WMF Update

I guess this is one of those moments where I get to say thank you to those who were the true early responders. Thanks to you I was able to make an accurate as well as timely estimate of the risks and I helped many others take early preventive action. Feels good to have provided a useful service that lowered risk way ahead of the curve.

With that in mind I just received confirmation directly from Microsoft that they have been working on ISPs to block or even shut down sites known to be hosting the WMF exploit code. They also said that a patch may be possible prior to Tuesday, but that doesn’t honestly impress me much since it’s already Thursday, Jan 5th and the hole has been on our radar since at least Dec 28th. I’m not going to look a gift horse in the mouth, so to speak, but we practice defense-in-depth because a patch from the vendor is just one of many controls that need to be in place. Patching a few days early would be great, but I have been holding most systems out from hexblog (except in isolated cases) because of the perceived higher value of rolling thousands of patches cleanly with no side-effects. Risk and trade-offs, eh? So far so good.

MS also mentioned that their security team is trying to put together a list of sites to block. Well, I think many of us have been doing that ourselves since the 28th as well as monitoring traffic based on a set of open-source rules available since the 30th. So I welcome the update from MS, but my guess is that they are tapped into the same sources we are and will just add polish to an otherwise excellent effort by the security community at large. Not so much a value-add as a, “really, you too, no kidding?”

And that just reminds me of the early 1980s when Gates was famous for railing against the BBS operators and public disclosure forums as wasteful amateurs who were harmful to the market. He might want to take a moment and apologize (or maybe even donate to open-source efforts like snort) since it is exactly these community and non-profit forums that have been most helpful in protecting our Windows systems from disaster these past two weeks. Thank you to those who provided the real alert and have been working on this with me in advance of our “official” meeting with Microsoft today.

I had some other questions for Microsoft that they seemed unable to answer, but they said the security team will be calling me back to discuss further. In a nutshell, they’re getting ready to issue a preventive control update, but at this point we’re up to our eyeballs in preventive controls and need to validate the detective end of the spectrum to assess the success of the patch. Trust, but verify, right?

Oh, and I have to admit that we have one confirmed case of One Care cleaning the WMF exploit from a test system, which is very heartening, but I also have to say that the discussion immediately afterwards turned to “Have you tried Vista? No you should test it. No way man, you should test Vista. Not me, I just bought a Mac, you test it…”

Countries have no justification for secrecy

Every once in a while I read the Economist. I used to be a loyal follower through the early 1990s, but I noticed some slight editorial changes towards the end of the millennium and lost interest. Instead, I drifted back to the library where I would grab ancient copies of the magazine, from the 1940s for example, read a few editorials and wonder “how could they have been so smart?”

Today I noticed an article that reminded me of the glory days of the magazine and it set me right down in my chair. It is called “The curse of oil: The paradox of plenty”.

I don’t mean to bore anyone with the details but it sets off with the suggestion that the discovery of oil, which is far more desirable as an export than anything else in a nation, can lead to development slow-downs, damaging financial turbulence, or even repression of freedom in a country.

Graham Baxter at BP says “the curse of oil is a problem that BP recognises, and we have a part to play in helping our hosts deal with this wall of dollar-denominated cash coming into their fragile economies.” But André Madec of Exxon says: “We don’t like to call it the oil curse, we prefer ‘governance curse’. We are private investors, and it is not our role to tell governments how to spend their money.”

Once you peel back some of the layers of free-market versus regulated-market debate, the issue appears to be whether those flush with cash should be authorized to see where their money really goes. Apparently many are starting to say that the books should be open to review. Does that mean they will really want what’s best for those receiving the money? A representative of the World Bank is quoted as saying “countries have no justification for secrecy”:

The push for greater disclosure is, he says, already leading to demands for greater transparency in the power, water and construction sectors. If push really comes to shove, natural resources may yet become what they should be for some of the world’s poorest people: a blessing.

Really? That seems optimistic, especially when the US Administration is still arguing that national security in a war (related to oil, if not for control of it) must be placed above the public’s right to know. And what guarantees are there, even from a pure market standpoint, that the Exxons and BPs of the world will actually give a whip about how the world’s poorest people make do? I think that’s a stretch, but you never know. Things do change.

Oh, and another thing: when was the last time that gas/petrol stations were willing to open their books to the public? I’d like to know how much of my money was going where (taxes, overhead, profit, etc.) so how do I go about getting that information? Come to think of it, I think I’d like to know why prices jump up so quickly on market news but take weeks to go down. Do energy companies have justification for their secrecy?