Sunday, 28 February 2010

Frantic Support Call

Best Newcomer in a Supporting Role

You see, this is why my admiration for our Help Desk staff has always been, and remains today, unbounded. Also: why I would never have succeeded in a professional tech support capacity. Today, over the telephone, I had to help my elderly (84yo) Aunt regain the picture on her Sky+HD system.

Don't get me wrong. Auntie may be vintage circa '25, but she's absolutely no slouch. Every week she does her shopping, and the lottery, on the Internet. Every day she keeps in touch, via email and IM and the occasional forum or two, with family, friends, and ofttimes colleagues. In fact she's almost certain to read this, which is in its own way terrifying for me!

Nevertheless, I must tell you about that conversation between us today. As the curtain rises, the audience sees a lady in a chair, looking at a blank TV screen. A voice comes over the telephone speaker...
Me: Now press the Source button. What's on the screen?
Auntie: AV one.
Me: Good. Now press it again. What's on the screen now?
Auntie: AV two.
Me: Okay, one more time. What's on the screen now?
Auntie: HDMI one.
Me: Anything else?
Auntie: No, just HDMI one.
Me: Are you sure there's absolutely nothing else on the screen?
Auntie: Nope, nothing else at all. Apart from Harrison Ford.

Keep up the good work, guys.

Friday, 26 February 2010

Security Digest #6

February Rollup

Finally, some late breaking items of News...

USA To Lose War

Mike McConnell, from 2007 to 2009 the (Bush Administration) USA's national intelligence director, claimed on Tuesday that if the US got involved in a cyber war at this moment, they could not win. Testifying before the US Senate Commerce, Science, and Transportation Committee, he stated "We're the most vulnerable. We're the most connected. We have the most to lose."

According to a report from InfoWorld, he thinks that nothing will spur the government into action short of an attack with catastrophic consequences. "We will not mitigate this risk," he says. "We will talk about it, we will wave our hands, we'll have a bill, but we will not mitigate this risk."

McConnell was speaking five days after a simulated cyber attack, an extensive scenario designed by Former CIA Director Michael Hayden, was staged with the ballroom of Washington's Mandarin Oriental Hotel in the role of Situation Room. The attack started with a free March Madness smartphone app, activating malware to incapacitate cell networks, landlines, and the Internet, finally bringing down the entire East Coast electrical power grid. Commerce ground to a halt. Air traffic was thrown into chaos.

The verdict, when the dust cleared: the attack was "...neither deflected, nor mitigated to an extent that would avoid considerable impact on the everyday life of citizens."

Meanwhile, Ryan Singel at Wired has, unsurprisingly, a rather different viewpoint from McConnell; in the interests of balance, be sure to read his "Cyberwar Hype Intended to Destroy the Open Internet" here.

SDL Coverage Note

A cool footnote to the list of 25 most wanted coding errors: one of Microsoft's principal security program managers on the Trustworthy Computing (TwC) team, Michael Howard, reports here on the extents of mappings between these errors, and the processes and tasks prescribed in the SDL.

Just as it was last year, once again the coverage is exemplary:
  • Every error on the list is covered by at least one SDL requirement.
  • Almost every error is also covered by either (1) an automated SDL verification tool, or (2) a secure coding library.
This evaluation exercise is becoming a tradition both at Microsoft and elsewhere, and security professionals have certainly begun to treat this list as one de facto standard for comparison of vulnerabilities and mitigations, though neither unanimously nor exclusively.

For Microsoft, Bryan Sullivan in May 2008 analysed the OSWAP top 10 most important web application security issues, finding the SDL already equipped with: XSS detection and prevention tools; guidance for preventing SQL Injection attacks; cryptography requirements, including mandated cryptographic algorithms and key sizes; and other resources directly addressing these issues. Then last year he did the same for the SDL and the CWE/SANS Top 25, that time finding all 25 "Most Dangerous Programming Errors" covered by SDL requirements in the areas of education, threat modelling, tools and/or manual processes - and all but two covered by multiple areas.

Michael's 2010 update contains the interesting observation that even such a programming error as CWE 98, "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", receives SDL coverage " our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft!"

That's what you get for structuring the SDL to provide basically sound, secure programming practices, rather than just adding rushed mitigations to security processes when a new vulnerability taxonomy appears. You get protection against vulnerabilities not yet on the list.

