive ways.

  • No pollster or campaigner has asked me if I am a citizen and entitled to vote, nor can they verify any claim that I make in this regard. This taints the sampling.
  • Pollsters and campaigners have no way to determine if I lie or if I will change my vote; this, too, taints the sampling.
  • Pollsters and campaigners cannot demonstrate statistically that the stated margin of error used to compensate for invalid responses is accurate. The skeptic in me concludes that the published margin of error is one that seems plausible to people who put faith in polls.
  • People who put faith in polls may change their vote or decide not to vote if their candidate is too far behind (or ahead). This is a negative influence that elections can do without.

Primaries will continue for months, candidates will be nominated, and the polling process will persist until and beyond Election Day, November 2008. Don't answer pollsters and campaigners except with the following: "Are you aware that we use a secret ballot in US elections to assure that my and every voter's choice is *confidential*? How are my interests served by disclosing my vote to you?"

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID667 by Dave Piscitello  


Wed, 19 Dec 2007 00:00:00 00, 663
Security and Stability Wish list for 2008

My initial thought was to wrap up 2007 with a list of successes and failures in the areas of Internet security and stability. Too much has already been written on this topic, both fact and FUD. Perhaps this is out of character for a skeptic, but I'll close the year by asking Santa for changes I'd like to see in 2008.

A pragmatic approach to user self-administration. Many organizations lock down every client endpoint. This proves frustrating for three classes of users: those who know little but hate conceding control, those who incorrectly perceive themselves to be power users, and truly knowledgeable users who may know as much as many staff in IT departments. One policy won't fit all here, so let employees choose. Those who choose to have client endpoints locked down get priority support over those who do not. The truly knowledgeable users will solve the majority of problems themselves, from hardware diagnostics to data and OS recovery. The wannabe power users will either learn quickly that they know less than they imagine, or their productivity will plummet.

Take DNS out of the fast flux equation. The efficacy of fast flux hosting is greatly improved when the attacker can flux both the web proxies and the DNS name servers. Some registrars and registries have aggressive anti-abuse policies that prohibit short times to live on A resource records for name servers of domains they manage. Make this an industry-wide practice, either through policy or best practices.
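As an added illustration of the registry policy described above (example code, not from the original post), the script below audits a constructed set of name-server A records against an assumed minimum TTL and reports which domains a registry or registrar would flag; the 3600-second floor, the domain names and the addresses are all assumptions.

```python
"""Audit name-server glue (A) records for TTLs short enough to permit
fast flux of the DNS layer itself. Added example; data is constructed."""
from collections import defaultdict

# Hypothetical policy floor: name-server A records must keep TTL >= 1 hour.
MIN_NS_TTL = 3600

# Constructed sample: (owner name, TTL in seconds, IPv4 address) as a
# registry might see them in a zone file or in captured responses.
SAMPLE_NS_A_RECORDS = [
    ("ns1.example-good.test", 86400, "192.0.2.10"),
    ("ns2.example-good.test", 86400, "192.0.2.11"),
    ("ns1.example-flux.test", 300, "198.51.100.5"),
    ("ns1.example-flux.test", 300, "198.51.100.77"),
    ("ns2.example-flux.test", 180, "203.0.113.9"),
    ("ns2.example-flux.test", 180, "203.0.113.200"),
    ("ns2.example-flux.test", 180, "203.0.113.201"),
]


def parent_domain(name):
    """Strip the host label: 'ns1.example.test' -> 'example.test'."""
    return ".".join(name.split(".")[1:])


def audit_ns_ttls(records, min_ttl=MIN_NS_TTL):
    """Group A records by the delegated domain and summarise per domain:
    the lowest TTL seen, the number of distinct addresses, and whether
    the domain violates the minimum-TTL policy."""
    by_domain = defaultdict(lambda: {"min_ttl": None, "addresses": set()})
    for owner, ttl, addr in records:
        entry = by_domain[parent_domain(owner)]
        entry["addresses"].add(addr)
        if entry["min_ttl"] is None or ttl < entry["min_ttl"]:
            entry["min_ttl"] = ttl
    report = {}
    for domain, entry in by_domain.items():
        report[domain] = {
            "min_ttl": entry["min_ttl"],
            "address_count": len(entry["addresses"]),
            "violates": entry["min_ttl"] < min_ttl,
        }
    return report


def flagged_domains(records, min_ttl=MIN_NS_TTL):
    """Return the sorted list of domains whose name-server A records
    fall below the policy floor; these are the ones to review."""
    report = audit_ns_ttls(records, min_ttl)
    return sorted(d for d, r in report.items() if r["violates"])


if __name__ == "__main__":
    for domain, r in sorted(audit_ns_ttls(SAMPLE_NS_A_RECORDS).items()):
        status = "FLAG" if r["violates"] else "ok"
        print(f"{status:4} {domain:22} min_ttl={r['min_ttl']:6} "
              f"addresses={r['address_count']}")
```

The address count is reported alongside the TTL because a short TTL combined with many rotating addresses behind one name-server name is the pattern the policy is meant to deny.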

More fact, less FUD. Too many anti-virus products are marketed as providing effective relief from viruses and malware. The sharp folks at CERT Brasil have some sobering statistics on the performance of these products in the field. During a November 2007 APWG Summit, Cristine Hoepers of CERT BR presented a summary of antivirus detection rates for trojans, keyloggers and downloaders affecting the Brazilian financial system: only 5 vendors had detection rates above 70% while ~70% of vendors had detection rates of less than 40%. Assuming that endpoints in the Brazilian financial system are better managed than your average broadband user, how much worse can detection rates get? We need to invest in more and broader-based statistical analyses like this, obtain a clearer picture of client endpoints, and if the statistics prove what I suspect, focus research on complementary and alternative solutions to signature-based malware detection.

Take steps to reduce IP spoofing. I've written about this many times. So have SSAC, the IAB (BCP38), and other respected security authorities. Lots of folks in a position to reduce IP spoofing claim this is hard to do and there's no obvious and justifiable return on the investment in time, talent and technology. If you're waiting for an easy way to solve IP spoofing that will cost nothing and improve your revenue, don't hold your breath. If reducing the percentage of malicious traffic on the 'net, making DDoS attacks a tad harder to execute, and making it easier for white hats to identify bot-infected hosts aren't enough of a justification, then maybe your organization is just too content to remain part of the problem. Step up or step aside.

Police port 80 or shut it down. That's right... or shut it down. Port 80 (HTTP) is overloaded to the point where we either need a standard discriminator for each of the random acts of application convenience that pass through 80, or a Draconian policy enforcement that dumps everything that's evading firewall egress policy (Skype, et al.) or really merits its own port and policy.

There are many more. I'll happily publish anyone's (serious) suggestion to complement my list.

Archived at http://www.securityskeptic.com/arc20071201.htm#BlogID663 by Dave Piscitello  


Thu, 29 Nov 2007 00:00:00 00, 662
The Sad and Deplorable State of Cell Phone Use

Dan Briody wrote an article in InfoWorld in May 2000 called The Ten Commandments of cell phone etiquette. It's an interesting list to re-visit for several reasons.

Etiquette hasn't improved. Dan's first commandment is "Thou shalt not subject defenseless others to cell phone conversations". This one's a lost cause, Dan. It's nearly impossible to *not* overhear cell phone conversations if you are within earshot of another individual. Corollaries to this commandment from Dan included "Thou shalt turn thy cell phone off during public performances" and "Thou shalt not speak louder on thy cell phone than thou would on any other phone". Both are lost causes as well. There is, however, a silver lining for Americans regarding "loud". For ages, Americans have been easily distinguished from other tourists by their propensity to yell English at a non-English speaking individual, as if volume would improve comprehension. Not any more, laddie. The Ugly American is dead, long live (unfortunately) the Ugly Cell Phoner. Lastly in this category, Dan offers, "Thou shalt not attempt to impress with thy cell phone." One word, Dan: iPhone.

Safety is marginally improved. Commandment 5 was "Thou shalt not dial while driving." Despite laws in various jurisdictions and technology assists from speed-dial, hands-free, and voice-dialing features on nearly any phone, including most "free when you sign up" models, it's again nearly impossible to drive without observing fools aplenty swerving as they dial. Automobile manufacturers are saying "Bluetooth is the answer". The Bluetooth chip manufacturers are saying, "Hallelujah, brother, Bluetooth is finally the answer to a question!" Whatever gains we make in driver attentiveness will be overtaken by GPS gawking and idiots who will arrange mirrors in vehicles so they can watch the rear-seat DVD while they drive.

Technology has rendered some commandments obsolete or irrelevant. "Thou shalt not grow too attached to thy cell phone"? Nearly impossible these days. Carriers use different bands and protocols, phones are locked, and phone technology evolves at a fraction of Moore's law. Commandment 4, "Thou shalt not wear more than two wireless devices on thy belt", is mostly obsolete. I can't remember the last time I saw someone with a pager or PDA *and* a cell phone. I do see folks with two cell phones, but such folks are power users as yet unaware of dual SIM card adapters.

I'd like to replace at least one of Dan's commandments with "Thou shalt not use thy cell phone in a public restroom". Seriously, what do you have to say on a phone that can't wait until you've finished your business and washed your hands?

Maybe I'll start a new list: 10 reasons to *not* borrow someone else's cell phone.

Archived at http://www.securityskeptic.com/arc20071101.htm#BlogID662 by Dave Piscitello  


Mon, 15 Oct 2007 00:00:00 00, 654
Live Chat: The new "can you hold?"

Live Chat is all the rage. "Speak" with a customer care representative directly from your PC via a Web application. How cool is that?

Those who know me know I am an infrequent and mostly reluctant phone user, so the notion that I can instant message rather than speak with call center personnel is enormously appealing. Unfortunately, I'm encountering more and more situations where Live Chat is really "live hold". The chat threads proceed as follows:

Hello this is Dorkas. I'm your customer care representative, how can I help you today?

I'd like to add a service to my cellular telephone, please.

...

??????????

...

Are you still there?

(At this point I check to see if I still have network connectivity, if I am still connected to the web site, and if my Java console is complaining... )

H E L L O ?

...

TYVMFWMT

(Thank you very much for wasting my time)

I take comfort that I get to choose the "on hold" music from iTunes. After 20 minutes, I close the popup window and call customer care.

sigh...

Archived at http://www.securityskeptic.com/arc20071001.htm#BlogID654 by Dave Piscitello  


Thu, 20 Sep 2007 00:00:00 00, 649
When SMBs meet AUPs

An editor of an online publication contacted me by email today, asking if I would talk about network usage policies. The editor asked, "How can companies handle employees' usage of IM, email, social networking sites, YouTube, etc.? Should the company block access to certain sites? How does the company deal with network overload? Should the company prohibit personal email and IM use? How should these rules be enforced?" My response, amplified a bit, follows...

You are covering a huge swath of territory. You include applications like email, which is 20 years mature; IM, which is less mature than email but becoming essential in mobile technology; and social networking and entertainment sites, which have unclear, even questionable business value and may add risk as well as impact productivity.

The hard question for organizations to answer isn't how to control traffic but rather, what applications fall within the realm of appropriate use? What applications enhance productivity? What apps are justified because they are good for morale? What applications expose the organization to unnecessary risk? Should all apps have unlimited bandwidth? Can compromises be made so that critical applications receive preferential and ample bandwidth and less critical applications receive a sufficient "trickle" to accommodate those who benefit from them?

How a company defines an AUP is very dependent on the type of business it operates. A company with hourly employees who must meet production benchmarks might require a very restrictive policy whereas an advertising company might want a very liberal policy. All the applications you mention may not be very useful to employees who use networked computers to perform work in a manufacturing company. An ad company may find YouTube invaluable because it wants to keep pace with youthful expression, teen obsessions, etc. OTOH, YouTube could pose a risk to a company that projects a traditional "corporate white collar" image but runs afoul of an employee who records and posts "insider activities" from his office PC that reveal the Emperor's true clothing.

Finally, there's a tendency to view AUPs as monolithic. With today's firewalls, application proxies and UTM appliances, even a small business can create group based AUPs in a company, so that the "creative" people in the company have access to what they need, the "mobile" people are hyper-connected, and the "production" people have a distraction-free computing environment.

Network usage and acceptable use policies are not one size fits all. This is one of many areas of network and security design where each company has to invest time and be thoughtful before it invests in technology.

Archived at http://www.securityskeptic.com/arc20070901.htm#BlogID649 by Dave Piscitello  


Thu, 26 Jul 2007 00:00:00 00, 634
Zero tolerance for 0-day

An InfoWorld security columnist posted the following to the BugTraq list at securityfocus.com:

I'm tired of the 0-day argument. I say forget the confusing acronym and use something else, like: unpatched exploit or previously undisclosed vulnerability or something like that.

It's unusual and somewhat gratifying to find a member of the 4th Estate who takes issue with creating clever labels to distinguish among the indistinguishable, with the net result of adding to the F.U.D.

When 0-day first appeared in print, I struggled to understand exactly how the term helped to characterize the type of attacks so labeled. Specifically, exactly what aspect(s) of an attack did 0-day describe?

Did it take an attacker zero days to write the exploit?
Did the exploit take zero days to propagate?
Did the exploit take zero days to infect, infest, or compromise a target?
Did it take zero days for countermeasures to be identified?
Did it take zero days for the countermeasure to be made available to the community?
Did it take the community zero days to implement the countermeasure and mitigate the exploit?

Depending on the amount of time represented by zero days, I can answer YES or NO to some or all these questions save the last. Why not the last? I doubt very many attacks, 0-day or otherwise labeled, are entirely mitigated in zero years much less days.

The InfoWorld columnist is absolutely right. Terms like 0-day have no place in the vernacular of Internet security. They belong in marketing collateral. Yes, let's exile 0-day to marketing collateral and read it there.

On second thought, let's not read the marketing collateral. It is a silly place.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID634 by Dave Piscitello  


Wed, 06 Jun 2007 00:00:00 00, 622
The office or the man

A woman interviewed following a debate among 2008 Republican Party candidates expressed her unhappiness with the way many of the Presidential hopefuls lashed out at President Bush, saying, "He's the sitting President and as long as he is in office he deserves our respect".

I take exception to this statement in so many ways I couldn't avoid posting a political rant.

  • My high school wrestling coach taught me that no one deserves respect, but everyone must earn it. My son's coach told him the same thing. I'm glad to see this belief has endured and hope it's not only wrestlers who are taught this creed.

  • An individual who occupies an elected seat in a democracy serves the people. The current sitting US President was elected, and it is clear that he earned the respect of a good percentage of the populace on several occasions during the course of his political career.

  • Earning respect is not a "once and done" task. As a wrestler, you had to earn it every time you stepped on a mat. Americans expect no less from their President; in fact, they are more demanding.

  • While he may not have Presidential moments as frequently as many of his predecessors, many Americans believe he acted in a Presidential manner following September 11th. So at one time, the sitting President earned respect.

  • Public approval ratings in May 2007 indicate that fewer than one in three Americans approve of how the Bush administration is governing the country and that number could easily plummet to one in four by July. Whether you believe polls are fact or whimsy, you have to consider the possibility that the sitting US President is not earning respect at home and abroad.

Most Americans and more broadly, citizens in most countries, respect the office of the US President immensely. My experience (and embarrassment) when traveling internationally is that I find citizens of other countries fret more over what the sitting US President does and how he has acted during his term-and-a-half than a good many Americans.

People who have the privilege of living in a democracy should respect the office of the President. We should also be demanding and critical of any President who does not try to exceed our expectations every day, who acts with less than Presidential demeanor even (especially!) when dealing with members of the press who are intent on pushing his buttons; in short, a President who does not earn our respect.

One last point. We continue to call former US Presidents "Mr. President" long after they hold office. This means that US Presidents have a daunting task.

They must continue to earn our respect for as long as they live.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID622 by Dave Piscitello  


Sun, 13 May 2007 00:00:00 00, 615
Fact: 3,414 CEOs use LinkedIn every day

What for, beyond accepting LinkedIn invitations?

Someone please tell me if LinkedIn is anything other than a MySpace for professionals. Or do C*Os get the same adolescent rush that teens do when they have the largest number of friends? Tell me, please!

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID615 by Dave Piscitello  


Fri, 04 May 2007 00:00:00 00, 611
Waning attention spans - Symptom of a larger problem?

Colleague David Strom discusses waning attention spans in his 4 May 2007 Web Informant. In the article, David explains how his attention span is getting shorter and shorter, and how he and other noteworthies, including Rupert Murdoch, rarely finish the long (WSJ) stories, web pages, long emails, and online articles. It's an interesting admission for an author and e-publisher, and you ought to take a look.

The subject of David's column - and in particular how online publications are responding to what they perceive as visitor/subscriber needs - is consistent with what I see and hear from tech media people all the time. Where I was once asked for articles ranging from 1200-1500 words, I'm now asked to keep an article under 800 words: 600 would be better, and 400 is ideal.

This trend is very disturbing. We appear to be devolving into a "just tell me what I need to know RIGHT NOW, how to do this RIGHT NOW, keep it brief I'm too busy to care WHY" society. Fewer and fewer IT professionals are learning architectural and other *big picture* networking and security principles, and rely instead on technology to solve the problem.

This attitude is not isolated to Internet technology; in fact it's a pandemic. Consider your automobile. Fewer of us know the basic principles of the combustion engines, brake and electrical systems in our vehicles. We are increasingly dependent on technology to troubleshoot and to identify the parts list and labor when we need a repair or routine maintenance performed. We don't know more than the basics of driving, and many drivers only learn the absolute basics needed to obtain a license. Think of the number of drivers who can't parallel park, or who don't know the correct way to orient the wheels of a vehicle when parked on a hill. I won't even speculate how many (US) drivers can parallel park on the left-hand (driver's) side of a one-way street. Too few licensed drivers invest time and brain cycles in becoming safer drivers, and it's painfully evident that PC and Internet users invest even less time learning how to be productive and safe while computing and networking.

If we only have the patience and the willingness to deal with a symptomatic problem in the most mechanical, boilerplate and simplest manner, what differentiates us from robots? Asking why and taking the time to study an issue is not only becoming an endangered attitude, but it seems to be falling out of favor as well. When attendees approach me with questions after I've given a seminar, I get the distinct impression that taking the time to understand why X is a best security practice is unimportant - management barely acknowledges the need for the best practice and doesn't appear to encourage education and awareness as business-productive activities.

I'm not entirely sure this is an accurate picture, but it is a really worrisome condition if it is.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID611 by Dave Piscitello  


Tue, 13 Feb 2007 00:00:00 00, 591
Concealed weapons permit? Georgians don't need em!

Georgia Public Broadcasting reports that a bill has been passed by the Georgia House which allows gun owners to keep *loaded guns* anywhere in vehicles without concealed weapons permits; specifically, the bill allows the guns to be kept in plain view and in the glove compartment. One of the State House representatives of a rural county in Georgia claims that this bill "gives back a piece - a small piece - of the Second Amendment that has been deprived of so many law-abiding citizens over the past few years".

Reading further down the day's news, three Dawson County students have been charged with multiple counts of aggravated assault in more than 30 sniper-type shootings that targeted businesses, cars, houses and a school. The students are suspected of using a .22-caliber rifle, firing at targets across 6 counties last month. Call me crazy, but isn't it possible that "in plain view" legislation will encourage more such sprees?

I shouldn't be such a skeptic. If the law passes the Senate, it will undoubtedly stimulate a new "conversion" industry in the Peach State. Instead of simply pimping one's ride, Georgians could legally add a turret mount on their F150s, doolies, and HumVs.

Is it any surprise that Georgia ranked 41st in the Smartest State 2006-2007 poll?

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID591 by Dave Piscitello  


Mon, 08 Jan 2007 00:00:00 00, 581
Fill *their* mailboxes

My wife and I receive on the order of 5-7 offers for credit cards per day. I've been told this is a positive indicator - we pay back what we borrow with interest blah blah blah so everyone wants to be our lender blah blah blah.

I don't feel special. I feel besieged. I have an oversized mailbox that practically explodes when I open it.

My 2007 New Year's resolution is, "Pay back time!" And I'm borrowing a page from Blue Security's antispam campaign to do so.

Today, I took the pre-paid return envelopes from seven credit card offers, filled them with shredded offer letters and applications, and returned them from whence they came. Yes, mine is a small gesture, but if you all join me, we can test the Blue Security model in the real rather than virtual world.

I'd love to have life imitate art here. There's a scene in the 1947 movie classic Miracle on 34th Street where New York City postal workers fill a court room with letters addressed to Santa Claus. I'd be delighted to see the same scene repeated in mail rooms at "New Cardmember Services" processing centers.

[Image: Miracle on 34th Street]

Perhaps a small effort on all our parts can make a difference. If not, at least you've tried.

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID581 by Dave Piscitello  


Thu, 16 Nov 2006 00:00:00 00, 569
What Will Future Anthropologists Deduce from Firewall Logs?

Imagine that several centuries hence, anthropologists uncover a hoard of archived tapes containing terabytes of firewall log files recording events from the last decade of the 20th century and into our present day (2006). Now imagine that they discover how to read the media and open the log files.

Initially, excited anthropologists might rush to conclude that "gee, these early Internet folks were really committed to understanding how the primitive networks they used worked. Look at all the copiously maintained information!"

Much later, after considerable analysis and perhaps after correlating logged events with unearthed copies of newspapers containing articles about DoS attacks, Internet worms, spam and more, a young turk of an anthropologist will refute earlier conclusions in his Master's thesis by suggesting an alternate theory.

"It really doesn't appear that early Internet people were able to derive much of value from all this 'log' information. At the very least, if they derived anything, they did not appear to apply it."

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID569 by Dave Piscitello  


Fri, 10 Nov 2006 00:00:00 00, 567
Taking "Explosives in sneakers" to the extreme

Anyone who's gone through TSA security at an airport recently knows that you are required to remove your footwear for X-Ray screening. We owe this inconvenience to a man who attempted to conceal two functional improvised explosive devices in his sneakers (why can't these folks just say "bomb"?).

While waiting on line to pass through security at San Diego airport, I began wondering, "At what point does searching for IEDs cross the lines of reason and propriety?" So I began considering what other apparel might be used to conceal IEDs of approximately the size one could conceal in the heel of a sneaker.

A padded bra! Apparently, certain bra manufacturers conveniently provide pockets so that women can add padding according to need. I'm not an IED expert, but it seems that it would be far simpler to pad a bra with explosives than a sneaker heel.

So the question that begs an answer is, "If Richard C. Reid had been Roberta C. Reid, and Roberta had concealed an IED in her bra, would TSA insist that all bras pass through X-Ray?" [For the record: I would not be comforted by a response claiming that the X-Ray machine I walk through is sensitive enough to detect an IED in a bra but not in a sneaker heel.]

Thanks to spam, I am now painfully aware that certain undergarments accommodate tush pads as well. Um... let's not go there.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID567 by Dave Piscitello  


Fri, 29 Sep 2006 00:00:00 00, 557
You may have 4th amendment rights but your laptop doesn't...

A colleague forwarded me an article entitled Laptops Content may be Subject to Inspection upon Entering the United States today. The 9th Circuit Court of Appeals in California thinks it's OK for Customs Officials to seize and search travelers' laptops upon entering the U.S. without a search warrant or probable cause. The case on which the court based this decision - one involving the seizure of a laptop containing child pornography - could not have been more convenient. The defendant is engaged in activities the public considers repugnant. The recovery of the images reads like the script of the hugely popular TV series, CSI. Customs agents and the TSA already examine laptops as one of many homeland security measures.

So, really, how much of a stretch is it to allow agents to boot and surf your laptop?

IMO, a huge one. There is little difference between the information you store on your laptop hard drive and that ugly metal file cabinet that occupies the corner of your home office. Our courts have a responsibility to understand rather than fear technology. Before a court concedes what has been recognized and defended as an inalienable right since the 18th century, it ought to consider how decisions it applies to the virtual world will affect the physical world.

This and related articles (e.g., Border Insecurity) discuss the impact on corporate privacy, i.e., examination of sensitive documents and the forced disclosure of passwords. The impact is far more fundamental. Why are courts and the federal government so eager to abandon warrants and due process? Is a world free of terrorism better than a world where you and your property can be seized and searched without probable cause?

I'm skeptical we can ever achieve the former, and I'm very reluctant to concede the latter.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID557 by Dave Piscitello  


Tue, 26 Sep 2006 00:00:00 00, 556
Grumpy thought for the day

During an email exchange, a colleague reminded me that "anything can be done in software".

Since the topic we were discussing involved abuse and possible misuse of protocol responses, and since I am tired to tears of this nonsense, I grumpily replied, "If we could just fix that *anything can be done in software* issue all our problems would be solved."

The good news is that education is deteriorating globally and soon only a handful of people will be creative enough to write anything novel. :-O

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID556 by Dave Piscitello  


Mon, 07 Aug 2006 00:00:00 00, 543
Security Expert, Professional, or Practitioner?

My wife is a licensed nurse practitioner. She has an RN, a master's degree from the University of Pennsylvania, and extensive experience in critical care and private practice. Despite her accomplishments, degrees, and multiple certifications, many patients are confused when she is introduced. As an APRN (Advanced Practice Registered Nurse) in South Carolina and previously a CRNP (Certified Registered Nurse Practitioner) in Pennsylvania, she is routinely asked, "Are you a physician's assistant?", "Are you practicing for your nursing degree?", and "I just saw the nurse, I want to see the doctor!"

I began thinking about my wife's experience with degrees and appellations in the context of my own career. There's no concrete taxonomy for labeling and distinguishing security folks; in fact, degrees, certifications and titles are far more ambiguous in Internet Security than medicine. Satisfy the sometimes questionable criteria, and you can be a certified security professional or practitioner. Learn Linux, download bootable security images, and claim you're a security consultant. Here are my recent musings and ramblings on the topic.

Only a handful of people in the world are qualified and have accomplished enough in the short span where Internet Security has proved meaningful to be labeled experts. Dan Brown mentions Phil Zimmermann and Bruce Schneier in the Da Vinci Code. Give Dan credit for choosing two of an elite group of folks I consider experts (Bellovin, Cheswick, Diffie, Ranum, et al.). The community at large diminishes "expert" status when it dilutes the talent pool by including anyone who can blurt out a credible quote for a reporter. Please be more disciplined...

I'm uncomfortable when people call me a security expert. I prefer to have folks describe me as a security practitioner. I study Internet Security and try to practice at it daily to increase my experience and expertise. Many of my colleagues do the same. Many are more expert than I in many areas. Some practice in research areas, others in deployment and operations. Over time, the best earn a positive reputation among the security community. These are the folks you want to meet. You look forward to reading and presenting their works.

Some of my colleagues have worked hard to earn certifications. IMO, certifications should reflect understanding of theory and accomplishments in practice. I believe that any certification that doesn't set minimum requirements for "time in the field" and only requires that you pass a test is suspect. I don't hold any certifications. I haven't identified one that would put me in a select group that would justify me exerting the effort to pursue at this point in my career. Even if I identified a certification I'd invest time to earn, I still believe that certifications cannot ever substitute for reputation.

I struggle with the label "security professional". The word "professional" is popularly associated with competition. Security practitioners aren't marksmen, bowlers, golfers, or race car drivers. We may compete for income, but hopefully not for a ranking. IMO, the term "professional" should be reserved to reflect the behavior and integrity of a security expert or practitioner.

I've mused and rambled long enough on this topic. Comments welcomed!

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID543 by Dave Piscitello  


Wed, 14 Jun 2006 00:00:00 00, 535
Worth adding to your list of security axioms

In a thread discussing Integrated IDS/IPS/Firewalls, Chris Blask made the following claim that I can't help but believe is more accurate than any made by security vendors today:

"Good firewalls managed badly suck, "weak" firewalls managed diligently and used with the right collateral don't."

What more can one say about the impact "clue" has on implementing effective security?

For similar insights, visit Blask Works.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID535 by Dave Piscitello  


Thu, 08 Jun 2006 00:00:00 00, 531
Optimistic about Adobe Acrobat 7.0

In previous blogs, I've described numerous painful experiences with versions 4 through 6 of Acrobat. I've been using Acrobat 7.0 for only a short while, but so far, the application and browser plug-ins load faster and most importantly, I haven't had a frozen browser or hung machine incident. Your mileage may vary, but Acrobat 7.0 seems to be a worthwhile upgrade. For the record, my upgrade process for Adobe products involves completely uninstalling the currently installed version, rebooting my machine, installing the new version, and rebooting again.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID531 by Dave Piscitello  


Tue, 14 Feb 2006 00:00:00 00, 506
Credibility Of Analysts

If you've ever wondered how independent top tech research firms are in their analysis of technology and trends, you'll find a February 6th article by Information Week's Larry Greenemeier and Paul McDougall interesting and troubling. Larry and Paul get right to the heart of the issue and begin with this challenge:

"Forrester, Gartner, IDC, and others insist their output is squeaky clean, yet they also rake in millions providing services to the very same companies they monitor, heavyweights like Cisco, IBM, Microsoft, and Oracle. Which leads to a question that continues to dog the research firms: How much influence do technology vendors have over their work?"

Larry and Paul ask the major players tough questions including, "Are analyst reports expert advice based on scientific, independent research, or does money talk?" (One question I've secretly wanted to ask for years is, "If you really believe you can accurately predict markets, why are you unwilling to disclose your predictions five years later and let the industry judge your track record?")

Larry and Paul also investigated funding and ownership of the top firms and claim some top analyst firms are partly owned by investors that hold "significant stakes" in the companies they cover. As an example, they describe Gartner's relationship with SI Ventures. Gartner invests in hedge funds, including SI Venture Fund II. SI funded Authentor Systems. Gartner analysts provided supportive quotes on Authentor Systems in the company's press releases. "I buy your fund. You invest in a company. I say nice things about the companies you invest in." Did I get that right?

I've always found it disturbing that companies with products in hot sectors say they have no choice but to pay to be placed into mystical quadrilaterals. When I've asked why, they respond as ProofPoint's Sandra Vaughan did in the IW article: "This [magic quadrant] matters more than you want it to matter..." Is Sandra saying "To do otherwise is economic suicide"?

I always thought the whole practice sounded vaguely similar to the insurance street gangs offer corner grocery store owners in NYC and LA. Larry and Paul lead me to conclude it's much more ORGANIZED than this.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID506 by Dave Piscitello  


Tue, 10 Jan 2006 00:00:00 00, 491
Mandatory sunglass law?

My daughter attends a private school about 18 miles "off island" in the neighboring town of Bluffton. Traffic returning to Hilton Head Island all funnels onto a single multi-lane highway which is riddled with intersections and traffic lights and constantly congested. Volume alone is only one of the factors causing this congestion.

Driving or idling in traffic can be frustrating. The drivers of cars adjacent to mine look catatonic, panicked, or ready to shoot someone (given the ratio of gun racks to vehicles here, this is seriously disconcerting). I deal with the frustration and boredom by petting my dog, who accompanies me on my round trip, by observing people, and by thinking about writing topics for my blog.

I spent many years involved in the development of routing protocols. Routing and traffic management are close relatives, so trying to isolate the causes of congestion when I'm stuck in traffic is almost second nature. Each morning, I watch the random acts of braking, note the weather, and observe merging from intersections which are often manually controlled from Beaufort County Sheriff Department cruisers (with little observable improvement). Observing the braking patterns this morning, I confirmed a growing suspicion that they were not random but fairly predictable. I'll give you some hints.

  • It's a bright sunny morning.

  • Eastbound traffic on the highway runs predominantly East.

  • It's winter, and the sun is low on the horizon in the morning.

  • The giveaway: when traffic turns directly into the sun, the majority of drivers touch their brakes. The back pressure effect persists for more than a mile.

Yes, the majority of braking occurs when drivers are temporarily blinded when they face the sun. A casual sampling of the drivers I pass reveals that only one in four are wearing protective sun glasses. I'm wearing sun glasses. I'm not tapping brakes when I turn into the sun, and neither are the handful of drivers I spotted wearing sun glasses. Could we actually abate congestion on Highway 278 through Bluffton by requiring drivers to wear sun glasses? Perhaps an experiment is in order. Law enforcement agents could buy several gross of sun glasses and hand them out to drivers.

There's a hidden PR benefit for the local law enforcement as well: deputies handing something other than traffic violations to drivers on Highway 278 unquestionably breaks the stereotype :-)

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID491 by Dave Piscitello  


Wed, 04 Jan 2006 00:00:00 00, 487
Blocking DoubleClick

Evidence that targeted advertisers like DoubleClick are frustrated by my content filtering efforts is always heartwarming. This image from a Network World web page I recently visited made me smile:


The site *isn't* temporarily unavailable, dudes, it's permanently blocked, as in "you will never EVER connect to it from any host behind my firewall while I remain mentally able to configure an egress filtering policy".

Too busy? An interesting interpretation, and an equally telling measure of the conceit of Internet marketeers. Try again in a few moments? Can they seriously imagine that someone will actually refresh a web page for an advertisement?

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID487 by Dave Piscitello  


Tue, 04 Oct 2005 00:00:00 00, 462
Adobe is not my favorite publisher, either!

I ranted about my issues with Adobe Acrobat Standard in blog #453. Creating PDFs isn't very satisfying, either. I'm coerced into creating PDF files by my Office-hating colleagues, many of whom are entirely naive to the poor social skills Acrobat Standard and Windows XP exhibit when they occupy the same sandbox I call my PC.

Today's chronology of events is typical of most of my Adobe punishment, I mean, publishing experience. I launch Acrobat Standard, select "Create PDF" and open a PowerPoint file. I'm immediately greeted with

Unable to find Adobe PDF resource files. Do you want to run the installer in repair mode?

I'm not really interested in this, but do I have a choice? The Adobe Acrobat 6.0 installer begins, and of course, stops because (you bet),

Adobe Acrobat 6.0 must be closed before continuing the installation.

I close the application. The installer begins, but I am immediately confronted with a dialog box explaining that

The feature you are trying to use is on a CD-ROM or other removable disk that is not available.

This is undoubtedly true, since I've *downloaded* this software. Clinging onto a faint glimmer of hope offered from the dialog box, I browse and search for ACROSTAN.MSI. Sorry, XP informs me,

Search is complete. There are no results to display.

I cancel the operation. Not content to set me free, Acrobat 6.0 tosses one last grenade into my lap, the nefarious

Error 1706. No valid source could be found for product Adobe Acrobat 6.0 Standard.

I study this sentence for a while. I can't argue the logic. There certainly seems to be no valid source for Adobe Acrobat 6.0 Standard that consistently works on *my* Windows PCs.

I'll convert the presentation into html. Let them eat gifs.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID462 by Dave Piscitello  


Tue, 20 Sep 2005 00:00:00 00, 457
Confusing "Harvard-educated" with "being informed"

In a recent Seattle Times editorial, Sex, the Internet and the future, *Harvard-educated* Shaunti Feldhahn strongly decries the creation of the XXX top level domain (TLD), claiming that approval will "negatively affect untold millions of households worldwide".

Frankly, I was entirely ambivalent about this editorial and remain undecided about the creation of XXX, but the fact that Ms. Feldhahn threw her Harvard education in play as an implicit declaration of her intellectual superiority ticked me off.

I find (at least) three statements in Ms. Feldhahn's editorial lack accuracy and credibility.

The .XXX proposal claims that it will "move all pornography to one type of domain", but "Pornographers could keep all current domains, and merely add .xxx ones — they anticipate more than 100,000 new sites in the first year."

The New sTLD RFP Application for .XXX makes no claim that all pornography will move to one sTLD. It is extremely unlikely that 100,000 new web *sites* would be created. The .XXX Application estimates the size of the adult entertainment community at about 100,000 individuals. On average, these individuals have registered 10-20 domain names. This name-to-registrant ratio helps me make an important point. The same porn sites will simply have even more aliases than they have today! The pornography industry has proven itself remarkably adept at re-purposing and cross-linking its content. There are certainly millions of content "objects" of adult nature, but concluding that 100,000 new names equates to 100,000 new web sites suggests poorer reasoning skills than I expect from a Harvard grad.

If the fact that it's not more porn, but (mostly) the same porn reachable using different names is hard to grasp, think of a .BIBLE sTLD. Chances are that many of the web sites that already have names in one of the gTLDs wouldn't abandon their existing names, but might *also* register in .BIBLE because the context is valuable.

"Blocking porn sites would become harder, not easier."

Nearly all the content blocking technology I've used and reviewed - and I'll openly admit I haven't used every product, but I venture that I've used more than Ms. Feldhahn - has the ability to use a "wildcard" mechanism. Simply put, if you block the .XXX TLD (e.g., DENY *.XXX), then you block access to every name and hence site within the TLD, end of story. Blocking .XXX of course doesn't mitigate the already-complex process of identifying pornography hosted at sites with gTLD and ccTLD domain names, but the introduction of .XXX doesn't worsen this problem. It's important to note that if there were some mechanism to *force* adult entertainment to only use names from .XXX, the content blocking at the TLD level would probably satisfy the majority of households if not Ms. Feldhahn's.
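To make the wildcard mechanism concrete (and the egress filtering policy from the DoubleClick post above), here is an added example, not from the original posts, of a label-aware hostname matcher for rules written in the post's "DENY *.XXX" notation. The rule list and hostnames are constructed; note that the TLD rule blocks every name under .XXX but, as the post says, does nothing for the same content hosted under a .com name.

```python
"""Label-aware hostname blocklist matcher for an egress filtering policy.

Added example, not from the original posts.  The rule syntax ("DENY *.xxx")
mirrors the post's notation; the rule list and hostnames are constructed.
"""
from __future__ import annotations

# Constructed policy: one TLD-wide wildcard plus an ad network and its subdomains.
POLICY_RULES = [
    "DENY *.xxx",              # every name under the .XXX TLD
    "DENY doubleclick.net",    # the ad network's apex name
    "DENY *.doubleclick.net",  # ...and all of its subdomains
]


def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, and split into DNS labels."""
    name = name.strip().lower().rstrip(".")
    return [label for label in name.split(".") if label]


def parse_rules(rules: list[str]) -> list[tuple[str, bool, list[str]]]:
    """Turn 'ACTION pattern' lines into (action, is_wildcard, labels) triples."""
    parsed = []
    for rule in rules:
        action, pattern = rule.split(None, 1)
        wildcard = pattern.startswith("*.")
        labels = _labels(pattern[2:] if wildcard else pattern)
        parsed.append((action.upper(), wildcard, labels))
    return parsed


def rule_matches(wildcard: bool, rule_labels: list[str], host_labels: list[str]) -> bool:
    """A wildcard rule matches when its labels are a proper label-suffix of the host;
    an exact rule matches only the identical name.  Comparing whole labels rather
    than substrings is what keeps 'notxxx.com' from matching '*.xxx'."""
    if wildcard:
        return (len(host_labels) > len(rule_labels)
                and host_labels[-len(rule_labels):] == rule_labels)
    return host_labels == rule_labels


def decide(hostname: str, rules: list[str] = POLICY_RULES) -> str:
    """Return the first matching rule's action, or 'ALLOW' if no rule matches."""
    host_labels = _labels(hostname)
    for action, wildcard, labels in parse_rules(rules):
        if rule_matches(wildcard, labels, host_labels):
            return action
    return "ALLOW"


if __name__ == "__main__":
    for host in ("example.xxx", "video.Example.XXX.", "xxx.example.com",
                 "notxxx.com", "ad.doubleclick.net", "example.com"):
        print(f"{host:24} -> {decide(host)}")
```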

"Consumer protections would be voluntary and self-enforced"

What the application does claim is that a carefully operated sTLD for adult entertainment may provide a means whereby consumer protections can be implemented. The .XXX applicants (ICM and IFFOR) will "incorporate a best business practices provision into the registrant’s domain name registration agreement and will develop compliance mechanisms to address non-adherence." The objective is to stem illegal and/or questionable business practices, e.g., the use of spyware, and reduce incidents of credit-card fraud, etc. Obviously, we don't know exactly how this will work from the application, but concluding that the protections would be voluntary and self-enforced is a rather *liberal* interpretation. Admittedly, any penalty that an sTLD might enforce, such as the loss of a domain name, would not be as severe as a public caning, but you can't always get what you want.

I also believe that credit card companies will work with the .XXX registry and registrars to provide registrants with financial incentives to behave. And while adult entertainment businesses may not care a whit about the negative impact of their product on untold millions of households worldwide, they absolutely care about money.

I remain undecided about .XXX, Ms. Feldhahn. I don't think it poses a clearer and more imminent danger than the one with which we must already contend, but I'm not convinced it will have any material impact on how we deal with porn on the 'net. But you don't help your cause if you choose to editorialize, evangelize, or campaign against .XXX, and fail to do your homework.

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID457 by Dave Piscitello  


Sat, 10 Sep 2005 00:00:00 00, 453
Acrobat is not my favorite reader

"Coping with Adobe Acrobat Plug-in" was one of the reasons I switched from Microsoft Internet Explorer to Firefox. My experiences with Acrobat and IE - over several years, on dozens of PCs of varying manufacture, using XP and Windows 2000 - lead me to conclude that these children really don't play well together and perhaps never will. I won't lay the blame entirely on Acrobat or Microsoft for the too frequent corrupted registries, failed installations and upgrades, and wretchedly incomplete "uninstall" incidents, but I did reach the point where I decided that opening a PDF in IE was A Bad Idea.

I had hoped that Acrobat and the new kid on the block would get along. And to date, they do. Mostly. One remaining gripe I have is that, irrespective of whether IE or Firefox is the browser, using Acrobat impairs my "broadband experience". The delay I inflict when opening a PDF file in a browser window is comparable to a timeout on resolving a domain name, which I coarsely define as "seconds past my patience threshold". In fact, I am often on the verge of concluding the page is not reachable when the PDF file finally appears.

Worse still is the delay when I try to visit a new URL in the same (tabbed) or new window. Maybe it's not worse, just "the same". I'm not a software engineer and admit without reservation that I don't fully appreciate the interaction of browser and plug-in software. Perhaps "release the PDF file from memory and visit this 3K page of HTML" requires some amazingly complex processing sequence. Frankly, I'm really not interested enough in this behavior to investigate at the process and traffic analysis levels. I only know that I dread dealing with PDF in a browser window and have modified my behavior to accommodate software shortcomings. This is a virtual world corollary to crossing the street to avoid the bullies who steal your lunch money.

If I'm really in a hurry and I've located the file using a Google search, I'll view the HTML. While the rendering is generally imperfect, I avoid the "launch delay". Is this a big deal? Honestly, if the PDF is a 2 page brochure, I can sometimes glean what I want from the page in the time that the Acrobat reader plug-in loads. If I'm in no hurry, or I see that the PDF is more than a megabyte (the "warning Will Robinson" threshold), I save the PDF and launch Acrobat Reader directly. Maybe this just seems faster, but while Reader is launching, I can use my browser. Remember that "release the PDF file from memory..." comment I made earlier? Try this sequence for a taste of frustration. Open a PDF file in a tabbed window in Firefox. Now open a second tabbed window. Return to the window with the PDF file and try to visit a different page. Try to switch to the second tabbed window you opened.

N o t h i n g   i s   h a p p e n i n g . . . (1 2 3 4 5 ...) ...

Before you ask, the same phenomenon occurs if you try to switch between "un-tabbed" windows (in IE as well).

Why am I griping about this? I'm hoping that someone of you knows some obscure Windows Registry setting or optimization, i.e.,

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Aggravating_Reader_PlugIn_delay

No? Go figure...

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID453 by Dave Piscitello  


Tue, 06 Sep 2005 00:00:00 00, 450
Finger pointing

I had the good fortune to work alongside Dr. David Clark (MIT), on a number of projects during the early days of MCInet. During that time, David always emphasized "scalability and security" as important metrics of good architecture and design. Since then, when studying a problem, I typically ask (myself), "can you deploy this solution across a large and geographically dispersed population, securely?"

Events like Hurricane Katrina illustrate that a legitimate answer to such a question is "no". Unfortunately, people and particularly the popular press don't acknowledge that "no" is an appropriate answer to problems that are not easily solved when large populations are involved, especially when the large numbers exceed practical and even imaginable limits.

Fear, frustration, and anger cloud and color our thinking where human suffering is involved. What begins as "Someone should be able to make this situation better" devolves into, "Someone didn't do his or her job, people are suffering as a consequence, and someone must be held accountable."

In most situations, I believe strongly in accountability. However, I also believe metrics play an important role in accountability. In the case of Hurricane Katrina, all foreseeable and imaginable upper bounds to the scale and extent of a natural disaster were exceeded. Holding anyone's feet to the coals following a disaster of this magnitude, especially while the crisis persists, is pointless.

If we set our emotions aside a moment, we generally acknowledge that problems are rarely solvable when there are no limits (upper bounds). We can anticipate and propose solutions to problems like "feed a dozen family members in your home on Thanksgiving Day", "feed a thousand people at a charity event in a hotel", and even "feed 10,000 people in a dozen hurricane shelters" because the problems are bounded. If only 10,000 people were affected by only the hurricane, FEMA would very likely have met the challenge.

Try designing a solution to, "feed and relocate the combined populations of possibly every Gulf Coast community between Texas and the Florida panhandle, including the largest city in Louisiana, with little or no highway or navigable water access, no injuries or loss of life, for an indeterminate time frame".

The problem is Biblical in proportion. No one at FEMA put, "able to feed thousands from a single basket of fishes and bread" on his or her resume. Let's acknowledge human limitations in our haste to ease human suffering and put ourselves in the shoes of those asked to do the impossible.

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID450 by Dave Piscitello  


Thu, 04 Aug 2005 00:00:00 00, 438
Is the threat of Internet fraud overhyped?

Finance Tech offers an interesting article that suggests that the concern and worry over Internet fraud is (can you imagine) overblown. In The Internet Is the Safest Channel, Ivan Schneider quotes Richard Parry, a Senior Vice President of Consumer Risk Management at JP Morgan as saying that fraud is more commonly perpetrated over the phone and even face-to-face than through Internet-based services. Parry also claims the financial impact from Internet fraud is "limited".

So why is all the negative press aimed at the Internet?

This is one more example of the roller-coaster relationships the tech and popular press have with *any* technology. Over the years, I've observed that pop press reporters fall in love with and "marry" new technologies at rates that eclipse (ahem) chapel weddings in Las Vegas. A honeymoon period follows, during which reporters lavish their spouses with compliments - "innovative", "disruptive", "lifestyle-altering". When reporters run out of compliments, they become disenchanted and fickle. Most such marriages end in divorce, preceded by lengthy proceedings so reporters can milk negative copy from the relationship. Some reporters stay unhappily married simply because there's endless copy in beating down a technology or company (think "Microsoft").

It's simply the Internet's turn to take the abuse. But expect the Internet to remain a target for a while; like Microsoft, it's a big target.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID438 by Dave Piscitello  


Mon, 04 Jul 2005 00:00:00 00, 426
My Official Fourth of July security rant...

In a WatchGuard Wire post, Scott Pinzon labels my colleague and friend Marcus Ranum "a devoted disciple of incorruptible practicality" - damn! I wish I could have come up with as Jeffersonian a phrase as that one to describe MJR.

The label is spot on. Marcus views security issues through black-and-white lenses: you do what you know is the right thing to do, or you are wasting everyone's time and money, and putting your organization at risk. What distinguishes Marcus from so many other preachers is that his advice and insights are correct way more often than not.

Why? Well, he's pretty damned smart. But lots of folks involved directly or tangentially in security are smart. He's also intensely skeptical. Again, lots of other folks are intensely skeptical. He's principled. Lots of folks are principled - until someone higher in the organization points at the door and says, "my way or the highway..."

Marcus chooses the highway, or high way, if you prefer.

Too many practitioners in the security field concede to administrative bullyism. (This is less an indictment of security practitioners than it is of society at large.) The reason many of us admire Marcus is exactly because he chooses the lesser road traveled when issued an ultimatum. Most others will acquiesce and whine later on mailing lists or among colleagues over a beer. I've taken both paths in my career, and regret that I didn't always choose wisely.

I'm not advocating blind disciplism. The world according to Marcus is quite possibly too constricting. I'm suggesting that security would improve measurably if all who practiced it were more curmudgeonly. It's quite possible that we have a critical mass of security practitioners to say "ENOUGH" and pull us out of the security tailspin. The trick is getting those who form the critical mass to say it with Jeffersonian conviction and style.

"When in the Course of human events it becomes necessary for one people to dissolve the political band...more"

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID426 by Dave Piscitello  


Tue, 07 Jun 2005 00:00:00 00, 414
Bye Trillian, hello GAIM

The IM world learned *nothing* from the multi-protocol networking wars of the 1980s. Every provider has to run its own messaging protocol. Everyone provides a distinctly clever client. Everyone is protectionist enough to keep multi-lingual IMs in a constant state of flux.

I was perfectly happy with Trillian. It satisfied my very modest IM needs. One client for MSN, Yahoo! and AIM.

Jabber is very popular among the folks I collaborate with when I am doing ICANN-related work. Unfortunately, the Jabber plug-in for Trillian was less than cooperative. But one positive aspect about freeware is that you don't have to feel bad if you choose to discard it in favor of something else.

On a colleague's recommendation, I installed GAIM. I like it. Very uncomplicated configuration, clean look and feel (yes, I chose the "no skins" look), and I had my IMs reconfigured in less than a minute.

Of course, the day I choose to create a Jabber account, wouldn't you know that Jabber.org's server decided to act out? From the Jabber.org web page...

2005-03-04: Attempts to register new jabber.org accounts using recent versions of Gaim are failing because of a protocol misunderstanding between Gaim and the jabber.org server...

Did I mention that the IM world learned nothing from the multi-protocol networking wars of the 1980s?

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID414 by Dave Piscitello  


Mon, 09 May 2005 00:00:00 00, 399
Authentication without OAR

Two recent surveys - you might even call them social engineering studies - reveal that office workers have no difficulty disclosing their passwords for a bribe. Infosecurity Europe 2004's organizers were able to obtain passwords from 71% of workers surveyed by offering them chocolate, and TechWeb reports a similar finding (67%) from workers offered a three-dollar Starbucks coupon.

Token and certificate-based authentication can't solve this problem (both employ PINs or passwords). Biometrics might raise the stakes: a pound of Teuscher Champagne Truffles is pretty tempting. But the root cause - behavior - must be changed.

What we have here is a rowboat pressing upstream without an OAR: ownership, accountability, and responsibility. Workers who will concede authenticated access to their organization's information network and assets aren't engaged in the security process. These folks don't know, don't care, or trivialize the problems associated with granting access to unauthorized parties. It's not their data, not their network, and claims that the company could suffer serious financial harm are overblown. It's someone else's problem (no ownership).

Perhaps password protection is a reflection of a broader social condition. How often do we claim we are not responsible for a circumstance or problem? And even when proven we are, how often are we held accountable in some punitive way? How often are we contrite enough to change behavior?

Workers need to care about information security before we can consider any authentication *stronger*. Before you invest in technology, see if your workforce is willing to invest in your organization.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID399 by Dave Piscitello  


Thu, 03 Mar 2005 00:00:00 00, 374
It's for the Patriot Act...

In the 1990s, everyone apologized for delays and inconveniences by saying, "sorry, the network's slow". Post 9/11, apologists blame delays and inconveniences on The Patriot Act.

Airlines, hotels, and other travel industries generally understand the concept of proof of identity.

"Checking in? Can I see your driver's license or passport, please? It's for The Patriot Act."

Certain banks, unfortunately, haven't quite explained the nuances that distinguish transaction processing from identity verification to all their employees. I visited a bank to get a Debit/ATM card for my son, who never carries cash and is always running out of gas. Before the service assistant could begin processing my request, she asked me, "Can I see your social (security card)? It's for The Patriot Act." I use this number so infrequently, and was so astonished that this information was to serve as credentials to verify my identity, that I suffered a momentary brain freeze and transposed some of the numbers.

"Hmmm... that's not the right 'social'. Can I see your ATM or Check Card? Great, thanks. I can look up your account directly. Do you live at 3 Myrtle Bank Lane? Wonderful. So, how can I help you?"

I explain what I want. "I'm sorry, the person applying for an ATM card must apply in person. Sorry, it's The Patriot Act." Honestly, I am not making this up.

"The card is for my son, who never carries cash and is always running out of gas. He attends High School off the island and can't get here during bank hours," I reply.

"Oh, that's terrible. Let's see what we can do."

Fast-forward to the last page in the episode. I succeed in getting an ATM card under *my* name, for my son's UGMA account. As the custodian of this account, I can have one, but my son can't because he's not yet 18 years old. Of course, issuing me the card gives me the opportunity if not license to let my son use it at ATM machines, which only care that you hold the card and know the PIN. For now, at least. How long before ATMs use facial recognition? After all, it would be "for the Patriot Act".

Has "It's for The Patriot Act." become an interjection? According to the always amusing definitions at http://www.cs.cf.ac.uk/fun/welsh/Glossary_main.html, an interjection is defined as an ejaculatory utterance usually lacking grammatical connection. So I suppose "It's for the Patriot Act" isn't really an interjection. It's an ejaculatory utterance, for sure, but most parties who utter it have no idea what it means or implies.

Sad and deplorable? More like "sad and dangerous".

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID374 by Dave Piscitello  


Fri, 25 Feb 2005 00:00:00 00, 370
Global digital divide is narrowing?

BBC reports that the World Bank takes exception to the UN's campaign to increase technology access and use in 3rd world (a.k.a., poorer) nations.

The World Bank apparently feels that, having achieved 50% access to fixed-line telephones and 77% to cellular service, the world community has closed the gap faster than anticipated. Apparently, the WSIS's conservative campaign goal was 50% by 2015.

I don't imagine the World Bank wishes to be perceived as suggesting we relax for a decade, but don't the deployment figures suggest momentum? Even the most skeptical might at least concede that near-term profits were lucrative, and there's more left to be had, no?

I'm not impressed with the figures, nor the conservative goals. And I'm not certain that counting landlines and cellular subscribers is the most accurate means of measuring the Digital Divide.

Perhaps we could give World Bank officials a taste of what it's like to be digitally divided? Let's have them share a single fixed line and telephone between two offices. Better: let's have four officials share three cell phones.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID370 by Dave Piscitello  


Sun, 02 Jan 2005 00:00:00 00, 344
Ill-conceived anti-phishing techniques in web browsers

The folks at Microsoft, DeepNet Explorer and Mozilla/Firefox have a countermeasure that compares a web server certificate against the domain name to help defeat attempted server identity fraud.

Nice idea in principle, but in practice, the measure causes many "false positives".

I and others minimize keystrokes by visiting sites without prepending the wuh-wuh-wuh to many domain names. Why bother? It's mostly gratuitous these days, and many sites resolve the name correctly without the prefix. For example, whether I submit a hyperlink "http://google.com/adsense" or "http://www.google.com/adsense", I am directed to the same SSL-secured page.

Unfortunately, the aforementioned browsers overzealously apply the countermeasure, and pop up a Security Alert such as "The name on the security certificate is invalid or does not match the name of the site, do you want to proceed?" when I forego wuh-wuh-wuh.

You can argue that the measure is correctly applied, and you are formally correct. But this is an example of a security measure that becomes intrusive, and begs users to seek out a method to circumvent it. It's also an example of a security measure implemented without a broad understanding of the consequences and complementary actions required for it to be effective and non-intrusive. Web site administrators go through all this effort to make certain web users can resolve "fuzzy" names, but overlook the mismatch between certificates and the names they bind to the identity to which the certificate is assigned.
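The check the browsers apply is the one below, as an added example written for this post (it is not any browser's code): a hostname is compared label by label against the certificate's names, with a wildcard allowed only as the entire leftmost label. The name lists are constructed to reproduce the google.com versus www.google.com mismatch, and the "complementary action" on the server side is simply to issue the certificate with both names.

```python
"""Browser-style check of a server certificate's names against the requested host.

Added example, not from the original post or from any browser.  Rules follow
RFC 6125: case-insensitive label comparison, a wildcard only as the whole
leftmost label, and no match across label boundaries.  The certificate name
lists are constructed; no real certificate is parsed.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, and split into DNS labels."""
    return name.strip().lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one certificate dNSName (possibly '*.example.com') cover hostname?"""
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    first, rest = cert_labels[0], cert_labels[1:]
    if first == "*":
        # Require at least two fixed labels so '*.com' cannot be a valid match.
        return len(rest) >= 2 and rest == host_labels[1:]
    return cert_labels == host_labels


def certificate_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name in the certificate matches the host the user typed."""
    return any(name_matches(name, hostname) for name in cert_names)


def browser_verdict(cert_names: list[str], hostname: str) -> str:
    """The message a browser would show; wording mirrors the post's Security Alert."""
    if certificate_covers(cert_names, hostname):
        return f"OK: {hostname} is named in the certificate"
    return (f"Security Alert: the name on the security certificate does not "
            f"match the name of the site ({hostname}); certificate names: {cert_names}")


# Constructed name sets.  The first reproduces the post's false positive; the
# second is the server-side fix (both names in the certificate).
CERT_WWW_ONLY = ["www.google.com"]
CERT_BOTH = ["www.google.com", "google.com"]
CERT_WILDCARD = ["*.example.com"]  # covers shop.example.com, not example.com

if __name__ == "__main__":
    print(browser_verdict(CERT_WWW_ONLY, "google.com"))
    print(browser_verdict(CERT_BOTH, "google.com"))
    print(browser_verdict(CERT_WILDCARD, "example.com"))
```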

I can't be certain that browser developers did an adequate job of investigating the impact of this security measure, nor can I be certain they provided sufficient documentation for web administrators, but it really doesn't matter. The measure, as implemented, falls short of my expectations.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID344 by Dave Piscitello  


Wed, 29 Dec 2004 00:00:00 00, 342
Make all your security problems disappear?

The 12/28/2003 23:15:10 headline on Watchguard Wire is Even XP SP2 doesn't make Internet Explorer safe. The post leads with the statement, "Service Pack 2 for Windows XP was supposed to make all your security problems disappear" and describes a flaw in IE that allows remote code execution. The reporting is accurate, but I found myself asking why (and when) Microsoft made such a claim.

I visited Microsoft's About Windows XP SP2 page, where they state, "Windows XP Service Pack 2 (SP2) provides better protection against viruses, hackers, and worms, and includes Windows Firewall, Pop-up Blocker for Internet Explorer, and the new Windows Security Center." Another rant from Dave the Defender of Redmond, right?

No. I don't ever expect Microsoft to produce an OS, or any other software, that will make my security problems disappear. Generally speaking, I don't expect *anyone* can do this.

What Microsoft does claim is that XP SP2 will provide better, not perfect, protection. Firefox, Opera, and DeepNet Explorer make the same claims: google "browser more secure than IE" versus "browser perfect security" and you'll see my point.

Even the Grayhats, authors of the security advisory 'Wire describes, introduce the flaw by saying, "Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible."

Perfection is impossible. Hundreds of thousands of lines of source code, developed, enhanced, and patched by hundreds of individuals with little or no secure coding expertise or training, over a hundred months, will not produce a perfectly secure OS, whether it be closed or open source.

We burn so many cycles arguing "which is better? which is more secure?", as if we had definitive metrics and quantifiable measures for "secure". Absolute and objective conclusions regarding OS security are unachievable for general purpose operating systems, because in the real and commercial world where they are employed, GPOSs must satisfy nearly irreconcilable requirements.

If you know how to write an operating system that is easy to use, trivial to network and perfectly secure, drop me a line.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID342 by Dave Piscitello  


Tue, 30 Nov 2004 00:00:00 00, 332
SecurePoint learning the hard way

In Blog entry #311, I commented on what an unwise decision SecurePoint had made in hiring Sven Jaschan. ZDNet UK recently reported that SecurePoint's decision has cost them a partner. My exact words were "do you want Jaschan anywhere close to the source code for your firewall?"

According to a news item by Dan Ilett, antivirus vendor H+BEDV Datentechnik shares my opinion. H+BEDV has decided to walk away from a partnership whereby SecurePoint firewalls would use H+BEDV's antivirus software as their AV gateway offering.

Chief executive Tjark Auerbach sums up his company's reservations rather succinctly, and you gotta love his logic. If the antivirus engine in SecurePoint's firewall fails to detect a virus and that virus causes considerable damage, customers might be more than a little concerned over the fact that a former virus writer may have had his fingers in the code.

Tjark is quoted as suggesting that the whole incident might "smell a little bit stinky", which reminds me of a favorite saying of a former colleague, Marshall Rose:

If you wallow in the mud with pigs, ...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID332 by Dave Piscitello  


Sat, 23 Oct 2004 00:00:00 00, 319
Bug-traqqers: traq bugs that really matter

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure:

What version of Windows did you discover this on? When was the software last released? Does the software vendor claim compatibility with the Windows version? Is the software on any compatibility list? What are the specific elements of the attack vector, and what is the probability that these can be encountered in real world Internet connection scenarios? Why should we worry or care about this bug?

You can guess the reactions. One wannabe couldn't answer any question but flamed me for not appreciating the spirit of the hunt. The exchange I had with one wannabe who posted a report of a buffer overflow in a 2001 version of a PC game on Windows 98SE is indicative of the problem:

Dave: "What practical consequence does this bug have for someone operating a large business network?"

Wannabe: "Nothing, this game is not so much diffused and in a "large business network" the people should do their job, not play with games (except if the company is a software house that develops games)."

Dave: "The game's 4 years old, and wasn't a very good one. What's the attack vector for this game? Think of all the conditions that have to fall into place to compromise one home computer. It's too improbable to bother reporting, and the vendor is not going to invest a penny to fix it. So who benefits from the report?"

It's time for a reality traq on bug-traq. Thousands of professionals read this list to try to keep ahead of exploits and problems that could lead to significant large network exposures. Bug-traq has deteriorated from a place where we could go to help keep networks and applications healthy to a community of people who want 30 seconds of fame from identifying an obscure bug of little importance that affects a very small population. Put yourself in the position of someone really trying to apply bug-traq to make networks work well for his users. Now think about having to slog through several hundred reported and suspected vulnerabilities of little importance to find the one that affects your organization.

I closed my email by asking the wannabe to consider applying his talents to investigating applications and communications protocols where he can make a positive impact. I think this is sound advice for everyone on bug-traq.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID319 by Dave Piscitello  


Tue, 28 Sep 2004 00:00:00 00, 311
SecurePoint misses the point

Sasser and Netsky worm creator Sven Jaschan is now an employee of SecurePoint, a security appliance company in Germany.

Everyone in the security community should be disappointed and opposed to SecurePoint's decision. Jaschan should be in jail, making license plates or clothespins, and contemplating the error of his ways. Instead, SecurePoint is providing him a comfortable living and a fast track to repay the nearly $160,000 he owes for acts of computer sabotage.

My opinion regarding hiring and glamorizing crackers is long-documented in Security Hats: Black and White, no Grayscale. In this column, I identify five reasons why you should not hire crackers. I only wish SecurePoint had read it.

It absolutely astonishes me that SecurePoint would make such a moronic move when viruses and worms are sapping IT dollars faster than OPEC is producing oil.

Ask yourself: do you want Jaschan anywhere close to the source code for your firewall?

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID311 by Dave Piscitello  


Fri, 10 Sep 2004 00:00:00 00, 307
Silence the linux lambs

After two weeks of whining about how woeful XP SP2 is and how lamentable Windows security is, I can't help but be amused at the recent barrage of MacOS X vulnerabilities and the concomitant patching frenzy.

In case you've missed the advisories:

Apple fixes 15 flaws in Mac OS X. (see the entire list at List of 15 Flaws)

Mac OS X CoreFoundation Buffer Overflow and Library Loading Bugs Let Local Users Gain Elevated Privileges

Apple QuickTime Streaming Server State Error Lets Remote Users Deny Service

Apple Safari Frame Boundary Flaw Lets Remote Users Render HTML in an Arbitrary Site's Domain

I bring these to your attention for two reasons. The first is to silence the Linux lambs, or at least pause the annoying bleating for an afternoon. According to the article, "Many of the problems are flaws in the [Mac OS X] operating system's underlying open-source software". Sorry, your open source code is as flawed and exploitable as Redmond's. Spend the afternoon checking your code for buffer overflows instead of ranting about the poor quality of someone else's code.

The second is to corroborate a claim I share with many of my colleagues: general-purpose, commercial operating systems all have their share of security flaws and exploitable code. The bickering and dirt-slinging is as bad as any you'll see from the Democrats and Republicans between now and November.

Sadder still, it serves the same purpose: distract the public's attention from the fact that your party's just as incapable of publicly confronting and solving the real problems as your antagonist.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID307 by Dave Piscitello  


Thu, 02 Sep 2004 00:00:00 00, 303
De-perimeterization is a crock...

"De-perimeterization" is popular among the VPN, application protection, and web services communities. It's another in the never-ending stream of labels that marketing wonks invent to distinguish what they are trying to sell from what everyone else is selling. It's a dumb and inaccurate term that only serves to confuse buyers, which ultimately causes them to buy badly, or not buy at all. De-perimeterization is a testimony to the shortcomings of a society that operates on ten-word sound bites.

De-perimeterization is "a worldwide push toward a more porous corporate shell yet more secure collaborations in our increasingly interconnected online world"1. De-perimeterization is yet another forecast of the demise of the corporate perimeter, the traditional network firewall, in this case due to the increased employment of web services in collaborative networking: simply put, not only people but executable code (services) move across enterprises, mostly over web, and hence through ports that network firewalls allow inbound and outbound.

What the term tries to convey can't easily be done in one word. What the term and the hype woefully misrepresent spreads the F.U.D.

De perimeter exists. You've misappropriated the prefix de.

There are many perimeters in the present and future enterprise. The perimeter that de-perimeterization tries to deprecate is maintained through network layer firewalls. It's not going away. It's now decentralized through the use of personal, teleworker, and small office firewalls as complements to enterprise Internet-facing and compartmental firewalls.

Further complementing the network layer perimeter is a perimeter of application protection. This additional layer of security will be responsible for assuring that application connections are authenticated and that the data conveyed over them is authentic and (where appropriate) confidential. And by this, I don't mean "VPN".

The column I cited earlier casts skepticism on de-perimeterization's ultimate goal: "worldwide use of system-, data- and connection-level authentication". While I hate the term, I love the objective. What is often misunderstood when we use the word data is that data includes identities, the information web services process, and the executable code (services) organizations exchange, as well as the channels over which this data are communicated. This is not de-perimeterization at all, but the addition of federated identities to our existing layers of security.

We don't need a new term. We need people to RTFM and use the terms we have appropriately.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID303 by Dave Piscitello  


Mon, 23 Aug 2004 00:00:00 00, 297
In defense of self-publishing...

My colleague and friend, David Strom, has been discussing blogs and self-publishing in his recent Web Informants #382 and #383.

In WI #383, David permits Deb Radcliff of the Freelance Business and Technology Writers' Association (www.fbtw.org) to comment on self-publishing. Deb presents a dim view of self-publishing, and I'd like to offer a rebuttal to the conclusion that "Self-publishers and blogs are unsafe, abusive, and lack credibility" expressed therein.

I don't dispute that many blogs are unsafe, lack credibility, exhibit poor judgement and dreadful taste. But these sad examples, in general, are hosted blogging sites. They are largely unsupervised playgrounds, and educating folks about the risks and credibility of such venues is A Good Thing.

I do find more and more serious professionals using blog software rather than web publishing tools to produce very credible and valuable content. These folks - and I include myself - run their own secure servers. They moderate and filter comments, and the responsible ones are as fastidious regarding privacy, error and libel as traditional media. Professional self-publishers invest time, talent, and research as seriously in their blog endeavors as they do when they freelance or write white papers for traditional publishers. Such blogs offer professionals the opportunity to explore topics other than those on which they typically provide consultation and advice. Some are personal, and they give readers and potential clients valuable insight into the character of the individual they might hire. Some are off the mainstream topics, and perhaps reveal to clients other dimensions of the practitioner/consultant.

Some are editorial. There are too few traditional publications to permit broad editorial opportunities for the number of people who are capable of providing credible OpEd. Others are simply pro bono activities. A security professional publishes a brief configuration note for IIS or Windows 2003 server. An HTML professional recommends a utility that generates reports from web log files. These are all valuable activities.

Many such blogs offer RSS feeds. I routinely visit at least a dozen such blogs. I find them to be a marvellous complement to traditional publications. And in a number of cases, I find the stories more accurate and technical than those a beat writer composes.

Self-publishing is easy. Like traditional publishing, GOOD self-publishing is demanding, and the good self-publishers hold themselves accountable. You can get the same protections from responsible self-publishers as you get from traditional media.

It's just as inappropriate to lump all blogs in the "iffy and unreliable" category as it is to claim all newspapers are scandal rags. Don't condemn a technology; castigate instead those who misuse it.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID297 by Dave Piscitello  


Wed, 07 Jul 2004 00:00:00 00, 280
Dumb thread of the week

Lurk on any mailing list long enough and you'll invariably eyeball a subject line that makes you question why you've bothered to lurk at all. A recent subject line, "Microsoft technologies. By default, non-HIPAA compliant?" from (who else?) but abm@anythingbutmicrosoft.org, made me blink, laugh, then laugh again. What is it with Linux people that every issue reduces to Klingons versus Earthlings? It's Linux, not Linix.

The notion that any operating system's default or "out of the box" configuration is HIPAA compliant is childishly amusing. But, if you overlook the twin implications in the subject line - by definition, Windows could never be, but someone could ship Linux in a way that it could be - you have to worry that most folks, including many who practice security, still don't know how to distinguish policy from product and implementation (deployment).

In a physician's office, handwritten patient histories, facsimiles, and printouts of test results are all examples of healthcare information protected under HIPAA. In the real world of small town physician's offices and rural clinics, these are "protected" and satisfy HIPAA regulations if they are stored in a locked file cabinet made of materials most of us would consider only modestly tamper- and fire-resistant. Locks on the doors to the rooms in which the cabinets are situated add a layer of security. Locking any doors that deny access to unauthorized individuals during and outside office hours adds yet another layer of security, and thus you have defense in depth.

I'm thinking as I wait for new posts to this thread, "HIPAA identifies the criteria you have to satisfy to protect healthcare information. Wouldn't I satisfy HIPAA regs were I to store medical records in ASCII files on a pre-Pentium PC running CPM-86 or MS-DOS 3.1 if I didn't network the PC and locked it away as securely as physicians customarily lock file cabinets? Sure. No internet connection, locks in place... suppose I remove the power supply each night..."

Lingering on the list, I wait for someone to inject some sanity into the discussion. Sure enough, someone offers the following: "HIPAA has very few direct requirements. A lot of what needs to be done depends on the environment. For example, if I have a closed environment with no Internet connections (yes, this happens in some places) and sufficient controls to protect servers against insiders, then the latest ... problems are of no concern at all."

Sane minds prevail! HIPAA has few direct requirements because even much-maligned regulators appreciate that it's imprudent and illogical to mandate a particular authentication method, encryption algorithm, security (e.g., VPN) protocol or other security solution without considering the risk profile for each situation where HIPAA or any other regulation must be satisfied. Some solutions, such as the use of biometrics for physical access, might satisfy HIPAA in the overwhelming majority of situations, but such methods are prohibitively expensive for a rural clinic. Others, like the use of passwords, for example, may meet HIPAA guidelines if other measures are present to reduce the likelihood of theft and misuse.

Context, me lad, context!

And lose the Micro$oft attitude...

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID280 by Dave Piscitello  


Wed, 30 Jun 2004 00:00:00 00, 276
Encouraging signs

The ACLJ and Bush administration are no doubt less encouraged by recent Supreme Court decisions than I am. Mind you, I'm no fan of child pornography and terrorism, but I am a great fan of the U.S. Constitution. As loathsome as I find child porn, I have to agree that the Child Porn Prevention Act of 1996 is overly broad and vaguely worded. The CPPA needs better language to be effective. In its current form, it's easily manipulated by law enforcement and equally easy for porn mongers to elude. Write an enforceable law, then enforce it.

I abhor violence and terrorism, but I also have to agree that terrorist suspects held by the military, both foreign nationals and American, have the right to challenge their detention in the U.S. court system. I'm not comfortable claiming the United States is a democratic society when we can arbitrarily call someone an enemy combatant, detain that individual, and deny the right to challenge that detention in a U.S. court. Detention of this sort was wrong in the 1770s, the 1930s and 40s, and it remains wrong today. By including foreign nationals, the Supreme Court clearly tells the international community something the current administration has failed again and again to convey. We aren't exclusionary in our definitions of democracy and equality. The life of an American citizen is not more valuable than the life of any other world citizen.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID276 by Dave Piscitello  


Mon, 17 May 2004 00:00:00 00, 252
Defense in depth: crunchy on the outside?

The theme for SearchSecurity.com: This Week May 17, 2004, is Defense-in-depth. The promo for this Joel Snyder webcast explains that, "Perimeter defense leads to a network that is crunchy on the outside but soft on the inside."

I'm pretty certain that the phrase, "defense in depth" originated in the DoD. I'm also certain that the DoD didn't intend defenses to ever be crunchy, but rather, hard. Crunchy conjures images of World War II G.I.'s being overrun by German Panzers in the Ardennes forest. Knowing Joel, I don't think he'd have chosen crunchy if given a choice.

Fried chicken, various breads and candies are crunchy on the outside. Defenses shouldn't be crunchy. This is a case of marketing copy gone awry. Googling, I find that others have used crunchy to describe security for SANS and WLANs. The phrase draws a bad analogy, please don't use it.

Defense in depth means strong perimeter *and* interior defenses. Phil Carden wrote a column in 1997 titled Stored File Encryption: Boiled Eggs and Scrambled Data, in which he explained that security architectures that store data in plain text are like soft-boiled eggs, whereas those that utilize stored data encryption are like hard-boiled eggs.

Dr. Bill Hancock coined and frequently used the Twinkie analogy. In TISC and SANS presentations during 1999, Bill claimed that, "Security is like a Twinkie: it's what's inside that counts".

Today, the Twinkie analogy is accurate for a different reason than Dr. Bill intended. Most perimeters are not hard. We alternatively describe security perimeters as extended, inverted, collapsed, and fluid. In a word, they're soft.

The latest buzzword among the endpoint and web services security wonks is de-perimeterized. I loathe when nouns are used as verbs, so I can't in good conscience bless the term without de-intelligencing or stupidating myself. Let me simply say that the term "perimeter" is no longer applicable when used in the singular for a given organization. If you use perimeter, use the plural, perimeters.

Every mobile client - perhaps every client - should have its own perimeter defense (in the form of personal firewall software or an OS hardened against network attacks). Every broadband connection - generally, every network segment where a security policy describes a trusted versus untrusted interface - should have a perimeter (firewall). Every application server farm should have a perimeter (application and network firewall).

Joel will almost certainly tell you to secure the interior of your network. I wholeheartedly agree. Remember, however, that defense in depth implies layers of security, and one of the layers consists of many, strong perimeters.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID252 by Dave Piscitello  


Mon, 10 May 2004 00:00:00 00, 249
Insider error

The 2003 CSI/FBI Computer Crime survey has lots of folks worrying that it's difficult to detect insider-initiated attacks. I actually worry more about insider error.

Insider errors are more prolific than attacks. They may be root causes of attacks. They include:

  • The employee who creates unprotected shares;

  • runs unauthorized services;

  • has no use for personal firewall software;

  • fails to patch and hot fix operating systems and applications;

  • falls prey to spoof email or phishing;

  • fails to maintain virus definitions;

  • keeps accounts and passwords in text files created in NotePad, and caches passwords to save keystrokes;

  • installs software of unverified origin, without approval.

Such employees fall victim to spyware, keyloggers, worms, trojans, and combinations thereof (also known as blended threats).

Blame the employee? Perhaps. Blame the policies and processes that make non-technical employees responsible for client security and administration?

Better.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID249 by Dave Piscitello  


Mon, 03 May 2004 00:00:00 00, 243
It pays to certify...

Network World is running a trailer ad for certification programs in one of their many e-newsletters. The ad touched a raw nerve, for more reasons than one.

This ad begins, "Not sure if you should spend the time and money pursuing IT certifications? And, if you do, whether or not your efforts will translate into a 'beefed-up' paycheck or open the doors to advancement opportunities? In this NW Special Report: It Pays to Certify - we take a look at what certification may or may not bring to the table."

The ad reinforces the (growing?) opinion that certification is all about money and advancement for the individual. The ad doesn't encourage IT departments to "beef up" expertise. It doesn't give enterprises any ROI or other evidence that certified practitioners will help improve operations and security.

It doesn't give me a warm feeling that certification programs are what they ought to be, and appreciated for what they ought to produce.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID243 by Dave Piscitello  


Sat, 24 Apr 2004 00:00:00 00, 239
What *are* they thinking?

The US Post Office announced it will cease sponsoring Lance Armstrong. Sad and disheartening.

If this alone isn't more than "curious", you have to question the timing. The Tour de France is only two months away. A win in this year's Tour de France gives Lance the record for consecutive wins. Armstrong's among the most admired sportsmen in the world. Cycling isn't as popular in the US as other sports, so it seems the Post Office wants more exposure for its sponsorship investments.

Why be the company that backs a once in a lifetime athlete with a miracle comeback story (now history) when you can use the same money to sponsor a half-time report, game summary, or the WhoCares bowl in Maui?

Find the story here.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID239 by Dave Piscitello  


Fri, 23 Apr 2004 00:00:00 00, 238
Disclaimers and email signatures

I recently participated in an interesting thread about legal disclaimers for email messages. I'm referring to the two kilobytes of legalese bloat that proclaim the message is privileged and confidential and that, if mis-delivered, the recipient should notify the sender, destroy the copy, keep whatever he might have read confidential...

Being a long-time advocate of secure email, any time I read a legal disclaimer, I try not to laugh at the futility here, or at best, the misplaced notion of trust. Anything privileged or confidential should never be sent in unencrypted, unsigned email. That's obvious.

What, exactly, do folks expect when they attach a lengthy statement that essentially says, "I sent something confidential and privileged, and if by some random act of mail routing, you've received this and are not the intended recipient, please take time out of your busy day to let me know, and by the way, you're now accountable for keeping this information confidential, under my implied threat of legal action."

If imposing a gag act on individuals were this simple, I can't help but think that Rumsfeld, Ashcroft and crew should routinely preempt negative news stories by "accidentally" blind-copying reporters with the exact accounts of incidents the Bush administration would choose to keep quiet.

David Steele, a colleague and attorney (he's actually a computer guy first, attorney second, so he's OK), made some amusing observations about such disclaimers, including, "...putting them at the bottom of the email means that the reader has to read down the email to get to the part that says 'this is confidential and don't read it if you're not the intended recipient.'" David suggests, "whenever I send something that is really confidential, I put the notice at the top of the email, with "PRIVILEGED AND CONFIDENTIAL COMMUNICATION" in all caps as well (and in bold, if I'm bold enough to send email in HTML), and then I add a bunch of blank lines to make sure the message is well below the notice. This, in my view, achieves the requirement of providing the notice before the information is read."

For many attorneys and corporate execs, it really doesn't matter that this behavior is, well, pointless. They were told to do this with faxes, and it's a small, not quantum, leap of misperception to think, "right for fax, right for email".

If you were to use a disclaimer, it would make sense to apply it only when you were sending something truly privileged and confidential, right? Wrong. What's the point of doing something pointless unless you do it in a big way? First, you'd actually have to *think* about what you're about to send before firing it off. Second, you'd have to spend time choosing between basic and disclaimer signatures. Too much room for error. But David Steele makes the interesting point that, "if you use the notice on everything you send out, regardless of whether or not it is confidential, then the notice will become too dilute and have less, or no effect, when something that is confidential gets sent out to the wrong party."

In an act of generosity rarely exhibited by attorneys, David offers this example of a disclaimer:

PRIVILEGED AND CONFIDENTIAL COMMUNICATION

This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.

I personally find this too stuffy. My choice would be:

This is email. It's like a Post Card. While the probability is low:

- Anyone can read it.

- Anyone may have changed it.

- Anyone may be impersonating me, the purported sender.

- You may not even be an intended recipient.

- If this mail or any attachment managed to meet your antispam criteria, was delivered to you, and contained malicious code, it probably did *not* come from me, so please don't send me one of those dopey, "your email contained a worm" messages.

Have a worry-free day:-)

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID238 by Dave Piscitello  


Wed, 07 Apr 2004 00:00:00 00, 228
Welcome to Orlando, Florida - bring quarters!

I'm concluding a three day business trip in Orlando, reflecting on the local driving situation.

It's virtually impossible to travel anywhere in the Greater Orlando area without encountering toll roads. Not only this, but the tolls are amazingly frequent - like, every 2-3 miles - and excessive - like $.75 per toll. Over the course of three days, I've spent about $20 in tolls.

The notorious Garden State Parkway tolls in New Jersey pale in comparison to Orlando. Given the millions of people who visit Orlando each year, and the amount of toll revenue Florida must collect, you'd think the state would rank higher than 40th in education.

Or have better election polling technology:-)

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID228 by Dave Piscitello  


Tue, 16 Mar 2004 00:00:00 00, 218
Launching Counterstrikes against DOS and Hacker Attacks?

News.com reports that Symbiot intends to release a product that will allow companies to retaliate against attackers. My first reaction to News.com's report on Symbiot's "defense system" was sheer puzzlement.

Is this a throwback to the Nuclear Arms Race, or what? Even the rhetoric in the quotes was reminiscent of the Fifties:

We're done with passive detection and blocking. You attack us, we'll strike back. Hard. Our response will be *proportionate* to the ferocity of the instigating attack.

Proportionate response? What's in the Koolaid in Texas these days?

Like the analysts and consultants who offered sound bites for the news piece, I asked, "Exactly what kind of response is proportionate to a denial of service? Who, exactly, do you retaliate against?"

Symbiot's web site is designed to garner all the attention the company obviously seeks. They claim to be ready to launch "the first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures - effectively fighting fire with fire."

I'm speculating this is your basic "Drama queens in Austin" attempt to get as much media attention for a product launch as possible. Pray these folks don't take more pages from Reality TV and stage a proportionate incident response. Imagine the headlines...

Newco.com thwarts DDOS, takes China's power grid offline.

In response to last week's web defacement, Azmoston.com hacks into process control system near Maduria: ensuing chemical explosion destroys Meenakshi Temple.

NASQUAC.com detects trading fraud, initiates massive SQL injection attacks against major Euro and Asian market traders.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID218 by Dave Piscitello  


Wed, 03 Mar 2004 00:00:00 00, 213
More "yesterday's weather" from Gartner

Today, Gartner issued a press release: Gartner Says Camera Phones Can Pose a Security Risk to Enterprises, but An Outright Ban by Companies is Shortsighted. In the release, they say that "businesses are concerned that camera phones can compromise their security and employees' privacy".

This is about late-breaking and newsworthy today as "It rained in San Francisco, February 25th".

Where have Gartner's analysts been the past 4 months? Aren't analysts supposed to be spearheading trends and issues? I led a COMDEX panel in November 2003 that discussed handheld and smart phone security issues. I wrote an editorial a week later that's now posted at COMDEX/Networld+Interop LOOP. If you Google "camera phone security", you are deluged with information, emerging products, ... sheesh.

In the same release, Gartner sez, "there are a flood of high-tech consumer devices, not just camera phones, entering the workplace that could pose a security risk." Insightful. There are a flood of high-tech consumer devices that can electrocute you if dropped into your bathtub.

Continuing, Gartner sezzz, "There are Universal Serial Bus 'key ring' drives, some of which will soon feature built-in cameras that can quickly connect to almost any recent PC and take large amounts of information off the premises."

It snowed in Denver last January.

Perhaps someone should think about access controls for USB devices? It so happens I wrote about this three months ago for LOOP. An entire industry segment is well-funded and manufacturing all manner of USB security measures. Sheesh-squared.

I recall worrying at the time that my LOOP piece might be a bit stale. I suppose if I were an analyst, I wouldn't worry quite so much about this.

Then again, I'm not trying to fill seats in an Upcoming Mobile and Wireless Summit:-O

Trying to close on a pleasant thought, perhaps Gartner felt obliged to do some research, and found my columns...

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID213 by Dave Piscitello  


Tue, 10 Feb 2004 00:00:00 00, 200
Miniature Breeds

Way off topic. I won't even pretend there's a security angle here.

Looking for yet another re-run of Law and Order: Whatever, I channel-surfed to USA Network, only to find the AKC championships. This particular evening's event was the miniature breeds. I learned that many miniatures are cross-breeds of noble hunting dogs (including poodles), bred down from as much as 30 pounds to the 7 pound maximum for this class.

Seeing how we have historically manipulated what we know about genetics in dog breeding, I'm convinced that, along with incredible advances in regenerative and reparative medicine, humans will find all the wrong applications of cloning and stem cell research. It makes me sad... and scared.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID200 by Dave Piscitello  


Fri, 30 Jan 2004 00:00:00 00, 198
Privacy Enhanced Small Offices - PESO

I've been considering just how vulnerable home and small offices are to the underhanded and IMO unethical monitoring, tracking, collecting and disclosure of information that can be gathered from browsers, email clients, messaging agents and other end user applications. These applications are used daily by folks who are entirely in the dark regarding the extent to which their privacy is invaded with each web transaction, query, and interpersonal communication they perform.

Cookies. Tracking technology. Spyware. Gathering of information under opt-out rather than opt-in contractual agreements. Honestly, how different are businesses that abuse these techniques from spammers, phishers, and crackers?

I'd love to see a small office firewall evolve from the "filter filter blah blah we do NAT" species to something really valuable for the hapless SMB:

  • implement an SMTP proxy that scrubs email client and server headers;

  • provide a proxy that scrubs HTTP requests and reveals nothing about individual users and computers; essentially, a proxy that provides the same kind of secure anonymous surfing MEGAPROXY and other public servers offer...

  • provide a proxy that detects spyware and tracking technology and blocks back channel communication to the information gathering weasels who sell such data to help "personalize" marketing.

I'm certain there are other features we could include in the PESO initiative. Let me know what you think, perhaps we can begin a global campaign to combat intrusive Internet technologies and reclaim some of our already eroded privacy!
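To make the first two PESO features concrete, here is an added example (my illustration, not code from the original post or from any product) of the header scrubbing such a small-office proxy would perform on an outbound HTTP request and an outbound e-mail. The header lists, the proxy domain, the tracking-parameter list and both sample messages are constructed for illustration.

```python
"""Header scrubbing for a PESO-style small-office privacy proxy (added example)."""
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# HTTP request headers that reveal the user, browser or internal network.
# Everything not listed here passes through unchanged (constructed list).
HTTP_DROP = {
    "cookie", "referer", "user-agent", "accept-language", "from",
    "x-forwarded-for", "x-real-ip", "via", "dnt",
}
# Generic User-Agent substituted so servers that insist on one still get one.
GENERIC_UA = "Mozilla/5.0 (compatible; PESO-proxy)"
# Query-string parameters used for click tracking (constructed list).
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid"}

# Mail headers that fingerprint the sending client, workstation or inside hops.
MAIL_DROP = {
    "x-mailer", "user-agent", "x-originating-ip", "x-originating-email",
    "received", "x-mimeole", "x-msmail-priority", "x-priority",
}
# Domain the proxy presents to the outside world (hypothetical placeholder).
PROXY_DOMAIN = "mail-proxy.example"


def scrub_http_request(raw: str) -> str:
    """Rewrite one outbound HTTP/1.x request (request line plus headers).

    Drops identifying headers, substitutes a generic User-Agent and removes
    known tracking parameters from the request target. The body is untouched.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)

    # Strip tracking parameters from the query string, keeping the rest.
    parts = urlsplit(target)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    target = urlunsplit(parts._replace(query=urlencode(kept)))

    out = [f"{method} {target} {version}"]
    for line in lines[1:]:
        name, _, _value = line.partition(":")
        if name.strip().lower() in HTTP_DROP:
            continue  # identifying header: drop it
        out.append(line)
    out.append(f"User-Agent: {GENERIC_UA}")
    return "\r\n".join(out) + sep + body


def scrub_mail_headers(raw: str) -> str:
    """Remove client/server fingerprint headers from an outbound message.

    Received: lines written by inside hops are dropped (the upstream relay adds
    its own), and the host part of Message-ID, which usually names the sender's
    workstation, is rewritten to the proxy's domain.
    """
    msg: Message = message_from_string(raw)
    for name in list(msg.keys()):
        if name.lower() in MAIL_DROP:
            del msg[name]  # deletes every occurrence of that header
    mid = msg.get("Message-ID")
    if mid:
        local = mid.strip().strip("<>").split("@", 1)[0]
        msg.replace_header("Message-ID", f"<{local}@{PROXY_DOMAIN}>")
    return msg.as_string()


# Constructed sample traffic from a fictitious small office (10.0.0.17).
SAMPLE_HTTP = (
    "GET /news?id=42&utm_source=newsletter&utm_campaign=spring HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1) Firefox/0.8\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Referer: http://intranet.smallco.example/reading-list.html\r\n"
    "Cookie: tracker=abc123\r\n"
    "X-Forwarded-For: 10.0.0.17\r\n"
    "\r\n"
)

SAMPLE_MAIL = """Received: from pc-accounting (10.0.0.17) by mail.smallco.example
Message-ID: <20040130.1234@pc-accounting.smallco.example>
X-Mailer: Outlook Express 6.0
X-Originating-IP: [10.0.0.17]
From: alice@smallco.example
To: bob@example.org
Subject: invoice

Please find the invoice attached.
"""

if __name__ == "__main__":
    print(scrub_http_request(SAMPLE_HTTP))
    print(scrub_mail_headers(SAMPLE_MAIL))
```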

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID198 by Dave Piscitello  


Mon, 19 Jan 2004 00:00:00 00, 196
A case of "you got what you paid for, and more than you bargained for..."

I follow BugTraq, but not fastidiously. When my BugTraq email folder exceeds 100 messages, I browse the subject lines for relevant vulnerability information. First, I cull all the messages that report on *nix and related software because I don't run that OS here. Despite popular belief to the contrary, this typically eliminates half the messages in my folder - yes, Virginia, some vulnerabilities are reported on software other than Microsoft's...

Every so often, I google what I imagine to be an obscure piece of software for which a bug is reported. Case in point is a freeware system tray utility called switchoff. I was surprised to discover that this convenience tool was downloaded hundreds of thousands of times from Tucows, Cnet, et al.

Google's results also show multiple vulnerabilities disclosed over the past year, yet the most recent version available has not been updated since September, 2002.

What appears to be "switched off" here is common sense. A large population of users continues to download and install software of questionable quality, authored by someone with apparently neither the time nor inclination to maintain it, for the apparent value of saving some mousing and keystrokes.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID196 by Dave Piscitello  


Tue, 13 Jan 2004 00:00:00 00, 192
RIAA must re-think strategy... and image

The RIAA's aggressive "anti-piracy" campaign to eliminate music sharing, swapping, downloading, and copying may be winning battles, but the music industry is still losing the war.

RIAA's biggest problem isn't illegal copies of music, but its own unwillingness to take ownership of the problem. They want everyone *else* to be responsible. Individuals should feel bad about sharing music. Legislators should protect artists and music companies by enacting laws with harsh penalties for sharing. Law enforcement agencies should treat music theft as seriously as crack cocaine.

Set aside the issue of whether music sharing or copying is legal, and look at the other problems the RIAA chooses to ignore:

  • They failed to see the impact of digital music, and have yet to come up with a copyright protection mechanism that is adequate, much less "failsafe". Moreover, what the RIAA comes up with will probably antagonize consumers even more than the odious packaging used to thwart shoplifting. Or it will be cracked within weeks of implementation.

  • They have positioned themselves as The Bad Guys to the most lucrative demographic of buyers. Even tricky Dick Nixon wasn't as universally reviled as the RIAA.

  • Especially with regard to Internet-based music sharing, they fail to see a bigger threat: ad hoc IP networking.

Gather a few dozen kids with WiFi-enabled laptops chock full of MP3s. Add an access point. Turn on DHCP. Within minutes, music swapping is up and running. With storage as inexpensive and plentiful as it is today, kids don't need to browse or be selective: copy *everything*.

One such party isn't much of a threat. Imagine weekly, even nightly, parties at every high school and university.

Given the trends in removable storage, you may not even need a network to match the pace of music downloads via peer-to-peer networks. Exchange a 1 Gig SD with your buddy. And then with two more buddies. And two more buddies...

The problem RIAA faces is social, not technological. We've seen this before, and ultimately, Prohibition was repealed. Can you spell *unenforceable*?

The music industry's biggest failure is that they won't consider a different model for selling music. I'm no marketing genius, but it seems to me that there's a price point and convenience threshold for every product that's both attractive and acceptable, where the majority of people will simply find it easier and acceptable to pay for music than scrounge for it.

That magic figure may not be very appealing now, but it's a more likely scenario than silver-bullet technologies or a music police state.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID192 by Dave Piscitello  


Wed, 10 Dec 2003 00:00:00 00, 178
Draconian Act of the Month: Poke your camera phone's eye out?

A colleague forwarded me Andrew Orlowski's column from The Register, where META Group analyst Jack Gold recommends that companies "poke out" the camera lens on cell phones as a means of mitigating the threats these insidious devices pose (see also, my editorial).

A bit over the top Jack. Can you spell D-R-A-C-O-N-I-A-N?

And people wonder why I cringe when I'm introduced as an industry analyst.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID178 by Dave Piscitello  


Mon, 17 Nov 2003 00:00:00 00, 163
Phishers don't deserve sympathy

Phishers are one of the lowest forms of e-life. These email scam artists pose as representatives of Charles Taylor, PayPal, and other legitimate businesses, hoping to fleece money or reel in your credit card or bank account information.

I have no sympathy for phishers. What they do is reprehensible. Apparently I'm not alone. Every post to the discussion thread at SecurityFocus.com for Kevin Poulsen's article, Unlucky Phisher Pleads Guilty condemns Helen Carr's phishing schemes. And everyone is hopeful that the US Justice Department will be able to impose the maximum sentence of five years, and wishes it could be more.

If you want to learn more about phishing, what you can do to protect yourself and how to report suspected phishing, visit Antiphishing.org

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID163 by Dave Piscitello  


Wed, 12 Nov 2003 00:00:00 00, 161
Comparing Patch Track Records: Useful or Pointless?

According to a news item by Kieren McCarthy at Techworld.com, and to the apparent delight of many Linux users and bug traqrs, Microsoft has "hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably."

While the weenies giggle and chat about how they are finally rattling Microsoft's chain, I can only shake my head in disbelief. Why anyone, much less Microsoft, would try to focus - or perhaps divert - attention on "who's quicker to fix broken code?" boggles my mind. It reminds me of the lampoon where George Bush is assailed by reporters about healthcare and the economy and his response is, "look, there's Saddam Hussein!!!".

I suppose if misdirection works for George, it should work for Microsoft as well.

If there's an issue every software community should consider, it's the sheer volume of bugs in starNIX, Windo$e and dozens of applications that don't appear on the radar of the world where meaningful business is conducted. Perhaps bugtraq-ing is très outré and what we're seeing is simply a temporary phenomenon? Perhaps not.

I dread to think what's next. Imagine the home pages of Microsoft, Caldera, and Red Hat all boasting "over <integer> million bugs patched".

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID161 by Dave Piscitello  


Wed, 29 Oct 2003 00:00:00 00, 154
P2P makes SANS Top 20 - Why now?

Grant Gross, IDG News Service, reports that peer-to-peer software has been included for the first time on the SANS Institute's annual list of the 20 most exploited vulnerabilities. Outlook was included as well, which surprises no one.

I published an article in BCR magazine about the dangers of peer to peer applications exactly a year ago ( Security And Peer-To-Peer Applications).

I know the SANS experts are as security savvy as I am, so why did it take so long for P2P to rise to the Top 20? Bad public relations team?

Nope. Until the RIAA began suing MP3 sharers, corporations and consumers shared a "no harm, no foul" attitude; more precisely, "it's not a foul if the ref doesn't see it". Now that litigation is in play, the corporate risk profile for P2P has changed to, "this could cost us serious money", so it's only natural that SANS would raise P2P's status.

What's truly remarkable about the SANS list is that Outlook has been omitted from the Top 20 for so long. Since its introduction, Outlook has become universally perceived as synonymous with Internet worms: I could have used this {word, definition} pair in my Inaugural Security Puzzle as a "gimme".

Sad and deplorable...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID154 by Dave Piscitello  


Fri, 03 Oct 2003 00:00:00 00, 137
Rush Limbaugh is a Big Fat Bigot

John Ridley offered a spot-on commentary about Rush Limbaugh today on NPR. By nearly all accounts, Limbaugh's comments regarding NFL Quarterback Donovan McNabb were racist: certainly the ones the liberal media printed were. But of course Rush claims these are precisely the people responsible for all this trouble. Thankfully, he's gone from ESPN's broadcast team and I can watch football again.

IMO, Ridley correctly classifies Rush as a member of the "frightened bigoted wing of the establishment" who both blame affirmative action for all that's wrong in America while simultaneously crediting the program and not the individual whenever a minority is successful at anything.

Al Franken only got it partly right: Rush is a Big Fat Bigoted Idiot.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID137 by Dave Piscitello  


Wed, 01 Oct 2003 00:00:00 00, 135
If 50 Million isn't a Mandate, 43.6 Million isn't as well...

NPR will run a program later this week commenting on the number of Americans without private health care insurance, which increased for the second, third, or fourth straight year, (depending on your source, but try WISTV.com).

However many years you choose, the fact that it's up over 6% over the past year, to 43.6 Million, is a dreadful indictment on our sorry sense of democracy in action. People are "choosing" to go without health insurance.

I imagine some people are choosing to drive flashy cars. My heart goes out to the many choosing to eat...

Instead of arguing over ~$20 Billion for re-building Iraq, perhaps we could budget half of that amount for healthcare.

Frankly, I like the sound of Leave No Healthy Child Behind...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID135 by Dave Piscitello  


Thu, 25 Sep 2003 00:00:00 00, 131
50 Million simply isn't a mandate

Over 50 million Americans requested to be placed in the National Do Not Call Registry. An Oklahoma judge blocked Do Not Call's implementation by awarding a summary judgement to those weasels who do (abusive) business as the Direct Marketing Association.

I find it distressing that a judge would intervene on a legal technicality faced with what I would call a clear mandate from citizens in a democratic society. If this had been a referendum on a national ballot, ...

Put 50 million "votes" into perspective. The popular voting results for the 2000 Presidential Election showed George W. earned 50,456,002 votes while Al Gore earned 50,999,897.

You might think 50 million is a LARGE NUMBER, but it didn't give George Bush a mandate for his presidency, and it apparently has no influence on Judge Lee R. West when arguments are presented on behalf of a company with deep pockets and everything to lose.

At least one of the arguments the DMA presented is that the Do Not Call wasn't necessary, that Americans already had the means of blocking telemarketing calls by sending a letter to the Telephone Preference Service of the Direct Marketing Association at PO Box 9014, Farmingdale, NY 11735-9014. The letter must of course include your full name, address, and signature.

The DMA isn't opposed to individuals opting out of telemarketing. The DMA is opposed to the ease with which the web provides individuals with the opportunity to save time and the cost of postage to opt out.

Hell, it's almost as easy for an individual to opt out as it is for a telemarketer to place an uninvited phone call! What's fair about that?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID131 by Dave Piscitello  


Fri, 19 Sep 2003 00:00:00 00, 129
Law of Vulnerabilities Debate at BlackHat Briefings

Mitch Kabay's September 19 newsletter contains a report by Jim Reavis (SPI Dynamics) on the lively (read: loud and profane) discussion at the Black Hat Briefings over the Law of Vulnerabilities, a study by Qualys that described a half-life of security holes.

I commented on this theory in blog 96 on August 10. I'm still skeptical that vulnerabilities really decay in this manner because I believe the problem is process-influenced (read the blog!), but here's my attempt at amplifying what I've said before:

If software "A" has a vulnerability "x" and an identified BUT SEPARATELY managed patch "10", then the vulnerability will endure until the software is no longer used on any system. Why? Because administrative *processes* will influence whether on every instance of installation, repair, or recovery, 10 will be patched onto A. And administrative processes are imperfect at best.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID129 by Dave Piscitello  


Mon, 15 Sep 2003 00:00:00 00, 126
Criminalize tool sharing?

In a Wired article, Just Say No to Viruses and Worms, Kim Zetter reports that at a technology subcommittee hearing of the House Committee on Government Reform, Symantec's COO John Schwarz "called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers". Schwarz's logic is apparently this: make it a crime to share and exchange code that can be used to attack networks, and you'll reduce the number of attacks.

Schwarz didn't suggest how one might distinguish malicious code from useful code. I suppose we can use criteria such as a company listing in the OSCAR database or NASDAQ to distinguish an ISS or SPI Dynamics' vulnerability scanner from nmap and whisker. Or maybe price. Let's brush aside the matter of a company that offers free downloads: free simply won't be an option.

Aside from adding a good number of legitimate vulnerability assessment companies and consultants to the ranks of the unemployed or incarcerated, think of the precedent this sets as a theorem:

If X can be used in a crime, then X should be illegal.

It's pretty simple to compose a list of good things that can be used for bad purposes:

  • Cell phones

  • Automobiles

  • Nylon stockings

  • Kitchen cutlery

  • GUNS!

How quickly we arrive at "Never Mind." At least one lobby's influential enough to assure Schwarz's Law will never be enacted.

Take heart. At least one voice of reason attended the hearing. Chris Wysopal from @stake suggested we put pressure on software manufacturers to write secure code. Where have I heard that before?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID126 by Dave Piscitello  


Wed, 03 Sep 2003 00:00:00 00, 115
Computer Forensics: neither science nor fad... yet

Mark Rogers offers an Op/Ed at the CERIAS web site, Computer Forensics: Science or Fad.


I'll cite several statements Rogers makes that I'm willing to debate:

  • "The private sectors' push to jump on the computer forensics bandwagon threatens to turn an evolving scientific discipline into a mere fad; a lack of standards and training can result in bad case law, guilty parties escaping prosecution and innocent parties being "railroaded" into incarceration."


    I don't have an axe to grind about forensic software: the haste-to-market mentality will inflict damage here as it has elsewhere. Moreover, I concede that software intended to collect and preserve the integrity of evidence ought to be designed according to standards, to assure that what is collected will indeed satisfy chain of custody, rules of evidence, and law enforcement guidelines. And I concede the obvious: some forensics software will be lousy, and the poor souls who use it will taint evidence. But I find Rogers' implicit conclusion disturbing (don't let them develop software), so ask:

    Should we abandon research and development, albeit in a market economy rather than academic setting, and wait for standards?

    I concede as well that even excellent forensic software, in the hands of someone who is not a forensics expert, can result in sorry outcomes. I suspect the frequency of incidents of tainted evidence will be no different from the real world, where chains of custody and rules of evidence are subjected to human error, non-standard or inadequate tools and poorly designed or executed processes.

    We're in a sorry state, and government and law enforcement agencies are wholly unprepared to deal with the volume of computer incidents. I don't believe it's in the best interest of our connected society to handcuff the private sector.

  • "...there is no recognized professional body over-seeing any designations, no nationally or internationally recognized standards, curricula, common body of knowledge or training."

    And of course we need one. But, recognition (and certification) of forensic investigative skills by professional bodies isn't a panacea, and doesn't implicitly imply quality. Many outstanding security practitioners don't have formal recognition, yet these folks are routinely called upon by government agencies to assist in incident intervention. And I imagine that some certified investigators don't meet the expectations of those who employ them.

    I agree we need better criteria and more (private and public) funding for research. And who can argue against a common body of knowledge? But I think the notion of a unified approach rather than a community-engaged approach to education and training can easily stunt rather than enhance progress and improve competencies in this field. Judge for yourself: Internet research and innovation increased dramatically once Uncle Sugar turned the NSF infrastructure over to the private sector.

  • "Historically, computer forensics was restricted to law enforcement, the military or other government agencies."

    I hope the conclusion here isn't, "leave forensics in these competent hands". Even if they were supremely competent, I don't believe that forensic investigation should be limited to government and law enforcement agencies, any more than I believe that governments should escrow private keys.

    I confess that I have not spent time investigating the quality of tools and forensics investigators of a large number of government and law enforcement agencies, but I can't imagine every crime lab has the technology we see on CSI. I'm willing to bet that the Beaufort County, SC crime lab is a bit different from the agencies in Washington DC best known by their TLAs (three letter acronyms). But again, I'm disturbed by Rogers' implicit conclusion (don't let them practice), even when tempered by Rogers' plea that, "We need to increase our efforts to develop, a unified approach to education and training in computer forensics, a common body of knowledge, and increase empirical research. "

    I'm also curious whether computer forensics has truly been the dominion of government and law enforcement agencies. Surely, private computer forensics investigators have been around for a while?

  • "To continue to allow the field to "naturally" progress without the appropriate scientific rigor is a mistake..." and later, "Failure to do so will result in computer forensics being relegated to a "fad" conducted by amateurs, resulting in contaminated or lost evidence.

    It's not a mistake. It's a journey.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID115 by Dave Piscitello  


Tue, 26 Aug 2003 00:00:00 00, 110
Infrastructure Continuity Planning

Business continuity planning is an activity whereby an organization attempts to emulate the Energizer Battery Bunny: BCP defines what it takes to "keep running and running and running..." even when s--t happens.


We've seen ample evidence that U.S. utilities need Infrastructure Continuity Planning. Our power grids are antiquated and need an estimated $105 BILLION upgrade. Curiously, the power companies, which have been rock-solid, perennially dividend-yielding investments for as long as I can remember, give us every indication that consumers will bear the brunt of this financial burden.


Can it be that these companies have managed to let their infrastructures deteriorate decade after decade, while reaping consistent profits? Can it be that they've failed to earmark cash year after year to invest in the network upgrades on which their company's continuing existence hinges?


What kind of management teams have we here?


Wealthy ones...

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID110 by Dave Piscitello  


Tue, 19 Aug 2003 00:00:00 00, 107
Insider crime is harder to defend against than external attacks?

In his newsletter, Insider Attacks are a Thorny Problem, Mitch Kabay cites a Gartner {prediction | myth | perception} that by 2005, 60% of security incidents will be instigated or assisted by insiders. Mitch adds that "insider crime is even harder to defend against than external attacks".


The last time I cared to investigate this claim, I relied on the trustworthy - and likely more reliable - 2001 CSI/FBI Crime Survey, which reported that 68% of incidents were insider attacks, so either Gartner's overlooked some folks and factors in their research (ya think?) or security measures to prevent insider attacks are improving.


But I am curious whether insider attacks are actually harder to defend against, or whether organizations are, in general, way too lax in protecting assets. Actually, I'm not wondering any longer. I'm certain this is the case. Here's a quick list of reasons why I believe we are simply even more lame at protecting assets from insiders than outsiders:

  • Many organizations think perimeter firewalls are all (OK, 90% of) the protection they need, and they are overly permissive about what they allow outbound. Such policies allow attacks from inside hosts that have been compromised. For example, a trojan or rootkit has been installed on a client computer (it's likely it was delivered as a mail attachment). The trojan communicates back to the attacker over a TCP Port "f00". If the organization blocked all but approved outbound ports, this attack would have been thwarted. This is an outsider attack, facilitated by an insider.

  • Many organizations are too generous with access controls at servers. Groups authorization levels are implemented for convenience, and little auditing or control is exercised over the groups. Eventually, insiders without a need to know have access to sensitive information, creating temptation where there should be none (Eve's dilemma).

  • Many organizations don't audit interior networks. They can't distinguish rogue MAC and IP addresses from authorized ones, because they don't know their network.

  • Organizations are overly fond of single sign on. Being able to authenticate once is attractive. It's also a practical concession to our cultural inclination to circumvent security if it's inconvenient. But having single sign on doesn't mean that, once authenticated, an individual should have access to every asset in the corporation!

  • Too few organizations make use of proxy mail applications, split-DNS, and other measures that hide internal network information from outsiders. Attackers can gather lots of information about an organization's "trusted" networks from mail headers forwarded without modification from internal mailservers; similarly, they can learn a great deal about internal naming and addressing if an organization publishes these indiscriminately.

  • The same organizations that have permissive outbound traffic policies may use the nefarious ANY, as in "allow any traffic, from any source IP". With a little routing savvy, an insider can route entire subnets through a firewall so configured!

Like the Battery Bunny, I could go on and on and on...
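As an added example (not from the original post), the two firewall points in the list above, the permissive outbound policy that lets a trojaned desktop call home and the "allow any from any" rule an insider can route a whole subnet through, can be checked against a small first-match rule evaluator. The rule syntax, the 10.0.0.0/8 internal network, the attacker address 203.0.113.9 and the callback port 6667 (standing in for the post's port "f00") are all constructed for illustration; real packet filters carry more fields, but the first-match logic and the any/any lint are the same.

```python
"""Egress policy check for the two firewall points in the post above.

Added example, not from the original post. Rules are evaluated first-match,
the way most packet filters work; the rule syntax, the 10.0.0.0/8 internal
network, the attacker address 203.0.113.9 and the callback port 6667 (standing
in for the post's port "f00") are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination TCP port, None = any port


def _matches(cidr: str, ip: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
           default: str = "deny") -> str:
    """Return the action of the first rule matching the flow, else the default.

    The "deny" default is the default-deny outbound policy the post argues for;
    a permissive ruleset never reaches it because an allow-any rule matches first.
    """
    for rule in rules:
        if (_matches(rule.src, src_ip) and _matches(rule.dst, dst_ip)
                and rule.dport in (None, dport)):
            return rule.action
    return default


def lint_any_any(rules: List[Rule]) -> List[int]:
    """Indexes of allow rules that match any source and any destination.

    Such a rule lets a host on a subnet the firewall was never told about
    (one an insider routed through it) pass just like a legitimate client.
    """
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.src == "any" and r.dst == "any"]


# Constructed rulesets.
PERMISSIVE = [Rule("allow", "any", "any", None)]          # the nefarious ANY
DEFAULT_DENY = [
    Rule("allow", "10.0.0.0/8", "10.0.0.53/32", 53),   # internal resolver only
    Rule("allow", "10.0.0.0/8", "10.0.0.25/32", 25),   # internal mail relay only
    Rule("allow", "10.0.0.0/8", "any", 80),            # web (better: via a proxy)
    Rule("allow", "10.0.0.0/8", "any", 443),
]

# Constructed flows: a trojaned desktop calling home on port "f00" (6667 here),
# and a host on a subnet an insider routed through the firewall.
TROJAN_CALLBACK = ("10.0.5.17", "203.0.113.9", 6667)
ROGUE_SUBNET_HOST = ("192.168.77.5", "203.0.113.9", 443)


def report(rules: List[Rule]) -> dict:
    """Summarise what a ruleset does with the two constructed flows."""
    return {
        "trojan_callback": decide(rules, *TROJAN_CALLBACK),
        "rogue_subnet": decide(rules, *ROGUE_SUBNET_HOST),
        "any_any_rules": lint_any_any(rules),
    }


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("default-deny", DEFAULT_DENY)):
        print(name, report(rules))
```

Under the permissive ruleset both constructed flows are allowed and the lint flags rule 0; under the default-deny ruleset the callback is dropped because no rule permits port 6667, and the rogue 192.168.77.5 host is dropped because it is outside the 10.0.0.0/8 source the allow rules are written for.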

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID107 by Dave Piscitello  


Wed, 30 Jul 2003 00:00:00 00, 88
Deep Packet Inspection - Firewall Evolution or Creative Marketing?

Ido Dubrawsky's recent column, Firewall Evolution- Deep Packet Inspection, at SecurityFocus.com has me puzzled.

What constitutes "deep"? Ido claims, "With Deep Packet Inspection firewalls the IDS collapses into the firewall such that the firewall provides for in-line IDS capabilities."

The term *deep packet inspection firewall* has a Star Ship Enterprise connotation. It suggests that this radically new security system goes where no firewall has ever gone before, into the brave new world of application headers and data (Ido refers to application payload, but malformed application headers certainly qualify as "deep" as well).

This is only partly true. Many firewalls provide IDS capabilities. All the ones I'd purchase do. And the good ones expand inspection capabilities every release. And the oft-overlooked and much maligned proxy firewalls inspect application headers and data and so much more!

It's not whether a firewall provides in-line IDS or not, but how thoroughly (and extensively) it provides intrusion detection and blocking. Does it have a vast and constantly updated attack signature database? Does it distinguish anomalous and potentially malicious traffic from normal communications?

Deep. Deeper. Deepest! Ooooooh, it must be better.

"...let us not go to Camelot...it is a silly place..." Monty Python and the Holy Grail

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID88 by Dave Piscitello  


Thu, 03 Jul 2003 00:00:00 00, 79
Microsoft's "free" eBook downloads: not exactly...

CNET's News.Com reports that Microsoft is offering "free downloads of eBooks bestsellers over a 20-week period."

Kewl? Not exactly.

What the writer fails to mention is that Microsoft is essentially leveraging on other organizations' eBook initiatives.

  1. A considerable portion of the free downloads Microsoft offers are ebooks available through the University of Virginia e-Book Library; I cannot be certain, but a casual browse through the fiction section suggests that 7-8 out of every 10 listings are at U of VA.

  2. Visiting Microsoft for U of VA library eBooks is an unnecessary level of indirection. Microsoft only provides the top level URL of the library, so even if you find a book you want to download at Microsoft's site, you have to search again at U of VA.

  3. There's no 3 book download limit from U of VA (presumably this applies to the 60 bestsellers at Microsoft?)

I appreciate that MSFT wants to attract attention to ebooks. And personally, I think eBooks are outstanding. But the company would serve the community and ultimately its own purposes better if they worked to promote ebook use in public schools (see eBooks for Education), donated to and hosted free eBook initiatives and fostered a benevolent relationship with the nascent eBook consumer market.

Well, at least I found the five volumes of the History of Rome by Titus Livius :-)

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID79 by Dave Piscitello  


Wed, 02 Jul 2003 00:00:00 00, 81
Security Advisory Regarding Symantec Security Check

If you run Norton AntiVirus (2003), you may have received an email on June 30, 2003 stating:

"A security advisory was issued regarding a potential exploit of an ActiveX control that is used by the Symantec Security Check Web site. (Symantec Security Check is a free Web-based tool that lets users test their computer's exposure to a wide range of online threats.) As part of running the Symantec Security Check, users may have installed an ActiveX control that remains on the user's system even after the check has completed.

"This ActiveX control contains a buffer overflow exploit. The buffer overflow can be exploited when the user with this ActiveX control visits a malicious Web site that is intent on exploiting this vulnerability. When exploited, Internet Explorer can crash and/or arbitrary code be executed on the user's computer."

Terrific. Symantec offers you a security auditing tool that leaves exploitable code on your host. Isn't this exactly the "develop in Internet time" behavior that security professionals beg vendors and web application developers to avoid?

What's Symantec's response? "Symantec has replaced the current ActiveX control on the Symantec Security Check Web site so that new visitors will not be affected by the exploit. Previous visitors to Symantec Security Check should revisit the site at http://security.symantec.com and run a new Security Scan. By running a new scan, the previous ActiveX control will be replaced by an updated ActiveX control that fixes the buffer overflow condition.

"For those users who prefer not to run a new scan, Symantec has created a cleanup tool to remove the ActiveX control. The tool is posted at:...

The absence of any statement of accountability, and/or the offer of any evidence that Symantec has tested the new web tool and cleanup tool more thoroughly than the original, is frustrating and troubling. Yes, the tool is free. Yes, you run it at your risk. But don't you feel just a little bit less confident about a vendor's ability to deliver reliable product after an event like this?

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID81 by Dave Piscitello  


Fri, 13 Jun 2003 00:00:00 00, 71
Microsoft, the AntiVirus Company: DOUBTing FUD

Microsoft announces they are entering the AntiVirus market and the fear, uncertainty, doubt - and paranoia - is unleashed.

FEAR! Should the major antivirus players close shop and find new products and markets? Will Symantec, Trend Micro, NAI, et al. fall by the wayside as TCP/IP stack vendors did almost a decade ago (does anyone remember FTP Software and its brethren? does anyone care?)

UNCERTAINTY! Will MSFT's AV product compete and conflict with my favorite product? Will this spur another decade of lame litigation and even lamer settlement?

PARANOIA. Ohmygod! Can't you all see that this is just another example of how Microsoft will control our collective minds and computers through its insidious Windows Update? We've got to STOP them!

For me, the buck stops at DOUBT.

Even if the consumer market embraces Microsoft's AV solution - a big IF indeed - I doubt Microsoft will satisfy the enterprise market for AV for a long time, if ever. Too much of Microsoft's orientation is "individual PC": in its current incarnation, Windows Update doesn't have the controls enterprises need to manage large user populations. There's also the AV gateway market, and coordination across desktop/gateway products. I'm betting that Symantec, et al., won't be shifting markets any faster than Philip Morris. Many people might choke on the notion, but there's an argument to be made that if Microsoft had not included a TCP/IP stack in Windows 9x, the consumer Internet would not have materialized. Ask yourself: what percentage of the consumer Internet population would install TCP/IP correctly? (Answer: about the same percentage as installs 3rd party IPsec software).

While we're talking about Windows Update, I think it's time to lighten up. For the average consumer, Windows Update is not dramatically different than A/V definition update processes. By and large, we're talking about an overwhelming majority of PC users who mostly shrug their shoulders when informed of the privacy implications, if they react at all. Be honest: when you venture outside the security and technology crew you hang with (please say you do this on occasion), do people talk about worries over Microsoft's intrusion on your privacy, or do they ask you how to Google?

I'm ready to concede that consumers want and need automated maintenance, especially when it comes to security. My colleague and friend, Marcus Ranum, ranted in response to the National Strategy to Secure Cyberspace that:

"If the feds want a CyberStrategy that really helps secure the critical infrastructure they should mandate and enforce use of personal firewalls and anti-virus capabilities on every Windows, Mac, and UNIX machine in the federal government."

I'll argue here that non-government consumers need A/V and PFWs just as much. Aren't the frequency of PC intrusions, DDOS and spam zombies ample evidence we just might need this?

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID71 by Dave Piscitello  


Wed, 11 Jun 2003 00:00:00 00, 65
SPAMmer tricks - The Privacy Policy Sleight of Hand

I occasionally examine the hundreds of blocked emails my Postini Anti-SPAM service quarantines. After 10 minutes, I always arrive at the same conclusion:

SPAMmers are truly invertebrates.

They'll resort to any sham or scam to convince you and law enforcement (such as it is) that what they transmit is legitimate. The latest thinly veiled excuse appended to SPAM is a trailer that suggests it's YOUR fault. Here's an excerpt from an increasingly popular SPAM trailer:

"Why was this email sent to you? At some point you registered or made a purchase on a Web site with privacy policies explaining that they may share your information with partners who will send you valuable offers from time to time. "

Notice that the message does not indicate that the sender is a partner of that web site operator, nor that the sender actually obtained your email address from that operator.

It's abuse, plain and simple. Forward it to whatever anti-SPAM service you're using and help stamp out SPAM.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID65 by Dave Piscitello  


Wed, 28 May 2003 00:00:00 00, 58
A questionable future for facial recognition?

USA Today and others reported today that a Muslim woman, Sultaana Freeman, is suing the state of Florida because the state insists she remove her face-covering veil for her driver's license photo.

I'm really torn here. I honestly believe this woman is entitled to her constitutional right to freedom of religion. OTOH, I think a photo where someone's face is nearly entirely covered isn't a very positive form of identification.

Extrapolate this situation to a future where we might rely on facial recognition as a means of authentication one must satisfy to gain entry to the workplace. If courts decide in favor of Sultaana Freeman, we may just have to accept retina scans.

Is there any recognized religion that requires followers wear dark glasses?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID58 by Dave Piscitello  


Sun, 18 May 2003 00:00:00 00, 53
AIMhol - information gathering as precursor to identity fraud?

More fuel for the "why I don't trust public IMs for enterprises" community.

A recent BUG-TRAQ posting describes a program, Aimhol, which collects AOL Instant Messenger screen names and "associated data" (postal address, hobbies, nicknames,...) by querying AOL's OSCAR/BOS servers with surnames randomly picked from a list of the most common surnames (helpfully provided by the US Census department). It can also generate random surnames.

What's remarkable about so many of these BUG-TRAQ posts is how many folks who break in and discover munitions-grade plutonium then ask, "what would one do with all these screen names/data?"

How about hijacking an employee's corporate IM identity, asking that a fellow employee open an IM file share, and, well... you fill in the rest.

No matter. Everyone will be making so much money doing business FASTER they won't notice the internal bleeding.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID53 by Dave Piscitello  


Fri, 16 May 2003 00:00:00 00, 52
Oxymoron of the day: "Moderately Critical"

The ISP-Planet Daily Newsletter for May 15, 2003 mentions a security advisory, DoS Hole Found in Linux Kernel, which "could potentially bring a Linux system offline with a rate of only 400 packets per second by using carefully chosen source addresses that cause hash collisions in the table."

IT security services provider Secunia describes the vulnerability as "moderately critical".
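As an added illustration (not from the blog, the newsletter or the Linux source), here is the collision-flooding mechanism described above on a toy table: a constructed, predictable bucket function that an attacker can solve for, beside a secret-keyed one that makes bucket placement unpredictable. The table size, the hash functions and the addresses are all constructed for the demo and are not the kernel's.

```python
import hashlib
import os
import struct
from collections import Counter

BUCKETS = 4096  # constructed table size; a power of two so masking picks the bucket

def ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer."""
    return struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]

def unkeyed_bucket(saddr: str, daddr: str) -> int:
    """Toy, predictable bucket choice (hypothetical, not the Linux code): XOR the
    two addresses and keep the low bits. Anyone can compute inputs for one bucket."""
    return (ip_to_int(saddr) ^ ip_to_int(daddr)) & (BUCKETS - 1)

def keyed_bucket(saddr: str, daddr: str, key: bytes) -> int:
    """Hardened form: a keyed hash with a secret chosen at boot. Without the key
    an attacker cannot predict which bucket a given address will land in."""
    data = struct.pack("!II", ip_to_int(saddr), ip_to_int(daddr))
    digest = hashlib.blake2b(data, key=key, digest_size=4).digest()
    return struct.unpack("!I", digest)[0] & (BUCKETS - 1)

def colliding_sources(daddr: str, n: int) -> list:
    """Constructed adversarial input: n distinct source addresses sharing the low
    12 bits the toy mask keeps, so unkeyed_bucket() puts them all in one chain."""
    low = ip_to_int(daddr) & (BUCKETS - 1)  # XORs with daddr's low bits to zero
    addrs = []
    for i in range(1, n + 1):
        v = (i << 12) | low  # vary only the bits the mask discards
        addrs.append(".".join(str(b) for b in struct.pack("!I", v)))
    return addrs

def longest_chain(sources, daddr: str, bucket_fn) -> int:
    """Insert every source into the table and report the longest bucket chain."""
    return max(Counter(bucket_fn(s, daddr) for s in sources).values())

def compare(daddr: str = "192.0.2.10", n: int = 2000, key: bytes = None) -> dict:
    """Longest chain for the same crafted sources under each bucket function."""
    key = key if key is not None else os.urandom(16)
    sources = colliding_sources(daddr, n)
    return {
        "unkeyed": longest_chain(sources, daddr, unkeyed_bucket),
        "keyed": longest_chain(sources, daddr, lambda s, d: keyed_bucket(s, d, key)),
    }

if __name__ == "__main__":
    print(compare())  # unkeyed: every packet in one chain; keyed: a handful each
```

The lookup cost under the unkeyed table grows with every crafted packet, which is why a modest packet rate is enough; the keyed table keeps chains short no matter how the sources were chosen.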

Imagine the captain on board the Titanic expressing this euphemism: "ladies and gentlemen, we've discovered we have too few lifeboats to accommodate all the passengers and crew, a situation we believe to be only moderately critical".

This is a marvellous euphemism.

[We prefer to focus on the positive: While many of you will indeed perish, a fair number of you will survive!]

What interests me most is how the Linux community constantly pounds Microsoft for its poor record on security flaws and vulnerability processing/disclosure. I monitor bug_traq, and the list of flaws and exploits reported for *nix OS's, library addins, and server applications is pretty long...

Sure, MSFT deserves a lot of the criticism, but I find the *nix community to be too often two-faced when they should be shame-faced.

People who live in glass houses...

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID52 by Dave Piscitello  


Tue, 13 May 2003 00:00:00 00, 48
IIS web admins, take the initiative

Something I shared with Marcus Ranum earlier today...

If you're a business that knows that the overwhelming majority of your visitors use Windoze... and the majority of your 404 errors emanate from *NIX hosts:

  • Incorporate nmap OS fingerprinting into your web service;

  • Scan the IP addresses of clients that attempt to access your web site to detect the type of remote operating system making the request; and

  • if the client isn't running a windows OS, don't complete the connection!

There's probably a whole host of custom 403 and 404 error messages you could compose. You may not accomplish much more than e-venting your spleen, but hey, isn't that oh-kay?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID48 by Dave Piscitello  


NW NEWSLETTER on Honeypots - only part of the story!

The 5/13/03 issue of NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY presents the first in a series on honeypots (definition).

It's largely accurate, with IMO one serious and worrisome omission. The newsletter did not mention that honeypots must be deployed in highly controlled environments, where the appearance of compromising a system(s) is maintained, but the actual damage and propagation is carefully contained. This is especially important in production honeypot deployment, and will become increasingly important to research as litigation is directed not solely at the attacker but at the organizations who facilitate attacks through their negligence and failure to meet "best practices".

If you're interested in honeypots, you might want to read the column I wrote on honeypots for Watchguard a while back.

You should also investigate some of the extensive honeypot materials at the Honeynet Project.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID49 by Dave Piscitello  


Sat, 10 May 2003 00:00:00 00, 45
Peer to Peer Applications - Deja vu all over again?

I wrote a BCR column a while back about the vulnerabilities, risks and liabilities, known exploits and limited countermeasures you can currently take to protect your organization against abuse through peer to peer applications, including the instant messengers that go beyond text messaging. I also wrote a column on Blocking IMs, so you can safely assume I'm not one of the folks on the recent bandwagon to leverage these for business purposes.

A colleague, Johna Till Johnson, gave an evangelistic presentation in favor of IMs at Networld+Interop. Johna made many compelling statements, but I'm still skeptical, and here's why...

Like any application that begins life as general consumption software, security provisions - well-conceived authentication and authorization models, secure coding, and more - are, well, absent. All the retrofit attempts to make P2P apps, from the IMs to the music, er, file-sharing P2Ps (pick one...) enterprise ready are well-intentioned, but ultimately, they make the enterprise the center of an administrative domain. This is, of course, fine, if you only want to solve an intra-enterprise problem, or if you want to be the root P2P administrator for all file sharing across a multi-enterprise domain (and I bet dozens of F100 IT departments are just begging for this opportunity, just as soon as they complete their multi-organizational PKI rollout).

Then there's the minor issue of weaning your employees off public IMs and P2P apps.

While someone tries to solve this problem, I'll continue to separate my work computers from my family computers, where IM thrives, with interdepartmental firewalls.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID45 by Dave Piscitello  


Tue, 06 May 2003 00:00:00 00, 38
Daytime running lights...

DRLs are more than a distraction. What puzzles me:

  • Some auto manufacturers use high beam head lamps, so how do you know when someone is flashing high beams at you?

  • DRLs are hard to distinguish from, um, head lamps. How can you distinguish cars in a funeral procession from heavy traffic?

  • Why is it that DRLs are on whenever the car is running but you have to turn tail and other (e.g., fog) lights on manually at night?

  • Did you know DRLs increase gasoline consumption?

Googling led me to the Association of Drivers Against DRLs. It's remarkable that a sufficient groundswell of people who hate DRLs have gathered to express their disdain. The real kicker to the story is that they have a page devoted to explaining how to disable DRLs!

Don't you love freedom of expression and the web? Wouldn't Emerson love the social activism?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID38 by Dave Piscitello  


eBooks for education?

Many school districts encourage laptop purchases for middle and high school students. Some federal funding is available to assist those who can't afford $1000 or more for a suitable system.

On the surface, this sounds like a terrific idea - our children are immersed in the Technology and Internet Ages. But dig deeper and you find several disturbing trends. Many educators haven't fully leveraged computers as the means of providing information access and as teaching and learning aids. As a result, the laptops are under-utilized. Worse, the children are saddled with the burden of carrying 10 pounds or more of laptop and equipment (power supplies and peripherals) as well as their text books and notebooks.

Some students are carrying infantry payloads to school and back. Pity the band members and athletes, who carry second and even third packs. While opinions differ on the extent to which children are injured carrying or wielding backpacks, common sense should tell us that there must be an alternative to sending our kids to school hauling 20%-40% of their body weight.

eBooks - or handhelds (Palm, Pocket PC, a.k.a. personal digital assistants, or PDAs) with equivalent reader applications - seem to be one answer. They are a fraction of the weight and expense of laptops (and books). Very good quality handhelds can be had for under $200, a fraction of the cost of a laptop. And they solve the weight issue nicely. A compact flash card can hold dozens of text books, and weighs about an ounce.

Many handhelds can be connected to school LANs and used for downloading text and lesson books. Handhelds can also be used to exchange email, messaging, scheduling and calendaring, and mostly text web access. They can be synchronized with the desktop computer that most families already own. Families with limited budgets can own both a handheld (or two, or three!) and a home PC for the same price as the average laptop (do the math). The emerging generation of handhelds also supports cellular phone services.

The stumbling block is all in the processes, not the technologies:

  • Educators must be willing to invest time and talent into migrating curricula from a primarily text book to ebook orientation

  • Publishers must establish reasonable pricing models for ebooks of text books.

  • Handheld manufacturers must consider the value of offering some "ruggedized for school age" models, at competitive pricing.

The immediate reaction of publishers to proposals such as these is how they protect (digital) copyrights. This is such an annoying, debilitating posture. Establish reasonable per student licensing models that take into consideration the dramatic reduction in cost to deliver ebooks versus printed books, and also take into consideration the "amortization" schools would typically leverage by using the same printed text books over several years.

Cost models that yield a profit model for publishers, save school districts money, offer an enhanced learning experience, and allow students to walk erect can certainly be derived by folks who do such things for a living.

I would be delighted to see my children carry a one pound device to school instead of a thirty pound back pack. I'd be even more delighted to see their learning experiences enhanced.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID36 by Dave Piscitello  


Wed, 23 Apr 2003 00:00:00 00, 16
Corporate Speech: Why can everyone claim to be the "leading provider of "?

I love National Public Radio, especially Talk of the Nation.

I heard a terrific program on TOTN on April 24, 2003, Corporate Speech and Advertising, where the panel discussed the extent to which the speech of corporations is protected by the US Constitution's First Amendment and asked, "What's the difference between commercial and political speech? Why are corporations protected by the First Amendment?"

Clarifying what commercial speech is, and what companies may say and not say, is important to the US Supreme Court because it believes it has value in maintaining an informed public.

No argument here, but wouldn't it be nice if we could have a universal metric that (especially) technology companies must apply and satisfy before they can claim they are the industry leaders in "whatever"?

Listen to the program online, and support public radio.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID16 by Dave Piscitello  


WebLog software: Promise or Hype?

My weblog is developed using Blog, the best of an impoverished lot.

Perhaps my criteria for weblog software are too high a bar for desktop content management software. I thought not. All I wanted was to:

- Host my weblog on my own server.

- Use WYSIWYG to the maximum extent possible.

- Easily import existing content.

- Create re-usable templates.

- Subject my server and content to minimal if not "zero" exposure and compromise. Develop content in a Windows environment.

- Accomplish this without paying several hundreds of dollars for an enterprise CMS.

Taking the trial download route, I began with Radio. Hosting on my own server meant providing FTP access from a Userland.com server. I know nothing about how Userland manages and secures their site. No thanks. I dismissed the various web application tools from Blog and WebCrimson for this reason, as well as for the constraint of having to maintain my Weblog on the web.

(Ugly) prior experiences convince me that saving a copy of your registry before you try a half-dozen downloads and restoring this saved copy after you remove these programs is A Good Idea.

City Desk claims you can put up a site in 10 minutes. This claim is accurate, if you don't want to develop your own templates. Template development isn't rocket science, but I found the WYSIWYG editor sadly lacking - at this stage of HTML editing, how can anyone offer an editor that doesn't allow font selection? I also found importing then previewing images unwieldy, especially when you modify the image in any way (height, width, ALT tag). Ultimately, if you want to customize with City Desk - anything from tables to cascading style sheets to new frames - you must do so using the HTML editor, which is disappointingly more like Windows NotePad than an advanced HTML editor.

I next tried eZpublisher. I'm still waiting for the registration key...

I moved on to Blog. Blog's about as straightforward as they come. The supplied templates are better than "make do". The ftp upload is convenient. I still must use HTML or style sheets, but at least the editor highlights markup language. At the very least, Blog meets the minimum criteria - and you can't argue the price.

Find Blog at http://www.farook.org/ - perhaps the most heart-warming aspect of Blog is that the author has developed it as care-ware, a Pay It Forward kind of software: pay for it by caring about the people around you - how can you not love this guy? If I haven't persuaded you, join the GroupHug mailing list :-)

I didn't try any of the PERL- and MySQL-dependent blog software for the simple reason that they are, well, dependent on software I don't want to run (especially MySQL).

If you want broader coverage of weblog software, visit

http://www.microcontentnews.com/articles/blogware.htm

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID1 by Dave Piscitello