Skype and Windows Update

So, Windows update: Skype outage cause or smokescreen?

Apparently both:

The disruption was caused by a routine Windows patch update distributed Tuesday that required users to restart their computers. When a large number of Skype subscribers began logging back in around the same time, the requests – combined with the day’s traffic patterns – began overwhelming the system, revealing a bug in the software that normally helps the system allocate resources and “self heal.”

“Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring,” Skype spokesman Villu Arak said.

Skype reveals outage source, tells customers it won’t happen again, Ryan Kim, San Francisco Chronicle Staff Writer, Tuesday, August 21, 2007

So we seem to have here a combination of hazards tripping each other.

This does raise the more general question of what other bugs are synchronized Windows updates exercising? And how long before such a Windows update installs a vulnerability that immediately gets exploited? And how long before such updates themselves do cause massive outages? In software monoculture, Windows may be its own boll weevil.
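The dynamic the Chronicle piece describes, a patch-driven reboot followed by every client logging back in at once, is easy to see in a small simulation. The following Python is an added example, not code from the original post or from Skype, and all its numbers are constructed: 1,000 clients restarting within a five-second window, a server that can admit 50 logins per second, a naive client that simply retries one second after each rejection, and a client that waits a randomised, doubling delay before retrying (the jittered backoff is an assumed mitigation, not something the article states).

```python
import random


def simulate_reconnects(n_clients, capacity, backoff, horizon=600, seed=1,
                        initial_window=5):
    """Simulate clients all reconnecting after a simultaneous restart.

    capacity -- logins the server can admit per second; the rest are rejected
    backoff  -- backoff(attempt, rng) -> seconds a rejected client waits
    Returns (seconds until the backlog drained, or None if it never did,
             peak requests seen in one second,
             number of seconds in which requests exceeded capacity).
    """
    rng = random.Random(seed)
    # Constructed scenario: every client comes back within a few seconds
    # of the patch-induced reboot.
    pending = {c: rng.uniform(0, initial_window) for c in range(n_clients)}
    attempts = {c: 0 for c in range(n_clients)}
    peak = overloaded = 0
    for t in range(horizon):
        due = [c for c, when in pending.items() if when < t + 1]
        peak = max(peak, len(due))
        if len(due) > capacity:
            overloaded += 1
        rng.shuffle(due)
        for c in due[:capacity]:          # admitted this second
            del pending[c]
        for c in due[capacity:]:          # rejected: schedule a retry
            attempts[c] += 1
            pending[c] = t + 1 + backoff(attempts[c], rng)
        if not pending:
            return t + 1, peak, overloaded
    return None, peak, overloaded


def lockstep_retry(attempt, rng):
    """Naive client: retry one second after every rejection, like everyone else."""
    return 0.0


def jittered_backoff(attempt, rng):
    """Randomised exponential backoff (assumed mitigation): a random fraction
    of 10 s, 20 s, 40 s, ... after the 1st, 2nd, 3rd ... rejection, capped."""
    return rng.uniform(0, min(300, 10 * 2 ** (attempt - 1)))


def compare(n_clients=1000, capacity=50):
    """Run both client strategies against the same constructed server."""
    return {
        "lockstep": simulate_reconnects(n_clients, capacity, lockstep_retry),
        "jittered": simulate_reconnects(n_clients, capacity, jittered_backoff),
    }


if __name__ == "__main__":
    for name, (drained, peak, overloaded) in compare().items():
        print(f"{name:9s} backlog drained after {drained}s, "
              f"peak {peak} req/s, {overloaded} overloaded seconds")
```

The lockstep client clears the backlog fastest, because the server never sits idle, but it does so by presenting the entire remaining backlog every second (a peak of 800 requests against a capacity of 50) and keeps the server saturated for the whole recovery, which is exactly the condition under which the article says the resource-allocation code failed. The jittered client takes longer to recover yet never pushes the server far past its capacity, which is the trade a defender usually wants.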

-jsq

Brass Leaks

We already observed that military information security is a bit of an oxymoron and over in Peerflow that the U.S. military thinks its soldiers in Iraq are likely leaks.

Well, it turns out that:

For years, members of the military brass have been warning that soldiers’ blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful than blogs do.

Army Audits: Official Sites, Not Blogs, Breach Security, By Noah Shachtman, Danger Room, August 17, 2007, 12:29:00 PM

Is there a psychologist in the house? Is the military blaming its own incompetent leaks on the troops projection, or is it just plain old CYA?

I’m pretty sure hiding this report until the EFF filed a FOI lawsuit to get it is CYA.

I don’t think it’s good risk management for the troops, or the Iraqis, or even for the brass.

-jsq

Click Fraud Network

Here’s another company detecting effects of botnets:
The Click Fraud Index™ monitors and reports on data gathered from the Click Fraud Network™, which more than 4,000 online advertisers and their agencies have joined. The Network provides statistically significant pay-per-click data collected from online advertising campaigns for both large and small companies.

“We’re not surprised to see the industry average click fraud rate climb this quarter as a result of botnet activity,” said Robert Hansen, CEO of SecTheory and one of the industry’s leading experts in online security threats. “Our clients are well aware that botnet activity is on the rise and that botnets are being used for a variety of online fraud activities, including click fraud.”

ClickFraudNetwork accessed 16 August 2007

They claim the country originating the most click fraud is France, followed by China. However, it would be more useful to show which ISPs are originating most click fraud, i.e., which ones are most infested by botnets. Countries are too big and too slow to have much of a chance of doing something about this. ISPs can.

-jsq

Outrage Considered Useful

There’s a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren’t a lot of metrics presented that were strategic and business-like.

Let’s assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?

As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.

The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007

He goes on to outline several reasons management might get upset.

Brooklyn Tornado

How soon they forget:

It wasn’t just the tornado in Brooklyn — the first in recorded history in the borough — it was the huge quantities of rain that flooded basements and stranded rail and road commuters from Mineola to Midtown.

End of the world as we know it? By Carl Macgowan, Newsday, 10:51 PM EDT, August 8, 2007

Sounds kind of like "who could have predicted it?"

Metricon Slides, and Viewed as PR

The slides from MetriCon 2.0 are all posted now. Many good talks in there; I’ll probably comment on some more of them later.

One of the most interesting aspects was to see those with business experience try to explain to those who said "Just tell me what to count!" that counting isn’t enough. If you want business managers and executives and board to pay attention, you need to say what your counts mean.

Chatting with attendees, it became clear some of them interpreted that latter as a call to make up numbers to match whatever you wanted to sell to management. Far from it. The point is to abstract your numbers and to describe them in terms of what they mean to the business.

Count ‘Em All By Hand

I admire Matt Blaze, and I only hope he was being sarcastic in the entire post in which, after pointing out that California just decertified three major voting machine manufacturers due to massive security problems, he wrote:
How to build secure systems out of insecure components is a tough problem in general, but of huge practical importance here, since we can’t exactly stop holding elections until the technology is ready.

The best defense: Ad hominem security engineering. Matt Blaze, Exhaustive Search, 6 August 2007

Well, yes, yes we can.

Metricon: Puzzle vs. Mystery

Here at Metricon 2.0, many interesting talks, as expected.

For example, Russell Cameron Thomas of Meritology mentioned the difference between puzzle thinking (looking only under the light you know) and mystery thinking (shining a light into unknown areas to see what else is out there). Seems to me most of traditional security is puzzle thinking. Other speakers and questioners said things in other talks like "that’s a business question that we can’t control" (literally throwing up hands); we can only measure where "we can intervene"; "we don’t have enough information" to form an opinion, etc. That’s all puzzle thinking.

Which is unfortunate, given that measuring only what you know makes measurements hard to relate to business needs, hard to apply to new, previously unknown problems, and very hard to use to deal with problems you cannot fix.

Let me hasten to add that Thomas’s talk, entitled "Security Meta Metrics—Measuring Agility, Learning, and Unintended Consequence", went beyond these puzzle difficulties and into mysteries such as uncertainty and mitigation.

Not only that, but his approach of an inner operational loop (puzzle) tuned by an outer research loop (mystery) is strongly reminiscent of John R. Boyd’s OODA loop. Thomas does not appear to have been aware of Boyd, which maybe is evidence that by reinventing much the same process description Thomas has validated that Boyd was onto something.

-jsq

ROI v. NPV v. Risk Management

There’s been some comment discussion in about security ROI. Ken Belva’s point is that you can have a security ROI, to which I have agreed (twice). Iang says he’s already addressed this topic, in a blog entry in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI.

Flying Risk

Airport risk management:
It was while waiting to board a transatlantic flight from Heathrow last month, having been asked to show my papers at least six times more than one ever used to be, that a hopeless fantasy took root in my mind. As my handbag was overturned, I recalled reading recently that globally there were an estimated 27m scheduled flights a year. A little further along, as my 120ml bottle of contact lens cleaner was confiscated, I thought how few of them had met a hideous fate at the hands of terrorists. And as I later removed my shoes, recalling that the sole apparent justification for this was that one complete halfwit had failed to set fire to his trainers some years ago, I realised that I was willing to play these odds.

I’d risk flying with terrorists to escape this airport hell, Marina Hyde, The Guardian, 4 August 2007

But did anybody ask her (or us)?