Shostack + Friends Blog Archive


CERT, Tor, and Disclosure Coordination

There’s been a lot said in security circles about a talk on Tor being pulled from Blackhat. (Tor’s comments are also worth noting.) While that story is interesting, I think the bigger story is the lack of infrastructure for disclosure coordination. Coordinating information about vulnerabilities is a socially important function. Coordination makes it possible for […]


Tap Tap Snarky

From the app store: I hope this doesn’t cause Apple to ban snarky update messages.


Is iTunes 10.3.1 a security update?

Dear Apple, In the software update, you tell us that we should see for the security content of this update: However, on visiting, and searching for “10.3”, the phrase doesn’t appear. Does that imply that there’s no security content? Does it mean there is security content but you’re not telling us about it? […]


Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]


The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]


Microsoft Has Trouble Programming the Intel Architecture

Microsoft Office 2008 for the Macintosh is out, and as there is in any software release from anyone there’s a lot of whining from people who don’t like change. (This is not a criticism of those people; I am often in their ranks.) Most of the whining comes because Office 2008 does not include Visual […]


Apple’s Update Strategy is Risky

On Saturday I was going to a party at an apartment building. The buzzer wasn’t working, and I took out my shiny new iphone to call and get in. As I was dialing, a few young teenagers were coming out. They wanted to see the iPhone, and so I demo’d it in exchange for entry […]


Lrn 2 uZ ‘sed’, n00bz

The iTunes Plus music store opened up today, which sells non-DRM, 256kbit AAC recordings. In case you have missed the financial details, the new tracks are $1.29 per, but albums are still $9.99. You can upgrade your old tracks to high-quality, non-DRM, but you have to do it en masse and it’s only for the […]


When Security Collides With Engineering (Responsible Disclosure Redux)

Stefan Esser announced earlier this week that he was retiring from citing irreconcilable differences with the PHP group on how to respond to security issues within PHP. Of particular interest is that he will be making changes to how he handles security advisories for PHP (emphasis mine): For the ordinary PHP user this means […]


"Faux" Disclosure

I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces […]


Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack” Its some good analysis of the three Apple Worms: Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t […]


Updating Windows Mobile Phones

Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile […]


Known unknowns?

Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security […]


WMF Vuln fix

Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.


A great idea whose time has come

Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not […]


Congrats, Microsoft

“On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins,” the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning. (Via Information Week, via ISN)


Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC and Canadian privacy law & CIBC. 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.


Liveblogging Shmoocon: Patching

I’m at Shmoocon, and trying to liveblog a little. There’s network trouble, so it may not quite be live. I’m at Tina Bird’s talk on patching, and she mentioned that in the Teragrid attack, the attackers were hitting supercomputer centers, and there’s some evidence that they were 1) using 0day and 2) using the big […]


More on Economic Analysis of Vulnerabilities

Dave Aitel has a new presentation (“0Days: How Hacking Really Works“) on what it costs to attack. The big cost to attackers is not vulnerability discovery, but coding reliable exploits. (There’s an irony for you: Attackers are subject to the same issues with bad software as their victims.) The presentation is in OpenOffice format only […]


Small Bits of Chaos: Vidal, SP2, Iraq

Gore Vidal has a few choice words about the President’s Inaugural address, at DemocracyNow. A Russian company, MaxPatrol, has published a paper on bypassing heap and stack protection for Microsoft Windows XP with SP2. Winterspeak has an interesting summary of Iraq: The big bet that President Bush placed all these months ago, the bet that […]


Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]


Quick Links

John Robb has an article at Global Guerrillas about the cost of terrorist attacks and their impact on the economic equilibria at work in cities, based on a report by the NY Fed. A terrorism tax is an accumulation of excess costs inflicted on a city’s stakeholders by acts of terrorism.  These include direct costs […]


Be Careful What You Wish For, Air Force

Federal Computer Week has a story about the Air Force’s efforts to patch faster: Officials’ ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations […]


To sleep, perchance to sleep?

After installing Apple’s latest security update, my laptop no longer goes to sleep when I close it. Is anyone else with more time experiencing this? I am using Bernhard Baehr’s excellent Sleepwatcher, a daemon that allows you to add sleep and wakeup actions, but that hasn’t changed in a while. (If I had more time, […]


How not to find vulnerabilities (2)

Pete Lindstrom has argued that we need to end the bug-hunt: Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences. There is a rarely mentioned upside to all this bugfinding, which is that researchers use the exploit code to […]


How not to report vulnerabilities

This week Finjan announced that it has told Microsoft of 3, or 10, or maybe 19 issues with SP2. Robert Lemos at CNET writes: “We don’t want to argue with Microsoft about these things,” he said. “We found the 19 vulnerabilities, and we showed that you could take remote control of a computer.” However, Microsoft’s […]


Mac 10.3.6

Macworld excerpts a very detailed analysis of the MacOS 10.3.6 update. Its too bad that Apple chooses to give us a 22 item change description when they’ve changed upwards of 1,000 files.


Microsoft pre-warning of patches

[Microsoft] will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release… The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected. This has been available to select customers for a while. […]


OMB, TSA asking for it.

Ed Hasbrouck points out that Public comments are open through Monday, 25 October 2004, on the Secure Flight airline passenger identification, selection, and surveillance system proposed by the USA Transportation Security Administration (TSA) and its Office of National Risk Assessment (ONRA). My draft comments are here, and I’d love feedback before sending them. [Update: Fixed […]


Patches & EULAs

Security patches should not have licenses. There’s no fair re-negotiation under threat. If I bought your software, and am using it, then you find a bug, you should not be allowed to put new terms on the software in order for me to be safe using it. Imagine a hotel which lost a master key […]


Bush, Socrates, and Information Security

“Wherin links between a number of disparate ideas are put forth for the amusement of our readers” Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on […]