Category Archives: Security

Masters of War

I was listening to a live performance and was shocked to hear a young guy belting out these old Dylan phrases as if they were freshly inked:

Come you masters of war
You that build all the guns
You that build the death planes
You that build the big bombs
You that hide behind walls
You that hide behind desks
I just want you to know
I can see through your masks

You that never done nothin’
But build to destroy
You play with my world
Like it’s your little toy
You put a gun in my hand
And you hide from my eyes
And you turn and run farther
When the fast bullets fly

Like Judas of old
You lie and deceive
A world war can be won
You want me to believe
But I see through your eyes
And I see through your brain
Like I see through the water
That runs down my drain

You fasten the triggers
For the others to fire
Then you set back and watch
When the death count gets higher
You hide in your mansion
As young people’s blood
Flows out of their bodies
And is buried in the mud

You’ve thrown the worst fear
That can ever be hurled
Fear to bring children
Into the world
For threatening my baby
Unborn and unnamed
You ain’t worth the blood
That runs in your veins

How much do I know
To talk out of turn
You might say that I’m young
You might say I’m unlearned
But there’s one thing I know
Though I’m younger than you
Even Jesus would never
Forgive what you do

Let me ask you one question
Is your money that good
Will it buy you forgiveness
Do you think that it could
I think you will find
When your death takes its toll
All the money you made
Will never buy back your soul

And I hope that you die
And your death’ll come soon
I will follow your casket
In the pale afternoon
And I’ll watch while you’re lowered
Down to your deathbed
And I’ll stand o’er your grave
‘Til I’m sure that you’re dead

Harsh. I think I was expecting something more like Metallica One interpretations from younger generations, but given the Bush administration’s affinity for revisiting mistakes from the 1960s it is easy to see why kids might find poetry of that period most compelling.

Bush administration destroys official records

Whether they are lying or not, it seems unbelievably stupid of the Bush administration to say they have “lost” official records on non-official communication channels:

President Bush’s aides are lying about White House e-mails sent on a Republican account that might have been lost, Senate Judiciary Committee Chairman Patrick Leahy suggested Thursday, vowing to subpoena those documents if the administration fails to cough them up.

“They say they have not been preserved. I don’t believe that!” Leahy shouted from the Senate floor.

[…]

Democrats say the firings might have been improper, but that probe yielded a weightier question: Whether White House officials such as political adviser Karl Rove are intentionally conducting sensitive official presidential business via non-governmental accounts to evade a law requiring preservation – and eventual disclosure – of presidential records.

What person or corporation in this country is going to abide by the plethora of data retention laws meant to protect the rights of citizens when the conduct of this President and his subordinates continues to be so pathetically disrespectful?

MS07-010 Microsoft Malware Detection Exploit

The title is a mouthful, but I was trying to capture the irony of the problem. You know Microsoft still has not solved its core problems when they release security software that introduces security holes into the operating system it is meant to protect.

An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

They say there are no mitigating factors, which I find odd. They often say “do not read HTML-formatted text” is the mitigating factor for email flaws in Outlook. Perhaps they feel “block PDFs” is too strong a statement (stop the business?), but richly formatted email is merely a feature that can be turned off without losing content. Or maybe they do not want to upset their friends at Adobe, whereas there is no corporation to stand up for HTML-formatted email. Interesting that the exploit apparently can escape the local user’s privileges and take over the complete system. Oops.

This vulnerability, credited to Neel Mehta and Alex Wheeler, reminds me of a meeting I once had (well, dinner) with them. They are super nice guys and I found the message they sell very straightforward — don’t do dumb things like repeat simple mistakes when you write software. Quality, not quantity. That sort of stuff. It’s not rocket science, they said.

Did I mention that Vista is also affected?

Again we see that the stakes are so low in the rapid-release style of consumer software management that companies probably figure they can clean up or tidy code later, perhaps even after it has reached millions of users. Bad for us, good for them, as long as there is no backlash, since the risks are captured mainly in externalities. Integer overflows on a rocket (speaking of science) may be a high-profile, explosive and expensive error, but my guess is that if you sum the number of incidents from integer overflow mistakes in desktop software you might come out with a similar total, just distributed. The cost accounting gets really messy when you find viruses written to spread via flaws in the antivirus tools themselves. Try to figure out the ROI on that one, Symantec.