Validation: Semantic or Syntactic

Gunnar posts:

James Clark proposes another way to look at this:

Validity should be treated not as a property of a document but as a relationship between a document and a schema.

From a security perspective the validation relationship is between the document and the allowed characters (white list – strongest) or disallowed characters (black list – weaker).

So which should it be, semantic or syntactic?
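To make the white list / black list contrast concrete, here is an added example (not from Gunnar's or James Clark's posts): a syntactic white list, a syntactic black list, the same black list after Unicode NFKC normalisation, and a semantic check against a constructed schema ("decimal integer in 1..65535"). The allowed alphabet, the forbidden set and the sample inputs are all constructed for the illustration.

```python
import re
import unicodedata

# Syntactic white list: every character must belong to an explicit alphabet.
# The alphabet (letters, digits, "_", ".", "-") is a constructed rule for
# a hostname-label-like field; adjust it to the field being validated.
WHITELIST = re.compile(r"[A-Za-z0-9_.-]+")

# Syntactic black list: only the characters we thought to forbid.
BLACKLIST = frozenset("<>'\";&|")


def whitelist_ok(value: str) -> bool:
    """Accept only if the whole value matches the allowed alphabet."""
    return WHITELIST.fullmatch(value) is not None


def blacklist_ok(value: str) -> bool:
    """Accept unless a forbidden character is present."""
    return not any(ch in BLACKLIST for ch in value)


def blacklist_ok_after_nfkc(value: str) -> bool:
    """The same black list, applied after the Unicode compatibility
    normalisation that a downstream component may perform."""
    return blacklist_ok(unicodedata.normalize("NFKC", value))


def semantic_port_ok(value: str) -> bool:
    """Semantic check: the value must satisfy the (constructed) schema
    'decimal integer in 1..65535', not merely use permitted characters."""
    if re.fullmatch(r"[0-9]+", value) is None:
        return False
    return 1 <= int(value) <= 65535


def verdicts(value: str) -> dict:
    """Run every check on one value so the differences are visible."""
    return {
        "whitelist": whitelist_ok(value),
        "blacklist": blacklist_ok(value),
        "blacklist_after_nfkc": blacklist_ok_after_nfkc(value),
        "semantic_port": semantic_port_ok(value),
    }


if __name__ == "__main__":
    # Constructed samples: clean label, whitespace the black list never
    # considered, a fullwidth "<" that NFKC maps to "<", an out-of-range port.
    for sample in ("web-01", "web 01\n", "ｗeb＜b＞", "99999"):
        print(repr(sample), verdicts(sample))
```

The black list passes the whitespace and fullwidth inputs that the white list rejects, and only fails the fullwidth one once something downstream normalises it; the digits-only "99999" passes every syntactic check and is caught only by the schema.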

Continue reading

Blogger Civility

Doubtless everyone has heard of Tim O’Reilly’s Draft Blogger’s Code of Conduct, which is an attempt to instill (restore? inspire?) civility in blogging. I had some difficulty with the concept from the beginning, since it centers around the "tone of the blogs", which is a vague and very subjective thing. O’Reilly’s draft code of conduct isn’t much less vague and subjective:

We define and determine what is "unacceptable content" on a case-by-case basis, and our definitions are not limited to this list. If we delete a comment or link, we will say so and explain why. [We reserve the right to change these standards at any time with no notice.]

Now if "we" means the individual blogger, fine. However, if "we" means some external authority, well, I have problems with that "we".

Continue reading

Knuth on Patents

This is not exactly news, but it’s still relevant:
Algorithms are exactly as basic to software as words are to writers, because they are the fundamental building blocks needed to make interesting products. What would happen if individual lawyers could patent their methods of defense, or if Supreme Court justices could patent their precedents?

Letter to the Patent Office, From Professor Donald Knuth, February 1994

Dr. Knuth points out that he couldn’t have written TeX, the formatting language used in most mathematical and physics texts, if software patents had been possible at the time.

Patent thickets can become so thick that nothing gets through. That’s not good risk management.

-jsq

Crumbling Infrastructure

Dave Isenberg found this article about crumbling U.S. infrastructure by Bob Herbert in the NYTimes that quotes Felix Rohatyn “the investment banker who helped save New York City from bankruptcy in the 1970s”:
“Since the beginning of the republic,” he said, “transportation, infrastructure and education have played a central role in advancing the American economy, whether it was the canals in upstate New York, or the railroads that linked our heartland to our industrial centers; whether it was the opening of education to average Americans by land grant colleges and the G.I. bill, making education basic to American life; or whether it was the interstate highway system that ultimately connected all regions of the nation.

“This did not happen by chance, but was the result of major investments financed by the federal and state governments over the last century and a half. … We need to make similar investments now.”

Our Crumbling Foundation, By BOB HERBERT, New York Times, April 5, 2007 (transcription)

Obviously we’re not just talking bridges and dams here: U.S. Internet infrastructure is just as bad.

Is letting infrastructure crumble while other countries such as China, India, Japan, and Korea busily invest for the future good risk management? I think not.

-jsq

Boneheaded Risk Management

In an Op-Ed about the demise of albums and record stores and the rise of the downloaded single:

The sad thing is that CDs and downloads could have coexisted peacefully and profitably. The current state of affairs is largely the result of shortsightedness and boneheadedness by the major record labels and the Recording Industry Association of America, who managed to achieve the opposite of everything they wanted in trying to keep the music business prospering. The association is like a gardener who tried to rid his lawn of weeds and wound up killing the trees instead.

Spinning Into Oblivion, By TONY SACHS and SAL NUNZIATO, New York Times, Published: April 5, 2007

Hm, how could that have happened?

Continue reading

Cali Cartel

Dan Geer mentions Microsoft and the Cali Cartel in the same paragraph:
If the U.S. really wants to get Bolivian farmers to stop growing coca, then we’ll have to make growing lettuce in the Continental U.S. illegal (thus pricing up something you can grow in Bolivia’s thin air and chill temps), or we’ll have to outbid the Cali cartel for the crop in full. Ditto Redmond; MSFT can’t keep the exploit writers from doing what they do except by making them an offer they can’t refuse.

With $5B in underutilized cash laying around, it is almost criminal that MSFT hasn’t just cornered the market. Of course, the longer they wait the more the price to buy out the opposition rises and, in fact, that $5B may no longer be enough though there’s no doubt a creative pricing structure would have real effects, such as to pay informants 2X what they pay code jocks.

Punditry: Will Microsoft buy flaws? Ryan Naraine, Zero Day, March 19th, 2007

Dan didn’t say Microsoft is the Cali Cartel, merely that what they’re dealing with in terms of a criminal exploit culture is the equivalent.

Continue reading

SCADA Has Holes!

In addition to foreign manufacturers, very long (decade or more) upgrade times, deployments in odd locations that pretty much require network access by non-net-savvy technicians, etc., SCADA also has another bug:
Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It’s used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.

Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.

Hole Found in Protocol Handling Vital National Infrastructure, physorg.com, 25 March 2007

Neutralbit also claims this is the first remotely accessible SCADA vulnerability, which the smallest amount of googling shows is not true (I leave that as an exercise for the reader). However, they probably have found a real vulnerability.

Continue reading

Newsroom Flees to the Net

Doc Searls, commenting on the newsroom of the Santa Barbara News Press setting up shop online as the Santa Barbara Newsroom:

It’s also odd to see this paper-in-pixels as a Teamsters operation. Yes, I know that what the Teamsters are doing here is a Good Thing. But my hope for the SB Newsroom was to see a new online paper that would carry forward as its own operation, with its own publishing as well as editorial ambitions. What we have here is a new breed that isn’t built to reproduce. Meaning nobody else can use it. It’s unique to Santa Barbara’s bizarre dispute between the owner of a paper and pretty much everyone else — especially its growing diaspora of cast-off employees.

I’m also not sure that the News-Press is a "public trust." It’s a private business, and always has been. Even if the Teamsters succeed in getting these reporters reinstated at the News-Press, I doubt the result will be a better newspaper than they could create fresh on their own. Especially with Wendy McCaw continuing to own the paper.

News-Press-onward, Doc Searls, 4 April 2007

Seems to me it would make more sense for the reporters to start their own newspaper. Meanwhile, the odd conflations of public trust, private business, unions running exile newsroom websites, etc., are more eddies in the storm of confusion caused by the Internet moving like a tornado through the traditional business of newspapers. The biggest risk is pretending that the old business will remain unchanged.

-jsq

30% of Bank Firewalls Misconfigured

This is from Sourcemedia’s Financial IT Security Intelligencer:

During a year’s worth of bank and credit union security audits, audit firm Redspin found that 30 percent of firewall configurations evaluated violated the institution’s own security policy. Not surprisingly, Redspin offers a tool that can detect and remedy these inadvertent holes. The company pins the industry-wide problem on the fact that most IT administrators have wide-ranging responsibilities rather than network engineering focus. To highlight the issue, the vendor is offering free use of an online version of its analysis tool for the next 90 days, available at www.redspin.com/tools

Here’s Redspin’s PR. I don’t have any way to verify this report, but it’s also about what I would expect. Administrators are too busy cleaning the CEO’s laptop of its latest viruses to be ensuring their firewalls work.

-jsq

Postmodern Identity

Gunnar Peterson compiles some realizations by several people that there is no such thing as a unique identity, and people ought to get over that idea and think in terms of attributes. He concludes with:
Hunter S. Thompson said “buy the ticket, take the ride.” But don’t conflate yourself, the ticket and the ride.

Openly IDentify your attributes with Open ID, 1 Raindrop, Gunnar Peterson, 15 March 2007

Don’t confuse the map for the territory; there may be multiple maps, and none of them completely describe the territory. Don’t confuse the sign with the signifier or the signified. Etc.

Information security needs to work itself forward historically from logical positivism at least to semiotics and postmodernism. Understanding what we don’t know and stopping pretending that there is such a thing as an absolute identifier would be good risk management.

-jsq