Category Archives: Security

Word Remote Code Execution (929433)

A Word buffer overflow was just disclosed to the public by Microsoft. The advisory tries to put things in perspective so users know whether they are at risk, and what to do:

In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.

Extreme caution? That must be just above high caution. Would that be a red, or maybe orange warning level? Good general advice, but not very confidence-building. Imagine telling the driver of a car “use extreme caution while operating the vehicle, as we have found something very wrong with the design of your brakes”…

What percentage of attachments are unsolicited? Probably a vast majority of them, I would say, with very little out-of-band confirmation as normal process. And there is no word (pun not intended) on how to reliably identify “malicious” Word files or “attackers” as a normal procedure either. If you scroll down to the more detailed “workaround” advice, you get the same advice, worded only slightly differently:

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Maybe this could be rephrased into “only open or save Word files after confirming from trusted sources that they are safe”? Whitelisting seems easier to me than a fuzzy blacklist, but let’s just hope Microsoft has a patch soon.
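To make the whitelisting point concrete, here is an added example (not code from the original post, and not anything Microsoft's advisory suggests) contrasting the two policies. The file contents, names and digests are constructed stand-ins for real attachments; the allowlist holds SHA-256 digests the recipient has confirmed out-of-band with the sender, the denylist holds digests of samples already known to be bad.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest used to identify an attachment independently of its filename."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample attachments (plain bytes standing in for .doc files).
CONFIRMED_DOC = b"quarterly report, confirmed with the sender by phone"
UNKNOWN_DOC = b"unexpected invoice from a known colleague"
KNOWN_BAD_DOC = b"sample already reported as malicious"

# Allowlist: digests the recipient confirmed out-of-band (assumption: the
# sender read the digest back over the phone or another trusted channel).
ALLOWLIST: Set[str] = {sha256_hex(CONFIRMED_DOC)}

# Denylist: digests of files already known to be malicious.
DENYLIST: Set[str] = {sha256_hex(KNOWN_BAD_DOC)}


def allowlist_decision(data: bytes) -> str:
    """Open only what has been positively confirmed; hold everything else."""
    return "open" if sha256_hex(data) in ALLOWLIST else "hold"


def denylist_decision(data: bytes) -> str:
    """Hold only what is already known to be bad; open everything else."""
    return "hold" if sha256_hex(data) in DENYLIST else "open"


def triage(attachments: Iterable[Tuple[str, bytes]]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (allowlist decision, denylist decision)} per attachment."""
    return {
        name: (allowlist_decision(data), denylist_decision(data))
        for name, data in attachments
    }


if __name__ == "__main__":
    mailbox = [
        ("report.doc", CONFIRMED_DOC),
        ("invoice.doc", UNKNOWN_DOC),
        ("sample.doc", KNOWN_BAD_DOC),
    ]
    for name, (allow, deny) in triage(mailbox).items():
        print(f"{name}: allowlist says {allow}, denylist says {deny}")
```

The interesting row is the unexpected invoice: the allowlist holds it because nobody confirmed it, while the denylist opens it because a crafted file nobody has seen yet is, by definition, not on the list. That gap is exactly what the advisory's "exercise extreme caution" is asking users to close by instinct.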

Famous primates

The 10 Famous Monkeys* in Science page is hilarious. It also has some neat insights, including the description of a risk management approach by the US government in the 1950s:

Never send a man to do a female monkey’s job. That was the logic of the U.S. Army’s Medical Research and Development Department in 1959 when they wanted to gauge the body’s physical response to space travel. Instead of relying on fit, able-bodied Americans, researchers there turned to two highly patriotic gals named Baker (a squirrel monkey) and Able (a rhesus monkey). On May 28, the monkeys steeled their nerves, entered the nose cone of a Jupiter AM-18 missile, and embarked on a suborbital mission into space. It would take two more years before a human male, cosmonaut Yuri Gagarin, had the guts to attempt the same thing.

I also thought the Koko and Nim Chimpsky entries were funny, but you have to read number 10. Power supplies are such a drain…

The decline and fall of practically everybody

That was the title of one of my favorite books a long time ago, written by Will Cuppy. I was reminded of this kind of lighthearted zen theory of the world after I recently read a 2005 interview with Linus Torvalds:

I just don’t believe in dynasties. Things erode over time. Successes start to take themselves for granted, and the successful companies aren’t nimble and hungry enough any more.

In the tech market in particular, companies just don’t tend to stay on top forever — they become irrelevant either because of their own missteps or because their market just isn’t the “happening thing” any more. You can only skate the cutting edge for so long.

So the question is how the decline happens, and in what timeframe. Will open source be a factor? Almost certainly. Will it be the factor? I don’t know.

I understand this from a monolithic perspective, like how the human body ages, but what about rebirth or regeneration? Humans have certainly managed to extend their life expectancy, and the rate of successful birth is higher as well. So in the context of dynasties that use descent to survive, does open source accelerate the decline of a tech company, or alternatively does it allow it to extend its life through facilitating a less risky rebirth?

Tough questions, but Cuppy had some historical pointers in his book on how dynasties go awry:

Agrippina had long been a problem to Nero, always interfering as she did and quarreling about who should be murdered and who shouldn’t. (Ed. Note: Agrippina was Nero’s mother.) Since he owed her everything for murdering Claudius, he had hoped to kill her as gently as possible. He did not want her to suffer, and he went to some lengths to prevent it. He gave her quick poison three times without result, then fixed the ceiling of her bedroom so it would fall and crush her as she slept. Of course that didn’t work. It never does. Either the ceiling doesn’t fall or the victim sleeps on the sofa that night.

Next, he attempted to drown her by means of a boat with a collapsible bottom, but the vessel sank too slowly and she swam away like a mink. Nero then lost his head completely, as who wouldn’t, and told his freedman, Anicetus, to try anything. Anicetus, a rude but sensible fellow, went and got a club and beat her to death. Maybe the Cave Men knew best.

We cannot be sure how many others Nero murdered, since some of the stories are probably mere gossip. You know how it is. Once you kill a few people, you get a bad name. You’re blamed for every corpse that turns up for miles around and anything else that goes wrong.

Ah, Nero. Fiddling while Rome burned also probably hurt his legacy and his chances to remain competitive, at least compared with those upstart civilizations who believed in lower margins for the ruling class.