Slashdot Mirror


User: Proaxiom

Proaxiom's activity in the archive.

Stories: 0
Comments: 169
First seen: (not recorded)
Last seen: (not recorded)
Profile (view on slashdot.org)

Comments · 169

  1. Re:The UNIX vs MS Windows discussion is lacking on A Taste Of Computer Security · · Score: 1
    The security initiatives have been going on a lot longer than just their "global security mobilization" of October 2003.

    Indeed. I was referring to their 'Trustworthy Computing Initiative', which was announced about 2 and a half years ago. That is still a relatively short period of time to be working at it, considering that they had put about 17 years' worth of 'untrustworthy computing' tools into the field already.

    Explain how a train simulator could possibly require admin authority except in a poorly architected environment?

    Easy. It is protected by SafeDisc, which may have problems when being used by someone who is not an administrator. Did you even read the link you posted?

    The administrator access problem is not a symptom of a poorly architected environment. The NT architecture uses a more or less standard discretionary access control model, and cannot be faulted for the fact that most app developers don't pay attention to it. In this case it's not even the application developers who are at fault, it's the authors of the copy-protection technology, who probably didn't test their software under NT with reduced privileges.

    I'm not generally a defender of Microsoft's security efforts, and I'll agree that there is a lot to be desired from their approach to security, but you're barking up the wrong tree with these complaints.

  2. Re:The UNIX vs MS Windows discussion is lacking on A Taste Of Computer Security · · Score: 2, Interesting
    I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

    This is not a fair criticism. The 'security initiative' thing is still relatively new, and they are burdened by a large number of legacy security problems from the many years of development without any regard for security problems.

    Most of the games in that list, for instance, were originally intended to be played in the 9x series of OS's, which had no notion of anything that was not administrator access (actually, 95/98/ME users had more access than NT admins do!).

    There are certainly areas where Microsoft's commitment has been lacking, but the least privilege principle is one of the better areas. Michael Howard et al have been pushing hard for this within Microsoft, and more importantly, pushing for better developer education on how to write code that adheres to least privilege.

    Because when you get down to it, if an application requires administrator access to run, it is not the fault of the Operating System.

  3. Re:He's on the wrong show. on The Man Who Knew Too Much · · Score: 1
    They probably filmed those episodes in a week or two at most.

    No, it would have been five weeks or so filming the episodes. They film one week's worth of episodes in a day, and then take the rest of the week off.

    Game show hosting is good work if you can get it.

  4. Re:Balloon on Japanese Balloon Battle · · Score: 1

    Canada declared war on Japan on December 7, 1941. The United States did not do so until the next day. Japan invaded Hong Kong the same day they attacked Pearl Harbour (and the Philippines). Hong Kong was defended in large part by Canadian troops. The Soviet Union declared war on Japan after the bomb was dropped on Hiroshima (but before the Nagasaki bomb, IIRC). That was purely political.

  5. Global Information Grid on Army Plans Overhaul of Infantry Gear · · Score: 3, Informative
    Has the Global Information Grid come up on Slashdot before?

    It's a similar way too forward-looking military thing. The plan is that by 2020, every soldier will have an IP address.

  6. Re:Not exactly a 0-day exploit on Sasser Worm Disruption Growing · · Score: 4, Informative
    An unfortunate factor of this worm is that the patch that fixes the exploited vulnerability - MS04-011, has been found to have stability problems and other issues in the field.

    This has caused many administrators to be hesitant to install it. Bugtraq had a discussion of the problems in April.

  7. Re:That's because in the US... on MIT Studies Software Development Processes · · Score: 1
    Sure, I've tried instituting "processes" and management's always keen on the idea. But when push comes to shove,

    Processes should be designed to fit the way you work, not the other way around. Trying to force everybody to do things differently than they have already been done by writing a document is never going to work.

    But there are development models that try to accommodate those problems. Try to find one that fits the way your development projects unfold. For instance, Extreme Programming (aka 'Agile Development') accommodates constantly changing specs quite well.

    The funny thing is, there are a number of processes used in industry that describe very well what tends to happen (and can structure the chaos that can ensue), but management, which often causes the chaos, tends not to like them. Management usually prefers rigid processes that tend to get thrown out the window the first time a project goes into crunch mode.

  8. Re:Windows and Linux examples, yes on Malware - Fighting Malicious Code · · Score: 5, Informative
    Every great athlete blames the equipment, right?

    It's certainly true that "as long as we use those tools, we're going to have those problems", but I'd go a step further and include computers and networks in your list of tools that have inherent issues.

    Java is not as risk-prone as C, but that does not mean it's a security panacea. It has its own set of problems. You can say we shouldn't write code in unsafe languages, but then we wouldn't have any left.

    And, to put it simply, Java applications don't run as fast as C applications. While most of the time that's not important, sometimes it is.