Watcher Of The Web

IE8 Security Program Manager Eric Lawrence’s Fiddler is an increasingly popular, freeware, and extensible (via any .NET language) Web Debugging Proxy. It allows logging, inspection, and breakpoint-assisted debugging of all HTTP/S traffic, via its event-based scripting subsystem.

Within its community of support tools, Casaba Security's Watcher plugin, a passive vulnerability scanner, is perhaps unique in the extent to which it integrates and keeps pace with the SDL. In fact at the time of writing, there are still multiple SDL requirements and recommendations for which Watcher provides the only automated tool support available (link goes to an SDL guest article about Watcher's features - by Casaba's Chris Weber).

Well, Watcher has just been improved again. Version 1.3.0 adds integration with the SDL and MSF-A+SDL templates, optionally including result exports to TFS, and can show you which of its tests map to which SDL requirements and/or recommendations. Several new XSS tampering checks have been incorporated. Cross-domain analysis is also improved by facilitating every response domain's treatment as an origin.

Most impressive is the early inclusion of new checks identifying insecure ViewState issues recently reported by Trustwave’s SpiderLabs, including JavaServer MyFaces ViewState, and even the latest .NET 4.0 MAC implementation changes.

Watcher is available as a free download at Codeplex. Meanwhile SDL's Katie Moussouris, MSVR founder, will demonstrate Watcher during an RSA co-presentation with Bryan Sullivan next week (AND-202: Microsoft SDL Tools: Automating the Security Development Lifecycle). Update: podcast preview available here.

Are All Bugs Shallow?

Linus's Law, formulated by Eric Steven Raymond, states that given enough eyeballs, all bugs are shallow. An odd formulation certainly, and subject to at least one deliberate comedic misconstruction!

An unusual article by Microsoft's Shawn Hernan (highly commented on Slashdot) begins by accepting the validity of this law, but attacking one of its minor premises, the supposed platitude that open source software is reviewed more than proprietary software. This he finds to be false, based on available data. Read his succinct coverage of the DARPA-sponsored Sardoniox project and its outcome, the insights into Microsoft's Shared Source Initiatives, the success of Coverity, and inevitably his support of the SDL, here:

And that's where I hand you back over to the Faculty of Mathematics, for the latest Weather Report. Good night.

Thursday, 18 February 2010

Here Come The Lawyers (Again)

Software Reliability Contracts

They've been threatening on the horizon for some time.

First the Open Web Application Security Project (OWASP) Foundation, a not-for-profit charitable organization dedicated to creating free and open tools and documentation related to secure software, established in consultation with Aspect Security, a Secure Software Contract Annex here:

containing the template for a software development contract.

Then in January 2009, computer experts, from more than 30 organizations worldwide, released a consensus list of the 25 most dangerous programming errors leading to breaches of security. The list was championed then by the National Security Agency, and represented the first occasion on which such a broad cross-section of computer professionals reached formal agreement on the most common security-related pitfalls in programming.

In place of the traditional focus on mitigations, this consensus list concentrated on the programming errors that cause such vulnerabilities, offering concrete measures that might be taken by developers to avoid them. A press release at the time suggested that such a list would one day shift the responsibility for secure code development to software companies, by allowing their customers to require signed assurances that products are free of all such well documented error categories.

It Hasn't Happened Yet

That was over a year ago. Now they're at it again! The Register is all Experts reboot list of 25 most dangerous coding errors - Heal thy apps, while Slashdot has picked up on it too.

First the meh news. Quite unaccountably, the full list of 25 errors leading to vulnerabilities and exploits, has remained largely unchanged since last year. The update, driven by the not-for-profit MITRE Corporation, the Sans Institute, the National Security Agency, and the US Department of Homeland Security's National Cyber Security Division, shows XSS (cross-site scripting), SQL injection, and buffer-overflow bugs topping the list of the top 25 vulnerabilities, actually released via production code, and subsequently exploited.

