About those insiders

Over at TaoSecurity, Richard writes about a new report from CERT/CC and the Secret Service, studying “23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.”
I’m very glad that they’re doing this. I think that actually studying how bad guys carry out attacks is critical for defending against them. The open questions about how many attacks happen, how they’re carried out, and what defenses really work are staggering. We exist in a dense fog of prejudice that these reports can dispel.
(Incidentally, I agree with Richard’s other point. Ted Kennedy being caught by the no-fly list is much like an IDS: it’s a good idea with great marketing that turns out to have a lot of operational problems, and really just ends up wasting a lot of time and energy that could be better spent on other efforts towards security. Watch lists at airports, as far as we know, have caught exactly zero terrorists, two members of Congress, and all the David Nelsons of the world.)

Is Disabling Javascript a Win?

(Dave asked in a comment.) Yes, disabling Javascript is a win. Here’s an IE issue, and here’s one for Mozilla.
Now, using Javascript, when it’s on, to reduce the number of clicks a user needs to make is a fine thing. I’m in favor of it. (Although I often find myself in mis-select hell, when it works, it’s nice.) However, Microsoft is very publicly trying to take a leading position in security. And in many ways, they’re doing so. They have a lot of smart people implementing pretty clear decrees from the top.
That page could easily have been done in a way to exemplify secure and easy-to-use web design by adding a “Go” button next to the drop-down menus.

Shut down these shadowy groups?

“The president said he wanted to work together (with McCain) to pursue court action to shut down all the ads and activity by the shadowy … groups,” White House spokesman Scott McClellan told reporters.
Shadowy? What’s shadowy about free speech? There’s a very bad law in place which restricts your ability to spend your money to communicate a political message. It’s called McCain-Feingold. If these Swift Boat Veterans for Truth (an Orwellian name if I’ve ever heard one) are lying, then Kerry should sue for libel and defamation. (I take no position on what they’re saying; I haven’t been paying attention to it.) What shouldn’t be happening is a debate on whether these folks are “affiliated” with the Committee to Re-Elect the President, as if that matters. Of course they are. Who cares? We care only because their freedom of speech is somehow affected by their associations.
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” (Emphasis added.)
In a free society, people are able to express their opinions about issues that matter to them without a license, without registering with the government, and without having to explain themselves beyond the content of their contributions to a vigorous debate. The campaigns for the most important elected offices in the world have spent less than GM is spending for Olympics advertising. Heck, political advertising by the two major party candidates in Q1 (a total of about $68 million) didn’t even think about breaking the top 10 with Pepsi bottoming the list at $267 million.
So let’s hear it for the shadowy advertisers, working their free speech rights in the only opening that a bad law has left them.

XP SP2

So Microsoft has released XP SP2 on a CD. I’m not currently running any Windows machines, but I figure hey, this is an important patch, and I should be able to foist it on people. So I go to Microsoft’s Order a CD site. I am curious to see what else the CD might contain.
A few notes:
1) This site requires that you turn on Javascript for it to work.
2) The digital certificate presented for encryption is one from Microsoft that is in IE, but not, say, Safari.
3) The site asks for your phone number and email. How they’ll be used is not made clear in their privacy policy. I lied to them. (Sorry folks!)
No, I’m not volunteering to fix their computers when they break, but I wasn’t volunteering to fix their computers after they’re broken into, either. I do know that installing this patch will make you substantially safer, and suggest that your total non-productive time from both security issues and debugging will be lower after this. So back up and install off the net. And order a CD in case you need to re-install your OS.

Patch Management

Alec Muffett comments on sysadmin resistance to applying patches.
As Steve Beattie and a bunch of others of us wrote about, the issue is that there’s a tradeoff to be made to find the optimal uptime for a system. It’s a tradeoff between a security risk and an operational risk.
Organizationally, different teams are often measured on different parts of the risk, making a holistic view harder. Vendors need to work to make sure each patch is a smaller change. Roll-ups are nice, but roll-ups naturally combine all of the risks of all of the small changes. (SP2 is risky because of the number of changes that it makes to the OS, and riskier because some of them are new, not rolled-up changes.) Now, I’m not suggesting that the right thing to do is to release each change as a separate patch, but vendors need to address the fear of messing up their system that people have. One way to do that would be to focus on a good, high-assurance roll-out/roll-back mechanism as part of the operating system.