    You can't tell people to stop using unsafe tools. That's equivalent to telling people to encase their computers in concrete and drop them in the ocean to secure them against malware. Instead, tell people where the risks lie and how to mitigate those risks. Then people will naturally gravitate toward safer tools and practices, because we are all lazy and that way we will have less work to do building adequately secure applications.

  9. Re:But the practice is illegal in the U.S.?! on Canadian Recording Industry Goes After P2P Users · · Score: 5, Interesting
    It's not an urban legend, it's actually the law. The Copyright Act was amended with the change in 1998. You can copy any music you want, as long as you don't give the copy away (or sell it).

    It's also the reason we have the retarded levy on blank media (CDs, tapes, etc.). It's a misconception that the extra fee is supposed to cover losses due to piracy, it's actually supposed to cover losses due to legal copying.

    It wouldn't be such a bad thing except for the stupidity of taxing media that are used for things other than music. Why system administrators should have to pay a levy to the music industry in order to archive data to CD is a bit hazy.

    It's also a tad mysterious as to why this law applies exclusively to music, and no other copyrighted works.

  10. Re:snake oil on Clay Shirky: RIAA Succeeds Where Cypherpunks Fail · · Score: 5, Informative
    The problem is that encryption is 90% snake oil.

    Where does that claim come from? I'm pretty sure it's not true because more than 10% of encryption is PGP (not counting government crypto, anyway), and PGP isn't snake oil.

    It's pretty easy to find snake oil, just read the Doghouse section of Bruce Schneier's monthly Crypto-Gram. But there are also a lot of good companies out there providing a lot of crypto solutions (although admittedly most of them actually license the technology from a small handful of good companies, like RSA and Certicom).

    Encryption also does little when physical security can't be controlled

    But the issue at hand, with regard to the RIAA and anonymity, is about network security. The RIAA finds it much easier to subpoena your ISP than to sneak into your house and steal your USB keys.

    Good and ubiquitous crypto certainly isn't the end-all-and-be-all of security, as you point out, but it would indeed make for 'profound and irreversible' changes in the Internet, in the vulnerability landscape, and in the threat models of pretty much everyone on it.

  11. Re:Reasonable damage figures on Adrian Lamo Surrenders · · Score: 4, Insightful
    To start with, the damage figures in the Kevin Mitnick case were entirely unreasonable.

    And cost to evaluate and repair are a little hard to get a handle on. If you keep good logs then the cost of making sure he didn't steal or damage sensitive data isn't all that difficult (provided, of course, he didn't steal or damage sensitive data). 'Repair' can have a much higher cost, but it also has a marked benefit. Spending money to fix the vulnerability Adrian exploited cannot really be considered a loss (it has an ROI, in fact). It's like accusing a building inspector of causing damage when he points out the crumbling foundation of your house. (The difference here, that Adrian's actions were illegal, is not lost on me, but we're talking strictly about damage computation).

    LexisNexis is a little different. Since he would not have otherwise paid $300,000 for the service, he didn't really cost them that money. This is much the same as copyright infringement 'damages' where the RIAA claims you downloading 1000 songs costs them thousands of dollars, even though most people would have actually purchased only a small percentage of the songs they downloaded. Adrian may have incurred costs using system resources if he caused inconvenience to other customers, and again there are assessment costs as well.

  12. Re:The network administrators... on Microsoft Worms Crash Ohio Nuke Plant, MD Trains · · Score: 4, Informative
    It sounds like the firewall wasn't the problem. More like it came in over a VPN from a contractor's unsecured network.

    Blaster got past a lot of firewalls that way.

  13. Potential on Government Information Awareness · · Score: 4, Funny

    SELECT name FROM FederalPoliticians WHERE name.bimbo<>name.wife

  14. Trouble brewing on Mom Meets Linux - A Lindows 4.0 Review · · Score: 4, Funny
    I hope there aren't too many tools that adopt this approach to testing.

    I can foresee shortly after the first "Mom-Approved Nmap" version hits the market, any web site containing pornography, Barney, or Martha Stewart will find itself under constant attack by a wave of vigilante 'Script Mommiez'.

  15. Re:DOes it work ? on Honda Crash Detection System · · Score: 5, Insightful
    I don't think so. This is way different.

    It's fairly easy for a radar system to pick something up in front of you, and for a computer to track it. What we're talking about is picking out all the things in your path, and figuring out if you're going to hit any of them.

    The trouble the previous poster was referring to is that so much depends on context. For instance, what if I'm in a left turn lane driving directly toward a car in an oncoming left turn lane? We're not going to collide, but does my car know that?

  16. It's the insurance company's fault on Cyber Insurance Between the Lines · · Score: 2, Insightful
    They should have better worded the policy.

    I wouldn't be surprised if this kind of thing happens a lot over the next little while, until insurance companies (and in particular, the actuaries) can get their heads around the liability associated with network security.

