Phill Hallam-Baker's Security Blog
Monday, March 22, 2004
Wired News: Brits Going at It Tooth and Nail

This story worries me, but not because I am a fan of social conservatism; I think that if people want casual sex that is their own affair. Nor does it appear to be a major health risk: if people use condoms there should be no problem.

The part that does worry me is all the personal security issues. Announcing to folk you don't know that you are available for casual sex might not be the safest thing to do. What do you do when the sexy 20-something girl you thought was sending the message turns out to be the 6'3", 350 lb guy sitting a few rows down, who stole the phone from the last guy he mugged this way?

The 'toothing' craze appears to be a Bluetooth phenomenon. At present it seems to be mainly a UK thing, but something similar might be happening in Japan, where GPS positioning is starting to become common.

It does not even need to involve a cell phone. I guess a similar thing could happen through meetup-type bulletin boards. It need not even involve sex. The role of sex as a pioneer of new forms of social interaction is well documented. What if this same type of technology were to be used for non-sexual encounters?

For example, I am really into woodworking at the moment. My Delta Unisaw should be delivered today. Now fine woodworking is not an unusual hobby; it is likely that on any given day a plane or hotel would hold someone else with a similar interest. Perhaps we could meet up for dinner and conversation? The difficulty is finding them.

People criticize the net for breaking social connections, but the truth is that modern lifestyles did that decades ago; the net is the biggest factor putting society back together. We should think hard about how to allow this type of thing to happen safely.

Sunday, March 21, 2004

Even with cryptography there is no such thing as 100% risk free

Acme Klein Bottle
You can tell a coffee shop is geek-oriented when it serves its 'bottomless cup' of coffee in a Klein bottle.
Thursday, March 18, 2004
TAP: Web Feature: Rational Security. by Matthew Yglesias. March 16, 2004.

I don't intend to get into politics to any great extent in this blog, but one point that this article makes is that the Bush Administration is focused on terrorism supported by state actors.

This type of terrorism certainly existed in the 1980s. The IRA received funds from Libya. Iran supported terrorist groups in Lebanon. More recently the Taleban supported Al Qaeda in Afghanistan, and the Taleban was in turn largely the creation of President Musharraf and Pakistan.

But this is not the case today. State involvement in terrorism has been almost completely eliminated. There are many reasons for this, in particular the end of the Cold War and the Israeli withdrawal from Lebanon. But one of the most important factors was that the US and other countries made it plain that support for terrorism, whether covert or overt, would be considered cause for war.

It is now necessary to change the strategy, not because it failed but because it succeeded. Eliminating the state sponsors of terrorism was the easy part. The Taleban government is gone and it is not coming back. But Al Qaeda is still functioning despite having absolutely no state support whatsoever.

Sunday, March 07, 2004
NewsForge | A peek at script kiddie culture

OK, so a second bite at the same article; let's take a look at those DDoS schemes.

According to the article the ISPs are unresponsive to takedown requests and the FBI does not take notice. I know that people keep making this complaint, but there are high-tech crimes units in the major cities and they are looking to take down these guys. At the moment, though, the demand is such that DDoS is being treated as if it were a littering offense.

I think we need a better primer on how to prepare a case for law enforcement. I guess it is possible, if you read the article carefully, that the desk guy thought this particular person had been getting evidence by hacking.

We can't expect to do this with law enforcement in the loop every time. Let's change the model: law enforcement only gets involved if the ISPs fail to act, and instead of just going after the hacker there is a liability for the ISP.

This is consistent with the fire department model of government safety regulation. You can do pretty much anything to your house, decoration-wise. Government only gets involved when safety is the issue. In particular the fire dept won't let you build a house that is a fire trap, in part because it might set fire to the buildings around it.

Here we have ISPs that are forwarding bogons. It seems to me that this should not be that difficult to prevent. A $500 box performing passive listening at the cable head end could sound an alert when there is a bogon attack. You don't have to look at every packet; all you need to do is look at a sample. If you see an Ethernet MAC spewing bogons, you shut it down.

Another approach would be to push the bogon prevention right to the cable modem. Why on earth would these let bogon injection take place in the first place? Sure, there will be some hacked modems, but DDoS is coming from hijacked machines.

Cable modems, NAT boxes and the like should have limiters built in to prevent the creation of ridiculous numbers of SYN packets, or of outgoing UDP packets to reserved system ports like DNS. It is pretty easy to think of numbers that would be no inconvenience to any legitimate use, and there could be an option to turn them off in any case. But why give every home user the equivalent of a loaded machine gun when they don't need or want one?
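To make the two controls above concrete (sampling at the head end for a MAC emitting bogons, and per-host caps on SYNs and outbound UDP to port 53), here is an added Python monitor. It is my illustration, not code from the post: the packet records, MAC addresses and thresholds are constructed, and the reserved-address list is a hand-picked subset of the blocks that should never appear as a source on the provider-facing side of a subscriber link.

```python
"""Added example: per-MAC monitor over a sample of subscriber traffic.

Everything here is constructed for illustration; the thresholds are
assumptions and would be tuned to the head end's sampling rate.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Source blocks that have no business leaving a subscriber link: "this"
# network, loopback, RFC 1918 private space, link-local, multicast, reserved.
# A production list would follow the current IANA special-purpose registry.
BOGON_BLOCKS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of capture
    src_mac: str       # Ethernet source seen at the head end
    src_ip: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    syn: bool = False  # TCP SYN without ACK


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in BOGON_BLOCKS)


class SourceMonitor:
    """Counts three kinds of suspicious packets per (MAC, time slot) and
    reports any MAC whose count in one slot exceeds the configured limit."""

    def __init__(self, window=1.0, max_bogon=3, max_syn=20, max_udp_dns=10):
        self.window = window
        self.limits = {"bogon-source": max_bogon,
                       "syn-flood": max_syn,
                       "udp-dns-flood": max_udp_dns}
        # (mac, slot) -> category -> count
        self.counts = defaultdict(lambda: defaultdict(int))

    def observe(self, p):
        key = (p.src_mac, int(p.ts // self.window))
        if is_bogon(p.src_ip):
            self.counts[key]["bogon-source"] += 1
        if p.proto == "tcp" and p.syn:
            self.counts[key]["syn-flood"] += 1
        if p.proto == "udp" and p.dst_port == 53:
            self.counts[key]["udp-dns-flood"] += 1

    def offenders(self):
        found = defaultdict(set)
        for (mac, _slot), cats in self.counts.items():
            for cat, n in cats.items():
                if n > self.limits[cat]:
                    found[mac].add(cat)
        return dict(found)


def sample_traffic():
    """Constructed sample: one normal host, one SYN flooder, one bogon source."""
    pk = []
    normal, flooder, spoofer = ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02",
                                "aa:aa:aa:aa:aa:03")
    for i in range(3):   # a few web connections and two DNS lookups
        pk.append(Packet(0.1 * i, normal, "203.0.113.10", "tcp", 80, syn=True))
    for i in range(2):
        pk.append(Packet(0.5 + 0.1 * i, normal, "203.0.113.10", "udp", 53))
    for i in range(60):  # 60 SYNs inside one second
        pk.append(Packet(0.01 * i, flooder, "203.0.113.11", "tcp", 80, syn=True))
    for i in range(8):   # packets with a private source address
        pk.append(Packet(0.05 * i, spoofer, "10.0.0.1", "udp", 1234))
    return pk


def scan(packets, monitor=None):
    monitor = monitor or SourceMonitor()
    for p in packets:
        monitor.observe(p)
    return monitor.offenders()


if __name__ == "__main__":
    for mac, reasons in scan(sample_traffic()).items():
        print(mac, sorted(reasons))
```

The point of the design is that the check needs only a sample and a handful of per-MAC counters, so it runs happily on cheap hardware at the head end; the same `observe` logic, with the MAC replaced by the LAN side, is what a modem-side limiter would do before forwarding.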

Reduce the value of your machine to a hacker, reduce the probability of attack?

NewsForge | A peek at script kiddie culture

This article pretty much shows that little has changed in the past ten years except for the number of perpetrators. Although this is described as 'script kiddie culture', it sounds as if the hackers described have rather more skill than the usual knob-turner types.

I am not sure that anyone ever claimed that hackers did not find out some exploits on their own. But hackers have always found it easier to take ideas from others than to come up with their own. Reverse engineering patches is just a twist on a trick used by Kevin Mitnick, who intercepted reports of security vulnerabilities in VMS sent to their security expert.

We know that whenever a patch for a serious security vulnerability is released it is almost always reverse engineered and turned into an exploit. I spent some time discussing this issue with some Microsoft engineers at RSA Europe. The next version of the update tool will work more like patch does: instead of distributing full executables it will circulate diffs. This might appear to make reverse engineering easier; actually it does not really, because the same information can be found by running diff.

I don't know that there is a satisfactory solution here. One way might be to use linkers that make arbitrary variations in the order of modules in the final image. This has two problems: first, it is probably not that hard to reverse engineer (no harder than doing it in the first place), and second, you might end up causing changes to program behavior.

Blocking the reverse engineering hole might not work anyway; it might just chase the problem further upstream. The number of hours hackers spend looking for code vulnerabilities is a whole heap less than the number of hours spent in security reviews. Looking at the code is the stupid way to do it, and the attackers are not stupid, nor are they particularly interested in hard work if they can avoid it.

You don't have to start from a patch; you can start from any user bug report. Every time a computer program crashes it has lost control somehow. If you start taking crashes seriously you can start to work out why they are going wrong, and you may find a way to find a hole.

What this comes down to is having to change the way we write programs. We have to start taking design for security seriously. With few exceptions, most security problems come from failures of bounds checking. It's that old buffer overrun bug from assembly language and C. It never ceases to amaze me how Dennis Ritchie has been so successful at pinning the blame for the consequences of his screw-up on the Redmond club.

Moving to managed code (Java, C#) would make a big difference to the security of systems. Stripping down O/S distributions to the bare bones would too. I don't think messing with update distribution would have the same effect.

Saturday, March 06, 2004
ISP hammers Bob Vila site with spam suit | CNET

One of the big problems with legislation is that it is a blunt instrument that does not necessarily hit the people you want it to. Is Bob Vila a spammer? Possibly, but not very likely. Is Bob Vila selling penis potions, mortgages or inviting you to help move money out of Nigeria illegally? Almost certainly not.

The problem here is 'deep pockets'. Civil law is much more effective at keeping legitimate businesses honest than it is at stopping the schemes of out-and-out criminals.

Rather than filing lawsuits to determine whether someone opted in or out, let's use technology. Last year I proposed a scheme that would allow someone to send a token along with their mailing list subscription; the token would be returned with every email sent, as 'proof' that they had really subscribed to the list. It is pretty easy to make this completely transparent to the end user and mailing list admin alike. In fact it allows some longstanding mailing list problems to be cleaned up, like how to subscribe or unsubscribe cleanly.

Hopefully more on this soon.
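As an added sketch of how the subscription token above could work end to end, here is a small Python model of both sides. It is my illustration, not the scheme as the author specified it: deriving each list's token from one subscriber secret with HMAC, the header names X-Subscription-Token and List-Id, and the addresses are all my assumptions.

```python
"""Added example: subscription tokens that travel with every list post.

Subscriber side derives a per-list token (HMAC over the list address, my
design choice); the list stores it at subscription time and stamps it on
every message; the subscriber's inbound filter checks it. All addresses
and messages are constructed.
"""
import hashlib
import hmac
import secrets


class Subscriber:
    """Mail-client side. One long-term secret; no per-list state to store."""

    def __init__(self, address, secret=None):
        self.address = address
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.revoked = set()          # lists we have unsubscribed from

    def token_for(self, list_address):
        msg = (self.address + "\n" + list_address.lower()).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def subscribe(self, mailing_list):
        # The token goes along with the subscription request; the list keeps it.
        mailing_list.add(self.address, self.token_for(mailing_list.address))

    def unsubscribe(self, list_address):
        # Revocation is local: list mail stops passing the check even if the
        # list never processes the unsubscribe request.
        self.revoked.add(list_address.lower())

    def accepts(self, message):
        """Inbound filter: mail claiming to come from a list passes only if it
        carries the token issued at subscription time (constant-time compare)."""
        list_address = message.get("List-Id", "").lower()
        if not list_address or list_address in self.revoked:
            return False
        presented = message.get("X-Subscription-Token", "")
        return hmac.compare_digest(presented, self.token_for(list_address))


class MailingList:
    """List side: remembers each member's token and stamps it on every post."""

    def __init__(self, address):
        self.address = address
        self.members = {}             # subscriber address -> token

    def add(self, address, token):
        self.members[address] = token

    def send(self, subject):
        return [
            {"From": self.address, "To": member, "List-Id": self.address,
             "Subject": subject, "X-Subscription-Token": token}
            for member, token in self.members.items()
        ]


def run_demo():
    """Constructed scenario; returns the four outcomes worth checking."""
    alice = Subscriber("alice@example.test")
    lst = MailingList("woodworking@lists.example.test")
    alice.subscribe(lst)
    genuine = lst.send("Unisaw arrived")[0]

    forged = dict(genuine)                      # a spammer copies the headers
    forged["X-Subscription-Token"] = "0" * 64   # but cannot know the token
    missing = {k: v for k, v in genuine.items() if k != "X-Subscription-Token"}

    accepted_genuine = alice.accepts(genuine)
    rejected_forged = not alice.accepts(forged)
    rejected_missing = not alice.accepts(missing)
    alice.unsubscribe(lst.address)
    rejected_after_unsub = not alice.accepts(genuine)
    return (accepted_genuine, rejected_forged,
            rejected_missing, rejected_after_unsub)


if __name__ == "__main__":
    print(run_demo())
```

The token is a shared secret between one subscriber and one list, so a compromised list server can only impersonate that list to its own members, and a subscriber who wants out simply stops honouring the token, which is the clean unsubscribe the post refers to.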

InfoWorld: Windows XP SP2 could break existing applications (March 04, 2004, Platforms)
InfoWorld reports that Windows XP Service Pack 2 may break some applications because of security enhancements. I hope the firewall changes break Gator and Comet Cursor real good.
