CVE-2012-1182: Samba root remote exploit

Update immediately to Samba 3.6.4, 3.5.14 or 3.4.16; patches have even been made available for versions that are out of support.

== Subject: “root” credential remote code execution.
==
== CVE ID#: CVE-2012-1182
==
== Versions: Samba 3.0.x – 3.6.3 (inclusive)
==
== Summary: Samba 3.0.x to 3.6.3 are affected by a
== vulnerability that allows remote code
== execution as the “root” user.

Disabling Stolen Phones

Here are some answers to questions I’ve been asked recently by reporters on the U.S. stolen phone registry.

> How does this plan work from a security standpoint?

Phones are meant to have a unique identifier. GSM phones, for example, use the International Mobile Equipment Identity (IMEI). This is similar to the Media Access Control (MAC) address many people are familiar with from networking equipment. Carriers use it for billing and for linking services and support to devices. An identifier tends to include manufacturer and model information as well as a unique serial. It also has a check digit to help prevent fake numbers.

Carriers could in theory use an identifier to block use of a stolen phone when the identity is unique to that phone. This requires someone to report the phone as stolen, a carrier to have a current and maintained list of stolen phones, and someone to try to register the stolen phone with a carrier that has such a list. If one or more of these three steps does not happen, the phone can still be used.

> Why is the U.S. far behind other countries in speed in creating a database for stolen mobile phones?

Unlocked phones have been more common in other countries. You can easily buy an unlocked phone from Nokia, for example, while Apple clearly does not want their users to unlock their phones. The lock-in of devices to carriers made a centralized/shared database of stolen devices less relevant. With more people using unlocked phones the need for sharing identity information becomes far more important.

> Does this actually prevent theft? If not, what would be a more effective way to do so?

It changes the market dynamics of phone theft. Criminals will try to modify the identifier on the phone when carriers block the identifier. Laws get passed to make modifying the identifier illegal, but it is still possible. It turns out that there already are collisions in identifiers and that it is not terribly difficult to modify them. Carriers thus also have to be capable of identifying bogus or stolen identification. This is a centralized model of security, which also raises a question of privacy risk. A centralized database may be considered by some a bigger threat to privacy than the loss of a device. A decentralized model could be one where phones use encryption and self-destruction to be rendered valueless when stolen.
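As an added example (not from the post), here is the identifier structure and check-digit test described above, from the carrier's side: it splits an IMEI into its manufacturer/model code (the TAC) and serial, verifies the Luhn check digit, and screens a constructed list of theft reports so that malformed or bogus identifiers are rejected before they reach a block list. Function names and sample IMEIs are my own, not real devices.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Imei:
    tac: str      # Type Allocation Code: manufacturer and model (8 digits)
    serial: str   # per-device serial number (6 digits)
    check: str    # Luhn check digit (1 digit)

def luhn_check_digit(body: str) -> str:
    """Return the check digit that makes body + digit pass the Luhn test."""
    total = 0
    # Walk from the right; the digit nearest the check position is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def parse_imei(value: str) -> Optional[Imei]:
    """Parse a 15-digit IMEI; return None if the format or check digit is wrong."""
    digits = value.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not digits.isdigit():
        return None
    if luhn_check_digit(digits[:14]) != digits[14]:
        return None
    return Imei(tac=digits[:8], serial=digits[8:14], check=digits[14])

def screen_reports(reports: list) -> tuple:
    """Split raw theft reports into a normalised block set and rejected entries."""
    block, rejected = set(), []
    for raw in reports:
        parsed = parse_imei(raw)
        if parsed is None:
            rejected.append(raw)   # bogus or malformed: never enters the list
        else:
            block.add(parsed.tac + parsed.serial + parsed.check)
    return block, rejected

# Constructed sample reports (hypothetical values, not real devices):
# one valid, one with a wrong check digit, one that is too short.
SAMPLE_REPORTS = ["49-015420-323751-8", "352099001761480", "35209900176148"]

if __name__ == "__main__":
    blocked, bad = screen_reports(SAMPLE_REPORTS)
    print("block list:", sorted(blocked))
    print("rejected:", bad)
```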

Parking Space Corruption

I often refer to a USC economics study of parking behaviour when speaking in private on correlation and insider risk, but apparently I have not yet mentioned it on my blog, so here it is: “Cultures of Corruption: Evidence from Diplomatic Parking Tickets”

Corruption is believed to be a major factor impeding economic development, but the importance of legal enforcement versus cultural norms in controlling corruption is poorly understood. To disentangle these two factors, we exploit a natural experiment, the stationing of thousands of diplomats from around the world in New York City. Diplomatic immunity means there was essentially zero legal enforcement of diplomatic parking violations, allowing us to examine the role of cultural norms alone. This generates a revealed preference measure of corruption based on real-world behavior for government officials all acting in the same setting. We find tremendous persistence in corruption norms: diplomats from high corruption countries (based on existing survey-based indices) have significantly more parking violations.