Category Archives: Security

Sheila Bair and the FDIC

In my mind, Kansan conservatives are likely to rub against the Texans. There is far less bravado, and no ten-gallon hat; just speaking frankly and with a dose of common sense. It should be no surprise then to read Sheila Bair shakes up Washington.

“We have different perspectives frequently, and I think that’s a healthy thing,” she said. “You don’t want to get everybody in the room nodding.”

Critics say her record of helping consumers stave off foreclosures is mixed and that she has steered the FDIC into an activist role to the detriment of the agency’s traditional purpose of limiting the damage from failed banks.

“She’s off on a lot of social missions,” said Bert Ely, a banking industry consultant in Alexandria, Va.

Bair, though, said she remains “very much a capitalist.”

“Sometimes people misinterpret that as somehow I’m not a real Republican or something. I very much am. I guess I’m more of a Teddy Roosevelt kind of a Republican … It’s been said that Franklin would be proud of me, but I think Teddy would be proud of me too.”

Why on earth a capitalist and/or a conservative would not be allowed to instigate social missions is a real puzzler. Conservatives can regulate, believe it or not, and Bair makes an excellent argument why. The self-loving ten-gallon hat crowd might spin a good yarn about sunshine, but that won’t change the weather.

My favorite part of this story is how her podium manner affected the financial crowd:

The mortgage industry was sitting on a ticking time bomb and just didn’t get it. Pick up the phone, she said, and talk to borrowers.

“The sense of hostility from that audience was overwhelming,” said Howard Glaser, a Washington-based mortgage industry consultant who sat at Bair’s table that day in October 2007.

“I thought they were literally going to throw their desserts at her.”

Just desserts? Let them eat cake! Wait, that’s backwards. Anyway…

She gave them the Bair facts. Are they afraid of a Bair market? Haha

No doubt Kansas is conservative, but many women in public office from there seem exceptionally open-minded with a firm grasp of common sense. Bair is no exception. Although she is close to the Dole family, she seems a world apart; more like Nancy Kassebaum or Kathleen Sebelius.

Insider attack thwarted at Fannie Mae

The US Department of Justice has released a bulletin describing a Former Fannie Mae Contractor Employee Indicted For Computer Intrusion:

According to the one count indictment and affidavit in support of a criminal complaint previously filed on January 6, 2009, Makwana was a contractor employee, working at Fannie Mae’s Urbana, Maryland facility from 2006 to October 24, 2008. He was a computer programmer proficient in a computer language designed to operate Fannie Mae’s 4,000 computer servers, and was part of a group that created computer scripts for Fannie Mae. As such, Makwana had access to Fannie Mae’s servers throughout the United States.

It is the ultimate insider attack. The accused was operating with system level privileges on all servers in the company. He was terminated two weeks after he pushed a script to Unix servers without prior approval. Fannie Mae apparently allowed him to keep writing scripts, but he was no longer allowed to push them.

The indictment and affidavit allege that Makwana was terminated on October 24, 2008, and advised to turn in all of his Fannie Mae equipment, including his laptop. According to the affidavit, on October 29, 2008, a Fannie Mae senior engineer discovered a malicious script embedded in a routine program. The legitimate and malicious script were removed that day. The engineer and his supervisors ordered a standard lock down of all access to the servers. The indictment alleges that Makwana entered the malicious code on October 24, 2008, and that it was set to execute on January 31, 2009. The malicious code was designed to propagate throughout the Fannie Mae network of computers and destroy all data.

Had the script executed a day or so after termination, Fannie Mae would have been devastated. Instead, the timer was set for a month, which gave other engineers enough time to find the bomb and disable it.

Makwana’s script was set to wipe out all passwords, replace all data with zeros, disable high-availability software including remote power controls, and then shut everything down. Anyone that attempted to log in would see the message “Server Graveyard”. In other words, his aim was to reduce 4,000 servers to blank hardware and require on-site visits to rebuild them. Fannie Mae suggested that recovery from this level of incident would have taken at least a week.

The United States District Court of Maryland has the criminal complaint, which cites Title 18, United States Code, Section 1030(a)(5). I found it at inman.com.

Despite MAKWANA’s termination, MAKWANA’s computer access was not immediately terminated. Access to ABC’s computers for contractor’s employees was controlled by the ABC procurement department, which department did not terminate MAKWANA’s computer access until late in the evening on October 24, 2008.

[…]

The malicious script was at the bottom of the legitimate script, separated by approximately one page of blank lines, apparently in an effort to hide the malicious script within a legitimate script. It was only by chance that SK scrolled down to the bottom of the legitimate script to discover the malicious script. The legitimate and malicious script were removed and placed into an archive file on October 29, 2008.

[…]

SK immediately looked at the logs from October 24, 2008, the date of the creation of the malicious script, and noticed MAKWANA’s username and files accessing the dsysadm01 server, on which the malicious script was created.

The complaint continues with a description of how Makwana used SSH from his laptop at his desk to log in to a development server at 2:53 pm on the day of his termination, just two hours before he turned the laptop in. The complaint also suggests premeditation: a few days before he was terminated he emailed his relatives in India and told them not to travel to the US.
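The concealment the complaint describes (a payload pushed a page of blank lines below a routine script and fused to a calendar date) is easy to scan for once you know the pattern. The following is an added example, not anything from the case or from Fannie Mae; the sample script is constructed and its hidden block is a harmless stand-in for the real payload.

```python
import re

# Constructed sample: a routine housekeeping script whose second block sits
# a full page of blank lines below the visible part, as in the complaint.
SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "# nightly log rotation (constructed sample)\n"
    "find /var/log -name '*.gz' -mtime +30 -print\n"
    + "\n" * 60 +
    "# hidden block (constructed; a harmless stand-in for the payload)\n"
    'if [ "$(date +%Y%m%d)" -ge 20090131 ]; then\n'
    '    echo "Server Graveyard"\n'
    "fi\n"
)

# A shell date substitution compared against a constant with a test
# operator is the classic time fuse for a delayed payload.
DATE_TRIGGER = re.compile(r"\bdate\b.*?\s-(ge|gt|eq|le|lt|ne)\s")

def find_hidden_tail(script, min_gap=40):
    """Return (gap_length, first_hidden_line) when non-blank content follows
    a run of at least `min_gap` blank lines; line numbers are 1-based."""
    lines = script.splitlines()
    run_start = None
    for i, line in enumerate(lines):
        if not line.strip():
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= min_gap:
            return i - run_start, i + 1
        run_start = None
    return None

def find_date_triggers(script):
    """1-based numbers of lines that compare the current date with a constant."""
    return [n for n, line in enumerate(script.splitlines(), 1)
            if DATE_TRIGGER.search(line)]

def scan(script, min_gap=40):
    """Verdict for one script: where a hidden tail starts and which lines
    carry a date-based trigger; None and [] for a clean script."""
    return {"hidden_tail": find_hidden_tail(script, min_gap),
            "date_triggers": find_date_triggers(script)}

if __name__ == "__main__":
    print(scan(SAMPLE_SCRIPT))
```

Run over a repository of operational scripts, a non-empty result on either heuristic is a review queue, not a verdict; the gap threshold should be tuned to the local coding style.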

Bluetooth OBEX Exploit

Although the Microsoft Bluetooth Stack OBEX Directory Traversal reported by Alberto Tablado is interesting, he puts a heavy emphasis on the requirement for pairing before the exploit can work:

There exists a Directory Traversal vulnerability in the OBEX FTP Service in Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories out of the default Bluetooth shared folder. This means the attacker can browse folders located on a lower level, download files contained in those folders as well as upload files to those folders.

The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing up with the remote Windows Mobile device should be enough to get it. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.

That is more than a minor detail. What are the chances you would pair with a device you do not own, know or trust? Pairing with an unknown device is giving that device the key to your data, so would you hand your key to an unknown device? I have done a fair bit of analysis of this and it’s non-trivial. In other words, the likelihood of the exploit working should be low, because the likelihood of a Bluetooth pairing being established with an unknown device tends to be low.
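For the traversal itself, here is an added example (not Microsoft's stack, ObexFTP or anything from the advisory) of a simplified OBEX-FTP-style shared-folder service: with `strict=False` it walks out of the share the way the advisory describes, and with the default it confines every resolved path to the shared root. The shared-folder location, the POSIX-style path model and the SETPATH semantics used here are assumptions.

```python
import posixpath

SHARED_ROOT = "/My Documents/Bluetooth"   # assumed shared-folder location

class SharedFolderService:
    """Serves files beneath one shared root the way OBEX FTP does. SETPATH
    moves the current folder: backup=True goes up one level, then `name`
    descends into a child. strict=False reproduces the reported bug."""

    def __init__(self, root, strict=True):
        self.root = posixpath.normpath(root)
        self.cwd = self.root
        self.strict = strict

    def _check_name(self, name):
        # A name is one folder or file entry: no separators, no dot-dot.
        if self.strict and (name in (".", "..") or "/" in name or "\\" in name):
            raise PermissionError(f"bad name {name!r}")

    def _confine(self, path):
        # The fix: whatever the navigation, the result must stay under root.
        path = posixpath.normpath(path)
        inside = path == self.root or path.startswith(self.root + "/")
        if self.strict and not inside:
            raise PermissionError(f"{path!r} is outside {self.root!r}")
        return path

    def setpath(self, name="", backup=False):
        target = posixpath.dirname(self.cwd) if backup else self.cwd
        if name:
            self._check_name(name)
            target = posixpath.join(target, name)
        self.cwd = self._confine(target)
        return self.cwd

    def resolve(self, name):
        """Path that a GET or PUT of `name` would read or write."""
        self._check_name(name)
        return self._confine(posixpath.join(self.cwd, name))

def allowed(service, name):
    """True if the service would serve `name`, False if it rejects it."""
    try:
        service.resolve(name)
        return True
    except PermissionError:
        return False
```

The backslash check in `_check_name` matters on a Windows target: a POSIX-only normaliser would treat `..\..\Windows` as a single harmless file name.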