Category Archives: Security

Microsoft Takes a Beating

An article called “Microsoft’s consumer brand is dying” by CNN points out that the software giant’s execution is no longer winning the market. They cite a blog from Ray Ozzie who says fit and function has been surpassed. This sounds right to me. Consumers often say they like the feel of Apple and Google better.

Then the article has this odd quote from an analyst:

“In this age, the race really is to the swift. You cannot afford to be an hour late or a dollar short,” says Laura DiDio, principal analyst at ITIC. “Now the biggest question is: Can they make it in the 21st century and compete with Google and Apple?”

I disagree. Apple and Google were not swift. Neither was first to market. The race is to the simple (smooth and sexy), not the swift. Ozzie is right, DiDio wrong.

More importantly, no one seems to be saying the race is to the secure. Microsoft used to get beaten up in the news for being insecure. Although they have done much to improve this, which helped them stem losses in the enterprise market, it appears not to be a primary factor in the fashion-fickle American consumer market, where simplicity reigns.

EDITED TO ADD: Tonight I spoke with students at Cal Berkeley and they asked me to explain this further.

First, let me give another great example of a latecomer strategy that is successful:

…interviews conducted by SF Weekly with several former Zynga workers indicate that the practice of stealing other companies’ game ideas — and then using Zynga’s market clout to crowd out the games’ originators — was business as usual.

Rather than comment on whether Zynga is right or wrong, my point is just that they are not in a race to the swift. Zynga apparently is making a lot of money and being successful with a strategy of being later but executing better.

Second, since they were students of political science, I emphasized that people underestimate the value of complexity. Consumers often say they like simplicity but they probably do not realize that this is inversely related to freedom.

The less you can adapt and alter an environment the less freedom you are granted. Looking at the spectrum of freedom in another context, democracy is complicated while a dictatorship is simple. It was at this point the eyes of my audience suddenly lit up, wide with excitement. I was gratified to hear:

Oh! I see now. I never thought of it that way.

Reducing complexity in one area can open up freedom to tinker in another area. Demand for simple interfaces is not hard to understand. But if the market for simplicity gets crowded then differentiation may next come from privacy or security, which Microsoft has actually made progress with lately. I still do not see speed to market as the race Microsoft has to win.

Rhinos Protected by GPS

Park staff in South Africa have installed GPS devices in rhino horns to help protect them from poachers. Rusty Hustler, head of security for North West Parks Board, explains:

“There are a number of alarms that can be programmed: one for excessive movement, so if the rhino starts running, and another that goes off if the rhino sleeps for longer than six hours, which is abnormal.”

An alarm also sounds if the chip goes outside of the area of the game reserve.

Poachers could jam the signal to obscure their location but this too would set off an alarm.
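As an added example (not the parks board’s own system), here is how the four alarm conditions described above could be evaluated over constructed tracker telemetry. Only the six-hour sleep limit comes from the quote; the reporting interval, the running and resting thresholds, and the reserve boundary are assumed values.

```python
# Assumed constants (not from the article): reporting interval, movement
# thresholds and a bounding-box stand-in for the reserve boundary.
INTERVAL_MIN = 30          # minutes between tracker reports
RUN_THRESHOLD_M = 2000     # metres per interval treated as "running"
STILL_THRESHOLD_M = 5      # metres per interval or less counts as resting
SLEEP_LIMIT_MIN = 6 * 60   # from the quote: sleeping over six hours is abnormal
RESERVE = {"lat_min": -25.50, "lat_max": -25.10, "lon_min": 27.00, "lon_max": 27.60}

def inside_reserve(lat, lon):
    """Bounding-box check standing in for the real reserve polygon."""
    return (RESERVE["lat_min"] <= lat <= RESERVE["lat_max"]
            and RESERVE["lon_min"] <= lon <= RESERVE["lon_max"])

def evaluate(samples):
    """Return [(minute, alarm_name)] for telemetry rows of
    (minute, lat, lon, metres_moved_since_last_report, signal_ok)."""
    alarms = []
    still_minutes = 0          # how long the animal has been resting
    sleep_alarm_sent = False   # fire the sleep alarm once per rest period
    for t, lat, lon, moved, signal_ok in samples:
        if not signal_ok:
            # No fix at all: jamming or a destroyed tag, so alarm immediately.
            alarms.append((t, "signal_lost"))
            continue
        if not inside_reserve(lat, lon):
            alarms.append((t, "outside_reserve"))
        if moved >= RUN_THRESHOLD_M:
            alarms.append((t, "excessive_movement"))
        if moved <= STILL_THRESHOLD_M:
            still_minutes += INTERVAL_MIN
            if still_minutes > SLEEP_LIMIT_MIN and not sleep_alarm_sent:
                alarms.append((t, "sleep_too_long"))
                sleep_alarm_sent = True
        else:
            still_minutes = 0
            sleep_alarm_sent = False
    return alarms

# Constructed telemetry: a normal report, a sprint, 13 resting reports
# (6.5 hours), a report outside the box, then a lost signal.
SAMPLES = (
    [(0, -25.30, 27.30, 50, True), (30, -25.30, 27.31, 2500, True)]
    + [(60 + 30 * i, -25.30, 27.31, 0, True) for i in range(13)]
    + [(450, -25.05, 27.31, 100, True), (480, -25.05, 27.31, 100, False)]
)

if __name__ == "__main__":
    for minute, name in evaluate(SAMPLES):
        print(f"t={minute:4d} min  alarm={name}")
```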

Rinderpest Virus Wiped Out

The BBC brings good news about the cattle plague (Rinderpest) virus — it has officially been wiped out. The virus has been blamed for widespread famine.

The World Health Organization (WHO) so far has declared only two diseases officially eradicated.

The first was smallpox caused by variola virus (VARV), which was in fact eradicated by application of cowpox. The second was cowpox or rinderpest (caused by the rinderpest virus — RPV). Smallpox had caused epidemics throughout human history with estimated death tolls in the 300-500 million range (as high as 10% of all deaths in the 20th century).

Although rinderpest was used to cure smallpox, on its own it continued causing mass death of cattle herds throughout Europe and Africa for centuries.

More than a third of the population of Ethiopia died in the 19th century, for example, after Italians introduced infected cattle from India.

Vaccination was hindered by conflict, lack of authority and perhaps even a lack of will among Europeans to address the destabilization of Africa (preferring that wealth accumulation be controlled from Europe).

The BBC article points out that the method used to test for and eliminate the virus had to be administered locally, which meant operating in uncontrolled environmental conditions and relying on non-professionals.

The test, which was developed with the support of the UK’s Department for International Development, was designed to be used by local people in the field and to give reliable results within minutes. It proved highly effective and the technology has been rolled out across Africa. This was particularly important in the later stages of the programme when pockets of the virus remained in war-torn areas of southern Sudan and Somalia. Dr Mike Baron of the IAH told BBC News that it had been too dangerous for outsiders to enter those areas. Experts, he said, would train locals – so called ‘barefoot vets’ – to recognise the disease and administer vaccines. They would work with nomadic tribesmen in the regions and vaccinate herds “on the move”.

This is hugely important for the security community to understand because it highlights how distributed and centralized systems of information can interoperate: two systems of thinking, if you will, one deliberative and controlled (follow the steps handed to you) and the other exploratory and creative (design the steps for others to follow).

The cost of infection was extremely high, as 70% of cattle infected would die. This surely gave the incentive for tests and vaccines to be taken seriously. It also probably is what enabled the broad collaboration across systems despite national, religious and ethnic diversity.

…to begin with [in the 1960s] there was little to no co-ordination. Individual countries and groups of countries would attempt to vaccinate cattle, suppressing the disease for a while. But it would then re-appear. Progress was only made [in the 1990s] once large unified projects were established to tackle the disease.

A dedicated global campaign, combined with local administration, was necessary for eradication.

Conflict in Ethiopia and Somalia in the 1980s was the main obstacle to the vaccination campaigns but there were other problems too. UC Davis has an excellent write-up about issues of trust, competition and complex economics that were overcome by an Ethiopian scientist in America armed only with an elegantly simple and stable test and vaccine.

The new vaccine proved amazingly powerful in protecting cattle, even when they were injected with 1,000 times a fatal dose of rinderpest. And it met all of Yilma’s criteria for simplicity and heat stability. Requiring no syringes or needles, the vaccine could easily be scratched onto the neck or abdomen of the animal, producing sufficient immune response to ward off the rinderpest virus. Later, the herder could just peel the scab from an animal’s immunization site, grind it up in a saline solution and, from a single calf, have 250,000 additional doses for future vaccinations.

What happens next? Here is an interesting side-note in the NYT:

Still to be decided is how much virus to keep frozen in various countries’ laboratories, along with tissue from infected animals and stocks of vaccine, which is made from live virus. Virologists like to have samples handy for research, but public health experts, fearing laboratory accidents or acts of terrorism, usually press to destroy as much as possible. The smallpox virus is officially supposed to exist only in two lab freezers, one in Atlanta and one in Moscow.

This brings me back to the Italian invasion of Ethiopia. Rinderpest has been associated with wars and invasions, arguably introduced as a form of biological warfare. The first Italian invasion of 1888 destroyed the capital and the foundation of social relations in the Horn of Africa by killing 90% of livestock. Rinderpest also was followed by smallpox, but the complete collapse of food sources intensified local disputes and withered resistance. Anyone who wonders whether Italy could have had this role need only look to the second Italian invasion in 1935, which involved heavy use of mustard gas, tear gas and other agents as well as the bombing of field hospitals.

Was rinderpest unintentionally carried or sent as a strategic weapon? Rinderpest is still listed as a “biological warfare” agent, so keeping it in Atlanta or Moscow seems like an incredibly high-risk practice.

12-yr Old Finds Mozilla Security Flaw

I remember in the late 1990s when people made fun of the Microsoft certification program because 12-year-olds were passing the MCSE test. That was a measure of what kids saw as the future career path, and they were mostly right. Today the measure of success has shifted to security bounty programs, as reported by the San Jose Mercury News. I see attempts made to portray a 12-year-old bug hunter as brilliant:

“Mozilla depends on contributors like these for our very, sort of, survival. Mozilla is a community mostly of volunteers. We really encourage people to get involved in the community. You don’t have to be a brilliant 12-year-old to do that,” [Brandon Sterne, security program manager at Mozilla] says.

[…]

Alex is virtually self-taught, says his mother, Elissa Miller. Reading his parents’ very technical books is not an assignment, it’s something he just does; and he understands them. He has a “gift for the technical,” Elissa says.

The story mentions that it took only 900 minutes of testing (15 hours) for Alex to find the bug he reported. He received $3000, so that’s $200/hour by his own estimate. This probably does not account for all the times he sent in bugs before he found the right one, or the time taken by Mozilla to tell him why and how those did not qualify. Even at four times slower it is still a good rate for kids. The bounty program is, in short, offering very well-paid training to find security bugs…which can be found by virtually anyone. Rather than call this an act of brilliance (as some also tried with the MCSE tests), we could call this further proof that the barrier to finding security flaws is actually quite low.

Companies that want to raise the barrier should invest in security management up to the executive level who will not let software go to market without passing a rigorous test. Apple just released a program to the web that did not prompt for the old password before allowing a new one to be created. This unbelievable mistake was said by some to be a result of “beta” status. Let’s get real. Apple security just played its hand — if you are watching this game you can now confidently say they lack the desire or capability to stop serious security bugs from going to market. They can’t even find the little ones.

Compare with the HMS Astute, which just ran aground. Even the most sophisticated systems have errors, but a day after the incident the Royal Navy started talking about a court martial and criminal proceedings for the captain responsible for those errors. Until that level of seriousness is given to software, you can very well expect everyone to be capable of finding and turning in security flaws. It is not only how brilliant attackers are but also the liability of defenders that gives a measure of security maturity and management.