Web Of Trust: RIP

It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust, will die.

Thawte was founded 14 years ago by Mark Shuttleworth. The primary purpose was to get around the then-current U.S. export restrictions on cryptography. Shuttleworth also had an idea that drew from PGP: rather than force everyone who wanted an e-mail certificate to get verified by some central entity – and pay for the privilege – why not have them verified by a distributed verification system, similar to the key signing system used by PGP, but more controlled. This was the Web of Trust. Anyone can get a free e-mail certificate, but to get your name in it instead of the default "Thawte FreeMail User" you had to get "notarized" by at least 2 people (or 1, if you managed to meet Shuttleworth himself or a few select others). The Web of Trust was a point-based system, and if you received 100 points (requiring at least three notary signatures) you became a notary yourself. The really cool idea was that it created a manageable system of trust based not so much on the six degrees of separation as on the fact that most of us are inherently trustworthy beings.

In 1999 Shuttleworth sold Thawte to Verisign for enough money for him to take a joyride into space, found the Ubuntu project, and live without worries about money for the rest of his own life and that of several of his descendants. Verisign, of course, is in the business of printing money, only in the form of digital certificates, and certainly not in giving anything away for free. Not that there is anything inherently wrong with that, but it is certainly at odds with Thawte's free service, so it was really just a matter of time before the latter was disbanded. With it goes the Web of Trust.

Finally, on November 16, 2009, the Web of Trust will be removed as a free competitor to Verisign's paid service that does the same thing. It will be a sad day indeed.

Microsoft Poland Empowers White People

In an absolutely astonishing move Microsoft's Polish subsidiary decided to do some photoshopping on its Business Productivity Infrastructure page to tailor it to the Polish market. Here you can see the U.S. original. In one of the least sensitive moves this year, the Polish subsidiary decided that black people in Poland do not need to be empowered, so here you can see what its version of that page looked like for a few hours today. As you can see from the current version on the Polish site, someone with a bit more human sensitivity than a teaspoon, and an I.Q. that is at least room temperature (celsius), decided to fix it. This evening Microsoft empowers everyone equally – even in Poland.

Warning: The software you are installing does not match your mental model

This morning I talked to my dad. After a few minutes of polite small talk, I heard the 10 little words I have come to dread: “I had some problems with my computer the other day.” The video card on his laptop had died. The screen was just black. He has a Dell Vostro, so he called Dell Technical Support. They sent a contractor technician out with a motherboard. The technician, having no real qualifications other than the need for a job, and no real training other than how to fill out the repair paperwork, installed the motherboard. Three days later he returned with the video card the computer actually needed, and the computer started again.

At this point, the following conversation ensued:

Dad: When I started the computer I got an error message.

Me: What did the message say?

Dad: How should I know? It was written for “people” like you. I didn’t understand a word of it. It just said something about some software not working and it should be reinstalled.

Me: Which software?

Dad: I don’t know. I told you, I didn’t understand it.

Me: So what did you do?

Dad: I figured it must have been Windows. Windows never works properly, so that made sense. I thought if I reinstalled Windows it would all work.

Me: And…?

Dad: Now Office doesn’t work.

Me: When you say “reinstalled Windows” did you do an in-place upgrade?

Dad: Can you restate that again in Human?

Me: Did you upgrade Windows?

Dad: No, the upgrade option was grayed out.

At this point, if, like me, you are a cubicle-dwelling, bespectacled nerd with the social skills of a turnip you know exactly what happened. He created a new side-by-side installation of Windows. Sure enough, in the C:\Windows.Old folder were his old Users folder, his old Windows folder, his Program Files folder, and all the other contents of his hard drive. I pointed this out to him to explain what happened.

This is when Dad drew the completely logical assumption: “OK, so if I just copy the Microsoft Office folder from there to C:\Program Files it will work?”

No. It won’t. It would if software were designed for the humans that actually use it. Unfortunately, it is not. It is designed by and for the same people: cubicle-dwelling bespectacled nerds with the social skills of turnips; people who have never spent any significant time interacting with humans, and who have never met any of the real users who will use the products they design. If we had actually met and interacted at length with real people at any point over the past 15 years, we probably would have realized already that designing a “program” that consists of 3,829 files, spread over 60 folders, is not how people expect it to work. That, by the way, is not a random figure. It is the number of files and folders in C:\Program Files\Microsoft Office on my laptop. Lest you were now to say that someone else knows better, iTunes vomits 2,718 files over 1064 folders, in two different hierarchies. Why don’t you try to move either to your cavernous external hard drive to save space and see how well that works?

