Petrov Day

26 Sep 2007

I’ll thank Tene for pointing me at this one:

Take a look at http://www.overcomingbias.com/2007/09/926-is-petrov-d.html. This was probably one of the most important moments and one of the best decisions anyone ever made in the entirety of the 20th century.

Petrov decided not to destroy the world just because a bunch of flashing lights told him that five (that’s right, only five) US missiles might be heading towards the USSR.



sign-lots-o-keys

11 Sep 2007

On the last day of the Utah Open Source Conference 2007 (UTOSC), there was a PGP/GPG key signing party, hosted by Scott Paul Robertson. It was good to be able to get set up to properly sign so many keys, but it did give me a little problem: I needed to sign everyone’s keys with each of my 4 active keys. That would have been over 100 times running the gpg command. Sounds like something begging to be scripted, so I did.

I’m posting the script, which is still very rough, as I didn’t bother taking any time when I whipped it up last night to take care of everything that it really should be doing. Still, I’ll work on it here and there, I’m sure. You can download it from http://www.openbrainstem.net/download/sign-lots-o-keys. If you feel like making some fixes, post your patches (please, create them as a unified diff file, if you wouldn’t mind) and put a link in the comments here and/or on your own blog.

Enjoy!
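The batch of gpg runs described above, as an added example; this is not the sign-lots-o-keys script from the download link, just a POSIX shell helper that signs every target key with every one of your signing keys, one gpg invocation per pair, and skips the pair where signer and target are the same key (that key already carries its own self-signature). It assumes gpg is on PATH, that gpg-agent supplies the signer keys’ passphrases when it runs for real, and that key IDs or fingerprints are passed as space-separated lists; the DRY_RUN=1 switch is a convention of this example only, and prints the commands so the pairing can be reviewed before anything is signed.

```shell
#!/bin/sh
# Added example (not the author's sign-lots-o-keys script): sign every target
# key with every one of your signing keys, one gpg invocation per pair.
#
# Assumptions: gpg is on PATH; when run for real, gpg-agent supplies the
# passphrases for the signer keys; DRY_RUN=1 (a convention of this example)
# prints the commands instead of running them.

# Print the gpg command line for one (signer, target) pair.
sign_cmd() {
    printf 'gpg --batch --yes --local-user %s --sign-key %s\n' "$1" "$2"
}

# sign_all "SIGNER ..." "TARGET ...": loop over every pair, skipping the case
# where a key would sign itself (it already has its own self-signature).
# Prints each command in dry-run mode; otherwise runs it.
sign_all() {
    signers=$1
    targets=$2
    for s in $signers; do
        for t in $targets; do
            if [ "$s" = "$t" ]; then
                continue
            fi
            if [ "${DRY_RUN:-0}" = 1 ]; then
                sign_cmd "$s" "$t"
            else
                # Stop on the first failure so a bad key ID is noticed rather
                # than silently skipped for the remaining pairs.
                gpg --batch --yes --local-user "$s" --sign-key "$t" || return 1
            fi
        done
    done
}

# pair_count "SIGNER ..." "TARGET ...": number of signatures sign_all will make.
pair_count() {
    n=0
    for s in $1; do
        for t in $2; do
            [ "$s" = "$t" ] || n=$((n + 1))
        done
    done
    echo "$n"
}

# Command-line use:  sign-lots-o-keys "SIGNER1 SIGNER2" TARGET1 TARGET2 ...
main() {
    signers=$1
    shift
    echo "Making $(pair_count "$signers" "$*") signatures on $# key(s)" >&2
    sign_all "$signers" "$*"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact list of signer/target pairs, then without it to sign. Since --batch prevents gpg from prompting, the agent has to be able to unlock each signer key; a key whose passphrase is not cached will make that pair fail and stop the run.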



Gun-Shaped Notebook Battery

18 Aug 2007

Poor Ben Forta. The fact that he actually struggled to get through airports for a while before figuring this out seems rather strange to me. How could he be the only one? Why have none of my co-workers (at least, to my knowledge) had similar troubles with their ThinkPad notebooks?

It seems that several TSA inspectors at several different airports were mistaking the laptop battery for a possible gun in Ben’s notebook bag as it went through X-Ray scanners.



IRS Security Troubles

16 Aug 2007

Simply, inexcusably amazing.

The recent MSNBC story, “Computer security problems found at IRS,” discusses security problems found at the IRS. One of the more interesting items:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

But even more disturbing:

Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.



Commercial eVoting Security Problems Abound

15 Aug 2007

Recently, California’s Secretary of State was required to perform a security screening of the eVoting systems that the State of California is thinking of/planning to use. The California Secretary of State appears to have been highly opposed to this outside audit process, according to information found within the official reports (the site has lots of links to very interesting documents, most of which are well worth the reading).

Matt Bishop’s comments on the nearly total lack of cooperation the California Secretary of State’s office gave to the review process are utterly amazing. It’s good to see that Debra Bowen (California’s Secretary of State) has now taken the step of decertifying, disapproving all previously approved eVoting systems.

Avi Rubin has some excellent comments on the whole eVoting situation.

The State of Florida is getting into the act, reporting on their own security reviews of commercial eVoting systems (PDF). In this letter to Diebold (PDF) which the State of Florida has published, they give Diebold an ultimatum:

Based on the report, the Bureau of Voting systems Certification has determined that certain vulnerabilities outlined must be corrected by August 17, 2007, to continue this certification. Failure to do so will result in a denial of certification.

There are 3 pages of required fixes attached to that letter.

The U.K. Electoral Commission recently released their report detailing serious security flaws in eVoting systems.

Electronic voting is a hard problem, but that doesn’t excuse Diebold Election Systems, Inc., Hart InterCivic, Sequoia Voting Systems and Elections Systems and Software, Inc. from their demonstrated complete lack of fundamental understanding of how to secure … well, anything. In particular, they’ve all shown that they have no one with even the first clue of how to either implement or apply cryptography correctly.

Applause goes to both Florida and the U.K. for recognizing bad vendor crap in the first place. An extra-hearty ‘atta-girl’ goes out to Debra Bowen in California for throwing out approvals and certifications of these seriously flawed systems.

This topic is far too important to leave in the hands of the proprietary, closed-systems mindset crowd. It must be open. The code must be open and available to everyone. All systems must be thoroughly tested by reputable, recognized, outside authorities. I hope we’ll see an open source/free software implementation of an eVoting system that could be used for governmental elections. Such a system wouldn’t be limited to only government use, either; I believe it would find a place in many corporations and other institutions.



DHS Wants DNSSEC keys

9 Apr 2007

You might not know what DNSSEC is. That’s fine, most people don’t know either. The basic idea is to implement a replacement for the horribly flawed security model of standard DNS while not breaking backward compatibility. That’s what DNSSEC is, in a nutshell. It works by using methods similar to the way that SSL key-signing authorities work, but just for DNSSEC DNS servers.

Well, the illustrious and all-wise folks at the US Department of Homeland Security have apparently decided that they should have copies of the DNSSEC key-signing keys. Given that someone told them that these were the “cryptographic keys to the Internet,” it’s very understandable that they would drool over them.

I wonder how disappointed they’ll be if they succeed in commandeering a copy of the key-signing keys and then learn what they really are: merely the keys used to sign keys used by DNS servers which are authoritative for registered domains, and nothing more.

What’s next? Is DHS going to start demanding the key to every city, too?



Body Armour for Children

28 Mar 2007

In the UK, some parents are buying body armour for their children. This seems to be mostly in response to a couple of recent murders of London teenagers.

I can understand parents wanting to protect their children. Security isn’t always about the actual security. Sometimes, the perception of security is more important than the value of the actual security itself. In this case, parents have a greater peace of mind so they feel more secure.

But what about the children? Do you think that they might be a bit more emboldened knowing they have the armour on? In that case, such children are actually at a much greater risk than they were before. Do you think some would take it off as soon as Mom & Dad are out of sight? After all, many kids have done the same with their clothing.

P.S. If the story was about body armor in the U.S., I would have spelt armour differently.



Vista’s New TCP/IP Stack

30 Jan 2007

I came across this article at Microsoft today. A Google search for vista networking stack shows several commentaries about the Microsoft article. One writer commented about how bugs that were eradicated 15-20 years ago in TCP/IP stacks are back in Microsoft’s new stack.

Taking a look at the bullet points in the article, the very first one jumps out and says to me, “I’m the #1 reason that Microsoft reimplemented their TCP/IP stack from scratch.” That one reads:

Dual IP layer architecture for IPv6

After all the embarrassing failures to produce a workable IPv6 stack (I first remember seeing “beta” code from Microsoft in 1999), it would seem they finally realised that the whole thing would have to be rearchitected.

Most of the bullet points in the article are fluff with a little bit of BS thrown in there too (obviously, the marketing department is still in full control of Microsoft’s website). Lest you think I’m only here to bash Microsoft, here are some things that look like improvements to me:

The interfaces in the current TCP/IP stack for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information has been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is more secure, integrated in the stack, and much easier for independent software vendors (ISVs) to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic. For more information about WFP, see Windows Filtering Platform.

This isn’t exactly new. Windows has had hooks into some parts of the network stack. Windows XP Service Pack 2 added some more key hooks. But one of the problems with the pre-Vista implementations is that tools which used these hooks couldn’t be guaranteed to always be able to process traffic. Although I haven’t gotten in-depth details of WFP, from what I have read about its architecture it looks like it’s much more robust and complete.

The Next Generation TCP/IP stack can offload the processing of TCP and other types of traffic to Network Driver Interface Specification (NDIS) miniport drivers and network interface adapters. Offloading TCP and other protocol processing can improve performance for high-bandwidth networks or high-volume servers.

Although some NICs (mainly 3Com) have offloading engines that can take much or most of the load of IP and/or Ethernet packet/frame construction and processing from the main CPU, thus freeing it for other tasks, the networking configuration of a particular Windows machine often prevented such offloading from occurring. Although I do not know any of the details as to why this happened, I have been told (by people who would have such detail) that it was due to the networking architecture of Windows. Again, I don’t have much detail on the architecture of this new feature in Vista, but what I have read leads me to believe that the new stack will make these NICs more useful as well as being easier for driver writers to implement.

The architecture of NDIS 5.1 and earlier versions limits receive protocol processing to a single processor. This limitation can inhibit scaling to large volumes of network traffic on a multi-processor computer. Receive-side Scaling resolves this issue by allowing the network load from a network adapter to be balanced across multiple processors. For more information, see Scalable Networking with RSS.

This is a much needed improvement for some systems, like Data Center Server (which already had something similar) and some beefier Windows Server boxes, but will not benefit end users much. If you were running a game that only utilized 1 of your multiple processors, theoretically, having the ability for the other processor to take over the networking processing would improve performance. Realistically, I doubt you could see the difference. Still, this is another welcome improvement in design.

The Next-Generation TCP/IP stack has an infrastructure to enable more modular components that can be dynamically inserted and removed.

Welcome to the 21st century! Linux has done that since kernel 2.0 was released (the first version that supported kernel modules).

The Next-Generation TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after settings are changed.

Of course, Windows 2000 supposedly eliminated almost all the code paths where networking changes would require a reboot. I remember a Microsoft event where they told me that NT 5.0, as it was still called at that point, only had 6 remaining code paths (down from 27 or so) within the whole OS where a configuration change would require a reboot. However, in practice, most people experienced a need to reboot the system to make common networking configuration changes actually effective approximately 1 out of 2 times such changes were made.

One could also read, “We changed the configuration storage methods so you won’t know where to look anymore,” into that one.

From a security perspective, I’m very concerned about their new Inspection API (emphasis added):

The Next Generation TCP/IP stack exposes an Inspection API, which provides a consistent, general-purpose interface to perform deep inspection or data modification of packet contents. The Inspection API is part of WFP. The Next Generation TCP/IP stack provides access to the packet processing path at the Network and Transport layers.

So, it’s easy to hook into the Inspection API and use that to modify network traffic. It looks like it would also be trivial to inject any traffic you wanted to. Given the definition of the word inspection, I wouldn’t expect to find a modification mechanism integrated into the same sub-system.

Having a good set of instrumentation hooks into the entire network stack is important for certain types of software development, security research, auditing and a few other things. None of these should be taking place on production machines. However, it looks like Vista does not provide a way to disable the Inspection API. This could be used by a malicious program to monitor any network traffic it wanted to, or even to implement network communications that could possibly be entirely hidden from other programs (including security tools) and users. At the very least, the Inspection API should not be installed as part of the OS. Even the ability to disable it might not be enough, especially given Microsoft’s security track record.

Overall, however, I feel that I can agree with some of the reasons that appear to have been behind Microsoft’s decision to reimplement the TCP/IP stack from scratch for Vista, and I feel that there are several valuable improvements.

That said, I still do not consider the Windows networking stack, even the new one in Vista, to be remotely secure. There are too many unknowns and there is no proper, unbiased, third-party code scrutiny. Closed software simply cannot be secure. Peer review by recognized outside experts is mandatory in order to build good security. That’s why burglar alarm companies invite ex-cons and security experts to do their best to penetrate their systems. That’s why insurance companies do the same with all automobile security systems (as well as letting them assess the relative value of each system for their purposes). Microsoft doesn’t understand that and there’s no reason, from their perspective, that they need to; they’re in business to make money. Until the liability for bad security is placed on Microsoft (and other software vendors) there is no incentive for them to fix it.



Dogbert’s Password Recovery Service for Morons

25 Jan 2007

Enjoy not just one, but two great Dilbert cartoons.



Gift Card Fraud

30 Nov 2006

One of my sisters forwarded an email to me regarding a “new” scam:

Well, the crooks have found a way to rob you of your gift card balance. If you buy Gift Cards from a display rack that has various store cards you may become a victim of theft. Crooks are now jotting down the card numbers in the store, then waiting a few days and calling to see how much of a balance THEY have on the card. Once they find the card is “activated,” they go online and start shopping. You may want to purchase your card from a customer service person, where they do not have the Gift Cards viewable to the public. Please share this with all your family and friends…

Normally, that last line would be a sure giveaway for chain-mail. However, I’ve been looking into this one, and I think it’s legit.

The email originated with a Sheriff’s Deputy. I’m withholding his name for now, because I have not gotten his permission to publish it, yet. I have phoned him, but only left a message on his voicemail, so far. I’ll update this as I get more info.