WinXP Security Guide Update

Microsoft released a new Windows XP Security Guide today. Here’s their breakdown of the contents:

“The guide provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments:

  • Enterprise Client (EC). Client computers in this environment are located in an Active Directory® directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system.
  • Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT 4.0.
  • Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment.”

Fuel Prices and Military Diesel

It’s not exactly clear why diesel has jumped higher than other fuel prices, but one thing is for sure: Diesel’s original intention was to create an engine that did not require dependence on foreign petroleum sources, or the corporations that controlled them.

Many people point to several key economic reasons for the rise in prices this season:

1) Diesel prices are impacted by the demand for heating fuels (distillates) so it has a seasonal fluctuation.

2) About 95% of production in the Gulf region is still not back on the market. This is probably related to the fact that over half of the Gulf platforms and a good number of drilling rigs aren’t running yet, not to mention 10 or so refineries are closed in LA and TX. Altogether this is apparently an impact of about 10% of total US production.

3) Speculators aren’t stupid and they find ways to increase demand in order to contribute to the rise in prices and get better returns on their investment.

That’s all fine and dandy on some level, but it reminds me of the letter from Shuster to the Energy Secretary back in 2000 when prices were doing something similar:

http://www.house.gov/transportation/press/press2000/presss138.htm

“We have received numerous reports regarding the alarming spike in diesel fuel prices, the most dramatic of which has New England customers paying 40 cents more per gallon than they paid just one week ago. By any account, diesel fuel prices appear to be rising out of control.”

No Hurricane to blame back then. Quite the opposite, a Congressman wrote the US Attorney General because “we believe to be price gouging and manipulating of consumers”.

http://www.house.gov/larson/pr_000210.htm

Again, that corresponds to Diesel’s own description and prediction of petroleum-based engery corporation behavior back in the 1800s — the very reason his engines will run on oil or fats from just about any source including fish, meat, vegetables, etc..

Moreover, as we know today, the market was in fact being manipulated in 2000 and consumers were being, please pardon my french, screwed by Enron:

http://www.house.gov/inslee/issues/energy/enron_tapes.html

“U.S. Rep. Jay Inslee announced this evening that he will offer an amendment next week to energy legislation in the U.S. House of Representatives that will help provide refunds to consumers and the Snohomish County Public Utility District (PUD) for high rates resulting from energy market manipulation”.

One last thing to consider is that the US military relies heavily on petroleum diesel production and has done a great deal to enhance/modify diesel engines for everything from ships to motorcycles (not to mention advances in trend analysis and condition based maintenance), but for some odd reason they haven’t done much to change the source of the fuel to something domestically and more sustainably produced (like B20 or even B5, which is working quite well in Europe).

SCADA security references

NIST published their Critical Infrastructure Protection guidelines and I also noted the National Information Assurance Program (NIAP) Process Control Security Requirements Forum (PCSRF). Wish I had these references about four years ago. This is an especially interesting paper, which I think was done for the PCSRF and ISO/IEC 15408:

http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

The Gas Technology Institute/American Gas Association Encryption page also has some good pointers and here’s the Department of Energy (DoE) guide to CyberSecurity.

Drinking Alone Under The Moon

by Li Bai

Among the flowers from a pot of wine
I drink alone beneath the bright moonshine.
I raise my cup to invite the moon, who blends
Her light with my shadow and we’re three friends.
The moon does not know how to drink her share;
In vain my shadow follows me here and there.
Together with them for the time I stay
And make merry before spring’s spend away.
I sing the moon to linger with my song;
My shadow disperses as I dance along.
Sober, we three remain cheerful and gay;
Drunken, we part and each goes his way.
Our friendship will outshine all earthly love;
Next time we’ll meet beyond the stars above.

Gopher eats Microsoft

Once upon a time, Georgi Guninski wrote AIX buffer overflows. Aleph One provided shellcodes. Now everyone hammers on Microsoft vulnerabilities and Bill Gates is retraining his employees for security awareness. That seems like a good idea as UNIX gopher servers could suddenly gain popularity again. Think your “internal” network is safe? Think again as one of your users might connect to a gopher site…oh, and all versions of IE are vulnerable. Go Minnesota!

Would you like Web Services with that?

So let’s get one thing straight, the “web services” (WS) revolution is a new term for standards-based communication between networked applications. Does this change anything for anyone? Not really, not yet. An executive at a small software company asked me to help them decide what to do about WS, so it’s been on my mind lately. The rather sharp-witted Register points out a clear case where not even Microsoft or Sun can figure out how to turn the WS hype into real value for customers.

Packet Trap

There’s something really nice about a good pasta sauce. There are so many recipes on the web, it’s hard to know where to begin. My favorite, of course, is the easiest: a bit of your favorite oil, add some basil, pine nuts, and garlic in the blender. Just press a button and…pesto!

There’s something really suspicious about a product called the White Glove, but there’s no doubt that Fred Cohen has a unique view. In light of this, I think when I build a DMZ for a client tomorrow I will try to convince them to call it a “Packet Trap.”

In Salutation to the Eternal Peace

by Sarojini Naidu

Men say the world is full of fear and hate,
And all life’s ripening harvest-fields await
The restless sickle of relentless fate.

But I, sweet Soul, rejoice that I was born,
When from the climbing terraces of corn
I watch the golden orioles of Thy morn.

What care I for the world’s desire and pride,
Who know the silver wings that gleam and glide,
The homing pigeons of Thine eventide?

What care I for the world’s loud weariness,
Who dream in twilight granaries Thou dost bless
With delicate sheaves of mellow silences?

Say, shall I heed dull presages of doom,
Or dread the rumoured loneliness and gloom,
The mute and mythic terror of the tomb?

For my glad heart is drunk and drenched with Thee,
O inmost wind of living ecstasy!
O intimate essence of eternity!

the poetry of information security