Category Archives: Security

WMF Update

I guess this is one of those moments where I get to say thank you to those who were the true early responders. Thanks to you I was able to make an accurate as well as timely estimate of the risks and I helped many others take early preventive action. Feels good to have provided a useful service that lowered risk way ahead of the curve.

With that in mind I just received confirmation directly from Microsoft that they have been working on ISPs to block or even shut down sites known to be hosting the WMF exploit code. They also said that a patch may be possible prior to Tuesday, but that doesn’t honestly impress me much since it’s already Thursday, Jan 5th and the hole has been on our radar since at least Dec 28th. I’m not going to look a gift horse in the mouth, so to speak, but we practice defense-in-depth because a patch from the vendor is just one of many controls that need to be in place. Patching a few days early would be great, but I have been holding most systems out from hexblog (except in isolated cases) because of the perceived higher value of rolling thousands of patches cleanly with no side-effects. Risk and trade-offs, eh? So far so good.

MS also mentioned that their security team is trying to put together a list of sites to block. Well, I think many of us have been doing that ourselves since the 28th as well as monitoring traffic based on a set of open-source rules available since the 30th. So I welcome the update from MS, but my guess is that they are tapped into the same sources we are and will just add polish to an otherwise excellent effort by the security community at large. Not so much a value-add as a, “really, you too, no kidding?”

And that just reminds me of the early 1980s when Gates was famous for railing against the BBS operators and public disclosure forums as wasteful amateurs who were harmful to the market. He might want to take a moment and apologize (or maybe even donate to open-source efforts like snort) since it is exactly these community and non-profit forums that have been most helpful in protecting our Windows systems from disaster these past two weeks. Thank you to those who provided the real alert and have been working on this with me in advance of our “official” meeting with Microsoft today.

I had some other questions for Microsoft that they seemed unable to answer, but they said the security team will be calling me back to discuss further. In a nutshell, they’re getting ready to issue a preventive control update, but at this point we’re up to our eyeballs in preventive controls and need to validate the detective end of the spectrum to assess the success of the patch. Trust, but verify, right?

Oh, and I have to admit that we have one confirmed case of One Care cleaning the WMF exploit from a test system, which is very heartening, but I also have to say that the discussion immediately afterwards turned to “Have you tried Vista? No you should test it. No way man, you should test Vista. Not me, I just bought a Mac, you test it…”

Countries have no justification for secrecy

Every once in a while I read the Economist. I used to be a loyal follower through the early 1990s, but I noticed some slight editorial changes towards the end of the millennium and lost interest. Instead, I drifted back to the library where I would grab ancient copies of the magazine, from the 1940s for example, read a few editorials and wonder “how could they have been so smart?”

Today I noticed an article that reminded me of the glory days of the magazine and it set me right down in my chair. It is called “The curse of oil: The paradox of plenty”.

I don’t mean to bore anyone with the details but it sets off with the suggestion that the discovery of oil, which is far more desirable as an export than anything else in a nation, can lead to development slow-downs, damaging financial turbulence, or even repression of freedom in a country.

Graham Baxter at BP says “the curse of oil is a problem that BP recognises, and we have a part to play in helping our hosts deal with this wall of dollar-denominated cash coming into their fragile economies.” But André Madec of Exxon says: “We don’t like to call it the oil curse, we prefer ‘governance curse’. We are private investors, and it is not our role to tell governments how to spend their money.”

Once you peel back some of the layers of free-market versus regulated-market debate, the issue appears to be whether those flush with cash should be authorized to see where their money really goes. Apparently many are starting to say that the books should be open to review. Does that mean they will really want what’s best for those receiving the money? A representative of the World Bank is quoted as saying “countries have no justification for secrecy”:

The push for greater disclosure is, he says, already leading to demands for greater transparency in the power, water and construction sectors. If push really comes to shove, natural resources may yet become what they should be for some of the world’s poorest people: a blessing.

Really? That seems optimistic, especially when the US Administration is still arguing that national security in a war (related to oil, if not for control of it) must be placed above the public’s right to know. And what guarantees are there, even from a pure market standpoint, that the Exxons and BPs of the world will actually give a whip about how the world’s poorest people make do? I think that’s a stretch, but you never know. Things do change.

Oh, and another thing: when was the last time that gas/petrol stations were willing to open their books to the public? I’d like to know how much of my money was going where (taxes, overhead, profit, etc.) so how do I go about getting that information? Come to think of it, I think I’d like to know why prices jump up so quickly on market news but take weeks to go down. Do energy companies have justification for their secrecy?

Will Galileo be secure?