    As a developer in the security industry, I look on this as great news. I've been saying for a long time that what data security companies really need is for the insurance companies to start tying premiums to security infrastructure. When that happens there will be a clear ROI on security investment, and companies will learn quickly how to cover their asses better from these kinds of vulnerabilities.

    Situations like this motivate the insurance companies to start assessing risk, and when they start assessing risk they start charging their customers for it, and when the customers are getting charged for it they start mitigating that risk. Right now, that just isn't happening.

  17. Re:wtf? on Fizzer Worm Uninstalling Itself · · Score: 3, Interesting
    All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

    RIAA's counterpoint:
    All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

    Is there a difference here?

    Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

    However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

  18. BUT NO! on Security Expert Paul Kocher Answers, In Detail · · Score: 3, Funny
    That's exactly what he wants you to think! You see, if you realize that this really isn't a ROT13 encoded message, that was just to throw off the amateur cryptanalysts. The truly insightful, such as myself, would have thought to treat this as a one-time pad, encrypted with the following key (in hex):


    Which, of course, decodes the message to:

    In A.D. 2101 War was beginning. CAPTAIN: What happen? MECHANIC: Somebody set up us the bomb OPERATOR: We get signal CAPTAIN: What! OPERATOR: Main screen turn on CAPTAIN: It's You!! CATS: How are you gentlemen !! All your base are belong to us. You are on the way to destruction CAPTAIN: What you say !! CATS: You have no chance to survive make your time CATS: HA HA HA HA.......

    A devious one indeed, that Paul Kocher!

  19. Re:True with a caveat on A Hydrogen-Based Economy · · Score: 1
    even Greenpeace might embrace nuke plants as the lesser evil

    Tough sell. This has been a Kyoto protocol battle -- some countries (in particular Canada) want Kyoto credits for exporting nuclear power technology (Canada has these deuterium-uranium reactors that they sell all over the world; CANDU). They argue that nuclear power is a clean alternative to fossil fuels, since Kyoto is all about reducing carbon emissions.

    The environmentalist lobbies in North America and Europe have fought hard against it, apparently because they don't think building lots of new nuclear power plants is a preferred alternative to burning oil.

    And off-topic, I'm adding you to my Friends list for using the term "begging the question" correctly. :)

  20. Re:What? on Feds Move to Secure Net · · Score: 1
    They have more than one private network. There is no overarching government private network, but the DOD itself has two (SIPRNet and NIPRNet).

    There isn't really a point to having a single large network, because access would be too hard to control and you'd lose the security benefit. The preferred solution is to deploy multiple independent private networks, each with a special purpose enabling access to be very limited.

    That's exactly what this is.

  21. Re:I would hope so on Feds Move to Secure Net · · Score: 3, Informative
    I would have hoped the government would have thought of this much sooner.

    They have. NIPRNet and SIPRNet are two 'private internets' used by the US military (for unclassified and classified data respectively). This is just a new special purpose network for the Department of Homeland Security.

    They're not pretending it's a novel idea.

  22. Re:NEWS FLASH on Software Choice Group Tells DOD Not to Use Open Source · · Score: 3, Insightful
    On the other hand, reasoning that it's better to move to an open source product just because said OS product is currently attacked less, is fallacious.

    The argument is roughly analogous to reasoning it's better to move to a given neighborhood just because said neighborhood currently has a lower crime rate.

    As a parent and homeowner, that logic sounds pretty good to me.

  23. Methinks some moderators have been had... on When Profiling Goes Wrong · · Score: 0, Troll

    There is zippo pregnant gay man content in this article.

  24. Re:Irresponsible? on Controversy Surrounds Huge IE Hole · · Score: 4, Informative
    It's not as easy as that. The folks at Symantec have a good point: it was already available in a number of public forums, so disclosure wasn't an issue anymore.

    The criticism has a bit of a different skew:
    "Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

    I have to admit I wonder about this myself from time to time.

  25. Re:don't believe it on NSA Director, Congress and Monitoring · · Score: 5, Insightful
    Ridiculous. The police aren't elected either, do you think they have no incentive to protect your rights? Do you treat the army as an enemy because Generals don't obtain their posts democratically? Try to tell a court judge you won't accept his judgment because you didn't vote for him.

    While you do not elect them, they are a government agency and they ultimately report to elected officials (indeed, this report is written for a Senate committee).

    I am not an American, but I have met and worked with many fine people employed by the National Security Agency and I believe they are a great credit to your country. They are actively protecting you from real threats, and they have no secret agenda to destroy your freedoms.

    In that light, the question posed here is entirely appropriate. There is a compromise between freedom and security, and the NSA is exactly right to ask the government to decide where the compromise should end up. And rest assured, it will end up where the American people say it should end up.

    That may or may not give you some comfort. The decision-making capabilities of the American people can be questionable at times.