Wednesday, December 7, 2005

Data shows overuse of the word 'pandemic' becoming 'global pandemic'

One example:

Isn't "Global pandemic" a bit redundant? Also, is the term "pandemic" even appropriate, or the most appropriate, to describe an Internet-based malady? Pandemic implies distribution over a large geographic area.

Plenty more

And thankfully I found this article criticizing this trend: The 'Pandemic' Epidemic

Sunday, December 4, 2005

DoJ staffers trumped by political arm

Daily Kos: Justice Determined DeLay Redistricting Illegal, Overruled By Political Hacks

More ugliness from the repugnicans made public.

Justice Department lawyers concluded that the landmark Texas congressional redistricting plan spearheaded by Rep. Tom DeLay (R) violated the Voting Rights Act, according to a previously undisclosed memo obtained by The Washington Post. But senior officials overruled them and approved the plan.

Calling BS on the "War on Christmas" News | How the secular humanist grinch didn't steal Christmas

A great article in Salon with actual _facts_ instead of anecdotes. Remember kids, anecdotes is not the plural form of the word data.

one can in fact offer Christmas greetings without legal counsel. Christmas trees are permitted in public schools. (They're considered secular symbols.) Nativity scenes are allowed on public property, although if the government erects one, it has to be part of a larger display that also includes other, secular signs of the holiday season, or displays referring to other religions. (The operative Supreme Court precedent is 1984's Lynch v. Donnelly, where the Supreme Court ruled 5-4 that a city-sponsored Christmas display including a crèche, reindeer, a Christmas tree, candy-striped poles and a banner that read "Seasons Greetings" was permissible. "The display is sponsored by the city to celebrate the Holiday and to depict the origins of that Holiday," the majority wrote. "These are legitimate secular purposes.") Students are allowed to distribute religious holiday cards and literature in school. If the administration tries to stop them, the ACLU will step in to defend the students' free-speech rights, as they did in 2003 when teenagers in Massachusetts were suspended for passing out candy canes with Christian messages.

In fact, there is no war on Christmas. What there is, rather, is a burgeoning myth of a war on Christmas, assembled out of old reactionary tropes, urban legends, exaggerated anecdotes and increasingly organized hostility to the American Civil Liberties Union.

Possible investigation of Oil CEO lying

Lautenberg wants criminal investigation of Oil CEOs

Unbelievable to watch the CEOs lie on CSPAN and unfortunate that it took The Daily Show to point out that the prick who runs the committee prevented the Oil execs from being sworn in. Else they would be guilty of perjury.

I'm glad that my senator from the great state of Washington, Maria Cantwell, was the one who tried to get Ted Stevens (the aforementioned prick) to swear them in.

How not to demolish a building

Funny video of a real life demolition in Sioux Falls, SD that intended to cause the building to fall over but instead just shortened it by about a third.

Geeky Xmas gifts for under $100

MAKE: Blog: MAKE's Mostly Under $100 Gift Guide 2005!

What a cool list. I'm sure I'd enjoy anything on this list--even the PVC pipe (I do have a kitchen remodel coming up...)

Science Toys you can make at home

Science Toys

Make toys at home with common household materials, often in only a few minutes, that demonstrate fascinating scientific principles.

Hours and hours of fun just _reading_ about what you can build.

I've built a couple of the things on the site before. Will have to dig up some of my electronics stuff from the basement!

Nature is beautiful

Atmospheric Optics

Very beautiful photographs and explanations of optical effects in nature.

I never knew there was a "fogbow".

Wednesday, November 30, 2005

<strike>Security In Airlines</strike> Airline Insecurity

When people tried to evacuate during Hurricane Katrina, airline security prevented many from being able to leave before the airport had to be shut down. This is where a threat model would have helped make the right decision in the face of competing risks. And where "zero tolerance" policies really show how they are "zero thought" policies.

Hurricane Security and Airline Security Collide

And if you have recently thought that airline security is too strict, then it is working as intended: it is only designed to make you _think_ that so you will keep flying. If it were really based on a real threat model, you would have a very different traveling experience, and stupid things like confiscating fingernail clippers and metal knives while allowing full glass bottles of alcohol on planes would not happen. My cousin, who was in the army, recently said, "I'd like a terrorist to try to attack me with fingernail clippers." The implication was that he would kick their ass to a bloody pulp before they got anywhere, because that is stupidity masquerading as a threat to airline security.

Here is what happens when a politician says The Emperor Has No Clothes. Good for him to speak the truth. The homeland security budget could be put to use protecting against real threats.

Real threats like the fact that our air traffic control systems have shitty security. It is so bad, they lack cyber security. Oooh.
FAA air-traffic systems lack cyberprotections, GAO finds

Stem cell research breakthrough -- in Korea

WorldNetDaily: Paraplegic breakthrough using adult stem cells

This is truly great news and will be even better if it holds up to peer review and brings about additional breakthroughs. It is proof positive of a couple of things:

  • The critical importance of stem cell research of all kinds for treating serious afflictions and diseases. The research here was done using adult stem cells, but embryonic stem cell research may hold even more promise for finding cures in general.
  • The fact that this breakthrough came from outside the US is a warning of the failure of the US policy on stem cell research and the republicans likening "stem cells" to abortion and creating a false stigma.

In an apparent major breakthrough, scientists in Korea report using umbilical cord blood stem cells to restore feeling and mobility to a spinal-cord injury patient.

The research, published in the peer-reviewed journal Cytotherapy, centered on a woman who had been a paraplegic for 19 years due to an accident.

After an infusion of umbilical cord blood stem cells, stunning results were recorded:

"The patient could move her hips and feel her hip skin on day 15 after transplantation. On day 25 after transplantation her feet responded to stimulation."

No City Official Left Behind

Local officials nearly fall for H2O hoax

They should also make sure that their hand isn't larger than their face or they might have cancer.

ALISO VIEJO, Calif. - City officials were so concerned about the potentially dangerous properties of dihydrogen monoxide that they considered banning foam cups after they learned the chemical was used in their production.

Then they learned, to their chagrin, that dihydrogen monoxide — H2O for short — is the scientific term for water.

Hollywood misleads the press on piracy statistics

Hollywood: Thousands Dead From File Sharing

Statements and statistics from the music, movie and software cartels are about as accurate as their claims that they're honest, hard-working companies with consumers' and performers' best interests at heart.

A couple of years back, the Big Four Organized Music family's RIAA said a raid against a New York counterfeit operation resulted in the equivalent of 421 CD burners being seized.

However, Bill Evans had been told the number was actually 156.

Jon Newton

When he asked for an explanation for the discrepancy, "We stated that the raid was the equivalent of 421 burners, as we need to put these operations in perspective based on burning capacity and output, not the number of physical slots for the discs," RIAA (Recording Industry Association of America) truth adjustment specialist Amy Weiss said.

"Since they burn 4x burners - it is roughly 4xs the numbers of burners."

Good grief. There's more in the article. I don't believe that this is the first revelation of lying with statistics from this industry.

Judges order publishing of breathalyser source code

LiveAmmo Security Blog: Drunk drivers granted access to breathalyser source code

If only I was able to be granted the source code for the laser detector that incorrectly clocked me over the speed limit...

I like it when judges don't treat technology as infallible. In my case, there was not any argument that could detract from the "evidence", not even the likely EMI!

Oh, and let's also demand the same for our voting machines!

"A panel of judges in the Florida county of Sarasota has granted a request by a group of over 150 citizens accused of drink-driving to view the source code of the breathalyser that was used to determine their breath alcohol levels.

Attorneys for the defendants had filed a motion to review the source code for the Intoxilyzer 5000 breathalyzer in October.

'The defendants have established that the source code is material to their theory of defense in these cases,' judges David Denkin, Kimberly Bonner and Judy Goldman wrote in their ruling dated 2 November.

Cardinal rebuffs "Intelligent Design"

Evolution in the bible, says Vatican

The Vatican taking a modern position? Wow. This doesn't make up for their handling of the sex abuse scandals, but it's a positive sign.

THE Vatican has issued a stout defence of Charles Darwin, voicing strong criticism of Christian fundamentalists who reject his theory of evolution and interpret the biblical account of creation literally.
Cardinal Paul Poupard, head of the Pontifical Council for Culture, said the Genesis description of how God created the universe and Darwin's theory of evolution were "perfectly compatible" if the Bible were read correctly.

Penn Jillette: "There Is No God"

NPR : There Is No God

Just in time for the holidays, a piece on what people believe that is not necessarily in the mainstream. A good reminder that not everyone believes the same as you do, especially among the "christian" religions.

Penn Jillette wrote an excellent piece for NPR's "This I Believe" series on why he is "beyond Atheism". Many religious people don't understand or simply don't believe that you can have morals without god but I think that Penn has a very simple model that explains how there are even possible advantages to the atheist moral world view:

Believing there's no God means I can't really be forgiven except by kindness and faulty memories. That's good; it makes me want to be more thoughtful. I have to try to treat people right the first time around.

He also discusses many other advantages to a godless world that are well worth reading, especially if you are religious; not because it should convince you to not be religious but because it can help you understand that it is just as legitimate a position as your religious position. And hopefully soften some of the anti-atheist views held by most of America.

High-tech Safecracking

This link wasn't working at the time of posting, but it is interesting to see how you can use infrared to determine a combination from a recently-used keypad. There must be some equipment that would cost less than $5000 that could do this? I'll have to check the local spy shop.

Richard Stallman "foils" RFID "security"

GNU project founder foils UN security

Glad my passport does not expire for many years to come. Perhaps by then passports won't have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.

FOUNDER of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the information society in Tunis for putting tin foil around his RFID.

Serious flaws in wiretapping equipment

Signaling Vulnerabilities in Wiretapping Systems

Ahh, too bad I don't work for a telecom company anymore (actually, it is good). This might be fun to test out...

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. These countermeasures do not require cooperation with the called party, elaborate equipment, or special skill.

ISAKMP: The standard for incompatibility

Peter Gutmann wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>> engineers who come in and set up their hardware and/or software for
>> them and hand-carry the keys from one endpoint to the other.
>> I guess that's one key management model that the designers never
>> anticipated... I wonder what a good name for this would be,
>> something better than the obvious "sneakernet keying"?
>Actually this is a good thing.

Unless you're the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic
>under those keys. Making key distribution require human

Somehow I suspect that this (making it so unworkable that you have to
carry configuration data from A to B) wasn't the intention of the IKE
designers :-). It's not just the keying data though, it's all
information. One networking guy spent some time over dinner recently
describing how, when he has to set up an IPsec tunnel where the
aren't using completely identical hardware, he uses a hacked version of
OpenSWAN with extra diagnostics enabled to see what side A is sending in
IKE handshake, then configures side B to match what A wants. Once
done, he calls A and has a password/key read out over the phone to set
up for
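The mismatch diagnosis Gutmann describes (read what side A proposes, then make side B match) is mechanical enough to script. As an added example, not code from the page, from Gutmann's post, or from FreeS/WAN or Openswan, the following Python compares two sides' IKE phase-1 proposals, picks the one a responder would accept, and when nothing matches names the attribute that differs. The debug-line format it parses and the proposal lists are constructed for the example; real daemons print proposals differently, and real negotiations also cover lifetimes and vendor quirks that this model leaves out.

```python
"""Added example: side-by-side check of IKE phase-1 proposals.
Not from the page or any IKE implementation; log format is constructed."""
import re
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3des", "aes128"
    hash: str         # e.g. "md5", "sha1"
    dh_group: int     # MODP group number (2 = modp1024, 5 = modp1536)
    auth: str         # "psk" or "rsasig"


# Constructed debug output, one proposal per line, in each side's preference order.
SIDE_A_LOG = """\
ike: proposal enc=3des hash=sha1 group=2 auth=psk
ike: proposal enc=3des hash=md5 group=2 auth=psk
"""
SIDE_B_LOG = """\
ike: proposal enc=3des hash=sha1 group=1 auth=psk
ike: proposal enc=aes128 hash=sha1 group=5 auth=psk
"""

PROPOSAL_RE = re.compile(r"enc=(\w+) hash=(\w+) group=(\d+) auth=(\w+)")


def parse_proposals(text):
    """Parse the constructed debug lines into Proposal objects, keeping order."""
    out = []
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            enc, h, grp, auth = m.groups()
            out.append(Proposal(enc, h, int(grp), auth))
    return out


def negotiate(initiator, responder):
    """The responder accepts the first proposal in the initiator's list it also supports."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)


def explain_mismatch(initiator, responder):
    """When nothing matches, return (initiator_proposal, responder_proposal, differing_fields)
    for the closest pair; the differing fields are the settings to reconcile."""
    best = None
    for a in initiator:
        for b in responder:
            diff = [f.name for f in fields(Proposal)
                    if getattr(a, f.name) != getattr(b, f.name)]
            if best is None or len(diff) < len(best[2]):
                best = (a, b, diff)
    return best


if __name__ == "__main__":
    a, b = parse_proposals(SIDE_A_LOG), parse_proposals(SIDE_B_LOG)
    print("agreed:", negotiate(a, b))          # None: no common proposal
    print("closest:", explain_mismatch(a, b))  # differs only in dh_group
```

In the constructed case the two sides agree on cipher, hash and authentication but not on the DH group, which is exactly the kind of single-attribute mismatch that is invisible when one side only reports "no proposal chosen".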


"cybercrime" treaty is criminal

Fuzzy logic behind Bush's cybercrime treaty | Perspectives | CNET

the Convention on Cybercrime will endanger Americans' privacy and civil liberties--and place the FBI's massive surveillance apparatus at the disposal of nations with much less respect for individual liberties.

Well, it has "cyber" in its name so it must be good... This legislation sounds like a really bad idea without the fix to ensure that requests are only allowed under "dual criminality" situations.

It's really puzzling how the Bush administration would be backing this after they put up such a stink about the US not being dictated to by other countries in environmental laws or by international courts. But since when have they been consistent?

Wednesday, November 23, 2005

Xmas nostalgia

Someone is scanning in the entire Sears 1979 wishbook.

More geeky sex-related content

Just to continue the geeky sex-related Internet content update, you can now get daily doses of customized porn via your RSS reader. Enter Sex By RSS

Two geeky takes on the Kama Sutra

The "Comma Sutra"

via Scrutiny Hooligans

Which reminds me of a related amusing and geeky version:

Linux Sex Positions - The Open Source Kama Sutra

They even have a security-related one: "Position 12 - Piercing the Firewall"

Lawyers gone wild

When Legal Strikes—Chaos Theory Meets DRM

Sadly, as management gets more cautious about legal repercussions, lawyers get a voice in decisions in which they not only have no expertise (such as IT), but in customer-facing initiatives, as well.

Sony's aggressive spyware approach to DRM smells to high hell of the kind of good-intentions-turned-cognitive-dirty-bomb so many Legal-inspired projects descend into.

This is an interesting opinion that I think is only potentially applicable to situations where the lawyer in question is representing the company's explicit interest. I haven't seen this happen in general though--particularly where the corporate lawyers are addressing issues that are _not_ in regards to the company interest (e.g. privacy law).

For the most part, I have seen these lawyers define a very low bar for a company to meet. The same tendency of lawyers to "wield power disproportionate to their duties" (I would use the word "influence" instead of "power") leads to their proclamations being interpreted to mean that the company should only meet the minimum bar. These lawyers are not in the business of suggesting what the company _should_ do, only the minimum of what it _has_ to do. Laws aren't necessarily sufficient or detailed enough to ensure that they are complied with, however. I have had several situations where lawyers undid good security work because they spread the word that the law didn't require the prescribed procedures, even though those procedures were in place to uphold that law. Lawyers seem to wield more influence than security folks, though, so who do you think was listened to?

Common writing mistakes

This post about Grammar Nerds reminded me that I've long wanted to write about some common mistakes I see over and over on the Internet and in emails.

The most common thing that I notice is confusing words that sound somewhat alike but have very different meanings and spellings:

  • conscious/conscience: If your conscience is bothering you, you are conscious.
  • effect/affect: Will poor grammar affect your chances of getting that next job? Missing out on that next job may be the likely effect (outcome) of being sloppy with grammar.
  • console/consul: You can change administrative settings via an application or server console.
  • bare/bear: Bear in mind these grammar rules for next time.
  • there/their/they're:
    They're = They are
    There = refers to a location (e.g. over there)
    Their = a possessive pronoun; used when referring to group possession of a thing or quality
  • your/you're:
    You're = You are
    Your = possessive pronoun; used when referring to someone possessing a thing or quality
  • e.g./i.e.:
    e.g. = exempli gratia (for example); use when providing an example for clarification
    i.e. = id est (that is, or "in effect"); use when providing additional clarifying information, not through the use of an example
  • lose/loose: I always see this one when someone misspells lose as "loose". Playing fast and loose with spelling!
  • mute/moot: When using the phrase "a moot point" or similar ("this may become moot"), moot is the right spelling. Mute refers to remaining silent or being unable to speak.
  • to/two/too:
    Too = also
    two = the number 2
    to = a preposition meaning a variety of things, such as "toward"

There are a ton of sites that go into more detail than this. A simple Google search will find almost all of them. Or just check your favorite dictionary.

Sunday, November 20, 2005

Internet security tips

MD4 and MD5 collision generators

There are still no known attacks against encryption schemes that make use of these hash functions, but anything relying on them for integrity protection should certainly switch to alternate mechanisms.

Sent: Monday, November 14, 2005 10:48 AM
To: [email protected]
Subject: MD4 and MD5 collision generators

I am releasing my collision generators for MD4 and MD5. They have
significant time improvements over the ones described in the papers by Wang, et al.

MD4 collisions can be generated almost instantly, MD5 can be generated
in approximately 45 minutes on my p4 1.6ghz (on average).

-Patrick Stach

Scientists re-invent nature?

BBC NEWS | Science/Nature | Butterfly wings work like LEDs

When scientists developed an efficient device for emitting light, they hadn't realised butterflies have been using the same method for 30 million years.

Oh, the irony

Wired News: Tainted Sony CDs Used Open Source

In short: Sony's ill-conceived, ill-executed, and ill-handled copy-protected CDs, which installed a rootkit on your Windows computer and were supposedly designed to protect artists' rights by preventing unauthorized copying of music, ironically appear to have violated the copyrights of several open source software tools.

Friday, November 11, 2005

"Deep Thoughts" on topics of the day

Daily Kos: Cheers and Jeers: Rum and Coke FRIDAY!

Last weekend we picked up three of Jack Handy's Deep Thoughts books. While he avoids the political (after all, the thoughts are deep), we found some striking parallels to certain people and issues of the day...

More 'Christians' persecuting others who are supposedly persecuting Christians

Pandagon: 'Tis the season to 'persecute' Christians

A couple more years of this hysteria and the use of "Merry Christmas" as shorthand for, "I hate you and everything you stand for because you didn't pass my Christian sniff test, hellbound motherfucker,"

Now that sounds consistent with the loving Christian attitude fostered by Pat Robertson.

Robertson warns Pennsylvania voters of God's wrath - Nov 10, 2005

WASHINGTON (Reuters) -- Conservative Christian broadcaster Pat Robertson told citizens of a Pennsylvania town that they had rejected God by voting their school board out of office for supporting "intelligent design" and warned them Thursday not to be surprised if disaster struck.

Don't you just enjoy how much love and inclusiveness there is at the Holidays? Sheesh.

Alito response to Vanguard conflict of interest shows true character


Alito: "he's an I'm gonna do what I want and fuck you if you think otherwise kind of guy" Nice.

O'Reilly unpacks dead horse from his holiday knick-knacks; begins 2005 flogging

O'Reilly opens new front in "war" on Christmas ... [Media Matters]

O'Reilly is ridiculous and a hypocrite. He is trying to create a controversy where one does not exist and then beat that dead horse senseless. And his issue? "Season's Greetings" and "Happy Holidays" used by businesses around this time of year "absolutely does [offend Christians]. And I know that for a fact."

Here's how he is a hypocrite (one of many ways). It's okay for him to be offended when the Christian aspect is _not_ specifically mentioned, but non-Christians do not get this same right. But this is okay because O'Reilly says, "I don't believe most people who aren't Christian are offended by the words "Merry Christmas." Never mind that this is a baseless position to take. And the possibility that non-Christians could be just as incensed as he is is not only discounted, but he resorts to ad hominem attacks against those non-Christians: "I think those people are nuts. I think you're crazy if you're offended by the words "Merry Christmas."

To summarize:

Christians: Have a right to be offended when Christian-specific language is _not_ used at the holidays and can be offended when inclusive language is used, such as "Happy Holidays".

non-Christians: If they are offended by exclusive language such as "Merry Christmas", they are "nuts" or "nutty customers". Further, businesses should ask, "why do you want them [as customers] anyway?" Not only should exclusive _language_ be used, but business should actually think hard about _actually excluding_ them from the customer base.

He wants to see businesses only address the Christian aspect of the holiday season specifically.

But he then contradicts himself when he says, "the smart way to do it is "Merry Christmas, Happy Hanukah, Season's Greetings, Happy Kwanzaa." So it's okay to say "Season's Greetings" now or isn't it? Clear as mud, but what do you expect?

Wednesday, November 9, 2005

Password Hash Dash

Rainbow Crack is a time/memory tradeoff tool that can break passwords knowing just the password hash. So, those people who still think that disclosing password hashes is not a big deal...

SANS documented and proved, using a modified version of Rainbow Crack, something that I have suspected for a while: that Oracle's proprietary password hashes are weak. There are plenty of good ways to hash passwords, so it's a wonder that people these days still roll their own crypto. The SANS team is releasing an update to Rainbow Crack that can crack Oracle passwords.
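As an added example (not the page's, SANS's, or Rainbow Crack's code), here is a small Python demonstration of the two halves of the point above: a fast, unsalted hash lets an attacker precompute once and reuse the work against every password store, while a per-user salt plus a slow KDF forces the work to be redone per user and per guess. It uses a plain dictionary rather than a real rainbow table's hash chains, and the wordlist and PBKDF2 iteration count are constructed for the example.

```python
"""Added example: why unsalted, fast password hashes fall to precomputation
and why salted, iterated hashing does not.  Not from the page, SANS or
RainbowCrack; wordlist and parameters are constructed."""
import hashlib
import hmac
import os

# Constructed candidate wordlist (the attacker's dictionary).
WORDLIST = ["password", "letmein", "welcome", "tiger", "scott", "manager"]

# Illustrative PBKDF2 cost; production values are tuned to the hardware.
ITERATIONS = 100_000


def unsalted_md5(password):
    """A fast, unsalted hash: identical passwords always give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; reusable against any unsalted store."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(table, stored):
    """One dictionary lookup per stored hash; the precomputation is shared by all users."""
    return {user: table.get(digest) for user, digest in stored.items()}


def hash_password(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_password(password, salt, expected):
    """Constant-time comparison of the recomputed key against the stored one."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, expected)


def crack_salted(words, stored):
    """With per-user salts nothing precomputed applies: every (user, word) pair
    costs a full KDF run.  Returns (recovered, number_of_kdf_runs)."""
    recovered, work = {}, 0
    for user, (salt, dk) in stored.items():
        for word in words:
            work += 1
            if verify_password(word, salt, dk):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    store = {"alice": unsalted_md5("tiger"), "bob": unsalted_md5("correct horse")}
    print("unsalted:", crack_unsalted(table, store))   # alice falls to a lookup
    salted = {u: hash_password("tiger") for u in ("alice", "bob")}
    print("salted:", crack_salted(WORDLIST, salted))  # distinct digests, 8 KDF runs
```

The same password stored twice under salts produces two unrelated digests, so no table built in advance matches either; the attacker's cost becomes users × guesses × iterations instead of a one-time table build.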

New photos of Wonders of the universe

Hubble & Spitzer Space Telescopes on Yahoo! News Photos

Beautiful, wondrous, cool stuff.

This undated infrared image captured by NASA's Spitzer Space Telescope, released by NASA on Wednesday, Nov. 9, 2005, shows colossal pillars of cool gas and dust that provide scientists with an intimate look at the star-forming process. The image reflects a region in space known as W5, in the constellation Cassiopeia 7,000 light years away, which is dominated by a single massive star. (AP Photo/NASA, JPL, CalTech)


Congress may curtail some PATRIOT Act powers

Congress May Curb Some Patriot Act Powers - Yahoo! News

Now that Congress has apparently taken the time to read the PATRIOT Act, they are more likely to do the right thing before voting for it a second time:

WASHINGTON - Congress is moving to curb some of the police powers it gave the Bush administration after the Sept. 11 terrorist attacks, including imposing new restrictions on the FBI's access to private phone and financial records.

A budding House-Senate deal on the expiring USA Patriot Act includes new limits on federal law enforcement powers and rejects the Bush administration's request to grant the FBI authority to get administrative subpoenas for wiretaps and other covert devices without a judge's approval.

"Religious Right" confirms they are Hypocrites

AMERICAblog: Religious right bigots upset that a US Senator called them on their religious bigotry

Yet another reason to love Vermont Senator Pat Leahy.

Primer on Root Causes of the Violence in France - Why Paris Is Burning

Attend or host a Wal*Mart movie screening

WAL-MART Movie Screenings

Attend or host a movie screening of the new film Wal*Mart: The High Cost of Low Price. I'll be attending one in Seattle next Wednesday. Hope to see you there!

Another FEMA and Bush Administration SNAFU

Think Progress » Another Titanic Mistake

The Federal Emergency Management Agency has given the defense contracting agency Titan more than a half million dollars in brand-new contracts for Hurricane Katrina. Here are the top five reasons this was a very bad idea

Read the article for the sickening details about Titan. If Republicans want to do something about the moral climate of America, forget the annoying shit that the FCC is doing and clean house in your own party. Ahh, the ones who throw stones should not live in glass houses...

Democrats, now Press find their cojones

Pandagon: Another painful Scott McClellan ass-whooping

White House press briefings are fun again!

Especially when the White House attempts to revise history again.

The press is starting to do its job for once, but it often discounts and ignores its own role in marketing misinformation about the Iraq war.

The complete toll of the Iraq War

It really miffs me to hear media focus entirely on the number of death-specific casualties of the Iraq war but completely ignore the other horrible casualties. From the McLaughlin Group, 11/4/05:

MR. MCLAUGHLIN: Okay, the human toll: The U.S. military dead in Iraq, including suicides, 2,035; U.S. military amputeed, wounded, injured, mentally ill, 48,100; Iraqi civilians dead, 117,700.

Note to the media: Why don't you ask yourselves why it is only the number of _dead_ servicemen who you choose to highlight? Isn't 48,100 WOUNDED US CITIZENS an even more horrific number? Yes, 2035 dead US Citizens is tragic, but death is not the only tragic consequence for the soldiers.

And what about the Iraqi _deaths_ of 117,700? That's not their wounded count. That's the number of body bags needed or graves to be dug.

Na na na na, na na na na, hey hey hey...

BBC NEWS | Americas | CIA leak probe reporter resigns

Judith Miller resigns. Good riddance.

Tuesday, November 8, 2005

Proof against Intelligent Design: The Kansas school board

In a 6-4 vote, the Kansas school board voted in favor of teaching Intelligent Design in Schools.

Two words: F*cking idiots.

There is some good news in the realm of the New New Creationism though:

Intelligent Design Candidates Voted Out in Penn. Hooray! To show how huge this was, 8 out of the 9 members who voted in favor of ID as an "alternative" to evolution were up for election; all 8 were voted out.

Science & Theology News also has a list of the ID players

Sunday, October 30, 2005

EFF breaks secret tracking "dot code"

EFF: DocuColor Tracking Dot Decoding Guide

This is a breakthrough. It has been rumoured for years that printers and copy machines include secret codes on documents to track them back to the source machine but the EFF now has real evidence and even tools that you can use to perhaps decode your printer's secret tracking information.

This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew "bunnie" Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.

New favorite word: Hoffing

Hackers no hassle: Hoff

More from Oracle's CSO

Wow. Note how she says that she researches "hacking techniques" as well as the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the "big picture" strategic level.

No wonder Oracle continues to have application security and patch quality problems. Their CSO seems too busy hacking the network, writing articles about it, and complaining about how bad vulnerability researchers are, and not busy enough executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.


-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of InfoSec News
Sent: Wednesday, October 19, 2005 12:03 AM
To: [email protected]
Subject: [spam]::[ISN] Davidson: Lessons of warfare for IT security

By Mary Ann Davidson
Oct. 17, 2005

As a security professional, I research the latest issues, threats and
hacking techniques. For pleasure, however, I read mostly military
history, which shapes my view of information security. As a result, I
offer the following lessons from military history for federal agency
information technology security professionals.

Most security professionals attempt to implement programs to defend
all access points because intruders need to find only one way in. But
because agency resources are finite, boundaries typically exceed
resources. To best apply limited resources to maximize defense
success, carefully select your turf.

Risk management approaches to security must move beyond identifying
and defending the most important assets to include an analysis of a
network's strategic points where intruders could attack.

Here are some IT security lessons from military history.

* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of
World War II in the Pacific rim. The victory hinged partly on U.S.
code crackers breaking the JN25 naval cipher to learn that the Japanese
planned to attack Midway. Adm. Chester Nimitz, commander of the U.S.
Pacific fleet, sent two carrier task forces to Midway to ambush the
Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break
ciphers and codes.

Security professionals have many means of defense at their disposal.
Through network mapping, they can determine the landscape of their
networks. Knowing how many systems are locked down and adequately
patched, they can assess their readiness. Using intrusion-detection
systems, they can know the types of probes the enemy has attempted.

But some organizations don't use or act on the intelligence they have.
Many turn off their auditing systems, fail to review the logs or
ignore alarms. A military parallel is Pearl Harbor, the attack in
which the United States ignored radar detecting the incoming Japanese

* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and
extranet access have surged. The model of hardened perimeters and
wide-open interiors is no longer adequate.

During the 1879 defense of Rorke's Drift in South Africa, about 150
British soldiers held off 4,000 Zulus by defending the inherently
indefensible. They created makeshift barricades from grain sacks and
biscuit boxes to secure the perimeter. They had fallback positions and
used them.

Security professionals can learn from this example. A network is not
defensible if attackers breach the perimeter and the rest of the
network is wide open.

Today, administrators segment networks with interior firewalls.
Tomorrow, networks may be able to create dynamic barriers in response
to worm and virus invasions.

Admirals and generals set strategies, but individuals who make
tactical decisions and take the initiative win battles. Every federal
agency employee has a responsibility to make IT security a priority.

Davidson is Oracle's chief security officer.

More PHP web application security tips

Hacks From Pax: PHP Web Application Security - The Community's Center for Security

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

Preventing future threats: not with a "lack of protective imagination"

And, after hurricane Katrina, I would add that on top of a "lack of protective imagination", government continues to suffer as well from "pork barrel security projects" and "visible-but-ineffective security projects" that divert precious resources away from the real or more likely threats.

An unfortunate example of this is how "The federal government will pay the overtime of cops and emergency medical workers if the drill involves an act of terrorism, but it won't if locals rehearse for a natural disaster." So, the government is still making it difficult for localities, such as Seattle, to prepare for _likely threats_ and instead they have to fake it by running drills for the more unlikely terrorism-related scenarios instead. See Is Seattle Really Ready?

The other glaringly apparent issue is that unqualified people are being put into positions of authority in governmental agencies that are in charge of protection and response for natural disasters and other events. I have lost my belief that government can be a reliable first line of assistance; individual citizens and localities have to take matters into their own hands to be prepared, just as you would for a retirement plan. Don't rely on social security, welfare, or unemployment as your sole safety net, and now add governmental response to disasters to that list.

I'm going to be reactivating my local neighborhood disaster preparedness facility, since I can't believe that, if there were any kind of significant event, there could be a reasonable expectation of a decent national response.

Forwarded from: Richard Forno

The London bombs went off over 12 hours ago.

So why is CNN-TV still splashing "breaking news" on the screen?

There have been zero new developments in the past several hours.
Perhaps the "breaking news" is that CNN's now playing spooky "terror
attack" music over commercial bumpers now filled with dramatic
camera-phone images from London commuters that appeared on the Web
earlier this morning.

Aside from that, the only new development since about noon seems to be
the incessant press conferences held by public officials in cities
around the country showcasing what they've done since 9/11 and what
they're doing here at home to respond to the blasts in London... which
pretty much comes down to lots of guys with guns running around
America's mass transit system in an effort to present the appearance of
"increased security" to reassure the public. While such activities are a
political necessity to show that our leaders are 'doing something'
during a time of crisis we must remember that talk or activity is no
substitute for progress or effectiveness.

Forget the fact that regular uniformed police officers and rail
employees can sweep or monitor a train station just as well as a
fully-decked-out SWAT team -- not to mention, they know it better, too.
Forget that even with an added law enforcement presence, it's quite
possible to launch a suicide attack on mass transit. Forget that a
smart terrorist now knows that the DHS response to attacks is to
"increase" the security of related infrastructures (e.g., train
stations) and just might attack another, lesser-protected part of
American society potentially with far greater success. In these and
other ways today following the London bombings, the majority of security
attention has been directed at mass transit. However, while we can't
protect everything against every form of attack, our American responses
remain conventional and predictable -- just as we did after the Madrid
train bombings in 2004 and today's events in London, we continue to
respond in ways designed to "prevent the last attack."

In other words, we are demonstrating a lack of protective imagination.

Contrary to America's infatuation with instant gratification, protective
imagination is not quickly built, funded, or enacted. It takes years to
inculcate such a mindset brought about by outside the box,
unconventional, and daring thinking from folks with expertise and years
of firsthand knowledge in areas far beyond security or law enforcement
and who are encouraged to think freely and have their analyses seriously
considered in the halls of Washington. Such a radical way of thinking
and planning is necessary to deal with an equally radical adversary, yet
we remain entrenched in conventional wisdom and responses.

Here at home, for all the money spent in the name of homeland security,
we're not acting against the terrorists, we're reacting against them,
and doing so in a very conventional, very ineffective manner. Yet
nobody seems to be asking why.

While this morning's events in London are a tragedy and Londoners deserve
our full support in the coming days, it's sad to see that regarding the
need for effective domestic preparedness here in the United States,
nearly 4 years after 9/11, it's clear that despite the catchy
sound bites and flurry of activity in the name of protecting the
homeland, the more things seem to change, the more they stay the same.


Even MORE evidence of PHP becoming the new C


Roll your own High-Entropy (Hardware) Randomness Generator

High-Entropy Randomness Generator

In this paper, we explain how to construct a High-Entropy Randomness Generator, suitable for a wide range of applications, including extremely demanding ones. We will explain and then use some key theoretical ideas:

* We start with a raw input, typically from a good-quality sound card.
* We obtain a reliable lower bound on the raw input’s entropy density (as defined in appendix A). This is calculated based on physics principles plus a few easily-measured macroscopic properties of the sound card. (This stands in stark contrast to other approaches, which obtain a loose upper bound based on statistical tests on the data.)
* We make use of the hash saturation principle, as discussed in section 3.2. The resulting output has essentially 100% entropy density. This is provably correct under mild assumptions.
* We use no secret internal state and therefore require no seed.
* We do not depend on assumptions about “one-way functions”.

We have implemented a generator using these principles. The result is what most people would call a True Random Number Generator. Salient engineering features include:

* It costs next to nothing. It uses the thermal fluctuations intrinsic to the computer’s audio I/O system.
* It emphatically does not depend on imperfections in the audio I/O system. Indeed, high-quality sound cards are much more suitable than low-quality ones. It relies on fundamental physics, plus the most basic, well-characterized properties of the audio system: gain and bandwidth.
* It can produce thousands of bytes per second of output.
* Remarkably little CPU time is required.
* It includes optional integrity-monitoring and tamper-resistance capabilities.
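To make the hash saturation idea concrete, here is an added example (my own code, not the paper's implementation). It shows only the sizing rule: given a lower bound h on the entropy per raw sample, a block of n samples is hashed only when n * h covers the hash output size plus a margin, so the output is saturated with entropy. The per-sample bound, which the paper derives from physics and the sound card's gain and bandwidth, is an assumed input here (2 bits per sample), the 64-bit margin is an assumed value, and read_samples_stub() is a constructed stand-in for reading the sound card, not a real noise source.

```php
<?php
// Added example; not code from the paper. It shows only the hash saturation
// step: how many raw samples must go into one hash invocation so that the
// output carries about 100% entropy, given a LOWER BOUND on the entropy per
// sample. That bound comes, in the paper, from physics plus the sound card's
// gain and bandwidth; here it is an assumed input, and the samples are a
// constructed stand-in for sound-card data, not a real noise source.

const OUTPUT_BITS        = 256;   // SHA-256 output size
const SAFETY_MARGIN_BITS = 64;    // assumed surplus demanded beyond the output size

// Number of samples per block so that n * h >= OUTPUT_BITS + SAFETY_MARGIN_BITS.
function samples_per_block(float $entropy_bits_per_sample): int
{
    if ($entropy_bits_per_sample <= 0.0) {
        throw new InvalidArgumentException('entropy lower bound must be positive');
    }
    return (int) ceil((OUTPUT_BITS + SAFETY_MARGIN_BITS) / $entropy_bits_per_sample);
}

// Condition one block of unsigned 16-bit samples into 32 output bytes.
// Failure mode handled: with too few samples the hash input cannot be
// saturated, so the function refuses rather than emitting weak output.
function condition_block(array $samples16, float $entropy_bits_per_sample): string
{
    $need = samples_per_block($entropy_bits_per_sample);
    if (count($samples16) < $need) {
        throw new RuntimeException("hash not saturated: need $need samples, got " . count($samples16));
    }
    $raw = pack('v*', ...$samples16);   // little-endian 16-bit PCM, as a sound card delivers it
    return hash('sha256', $raw, true);  // no secret state, no seed: output depends only on the block
}

// Constructed stand-in for reading the ADC; a real generator reads the sound card here.
function read_samples_stub(int $count): array
{
    $samples = [];
    for ($i = 0; $i < $count; $i++) {
        $samples[] = random_int(0, 0xFFFF);
    }
    return $samples;
}

$h = 2.0;                                  // assumed lower bound: 2 bits of entropy per sample
$n = samples_per_block($h);
echo "samples per block: $n\n";
echo bin2hex(condition_block(read_samples_stub($n), $h)), "\n";

try {
    condition_block(read_samples_stub($n - 1), $h);   // one sample short: must be refused
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

With the assumed 2 bits per sample, a 256-bit output plus the 64-bit margin requires 160 samples per block; the second call, one sample short, is rejected instead of producing under-saturated output. The point the paper makes is that the only number you must trust is the lower bound h, and that there is no seed or secret state to protect.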

Flashback: More on PHP Security

I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.


-----Original Message-----
From: David Wheeler [mailto:[email protected]]
Sent: Wednesday, August 08, 2001 2:06 PM
To: me
Subject: PHP

Ben Ford said:

>>Don't call it a weakness of the language, call it by its true name:
>> Lazy Programming.

If this was a common problem in other languages, I might agree with you.
But it's not. Essentially all other computer languages do _NOT_ let
attackers set the state of arbitrary program variables to arbitrary
values, and then require programmers to constantly reset
values if they'd like to prevent attackers from controlling them.

I'm not saying that PHP is some horrible, unfixable language.
I've posted to PHP-DEV a relatively simple set of changes that would
make it possible to eliminate the problem, and others have proposed
other approaches. And those who can control their PHP configuration can
obviously do so and eliminate the problem right now for their

Yes, you can write secure applications in PHP. But it requires
herculean effort. It's "obvious" when the application is small
that some variable needs to be unset, that's true, assuming you know to
But once you call functions, you have to have global knowledge of all
global values that the function uses, including the complete transitive
closure of all functions it calls directly & indirectly -- and that
INCLUDES the implementation of the library functions you call. And you have to
redo the analysis when you use a new version of PHP. You could argue
that all PHP developers do this... but I wouldn't believe you.

It's certainly true that all languages have "gotchas".
This one is larger than most (in my opinion), though. And we should be
striving in our computer languages to make it easy, not hard, to write
secure programs.

If some application can be used securely in theory, but its user
interface is so hard to use that it cannot PRACTICALLY be used securely,
then it's still insecure. I argue that the same is true for programming languages.
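The hazard Wheeler describes, as an added example (my own code, not from his message or from PHP's documentation): with register_globals=On, a request parameter became a PHP variable, so any variable the programmer only assigned on one code path could be pre-set by the client. register_globals was removed in PHP 5.4, so extract() is used here purely to simulate the old behaviour; the user name, password and the forged parameter are constructed demo values.

```php
<?php
// Added example, not from David Wheeler's message. It reproduces the
// register_globals hazard he describes: with register_globals=On (removed in
// PHP 5.4), every request parameter became a PHP variable, so a variable the
// programmer never initialised could be pre-set by the client. extract() is
// used below only to simulate that behaviour on a modern interpreter.

// Vulnerable shape: $authorized is assigned only on the success path, so the
// failure path silently relies on it being unset. A request carrying
// authorized=1 pre-sets it before the check runs.
function check_login_vulnerable(array $request_params, string $user, string $pass): bool
{
    extract($request_params);            // stand-in for register_globals=On
    if ($user === 'alice' && $pass === 'correct horse') {   // constructed demo credential
        $authorized = true;
    }
    return isset($authorized) && $authorized;   // client-controlled if never set here
}

// Hardened shape, following the two remedies the thread mentions: run with
// register_globals=Off (the only option in PHP >= 5.4), and initialise every
// state variable before use so no code path depends on a variable being unset.
function check_login_fixed(array $request_params, string $user, string $pass): bool
{
    $authorized = false;                 // explicit initial state on every path
    if ($user === 'alice' && $pass === 'correct horse') {
        $authorized = true;
    }
    return $authorized;                  // $request_params never touches local state
}

// Constructed request that carries a forged flag.
$forged = ['authorized' => '1'];
var_dump(check_login_vulnerable($forged, 'mallory', 'wrong'));
var_dump(check_login_fixed($forged, 'mallory', 'wrong'));
var_dump(check_login_fixed([], 'alice', 'correct horse'));
```

The vulnerable function accepts the forged flag with a bad password, the fixed one does not, and the fixed one still accepts the right credential. This is exactly Wheeler's point: the fix is a one-line initialisation, but spotting every place it is needed requires knowing which globals every called function reads, so the language default, not programmer diligence, is the right place to close the hole.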

Study: Correlation between more sex and more happiness

Planned Parenthood Federation of America, Inc. - Sex And Happiness: What's The Connection?

If I had to choose, I'd choose more sex over wealth even before reading about this study :-)

In a recent preliminary and unpublished study, "Money, Sex, and Happiness," researchers from Dartmouth College and Warwick University (UK) found that people who consider themselves happiest are those who are having the most sex. The study does not claim that having sex causes happiness or vice versa. But of the 16,000 people in the research sample, happiness was associated with sex for both women and men and people under and over the age of 40. And despite the notion that money can buy happiness, researchers found little — if any — connection between increased wealth and long-term happiness.

Federal Judge Rules Pledge Unconstitutional

U.S. District Judge Lawrence Karlton ruled that the pledge's reference to one nation "under God" violates school children's right to be "free from a coercive requirement to affirm God."

Just take the freaking words "under God" out of the pledge that weren't there to begin with and the problem goes away!

Is PHP the new C?

I've been wondering lately whether PHP is much like C from a security perspective: whether an application written in PHP is secure depends on tribal knowledge of "what not to do" with the basic language. Another way to say this is that, like C, PHP gives you plenty of rope to hang yourself if you don't know what you are doing. Which is unfortunate for a language that should be safer by default for use by UI programmers.

This posting from Andrew van der Stock brings up some specific changes to the PHP language that could really help improve security, in the same way that GCC's warnings about insecure functions help with awareness.

-----Original Message-----
From: Andrew van der Stock [mailto:[email protected]]
Sent: Friday, June 24, 2005 10:07 PM
To: Benjamin Livshits
Cc: [email protected]
Subject: Re: Languages/platforms used for Web apps. Any stats?

I don't know of any stats, but if anyone was to make a study, that's
where I'd focus.

However, saying that:

* I review J2EE finance apps used in very large institutions. I find
plenty of problems which need fixing
* I look after a PHP forum, which definitely could improve
* In my previous job, the most vulnerable app I ever reviewed was
written in ASP in VBScript

I don't think the language has much to do with it beyond basic security
posture. PHP could do a lot to redress the problems, for example, by:

* making echo do htmlentities by default, and having a special echo /
print which doesn't in case you really meant to spit out HTML
* deprecating the old function based MySQL drivers (ie warnings when
E_ALL is used) in favor of the MySQLi drivers or PDO which have prepared
* in the next version of PHP, remove support for register_globals and
make url_fopen permanently false
* Remove implicit declarations and add optional strong typing which
really means it

The basic security posture of PHP has been improving, but honestly, it
really depends on the quality of the coders and if they are aware of the
security options open to them. The other thing is that there is a lot of
PHP code out there written in the PHP 3 days which sorta runs okay on
PHP 4 and 5, which shouldn't. PHP 3 really was a security nightmare -
everything in the interpreter was set to be the most insecure possible
posture with maximal attack surface area.
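Two of van der Stock's suggestions (prepared statements via PDO instead of string-built SQL through the old function-based drivers, and HTML-escaping on output rather than a raw echo) are also the two main "gotchas" named in the Hacks From Pax piece above. Here is an added example of both, my own code and not from either source; it assumes the pdo_sqlite extension so it can run against a constructed in-memory table, and the hostile input string is constructed for the demo.

```php
<?php
// Added example, not code from the linked article or from van der Stock's
// message. It shows the two PHP web-app "gotchas" side by side: SQL built by
// string concatenation versus a PDO prepared statement, and a raw echo versus
// escaping at the point of output. Assumes the pdo_sqlite extension.

// Vulnerable: the query text is assembled from request input, so the input
// can change the structure of the statement, not just its data.
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is fixed and the value travels separately, so the
// database only ever treats it as a literal name.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: what van der Stock wanted echo to do by default. Escape every
// untrusted value as it is emitted into HTML.
function render_name(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$input = "x' OR '1'='1";   // constructed hostile input: no user has this name
echo 'vulnerable query returned ', count(find_user_vulnerable($db, $input)), " rows\n";
echo 'prepared query returned ', count(find_user_safe($db, $input)), " rows\n";
echo render_name('<script>alert(1)</script>'), "\n";
```

Run it and the concatenated query returns every row, because the quote in the input closed the string literal and the rest became part of the WHERE clause, while the prepared statement returns none. The escaped output shows the script tag as text rather than markup. Both fixes are mechanical, which is why the thread argues they should be the language's default rather than something each coder has to know.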

Does voting machine technology affect the outcome of elections?

Some interesting results found in a study of 2000-2004 election data.

We first show that there is a positive correlation between use of touch-screen voting and the level of electoral support for George Bush. This is true in models that compare the 2000-2004 changes in vote shares between adopting and nonadopting counties within a state, after controlling for income, demographic composition, and other factors. Although small, the effect could have been large enough to influence the final results in some closely contested states.

They also found:

Touch-screen voting could also indirectly affect vote shares by influencing the relative turnout of different groups. We find that the adoption of touch-screen voting has a negative effect on estimated turnout rates, controlling for state effects and a variety of county-level controls.

Fixes to the PATRIOT act seen as sufficient to address concerns

Appropriate rational commentary on the specifics that need to be changed about the PATRIOT act to address privacy and governmental power and oversight issues.

The Wall Street Journal

November 12, 2004


Patriot Fixes

November 12, 2004; Page A12

The most common charge levied against critics of the Patriot Act -- one
that Alberto Gonzales, the new face of Justice, is likely to repeat in
his days ahead -- is that they're "misinformed." Well, as a former U.S.
attorney appointed by President Reagan, a former CIA lawyer and analyst,
and a former Congressman who sat on the Judiciary Committee, I can go
mano a mano with any law-enforcement or intelligence official on the
facts. And the facts say that the Patriot Act needs to be reviewed and
refined by Congress.

Critics of the Act are not calling for full repeal. Only about a dozen
of the 150 provisions need to be reformed; these, however, do pose
singular threats to civil liberties. Here's how to bring them back in
line with the Constitution.

The two most significant problems are sections 213 and 215. The first
authorized the use of delayed-notification search warrants, which allow
the police to search and seize property from homes and businesses
without contemporaneously telling the occupants. The Justice Department
often claims that this new statutory "sneak and peek" power is
innocuous, because the use of such warrants was commonplace before.
Actually, the Patriot Act's sneak and peek authority is a whole new
creature. Before, law enforcement certainly engaged in
delayed-notification searches, especially in drug investigations.
Importantly, this authority was available in terrorism investigations.
Courts, however, put specific checks on these
warrants: They could only be authorized when notice would threaten life
or safety (including witness intimidation), endanger evidence, or incite
flight from prosecution. It was a limited and extraordinary power.

The Patriot Act greatly expanded potential justifications for delay. The
criminal code now allows secret search warrants whenever notice would
"jeopardize" an investigation or "delay" a trial -- extremely broad
rationales. The exception has become the rule. Congress should remove
that catch-all justification and impose strict monitoring on the use of
these secret warrants.

The other primary problem is the "library records" provision, Section
This amended a minor section of the 1978 Foreign Intelligence
Surveillance Act, which created a specialized court for the review of
spy-hunting surveillance and search requests. This "business records"
section allowed agents to seize personal records held by certain types
of third-parties, including common carriers and vehicle rental
companies. The Patriot Act made two changes to this relatively limited
power: It allowed the seizure of any "tangible thing" from any
third-party record holder (including medical, library, travel and
genetic records); and it removed the particularized suspicion required
in the original statute.

Pre-2001, investigators had to show "specific and articulable facts" --
a standard much lower than criminal probable cause -- that a target was
a spy or terrorist. Now, that already low standard has been lowered
Agents simply certify to the intelligence court that the records desired
are relevant to an investigation -- any investigation -- and the judge
has no real authority to question that assertion, rendering judicial
review meaningless.

Reformers on the left and right want two fixes to this section. First,
reinstall the individualized suspicion requirement. This reflects the
Fourth Amendment notion that the government cannot invade privacy and
gather evidence unless it has reasonable suspicion that one has done
The proposed "fix" would retain the section's broad "tangible things"
scope, but with a safeguard against abuse. The authorities would still
be able to go to a criminal grand jury to demand the production of the
same records, providing additional flexibility for counterterrorism
Second, Congress should require additional reporting requirements.

There are other refinements desired by the Act's critics. The new
definition of domestic terrorism in Section 802 can be used by
prosecutors to turn on an array of invasive new authorities, including
broad asset-forfeiture powers, even when the underlying crime does not
rise to the level of "terrorism." The preferred legislative reform keeps
the definition, but links it to specific crimes like assassination or

Reasonable critics of the expansive provisions of the Patriot Act, on
both sides of the aisle and in both Houses, have introduced legislation
that would implement these modest changes. Far from gutting the Act,
these would secure the important powers of the law, but place modest
limits on their use. For most of us who voted for the Act, what sealed
the deal was the inclusion of provisions that would require us to take a
sober second look at the most contentious provisions in the Act by the
end of 2005, before reauthorizing them. That time is coming, and the
Justice Department does not want to lose the emergency powers it won in
the aftermath of 9/11. But Congress should resist its overtures, move
forward on the sunsets, and enact additional Patriot fixes if it
believes them needed.

Mr. Barr is a former Republican congressman.

Study: Motivations for global terrorism over the past 25 years

This is not so much about Islam vs. Christianity (although I think a lot of wacky Christians are still making this case). Courtesy of Bruce Schneier.

An absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980. "The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland."

His book:

Another reason to cancel your Time magazine subscription

First Ann Coulter on the cover of Time, now a so-called-news story on religion vs. science (which is a false dichotomy IMHO)

"Welcome to Jesusland" Part Deux...

The United States of Almighty-God


Another state to avoid: Kansas

Close to adopting "intelligent design" in Kansas. They're joining Pennsylvania. FYI, there was an update on NPR from Oct 21 about the Pennsylvania case. It may be good that this is not a jury trial. The defense is now bringing on their witnesses about the merits of the "theory" of intelligent design. At least the science teachers at the schools in question had refused to read the ridiculous statement about intelligent design being another "theory" that is out there.

Also good news: 8 of the 9 school board members are up for reelection. More reason to vote in PA so you can vote these people out who pushed ID BS into schools.

A move to adopt guidelines encouraging Kansas schools to teach an alternative to the theory of evolution -- intelligent design -- gains momentum. The Kansas Board of Education has approved a draft of new science standards proposed by supporters of intelligent design. Approval is expected in October.

Acceptable Risk as a euphemism for shifting fraud liability to the consumer

Financial Cryptography: "Acceptable Risk" - a Euphemism for Selling Fraud?

This is a post from a while back but is still relevant to recent discussions about how the financial industry is still shifting the burden of identity theft and fraud to the customers. Bruce Schneier just wrote about this in regards to phishing in the most recent edition of Crypto-Gram as well.

The "acceptable risk" concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to zero today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.

Everything you wanted to know and more on: Teleportation

Teleportation -- Facts, Info, and Encyclopedia article

Teleportation, or teletransportation, is the process of moving objects (or, more likely with present techniques, elementary particles) from one place to another by encoding information about the object, transmitting the information to another place, such as on a radio signal, and creating a copy of the original object in the new location. The notion of teleportation was first conceived in the course of the Golden Age of 20th century science fiction literature by authors who considered necessary a form of on-the-spot intangible conveyance tools to hold up the narratives of their tales.

Top 5 Spam Categories

Security Scoop - NSI Watercooler Stories -

This seems consistent with what I've seen in spam that comes into Spammers and scammers are the scourge.

Top 5 Spam Categories Named
Drum roll please … it’s time to reveal the top five categories of junk e-mail, as tracked by security firm Sophos. The big winner for 2005 so far is medication/pills, which accounts for 41.4% of all spam reports. Next are mortgage offers, which clocked in with 11.1%. That old favorite pornography took the third spot, with 9.5%. Stock scams are growing fast, Sophos says, accounting for 8.5% of all spam thus far this year. In fifth were product-related spam messages, with 8.3%. The remaining 21.2% fall into the “other” category.

Restrictions placed on FBI cellular tracking

FBI Dealt Setback on Cellular Surveillance

Finally some restraint on use of the PATRIOT act powers. Especially in light of recent FOIA documents that EPIC found that show abuses by law enforcement.

The FBI may not track the locations of cell phone users without showing evidence that a crime occurred or is in progress, two federal judges ruled, saying that to do so would violate long-established privacy protections.

Biometrics in ATMs?

InformationWeek > Biometric Security > Privacy Concerns, Expense Keep Biometrics Out Of U.S. ATMs > October 12, 2005

This article is chock full of fun things to comment on.

Ricardo Prieto, who was vice president for system operations at BanCafe when the system was installed, said that at first ATMs failed to recognize fingerprints on the well-worn hands of some elderly customers and laborers such as construction workers.

He said the ATM imaging was improved, and the number of customers whose fingerprints couldn't be read fell from 30 percent to 8 percent.

Wow, that is great progress! Now for a large bank, only 2 million instead of 7.5 million customers will not be able to use my bank's ATMs! Where do I sign?

"Biometrics is certainly the most secure form of authentication," said Avivah Litan, an analyst with Gartner Inc., a Stamford, Conn.-based technology analysis firm. "It's the hardest to imitate and duplicate."

He's right. It is very difficult to "imitate and duplicate" biometrics in ways that could fool sensors.

I also would argue that biometrics is not the most secure form of authentication. Smart cards and tokens are also hard to imitate and duplicate, and in any case this isn't a threat model to be concerned about in general, because in practice nobody uses this factor as the only factor. These are used as part of a two-factor authentication system, which is a much more secure form. For some bizarre reason, biometric holy-grail folks (mostly vendors, I imagine) think that biometrics don't need a second factor. Additionally, biometrics have a nonzero False Acceptance Rate and False Reject Rate (as noted beautifully above) that make them fail in many real-world scenarios. Smart cards don't have that problem.

"The real holy grail in biometrics," said Jim Block, Diebold's director of global advanced technology, "is let's get rid of the PIN so no one has anything to steal anymore."

Let's think about that for a minute. Let's ignore for a moment that this came from Diebold, a foremost authority in voting security. He claims that without a PIN, there would be nothing to steal anymore. Really?

Actually, having a PIN or another second factor can help to thwart these kinds of "steal the biometric" attacks since the biometric by itself is rendered useless. It certainly won't eliminate the threat, but I think it would reduce the likelihood that someone would violently extract the biometric to steal something since they need you alive anyhow to get the PIN or password.

Saturday, October 29, 2005

Friday, October 28, 2005

Keeping eyes on the prize

Daily Kos: Rove's Lawyer Confirms Rove Remains Under Investigation

Hunter is right on. The investigation is still ongoing and ultimately, this country needs to get to the bottom of the core issue of the Valerie Plame leak, which compromised her safety and national security apparently for political purposes.

And a big "FU" in advance to any in the punditocracy who are preparing to write these charges off as something insignificant. It wasn't insignificant during Watergate.

Whether or not Rove is ever charged with anything is less important than simply finding out the facts of what happened in the White House to lead multiple senior officials, Rove and Libby apparently foremost among them, on a press spree outing a NOC agent to at least six Washington journalists.

Friday, October 21, 2005

Must-have Firefox Extensions

I thought it would be good to document the Firefox extensions that I find invaluable:

All-In-One Sidebar
A much nicer integration of common configuration options with the FF GUI at the ready. Also, lets you load up two different pages side-by-side or the source code to a page right next to the site, etc.

Download Statusbar
I find Firefox's separate download manager dialog box kind of annoying. This extension shows all download progress right in the status bar so you don't have to watch multiple windows to track download progress.

This integrates firefox with any currently-installed download manager to quickly perform mass-downloads on pages with a nice right-click context menu.

This is a must-have for security. NoScript allows you to set fine-grained policy on which sites you permanently or temporarily allow to run javascript. You can also use this to block Macromedia flash, but I prefer the Objection extension instead to manage the Local Shared Objects.

Lets you save long form textbox entries locally so that you don't lose them before you submit them. Very handy for blogging or submitting tech support or forum posts and being safe from the "back button" or your browser crashing and losing your posts. No more need to edit in Vi or Notepad and then paste into the site!

Allows you to control Macromedia Flash cookies from the privacy settings window.

On Windows:

IE View
Adds a new right-click context menu item that will let you easily launch those pesky IE-only websites that don't show up in Firefox. Yes, there still are some of those around, unfortunately. Hopefully the launch of IE7 will force many to clean up their sites to the latest standards.

Tuesday, October 11, 2005

Rant on Oracle just not "getting it"

A funny, entertaining, and sad rant about Oracle's inability to do security, in stark contrast to the public claims of their CSO, marketing, etc.

This has inspired others to note, among other comments, that some Oracle vulnerabilities have been open for 768 days!! Oracle even tried to put the cat back in the bag on some other recently disclosed vulnerabilities. They just don't get it. I wonder how much worse off the Internet and the world would be, from a security perspective, if Larry Ellison were in Bill Gates's place.

---------- Forwarded message ----------
From: David Litchfield
To: bugtraq@private, ntbugtraq@private
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect
of their responsibility to their customers

Dear security community and Oracle users,

Many of my customers run Oracle. Much of the U.K. Critical National
Infrastructure relies on Oracle; indeed this is true for many other
countries as well. I know that there's a lot of private information
about me stored in Oracle databases out there. I have good reason,
like most of us, to be concerned about Oracle security; I want Oracle
to be secure because, in a very real way, it helps maintain my own
personal security. As such, I am writing this open letter

Extract from interview between Mary Ann Davidson and IDG

IDGNS: "What other advice do you have for customers on security?"

Davidson: "Push your vendor to tell you how they build their software
and ask them if they train people on secure coding practices. "

Now some context has been put in place I can continue.

On the 31st of August 2004, Oracle released a security update (Alert
68 [ ])
to address a large number of major security flaws in their database
server product. The patches had been a long time in coming
[,1759,1637213,00.asp ] and we fully
expected that these patches would actually fix the problems but,
unfortunately this is not the case. To date, these flaws are still not
fixed and are still fully exploitable. I reported this to Oracle a
long time ago.

The real problem with this is not that the flaws Alert 68 supposedly
fixed are still exploitable, but rather the approach Oracle took in
attempting to fix these issues. One would expect that, given the
length of time they took to deliver, these security "fixes" would be
well considered and robust; fixes that actually resolve the security
holes. The truth of the matter though is that this is not the case.

Some of Oracle's "fixes" simply attempt to stop the example exploits I
sent them for reproduction purposes. In other words the actual flaw
was not addressed and with a slight modification to the exploit it
works again. This shows a slapdash approach with no real consideration
for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in
some triggers; the flaws could allow a low privileged user to gain SYS
privileges - in other words gain full control of the database server.
The example exploit I sent to Oracle contained a space in it. Oracle's
fix was to ignore the user's request if the input had a space. What
Oracle somehow failed to see or grasp was that no space is needed in
the exploit. This fix suggests no more than a few minutes of thought
was given to the matter. Why did it take 8 months for this? Further,
how on earth did this get through QA? More, why are we still waiting
for a proper fix for this?

Here is another class of thoughtless "fix" implemented by Oracle in
Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL
statement as a parameter which is then executed. This can present a
security risk. Rather than securing these procedures properly Oracle
chose a security through obscurity mechanism. To be able to send the
SQL query and have it executed one needs to know a passphrase. This
passphrase is hardcoded in the procedure and can be extracted with
ease. So all an attacker needs to do now is send the passphrase and
their arbitrary SQL will still be executed.

In other cases Oracle have simply dropped the old procedures and added
new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this?
Perhaps the fixes take this long because Oracle pore through their
code looking for similar flaws? Does the evidence bear this out? No -
it doesn't. In those cases where a flaw was fixed properly, we find
the same flaw a few lines further down in the code. The DRILOAD
package "fixed" in Alert 68 is an example of this; and this is not an
isolated case. This is systemic. Code for objects in the SYS, MDSYS,
CTXSYS and WKSYS schemas all have flaws within close range of "fixed"
problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now
October 2005 and there is still no word of when the "real" fixes are
going to be delivered. In all of this time Oracle database servers
have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch
Updates? Unfortunately it is the same story. Bugs that should have
been spotted left in the code, brand new bugs being introduced and old
ones reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the beginning of this
letter, I'm concerned about Oracle security because it impinges upon
me and my own personal security.

What is apparent is that Oracle has no decent bug
discovery/fix/response process; no QA, no understanding of the
threats; no proactive program of finding and fixing flaws. Is anyone
in control over at Oracle HQ?

A good CSO needs to be more than just a mouthpiece. They need to be able
to deliver and execute an effective security strategy that actually
deals with problems rather than sweeping them under the carpet or
wasting time by blaming others for their own failings. Oracle's CSO has
had five years to make improvements to the security of their products
and their security response but in this time I have seen none. It is
my belief that the CSO has categorically failed. Oracle security has
stagnated under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send an email, demand a
better security response; demand to see an improvement in quality.
It's important that Oracle get it right. Our national security depends
on it; our companies depend on it; and we all, as individuals, depend
on it.

David Litchfield
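The letter's central complaint, a "fix" that only blocks the character the sample exploit happened to use while the underlying dynamic-SQL flaw stays put, can be made concrete. The following is an added example, not code from the letter or from Oracle: a helper whose "fix" is a one-character blacklist beside one that validates the identifier against an Oracle-style simple-name pattern (an approximation of what DBMS_ASSERT.SIMPLE_SQL_NAME enforces) and binds the data value; sqlite3 stands in for the database and the employees table is constructed.

```python
import re
import sqlite3

# Approximation of an Oracle simple SQL name (unquoted identifier):
# a letter, then up to 29 characters from [A-Za-z0-9_$#].
SIMPLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")


def setup():
    """Constructed sample database standing in for the real server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees(name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [("alice", 100), ("bob", 200)])
    return conn

def count_rows_blacklist(conn, table, name):
    """The 'fix' pattern the letter describes: reject the one character that
    appeared in the sample exploit, then keep splicing raw input into SQL."""
    if " " in table or " " in name:
        raise ValueError("rejected: input contains a space")
    sql = f"SELECT COUNT(*) FROM {table} WHERE name = '{name}'"
    return conn.execute(sql).fetchone()[0]

def count_rows_safe(conn, table, name):
    """Proper fix: an identifier cannot be a bind variable, so allowlist it;
    the data value is bound, so its characters never reach the SQL parser."""
    if not SIMPLE_NAME.match(table):
        raise ValueError("rejected: not a simple SQL name")
    sql = f"SELECT COUNT(*) FROM {table} WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]

def classify(fn, table, name):
    """Summarise one call: 'ok:<count>', 'rejected' (validation fired) or
    'sql-error' (the input altered the structure of the statement)."""
    conn = setup()
    try:
        return f"ok:{fn(conn, table, name)}"
    except ValueError:
        return "rejected"
    except sqlite3.OperationalError:
        return "sql-error"
    finally:
        conn.close()

if __name__ == "__main__":
    for args in [("employees", "alice"), ("emp loyees", "alice"), ("employees", "a'b")]:
        print(args, classify(count_rows_blacklist, *args), classify(count_rows_safe, *args))
```

A single quote, which the blacklist never looks at, is enough to change what the concatenating helper hands to the parser, while the bound version treats it as plain data; that is the difference between patching an exploit and fixing a flaw.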

RIAA: The New Mafia?

[infowarrior] - RIAA Takes Shotgun to Traders

Hundreds of people are being wrongly sued by the Recording Industry Association of America for illegally trading music online, legal experts say.

Attorneys representing some of the 14,000 people targeted for illegal music trading say their clients are being bullied into settling as the cheapest way to get out of trouble. Collection agencies posing as "settlement centers" are harassing their clients to pay thousands of dollars for claims about which they know nothing, they say.

Last week a judge in Michigan dismissed a file-sharing case against Candy Chan, a mother who testified in court that the user name identified in the suit belonged to one of her children.

In the court report (.pdf), Judge Lawrence P. Zatkoff wrote: "Chan opposed the motion and asserted that the plaintiffs used a 'shotgun' approach to pursue this action, threatening to sue all of Chan's children and engaging in abusive behavior to attempt to utilize the court as a collection agency."


Google Maps + Craigslist = Housing Maps

New Washington State Quarter designs. I think that we should use the state quarter designs to vote states out of the union. I'd say that if you put your best on a quarter and all you can come up with is lame crap like "Birthplace of Aviation Pioneers" (as if one resident's coincidental occupancy of your state were somehow noteworthy), then perhaps we don't need you in the union. That said, Washington's proposals are pretty tame. I do like the salmon, the mountains, and the apples. We are one of the up-and-coming wine regions, though, so perhaps they should pick that instead?

Here's some state quarter commentary:

And pictures of all current state quarters:

PDA + wi-fi + "borrowed connection" + VOIP software = free cell phone.

New Age quotes a coworker is collecting (aka New Age "Wisdom")

Now this is a cool looking device. I would like to do something like this in my house to join network + audio sources. I think that a box running MythTV would be cheaper and better though:

The New New Creationism: Intelligent Design

Several notes on this Intelligent Design crap driving us toward another Scopes trial.

Evolution Lawsuit Opens in Pennsylvania

US President Jimmy Carter, an evangelical Christian:

"As a Christian, a trained engineer and scientist, and a professor at Emory University, I am embarrassed by Superintendent Kathy Cox's [Georgia Public Schools] attempt to censor and distort the education of Georgia's students. The existing and long-standing use of the word 'evolution' in our state's textbooks has not adversely affected Georgians' belief in the omnipotence of God as creator of the universe."

The President continues, with my favorite part of his statement. This is exactly what doesn't make sense about the ID and creationist nuts. There is no incompatibility between science and the general tenets of faith. Perhaps some issues are raised with the strict Biblical account, but add them to the huge list already out there that still does not shake most people's faith, since they pick and choose what to take at face value, what to interpret, what to believe, what is an allegory, etc. anyhow. If you believe that the natural world was created by God for you, then why would you go to great lengths to distort our experience and understanding of the natural world, when the only tool we have for understanding it is the lens of science?

"There can be no incompatibility between Christian faith and proven facts concerning geology, biology, and astronomy. There is no need to teach that stars can fall out of the sky and land on a flat Earth in order to defend our religious faith."

"They're blinding you with NOT science" - Lewis Black on Intelligent Design

I just finished reading Science Friction (ISBN 0-8050-7708-1) which has several essays discussing the interplay between Religion and Science. Chapters 8 and 11 dive into a lot of the fray and Chapter 11 provides "ten arguments and ten answers" against ID which point out the absolute ridiculousness of their position(s). Oh, and the "What type of creationist are you?" is a great one if you run into any proclaimed creationists. There are at least 10 different positions on a continuum so the answer is not binary as many creationists would have you believe and probably believe themselves.

"Open Sesame" opens "High tech" Cockpit doors

The Seattle Times: Business & Technology: Glitch forces fix to cockpit doors

Well, "Open Sesame" works if you say it through a nearby walkie-talkie:

For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But, the doors were not foolproof.

In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn't touched the cockpit door, he heard the sound of its lock operating.

So, other on-board avionics and electronics has to meet strict EMI standards to get on an airplane, but not the new cockpit doors??? Let me guess, the Bush Administration and Congress exempted this new equipment from typical safety and other regulations after 9-11 since those aren't important when there are terrorists out there?