Category Archives: Security

WMF Update

I guess this is one of those moments where I get to say thank you to those who were the true early responders. Thanks to you I was able to make an accurate as well as timely estimate of the risks and I helped many others take early preventive action. Feels good to have provided a useful service that lowered risk way ahead of the curve.

With that in mind I just received confirmation directly from Microsoft that they have been working on ISPs to block or even shut down sites known to be hosting the WMF exploit code. They also said that a patch may be possible prior to Tuesday, but that doesn’t honestly impress me much since it’s already Thursday, Jan 5th and the hole has been on our radar since at least Dec 28th. I’m not going to look a gift horse in the mouth, so to speak, but we practice defense-in-depth because a patch from the vendor is just one of many controls that need to be in place. Patching a few days early would be great, but I have been holding most systems out from hexblog (except in isolated cases) because of the perceived higher value of rolling thousands of patches cleanly with no side-effects. Risk and trade-offs, eh? So far so good.

MS also mentioned that their security team is trying to put together a list of sites to block. Well, I think many of us have been doing that ourselves since the 28th as well as monitoring traffic based on a set of open-source rules available since the 30th. So I welcome the update from MS, but my guess is that they are tapped into the same sources we are and will just add polish to an otherwise excellent effort by the security community at large. Not so much a value-add as a, “really, you too, no kidding?”

And that just reminds me of the early 1980s when Gates was famous for railing against the BBS operators and public disclosure forums as wasteful amateurs who were harmful to the market. He might want to take a moment and apologize (or maybe even donate to open-source efforts like snort) since it is exactly these community and non-profit forums that have been most helpful in protecting our Windows systems from disaster these past two weeks. Thank you to those who provided the real alert and have been working on this with me in advance of our “official” meeting with Microsoft today.

I had some other questions for Microsoft that they seemed unable to answer, but they said the security team will be calling me back to discuss further. In a nutshell, they’re getting ready to issue a preventive control update, but at this point we’re up to our eyeballs in preventive controls and need to validate the detective end of the spectrum to assess the success of the patch. Trust, but verify, right?

Oh, and I have to admit that we have one confirmed case of One Care cleaning the WMF exploit from a test system, which is very heartening, but I also have to say that the discussion immediately afterwards turned to “Have you tried Vista? No you should test it. No way man, you should test Vista. Not me, I just bought a Mac, you test it…”

Countries have no justification for secrecy

Every once in a while I read the Economist. I used to be a loyal follower through the early 1990s, but I noticed some slight editorial changes towards the end of the millennium and lost interest. Instead, I drifted back to the library where I would grab ancient copies of the magazine, from the 1940s for example, read a few editorials and wonder “how could they have been so smart?”

Today I noticed an article that reminded me of the glory days of the magazine and it set me right down in my chair. It is called “The curse of oil: The paradox of plenty”.

I don’t mean to bore anyone with the details but it sets off with the suggestion that the discovery of oil, which is far more desirable as an export than anything else in a nation, can lead to development slow-downs, damaging financial turbulence, or even repression of freedom in a country.

Graham Baxter at BP says “the curse of oil is a problem that BP recognises, and we have a part to play in helping our hosts deal with this wall of dollar-denominated cash coming into their fragile economies.” But André Madec of Exxon says: “We don’t like to call it the oil curse, we prefer ‘governance curse’. We are private investors, and it is not our role to tell governments how to spend their money.”

Once you peel back some of the layers of free-market versus regulated-market debate, the issue appears to be whether those flush with cash should be authorized to see where their money really goes. Apparently many are starting to say that the books should be open to review. Does that mean they will really want what’s best for those receiving the money? A representative of the World Bank is quoted as saying “countries have no justification for secrecy”:

The push for greater disclosure is, he says, already leading to demands for greater transparency in the power, water and construction sectors. If push really comes to shove, natural resources may yet become what they should be for some of the world’s poorest people: a blessing.