For these are they:
  1. Failure to Preserve Web Page Structure ('Cross-site Scripting')
  2. Improper Sanitizing of Special Elements used in an SQL Command ('SQL Injection')
  3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  4. Cross-Site Request Forgery (CSRF)
  5. Improper Access Control (Authorization)
  6. Reliance on Untrusted Inputs in a Security Decision
  7. Improper Limitation of a Path name to a Restricted Directory ('Path Traversal')
  8. Unrestricted Upload of File with Dangerous Type
  9. Improper Sanitizing of Special Elements used in an OS Command ('OS Command Injection')
  10. Missing Encryption of Sensitive Data
  11. Use of Hard-coded Credentials
  12. Buffer Access with Incorrect Length Value
  13. Improper Control of File name for Include/Require Statement in PHP Program ('PHP File Inclusion')
  14. Improper Validation of Array Index
  15. Improper Check for Unusual or Exceptional Conditions
  16. Information Exposure Through an Error Message
  17. Integer Overflow or Wraparound
  18. Incorrect Calculation of Buffer Size
  19. Missing Authentication for Critical Function
  20. Download of Code Without Integrity Check
  21. Incorrect Permission Assignment for Critical Resource
  22. Allocation of Resources Without Limits or Throttling
  23. URL Redirection to Untrusted Site ('Open Redirect')
  24. Use of a Broken or Risky Cryptographic Algorithm
  25. Race Condition
The recent attack on Google and 33 more than 100 other large companies, numerous breaches suffered by military systems, and virtually all - all - of the millions of recent cyber attacks upon small businesses and home users, can be traced back to one or more of these 25 programming errors.

But There's A Push On

Published on Tuesday (Feb 16), the list is headed by an introduction urging software consumers to hold software developers responsible for their products' security. Business customers "have the means to foster safer products, by demanding that vendors follow common-sense safety measures, such as verifying that all team members successfully clear a background investigation, and be trained in secure programming techniques."

"As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you," it states.

And this time, among various other terms and conditions that should be requested by customers, it also includes references to this draft contract,

based upon that groundbreaking OWASP Foundation work.

It was Peiter "Mudge" Zatko, the inventor of the buffer overflow exploit, who in February 2000 in a White House meeting of Internet and software experts, famously told President Clinton, "People write software sloppily. Nobody checks it for mistakes before it gets sold."

Despite many advances in computer security, when seen from an end-to-end perspective, little appears to have changed in those ten years. Perhaps now, with customers being mobilised and empowered by such potentially deal changing initiatives as this one, now might be a good time to stop relying on all those shrink-wrapped legalese disclaimers, advertising to your customers litle more than the fact that your software can be relied upon to do absolutely nothing with any degree of reliability.

Colleague update: Scottish Developers Secretary Barry Carr offers an hour on "Contractual Obligations: Getting Up and Running with Code Contracts" starting at 9:30am this coming Developer Day Scotland, May 8 2010, at Glasgow Caledonian University. Registration opens in literally half an hour, at 12:30 today (March 1). Full agenda here.

Summer Is Coming

Charlotte Hatherley

A fully excellent sentiment for mid February in the North.

Treat yourself to some perfect pop, then look for Charlotte's 2004 debut solo album Grey Will Fade, to enjoy among many other delights, the quirky instrumental tail so inhumanely cropped from this vid.

Sunday, 7 February 2010

Match Report

Scotland 9 - 18 France

Why can't they move The Six Nations to a warmer month?

It's not as if half the participants hail from Australia or New Zealand, we all live right here. And even those of us who don't, those poor unfortunates compelled to domicile the vicinity of the Mediterranean Sea, surely they must feel it even more than we.

How many more years must we sit perched on that bleak exposure of scaffold, that aerofoil to the cold east winds and drizzle, sneezing and dripping into our pies and chips on drab Scottish days? Watching those big cheerful screens, showing the bright sunny lies being transmitted back, courtesy of big media's photomultipliers, to all those who had the good sense to stay indoors?

You can probably gather much from that paragraph. For one thing, we didn't win. Well actually, the headline already kind of clinched that. Also, my attendance was reluctant, virtually all of the enthusiasm for the trip being initially my wife's. Finally, you might just have discerned, from my rueful sobs against the effects of the weather, that the pies were actually quite good...

It was a fine trip, really. We set out and arrived very early, to get parking near the stadium. Then we had plenty of time to wander around, see and hear what was going on, buy programs, take photos, annoy the stewards to let us in early (they didn't), and eat and drink a junk breakfast. The Famous Grouse offered a free beanie to anyone buying a "Ginger Grouse", which sadly turned out not to be Scots-Thai fusion cuisine, but merely a whisky and ginger beer. Well, I say merely. Of course Linda got the beanie.

We managed to find our seats. And then a wee while later, when their rightful owners appeared on the scene, asking awkward questions, we managed to find some more.

