Category Archives: Security

Grow your own fuel?

Whoa, the Seattle Times reports that Washington state is talking about low-interest loans for “biodiesel factories”. Just the fact that they call them factories instead of refineries means they probably are actually hoping that this will take off on a distributed level:

Gov. Christine Gregoire recently proposed low-interest loans for biodiesel factories, and a requirement that diesel sold in the state contain at least some biodiesel. State lawmakers from both parties are vowing to promote similar plans when the Legislature convenes next month. And Congress last summer included a tax credit for biodiesel in its energy bill.

Frankly, this seems very lopsided compared to the information technology revolution that led to the Personal Computer. Companies like Microsoft that kludged together some flimsy DOS system, sold it to a couple big customers and…the rest is history. But the energy age seems to be struggling with generating a reliable source of energy to be converted, rather than the efficiency of doing the conversion itself.

I think growing greens for oils (or processing fish, meat, etc.) might not be the best approach, since you could actually get another use out of the oil first and then process the remaining waste. We still find that each small restaurant produces 20 gallons of waste oil a week, with larger productions reaching 50-100 gallons a week. I will verify that this Friday, but what if you can tap into the waste issues of resort-towns with their close concentration of hotels and affiliated restaurants, or strip malls, or even large malls? It seems best for municipalities and counties to promote that for every 1,000 gallons/week of waste oils they will subsidize establishment of a bio-diesel station. Thus you are not only focusing production of the bio-diesel around a ready supply, but you are also reducing waste/land-fill issues.

I’m not suggesting that farmers shouldn’t grow their own fuel, but it seems to me that it would be better to convert to plain oil and retain flexibility by diversifying output options — they might be able to do a minor conversion to sell to restaurants, manufacturing, energy, etc.

One thing is for certain, beware the opportunists who pose as engineers:

“You have seen a lot of snake-oil salesmen come through with the next best thing,” acknowledged Conklin, the Palouse Biodiesel president.

Both examples in the story (straw-board and beets) illustrate what happens when a concept is marketed and sold as ready for production before it even has been properly tested (quality problems and equipment failures). And because that brings me back to the issues of security in a system development lifecycle (SDLC), I think I’ll categorize this post as security too.

US-CERT on the WMF exploit

At the end of the day I finally received a notice from US-CERT (http://www.us-cert.gov/cas/techalerts/TA05-362A.html):

Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560.

Got that? This is VU#181038, filed under CVE-2005-4560 and available online as TA05-362A. Roger that.

Anyway, they supported the recommendations by F-Secure and Sunbelt:

  • Do not access Windows Metafiles from untrusted sources
  • Block access to Windows Metafiles at network perimeters
  • Reset the program association for Windows Metafiles

I had a brief discussion today with some admins and told them I disagree with the latter recommendation. No one seemed to object, perhaps because it would be such a royal pain to implement thoroughly and it might not even be effective, but who knows at this point. So we’ve rolled out the top two (plus HTTP and SMTP filtering) and are observing traffic.

I posted some of the same info over on Bruce’s blog
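
A gateway filter for the "block access to Windows Metafiles at network perimeters" recommendation above has to recognise the format by content, because an extension check alone misses a metafile delivered under another name. The sketch below is an added example, not code from US-CERT, F-Secure, Sunbelt or this blog; the function names, the `gateway_verdict` policy hook and the sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # on disk: D7 CD C6 9A (optional 22-byte placeable header)
META_HEADER_LEN = 18         # standard METAHEADER size in bytes

def _is_metaheader(buf: bytes) -> bool:
    """True if buf starts with a plausible standard WMF header."""
    if len(buf) < META_HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", buf, 0)
    # type 1 = memory, 2 = disk; header is 9 words; version 1.0 or 3.0
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(data: bytes):
    """Return 'placeable', 'standard' or None based on leading bytes only."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable"
    return "standard" if _is_metaheader(data) else None

def gateway_verdict(filename: str, data: bytes):
    """Hypothetical policy hook: block on WMF content or on a .wmf name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    if kind:
        note = "" if ext == "wmf" else f" under extension '{ext}'"
        return ("block", f"{kind} WMF header{note}")
    if ext == "wmf":
        return ("block", "wmf extension, unrecognised header")
    return ("allow", "no WMF indicators")

# Constructed sample inputs (headers only, no drawing records).
STANDARD_SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_SAMPLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                               1440, 0, 0) + STANDARD_SAMPLE
JPEG_SAMPLE = bytes.fromhex("ffd8ffe000104a464946") + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("chart.wmf", STANDARD_SAMPLE), ("photo.jpg", PLACEABLE_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE)]:
        print(name, gateway_verdict(name, blob))
```

The check reads only the leading bytes, so it suits an HTTP or SMTP content filter that sees the start of a body or attachment before the rest arrives.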

WMF zero day exploit

Latest report is that the exploit installs if you even download or index an infected WMF file. In other words if you use Google Desktop, which automagically touches your media files, then your system will be trojaned faster than you can say “how convenient”. No known patches are available.

F-Secure, as usual, is ahead of the game with a new signature that detects the three variations already in the wild. They also have a pointer to Sunbelt, who has a link to BugTraq.

Sparse information so far, but the early responders seem pretty concerned and are recommending that WMF be filtered and/or all traffic be blocked to the following sites:

Crackz.ws
unionseek.com
www.tfcco.com
Iframeurl.biz
beehappyy.biz

This seems far more serious than a Saudi teen winning a secular talent competition, so let’s hope someone higher-up issues the appropriate fatwa and/or is able to shut down or block traffic at the carrier level.

Watch, but you can’t vote

Reuters said on Monday that a second telecom company in Saudi Arabia will block SMS messages intended as votes for a TV show:

Saudi religious scholars last May condemned the hugely popular talent show aired by Lebanese channel LBC as a crime against Islam when a young Saudi returned to a hero’s welcome after winning in the Lebanese capital Beirut.

The Saudi Telecommunications Co. (STC) made an announcement last January that it would block the messages, based on a religious decision made the prior year. The only other cell company in the country, a UAE-based consortium called Mobily (Etihad Etisalat), is finally following suit:

“We will definitely lose money, but how much, I don’t know,” [Mobily spokesman] Alghodaini said about the decision. “If we don’t (stop messaging) it would backfire on us and affect our brand.”

So, the carriers have been prohibited from profits related to the show, which does not stop the show or other forms of voting. Moreover, this certainly raises an interesting dilemma since the content of the message itself is not the problem but rather the intent of the sender to participate in a form of communication deemed objectionable to the religious leaders. And that kind of standard makes violations hard to find, let alone block.