Happy MS patch Tuesday

Well, twelve patches with nine rated as critical have been officially announced. The list of vulnerabilities is longer than the fixes, so I give MS credit for finding a way to reduce the numbers (ah, the cumulative update). Yet, at least one patch requires a reboot and several deal with exploit code in the wild, so the significance of the vulnerabilities should be reviewed:

Critical

* MS06-040 – Vulnerability in Server Service Could Allow Remote Code Execution
* MS06-041 – Vulnerability in DNS Resolution Could Allow Remote Code Execution
* MS06-042 – Cumulative Security Update for Internet Explorer
* MS06-043 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution
* MS06-044 – Vulnerability in Microsoft Management Console Could Allow Remote Code Execution
* MS06-046 – Vulnerability in HTML Help Could Allow Remote Code Execution
* MS06-047 – Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution
* MS06-048 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
* MS06-051 – Vulnerability in Windows Kernel Could Result in Remote Code Execution

Moderate

* MS06-045 – Vulnerability in Windows Explorer Could Allow Remote Code Execution
* MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege
* MS06-050 – Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution

Report slices into UK government knife amnesty

A charity has some uncharitable words with regard to the government’s actions:

Chris Eades, author of the Centre for Crime and Justice Studies (CCJS) report, said: “Not enough is known about the carrying and use of knives or why people engage in those activities.

“Consequently, the government is constructing responses without any credible evidence that they will be successful.

“Knife amnesties will have a negligible impact since knives will be available as long as there is unsliced bread.

“If the goal of criminal justice policy is to reduce the number of victims and the harm they suffer, we should look at the root causes – the inclination or desire to resort to violence.”

Official statistics show violent knife crime in England and Wales has dropped in the last 10 years.

Sharp and very pointed analysis. The drop is apparently due to an overall decline in the use of knives, rather than to the effectiveness of the government program. But since when does an elected or even appointed official not take credit for positive results, regardless of their involvement or the real cause? Post hoc, ergo propter hoc.

Apple announces archive utility

The BBC has a report about a cool new feature for OS X that provides archive and restore capabilities that are usually found only in large well-run enterprise environments:

Apple has unveiled an auto-save system as part of an upgrade to its operating system (OS) designed for the Macintosh.

The Time Machine is a new feature in its forthcoming OS release, called Leopard, and lets users set auto-saves to hard drive or to online servers.

Files and folders can be backed up and it also lets users search for files overwritten or altered in the past.

Excellent idea, but I wonder how they plan to handle the security of the archives. Can you encrypt them and, if so, how would you rotate and/or revoke the keys? Is there a secure-wipe function? I also wonder whether the “alteration” detection is based on digests and, if so, whether the same capability will be made available to the running OS to detect suspicious activity.

Auto Safety Engineering versus Marketing

A link to a spectacular crash video has been circulating on the web that shows a BMW M3 racing on the Mid-Ohio Sports Car Course fly up into the air and do eight “end-o’s”, completely destroying the front end and spraying its fluids as it goes.

Safety in these race cars is highly regulated now, with roll cages, five-point seatbelts and the infamous HANS device. This video gives an idea of why these enhancements are necessary.

But even more to the point, here is an interview with the driver, Joey Hand, after the accident:

When it was all said and done, I came to a stop upside down. I was still in the seat, and the first thing I noticed was my right shoe was off. I blew my right shoe off and my right glove somehow. I unbuckled myself and fell down out of the car onto the roof. There was fuel running down my back and into the roof of the car, and oil and stuff. The corner workers were yelling to get out of the car because it was going to catch fire, and I couldn’t get out because my HANS device was stuck in the window net, and the window was smaller than normal.

I went back in and tried to get my helmet off and then they called me back out again, and then they finally got me out with my HANS and everything on. I just climbed out and laid against the wall. We were too close to the car, still, so they dragged me up the way and worked on me from there.

Right now, I’m just pretty lucky, I think. When I was hitting every time, I thought it was sure that I was going to have broken legs and arms and stuff. But right now, all I’ve got is a badly-bruised right elbow and really sore back and neck, left foot, right groin and things like that hurt.

All-in-all, I can walk up and down pit lane and I really did not think I was going to be walking. I didn’t think I’d walk out of the hospital last night, for sure. I got out of the hospital at about 1:00 in the morning and went straight to Steak ‘n Shake and got myself a chocolate shake and a double Steak ‘n Shake burger with fries and chili.

You have to watch this video and then marvel at the safety engineering.

The driver gives even more credit to the teams that implemented the safety devices:

Number one, right from the get-go, BMW Motorsport builds these cars with a roll cage in them. They come to PTG that way, and then PTG reinforces and does even more stuff to them. Number one, I think the guys at PTG, the fabricators, especially James Stevens, I know for a fact that I’m going to give him a hug, because these guys weld this cage together and it withstood a wreck it shouldn’t have withstood as far as everybody’s concerned.

That’s a big thing, and also the preparation by the Connolly guys. I mean, the belts stayed intact, the seats stayed intact and all the safety equipment stayed intact. If you don’t have that stuff, you don’t survive or you don’t come out walking away. The preparation from PTG to Connolly is probably what saved me.

OK, now on to the total opposite end of the spectrum.

I was just reading a magazine and was startled to find an advertisement from Mercedes (for their Tele Aid service) that says (yes, in all upper-case):

THERE’S NO GREATER LUXURY THAN A SENSE OF SECURITY.

My first thought is with the race-car driver. Did he have a sense of security that allowed him the luxury of driving at such high speed? Can a sense of security really be the greatest luxury?

And then it hits me: this is total nonsense. Absolute BS about security that can actually be harmful by changing driver behavior for the worse.

To prove my point, I think I just need to lock the advertisement executives into a high-security jail cell for a few days.

In fact, I bet you can lure them into the cell by telling them they have just won three free nights in the greatest luxury suite of their life…

I would have made the advertisement say “there’s no greater luxury than a sense of freedom”, although I think I would be careful to steer clear of the “Hard work makes you free” marketing (e.g. Nazi death camp’s “Arbeit Macht Frei”).

It seems to me freedom is something beneficial that can come from security — the freedom to take risks — but the concept of security by itself does not mean luxury.

The failure of the ad agency to make this distinction is downright scary to me, as a false sense of security will probably get someone killed. I hope this is not a sign of the times, since I would hate for people to think that maximum security detention is a wonderful place to be sent.

Or, in other words, I prefer this sort of real-world data on safety to this shallow propaganda.

Don’t get me wrong, I think Mercedes does a bang-up job (pun intended) with their safety research (who else would put sensors in the front grille to note when the car in front is stopping and bring you to a halt as well?), but I’m just sadly disappointed with their marketing.

Do eight airbags really need to be compared to women’s breasts to convey an image of safety?

Makes you wonder if their target market is wealthy autocrats who like large breasts; the type of person who might not object to the idea of a police state since they expect to be the ones giving orders.

And that, quite frankly, is not a good image for security, or for a German car company.
