The Importance of Attitude

Tom Peters has a blog, and in “The Days of Our Lives,” writes about the importance of being present for your customers, not for yourself. I really like his blog. It has a good mix of hubris and humility:

This may be day 45 and mile 76,000 for me, but for the Client it is D-Day for an Important Event (often their year’s #1 event, for God’s sake); hence my exhaustion and accompanying short temper must be thrust aside … and downright cheeriness and spirited engagement must become the invariant orders of the day. Besides, such cheeriness, even if feigned, cheers me up first and foremost!

(Via Paul Kedrosky’s Infectious Greed.)

Star Wars: Economy Of Mechanism

Before I start on the Star Wars part of today’s Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schoeder wrote a paper “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because lets face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but its a bit of a stretch.)

On to the principle:


Keep the design as simple and small as possible.
This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.

protected-by-an-energy-shield-projected.jpg
And so lets look at the energy shield which protects the new Death Star. It is, as General Akbar tells us, projected from a base on the nearby forest moon of Endor. And as you may recall, there were not only extra access paths which required reinforcement, but additional threats which hadn’t been considered.

Firstly, why is it on the forest moon at all? Presuming that energy shields follow some sort of power-absorbtion law, the closer the shield is, the less power it will draw. But more importantly, being on the moon means that it is surrounded by forest, rather than cold, hard vacuum. The shield generator becomes harder to protect, meaning that additional protection mechanisms, each of which can fail, are needed.

Presumably, the Empire has power generation technology which drives the Death Star, and also the Star Destroyers. There’s no need to rely on a ground-based station. The ideal placement for the energy shield is inside the Death Star, and traveling with it.

But instead, there’s this bizarre and baroque arrangement. It probably comes from a fight between the Generals and the Admirals. The Generals wanted a bit of the construction process, and this was the bureaucratic bone thrown to them.


Expensive it was. mmm?

Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?”
The overall point is that since banks store check images and provide them to customers (thanks in part to Check 21), bad guys can also get their hands on them, increasing the chances of forgery.

Avivah Litan, a vice president and research director at the Stamford,
Conn., market research company Gartner Inc., said that an online archive
of check images can be a treasure trove for criminals – potentially more
valuable than a checkbook or a few cancelled checks. Criminals can see a
months-long spending history that could help them use forgeries to emulate
a person’s spending habits or estimate what check number a victim would be
using at a specific time, she said.
Banks have underestimated the potential of digital images as a forgery
tool, Ms. Litan said. Banks are more focused on preventing criminals from
using online payment services, such as wire transfers and bill payments,
to steal money from a customer’s account.
“They just haven’t realized that online criminals would resort to check
forgery,” she said. “Crooks come in to look at your imaged checks to see
what your signature’s like. They study the checks, and then they copy the
checks.”

Maybe I’m not sufficiently old-school, but I’m more concerned about identity theft being facilitated here. After all, these images often contain exactly the kind of identity-related info crooks want, such as driver’s license numbers, since these are often added to the checks by merchants at the time of purchase. Something tells me that these images aren’t all encrypted as stored, so from a Bank’s point of view there’s the reputational hit from having to send out breach notices.

White Sox futures market


For the last couple of weeks, peddlers have set up shop just outside Chicago’s Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon.
Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 (the final game, thereby halving the Windy City’s exposure to the terrorist threat), they were up to $20.00.
The jump to twenty bucks I understand, but what surprised me was the precipitous drop from $10.00 to $5.00 earlier in the week. Does this mean that the vendor expected a Sox loss, and the subsequent decline in the desirability of his merch? That’s a mighty dismal view, for a guy whose team was up two games to none at the time.

Dog bites man really is boring

Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000.
Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada.
Alternative headlines that aren’t as spooky?
How about: “Hardest hit firms lose $25,000 to Zotob” or maybe “At $7K, typical finance firm’s loss to Zotob barely noticeable”.

Lowering Ourselves

It occurs to me that when a senior US governement lawyer says:

foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to “gross physical abuse.”

that they are in direct contradiction to the US Constitution

Read Chris Beck’s “CBC News: Flyers passing through U.S. have few rights, Arar judge told” for an analysis of how.

I remember when I was in Tel Aviv, a strike shut down the airport. Our travel agent found us tickets from Amman to London to Boston. It was only when we had the tickets in hand that we saw a stop in ‘DAM.’ It turns out DAM is Damascus, Syria. One of our party was Israeli. We joked that it would be no problem: they’d take him off the plane, torture him for a month, and then let him go. No problem. We changed the tickets, because we didn’t want to deal with crazy Syrian officials while in a transit lounge.

It’s quite sad that the US is treating people in a way that we feared Syria might. There’s no moral justification for forcing someone to enter the US, then denying they’re legally in the US, while denying them the protection of law against the actions of the government:

If passengers are deemed to be inadmissible, they have no constitutional rights even if later taken to an American prison. Mason told Judge David Trager that’s because they are deemed to be still outside the U.S., from a legal point of view.

