Monthly Archives: December 2005

Application Blocking: Whitelists Worse than Blacklists

Occasionally I’ve argued that it would be good if ISPs blocked badly configured computers. By that I meant blacklisting computers that were especially badly configured, having well-known security holes or actively spewing actual malware.

Even that has problems. Already, ISPs are hair-trigger to block anything that looks like it might be doing a port scan, even though it turns out port scans do not correlate with exploits (see later post). Regular traceroutes to your friends’ locations could get you tossed off. Others will block if your outgoing packet rate goes above some arbitrary minimum. So much for your fast-paced game.

White listing of only acceptable applications would be even worse.

Vendors call them by different names, but all use an agent on the client to verify its configuration. If the agent reports software (or in more advanced versions, hardware) that isn’t on a white list, access is denied.
Will ISPs Quarantine You From the lnternet? Microsoft is against ISPs doing anything that would restrict customers’ right to run insecure software. By Andy Dornan 1 Jan 2006, 12:00 AM ET

I’d like to believe that won’t happen, but given the way some ISPs already run turnkey software that springs bogus traps such as I already mentioned,  I can’t say it won’t.

Continue reading

Peace Breaks Out, and Nobody Notices

The world is an increasingly dangerous place, so we have to use extraordinary means in extraordinary times, right? Wrong, according to a recent report:

The Human Security Report, an independent study funded by five countries and published by Oxford University Press, draws on a wide range of little publicized scholarly data, plus specially commissioned research to present a portrait of global security that is sharply at odds with conventional wisdom. The report reveals that after five decades of inexorable increase, the number of armed conflicts started to fall worldwide in the early 1990s. The decline has continued.

By 2003, there were 40 percent fewer conflicts than in 1992. The deadliest conflicts — those with 1,000 or more battle-deaths — fell by some 80 percent. The number of genocides and other mass slaughters of civilians also dropped by 80 percent, while core human rights abuses have declined in five out of six regions of the developing world since the mid-1990s. International terrorism is the only type of political violence that has increased. Although the death toll has jumped sharply over the past three years, terrorists kill only a fraction of the number who die in wars.

Peace on Earth? Increasingly, Yes. By Andrew Mack, Washington Post, Wednesday, December 28, 2005; Page A21

We wouldn’t know this by what’s generally reported in the media, whose motto remains, if it bleeds, it leads. So what happened?

Continue reading

Internet Spying Same as Telegram Spying

As usual, Bruce Schneier gets it right:
Bush’s eavesdropping program was explicitly anticipated in 1978, and made illegal by FISA. There might not have been fax machines, or e-mail, or the Internet, but the NSA did the exact same thing with telegrams.
Project Shamrock, by Bruce Schneier, 29 December 2005
Continue reading

Man Pleads Guilty to Rolling Own Botnet

A man, Anthony Scott Clark, rolled his own botnet, using a worm to take over 20,000 computers, which he then used to launch a distributed denial of service (DDoS) attack on eBay and others in July and August 2003. Now he’s plead guilty in U.S. District Court in San Jose, 27 December 2005. He could get 10 years in prison, a quarter million dollar fine, etc., notes Paul Ferguson.

It’s good that a bot herder got caught and may get time. But this one was unusual, indiscreet, and probably easier to catch than most. Continue reading

Video Sprites and Security

There’s some discussion recently about whether video sprites in animations can be a security problem. This is outside of any of my usual areas of expertise. So far as I know, a video sprite is recorded image frames that are strung together by a program to follow a path such as an ellipse, or even to perform character actions. Think of video game characters, although the images used can also be of live animals, or basically whatever you like.

So you end up with a movie that has elements generated this way; so what? Well, in QuickTime,

A sprite can also modify its behavior with the passage of time, either “movie” time (the duration in which the movie plays) or in real time. In fact, a sprite can continue to act even after the movie it is in is paused or stopped.
QuickTime Interactivity Gives Your Movies the Smarts.
OK, a sprite isn’t just a movie; it’s a program, implemented by the movie player. Still, so what? Continue reading

Sony: Its Own Worst Enemy

Doubtless everyone has heard by now the saga of Sony’s rootkit DRM. On some music CDs Sony has put some Digital Rights Management (DRM) software that it said was intended to prevent copying of the music on the CD. Actually, that software also hides itself so it’s hard to find or remove, and opens several security holes, including reporting information about the user back through the Internet. Thus it resembles what is commonly called a rootkit, which is software that is designed to get root (unlimited access) and to hide the fact that it did so. Everybody from music buyers to antivirus vendors to Microsoft to the U.S. government complained to Sony, after which Sony put out an uninstall kit. But that kit turned out to open even more security holes. EFF is suing Sony. Continue reading

Making Backups Go Away

Every organization needs backups, but sometimes you want backups to go away:

Suppose you have a policy where certain types of personal records, like health records, have to be destroyed after a year. It’s very difficult to just delete something, because it may be on backup tapes."

Radia Perlman concisely defines the problem, and she has a simple solution, too. Incidentally, she adds, "It should be a law that with any vendor you could say, ‘Do not keep a permanent copy of my information in your database. Delete it after one month.’ I don’t want that stored — my name and address and credit card number — because it can be broken into." Perlman’s solution, in a nutshell: Encrypt the data, then, when you no longer want it around, throw away the key.

Continue reading

Web Browser Diversity

As I give talks, I continue to find, to my continued surprise, that many people don’t know that there is any alternative to Internet Explorer (IE). The other day a webmaster of long acquaintance said something to the effect of:

Sure, I tailor my web pages for IE. What else would anybody use? And why would they?

(I usually attribute quotations or even paraphrases, but let’s let that one remain nameless.)

Why? Because IE draws security exploits like honey draws flies. Because it has deep design flaws. Because it is less capable than all the other major browsers. Because having a single browser used by 90% of desktop users is inherently unsafe, no matter what the browser is, because it is a monoculture, which means that there is a possibility that an exploit could attack a large proportion of all desktop machines all at the same time. This isn’t an academic concern, either, since there have been numerous IE exploits, including some, such as scob, for which there was no patch.

What else would they use?

Continue reading

Broken Internet

James Seng posts a reminder that Dewayne Hendricks had noted an interview with David D. Clark in which Clark asserts that the Internet’s lack of built-in security has become an increasingly serious problem. Clark phrases it as a classic case of risk management:

…he observes that sometimes the worst disasters are caused not by sudden events but by slow, incremental processes — and that humans are good at ignoring problems. "Things get worse slowly. People adjust," Clark noted in his presentation. "The problem is assigning the correct degree of fear to distant elephants."
The Internet is Broken, David D. Clark, Monday, December 19, 2005 Technology Review

No tsunami warning system in the Indian Ocean, no adequate levees in New Orleans, and no adequate built-in security in the Internet. Indeed, the distant elephants are upon us. Sometimes people can say they didn’t know, sometimes it’s hard to understand how those responsible couldn’t have known, and sometimes people just thought it was a distant enough problem that they didn’t need to deal with it yet. All these are ways that people don’t see the elephant. Denial, corruption, short-sightedness; whichever way, letting the elephants sneak up on you isn’t a good idea.

Continue reading

Macs Become Even More Secure

Usually I don’t read slashdot, but today I found on it a note saying that Microsoft is to cease support for Internet Explorer on the Macintosh at the end of 2005. I must agree with the slashdot poster that Macs will thus become even more secure. Even if most Mac users already use other browsers, every little bit helps.

Not only will Macs become inherently more secure, because not as many people will be using them to run one of the most exploit-attracting pieces of software out there, but software diversity will thereby be increased, thus increasing security for everyone.