Is it that my dad was being illogical? No. Moving the Office folder would indeed be incredibly logical; totally rational in fact. If you bought a new file cabinet, you could easily take the files out of the old file cabinet, put them in the new one, and they actually still remain readable! You could even take one of your old pens, scribble a note on them in the process, and a year later you can read the note! Amazing, ain’t it? If file cabinets were computers you certainly could try to remove the file from the computer. It would prompt you with a dialog asking if you really wanted to do that, once per character on the page. Once you accepted the prompts, you could insert the file into the new cabinet. When you tried to read it, however, you would find that the ink fell onto the floor between the two file cabinets. The magic fixative that keeps the ink on the paper works only as long as the paper stays in the old file cabinet.

We have a mental model consisting of physical, tangible things. There is a school of thought in Cognitive Science that believes the basic wiring of the human brain was forged in caves. Our brains were designed to address the biggest concerns of the day: evading the saber-toothed cat, spearing a wooly mammoth for dinner, and, for at least half the population, clubbing a suitable mate to drag home to the cave. (Presumably, the other half of the population lived in fear of getting clubbed and dragged away). Our brains were not exactly wired to understand the convoluted product management decisions that resulted in almost four thousand files and thousands of directories. And they certainly were not wired to understand that all those files and directories are utterly useless without the settings, which are stored elsewhere – in a place that does not really exist – and are joined to the file system manifestation of the software only in the very loosest sense of the word.

Every time I boot Windows these days – and especially Windows 7 – I feel like the software is designed to be some kind of punishment. It’s meant to exact revenge on us for the designers being bullied in elementary school. So much of the software we software engineers design feels vindictive, counter-intuitive, and illogical. When the users finally figure out basic interaction styles, we change it all. When people finally learn that you can click on things on the quick launch menu to start them, we get the bastardized task bar in Windows 7 that only activates existing copies. When we finally figure out how to find things on the start menu it becomes polluted with several hundred useless icons like iSCSI Initiator. Rather than features to make it easy to use, we bloat software up with new features because that’s what the computer journalists look for. I keep hoping for a release of a major piece of software that just works; that is elegant, that shows thoughtfulness in how the software was plumbed together, and that is designed from the ground up not to add new features but to be intuitive to the poor people who have to use it. Unfortunately, I never will. “Intuitive”, “elegant”, and “just works” are words you never see in computer journals, except maybe in Macworld.

Sometimes I feel like the only piece of software ever designed to work EXACTLY the way its intended users expected it to work is Solitaire. Predictably, my sources tell me that Microsoft laid off the guy who wrote it in May.

Is MS08-067 Wormable?

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, you should stop reading this right now and return after you have installed the update.

The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that resulted in the Blaster and Sasser worms. Therefore, for obvious reasons, the question arises whether MS08-067 is wormable or not. Microsoft claimed in various outlets that it was wormable "on older systems." Michael Howard backs that up with some interesting analysis on the SDL blog. The Secure Windows Initiative (SWI) blog also discusses the issue and points to a number of mitigations designed to reduce the "wormability" on newer operating systems. By "older systems" Microsoft really means "not Vista and Server 2008." This leads to the question of why the vulnerability cannot be used to create a worm on Windows Vista and Server 2008, and whether the claim is correct or not.

The claim that MS08-067 cannot be used to create a worm on Vista and Server 2008 is based largely on two defenses used on those operating systems. The first is that the vulnerable end-point is not anonymously accessible on those operating systems. That's a pretty good defense out on the general Internet. However, on a corporate network it provides little defense. Anyone with user-level credentials on a host can exploit the vulnerability. Thus, if a single computer gets infected and then is brought inside the corporate network, it can infect any other computers on the corporate network by authenticating to them. It would take a little more coding to write an exploit that does that, but it is certainly not an impossibility.