Kick-off! Minutes later there's a cloud of blue jerseys thundering down past the far 22, and I'm jumping up, shouting "Come on Scotland!" and cheering like a bampot. Which I am; for immediately afterwards, when a French injury sub (Vincent Clerc for Aurelien Rougerie) is announced, I suddenly grasp that those blue jerseys are in fact the visitors, and we are playing in white.

Quick recalibration of the specs and we're back in business. Chris Paterson has put us ahead with an early penalty, and we begin to believe the good reports we've heard about this team - against our better judgement, and that of history, which says we can only win when underdogs. We did beat the French here by 20-16, four years ago.

But sure enough, the first cheese-eating surrender-monkey try soon followed, thanks to Mathieu Bastareaud, fresh from his June 2009 stint in Australia and New Zealand, where he claimed that four or five men had attacked him from behind, when in fact security camera footage helped establish that he'd come back drunk after 5:20 am and sustained facial injuries, perhaps by tripping over a table in his hotel room as he later claimed.

Morgan Parra failed to convert, but landed a penalty, then Paterson did likewise. 6-8 wasn't looking too bad. Then, the internationally disgraced pork pie salesman Bastareaud reeled and staggered and fell all over our try line once again. Or could he have been pushed over by some team mates, who then agreed to cover the whole thing up?

Parra converted this time (6-15) and Scottish spirits took a dip. Almost literally - as Linda, trying to control her camera and keep hold of her program, forgot to use her third hand to keep her lager steady. It fell to the ground with a most unlikely clunk, then failed completely to wobble or fall over like an unreliable French centre, but elected instead to spit a frothy plume of Carling straight up into the air, then back down on top of everyone in the vicinity.

And when she picked it up, true to her own nature, the glass was still half full!

You're right, I've lost all interest in the game at this point. There's more substitutions going on than anything else, and it all winds up shortly afterwards with a couple of additional penalties, one apiece. We're soon wandering off into the cool Edinburgh night, munching on a steak baguette, shaking hands with French strangers in funny hats, and laughing at the drunken bampots in the hospitality suites.

I do hope that you have found my account completely unbiased.

All photos copyright © 2010 by Linda & John Kerr.

Tuesday, 2 February 2010


Electoral Reform

Gordon Brown is keen to scrap Britain's "first past the post" voting system if Labour wins the next general election.

At this stage, looking at all the available opinion polls, you might find it hard to escape the conclusion that any voting system, which can manufacture a Labour victory out of this deep hole, needs quite urgently to be replaced - as a matter of some national emergency. But that's a post for another day...

The proposed change, the alternative vote system being considered, is of a kind known technically as an 'alternative vote' system.

According to BBC News, Mr Brown "... is said to have secured agreement from senior ministers for a vote by MPs on electoral reform next week and will be seeking the approval of his Cabinet this morning."

In other words, he and his senior ministers have essentially voted, to have another vote today, to decide whether or not to have a vote next week, to decide whether or not to have a vote, after the next general election (and assuming, of course, that vote goes his way), to decide exactly how we shall all vote - in future general elections.

The Aristocrats.

Масленица в древнем Угличе!

Things My Postman Brings Me

Who could fail to love a town, where "the only type of urban transport is a vapor"...

Grand Circle Program Directors in Traditional Russian Royal Dress
(c) Linda Garrison

Shrovetide in old Uglich! (13-14 February 2010.) Welcome to one of the most unusual trips! For 2 day bus tour you will experience everything!

Touches the high and eternal, visiting monasteries and acting mysterious ancient churches on the Golden Ring cities - Uglich.

Feel the joy of the earth, engaging in lively Shrovetide festivities with pancakes, mummers, goblet of mead. There will be dancing on the accordion with Baba Yaga and the Wood-Demon, burning effigies Maslov, fun contests and tasty treats.

All this is just for you!

You will never forget their experiences, visiting the town of Myshkin, where the only type of urban transport is a vapor, and visiting museums with the eloquent title "Russian Boots" and "Library of Russian Vodka". And "House of Crafts" will give you a unique opportunity to become a potter at the time, or a blacksmith and create something with their own hands!

Comfortable travel and stay in a comfortable boarding house on the banks of the Volga - will only reinforce your impressions!

Price - 4800 rub. All Inclusive!

Information by phone: -XXX - XXX-XX-XX, XX-XX-XX

Translated from the original Spam by Google. Please note that Ms Garrison's beautiful photo appears for illustrative purposes only, and has no connection with unsolicited emails.

Monday, 1 February 2010

Tweets - January 2010