Really? That seems optimistic, especially when the US Administration is still arguing that national security in a war (related to oil, if not for control of it) must be placed above the public’s right to know. And what guarantees are there, even from a pure market standpoint, that the Exxons and BPs of the world will actually give a whip about how the world’s poorest people make do? I think that’s a stretch, but you never know. Things do change.

Oh, and another thing: when was the last time that gas/petrol stations were willing to open their books to the public? I’d like to know how much of my money was going where (taxes, overhead, profit, etc.) so how do I go about getting that information? Come to think of it, I think I’d like to know why prices jump up so quickly on market news but take weeks to go down. Do energy companies have justification for their secrecy?

Will Galileo be secure?

I’ve been reading many of the Galileo reports and wondering where the privacy advocates are. For example this BBC report suggests all the amazing things that will come about when your every move in a vehicle can be pinpointed. I understand why some would argue that they should be able to pay more for faster routes, even if I disagree, and I can even get behind the suggestion that emergency services may be more effective with more accurate location data. But what about privacy? If you opt-in are you agreeing to give up any critical rights (like beverage marketing companies can buy your data and then send you spam/ads because you spent 10 minutes parked outside the MoonCoin coffee shop)? And can you opt-out temporarily to have different levels of exposure, or just to leave the “mapped” world, like the opening scene in the movie Until the End of the World?

This seems like a rather naive statement:

Drivers would use a small keyboard to enter certain parameters at the beginning of a journey, such as how many passengers were on a coach, or whether a lorry was carrying hazardous chemicals.

This from the country that tried to tax people based on the number of windows in their house and then found everyone bricking up the windows? Something tells me that it will not be sufficient to expect people to self-report if there is any doubt about risk, such as taxes or fees. In other words, the average driver will do what anyone might and say “what’s in it for me” even if they are told it is the proper practice.

This is a much more logical take on the uncertainties ahead:

It’s fine having a company process all the data from each country and tell you how much you owe; but if you get a bill for a road you haven’t driven on at a time of day you weren’t there, what’s the recourse for getting your money back?

Indeed.

Honey, please light the Ethanol

A design group has come up with the perfect solution for those people who want the appearance of a fire, while reducing the risk of poisonous fumes and the mess of combustion. It is called “EcoSmart Fire” to emphasize how smart it is to have an Ethanol flame burning in your house.

My first questions were, of course, what is the actual heat output of this thing and whether it is practical to assume a ready supply of denatured ethanol. Unfortunately this is probably the wrong approach to this new technology — finding a way to enhance the ambiance of a space already running on central heat seems to be the main point, with only a very basic level of practicality, safety, and sustainability in mind.

Nonetheless, I found that the FAQ says the flame can “produce 14Mj/h equivalent to 13000BTU”. Not bad for a small room. Come to think of it the average PC power-supply generates about 1500BTU to 2500BTU but even if you ran five or so PCs to keep you warm you would still be on the grid and you couldn’t “safely” burn stuff. On the other hand, if you live in more than a 500 sq/ft bungalow you might need to invest in a lot of small fires, which just begs the question of whether you can run these fires from a centralized control system to manage output, burn-rate, etc. or if you are just supposed to set up a fire on its own in each room, as the Victorians did.

The marketing blurbs claim this really uses a renewable energy as the source of fuel, but burning wood is like burning ethanol in that regard, eh?

In fact I read that Alaska’s Senate passed a law recently (bill 337) to promote creating ethanol by processing waste wood with fish parts. So the comparison must be intended for petroleum or natural gas based fireplaces, not wood fires. Is that a big market?

Come to think of it I’m wondering why someone hasn’t yet figured out a way for restaurants to recycle their own cooking oil into beautiful and fiery displays of ambiance. And if ethanol is actually available, then just mix it with the waste oil from food preparation and you end up with a convenient fuel for running your fireplaces as well as your vehicle…biodiesel.