The second defense is Address-Space Layout Randomization (ASLR). ASLR causes the addresses used for code in memory to change from execution to execution. Each time you execute a program it will be loaded into a portion of memory, but, under ASLR, that memory is offset at one of 256 possible memory locations. Many exploits rely on knowing where in memory certain structures are. Prior to ASLR those locations were deterministic within an Operating System, Service Pack, and Patch Level combination. However, under ASLR, they are, as I mentioned, no longer deterministic. This makes exploitation much more difficult.

However, do these defenses, and specifically, ASLR, really make a vulnerability "not wormable?" I would argue that the answer is "we do not know" but that it is tending toward "no." The problem is that we really do not understand the spreading patterns of worms well enough to make a claim one way or the other. Let us take a neutral scientific approach to understanding this claim.

Worms rely on spreading from computer to computer. Each computer that is infected with the worm can infect countless additional computers. The only thing that moderates it is time. The spread, however, is exponential. The more infected computers there are, the more computers there are that can spread the infection. Eventually, some form of critical mass is reached at which point the spread turns uncontrollable. Unfortunately, we do not know where that inflection point is.

To see how this works, let us take a hypothetical worm, and let us assume that ASLR is not used. Let's say the infection takes 1/8th of a second per computer. In other words, if computer A is infected and targets the worm at computer B, 1/8th of a second later, computer B is ready to start infecting computer C. In one second, a single computer, computer A, can spread the infection, directly or indirectly, to 64 other computers. The total impact of the worm is t/r^2, where t is the time and r is the rate of spread measured in the time it takes to infect an additional computer. Using that formula, we can see that after 1 second 64 computers could be infected. After 2 seconds, 256 computers can be infected, and so on.

Now let's apply ASLR to this. Using ASLR, the memory address space is allocated over 256 possible addresses. In other words, under a very tight assumption the infection will fail in all but 1/256 cases. The assumption is that we cannot predict where the locations are, and that the randomization will actually cause the infection to succeed in only one case of 256. Let us just say this assumption holds because it lets us analyze a worst-case scenario for the worm. Under ASLR then, we can consider the rate of spread to be 1/256th that of the non-ASLR worm. In other words, rather than infecting the next computer in 1/8th of a second, computer A can only infect one new computer in 32 seconds. This, obviously, slows down the spread of the worm, but is it enough? The spread is still exponential. It just takes longer to spread. Consider this chart:

This chart maps the number of infected computers over a 24-minute period, assuming there is an infinite number of computers to infect, and ASLR is in use on all of them. It is clear from this graph that the spread is exponential. After 24 seconds, 2,025 computers are infected. By contrast, without ASLR, it would take less than 6 seconds to infect that many computers. The point, however, is that ASLR would not stop a worm, it would only slow it down. What we do not know is whether slowing down a worm is effectively enough to stop it. My inclination would be to say that it is probably not enough unless we can slow it down by many orders of magnitude.

In addition to ASLR, the affected service on Windows Vista and Server 2008 would only restart twice before staying down indefinitely. This is important because unsuccessful exploitation would almost certainly cause the service to crash. However, I do not consider that as a defense against worms, because more than likely, the user would at that point either restart the computer or just the service. Given that, the restart behavior would only serve to further slow the spreading rate. It would not change the exponential nature of the spread. Again, we arrive at the same conclusion: none of the defenses make a vulnerability non-wormable. They merely slow the spread down.

This is important because there is a risk that people will avoid patching because a vulnerability is not wormable. Make no mistake, remotely exploitable vulnerabilities are still wormable, and within an hour, you could easily have your entire corporate network infected. As if that weren't bad enough, using a remotely exploitable vulnerability, someone with far worse intentions could take over your computers and use them as an entry point into your network. For that the criminal needs only one computer, not a whole network of them. Wormability, or lack thereof, is irrelevant against a targeted attack, which means that ASLR is essentially irrelevant against a targeted attack. In most cases the attacker needs a computer, not a particular computer. Being able to only gain a foothold on one computer in 256 is likely to be enough because after the initial entry, the vulnerability plays no further part in the compromise of your network. In other words, do not consider ASLR to be a reason not to patch some particular vulnerability.

Now, do I think we will see a worm for MS08-067? No. Not in the traditional sense of Blaster. The time of worms, like Blaster, that are inherently non-destructive, has passed. At this point, criminals are not interested in simply writing worms that self-replicate. They are interested in one of the three big things: money, ideology, or national supremacy. While we may still see massive worms, they will be fundamentally different than the ones of old, and they will probably take a bit longer to write. The new breed will be more targeted, more silent, more deliberate, and more dangerous. Once the objectives change, so do the attack patterns.

