Self-referential nonsense

“The time has come,” the Walrus said,
“To talk of many things:
Of shoes–and ships–and sealing-wax–
Of cabbages–and kings–
And why the sea is boiling hot–
And whether pigs have wings.”
“But wait a bit,” the Oysters cried,
“Before we have our chat;
For some of us are out of breath,
And all of us are fat!”
“No hurry!” said the Carpenter.
They thanked him much for that.
“A full text RSS,” the Walrus said,
“Is what we chiefly need:
Excerpts and quotes besides
Are very good indeed–
Now if you’re ready, Oysters dear,
We can begin to feed.”

Olympic Security

Bruce Schneier has written insightfully about Olympic security. They’ve spent $1.5 billion, and today’s marathon race was marred by some idiot leaping into the path of the front-runner and dragging him into the crowd. It’s always tempting, and usually wrong, to say that any failure of security could have been prevented.
However, this Olympics has seen a large investment in protecting the sponsors’ brands. (See here or here.) I’d be very curious to see how much was spent on this “brand protection” in comparison to, say, brand protection for the Olympics as a business endeavor. It seems that the money might have been misallocated if scorn for the Olympics grows because of this sort of thing.

In memory of Frank Sanache

Frank Sanache was one of eight Meskwaki code talkers. He served in North Africa, and was captured by the Germans. I’m fairly interested in the history of code talkers, and had missed the Army’s use of them.
It turns out that there were code talkers in the First World War, that German civilians had travelled to the US to learn native languages, and so the system was considered suspect. The Navy claims to have perfected the system with the use of the (more) famous Navajo.
I find the code talker story fascinating because of the confluence of factors that made it important, and the factors that cause it to no longer be relevant. Code talkers mattered greatly because of the rise of radio, and the broadcasting of plans. Anyone familiar with radio reception wanted private communication for their plans. But all the cryptosystems of the day were either slow and cumbersome or useless for more than a few minutes’ security. The realization that native languages could address these issues was a very clever hack. Today, we have clever cryptosystems in the radio chips that make all of this less interesting. The military also has automatic transcription and translation tools. You can see some of them in action via the TIDES world press reports. They’re not perfect, but it seems that they could perhaps defeat code-talking.
None of which is to detract from the outstanding service that the code talkers gave to the United States.
From Wampum via Weblogsky.

Bea Arthur, Terrorist

Beatrice Arthur, who apparently enjoys a little politics along with her fame, got irked at the airport police:

“She started yelling that it wasn’t hers and said ‘The terrorists put it there,’ ” a fellow passenger said. “She kept yelling about the ‘terrorists, the terrorists, the terrorists.’ ”
After the blade was confiscated, Arthur took a keyring from her bag and told the agent it belonged to the “terrorists,” before throwing it at them.

Now, if you or I had done this, we’d probably be arrested for assaulting a federal agent.
Someone should give her a bag.
From via kuro5shin.

About those insiders

Over at TaoSecurity, Richard writes about a new report from CERT/CC and the Secret Service, studying “23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.”
I’m very glad that they’re doing this. I think that actually studying how bad guys carry out attacks is critical for defending against them. The open questions about how many attacks happen, how they’re carried out, and what defenses really work are staggering. We exist in a dense fog of prejudice that these reports can dispel.
(Incidentally, I agree with Richard’s other point. Ted Kennedy being caught by the no-fly list is much like an IDS: it’s a good idea with great marketing that turns out to have a lot of operational problems, and really just ends up wasting a lot of time and energy that could be better spent on other efforts towards security. Watch lists at airports, as far as we know, have caught exactly zero terrorists, two members of Congress, and all the David Nelsons of the world.)

Is Disabling Javascript a Win?

(Dave asked in a comment.) Yes, disabling Javascript is a win. Here’s an IE issue, and here’s one for Mozilla.
Now, using Javascript, when it’s on, to reduce the number of clicks a user needs to make is a fine thing. I’m in favor of it. (Although I often find myself in misselect hell, when it works, it’s nice.) However, Microsoft is very publicly trying to take a leading position in security. And in many ways, they’re doing so. They have a lot of smart people implementing pretty clear decrees from the top.
That page could easily have been done in a way that exemplifies secure and easy-to-use web design, by adding a “Go” button next to the drop-menus.
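One way to build such a drop-menu, as an added illustration and not code from Microsoft’s site: the form works with scripting off because a plain Go button submits it, and a small script only adds the submit-on-change convenience when scripting is available (the form name, field names and target URL are assumed placeholders).

```html
<!-- Added example: a drop-menu that degrades gracefully when Javascript is off.
     The form id, field names and action URL are assumed placeholders. -->
<form id="cd-order" action="/order" method="get">
  <label for="region">Region</label>
  <select id="region" name="region">
    <option value="us">United States</option>
    <option value="uk">United Kingdom</option>
    <option value="de">Germany</option>
  </select>
  <!-- With scripting disabled the user picks a region and presses Go;
       the browser submits the form like any other, no script required. -->
  <button type="submit">Go</button>
</form>

<script>
  // Progressive enhancement: when scripting is on, submit as soon as the
  // selection changes so the user saves a click. Navigation still goes
  // through the same ordinary form submit to the same server-side handler,
  // so nothing about the page depends on script being enabled. The Go
  // button is left in place for keyboard users who tab through options.
  (function () {
    var form = document.getElementById('cd-order');
    var select = document.getElementById('region');
    if (!form || !select) { return; }
    select.addEventListener('change', function () { form.submit(); });
  })();
</script>
```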

Shut down these shadowy groups?

“The president said he wanted to work together (with McCain) to pursue court action to shut down all the ads and activity by the shadowy … groups,” White House spokesman Scott McClellan told reporters
Shadowy? What’s shadowy about free speech? There’s a very bad law in place which restricts your ability to spend your money to communicate a political message. It’s called McCain-Feingold. If these Swift Boat Veterans for Truth (an Orwellian name if I’ve ever heard one) are lying, then Kerry should sue for libel and defamation. (I take no position on what they’re saying; I haven’t been paying attention to it.) What shouldn’t be happening is a debate on whether these folks are “affiliated” with the Committee to Re-Elect the President, as if that matters. Of course they are. Who cares? We care only because their freedom of speech is somehow affected by their associations.
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” (Emphasis added.)
In a free society, people are able to express their opinions about issues that matter to them without a license, without registering with the government, and without having to explain themselves beyond the content of their contributions to a vigorous debate. The campaigns for the most important elected offices in the world have spent less than GM is spending for Olympics advertising. Heck, political advertising by the two major party candidates in Q1 (a total of about $68 million) didn’t even think about breaking the top 10 with Pepsi bottoming the list at $267 million.
So let’s hear it for the shadowy advertisers, working their free speech rights in the only opening that a bad law has left them.


So Microsoft has released XP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain.
A few notes:
1) This site requires that you turn on Javascript for it to work.
2) The digital certificate presented for encryption is one from Microsoft that is in IE, but not say, Safari.
3) The site asks for your phone number and email. How they’ll be used is not made clear in their privacy policy. I lied to them. (Sorry folks!)
No, I’m not volunteering to fix their computers when they break, but I wasn’t volunteering to fix their computers after they’re broken into, either. I do know that installing this patch will make you substantially safer, and suggest that your total non-productive time from both security issues and debugging will be lower after this. So back up and install off the net. And order a CD in case you need to re-install your OS.

Patch Management

Alec Muffet comments on sysadmin resistance to applying patches.
As Steve Beattie and a bunch of others of us wrote about, the issue is that there’s a tradeoff to be made to find the optimal uptime for a system. It’s a tradeoff between a security risk and an operational risk.
Organizationally, different teams are often measured on different parts of the risk, making a holistic view harder. Vendors need to work to make sure each patch is a smaller change. Roll-ups are nice, but roll-ups naturally combine all of the risks of all of the small changes. (SP2 is risky because of the number of changes that it makes to the OS, and riskier because some of them are new, not rolled-up changes.) Now, I’m not suggesting that the right thing to do is to release each change as a separate patch, but vendors need to address the fear people have of messing up their system. One way to do that would be to focus on a good, high-assurance roll-out/roll-back mechanism as part of the operating system.