I’ve been reading many of the Galileo reports and wondering where the privacy advocates are. For example this BBC report suggests all the amazing things that will come about when your every move in a vehicle can be pinpointed. I understand why some would argue that they should be able to pay more for faster routes, even if I disagree, and I can even get behind the suggestion that emergency services may be more effective with more accurate location data. But what about privacy? If you opt-in are you agreeing to give up any critical rights (like beverage marketing companies can buy your data and then send you spam/ads because you spent 10 minutes parked outside the MoonCoin coffee shop)? And can you opt-out temporarily to have different levels of exposure, or just to leave the “mapped” world, like the opening scene in the movie Until the End of the World?

This seems like a rather naive statement:

Drivers would use a small keyboard to enter certain parameters at the beginning of a journey, such as how many passengers were on a coach, or whether a lorry was carrying hazardous chemicals.

This from the country that tried to tax people based on the number of windows in their house and then found everyone bricking up the windows? Something tells me that it will not be sufficient to expect people to self-report if there is any doubt about risk, such as taxes or fees. In other words, the average driver will do what anyone might and say “what’s in it for me” even if they are told it is the proper practice.

This is a much more logical take on the uncertainties ahead:

It’s fine having a company process all the data from each country and tell you how much you owe; but if you get a bill for a road you haven’t driven on at a time of day you weren’t there, what’s the recourse for getting your money back?

Indeed.

Honey, please light the Ethanol

A design group has come up with the perfect solution for those people who want the appearance of a fire, while reducing the risk of poisonous fumes and the mess of combustion. It is called “EcoSmart Fire” to emphasize how smart it is to have an Ethanol flame burning in your house.

My first questions were, of course, what is the actual heat output of this thing and whether it is practical to assume a ready supply of denatured ethanol. Unfortunately this is probably the wrong approach to this new technology — finding a way to enhance the ambiance of a space already running on central heat seems to be the main point, with only a very basic level of practicality, safety, and sustainability in mind.

Nonetheless, I found that the FAQ says the flame can “produce 14Mj/h equivalent to 13000BTU”. Not bad for a small room. Come to think of it the average PC power-supply generates about 1500BTU to 2500BTU but even if you ran five or so PCs to keep you warm you would still be on the grid and you couldn’t “safely” burn stuff. On the other hand, if you live in more than a 500 sq/ft bungalow you might need to invest in a lot of small fires, which just begs the question of whether you can run these fires from a centralized control system to manage output, burn-rate, etc. or if you are just supposed to set up a fire on its own in each room, as the Victorians did.

The marketing blurbs claim this really uses a renewable energy as the source of fuel, but burning wood is like burning ethanol in that regard, eh?

In fact I read that Alaska’s Senate passed a law recently (bill 337) to promote creating ethanol by processing waste wood with fish parts. So the comparison must be intended for petroleum or natural gas based fireplaces, not wood fires. Is that a big market?

Come to think of it I’m wondering why someone hasn’t yet figured out a way for restaurants to recycle their own cooking oil into beautiful and fiery displays of ambiance. And if ethanol is actually available, then just mix it with the waste oil from food preparation and you end up with a convenient fuel for running your fireplaces as well as your vehicle…biodiesel.

America and the Con

While I was reading about the history of the Hart-Rudman national security commission (sometimes also known as Hart-Gingrich or the Hart-Rudman-Gingrich), I ran into an interesting Weekly Standard article (Issue 35, May 29, 2000) by Tom Donnelly. Donnelly was deputy executive director of the Project for the New American Century at the time. This is the same organization that has tried to make a case for the President’s search for WMD in Iraq as late as April 2005, so bear with me. (Note: for a more realistic conservative’s view of the WMD debate, check out the book “State of War: The Secret History of the CIA and the Bush Administration”)

Donnelly called his article in 2000 “Newt Gingrich’s Last Boondoggle” and he gave a fascinating look at the beliefs of the group that ultimately pressured the President into invading Iraq. Note that this article was published before Bush took the reins of the country by an order of a conservative federal Supreme Court, so the reasoning expressed in the article illustrates why/how Bush could have begun his term buoyed by the lofty dream of absolute US hegemony.

For example, Donnelly very harshly criticizes Hart and Rudman for arguing “that American strategy must ‘compose a balance’ between the goals of freedom and stability.” Donnelly suggests that trying to strike such a balance in the world would be meaningless as the concepts of right and wrong can be easily judged by America and the resulting policy would be one of struggle against evil, not some kind of compromise:

But in a world where so many nations remain ruled by dictators, liberty and stability are often at odds. How, for example, is the United States to “compose a balance” between liberty and stability in China? If stability reigns, so will the Chinese Communists. If America works to advance freedom in China, there will almost certainly be turmoil.