That exalted state

“The Central Intelligence Agency is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us.”
Of course, this just goes to show that “We’re committed to protecting your privacy” has finally made it to the exalted and hard-to-reach level of “Of course I’ll respect you in the morning.”

Secret Laws Work So Well

So it seems that two members of Congress have now been added to “watch lists.”
“[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.”
It seems that this sort of thing is exactly what the Privacy Act of 1974 was intended to prohibit–secret databases that control your life that you can’t get out of. Except, section j.2 exempts “police efforts to prevent, control, or reduce crime.”
If Congresspeople can’t get themselves off the list, what hope does David Nelson or Johnnie Thomas have?
Criteria for being put on the list are secret. Criteria for being removed from the list are non-existent. This only makes sense if you’re a career government employee who never wants to have to explain their actions to Congress. A few complaints, sure, but those aren’t career limiting.
John Gilmore is suing for the right to travel without ID, and not subject to secret laws “communicated orally, from week to week.” If he wins, airport security will have to stop wasting time and energy harassing Congresspeople, and focus on searching people for weapons. In addition, airlines will no longer be able to collect extra data about each and every passenger for marketing purposes, with it being a crime to lie or try to stay out of their databases. A win for security, a win for privacy, a win for liberty.

Time for DES to go?

In 1977, the government certified the Data Encryption Standard (DES), with a planned lifetime of 15 years. It has now been in use for nearly 30, and no longer offers even decent security. Over 6 years ago, the EFF built Deep Crack, a supercomputer for breaking DES, which cracked keys in under a day.

NIST has now proposed to decertify DES (sorry, PDF). Some entities are opposed to this, because they have spent money on DES compliant gear, and would like to keep using it.

They are able to argue for the validity of their choice by pointing to the continuing certification of DES, despite the evidence it should go away. This is a downside of standards–they slow innovation by creating a constituency against change.

At Crypto this year, NIST asked for comments. Here are mine, on behalf of an organization that might not otherwise speak up.

Dear NIST,

I am writing to you on behalf of Corleone International, a family business for over 4 generations.

Corleone International has made substantial investments over time in security and security analysis equipment in support of our various business lines. These outlays have included people, processes and technologies to facilitate our involvement in the financial sector.

Recently, the continued use of DES has allowed us to make a substantial return on our investment through “partnerships” with a number of leading financial institutions. We would hate to see our investments invalidated by a premature de-certification of the DES, which is working well for us.

Yours,

“Don” Vito Corleone, Chairman, Corleone International

You can send your comments opposing re-certification to descomments@nist.gov, or read more at NIST (sidebar on the right).

Why did Google pop? (II)

According to David Garrity, a technology analyst in New York with Caris & Co.:
It was supposed to democratize the process and let people buy in at just a few shares, but it was a miserable failure because the organizers didn’t realize the securities regulations that require people who bid to have a certain net worth. (From Wired News.)
So, assuming that Garrity has his facts right, this is probably the Qualified Investor rule, which requires that an investor in a non-public stock have a net worth of more than a million bucks, or income above $250,000. It’s not always enforced, but when it is, in the IPO process, it’s one of the few rules that literally help the rich get richer. The rules got a fair bit of public notice when Linux companies started going public, and offering friends and family shares to coders who contributed to Linux. The coders, by and large, were not rich, and several banks promised to ignore lies they told on their QI attestations.
Now, is this a $210 million error? Quite possibly. One of the problems discussed has been lower-than-expected participation. Given Google’s exceptionally low fees (expressed as a percentage of the deal size), it’s possible that they’re getting bad service from their banks. That also fits with the unregistered stock not being discovered. I can more easily see a banker not stressing a point like this than I can see them spending tens of millions to send a message.
Other commentary from Gordon Smith argues that it was a move to manage securities litigation.
[Update: SamaBlog accurately points out that the law is there to protect people from high-risk investments. I should have said that, and made clear that I’m discussing the unintended consequences of the law here.]