In short, please do not use wormability, or lack thereof, as a decision factor in deciding whether to patch a vulnerability or not. Wormability is an irrelevant and potentially dangerously misleading metric.

Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps" but the marketing department at my previous employer thought that title was a bit edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer.

For the past couple of years I've been telling people that the future of attacks is against people, not networks. In June I got further confirmation of that. A notification came in from my blog that I had a new comment to approve. The comment was just a link, looking like this one:

A Comment has been posted to Jesper's Blog: Hey, Mozilla: Quotes Are Not Legal in a URL by Google Images:
images.google-us.info/index.html Google Images

This looked suspicious enough that I started investigating a bit. What I found just hit the net on The Register. I thought it made an interesting tale of how the bad guys are trying to monetize their handiwork. Sandi has also written about this on her blog here, and here, and here.

On a very much related note, I will actually do a live walkthrough of this type of attack at TechEd EMEA ITPro in Barcelona this coming November. Yes, that's right, I'm going back to TechEd. Hope to see you there!

How Not To Build a Highly Available Web Site

Here's what I just got when I went to http://www.technetmagazine.com:

Here's the kicker: it's not TechNet Magazine that is down, nor even TechNet. It is Microsoft Live Sign-in, née Passport. To get to TechNet it attempts to sign you in to Passport/Live sign-in. Accounts are apparently distributed across servers, and the one holding my account is down, so I can't get to anything that uses it, including the Microsoft.com homepage!

If you want to decrease the uptime on your web site, take a run-time dependency on an unreliable and unnecessary service.

Thoughts on Security by Obscurity

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint pieces like we did in the Vista Security book where Roger argues one side of the issue, and I explain why he is wrong; or, rather, argue the other.

Quantum Security

The May 2008 issue of TechNet Magazine is out. It has an article in it that I have been wanting to write for a long time, called Quantum Security. In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics, which we must not ignore in our risk management practices. I also got to include a revised version of the age-old Annualized Loss Expectancy (ALE) equation. Anyone who has taken the CISSP exam should be familiar with ALE. I believe the equation in common use is outdated and fails to account for the modifications we make to systems when we apply security to them. To properly address risk we need an updated version of the ALE. The article includes the rationale.

The article is available online, but I think the print version looks a lot nicer. Let me know what you think about it.

Help us Neelie! Please, help us!

Apple clearly has a de-facto monopoly in the portable music player market, with upward of 70% of that market. It is busily working on monopolies in the music software and downloads markets and is behaving monopolistically in the PC market as well. Some of those market shares have certainly been helped by bundling iTunes with the completely unrelated QuickTime, which has a huge installed base.

Continuing on the strategy that bundling helps expand market share, Apple has now started "leveraging" (a synonym for "abuse") those monopolies to force people to use its web browser, Safari. Safari, of course, has a minuscule market share; less than 6% according to BetaNews. Starting very recently, if you installed QuickTime (with no additional options) you would be presented with this dialog:

This astonishing abuse of power threatens to destabilize the software market world-wide, thwart choice, and hamper innovation. What would happen if Apple is actually successful in giving away lots of copies of its free browser? That would bite into other browsers' market shares and ensure that the organizations that wrote them do not get to give away a lot of copies of their free browsers. Eventually we will be in an Apple hegemony! We will all be looking at small fonts, shaded colors, and thin stuff. We will all look svelte and cool, wear turtlenecks and jeans, and nobody would grow older than 26! Oh No! There would be no more geeks! Worse still, everyone will be subject to all the vulnerabilities in Safari. Terrorists can use this hegemony to take down the Internet, endangering civilization as we know it.

Clearly it must be illegal to abuse a monopoly in this way to push unrelated software onto an unsuspecting public. If only there were a government agency who took it upon itself to protect the public from miscreants such as Steve Jobs. Without protection from some kind of commission we will be crushed under the foot of his anti-competitive and hostile practices! If only there were someone who has stood up for individual choice and free competition among American firms in the past…

Maybe if we found our savior she could force Apple to make a version of QuickTime without sound? That would certainly promote competition.