Make no mistake about it. That is a policy of destabilization meant to allow control of a country’s future by whomever is strong and big enough to fill the vacuum. It is the same means-justify-the-end argument used throughout the Cold War, coupled with the idea that it is far better to err on the side of right-wing economics than go for something undefined in the middle that might be susceptible to the left. Donnelly was arguing that the Cold War did not really end; it just changed a little and there was an adversary with a different flag. Thus his reasoning was probably that the US would be foolish to miss their opportunity to take a seat at the head of the table and assert themselves again as a moral authority through some kind of deontological ethics. He then indicates that no compromise or collaboration with other countries is necessary when you have the kind of superiority demonstrated by the success in cold war conflicts:

The report disavows the habits of leadership, power, and principle that unexpectedly won the Cold War. Alas for Hart and Rudman, these strategic habits may be hard to break—and since they made America into history’s “sole superpower,” some will wonder why they need breaking.

It is almost as though if you have been right once, you will be right again no matter what the situation. However, while the US might have “won” a superpower conflict when the primary adversary stood down, that does not translate directly into unquestionable control of the remaining geopolitical affairs. This is the crux of the mistake made by think-tanks like Project for the New American Century. The situation was not like one of the Rocky movies where a heroic fighter beats the odds and is left standing in a ring over the dispirited opposition. Quite the contrary, while one particular risk became lessened other high-risk security issues became more critical; threats and vulnerabilities changed so the overall risk equation shifted but still needed to be heeded. Even Tom Clancy’s writing was tapping into this philosophy by the late 1990s (Rainbow Six, Rogue Spear), which reflected that the military establishment itself could see engagements ahead would require a more indigenous, sophisticated and delicately balanced response than that of giant missile defense systems and Big Red One rolling over and occupying vast expanses of foreign territory. Goodbye John Wayne, hello Mr. Bond (or Alpha team), you might say.

The risk algorithms of national security and international relations were clearly evolving in a way that many, including Hart-Rudman, could see. So, by the summer of 2001, intelligence and anti-terrorism experts were literally yelling into the ears of the Bush Administration that Hart-Rudman’s recommendation of “a finer calculus of benefits and burdens” really would be necessary. Richard Clarke’s “roll back” presentation suggested a strategy for the US to strike right at the heart of al Qaeda training camps and put the terrorist group on warning in February 2001. Yet the Bush Administration walked away from the table announcing they were going to handle things the old-fashioned way, on their own timeline and without interference.

It really boiled down to the desire for a new policy founded on a concept of shared balance and co-existence versus the old policy of total elimination. Nuance versus hubris. Many suggest that the elimination policy group was bolstered by the events during the Reagan administration that led to the unexpected change in the policy of the USSR. But this “proof” of the policy had more to do with timing and admission of failure rather than the success of any direct assault or overwhelmingly powerful US strategy. Some could say that the US outspent the Soviets, but even that was hard to prove. It was like the countries were drag-racing and the US won because the other car ran out of gas or had a mechanical failure, but the Reagan administration walked away believing they were the better driver. Thus an elimination policy group formed and believed that unilateral leadership based on superior moral ground (like Kant’s categorical imperative) had won a war during their watch. Moreover, they believed that this success needed to be further capitalized upon or lost forever. Some were so caught up in this dream-like state that they were offended by any suggestion of uncertainty about the state of US supremacy. Lynne Cheney, wife of Dick Cheney, found the reality of geopolitical issues so threatening that she simply resigned from the commission in protest:

Cheney was unhappy with the suggestion that American power was bound to decline: “Emerging powers will increasingly constrain U.S. options regionally and limit its strategic influence. As a result, we will remain limited in our ability to impose our will. . . .”

The irony is almost too thick to avoid. The ex-Reagan administration member Cheney resigned because she could not deal with reality. The only alternative, impose her view on those who recognized the new security risks ahead, must have been unsuccessful and so she quit the team. It is only logical that she and her husband from that point onward were planning to deep-six the recommendations of the final report and knew what to do when it was handed to the Bush Administration in 2001. Incidentally, during the 9/11 events she was reported to have turned down the official debriefing from the anti-terror task force so she could hear the reports from CNN.

At the end of the day it was an uncompromisingly myopic stance of the Bush Administration coupled with the inability to process information about the real and present dangers to the country that arguably precipitated the ease with which al Qaeda staged their attack on 9/11 — Osama’s minions did not fit the image of what the Bush Administration, and the Cheney couple in particular, were willing or able to accept as a credible threat. They therefore not only fumbled the job of understanding risk, but they ignored and actively distanced themselves from the voices that tried to raise alarm before disaster struck. Like a heavy-weight fighter brushing off the idea that bar-room punches of a welter-weight were of any concern, the Bush Administration didn’t understand that the inauspicious new adversaries not only had motive, but the means to do serious and lasting damage.

