October 31, 2005

Thoughts about OS Security

I came across an interesting read on Operating System security today which reminded me of a conversation that I had last week with some folks who make a product called Trustifier. It's a cool product, and I got permission from the gentleman I spoke with to mention it in this forum for folks that haven't seen it.

Basically, it's an enhanced-security Linux distribution much like SELinux, but with the added benefit of being maintainable. If you've ever tried to use SELinux, you probably know what I mean by that comment - if not, imagine a trusted-computing-base (TCB) style of protection like the one Trusted HP-UX provides, but on steroids. Anyway, anyone who's ever "bricked" a server by having the root password time out on one of these systems knows what I'm talking about when I say that these types of systems are difficult to maintain... Googgun (the folks that make Trustifier) are right on the money in their contention that the TCB, SELinux, etc. are too difficult to maintain to be commercially viable in the long term. Their goal is to take the same services and make them easy to use. Good goal. I haven't used the product so I don't know if they pull it off or not. Sounds good though.

My advice is for folks to keep an eye on this product. From my vantage point, this is something useful provided these folks can pull off their claims.

Posted by Ed at 08:57 AM

October 28, 2005

Climactic Third Act Duel Begins After Intermission

The security industry is in for some turbulent times. We're gearing up for a fight to rival the last 20 minutes of Return of the King (you know, where the good guys fight the baddies in front of the Black Gate of Mordor.) Everything is in place and the troops are lined up: on the one side we have the scattered resistance fighters: academia, security researchers, the security press, bloggers, etc. On the other we have the vast and "unbreakable" legions of the seemingly all-powerful Oracle.

The situation is just about to come to a head. In the past two days, we've had published academic papers describing the trivial nature of breaking Oracle passwords, and we've had chaos ensue related to the "patch maelstrom" put out by Oracle. All while we can still hear the steady and unwavering pounding of David Litchfield's war drums as he says things like:

"That was the last straw... I was extremely disgusted and upset, and I think their customers should take umbrage too. Oracle needs to re-address their security philosophies -- their understanding of what security is and what it means."

But still Oracle's propaganda machine rolls on. Highlighted in the security section of the Oracle website is an OTN interview with Mary Ann Davidson distilling Oracle's position in the following words:

Davidson: Oracle continues to look at innovative ways to prevent security faults in software development, and remediate these prior to product shipment. For example, we have done security-specific code reviews focused on finding and eliminating the most common security faults, and we are exploring a number of source code scanning tools. We are also rolling out a comprehensive class on secure coding practice.... Oracle remains second to none in its commitment to secure product development and market-leading security features... Oracle augments this with a formal secure development process, secure coding standards, worldwide training on secure coding practice, exit criteria for security for each product release, and product assessments (ethical hacking) performed by both internal personnel and selected external firms.

Mark my words: this situation is about to erupt; and when it does, there will be heavy casualties.

Posted by Ed at 02:56 PM

October 27, 2005

I'm not a conspiracy theorist, but...

...there is something to this whole "problem with the voting machines thing." A friend of mine forwarded me a link to the Columbus Free Press article about the Bush/Kerry election. The Free Press maintains that the election was "stolen" - personally, I think that's a bit much. But what can't be disputed is that the eVoting technology is, from a security perspective, wholly inadequate.

OK, OK, I can already hear the objections: "Isn't the Free Press the same outlet that has a front-page picture of Bush flipping the bird and text that reads 'Bush Salutes America?'" Yep, same place. They are unquestionably biased - no doubt about that. However, I'm more interested in the GAO report that they reference. Since it's not referred to in the article by name or document number, I'm assuming that the GAO report they are referring to is GAO-05-956, "Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed." This is the only election document published in the last 6 months, so it has to be the one.

Basically, the GAO validates the points that security folks have raised all along: that these systems do not meet even the most basic security requirements; the audit capability is lacking (if not missing entirely), the development and testing processes are opaque and unvalidated, the vendors have no accountability, the processes are undefined, and there's no oversight. I'm not one to recommend reading long government documents, but this one is worth the read.

Posted by Ed at 01:45 PM

Thoughts about Security in Grid Computing

Yesterday, I came across some text from the folks at Illuminata discussing the future of grid computing. Diana and I talked about it some (she had heard about it before me), but I was having a hard time getting my arms around the concept. At first I thought it was some completely new, magical thing that was totally revolutionary in the computing world... until it dawned on me that we were really talking about SETI@home.

Now I've used SETI@home in my day, so I'm not a bigot when it comes to the grid concept. What really concerns me, however, is the extent to which folks are (or are not) thinking about security in this new world. For example, if we accept SETI as the "grand-daddy" of grid systems, the amount of fraud, spoofed results, and other general insecurity that has plagued the system since the early days should be an indicator of what's to come. Not to mention the fact that SETI@home has security advantages that other grid applications won't have - with SETI, you're running one application (and one application only) - it's not dynamic, it doesn't change, it runs the same code today as it did yesterday. You're also using very well-defined pathways for data storage, for OS library usage, for interaction with the host system, etc. Depending on the grid application, this might not be the case in other scenarios.

I was curious about this topic, so I checked out some of the security research going on in grid computing, such as "Security for Grid Services," "A Security Architecture for Computational Grids," and "Managing Security in High-Performance Distributed Computing." There's been a lot of thought done here, but in my opinion, there's an elephant in the room: complexity. Complexity decreases security.

Every computing resource on the grid is now effectively running two general purpose operating systems instead of just one: the underlying OS and the grid application "substrate." The underlying framework can do almost anything an OS can do: accept incoming processing requests, authenticate users, delegate credentials, spawn new tasks, store data, etc. As security folks, not only do we have all the fun of defending the underlying OS from attack, but we have the new pain of defending the grid substrate. Not to mention the fact that these applications usually run on web services, which require an application platform that we have to secure.

Like an onion (or a parfait), these technologies build layer on layer; each new layer carries with it a whole new security paradigm. As such, the more layers we add, the more complex everything becomes. The more complexity, the harder it becomes to manage, to audit, and to secure. As of now, we already have a "complexity parfait" big enough to leave the most gluttonous of us begging to be excused; how many more layers do we need before somebody says "when"?

Posted by Ed at 11:22 AM

October 26, 2005

Wed. Night Humor: BBQ Sign Generator

Proving that he's more than just another pretty face in infosec, Atom Smasher has put together a really cool BBQ sign generator. Now them's good eats.

Posted by Ed at 06:11 PM

Quick followup to DHS post

I just noticed that Adam posted a cool, but different, Onion reference as well. Be sure to check that one out also.

Posted by Ed at 12:40 PM

New DHS Security Initiative


In a humorous take on the current security climate in this country, The Onion reports that trick-or-treaters this year will be subject to random bag searches by the DHS.

"Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of 'tricks' to extort 'treats' from unsuspecting victims," Chertoff said. "Such scare tactics may have been tolerated in the past, but they will not be allowed to continue this Halloween."

The Onion rules.

Posted by Ed at 11:47 AM

October 25, 2005

DNS Broken (still)

Just in case anybody's paying attention, the "Measurement Factory" put out a survey saying that DNS is still broken. Well, "broken" isn't the right word - more like "out of date." According to a survey of 1.3 million machines, a sizeable number run antiquated versions of BIND that have security problems in certain configurations. (The version string is what surveys like this, and attackers, read back from a server's version.bind CHAOS-class TXT record - one more reason to restrict or override that answer on your own resolvers.)

On a related note, how cool is it that they surveyed 1.3 million machines to determine BIND version?

Posted by Ed at 08:49 PM

October 24, 2005

More Cool FUD from Verisign

"Powerful secret forces..."


I think a septillion is just over a gujillion.

Posted by Ed at 05:46 PM

Long on bigotry, short on facts

This article from BetaDot came across my inbox this morning. When I saw the title, "Linux Vs. Windows Security: How About The Truth?", I was very interested. I think there's an opportunity here for someone to "crack the nut open." There are two camps out there: the "Linux is more secure" and the "Windows is more secure." Both are vocal, both have "independent analysis" to back their position (both paid and unpaid), and both have reasoned and considered arguments. I, for one, would like to see a definitive analysis on this topic. This article is not it.

This article claims to be about "the truth", but the content doesn't live up. In short, we don't have any "truth" - just opinion. There's no case built describing why one security model is better than the other, no facts, no tests, no analysis. Take this paragraph for example:

The general design of Linux gives it an inherited security boost. Where Windows looks like it was a little hacked together, a bunch of different ideas stacked on top of each other in attempt to make something that “just works,” Linux shows the true makings of a Unix-based operating system: proper user support and file permissions, all kinds of little applications all handled by different groups to keep the security policy layered and a kernel which doesn’t contain unnecessary bloat.

So according to the author, Linux is better because it has "proper user support and file permissions," because it has "little applications all handled by different groups," and because it doesn't have "unnecessary bloat." How do we know these things? For example, how can we quantify the amount of "bloat" in Windows vs. the amount of bloat in the average Linux distribution? It's not "self-evident" as this article assumes; in my opinion, the only way to tell would be analysis of the source code - which clearly hasn't been done here. Basing an opinion like this on anything else (such as the size of the distribution) is deceptive - last time I checked, XP was on one CD-ROM and Fedora was on four. Does that make Windows less "bloated"?

I won't even go into the different models of access control, but ACLs (as per Windows) are very different from permission bits (as per Linux) - each serves a very different purpose, and to say that one is "better than" the other really depends on who you ask. Ask someone who advocates simplicity of design, and you're likely to hear that the Linux model is superior; ask someone like DISA and you're likely to hear Windows is better.

Finally, the author's evidence of Windows' inferiority is based totally on subjectivity and opinion ("...Windows looks like it was hacked together..."). So, casual observation is our test criterion now?

All in all, this is not what I was looking for.

Posted by Ed at 10:01 AM

October 21, 2005

Verisign Overhypes SSL

This came in the mail a while back. Not email, mind you - the postal mail. At first, I thought it might be an invitation to join some kind of geeky security comic book crowd (the two do come together sometimes) - perhaps the Information Security United Multimedia Artistic Manga Association (ISUMAMA) or something like that.

But no. Instead, it's just more correspondence from Verisign overhyping their service. According to the ad, "evil Internet bandits" are threatening to attack our young heroine's website. However, what these dreaded bandits don't realize is that this person has obtained a certificate from Verisign and SSL will completely protect everything on her site.

Is it me, or aren't we as security folks trying to send the direct OPPOSITE message: that SSL isn't a panacea? SSL protects data in transit between browser and server; it does nothing about the application behind the certificate. Is it responsible to encourage consumers to assume that SSL will completely block any and all attacks from "evil internet bandits"? I, for one, do not thank Verisign for this marketing campaign. Security folks will recognize that it's not true, but the average consumer won't - instead, it will (albeit slightly) reinforce the message that SSL is enough and that encrypted web pages are somehow less likely to be attacked than unprotected ones.

Not to mention the FUD that concludes the ad. "You could be next..."

Posted by Ed at 01:34 PM

October 20, 2005

Interesting Take on Web-Based Worms

If you've been following the XSS worm stuff - both the whitepaper last week and the subsequent slapping of MySpace, you'll probably be interested in the Daniel Hanson SecurityFocus article discussing the evolution of web-based worms. He breaks down why he thinks this is an emerging trend, and where he thinks the trend will go. All in all, a recommended read.

Posted by Ed at 01:54 PM

October 19, 2005

Oracle: Physician Heal Thyself

I’m worried about Oracle. Last week, we had the open letter from David Litchfield and the responses to his letter. In my opinion, Oracle’s been getting “the slap” from a security perspective in the court of public opinion; as I’ve said before, I think they’ve been getting so much heat because their actions fall short of their own standard. Today Mary Ann continues the hypocritical trend by offering her perspective on how IT security should be approached in the federal realm. Removing the references to military history from the article, here are the lessons Mary Ann offers:

- Intelligence has value only if you act on it.
- A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.
- Interior defensive perimeters are critical.

I'm all behind this advice; I agree with it one thousand percent. However, what’s interesting to me is the extent to which Oracle itself follows (or doesn’t follow) Mary Ann’s advice. Of the three guidelines presented, it is clear that Oracle doesn't follow at least two.

I, for one, agree that intelligence only has value if acted upon; so then why does Oracle fail to act on the intelligence provided to it free of charge by the research community to build a better product? Researchers tell us, for example, that security vulnerabilities reported to Oracle can remain unpatched for years. They tell us that Oracle publishes security patches that don’t fully address the issues. It would seem to me that Oracle is not "using the intelligence"; Oracle seems not to heed its own advice.

I also agree that there is hubris associated with assuming enemies can’t break codes or ciphers. However, isn't there also hubris associated with assuming enemies can’t break a product? Their "unbreakable" campaign aside, Larry Ellison told us flat out that Oracle hasn’t been broken in 15 years. Again, researchers tell us it isn’t true. We’ve heard for example, that there are folks out there “tired of breaking Oracle because it's so easy." Oracle assumes that the product is unbreakable - just like the codes and ciphers Mary Ann points to. Hubris.

I don't have any insight on the third of Mary Ann's points insofar as Oracle's internal controls or "internal defensive perimeter", so I can't comment there. Maybe they're great at that... or maybe not. Either way, I have to question why Oracle is in a position to offer this advice when their own house clearly isn't in order on at least two of the three points.

People in glass houses...

Posted by Ed at 05:00 PM

October 18, 2005

Hoffing - The New Trend In Defacement

Everybody loves David Hasselhoff. And why not? His singing ability notwithstanding (which I've never heard so I can't comment on), most of us have seen and/or enjoyed Knight Rider, Baywatch, and (more recently) the SpongeBob SquarePants Movie.

Interestingly, there's a new trend among the hacker crowd: surreptitious injection of David Hasselhoff-laced content into otherwise "normal" messages such as websites, informational mailings, etc.

Personally, I love this. So also do folks over at "The Age" in Australia - they've reported several Hoff sightings or "hoffings" as it's been called and they've even gone so far as to ask him about it. Surprisingly, he was pretty good natured about it and actually viewed it as a compliment; go David.

Posted by Ed at 06:16 PM

October 17, 2005

My Hometown Dubbed "Bot Capital" of the US

The Princeton Packet, a local rag from central New Jersey, has this take on Symantec's numbers citing Princeton as "adbot central". According to Symantec, Princeton (my home town during formative years) accounts for 7 percent of the world's "bot" population; not so surprising until you realize that Princeton is a town of just over 14,000 people - or about .00022 percent of the world's population. According to the demographics, Princeton has just over 10,000 persons over 17 years of age - if all of them have at least two computers, the town still accounts for a few thousandths of a percent of the world's computing base at most. Clearly, not every home machine in Princeton is infected with adbots...

So what the heck is going on over there...

Posted by Ed at 01:50 PM

October 14, 2005

Wow, quick turn-around on the XSS worm...

Hey, remember that thing we were saying about the XSS worm and how it would be a problem in the future? Well, guess what - turns out that "the future" is now. It's been turned (already) into a worm that ripped MySpace a new one. Behold the future of malware; this is just the beginning.

Posted by Ed at 03:08 PM

iPod's Death-Token and the Mini-Cooper

I came across this via the Peter O'Kelly Reality Check this morning - Greg Matter : How the New iPod will lead to their self-extinction (eventually!).

I've been keeping my eye on the iPod since it has the wicked-cool connector to the Mini Cooper but I'm waiting for the whole process to come down in price before making the move. I hope this isn't bad news in that respect.

Posted by Ed at 09:57 AM

October 13, 2005

Cisco Totally Rains on our Parade

Diana ran the Security Curve stats through the Cisco ROI Calculator this morning. You could see the disappointment in her face when the ROI calculator (or "Grumpy" as we've nicknamed him) told us we're better off without the CSA:

“Based on the data you have provided, by investing $26,230.00 in Cisco Security Agent, you would save $0.00 annually and recoup your investment in Infinity.0 months. “

Infinity.0 sounds like a long time to wait to get our 26k back. Apparently, according to Cisco, 100% automation of the server/desktop patching process completely obviates any value that might be had from CSA. In our case, we use the default "autopatch" features of Windows, Sun, and Apple.

Posted by Ed at 12:17 PM

LSO - "Learn Security Online"?

I stumbled across the LSO or "Learn Security Online" site the other day. I happened to be reading the security newswire (sometimes I do this if I feel like I'm too alert early in the day), and their press release just leapt out at me because it was so different from the other cruft that you see on the wire. Granted, I did think that the LSO CEO arguing with Gene Spafford in his own press release was a bit strange, but I just thought "huh" and plowed through:

When asked what he thought of the comment made by Gene Spafford, professor of computer sciences at Purdue University ("Criminal justice programs don't have students steal cars or commit rape to understand what motivates criminals or how to stop them"), Joe replied, “Yup, he’s right. But those criminal justice majors eventually leave college and go to the real world. Then it’s just experience, and help from other professionals in the field, that teach them the ropes of investigating and prosecuting those types of crimes. Nearly 1/3rd of LSO customers are college students, and I take a lot of pride in knowing that they’ll be better prepared to work in the field because of LSO.”

Anyway, the upshot is that I read through the material for LSO. I've been trying to figure out who the audience is for this - if the audience is security professionals, I'm wondering how many people are going to pay to enter a track called "3l337" (Track 5) or "Ub3r h4x0r" (Track 4). If the audience is wanna-be hackers, I'm wondering who's going to pay 39.95 a month for membership. I'm wondering how much of a market there is here - LSO obviously has funding: professional graphics, PR, web design, software development, colocation, etc. I'm wondering what VC signed on the dotted line for a marketing plan that says "Course Offerings: 3l337 Track, Script Kiddie Track, Ne0phy7e Track, etc."...

Posted by Ed at 11:58 AM

October 12, 2005

Surprising New Way to Write Malware

And you thought you'd seen it all. Check out Wade Alcorn's Cross-Site Scripting Virus. I admit, I was skeptical when I first heard about it - after all, we're all accustomed to "writing off" XSS as being worthy of little notice. However, I've read this paper (you should too, it's short) and I think it's only a matter of time before someone writes a virus that actually does this.

The methodology works like this: the virus seeks out web pages that allow cross-site scripting and that store submitted content permanently - such pages are not so hard to come by; some wikis and blogs do this, but as we've seen, so do auction sites, chat forums, etc. A browser uploads a script containing code that, when parsed and executed by another browser: 1) causes the browser running the script to search around for more vulnerable servers and 2) uploads its own content to each newly located server. This is all cleverly done within an iframe, so the visitor sees nothing unusual. The key point is that the script runs in the victim's browser, with the victim's network position and session, so every reader of the infected page becomes a propagation vector. The upshot is that browsers hunt around looking for new servers to infect and the servers get new browsers started on the task.

I don't see any reason why this wouldn't work, and I think with refinement this thing could cause some serious nastiness. Mark my words - some folks will say it's not a virus (mostly AV folks, since they can't scan for it as of now), but it is. It replicates, it can deliver a payload (e.g. DDoS), and it will be pretty hard to stop once a good "host" product is found (like Movable Type, for example), since the fix lives in every host site's output encoding rather than in any one client. There weren't statistics in the paper on rate of propagation in his test environment, but that would be interesting to see as well.
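To make the "host" problem concrete, here is an added example that is not code from Alcorn's paper or from this blog. It models the one thing a persistent-XSS worm needs from a site: a page that splices stored user content straight into its HTML. The same page that HTML-escapes the content on output turns the worm's iframe and script into inert text. The payload, the page template, the host name `worm.example.invalid` and the function names are all constructed for illustration; the detector is a deliberately simple tag scanner, not a substitute for a real HTML parser.

```javascript
// Added example, not code from Alcorn's paper or from this blog.
// Models the "host" page of a persistent XSS worm: user-submitted content is
// stored on the server and rendered into every later visitor's page.
// Everything below (payload, template, host name) is constructed for illustration.

// Constructed worm-style payload: an iframe pointing at a second (hypothetical)
// host plus an inline script, the two building blocks the methodology relies on.
const WORM_PAYLOAD =
  '<iframe src="http://worm.example.invalid/spread.html"></iframe>' +
  '<script>document.forms[0].submit();</script>';

// Server-side page template; {{comment}} is where the stored content goes.
const PAGE_TEMPLATE =
  '<html><body><div class="comment">{{comment}}</div></body></html>';

// Vulnerable renderer: stored content is concatenated into the markup as-is,
// so whatever the previous visitor "posted" executes in the next visitor's browser.
// A replacer function is used so "$" sequences in the content are not interpreted.
function renderUnsafe(storedComment) {
  return PAGE_TEMPLATE.replace('{{comment}}', () => storedComment);
}

// Minimal HTML entity escaping for the HTML-body context. Every character that
// can open or close a tag or attribute is replaced, so stored content can only
// ever be text, never markup, regardless of what a previous visitor submitted.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened renderer: same page, same stored content, escaped on output.
function renderSafe(storedComment) {
  return PAGE_TEMPLATE.replace('{{comment}}', () => escapeHtml(storedComment));
}

// What a site operator would scan stored content or rendered pages for: elements
// that load or run code, inline event handlers, and javascript: URLs. Returns a
// list of findings; an empty list means nothing in the markup would execute.
// Limitation: a ">" inside a quoted attribute value ends a tag early here.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'frame']);
function findActiveContent(html) {
  const findings = [];
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1] === '/') continue; // closing tags carry no attributes or content
    const tag = m[2].toLowerCase();
    const attrs = m[3];
    if (ACTIVE_TAGS.has(tag)) findings.push(`<${tag}> element`);
    if (/\bon[a-z]+\s*=/i.test(attrs)) findings.push(`event handler on <${tag}>`);
    if (/javascript\s*:/i.test(attrs)) findings.push(`javascript: URL on <${tag}>`);
  }
  return findings;
}

// Side-by-side result for the constructed payload: the unsafe page carries the
// iframe and the script, the hardened page carries nothing executable.
function compareRenderings(storedComment) {
  return {
    unsafeFindings: findActiveContent(renderUnsafe(storedComment)),
    safeFindings: findActiveContent(renderSafe(storedComment)),
  };
}

console.log(compareRenderings(WORM_PAYLOAD));
```

Escaping on output is the fix that survives any payload, because it removes the characters the browser needs to see markup at all; the scanner is only there to show the difference, and a blacklist like it is exactly what a worm author would iterate against.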

Posted by Ed at 12:02 PM

October 11, 2005

David Litchfield - the fallout continues

The fallout continues over David Litchfield's open letter to Oracle. At first I wasn't sure that the community was going to pick this up and run with it, but it has. First, we have Cesar Cerrudo from Argeniss who posted to Bugtraq in response to Dave's letter. My favorite quote:

I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it's so easy ... most security researchers know about this and also the bad guys who are actively exploiting the vulnerabilities.

There's also the response from Alexander Kornbrust, who gives three examples of Oracle vulnerability management - none of them too flattering to the "big O". One of them, a remotely exploitable security vulnerability, has apparently taken Oracle 786 days to fix (790 now, since he wrote that on Friday).

The problem is not that Oracle has security vulnerabilities - every vendor does. The problem isn't even that it takes Oracle a long time to fix the problems - some software is harder to work with than others; Oracle has to support a lot of hardware configurations, so maybe we'd give them some slack if a patch takes a while. No, in my opinion, I think the problem is hypocrisy.

In my opinion, Oracle's mouth is writing checks that its actions can't cash. Clearly this is true with the "out of sync with reality" public statements made by their executives (e.g. Oracle hasn't been broken in 15 years), but I think the problem is broader than that. Take a look, for example, at the Oracle Security Alerts Commitment on their website:

"Oracle Corporation is committed to providing robust security in our products.
Occasionally, security vulnerabilities are found in Oracle products. Oracle makes every attempt to rectify these vulnerabilities quickly, yet effectively... As with any other major vendor providing a variety of software running on a variety of hardware in a multitude of configurations, Oracle cannot provide software security patches instantaneously though we do our best to expedite the patch delivery process. Any proven security vulnerability requires an in-depth investigation of the issues involved and a well-tested solution, both of which may take a considerable amount of time and effort.

In the Oracle Security Alerts, Oracle gratefully acknowledges the many individuals and organizations that bring potential security vulnerabilities to our notice prior to making these vulnerabilities public knowledge. These individuals and organizations work with Oracle to coordinate the distribution of resulting solutions to the general public."

To paraphrase, the Oracle promise is: patches that are tested, that are delivered as quickly as possible, and that represent a team effort between themselves and the researchers. I think what we're finding out is that Oracle fails by their own standard.

It's about dissonance:
- Oracle says they are committed to testing patches, researchers tell us that the patches don't work
- Oracle says they are committed to bringing patches out quickly, researchers tell us it takes years
- Oracle says they work with researchers to bring vulnerabilities to light, researchers tell us they are asked to take vulnerability content off their sites

We trusted Oracle, so no one wants to believe that the trust is misplaced. But when the dissonance becomes too great, we stop trusting and start getting angry. Dissonance between statements like "Oracle gratefully acknowledges the many individuals and organizations that bring potential security vulnerabilities to our notice" and Mary Ann calling the research community a "problematic bunch" is just too great to be able to sweep it under the rug.

Posted by Ed at 12:13 PM

October 10, 2005

Yahoo! chairman says Google sux

Typically, we over here at the Curve tend to stick to security news, but this article just screams out for someone to comment on it. In statements made by Yahoo chairman Terry Semel, he "belittled Google's efforts to expand", and said that Google is "following in Yahoo!'s footsteps." Some pretty harsh words...

Now, maybe I've missed something, but doesn't Yahoo use Google for search results? Granted Mr. Semel concedes that Google is better at searching (hence Yahoo's consumption of their results), but these comments sound very bitter to my ears. A quick glance at the ticker shows that Yahoo is currently valued at 34 dollars a share and Google is valued at 312 dollars a share. That seems like a pretty big difference; one could almost say that Google is "eating Yahoo's lunch". As far as performance goes, share price can be deceptive, but if you compare the Yahoo annual report with the Google annual report from 2004, you find that Google has a net income per share of $2.07, whereas Yahoo's EPS is $.67. No matter how you slice it, Yahoo's gettin' smoked.

So my question is this - are Mr. Semel's comments just sour grapes? If there's more to it than simple jealousy, I think he could make a more convincing argument by spending more time on what Yahoo's doing right and less time on how Google's doing it wrong.

Posted by Ed at 03:13 PM

October 07, 2005

Friday evening salute

For those of us who think the security industry has become much too serious recently, a brief Friday evening salute to the now-quiet Gobbles. Hated by most, his alerts always made me laugh, much like the "vendor notification status" excerpt below:


Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Posted by Ed at 09:02 PM

Ouch. David Litchfield's Open Letter to Oracle

David Litchfield's letter (entitled, "Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers") cuts like a scalpel. In my opinion, this one's a must read. Check out the full text or just take a look at the SC paraphrase.

He leads with a quote from Mary Ann and then tells a chilling tale about his experiences working to try to get Oracle software vulnerabilities fixed. Don't stop reading in the middle - make sure to read the last paragraph or so where he gets to the part about how Mary Ann is a "mouthpiece" and has "categorically failed". Ouch.

Posted by Ed at 08:58 AM

October 06, 2005

CME useful despite static from Trend

Some of you probably already know that CME - the Common Malware Enumeration - list went live yesterday. Anybody who follows malware research will appreciate the significance of this; the fact is that trying to figure out which malware is which is seriously problematic when different vendors call it different names and there's no unifying standard. Hopefully, this list will do for malware what the CVE list did for vulnerabilities. So, all hail the CME - it's a new era for sure.

But, of course, nothing's ever unanimous... Some folks over at Trend don't agree with the whole project and say that the CME list will just make everything worse. One wonders why, if this is the Trend position, they are spending time and resources to be on the editorial board.

Posted by Ed at 04:05 PM

Sorry about the index.rdf refresh

Adam's commentary the other day about RSS inspired me to update the antiquated default index.rdf template this morning. Sorry to anybody who has everything all of a sudden show up as unread.

On the plus side, we now proudly offer whitespace.

Posted by Ed at 10:37 AM

DHS to Vendors: "Build Security In"

Originally, I sat down to write this entry with the plan to make fun of the new DHS BuildSecurityIn site. But I'm not going to, because it's actually pretty good.

Here's the background: the DHS has partnered with Carnegie Mellon to provide a software security portal. Those of you that read this blog know that I've been pretty critical about the DHS - particularly when it comes to information security. However, even though I think the DHS does have some dirty laundry in their hamper, I have to give credit where it's due - and this site deserves credit.

For example, check out the "don't use strcpy" article. Yeah, you've probably heard about not using strcpy only about a gadzillion times, but this article isn't just more noise - there are references (and good ones at that), there are both positive and negative code examples, there are descriptions of the problem on a number of architectures, there are solutions for the most common platforms, and there are all sorts of mitigation techniques - all in under two pages. Score one for the DHS.

Another example - check out the source code scanning content. OK, granted it's from Cigital (maybe a bit biased toward one particular services set), but it's still really honking thorough and really honking useful.

Overall, I really recommend that folks check out this site. The DHS is trying to move us forward, and the fact that they are doing so without placing blame indicates to me that they actually have something real to say. While other folks blame researchers or blame the consumer, the DHS is trying to move us forward rather than pass the buck. Kudos to them for doing the community a noble service.

Posted by Ed at 09:58 AM

October 05, 2005

RIAA cracks down on the disabled and single-moms

Hey, feel like getting angry? Worth reading is Wired's take on the litigation activities of the RIAA. They're apparently "cracking down" on the criminal masterminds of digital piracy; namely: single moms, the disabled, and the elderly. Looks like Granny Crabtree's been downloading Jim Nabors hymns again - maybe 10 years on a chain gang will turn her off her wicked ways...

My favorite part of this is where they go after the disabled single mom for a million in damages:
"I don't even know how to download music," said Tanya Andersen, a disabled single mother from Oregon who lives on Social Security benefits. "The user names (they cite) I have never heard of."

Andersen is one of three single parents claiming to have been erroneously identified as an illegal music trader by a law firm representing RIAA interests, which is seeking more than $1 million in damages -- $750 for each of the 1,400 songs Andersen allegedly shared.

Posted by Ed at 12:35 PM

October 03, 2005

Purdy big words from the DHS

According to Andy Purdy, the DHS is ready to "git 'er done" in terms of ramping up the nation's cybersecurity posture. From PC World:

'A draft of a national infrastructure vulnerability assessment, including a cybersecurity assessment, should be completed within a couple of months, and the DHS Internet Disruption Working Group is working on a plan for Internet recovery after a major attack... The cyber division is also supporting efforts to push IPv6... the division is encouraging software vendors to create more secure products, and it plans to renew efforts to work with other agencies and private companies to identify the most significant cyberattack possibilities' (Purdy)

So, to sum up from this and other sources, the plan is:

- IPv6
- "Wargame-style" simulation exercises
- Get software/hardware vendors to reduce vulnerabilities (specific plan forthcoming)
- Hire a telecom guy
- Develop a disaster recovery plan
- Do a vulnerability assessment

The bottom two seem like good ideas to me, but lest we give the DHS too much credit, keep in mind that they were specifically mandated by executive order to be complete by 2003 and that we're still waiting for it to get done. Other than the bottom two, I'm thinking that the DHS plan has some major flaws. After all, do they think that they're going to get IPv6 rolled out across the US single handedly? Are they going to somehow get every software vendor to change the way they do business to fix software vulnerabilities? Clearly not. Call me a skeptic, but I'm disappointed in the DHS plan, no matter what the spin from the industry press.

In the aftermath of Katrina, after it comes out that the DHS knew for at least a year about the internal problems plaguing it, why are we still seeing a lack of clear, accountable, direct steps from the DHS? Continued statements about how disaster recovery plans, asset inventories, and vulnerability assessments are "forthcoming" do not inspire confidence - especially since these tasks are 3 years overdue. I've missed some deadlines in my day, but I think after being a year or so late (let alone three years), I'd start doing some major soul-searching on how things came to be in that state and I'd probably demand some accountability.

And the DHS hiring more staff to "coordinate"... It seems to me like they already have a bunch of people coordinating and not enough people getting work done... Setting impossible goals like "switch to IPv6" or "fix software vulnerabilities" doesn't help me sleep soundly at night - if the DHS can't get the simple stuff done like determining what systems they have deployed or figuring out their network topology, how can we believe they'll fix the big stuff like changing the nature of software development the world over?

Posted by Ed at 12:59 PM

VIA con Dios

Maybe you've heard about the VIA Strongbox challenge? Basically, VIA is offering a paltry sum to anybody who can break their product. So we've all heard that these contests are bogus, but what about this one? Let's investigate to see if it is also rigged... So you know I'm not making this stuff up, I'm pulling the details from VIA's own account of the proceedings:

In this particular challenge, VIA gave (initially) a time-limit of 1 hour for the "hacking" to take place. Since no details of the product and the architecture thereof were given to the challengers, breaking the product has to start with reverse engineering. As anybody who knows about reverse engineering knows, even setting up a debugger to start the analysis would take longer than an hour. As a result, VIA "graciously" extended the contest to last two days. I ask you: in the real world, will an attacker who has something to gain from attacking the product actually stop after two days and give up? Somehow, I doubt it.

Not to mention that the quality and quantity of the researchers was intentionally kept small. This was done in two ways: first, by having the contest open only to attendees of the Hack In The Box conference, the challengers numbered at most a few thousand. Also, the minimal prize money (5k dollars) ensured that, of those participants, only those with a desire to waste time would actually take part. So, at the end of the day, we have - what - 20 or so people trying to break it for two days? Guess what - that's not gonna happen.

So the contest is rigged... who cares, right? After all, who listens to this stuff anyway? Apparently, the press does. A Google search for "VIA strongbox challenge" (no quotes) yields 13,900 hits. Press outlets like "ComputerWorld" are covering this thing like it's legitimate news. In fact, ComputerWorld has no less than three stories on this particular event.

VIA made one hell of a coup - with absolutely no risk to themselves, they have gained a ton of media attention. Let's just hope that security folks out there have the sense to shun VIA until/unless they stop the showmanship and start actually backing up their claims.

Posted by Ed at 10:16 AM