Occasionally I’ve argued that it would be good if ISPs blocked badly configured computers.
By that I meant blacklisting computers that were especially badly configured, having well-known security holes
or actively spewing actual malware.
Even that has problems. Already, ISPs are hair-trigger to block anything that looks like it might be doing a port scan,
even though it turns out port scans do not correlate with exploits (see later post).
Regular traceroutes to your friends’ locations could get you tossed off.
Others will block if your outgoing packet rate goes above some arbitrary minimum.
So much for your fast-paced game.
White listing of only acceptable applications would be even worse.
Vendors call them by different names, but all use an agent on the client to verify its configuration. If the agent reports software (or in more advanced versions, hardware) that isn’t on a white list, access is denied.
Will ISPs Quarantine You From the lnternet?
Microsoft is against ISPs doing anything that would restrict customers’ right to run insecure software.
By Andy Dornan
1 Jan 2006, 12:00 AM ET
I’d like to believe that won’t happen, but given the way some ISPs already run turnkey software that
springs bogus traps such as I already mentioned, I can’t say it won’t.
The world is an increasingly dangerous place, so we have to use
extraordinary means in extraordinary times, right?
Wrong, according to a recent report:
The Human Security Report, an independent study funded by five countries
and published by Oxford University Press, draws on a wide range of little
publicized scholarly data, plus specially commissioned research to present
a portrait of global security that is sharply at odds with conventional
wisdom. The report reveals that after five decades of inexorable increase,
the number of armed conflicts started to fall worldwide in the early
1990s. The decline has continued.
By 2003, there were 40 percent fewer conflicts than in 1992. The
deadliest conflicts — those with 1,000 or more battle-deaths — fell
by some 80 percent. The number of genocides and other mass slaughters
of civilians also dropped by 80 percent, while core human rights abuses
have declined in five out of six regions of the developing world since
the mid-1990s. International terrorism is the only type of political
violence that has increased. Although the death toll has jumped sharply
over the past three years, terrorists kill only a fraction of the number
who die in wars.
Peace on Earth? Increasingly, Yes.
By Andrew Mack,
Wednesday, December 28, 2005; Page A21
We wouldn’t know this by what’s generally reported in the media,
whose motto remains, if it bleeds, it leads.
So what happened?
As usual, Bruce Schneier gets it right:
Bush’s eavesdropping program was explicitly anticipated in 1978, and made illegal by FISA. There might not have been fax machines, or e-mail, or the Internet, but the NSA did the exact same thing with telegrams.
Project Shamrock, by Bruce Schneier, 29 December 2005
A man, Anthony Scott Clark,
rolled his own botnet, using a worm to take over 20,000 computers,
which he then used to launch a distributed denial of service (DDoS) attack
on eBay and others in July and August 2003.
in U.S. District Court in San Jose, 27 December 2005.
He could get 10 years in prison, a quarter million dollar fine, etc.,
It’s good that a bot herder got caught and may get time.
But this one was unusual, indiscreet, and probably easier to catch than most.
There’s some discussion recently about whether video sprites
in animations can be a security problem.
This is outside of any of my usual areas of expertise.
So far as I know, a video sprite is recorded image frames
that are strung together by a program to follow a path
such as an ellipse,
or even to perform character actions
Think of video game characters, although the images used can also
be of live animals, or basically whatever you like.
So you end up with a movie that has elements generated this way; so what?
Well, in QuickTime,
A sprite can also modify its behavior with the passage of time, either “movie” time (the duration in which the movie plays) or in real time. In fact, a sprite can continue to act even after the movie it is in is paused or stopped.
QuickTime Interactivity Gives Your Movies the Smarts.
OK, a sprite isn’t just a movie; it’s a program, implemented by the movie
Still, so what?
Doubtless everyone has heard by now the saga of Sony’s rootkit DRM.
On some music CDs Sony has put some Digital Rights Management (DRM)
software that it said was intended to prevent copying of the music
on the CD.
Actually, that software also hides itself so it’s hard to find or remove,
and opens several security holes, including reporting information about
the user back through the Internet.
Thus it resembles what is commonly called a rootkit,
which is software that is designed to get root (unlimited access)
and to hide the fact that it did so.
Everybody from music buyers to antivirus vendors to Microsoft to the
U.S. government complained to Sony, after which Sony put out an
But that kit turned out to open even more security holes.
EFF is suing Sony
Every organization needs backups, but sometimes you want backups to go away:
Suppose you have a policy where certain types of personal records, like health records, have to be destroyed after a year. It’s very difficult to just delete something, because it may be on backup tapes."
Radia Perlman concisely defines the problem, and she has a simple solution, too.
Incidentally, she adds, "It should be a law that with any vendor you could say, ‘Do not keep a permanent copy of my information in your database. Delete it after one month.’ I don’t want that stored — my name and address and credit card number — because it can be broken into."
Perlman’s solution, in a nutshell: Encrypt the data, then, when you no longer want it around, throw away the key.
As I give talks, I continue to find, to my continued surprise, that many people don’t know that there is any
alternative to Internet Explorer (IE).
The other day a webmaster of long acquaintance said something to the effect of:
Sure, I tailor my web pages for IE.
What else would anybody use?
And why would they?
(I usually attribute quotations or even paraphrases, but let’s let that one remain nameless.)
Why? Because IE draws security exploits like honey draws flies.
Because it has deep design flaws.
Because it is less capable than all the other major browsers.
Because having a single browser used by 90% of desktop users
is inherently unsafe, no matter what the browser is, because it is
a monoculture, which means that there is a possibility that an exploit
could attack a large proportion of all desktop machines all at the same time.
This isn’t an academic concern, either, since there have been numerous
IE exploits, including some, such as scob, for which there was no patch.
What else would they use?
James Seng posts
a reminder that Dewayne Hendricks had noted an interview with David D. Clark in which Clark
asserts that the Internet’s lack of built-in security has become an increasingly serious problem.
Clark phrases it as a classic case of risk management:
…he observes that sometimes the worst disasters are caused not by sudden events but by slow, incremental processes — and that humans are good at ignoring problems. "Things get worse slowly. People adjust," Clark noted in his presentation. "The problem is assigning the correct degree of fear to distant elephants."
The Internet is Broken,
David D. Clark,
Monday, December 19, 2005
tsunami warning system in the Indian Ocean,
no adequate levees in New Orleans, and no adequate built-in security in the Internet.
Indeed, the distant elephants are upon us.
Sometimes people can say they didn’t know,
sometimes it’s hard to understand how those responsible couldn’t have known,
and sometimes people just thought it was a distant enough problem that they didn’t need to deal with it yet.
All these are ways that people don’t see the elephant.
Denial, corruption, short-sightedness; whichever way, letting the elephants sneak up on you isn’t a good idea.
Usually I don’t read slashdot, but today I found on it a note saying that
Microsoft is to cease support
for Internet Explorer on the Macintosh at the end of 2005
I must agree with the slashdot poster that Macs will thus become even more secure.
Even if most Mac users already use other browsers, every little bit helps.
Not only will Macs become inherently more secure, because not as many people will be using them
to run one of the most exploit-attracting pieces of software out there, but software diversity will thereby
be increased, thus increasing security for everyone.