In conclusion, and unfortunately for the US, a series of ill-conceived security decisions by the Bush Administration were made based on a tired and romantic view of a world that probably never really existed. Six years later the world is left to hope that the Bush Administration has started to realize, as Gorbachev once did, that the value concept of a giant conventional superpower could be long past its shelf date. The idea of imposing unilateral will by generating endless turmoil abroad today does in fact exhaust a powerful nation, even America, and can actually end up eroding the base of power and undermining relationships. It was easy to see how this policy would lead to a quagmire of undesirable and taxing battles on multiple fronts where success would come only by lowering expectations. Do the American leaders today have the strength to admit the mistake and swallow their pride? Unlikely. And so the real danger now is that leaders, facing the exhaustion of their nation, may forgo the high road of true democracy by becoming accountable and instead choose the path of desperation — quick fixes intended to create the illusion of success at any cost, without regard for the true damage they may cause to their country and its freedoms.

WordPress 2.0

Well, the WP upgrade went sort of smoothly. Let me know if you see any issues. The documentation was a bit sketchy since it says “make sure you do not delete a specific wp-” file right before it says run the command “rm wp-*”. I backed up the file in question first, obviously, and so far things seem to be working ok. The management of the site is significantly enhanced with lots of WYSIWYG and pretty colors, which doesn’t really do much for me. My purpose was actually just to keep up with some of the bigger bug-fixes, and I guess I just have to take some of the included zip and zoom with a grain of salt…

Diesel converts to water

You know the whole water into wine thing? Well, I hate to bring it up but what else comes to mind when the Army announces that their diesel-powered Humvees are going to be outfitted with technology that can return water from diesel exhaust? Just filter the exhaust through some “proprietary carbon filters” and put the results into a handy container in the Humvee and add a spigot. Pretty darn amazing idea, if you ask me, and apparently just one of the innovative things that happens when the chips are down in a desert and water is considered a truly precious commodity, yet diesel fuel is all around. Or as someone in logistics might put it “if you carry fuel, you already have your water”. Well, unless you run out of “proprietary” filters. But I digress…

once you taste the water, you realize the potential.

Great marketing slogan, because before I tasted the water I just thought it would be a convenient place to dump toxic waste from warships and munitions. To be frank, the risk equation being used here to justify the research is simple. The more complicated the supply logistics the more vulnerable the soldiers, so the brass are looking for ways to shore up a water supply chain. Cleaning domestic superfund base sites? Civilians are vulnerable mostly, so no pressing need for the military to invest in new technology there…remember, the groundwork for the Internet was started by a project funded by the US military to help maintain the command structure during war.

Now, let’s say the situation with risk is different — contaminated water is all around, AND diesel refineries are nowhere to be found. Enter engines designed for bio-fuels? Hmm, maybe the next war, although the use of bio-diesel is known to lower the risk of damage from IEDs since it is less combustible. It also might make the water taste more like yesterday’s freedom fries.

In the meantime fuels like bio-diesel remain non-combat experiments and the ability to recycle the exhaust sounds like a cool use (pun intended) of energy tech that I hope makes it to the civilian world soon.

Muscle IDs

Anyone who’s fired a pistol knows that they get a “muscle memory” from the grip. Well, the latest biometrics are being considered for pistols in order to authorize the person who grabs the grip, based on their muscles. Grab a hold of one and fire a few rounds and it should be able to distinguish you from anyone else.

Makes a lot of sense, and it could perhaps be useful in other high-risk pursuits where you need to get a grip on things (to protect assets, reduce vulnerabilities, or mitigate threats…or a combination of the three). The only down-side, of course, is that if you become tied to the device meant to be disabled without you…well, you are actually now part of the device and the risk that goes with it. So if you are the only person who can fire the pistol, then you may be actually forced to use it in a way that you wouldn’t if it could be used without you. The risk matrix changes. It never goes away. Anyway, an interesting update to the possibilities out there for authorization controls.

FindU CallSign Database

This is rather impressive. If you want to see the APRS info for your area, check out the query site. Very handy for Business Continuity portals…on the same note, I just added a weather plugin to the right. The best use might be if it can detect the weather of the person (IP) visiting, but for now it gives you a window into one of the environments I live in. If I’m feeling ambitious I might also add in a few surveillance images.

Site Maintenance

Well, I recently posted some security fixes to the photo log (plog) portion of the site and now WordPress has announced their 2.0 release is official, which means I’ll be doing some fiddling over the next few hours to test and perhaps migrate the site. I’m excited about all the new features, but what really caught my eye was the little slogan at the bottom of the WordPress site:

Code is Poetry

Excellent! Although if it were up to me I would suggest they change this to “Secure Code is Poetry”, since a lot of code is just plain crap, and crap really isn’t poetry at all. I mean you have to draw the line somewhere, right?