August 30, 2003
Hacking-by-subpoena ruled illegal
SecurityFocus has an interesting story about a legal case that has had to deal with some interesting cyberlaw issues.
In a civil case, it appears that a litigant sent a subpoena to an ISP ordering copies of all emails from a defendant's corporate account. The ISP complied (without notifying their customer or getting advice from their own counsel, I might add) and the litigant received tonnes of emails that did not relate to the civil case at hand. The result? The defendants sued the litigant for privacy issues, lost, appealed... AND WON!
The problem with this whole thing is the precedent it's setting. Throughout this case it seems like they ruled that a subpoena such as this is considered "breaking in", which could be spun to be used via the Computer Crime and Abuse Act and turn this into a criminal matter. Prosecutors love using this act because it's so broad in scope, which is why most hacking cases are based on it.
Personally, I think the ISP should have exercised more due diligence in the matter and determined whether the information (emails) they were about to release could lawfully be released. Simply acting on a subpoena without checking its scope and merit is just dumb. Next thing you know hackers are going to start firing off legal-looking subpoenas and getting to read all your mail!
Thank god I digitally encrypt all my sensitive emails with either X.509 certs or via gpg with ascii armour, and host my own mail server. Hope you are doing the same.
Posted by SilverStr at 11:05 AM
August 29, 2003
Minnesota teen arrested for Blaster strain
The Seattle Times just reported that investigators arrested Jeffrey Lee Parson aka "teekid", a Minnesota teenager (age 18) who the FBI said has admitted unleashing one version of a damaging virus-like infection weeks ago on the Internet.
Although this guy was caught, this isn't the original worm creator. His strain (Blaster.B) was released on my birthday, a full 2 days after the original worm was launched. But it's a start. The fact that teekid had the source so quickly begins the path to investigating the real source. Should only be a matter of time.
Of course, the laws governing such attacks (The Computer Crime and Abuse Act) are way too weak to really deal with this behaviour. It will be interesting to see the outcome of this, especially since teekid was apparently spreading the source on his t33kid.com domain (which now has it removed).
*sigh* When will they ever learn.
Symantec to start using Activation to reduce Piracy
SecurityFocus reports that Symantec will begin using product activation in its products to reduce the mass pirating of its software.
When Microsoft did this for XP, there were HUGE tremors in the community. As the first security product to do this, it will be interesting to see how people react.
What are your thoughts on this? I am still mulling over just how I will do license keying for my software, which is going to be released before the end of the year, and would love to hear people's thoughts. What other sorts of things have you seen that you like/dislike?
August 28, 2003
HOWTO: Securing MySQL
SecurityFocus just published a step-by-step HOWTO on securing MySQL. I think they did a great job on this one. I for one always hated the cryptic fashion needed to properly secure the database, and the wasted time I would spend trying to remember each step I needed to do. Thanks guys. Nice little page to have around!
Posted by SilverStr at 11:01 PM
Microsoft's Really Hidden Files
Lockergnome pointed to an older, but still interesting, article about hidden files in Windows. Microsoft Internet Explorer has not been clearing your browsing history after you have instructed it to do so, and Microsoft's Outlook Express has not been deleting your e-mail correspondence after you've erased them from your Deleted Items bin. How can you tell? They are in hidden folders that Microsoft doesn't want you to know about. Check out this article to find out if this is the case for you!
Kinda happy I use Firebird.
Security pros: Be wary of tech analysts
This comes on the heels of something Troy was getting at recently on his blog.
It is far too easy for someone to call themselves a "security expert". It gets worse when you are high profile (like an analyst), as followers will be attracted to you like lemmings, even if you really have no clue what you are talking about. Experience trumps reading a book or FAQ any day, and most of these people who call themselves experts have never even been in the trenches. ZDNet reported this in an article recently, where they point and counterpoint the analyst "expert" issue. I also see this in supposedly "Whitehat" hackers who have never hacked a system.
Yes I am going to cause some sh*t with that statement. Good. Until you know the threats you are susceptible to, you cannot effectively defend against them. And if you are in the field of applying technology to information security issues, you MUST learn how the hacker and his tools work. You must have experience hacking to get that. Now WAIT. I am not saying you should attack OTHER people's systems.. But you should gain some experience on your own machines, those on which you have permission to do so. I have dedicated VMWare sessions set up specifically to let me try new things and see how that particular OS would respond. When you have written/modified exploit code and tried a buffer overflow attack, you will grasp how it works far better, and then can start to learn how to defend against it. Same goes for worm propagation, patch management tests, penetration tests etc.
I see it time and time again. Great security technologies rendered useless by people who don't know how to properly use them. Strong security will always be trumped by weak implementation. Just because you can apt-get snort doesn't mean you know how to use it. Just because you can rpmfind nessus doesn't make you a vulnerability scanning god. Just because you read Secrets & Lies doesn't make you a security guru. I could go on and on and on and on and... well you get the picture.
We need to learn by doing, while applying the new knowledge we gain from others. I typically don't need to write a buffer overflow from scratch; I can draw on the experience of others on mailing lists like bugtraq, ntbugtraq, vuln-dev etc.
I think Douglas Adams said it best when he said:
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
Get my point? Roll up your sleeves and get dirty. Install some flavour of an OS (Linux is a simple and good choice) in a vmware session and attack it with the numerous exploits out there. Learn what it's actually doing. Then learn how to recognize the attack. Learn how to audit the system and find the penetration. Make the term forensic audit actually mean something to you. Then learn how to defend against it. Learn how to create policies and procedures that can be your guide within your real environment to prevent these sorts of attacks from even taking place. When you start to do this, you start to see the entire security management life cycle and realize most analysts don't know what they are talking about. Nor do many MCSE types who sell themselves as security experts.
My apologies to those in the information security field who lean towards the policy and management side. You will probably not CARE to do this. But I would like to challenge you to consider it. Understanding both sides of the field will make you a more rounded individual. You can better apply policy when you truly understand how the application of technology will be implemented. And hey... it's fun! Of course, the reciprocal is also true. Implementors of security technology need to fully understand the policy and procedures of the field, so you can truly apply technology properly. Security is not a technology problem alone, it's a business one. Understanding this will allow you to go much further in this field, as you can apply policy in the light of politics at any stage of the security management life cycle.
Of course, you can think I am some beaver lovin, nut case Canadian and ignore the electrons that make up this entry. Hopefully you won't be protecting any information that pertains to me, or some nuclear silo at the US border. :)
Microsoft fires up security Update beta project
The Inquirer (not the rag mag) reports that Microsoft has started a new beta codenamed Windows Update IU Control that is basically a rehash of Windows Update since the Blaster debacle. The report includes a letter from the MS Update beta team explaining how to use the new code. It will be interesting to learn just what is REALLY different in this version in the near future.
Posted by SilverStr at 08:29 AM
August 27, 2003
Q&A: Microsoft's Allchin on Blaster, security
NetworkWorldFusion wrote an article/interview with Microsoft's Jim Allchin about Blaster, and how it relates to Microsoft. An interesting read, mostly to see just how people at Microsoft are reflecting on what they are doing wrong. In spite of the push for the Trustworthy Initiative, they have a long way to go.
Admittedly, W2K3S is better, with a lower attack surface than previous versions of the OS, but that does nothing for the masses currently running XP, W2K and earlier versions. Only time will tell the results of such eye-opening experiences for the MS campus.
Posted by SilverStr at 09:34 AM
Attacks against weaknesses in the TCP/IP protocol
Found a simple article discussing various attacks such as smurf, teardrop, winnuke, boink etc. and how they relate to the weaknesses of the TCP/IP protocol. If you are interested in understanding and learning about these weaknesses, feel free to check out the article.
It's pretty basic, but easy to understand even if you are new to how these attacks work. Happy reading.
Posted by SilverStr at 09:25 AM
August 26, 2003
Taxonomy of Information Assurance
Found an interesting work in progress by Abe Usher, who is working "Towards Taxonomy of Information Assurance". He is working on creating a taxonomy of information assurance, based on the three aspects of:
It looks quite interesting. I look forward to seeing the final results in about 6 months. His initial results are now available, and are well laid out. Through an open collaboration process he hopes it will yield a useful tool for the security community to use in addressing information assurance issues.
August 25, 2003
Why people write computer viruses
The BBC has written an article in an attempt to explain why people would write virii.
I'm not sure that it is that simple anymore. It used to be easy to profile an attacker. In my last book there was an oversimplified chapter on profiling attackers, ranging from cyber terrorists to script-kiddies. But let's be honest... it's really hard to categorize attackers, their means and their motives nowadays. Well, more to the point, it's hard to separate the men from the boys.
I don't fret as much about script kiddies, who are more an irritation than anything else. You know what keeps me up at night? Realizing each strain of these malicious attack sequences is getting more creative, more experienced and more focused. As these attacks get more sophisticated, they will attract more and more serious criminals. With the huge potential for monetary gain directly or indirectly, serious criminals will enjoy the remote advantages that they don't have when breaking into a physical location. More importantly, they can exploit the gaps between legal jurisdictions and poor cyberlaws to take advantage of these systems.
Crime follows where the money is. We are an information age society, and more and more transactions are being done online each day. So too does the crime. But alas, the BBC article is still an interesting read. You should go do that now.
August 24, 2003
Initial Worm Injection - A creative approach
Ever wonder just how a worm begins propagating? Somewhere, somehow it starts with a single click.
The Washington Post ran an article showing how the latest strain of the SoBig virus was launched on a porn newsgroup. Quite an effective attack vector if you ask me. One of the reasons I stay away from newsgroups is the insane cess-pool that has grown as the Internet has commercialized. With so many lonely admins clicking feverishly on every post to see the next great pr0n shot, no wonder it propagated like mad.
Lesson to be learned? (besides the fact you shouldn't be visiting such cess-pools!) Never open an untrusted attachment without first realizing the implications, having it scanned, and running your environment with least privilege. Actually, you should always do that anyway.
Trust, but Verify
August 22, 2003
Face recognition failure
The idea of biometrics is kewl, but its practical application as of late has a long way to go. With it being so easy to fake fingerprints, iris scans producing false positives and face recognition software failing... it is just not mature enough yet.
The Tampa Tribune just ran an article in which the Tampa Police Department has eliminated the facial-recognition software hooked up to 36 cameras scanning crowds in Ybor City - after two years, zero arrests and zero positive identifications.
This is where I believe the vendor/manufacturer has failed the security community and, more importantly, their client. It appears that they went and sold a system, and never followed up to work out the kinks and make their product better. To go 2 years without a single positive match has to bode poorly for the product. Do they even care about their client? Maybe this is unfair of me to say because I am not there, but I wouldn't let a huge opportunity like a case study with the Tampa police go by the wayside without doing everything I could to work it out. Besides, that would only help the product along in its hardening cycle.
Goes to show you that yet again a biometric implementation has failed, and isn't ready commercially yet. Are we actually moving forward with this stuff, or taking a step back when this sort of thing happens? Of course, maybe Tampa's policing is so good that they drove out every criminal. Ya I doubt it too.
Posted by SilverStr at 07:59 AM
August 21, 2003
More critical flaws in Internet Explorer
Microsoft released a patch for a number of flaws in its Internet Explorer (IE) Web browser yesterday, including two it rated critical for some versions of the browser, which could enable an attacker to take control of a user's computer. Isn't that nice of them?
On top of that, they also released a patch for a flaw, rated important, in the MDAC (Microsoft Data Access Components) element of its Windows OS (operating systems). Lots of patching goodness in the middle of the hell all Windows admins are going through.
There is a good summary about these threats in this article at InfoWorld.
For more info about the bulletins:
Posted by SilverStr at 04:32 PM
August 20, 2003
Ok, I've decided anti-virus virii are bad
Ok, I made up my mind. I believe any sort of worm is bad. I was thinking this already, but a news article I just read brought that home to me.
The Associated Press reports that when Air Canada got hit with the MSBlast worm it caused a lot of havoc. What was worse, though, was that as administrators try to remove MSBlast they find it extremely difficult (read impossible) because the "Nachi fixing worm" is swamping network systems with traffic and causing denial of service to critical servers within organizations.
Now, I give the Nachi programmers credit for a creative and unique way to try to fix these holes, but it's no better than the original worm. Although the idea may be sound, the method is not. Does that make sense?
So those of you wielding virogens PLEASE don't mutate the worms! We don't need any more of them.
Posted by SilverStr at 08:38 PM
Ok, so we have had war dialing, war driving and then war chalking. Why not War Spying?
You got it. You can now drive around your neighbourhood and spy on the wireless video cameras with an X10 receiver. Reverse voyeurism, or closed circuit idiocy?
Posted by SilverStr at 08:26 PM
Small business and their (lack of) security
This is one of the fundamental issues I speak about routinely. As a member of the information security field, I try to be an ambassador of security and educate people about why this is not the right attitude. But it's difficult when small businesses feel it will "never happen to them".
Only after they get nailed do they realize that's the wrong thinking. *sigh*
Posted by SilverStr at 08:05 PM
August 19, 2003
Nachi: A worm that isn't all that bad?
Well, I haven't decided if I like this or not. Some virogen spit out a mutation of the MSBlast worm that propagates and infects systems through a few Windows holes, with the payload being code to download the patch and FIX the MSBlast hole.
An anti-virus virus so to speak. What do you think? Is a worm like this a good thing or bad?
August 18, 2003
Dispelling the Myth of Wireless Security
Hey, I rarely find something I DON'T like from OR&A. Today was no different.
This isn't new. I have been doing this for some time (although I prefer NetStumbler over Kismet), but those of you who might be new to the insecurities of wireless access points may get a kick out of it. Have a good read.
Now you know why I rotate my SSID and WEP key every few days and use an IPSec VPN to connect to the internal network!
Posted by SilverStr at 12:14 AM
August 17, 2003
C# Compiler working on OSX
One small step for Sam, one giant leap for C#.
Posted by SilverStr at 07:16 PM
August 15, 2003
Thoughts on DoS of Windowsupdate.com
You know I have been thinking. Apparently the developer(s) of the MSBlast (LuvSAN) worm have hooked in an attack to nail windowsupdate.com on Saturday August 16th, 2003.
I checked Microsoft's DNS records, and this domain does very little but forward to windowsupdate.microsoft.com. If anyone at Microsoft is listening, why don't you reset windowsupdate.com to point to 127.0.0.1 and update your zones? Chances are, it will propagate to all the root servers in time to stop the DoS. And with any luck, it will do little but have the worm attack itself :)
Posted by SilverStr at 05:32 AM
August 14, 2003
New Fingerprint Biometric Attack
Just finished reading an interesting article on SecurityFocus that deals with new methods to defeat biometric fingerprint scanners used to authenticate electronic purchasing systems.
The article goes into considerable detail about the technique and attack, which was presented at the Chaos Computer Camp last weekend in East Berlin.
Any way you look at it, it's a pretty good read. I liked the Japanese gelatin method from last year better though.... you could eat the evidence!
Posted by SilverStr at 09:39 PM
GNU FTP Compromise Concerns
If you haven't heard yet, the GNU FTP Server has been compromised. Been in the news for a few days now, but I just finally got around to sniffing around and checking MD5 checksums.
What I found interesting was the README file on the ftp server. Apparently the server has been compromised since March. That is a lot of code that could have been mucked with. They say they are checking each checksum individually, and no code has been covertly altered, and I only hope no one figured out how to modify the MD5 checksum info... rendering their forensic analysis useless.
Goes to show you NO ONE is immune to security problems. Next thing you know, there is going to be a back door in the Linux kernel (put in by SCO ... gotta love conspiracy theories) that will deduct a license fee from your online bank account. OK... maybe that's too far-fetched.... but the backdoor itself isn't.
Lesson to be learned? ALWAYS verify the MD5 checksum of files from the Internet. Use the Trust, but Verify attitude I have barked about for eons and validate that it is indeed the file you expect. Go so far as to ensure the MD5 fingerprint from the author hasn't been altered either. In other words, check the MD5 checksum on the archive server AND on the mailing lists... assuming it's put up there. (Most new releases do this.)
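The "check it in two places" habit described above, as an added example that is not part of the original post and not code from the GNU project: the digest of the downloaded bytes is compared against the value published by each independent source, and the download is only trusted when the sources agree with each other and with the file. The archive bytes and the two "published" digests are constructed for the example; the second scenario models a README altered on the compromised server while the announcement list still carries the original value.

```python
import hashlib


def digest_of(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an archive's bytes.

    MD5 is what the mirrors published at the time; pass algo="sha256"
    wherever a project offers it, since MD5 collisions are now practical.
    """
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algo: str = "md5", chunk: int = 1 << 20) -> str:
    """Same thing for a file on disk, read in chunks so large tarballs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sources_agree(published: dict) -> bool:
    """True only if every independent source lists the same digest."""
    return len({d.strip().lower() for d in published.values()}) == 1


def verify_download(data: bytes, published: dict, algo: str = "md5") -> dict:
    """Compare the file against each published digest and cross-check the sources.

    'trusted' requires both conditions: the sources agree with one another
    (so a README edited on the server stands out) and the file matches them.
    """
    actual = digest_of(data, algo)
    per_source = {src: d.strip().lower() == actual for src, d in published.items()}
    agree = sources_agree(published)
    return {
        "actual": actual,
        "per_source": per_source,
        "sources_agree": agree,
        "trusted": agree and all(per_source.values()),
    }


# Constructed sample: pretend these bytes are the tarball that was downloaded.
SAMPLE_ARCHIVE = b"hello world"

# Constructed digests. Case 1: the README on the ftp server and the
# announcement mailing list agree (case differs, which is why we normalise).
PUBLISHED_OK = {
    "ftp README": "5eb63bbbe01eeed093cb22bb8f5acdc3",
    "announce list": "5EB63BBBE01EEED093CB22BB8F5ACDC3",
}
# Case 2: the README was altered on the server; the list still has the original.
PUBLISHED_TAMPERED = {
    "ftp README": "00000000000000000000000000000000",
    "announce list": "5eb63bbbe01eeed093cb22bb8f5acdc3",
}

if __name__ == "__main__":
    for label, published in (("ok", PUBLISHED_OK), ("tampered", PUBLISHED_TAMPERED)):
        print(label, verify_download(SAMPLE_ARCHIVE, published))
```

In the tampered case the file still matches the mailing-list value, so the point of the cross-check is not that the download is bad but that the server's own README can no longer be believed, which is exactly the situation the post worries about.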
August 13, 2003
The Burden of Security
I found an interesting link to a weblog of an analyst that covers the industry, and was impressed by his candour and understanding of security as it relates to the finger pointing going on in the industry. I think he said it best when he says:
"If security issues are going to be resolved it's going to take more than finger pointing at the folks in Redmond. IT managers need to take accountability for their systems, software vendors for the correct installation and maintenance of their programs and consumers for their households. This is the price of the enablement provided by a digital lifestyle."
So true, yet so false. Security is NOT a technology problem alone, it is more a business problem. Dealing with security is to deal with risk mitigation, and that goes beyond any single product or vendor. I always regurgitate Bruce when I say "Security is a process, not a product".... and that is because it's so true. Microsoft is only one vector of the problem. There are so many other things to consider.
Posted by SilverStr at 02:25 PM
The "image" of Steganography
SecurityFocus ran a pretty good article on Steganography that I found interesting. I always wanted to get into steganalysis, cracking all those pr0n images looking for secret messages.
Seriously though, if you know very little about the topic, it's a good read. Explains some of the theory behind covertly hiding information in other files, such as images and mp3, and how to get it out.
Posted by SilverStr at 02:18 PM
August 12, 2003
The Privacy / Security Paradox
Deloitte & Touche LLP in conjunction with the Canadian Information and Privacy Commissioner (Ann Cavoukian) have released a paper that provides corporate executives with suggestions for developing strategies for information security and privacy protection.
If you are an ISO/CSO/CIO that has responsibility for balancing the information security vs. privacy aspects in your organization, you may wish to read this paper.
The paper describes the overlap between information security and privacy protection, addresses misconceptions that can lead to wasted money, time, effort, conflict and, all too often, inappropriate measures and programs. It also makes recommendations and prioritizes business, organizational and technical approaches that are cost-justifiable and can be beneficial in reaching regulatory compliance.
An interesting read if this falls into your areas of responsibility. And not just for Canadians either. This is good for anyone... applied, obviously, with some rational thought to the privacy policies and laws of your own country.
Posted by SilverStr at 08:28 AM
August 11, 2003
RSS 2.0 Update
So feed your aggregator this link for all the RSS goodness.
Posted by SilverStr at 03:54 PM
DCOM RPC Worm on the loose!
Didn't take too long for this one. Remember the DCOM RPC vulnerability I talked about last month? Well.. there is a nasty worm out there exploiting it.
Reports indicate in some instances the RPC service fails and the system reboots. Oh how quaint. Gotta love these things.
Time to update your anti-virus signatures. Vendors do have them out... W32.Blaster.Worm (Symantec), Win32.Poza (CA), WORM_MSBLAST.A (Trend).
Posted by SilverStr at 03:31 PM
Get an ISSN for your Weblog
How would you feel about your blog existing in the worldwide standardized encyclopedia of periodicals? Imagine a student being able to walk up to the librarian and ask for your blog periodical from 5 years ago as part of a research project.
Ok, so it's doubtful that anyone would do that with my blog, but there are some really great, and thought-provoking blogs for which it might make sense. If you are interested in such an endeavour, go read about getting an International Standard Serial Number (ISSN).
I just updated this blog to support RSS 2.0 now. You can access it via this link.
A question for anyone out there that might know. I have been using NewsDesk for a bit now as my RSS syndicated news reader and really like it. Works awesome to import/export between my laptop and desktop machines. But I find with my entries, it always ends each one with a "..." in the excerpt summaries, as if there is more to the entry, when there is not. I am guessing I am not using Movable Type properly, and was wondering if anyone had a clue as to what I was doing wrong. I notice feeds such as Arc's and Foz's don't have this issue, but most everyone else hosting on Ufies does. Even Solas' feed shows them.
Anyone have any clue what I am talking about, and how to fix this? I increased my excerpt size to 1024... but that didn't do much more. What else am I missing?
August 08, 2003
Using Blogs as a tool for the Security Professional - Part 2
I just finished reading the second installment.
There are some good links to some security blogs I didn't know about. I will need to RSS feed them tomorrow and start reading.
Anyways, if you haven't checked it out, go read it now.
Posted by SilverStr at 06:57 PM
Showing Password Strength by the Effective Bit Size
Recently I found a need to make a better Password Dialog box for Windows. I have been observing people using sloppy passwords a bit too much, and realized that thanks to the "SSL cert" bit-strength marketing that has been driven into so many people's heads... many people realize a 56-bit key is weaker than a 128-bit key (duh). Using that to my advantage I made a dialog/form that will show the effective bit strength based on the password entered.
I won't go into detail here, as I wrote an article about it and put the source code up on Code Project. I ended up writing it in C#, so it's cross-language on .NET (I already know one guy using it in VB), and it can easily be inserted into any Solution in Developer Studio that supports it.
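The "effective bit strength" idea from the post, as an added example that is not the Code Project code and not the author's exact rules (which are not on this page): the password's character classes pick a pool size, and the bits are the length times log2 of that pool, which is the entropy a password of that shape would have if it were chosen uniformly at random. The class sizes, the 56/128-bit labels and the tiny word list are assumptions made for this example; the word list exists because the formula's failure mode is that a dictionary word of the right length scores well, so anything that shows a bit count should also flag the obvious words.

```python
import math
import string

# Assumed character pools for this example (the original dialog's rules may differ).
POOLS = (
    ("lowercase", frozenset(string.ascii_lowercase), 26),
    ("uppercase", frozenset(string.ascii_uppercase), 26),
    ("digits", frozenset(string.digits), 10),
    ("punctuation", frozenset(string.punctuation), len(string.punctuation)),  # 32
)
KNOWN_CHARS = frozenset().union(*(chars for _, chars, _ in POOLS))

# Constructed stand-in for a real dictionary: the point is the check, not the list.
COMMON_WORDS = frozenset({"password", "letmein", "qwerty", "welcome", "admin"})


def pool_size(password: str) -> int:
    """Size of the smallest alphabet covering every character class the password uses."""
    seen = set(password)
    size = sum(n for _, chars, n in POOLS if seen & chars)
    # Characters outside the four classes (space, accented letters) each widen the pool by one.
    size += len(seen - KNOWN_CHARS)
    return size


def effective_bits(password: str) -> float:
    """Entropy in bits if the password were drawn uniformly from its pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def strength_label(bits: float) -> str:
    """Map the bit count onto the key sizes users already recognise from SSL marketing."""
    if bits < 56:
        return "weaker than a 56-bit key"
    if bits < 128:
        return "between 56-bit and 128-bit"
    return "at least 128-bit"


def evaluate(password: str) -> dict:
    """What the dialog would display: bits, a label, and a dictionary-word flag."""
    bits = effective_bits(password)
    return {
        "bits": round(bits, 1),
        "label": strength_label(bits),
        "looks_like_a_word": password.lower() in COMMON_WORDS,
    }


if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", "xK9#mQ2$vL7@pR4!nT5%"):
        print(repr(pw), evaluate(pw))
```

The three sample passwords show the spread: eight lowercase letters land around 38 bits, nine characters drawn from all four classes land just under 59 bits, and twenty mixed characters clear 128. The dictionary flag is what keeps "password" from being sold as a 38-bit secret.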
Have fun with it.
Posted by SilverStr at 10:26 AM
August 07, 2003
Autonomous Hacker Droid
Well, I wondered how long it would be before someone put this together. Hackers meet Botwars.
When I was part of D.A.R.T. (DeVRY Advanced Robotic Technology) we spent a great deal of time building autonomous robots that would walk the halls and map things out. One kewl project we did was to mimic the walking of MIT's Attila (a spider-bot), which accidentally got into the elevator and started mapping out the admin office on the second floor. Was quite funny.
Now, these guys went the other way and hooked up an 802.11b card so they can hack wireless access points remotely or autonomously. If they took some of the work we did at DeVRY they could get an autonomous bot with collision detection that could covertly map out entire cities from the safety of a van and rarely, if ever, be noticed. Next someone will figure out how to get a robotic arm to warchalk the ground as it finds signals... and we would be all set.
Personally, I think it would be kewler to hook it up to an RC Helicopter.... so you could map taller buildings :)
Man I need to join some R&D arm that just does this kind of stuff without needing a commercial purpose. Where is the old Bell Labs when you need it?
Posted by SilverStr at 02:33 PM
August 06, 2003
Life, the Universe and the PDC
Man there is a lot of discussion about the next Microsoft "Professional Developer's Conference (PDC)". Scoble has been going nuts trying to respond to all the different comments for and against. Of course, that IS part of his job.
Now, I like Robert. He is a kewl guy. But after seeing how Apple treated its developers at their latest World Wide Developer's Conference (WWDC), I wonder if Microsoft may want to rethink things. Well.. I'd like them to... but I know they have their own plans.
First off, I could, and have, watched Steve Jobs' keynote at the developer's conference over the web. (If you haven't, you really should.. it's a good show.) It allowed me to get a glimpse of what Apple is up to and helped me get an idea of what developments I can expect on their platforms. And it was well recorded, easy to understand and free. I recently had to shell out over $1600 to get the handy-cam shots of speakers at the 1994 Device Driver Conference. (To be honest, it also included a license to the IFS, but I couldn't believe the shoddy videography I got when paying for the DVDs of the conference... which COULD be online.)
Robert discusses how even Microsoft has to pay for its employees to attend the conference, and how many at MS are balking about the price. Price is an issue for any conference. He couldn't attend Gnomedex. (Neither could I, and I really wanted to) As a guy who owns a really small software company, (ie: me) I can't easily find this kind of money for a conference, especially after spending over $7500 recently just to tool up with Microsoft's recent tools that ARE available. In light of knowing I will probably have to spend many more thousands of dollars on the next set of tools, how can an ISV like me keep up? I can't. But I still want to be plugged in to the developments at Microsoft. Should I be punished for not being able to attend the conference? Or get the alpha/beta tools to look at? Of course I can grab many of this on MSDN later... but part of the PDC is being there, and getting to see/touch everything. Apple not only gave away the latest OS.. they even gave away hardware! Thats right, every developer got a free iSight. Bonus!
Now... if MS were throwing in a copy of .NET 2003 Architect or something, I could see/justify the conference a bit more. But instead we might get some really buggy alpha/beta software that is truly useless outside of a touchy/feely kinda way, since most of this won't be released for a few more years yet.
Robert brought up an interesting point about how "if you wanna have your skills ready for 2005, good to start now." I can buy that.. always great to learn. But what the hell!! If Microsoft is truly expanding their API environment that much more, where the complexity for development is going to rise so significantly that the learning curve requires YEARS of experience, I question if the tools team thought out the migration for those developers like myself who build interesting software, but don't have big corp budgets.
On an aside, I can't comment on/criticize all departments at MS for this. I was lucky enough to get my hands on some of the information about the new Windows Driver Framework (DDI) for the next generation OS's from MS. It's great. It significantly reduces the complexity of low-level kernel mode drivers. And although there are many new API calls... it shouldn't take too long to grasp. And it was released as part of the WinHEC DDK. I didn't need to attend WinHEC for this. Funny though... it wasn't part of the latest WS2K3 stuff I just bought. *sigh*
Back from that tangent, Robert finished with some comments about over-hype/under-hype of the conference. I don't get it. It's his job.. and we should leave it at that. If he is under-hyping it... I think it would be safe to say he isn't doing his job very well. And from what I have seen, that isn't the case at all. He is REALLY good at his job. Which is why we are all talking about it. But it doesn't mean that the conference will be any good, or worth it. (Or that it won't be, for that matter.)
Cost justifications based on contacts are only sound if during the conference you can actually hook up with these people. In my experience, unless you get a chance to drink beer with them it doesn't work that well if you are from a really small company. I write low level code. I could care less about talking to the ASP.NET guys. Any UI code I do write I do in C#, and it's not like I am going to be able to email the C# guy I meet at the PDC and ask why the hell the Regex object is so convoluted when using the Escape() method with a string of every punctuation char (try it... it's escape character hell). That's what the $150 incidents are for.
What the PDC IS good for is getting together with others you do know. It would be AWESOME to get together with Robert again. It would be neat to hook up with Eric Sink or the dude that wrote the Regex code into C# (thank heavens for FINALLY putting in a good regular expression lib). But that doesn't quite justify the costs in an environment where most companies have scaled back developer training.
Of course... if MS started giving out some hardware and software that is usable NOW... I might change my mind. :)
I hope the PDC is a success. I hope it comes off great. I would love to be there to check it out and enjoy the festivities. But it's nuts to assume the costs are easily absorbed/justified when very little of the technology is applicable NOW. Most of us struggle to stay sane on our product roadmaps on a yearly basis... never mind having to wait 2 or 3 years before we can use what is going to be hyped at this PDC.
I think Apple did it right. They made their developers feel warm and fuzzy by giving them the tools they need now, and pumping them with kewl goodies to keep them interested. (I so want an iSight). For those who couldn't attend, they still could get a glimpse at what is coming through the web broadcast. Maybe that goes to the "secrets" convo we had earlier. They weren't hyping what MAY BE in 2 or 3 years. They hyped tools and technologies we can use NOW!
Wonder if Microsoft could ever learn from that. Doubtful... but maybe Robert can convince them! :)
August 05, 2003
SciFi Character Poll
I saw Foz did a SciFi Character Poll, and thought I would give it a try.
A venerated sage with vast power and knowledge, you gently guide forces around you while serving as a champion of the light.
Judge me by my size, do you? And well you should not - for my ally is the Force. And a powerful ally it is. Life greets it, makes it grow. Its energy surrounds us, and binds us. Luminescent beings are we, not this crude matter! You must feel the Force around you, everywhere.
Congrats Linux... CCS Approved!
Congratulations to the folks over at SuSE and IBM for finally taking Linux and getting it approved through the Common Criteria Standard. Old DoD standards like the Trusted Computer System Evaluation Criteria (the Orange Book) are by the wayside as more government agencies require CCS as part of their purchasing criteria.
I applaud the efforts. You can read about the approval here.
August 04, 2003
Win32 Driver Communication Vulnerabilities??
I just finished reading an interesting paper on a method to exploit the DeviceIoControl communication infrastructure between a ring0 kernel driver and a user-mode application. In the paper, they attack a Norton device driver, but it really could be any driver, including mine.
Not sure what to make of it yet. I need to study the disassembly a bit more to see if I can thwart this somehow. At the very least I am going to re-evaluate the way I authenticate the data to make sure I can guarantee that it is allowed, and go further and see if I can filter the input in a manner to be able to drop this sort of attack.
I think I need to go threat model this in a bit more depth and see how else this could be affected. What a way to enjoy a holiday Monday.
Posted by SilverStr at 07:30 AM
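The kind of input filtering the post above talks about, as an added example that is not the author's driver code: a portable C model of the length, control-code and range checks a DeviceIoControl dispatch routine should make before it trusts a user-mode request. The CTL_CODE macro mirrors the real Windows layout; the control code number, the request struct and the limits are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the author's driver: a portable model of the checks a
 * DeviceIoControl dispatch routine makes before trusting a user-mode request.
 * CTL_CODE mirrors the real Windows macro; the control code number, the
 * request struct and the limits are assumptions for illustration. */
#define METHOD_BUFFERED     0      /* I/O manager copies the buffer for us */
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(type, func, method, access) \
    (((type) << 16) | ((access) << 14) | ((func) << 2) | (method))
#define IOCTL_SET_FILTER_RULE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define MAX_RULE_SLOTS 64u
#define VALID_FLAGS    0x7u

struct filter_rule_request {   /* body the caller passes as the input buffer */
    uint32_t slot;             /* index into the driver's rule table */
    uint32_t flags;            /* only the bits in VALID_FLAGS are defined */
};

/* True only for a well-formed request; a real driver would complete the IRP
 * with STATUS_BUFFER_TOO_SMALL or STATUS_INVALID_PARAMETER otherwise. With
 * METHOD_NEITHER the pointer would also need ProbeForRead under __try. */
bool validate_ioctl(uint32_t code, const void *in, size_t in_len, size_t out_len)
{
    if (code != IOCTL_SET_FILTER_RULE)
        return false;          /* unknown control code */
    if (in == NULL || in_len < sizeof(struct filter_rule_request))
        return false;          /* would read past the caller's buffer */
    if (out_len != 0)
        return false;          /* this IOCTL produces no output */
    const struct filter_rule_request *req = in;
    if (req->slot >= MAX_RULE_SLOTS)
        return false;          /* index would leave the rule table */
    if (req->flags & ~VALID_FLAGS)
        return false;          /* undefined bits are rejected, not ignored */
    return true;
}

/* Helper for exercising the checks with a constructed request; claimed_len
 * models the InputBufferLength the caller reported, which may be a lie. */
bool check_request(uint32_t slot, uint32_t flags, size_t claimed_len)
{
    struct filter_rule_request req = { slot, flags };
    return validate_ioctl(IOCTL_SET_FILTER_RULE, &req, claimed_len, 0);
}
```

The length check comes before any field is read, so a caller that reports a short buffer never gets the driver to read past it.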
August 03, 2003
Microsoft gets DoS (not the OS)
Well, I come back from a long weekend camping trip, and find a tonne of articles pointing fingers at Microsoft again. Why? Because apparently they got nailed with a DoS relating to a flaw in their platforms, which was turned on them to their own websites.
So much so, that on August 1st for almost two hours, all of the *.microsoft.com domains were unable to be accessed. You can read a snippet about it here.
Microsoft apparently deflected this as a conventional denial of service, and will not acknowledge that it may be in relation to a vulnerability they announced a few weeks back. Of course, on a few underground lists, right now people are chanting cover-up or conspiracy. Who knows. But it goes to show you that DoS still plagues us all.
Posted by SilverStr at 05:28 PM