Category Archives: Security

Windows 2000 SP4 and the missing MS07-051

Anyone else notice that MS07-051 disappeared today? I was working on this vulnerability, when I noticed the link stopped responding. All that remains is the reference from the September bulletin page:

Bulletin Identifier: Microsoft Security Bulletin MS07-051

Bulletin Title: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)

Executive Summary: This critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Maximum Severity Rating: Critical

Impact of Vulnerability: Remote Code Execution

Detection: Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update will require a restart.

Affected Software: Windows. For more information, see the Affected Software and Download Locations section.

Patch if you can.

Canon Camera Hack

Linux.com provides a detailed explanation of how to get the most out of your Canon camera:

If you have a point-and-click digital camera made by Canon, you may be able to turn on all sorts of features usually reserved for more expensive SLRs. That includes live histograms, depth-of-field calculation, under and overexposure highlighting, and — best of all — shooting your pictures in RAW. The secret is CHDK, an enhanced, free software replacement firmware.

Even more interesting than the advanced picture control features is access to the scripting/automation language:

When you get comfortable with CHDK, you can check out user-supplied scripts. CHDK’s scripting environment uses a simple BASIC-like language that lets you write your own scripts to automate camera functions — but not to create whole new features for the camera. User-contributed scripts are available on the CHDK wiki, and implement interesting functions like HDR stacking, focus bracketing, time-lapse movies, and lightning photography.

Whoa, Bessie. How do you trust those scripts? Could there be malicious or mischievous consequences? Despite those risks, I’m now more tempted to buy a Canon (I have traditionally used everything but Canon, with a focus — ha ha — on Nikon and Olympus) than ever before.

Is there a more “top” antioxidant than Guinness?

Researchers continue to find beneficial evidence of antioxidants. The latest BBC story, and one I particularly enjoy, suggests that Guinness is actually good for you, or at least good for your dogs:

The Wisconsin team tested the health-giving properties of stout against lager by giving it to dogs who had narrowed arteries similar to those in heart disease.

They found that those given the Guinness had reduced clotting activity in their blood, but not those given lager.

Lucky dogs.

The researchers told a meeting of the American Heart Association in Orlando, Florida, that the most benefit they saw was from 24 fluid ounces of Guinness – just over a pint – taken at mealtimes.

They believe that “antioxidant compounds” in the Guinness, similar to those found in certain fruits and vegetables, are responsible for the health benefits because they slow down the deposit of harmful cholesterol on the artery walls.

Makes sense to me. Wait, how many mealtimes are there in a day for a dog?

I love the fact that Guinness has changed their slogan from “is good for you” to “responsible drinking”. Perhaps they can modify their slogan only slightly now to “drink what is good for you” to avoid running afoul of EU laws on marketing. Or not.

But I guess my point is that the race to find the best or top antioxidant is a bit confusing. For example, here is an excerpt from a list of the hits on Yahoo! for “top antioxidant”:

  1. Mushrooms beat wheatgerm to top antioxidant slot
  2. Acai Berry Ranked Top Antioxidant SuperFood
  3. Honeydew honeys top antioxidant ratings
  4. Coffee Buzz: Drink Is Top Antioxidant Source in U.S.
  5. Cranberries, the top antioxidant source
  6. Beans, artichokes top antioxidant list, according to new analysis
  7. Top Antioxidants: Beans At Top, With Berries To Follow

See what I mean? Even if Guinness did say “drink what’s good for you”, how would one actually figure it out any better than self-observation and study?

The BBC article makes a sly point to this effect, cleverly buried in their report:

The original campaign in the 1920s stemmed from market research – when people told the company that they felt good after their pint, the slogan was born.

“Feeling” good might be a bit too qualitative for some, but is it any worse than quantitative measures that contradict? And what about side-effects? Coffee? Beans?

Doctors in America often say one drink a day is too many, whereas some older European cultures seem to propose a higher bar and even go so far as to dispel common myths about harm:

Dr Martin Bobak from University College London and colleagues at the Institute of Clinical and Experimental Medicine in Prague questioned 891 Czech men and 1,098 women between the ages of 25 and 64 as part of their study.

[…]

The survey showed the men consumed on average 3.1 litres of beer each week with women drinking on average 0.3 litres per week.

There were few heavy drinkers. Just 3% of men drank more than 14 litres of beer in a week and just five women regularly consumed more than 7 litres in a week.

The scientists found no link between beer consumption and obesity.

14 litres (4 US gallons, 3 UK gallons) of beer in a week?!

So until someone can explain how to achieve the “top” status of foods, here’s to Guinness and to drinking what is good for you.

Are Insiders the Bigger Threat?

I find it unbelievable people still pose this question. Over the years, incident data has been used to suggest that outside attacks on companies are the bigger threat, or that inside attacks are, but somehow in the fray some people have been led to believe that they can still operate with the “candy model” — hard on the outside, soft on the inside.

Some recent news stories have provided fertile evidence of why so-called insiders are as big, if not bigger, threats to system security.

A company that is serious about investigating incidents will know that the more successful they become the more porous their perimeter, and so internal vigilance and controls are essential elements of their very identity.

First, a story of a neo-Nazi group recently tracked down in Israel, based on complaints from victims:

Police discovered the skinhead ring after investigating the desecration of two synagogues that were sprayed with swastikas in the central Israeli city of Petah Tikva more than a year ago, Rosenfeld said.

Police computer experts have determined they maintained contacts with neo-Nazi groups abroad, and materials seized include a German-language video about neo-Nazis in the U.S.

Where was the gap in the perimeter control?

Under Israeli law, a person can claim citizenship if a parent or grandparent has Jewish roots. Authorities say that formulation allowed many Soviets with questionable ties to Judaism to immigrate here after the Soviet Union disintegrated. About 1 million Soviets moved here in the late 1980s and early 1990s.

[police spokesman Micky] Rosenfeld said all the suspects had “parents or grandparents who were Jewish in one way or another.”

[…]

Amos Herman, an official with the semiofficial Jewish Agency, which works on behalf of the government to encourage immigration to Israel, said the phenomenon was not representative of the Russian immigration.

He called the gang a group of frustrated, disgruntled youths trying to strike at the nation’s most sensitive core.

“We thought that it would never happen here, but it has and we have to deal with it,” he said.

Many companies with a comparable situation, when insiders do the unthinkable and essentially turn against their own identity, are highly unlikely to ever reveal or acknowledge the problem let alone discuss it openly in the news.

Next, consider the blog chatter that the GOP has been overrun by (or is representative of?) perverts:

I’m sure an enterprising winger blogger could come up with a similar list of “naughty” Democrats, but I’ve found a nice list that bolsters the assertions I made previously about perversion being endemic in the Republican party.

The absolutely huge list (I lost count after 50) includes everything from allegations to convictions. Even Schwarzenegger’s name is there. It is truly depressing and sad. But the point is that it highlights the problem with banging the perimeter drums while ignoring the fact that security is not a wall with a gate, but rather a mindset based on values that are consistently measured. In other words, if you maintain a shallow gauge to determine foes (e.g. a stereotype of Russian immigrants as bad) then you most likely have an equally shallow gauge to determine friends (e.g. a stereotype of elected Republicans with family values).

The bottom line is that there really is no “inside”, just like the concept of “national” perimeters continues to erode. Good security professionals can help raise the bar in the post-nation-state world and build more reliable trust systems.

What do you base your trust upon?