“Someone who’s inadmissible is in the same category as the people that the CIA snatches and grabs from other countries,” said Barbara Olshansky, a lawyer for the U.S.-based Center for Constitutional Rights, which is suing a number of U.S. officials on Arar’s behalf.

“You are fair game for however executive branch wants to treat you.”

Mason said the interpretation means travellers can be detained without charge, denied the right to consult a lawyer, and even refused necessities such as food and sleep.

To put it another way, once you give up the rule of law, as Ms. Mason has, it becomes challenging to explain how the actions of the United States differ from those of a kidnapper.

But beyond sad, this helps derail any hope we have left of being a positive force in the world. How can we tell the Iraqis that they should take our advice about how to build a society when we behave like this?

Flogging The Simian Is Back

In “A Life, Observed,” I mentioned that I’d been enjoying “Flogging The Simian,” and that she’d left due to privacy issues. Well, she’s back, and so are her “PDBs,” her summaries of what’s interesting: ‘” read approximately 50 newspapers every morning and report what I find there, with an emphasis on foreign or international events.” I usually find stuff I’d otherwise miss.

Trick-Or-Treaters To Be Subject To Random Bag Searches

America’s Finest News source reports, “Trick-Or-Treaters To Be Subject To Random Bag Searches:”

“Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of ‘tricks’ to extort ‘treats’ from unsuspecting victims,” Chertoff said. “Such scare tactics may have been tolerated in the past, but they will not be allowed to continue this Halloween.”

While he would not elaborate on the specific threat, Chertoff said his office had “heard a couple spooky tales,” and indicated that there was good reason to believe that Americans face “a very ghoulish scenario” this October.

Code/Data Separation

As I mentioned in my “Blue Hat Report,” I want to expand on one of my answers I gave to a question there. My answer involved better separation of code and data. I’ve since found, in talking to a variety of folks, that the concept is not so obvious as it seems to me.

macro-dialog.jpg
The basic idea is that when opening a document, a program has to make a decision on how to treat various bits of it. When the bits are jumbled together, its harder to make the right decisions. It’s also harder to write security wrappers that will parse for things like Javascript or Office document macros, when those can be scattered throughout the document. The parser needs to understand the whole document, in the way that the receiver will, rather than just the code parts.

So if we were to separate code and data the way we’ve separated presentation and data into CSS and HTML, we should give serious thought to breaking out an HTML ‘script’ section. Yes, this would be hard, involving standardization and there’s a huge back-compatability issue to be dealt with. But it seems to me that a separate script section would mostly or completely break cross site scripting attacks.

Similarly, with MS Office moving to an XML data format, it would be great to have an explicit “macros” setting at the top of the document. (I haven’t checked to see where macros can occur in the current definition, but my belief is they can be scattered through the file.) [Update: See Kevin Boske’s comment, apparently Microsoft is doing this.]

Several years back, I had a conversation with the person responsible for macro security in Office. I really wanted “tell me more” to link, not to the help, but to either a static analysis of the macros, or their content. Through the conversation, I was convinced that that was a great idea for a few hundred, or maybe even a few thousand people, but I was unable to suggest a dialog box that would give a typical user useful decision-making context and data.

If macros were at the top of the XML, then I could do what I really wanted to do: Read the macro myself before opening the document. (I don’t trust that “disable macros” is fool-proof.) If I were writing a document firewall, I could make it faster and more effective.

One final point: Separating code and data allows the parsers to be smaller and more modular, which means faster and more reliable.

By separating code and data, not only do you gain security, but you gain performance and reliability. The sooner we start dealing with the back-compatability issues, the better off we’ll be.

The President Endorses This Blog

presidential-seal.jpg

You might have thought that the White House had enough on its plate late last month, what with its search for a new Supreme Court nominee, the continuing war in Iraq and the C.I.A. leak investigation. But it found time to add another item to its agenda – stopping The Onion, the satirical newspaper, from using the presidential seal.

The newspaper regularly produces a parody of President Bush’s weekly radio address on its Web site (www.theonion.com/content/node/40121), where it has a picture of President Bush and the official insignia.

“It has come to my attention that The Onion is using the presidential seal on its Web site,” Grant M. Dixton, associate counsel to the president, wrote to The Onion on Sept. 28. (At the time, Mr. Dixton’s office was also helping Mr. Bush find a Supreme Court nominee; days later his boss, Harriet E. Miers, was nominated.)

Citing the United States Code, Mr. Dixton wrote that the seal “is not to be used in connection with commercial ventures or products in any way that suggests presidential support or endorsement.” Exceptions may be made, he noted, but The Onion had never applied for such an exception.

Silly Onion. Everyone knows the President reads and endorses Emergent Chaos, not the Onion. Who’d read anything with such a silly name?

From The New York Times, “Protecting the Presidential Seal. No Joke.

PS: Dear Mr. Dixon, I’d like an exception for satirical use, but couldn’t find a form on your web site.