Monthly Archives: April 2007

How Many is Two?

Oh, this is too precious. A bank thinks two-factor authentication means a username and a password. As Bruce Schneier clarifies:

Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.

So how many is two? The bank’s interpretation is linguistically, syntactically, and semantically correct. However, their context is all wrong.

Risk management requires context, not category error.

-jsq

Government-Mandated Monoculture

Apparently Microsoft needs even more of a monopoly:

The Office of Management and Budget and the Defense Department are taking similar but separate paths to ensure a standard Microsoft Windows desktop configuration is used by all agencies.

Karen Evans, OMB’s administrator for IT and e-government, has recommended to Paul Denett, the administrator in the Office of Federal Procurement Policy, that the Federal Acquisition Regulations Council add a clause to the FAR, or OFPP send out a memo to all chief acquisition officers, that would require all IT contracts to include the requirement that all software and hardware does no harm to the standard configuration.

The Air Force, meanwhile, has submitted a three-part clause to the DOD chief information officer that would be included in every IT contract, said Ken Heitkamp, associate director for lifecycle management and director of the Air Force’s IT Commodity Council.

Eventually, Heitkamp said, DOD’s rule could be given to OMB for them to decide whether to take it governmentwide.

OMB, DOD to enforce desktop standard through procurement, By Jason Miller GCN, 11 April 2007

From a security point of view, this is the height of foolishness, because it will establish a government-wide monoculture in which one exploit works against every agency.

-jsq

Validation: Semantic or Syntactic

Gunnar posts:

James Clark proposes another way to look at this:

Validity should be treated not as a property of a document but as a relationship between a document and a schema.

From a security perspective the validation relationship is between the document and the allowed characters (white list – strongest) or disallowed characters (black list – weaker).

So which should it be, semantic or syntactic?
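As an added illustration, not code from Gunnar’s or James Clark’s posts, here is a constructed C example of the two relationships: a whitelist that accepts only what a hypothetical schema allows, beside a blacklist that rejects only what its author remembered to list. The field name, character set and sample inputs are assumptions made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical schema (constructed for this example): an identifier is
 * 1..16 bytes drawn from [A-Za-z0-9_-]. */
#define ID_MAX 16

/* Whitelist: valid only if every byte is in the allowed set and the length
 * is within the schema's bounds. Anything not listed is rejected. */
bool id_valid_whitelist(const char *s) {
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n = strlen(s);
    if (n == 0 || n > ID_MAX) return false;
    return strspn(s, allowed) == n;   /* run of allowed bytes must cover all */
}

/* Blacklist: rejects only bytes the author thought of. The list is never
 * complete: control characters and non-ASCII bytes slip through, and there
 * is no length bound at all. */
bool id_valid_blacklist(const char *s) {
    static const char forbidden[] = "'\";<>|&";
    for (const char *p = s; *p; p++)
        if (strchr(forbidden, *p)) return false;
    return *s != '\0';
}

/* Constructed inputs with the verdict the schema intends. */
typedef struct { const char *in; bool should_pass; } sample_t;
static const sample_t samples[] = {
    { "acct_42",                      true  },
    { "a'; drop",                     false },
    { "acct\r\nX-Inject",             false },  /* CR/LF not blacklisted */
    { "acct\xC3\xA9",                 false },  /* non-ASCII not blacklisted */
    { "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", false },  /* over the length bound */
};

/* Number of samples on which a validator disagrees with the schema. */
int count_mistakes(bool (*validator)(const char *)) {
    int bad = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (validator(samples[i].in) != samples[i].should_pass) bad++;
    return bad;
}
```

Run against the samples, the whitelist agrees with the schema on every input while the blacklist passes three inputs the schema forbids.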


Blogger Civility

Doubtless everyone has heard of Tim O’Reilly’s Draft Blogger’s Code of Conduct, which is an attempt to instill (restore? inspire?) civility in blogging. I had some difficulty with the concept from the beginning, since it centers around the "tone of the blogs", which is a vague and very subjective thing. O’Reilly’s draft code of conduct isn’t much less vague and subjective:

We define and determine what is "unacceptable content" on a case-by-case basis, and our definitions are not limited to this list. If we delete a comment or link, we will say so and explain why. [We reserve the right to change these standards at any time with no notice.]

Now if "we" means the individual blogger, fine. However, if "we" means some external authority, well, I have problems with that "we".


Knuth on Patents

This is not exactly news, but it’s still relevant:

Algorithms are exactly as basic to software as words are to writers, because they are the fundamental building blocks needed to make interesting products. What would happen if individual lawyers could patent their methods of defense, or if Supreme Court justices could patent their precedents?

Letter to the Patent Office, From Professor Donald Knuth, February 1994

Dr. Knuth points out that he couldn’t have written TeX, the formatting language used in most mathematical and physics texts, if software patents had been possible at the time.

Patent thickets can become so thick that nothing gets through. That’s not good risk management.

-jsq

Crumbling Infrastructure

Dave Isenberg found this article about crumbling U.S. infrastructure by Bob Herbert in the NYTimes that quotes Felix Rohatyn, “the investment banker who helped save New York City from bankruptcy in the 1970s”:

“Since the beginning of the republic,” he said, “transportation, infrastructure and education have played a central role in advancing the American economy, whether it was the canals in upstate New York, or the railroads that linked our heartland to our industrial centers; whether it was the opening of education to average Americans by land grant colleges and the G.I. bill, making education basic to American life; or whether it was the interstate highway system that ultimately connected all regions of the nation.

“This did not happen by chance, but was the result of major investments financed by the federal and state governments over the last century and a half. … We need to make similar investments now.”

Our Crumbling Foundation, By BOB HERBERT, New York Times, April 5, 2007 (transcription)

Obviously we’re not just talking bridges and dams here: U.S. Internet infrastructure is just as bad.

Is letting infrastructure crumble while other countries such as China, India, Japan, and Korea busily invest for the future good risk management? I think not.

-jsq

Boneheaded Risk Management

In an Op-Ed about the demise of albums and record stores and the rise of the downloaded single:

The sad thing is that CDs and downloads could have coexisted peacefully and profitably. The current state of affairs is largely the result of shortsightedness and boneheadedness by the major record labels and the Recording Industry Association of America, who managed to achieve the opposite of everything they wanted in trying to keep the music business prospering. The association is like a gardener who tried to rid his lawn of weeds and wound up killing the trees instead.

Spinning Into Oblivion, By TONY SACHS and SAL NUNZIATO, New York Times, Published: April 5, 2007

Hm, how could that have happened?


Cali Cartel

Dan Geer mentions Microsoft and the Cali Cartel in the same paragraph:

If the U.S. really wants to get Bolivian farmers to stop growing coca, then we’ll have to make growing lettuce in the Continental U.S. illegal (thus pricing up something you can grow in Bolivia’s thin air and chill temps), or we’ll have to outbid the Cali cartel for the crop in full. Ditto Redmond; MSFT can’t keep the exploit writers from doing what they do except by making them an offer they can’t refuse.

With $5B in underutilized cash lying around, it is almost criminal that MSFT hasn’t just cornered the market. Of course, the longer they wait the more the price to buy out the opposition rises and, in fact, that $5B may no longer be enough, though there’s no doubt a creative pricing structure would have real effects, such as to pay informants 2X what they pay code jocks.

Punditry: Will Microsoft buy flaws? Ryan Naraine, Zero Day, March 19th, 2007

Dan didn’t say Microsoft is the Cali Cartel, merely that what they’re dealing with in terms of a criminal exploit culture is the equivalent.

SCADA Has Holes!

In addition to foreign manufacturers, very long (decade or more) upgrade times, deployments in odd locations that pretty much require network access by non-net-savvy technicians, etc., SCADA also has another bug:

Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It’s used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.

Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.

Hole Found in Protocol Handling Vital National Infrastructure, physorg.com, 25 March 2007

Neutralbit also claims this is the first remotely accessible SCADA vulnerability, which the smallest amount of googling shows is not true (I leave that as an exercise for the reader). However, they probably have found a real vulnerability.
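The report above says only that server handles were improperly validated, so as an added example (not NETxAutomation’s code, and not a description of their actual bug) here is a small hypothetical handle table of the kind an OPC-style server keeps, with the checks that such a lookup needs: an index bound, an in-use test, and a generation tag so a released handle cannot be reused to reach a stale slot. All names and the table layout are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical in-process handle table (assumed layout, for illustration). */
#define MAX_ITEMS 8

typedef struct {
    bool     in_use;
    uint16_t generation;   /* bumped on release, so stale handles stop matching */
    int      value;
} item_t;

static item_t table[MAX_ITEMS];

/* A handle packs a table index (low 16 bits) and a generation tag (high 16). */
static uint32_t make_handle(uint16_t idx, uint16_t gen) {
    return ((uint32_t)gen << 16) | idx;
}

uint32_t item_create(int value) {
    for (uint16_t i = 0; i < MAX_ITEMS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            table[i].value = value;
            return make_handle(i, table[i].generation);
        }
    }
    return 0xFFFFFFFFu;  /* table full; its index fails the bound check below */
}

/* Hardened lookup. A lookup that simply returned &table[idx] for whatever
 * handle a client sent is the class of "improper validation of server
 * handles" that lets a client crash the server with a bad index. */
item_t *item_lookup(uint32_t h) {
    uint16_t idx = (uint16_t)(h & 0xFFFFu);
    uint16_t gen = (uint16_t)(h >> 16);
    if (idx >= MAX_ITEMS) return NULL;          /* out of range */
    if (!table[idx].in_use) return NULL;        /* never allocated or released */
    if (table[idx].generation != gen) return NULL; /* stale copy of an old handle */
    return &table[idx];
}

bool item_release(uint32_t h) {
    item_t *it = item_lookup(h);
    if (!it) return false;
    it->in_use = false;
    it->generation++;   /* invalidates every outstanding copy of h */
    return true;
}
```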

Newsroom Flees to the Net

Doc Searls, commenting on the newsroom of the Santa Barbara News Press setting up shop online as the Santa Barbara Newsroom:

It’s also odd to see this paper-in-pixels as a Teamsters operation. Yes, I know that what the Teamsters are doing here is a Good Thing. But my hope for the SB Newsroom was to see a new online paper that would carry forward as its own operation, with its own publishing as well as editorial ambitions. What we have here is a new breed that isn’t built to reproduce. Meaning nobody else can use it. It’s unique to Santa Barbara’s bizarre dispute between the owner of a paper and pretty much everyone else — especially its growing diaspora of cast-off employees.

I’m also not sure that the News-Press is a "public trust." It’s a private business, and always has been. Even if the Teamsters succeed in getting these reporters reinstated at the News-Press, I doubt the result will be a better newspaper than they could create fresh on their own. Especially with Wendy McCaw continuing to own the paper.

News-Press-onward, Doc Searls, 4 April 2007

Seems to me it would make more sense for the reporters to start their own newspaper. Meanwhile, the odd conflations of public trust, private business, unions running exile newsroom websites, etc., are more eddies in the storm of confusion caused by the Internet moving like a tornado through the traditional business of newspapers. The biggest risk is pretending that the old business will remain unchanged.

-jsq