
Uff Da and the Radio Bagel

There were too many fun things to do over the Memorial Day holiday to waste time thinking about security. One of those fun things was going to see Garrison Keillor and Prairie Home Companion at Wolf Trap. Oddly enough, it appears there is going to be a PHC movie - could it mean that after all these years, the show will jump the shark?

I doubt it - Garrison Keillor is pretty impressive in person and a fantastic writer. Here is "A Note From The Host" from the program for the PHC show at Wolf Trap:

"Dear Friends,

This show is a re-creation of my own jumbled memories of radio shows I heard on a floor-model Zenith receiver in Brooklyn Park, north of Minneapolis, around 1948, when I was six and my family lived in a basement my dad built in a cornfield, in loamy clay, and I, the baby of the family, had been eclipsed by the birth of twin brothers who sucked every particle of adult attention out of the air, much as if Roy Rogers and Trigger had come to live with us, and at this critical moment, people on the radio became my chums. I clutched that old Zenith like a life raft. They were so wonderful, Irma and Luigi and Fibber and Molly and Tom Mix ("Shredded Ralston for your breakfast starts the day off shining bright") and Jack Benny and Cedric Adams and Arthur Godfrey, and thus a seed is planted.

The radio had a big round dial and a tuning knob the size of a bagel and it gave off heat and a rich warm sound with bass reverberations that came up through the floor, so that when you lay on your stomach listening to Gene Autry sing on Melody Ranch you could feel good vibrations in your stomach. For a number of years, my parents were barely aware of my existence, and sometimes they called me Larry or Harry or Murray, and there were Christmases when I could see that my presents had been hurriedly assembled a few minutes before - a pair of socks (wrong size), a used book, some fruit, some small coins taped to a Christmas card with the original signature erased - but thanks to radio I maintained a sunny outlook (sort of), and years later, having graduated from college with a degree in English, casting about for something to do that people would pay me for, I found this beloved old institution. And thanks for coming to see it today.

                                                    Garrison Keillor"

That's good writing. I guess I identify with it - as a kid I asked a local radio/TV repair shop if they had any junk radios I could have. They did - and that (plus a seriously misguided guidance counselor in high school) is what started me on the path to the career I have now. You can't tell your kids this, but life is pretty much just random serendipity.

I guess right now some 12-year-old kid is lying on the floor in front of his PS2 with the plasma screen, listening to some podcast and storing up some serendipity points that will pay off later on. He will either be the guy that creates the next big thing 10 years from now, or maybe the gal that hacks the next big thing then. I wonder which way he (or she) will go?

Gettin' Aboard the Cluetrain

I miss the bubble. Greed, certainty and optimism ruled the roost, pushing fear, uncertainty and doubt onto the back burner. Stock options grew like weeds, companies never failed, Internet connections and bandwidth needs were exploding - and dragging along lots of security spending in the name of enabling e-business. It was the best of times, it was the worst of times.

By 2001, the bubble burst, the worms hit, the terrorists attacked - FUD was king once again. Wah, now every doomsayer could quote Mi2g type silliness and get the press to carry a story.

Back at the height of the bubble, "The Cluetrain Manifesto," by Levine, Locke, Searls and Weinberger, was sort of a naive screed saying that the rules had changed. But in four of its 95 theses it did have some pretty prescient things to say about security through stasis:
(51) Command-and-control management styles both derive from and reinforce bureaucracy, power tripping and an overall culture of paranoia.
(52) Paranoia kills conversation. That’s its point. But lack of open conversation kills companies.
(53) There are two conversations going on. One inside the company. One with the market.
(54) In most cases, neither conversation is going very well. Almost invariably, the cause of failure can be traced to obsolete notions of command and control.
Since I'm in a quoty kind of mood, here's another one apropos of this topic:

"Advocacy and belief go hand in hand. For there can be no true freedom of mind if thoughts are secure only when they are pent up."
 

Justice William O. Douglas
 
I was going to write more but for some reason, the blog software has spoken - everything must now be centered.
Ommm.

Anorexic Computing: Security Through Stasis

Hmmm, Hitachi says that to improve security it will replace 16,000 employee PCs with thin client computers that will use a USB dongle for user authentication. The economics don't seem to make much sense - each thin client costs about $1,200 and requires a base unit and server modules that add about another $1,300 per user. So, it will cost $2,500 per user and still be running Windows XP, albeit the embedded version. The thin clients will still need to be patched - worse, the patches for embedded Windows don't come out until 45 days after the patches for real Windows. And they will still be using passwords to connect to the server side.

Why would a big company like Hitachi do this? It doesn't seem much cheaper than using low-end laptops, and if they locked down those laptops they would pretty much be just as secure as Windows-based thin clients. Oh, I see - they actually make and sell the thin client computers themselves. What a coincidence!

So many security strategies seem to want to return to the good old dumb terminal days - that is what thin client computing or locking down PCs basically is. It sure is tempting - if we could just go back to dictating what software users had and what data they could and could not store, since we certainly know better than those silly users - why, if we were in control again, peace would guide the planet, and love will steer the stars. Yes, comrades - central planning is the way to the future!

Of course, this is total nonsense. Security by taking away users' annoying habit of actually creating new things or bringing in new technologies (like PCs, networks, the Internet, wireless LANs, etc.) against the will of the IT shop is silly security. It is like preventing car accidents by putting sand in the gas tank, or preventing food poisoning by eating the same food day after day after day.

An early pioneer in information security, Helen Keller, said it best:

"Life is either a daring adventure or nothing. Security does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than exposure."

This Just In: All Browsers Suck

OK, we know IE is bad - and eEye just reported some more IE vulnerabilities. We also know Firefox has joined in the badly built browser world wide web sloppy security sweepstakes (B3W3S3). But not to be outdone, our old friend Netscape (the Rip Van Winkle of the browser world) upped the ante by having to release a patched version 8.01 on the same day that they released Netscape 8.

OK, we also knew that software engineering is an oxymoron - but still: when is a brother going to get a break? I know some idiot said browser competition is good, patch proudly, blah blah blah. But will these three browsers always be the Three Stooges of the software world??

Wait a minute - the common thread between the Larry, Curly and Moe browsers is that they are free. Opera costs $39 - it has to be better, right? Will it turn out to be Shemp, or more like Emil Sitka? I'm off to pay for a copy - watch the patches fly!

All We Remember About Paul von Beneckendorff und von Hindenburg is That Damned Blimp

Gordon Moore has a pretty cool law named after him. Edward Murphy had another neat law named after him - plus an Air Force base! But having things named after you doesn't always work out so well. I'm sure Mr. Hindenburg and Edsel B. Ford aren't quite as happy to see how their names are remembered.

My US Senator, Paul Sarbanes, is going to rue the day he let that rascal Ollie Oxley talk him into co-sponsoring the dreaded Sarbanes-Oxley act. To quote Senator Paul from the Washington Post article below:

"You have some way-out requirements, and the company says that's what Sarbanes-Oxley says we have to do, but these changes are neither in the act nor in the regulations implementing the act," says Sarbanes . "I don't know where some of these things came from."

Much like Jerry Seinfeld muttered "Newman!" through clenched teeth, lots of enterprises are muttering my fine senator's name the same way. For no real good reason, other than the fact that many are using his law to justify buying lots of toys, charging more for audits, and for forcing in lots of outdated "security" mechanisms because they now can. Poor Senator Paul - he is being pilloried as the compliance monster. Oh, the humanity!

I call this the law of unintended legislative consequences. This column in today's Washington Post captures it pretty well:


washingtonpost.com
The All-Purpose Fall Guy for Control Freaks

By Marc Fisher
Post
Thursday, May 19, 2005; B01

Leave the desk for 10 minutes and the computer screen goes dead. Why must I sign in all over again? "Sarbanes-Oxley," says the poor soul in the tech department.

Another memo arrives from the people who control the machines on which we work: You must now have yet another, different, impossible-to-remember password for yet another computer program, for a total of five different passwords to work on one machine. And not only must those passwords all be different, but they also must change every few weeks. Why? "Sarbanes-Oxley," comes the reply.

(A new computer program comes with the password "Welcome123." May I change that to a password I already use on another program? Sure, the technician says, but only if it contains a bizarre jumble of numbers and letters unrelated to any word in the Oxford English Dictionary. Ah. And why? "Sarbanes-Oxley," of course. So I keep "Welcome123" -- that's my password, and you're welcome to it. You'll find a bunch of half-written columns, a raft of outdated phone numbers, and -- oh, the embarrassment! -- a slew of old letters and memos that failed to win fellowships, grants, freelance assignments and raises.)

At the newspaper, everyone must now take a test that asks us to violate the ethic of journalism by refusing to talk to reporters who might call to inquire about how we do our jobs. Challenged about the contradiction, bosses say: "Ignore it. It's just something they had to do because of Sarbanes-Oxley."

This all-powerful Sarbanes-Oxley turns out to be a law Congress passed in 2002 after the Enron collapse to protect investors by forcing publicly held businesses to more accurately report information about themselves.

Nothing in the law specifically requires companies to turn cubicle life into a journey through the stages of hell. But that's how the law is being interpreted across the land. Sen. Paul Sarbanes, the Maryland Democrat who is retiring next year, has had to watch what he thought of as a guardian of ordinary investors' assets being transformed into a scapegoat for all things annoying at the office.

"You have some way-out requirements, and the company says that's what Sarbanes-Oxley says we have to do, but these changes are neither in the act nor in the regulations implementing the act," Sarbanes tells me. "I don't know where some of these things came from."

On message boards and in professional forums, computer techs are in a rage about this giant leap backward. The focus of their anger is a 170-word passage in the law that requires companies to document in fine detail how they will guarantee that their financial statements are truthful.

Businesses say they are spending millions to set up safeguards to prove their honesty to the government. But critics say those safeguards, while infuriating employees, would do little to stop a corporate criminal intent on defrauding stockholders.

A huge industry has popped up to cater to the anxieties of businesses that must comply with the law, but some advisers are counseling executives to chill out. "There is nothing about computer security in the law -- nothing," says Mark Rasch, chief security counsel at Solutionary, a computer security company with an office in Bethesda.

Computers are the favorite tool of those who want to steal money from companies, Rasch says. "If I want to steal, I have to manipulate the systems, so you need some controls. But there isn't any reason why those controls should apply to ordinary workers unless you're in the financial systems department.

"It's absurd how the law is being used to justify these silly timeouts and constant demands for you to type in your password. The law is just being used as an excuse for placing restrictions on workers."

Sarbanes sighs at how his name is being taken in vain as a nation of office workers grouses about new incursions on their time and sanity. "Some people in the business world think it's unnecessary regulation," he says, "but look at the price we paid with Enron and those scandals in losses of jobs and confidence in our capital markets. We didn't set out to create onerous requirements. We were confronted with these gross abuses, and we set out to protect the American investor."

Roofers Should Be Paid Much More Than Weatherfolks

My wife thinks I'm annoying because I love to lie in front of the TV and just channel surf. Whee - in 60 seconds I see snippets of doubles badminton/serious looking talking heads/Sanford and Son/some lady selling jewelry/some lady chopping vegetables/horses jumping over brick deals/really, really serious looking old white guy talking heads/lady in high heels and evening gown ecstatically cleaning a toilet/someone who went to school for 4 years to be a meteorologist standing in the pouring rain in the dark holding a microphone saying "It's really coming down out here."

My daughter thinks I'm a dork because I often stop at The Weather Channel and watch the weather. I find it fascinating - there are millions of sensors and satellites and supercomputers and really well-coiffed meteorologists - and basically they are about 10% more accurate than my magic eight ball. "Chance of rain tomorrow 50%"

The worst part of The Weather Channel is the limp "reenactments" of big storms or disasters - most of which are things like tornadoes and earthquakes and volcanoes that no one predicted very well. In fact, today is the 25th anniversary of Mount St. Helens erupting. Since October 2004, she's been rumbling again but no new eruptions.

That's pretty much why information security is fun - regardless of what anyone says, you can't predict when a denial of service tornado will hit or a wormable vulnerability will erupt or when some sys admin will spontaneously combust and turn the database server into a hacker punching bag.

But you can always check to see if you are vulnerable, and if you close out the vulnerability in our world of bits and bytes you can ride out all the digital storms. Sometimes you can hear the digital rumblings, and that tells you it's time to check the sandbags and make sure the patio furniture is tied down. The real key is removing the vulnerabilities - then you don't have to depend on those blow-dried astrologists meteorologists confidently telling you the exact opposite of what they predicted the day before.

Aw, Firefox is a Big Boy Now

Different cultures have different ceremonies when a boy turns into a man. There are various ages where you can drive, then drink and then pay less than a bajillion dollars per year for auto insurance. I always considered it to be when you reach the point where others depend on you and you live up to that responsibility. Some reach this at 18, others at 28, a few much earlier, and many never, ever reach this point.

In the software world, one way you tell that software has grown up is that it reaches the point where people do depend on it, but it still takes third party security software for it to live up to that responsibility. Twenty years into using Windows PCs and we are buying and adding more and more security software (personal firewall! Anti-viral! Anti-spyware! Anti-phishing! PC health services!) to keep our PCs in a semi-dependable state. Commercial software has grown up when it spawns an entire industry to keep it from crashing down.

So, with that cynical outlook in place, I'm happy to announce that Firefox is now officially a manly piece of software. Not only has Firefox got enough traction that Microsoft has been targeting competitive security reports against it and the trade press breathlessly reports each new vulnerability, but now the true sign of maturity as a standard piece of software has appeared - several vendors are offering security products to protect Firefox!

Imagine if bridge manufacturers saw the profit potential in selling drivers "bridge design flaw protection kits" at a price of about 5% of the cost of a car. If you didn't have an active subscription, and then drove over a bridge, one time out of a hundred, the bridge would fall down. Paying $1,000 for that is about the same as paying $50 per year for security software for your PC.

Oh, well - we'll have to keep treating all software the way we treat narrow logs that we use to cross streams (slowly, carefully and prepared to get wet) rather than be able to depend on them the way we do with actual engineered bridges.

Granny Fights Back

The Daily Show and The Onion are my favorite sources of fake news, but there is no shortage of great pieces of Internet flotsam and jetsam that have great fake takes. One of my favorites is the "Grandma Beats Up Airport Security Guards" one that came out not long after stricter airport security rules went into place after the terrorist attacks of 2001. It captured the frustration of travelers in a funny but close to believable way.

A true item is in USA Today today - Microsoft has announced they will be beta testing a consumer/small business oriented PC security subscription service. Basically, put Microsoft's OneCare client software on your PC and pay $5 per month or so and it will be an automatically updated personal firewall, antiviral client, backup agent and someday other stuff - like anti-spyware and anti-whatever nasty thing comes out next year.

Basically, they are aiming at Grandma's frustration with how hard it is to keep her computer running - especially now when Granny spends a lot of time on her computer IMing her grand-kids, keeps their digital photos on her hard drive and even gets on those chat boards trying to peel away single 70 year old men from online porno and on to the dance floor at the local firehouse.

Hey, ADT Security and the other home security outfits have been making big bucks in this business for years - the average granny is more likely to get hit by spyware or phishing than she is to have someone break into her home. There's definitely going to be a market for this type of service, but the first forays will have to experiment a lot to find the mixture of price and liability assumption that will work out to being a profitable mix.

It is one thing for ADT to say "We will automatically dial the police if a burglar breaks in"; it is another thing for them to say "we will keep the burglar out." The antiviral vendor model for years has been "it wasn't our fault you got that virus, it's your fault - you didn't update your AV signatures." A service company taking on the responsibility of updating the signatures loses that excuse - which is a good thing from a security perspective but is sure to make corporate lawyers nervous.

Microsoft of course has the financial wherewithal to play for years in markets and not have to worry about breaking even any time soon. I hope they really try to push the envelope in making home PCs (and someday the next frontier - home networks) more secure, rather than push the state of liability waiver legalese to new heights.

I Don't Know About You, But My Information Doesn't Want to Be Free

The word "redact" used to have a simple meaning - get something prettied up for publishing. The seeds of the modern evolution of the word redact were planted in 1966, when the Freedom Of Information Act was first enacted. It gained more teeth in 1974, as the backlash against the Nixon Watergate abuses began to ripple outward.

Today, to redact means to take a big black magic marker and black out all the interesting parts of a document that must be grudgingly provided to satisfy a FOIA request. Back when EPIC and others were fighting the Clipper chip and crypto export controls, they used to get on stage at the annual RSA Conference and have great fun holding up redacted documents that were 90% blacked out - the only words that survived tended to be "the", "if", "party of the first part" and "tuna salad."

Of course, these days we scoff at primitive technologies like big black magic markers - we have Microsoft Word and Adobe Acrobat. Last week various news outlets reported that a Pentagon document which had been electronically "redacted" turned out to be pretty much undacted. Once again, naive technology users found out the difference between what is printed and what actually gets saved in a file. Oopsie.

One scary thing I found out in looking into this: there is actually a site called PDF For Lawyers which has a link to the best quote about this, from vowe dot net: "If you close your eyes, you don't actually disappear."

This is really not new - the National Law Journal had an article on this back in 2002. I guess the problem is that most people can't afford to pay lawyers for their redaction needs, at least not the expensive lawyers who read the NLJ. I guess they can't afford the redacting plug-ins you can buy, either.
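The difference between what is painted and what is saved is easy to see in a PDF page content stream, where text and graphics are just a list of drawing operators. The following Python is an added example, not code from the original post or from any of the tools it mentions: it draws two lines of text, "redacts" the second one the wrong way (a black rectangle on top) and the right way (the text operator removed), wraps each in a minimal PDF, and then runs the check a practitioner should run on any file before releasing it, which is to pull the strings out of the bytes rather than look at the rendering. The sample lines, the box coordinates and the tiny PDF writer are all constructed for illustration; real files usually Flate-compress their content streams, so a real checker inflates them first.

```python
import re

# Constructed sample page: one public line and one line that must not ship.
PUBLIC = "Incident report, page 1"
SECRET = "Source name: J. Doe"


def pdf_escape(s):
    """Escape a Python string as the body of a PDF literal string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def pdf_unescape(s):
    return re.sub(r"\\([\\()])", r"\1", s)


def page_content(lines):
    """Content stream that shows each line with a Tj operator, top to bottom.
    BT/ET delimit text, Tf selects a font, Td moves the cursor, Tj draws."""
    ops = ["BT", "/F1 12 Tf", "72 720 Td"]
    for i, text in enumerate(lines):
        if i:
            ops.append("0 -16 Td")          # next line, 16pt lower
        ops.append("(%s) Tj" % pdf_escape(text))
    ops.append("ET")
    return "\n".join(ops)


def extract_strings(data):
    """What copy-paste, search indexing or pdftotext recovers: every literal
    string handed to Tj, no matter what is painted over it afterwards.
    Assumes uncompressed content; inflate FlateDecode streams before this."""
    return [pdf_unescape(m)
            for m in re.findall(r"\(((?:\\.|[^\\)])*)\)\s*Tj", data)]


def black_box():
    # Filled black rectangle over the second text line (coordinates are
    # illustrative: the line sits at y=704, the box spans y=700..716).
    return "q 0 0 0 rg 70 700 200 16 re f Q"


def overlay_redact(content):
    """The broken approach: leave the text in place and paint over it."""
    return content + "\n" + black_box()


def true_redact(content, text):
    """Remove the operator that draws the sensitive string, then paint the
    box so the page still looks redacted. Raises if the string is not a
    single Tj operand (kerned TJ arrays, split runs), which a real tool
    must also handle rather than silently leave behind."""
    pattern = r"\(" + re.escape(pdf_escape(text)) + r"\)\s*Tj"
    if not re.search(pattern, content):
        raise ValueError("text not found as a single Tj operand")
    return re.sub(pattern, "", content) + "\n" + black_box()


def build_pdf(content):
    """Wrap a content stream in a minimal single-page PDF (bytes), so the
    result opens in a viewer and can be compared with its own bytes."""
    body = content.encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(body) + body + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def leaks(pdf_bytes, text):
    """The pre-release check: do the saved bytes still carry the string,
    whatever the rendering shows on screen?"""
    return text in extract_strings(pdf_bytes.decode("latin-1"))


if __name__ == "__main__":
    page = page_content([PUBLIC, SECRET])
    looks_redacted = build_pdf(overlay_redact(page))
    is_redacted = build_pdf(true_redact(page, SECRET))
    print("overlay leaks secret:", leaks(looks_redacted, SECRET))  # True
    print("removal leaks secret:", leaks(is_redacted, SECRET))     # False
    open("redacted.pdf", "wb").write(is_redacted)
```

Both output files render as a page with a black bar on the second line; only the bytes tell them apart. The same discipline applies to Word: highlighting text in black is formatting, and the text stays in the saved file along with tracked changes and comments, so the check is on the file you release, not on the screen.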

I guess this does prove information wants to be free, except information tends to be like weeds: the information you want to die seems to grow the fastest and you really have to use strong pesticide to kill it.

Which reminds me of a great line from a recent post on the Politech mailing list:

Date: Tue, 10 May 2005 22:05:22 -0400
From: Lizard <lizard@mrlizard.com>
To: Declan McCullagh <declan@well.com>
References: <42811D03.7020202@well.com>

Can I be the 10 millionth person to note that the overlap between people
opposed to things like Zabasearch and people who ritually quote
"Information wants to be free" is much larger than would logically follow?

Or is it "Other people's information wants to be free. My information
wants to be locked in the attic."?


Dino and Astro Both Phell Phor Phishing Phrauds

The Register reported that US citizens are just as "pants" about passwords as UK citizens. An informal survey done by Verisign in San Francisco showed that two out of three people would give up their password for a Starbucks gift card. RSA funded a similar survey in the UK just about a year ago and 70% of Brits would cough up their password for a pen or similar geegaw.

Important disclaimer: both Verisign and RSA sell strong authentication tokens and systems. The reason these surveys were conducted a year apart is that they were both done as part of building advance publicity for conferences about digital IDs. So, take the data with a grain o' salt, and don't forget Mark Twain's line about the three kinds of lies:  Lies, Damn Lies and Statistics.

Regardless of the source of these two data points, anyone involved in security knows that typical user behavior is generally not going to align with good security practice. I imagine driving instructors shake their heads and sigh when they see how people actually drive cars - and those awful drivers had to take courses and tests to be allowed to drive a car. Not to mention years of television ads and campaigns in high schools to foster good driving skills.

Look, the Flintstones fell for scams that the Jetsons will also fall for. We have been trying to educate users about passwords and viruses for over 15 years now. Technology changes much faster than human nature - and I could argue that, in the case of most of the people I seem to know, never changes.  In reality, I think there are generational changes - my kids now understand that passwords are important because they have learned they can hide things from me by turning on security features on the family PC. The little twerps don't really understand the concept of administrative accounts, but hey - tough luck on them.

So, if you are depending on  security awareness posters to have even the slightest impact on security (other than the CYA factor), make sure you have your resume up to date and your seat belt buckled tight and low across your lap.