Building Security In, Maturely

While I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model.

Lots has been said, so I’d just like to quote one little bit:

One could build a maturity model for software security theoretically (by pondering what organizations should do) or one could build a maturity model by understanding what a set of distinct organizations have already done successfully. The latter approach is both scientific and grounded in the real world, and is the one we followed.

It’s long, but an easy and worthwhile read if you’re thinking of putting together or improving your software security practice.

Incidentally, my boss also commented on our work blog “Building Security In Maturity Model on the SDL Blog.”

SDL Threat Modeling Tool 3.1.4 ships!

On my work blog, I wrote:

We’re pleased to announce version 3.1.4 of the SDL Threat Modeling Tool. A big thanks to all our beta testers who reported issues in the forum!

In this release, we fixed many bugs, learned that we needed a little more flexibility in how we handled bug tracking systems (we’ve added an “issue type” at the bug tracking system level) and updated the template format. You can read more about the tool at the Microsoft SDL Threat Modeling Tool page, or just download 3.1.4.

Unfortunately, we have no effective mitigation for the threat of bad π jokes.

I’m really excited about this release. This is solid software that you can use to analyze all sorts of designs.

Let’s Fix Paste!


Okay, this is a rant.

Cut and paste is broken in most apps today. More specifically, it is paste that is broken. There are two choices in just about every application: “Paste” and “Paste correctly.” Sometimes the latter one is labeled “Paste and Match Style” (Apple) and sometimes “Paste Special” (Microsoft).

However, they have it backwards. Usually, what you want to do is the latter one, which is why I called it “paste correctly.” It is the exception that you want to preserve the fonts, formatting etc. Usually, you want to just paste the damned text in.

I mean, Jesus Hussein Christ, how hard is it to understand that when I go to a web page and copy something and then paste it into my document that I want to use MY fonts, formatting, color, and so on? Even if I do want to preserve those, I ESPECIALLY do not want you to leave my cursor sitting at the end of the paste switched out of whatever my setting I’m using. In the rare occasion that I want paste as it is done today, the keys I type are:

modifier-V              ! Paste (modifier is either (ironically) command or control)
start typing            ! Continue on my merry way
modifier-Z              ! Oh, crap, I'm no longer in my font,
modifier-Z              ! I'm in Web2.0Nerd Grotesque 10 light-grey
! undo the typing and the paste
space, back-arrow       ! Get some room
modifier-V              ! Paste
forward-arrow           ! Get back to my formatting
(delete)                ! Optionally delete the space
start typing again      ! Now where was I? Oh, yeah....

Note the extra flourish at the end because pasting is so helpful.

The usual sequence I type is:

modifier-V              ! Paste
modifier-Z              ! %$#@*!
search Edit menu        ! Gawd, where is it, what do they call it?
select Paste Correctly  ! Oh, there
start typing again      ! Now where was I? Oh, yeah....

This is much simpler, but has its own headaches. First of all, Microsoft binds their “Paste Special” to control-alt-V and brings up a modal dialog because there are lots of options you could conceivably want, and just wanting to paste the %$#@&* text is so, so special. Apple (whose devos must long for the Knight keyboard) binds it to command-option-shift-V, but at least doesn’t make me deal with Clippy’s dumber cousin. They put “Paste Style” on command-option-V, which pastes into place only the formatting. Oh, yeah, like I do that so often I need a keyboard shortcut.

The upshot is that the user experience here is so bad that the stupid blog editor I’m using here that actually makes me type in my own <p> tags is a more predictable editing experience. I can actually achieve flow while I’m writing.

Most tellingly, the most even, consistent, out-of-my way editing experience is getting to be LaTeX! Yeah, I have to type accents by hand, but at least I don’t lose my train of thought every time I paste.

The solution is simple. Make modifier-V be paste. Just plain old paste. Put paste-with-frosting on control-meta-cokebottle-V and give it a helpful dialog box. Please?

Photo by adam.coulombe.

Gary McGraw and Steve Lipner

Gary McGraw has a new podcast, “Reality Check” about software security practitioners. The first episode features Steve Lipner. It’s some good insight into how Microsoft is approaching software security.

I’d say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy.

You should go listen.

Cryptol Language for Cryptography

Galois has announced “

Cryptol is a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency. It has been used successfully in a number of projects, and is also in use at Rockwell Collins, Inc.

Cryptol allows a cryptographer to:

  • Create a reference specification and associated formal model.
  • Quickly refine the specification, in Cryptol, to one or more implementations, trading off space, time, and other performance metrics.
  • Compile the implementation for multiple targets, including: C/C++, Haskell, and VHDL/Verilog.
  • Equivalence check an implementation against the reference specification, including implementations not produced by Cryptol.

The trial version & docs are here.

First, I think this is really cool. I like domain specific languages, and crypto is hard. I really like equivalence checking between models and code. I had some questions, which I’m not yet able to answer, because the trial version doesn’t include the code generation bits, and in part because I’m trying to vacation a little.

My main question came from the manual, which First off the manual states: “Cryptol has a very flexible notion of the size of data.” (page number 11, section 2.5) I’d paste a longer quote, but the PDF doesn’t seem to encode spaces well. Which is ironic, because what I was interested in is “does the generated code defend against stack overflows well?” In light of the ability to “[trade] off space, time [etc]” I worry that there are a set of options which translate, transparently, into something bad in C.

I worry about this because as important as crypto is, cryptographers have a lot to consider as they design algorithms and systems. As Michael Howard pointed out, the Tokeneer system shipped with a library that may be from 2001, with 23 possible vulns. It was secure for a set of requirements, and if the requirements for Cryptol don’t contain “resist bad input,” then a lot of systems will be in trouble.

You versus SaaS: Who can secure your data?

In “Cloud Providers Are Better At Securing Your Data Than You Are…” Chris Hoff presents the idea that it’s foolish to think that a cloud computing provider is going to secure your data better. I think there’s some complex tradeoffs to be made. Since I sort of recoiled at the idea, let me start with the cons:

  1. The cloud vendor doesn’t understand your assets or your business. They may have an understanding of your data or your data classification. They may have a commitment to various SLAs, but they don’t have an understanding of what’s really an asset or what really matters to your business in the way you do. If you believe that IT doesn’t matter, then this doesn’t matter either.
  2. The cloud vendor doesn’t have to admit a problem. They can screw up and let your data out to the world, and they don’t have to tell you. They can sweep it under the rug.

In the middle, slightly con:
Its hard to evaluate security of a cloud vendor. Do you really think a SAS-70 is enough? (Would you tell your CEO, “we passed our SAS-70, nothing to worry about?”) This raises the transaction costs, but that may be balanced by the first pro:

  1. Cloud vendors involve a risk transfer for CIOs. A CIO can write a contract that generates some level of risk transfer for the organization, and more for the CIO. “Sorry, wasn’t me, the vendor failed to perform. I got a huge refund on cost of operations!
  2. Cloud vendors have economies of scale. Both in acquiring and operating the data center, a cloud vendor can bring in economies of scale of operating a few warehouses, rather than a few racks. They can create great operational software to keep costs down, and that software can include patch rollout and rollback, as well as tracking and managing changes, cutting overall MTTR (mean time to repair) for security and other failures.
  3. Cloud vendors could exploit signaling to overcome concerns that they’re mis-representing security state. If a Cloud vendor contracted to publish all their security tickets some interval after closing them, then a prospective customer could compare their security issues to that of the Cloud vendor. Such a promise would indicate confidence in their security stance, and over time, it would allow others to evaluate them.

That last is perhaps a radical view, and I’d like to remind everyone that I’m speaking for the President-Elect and his commitment to transparency, not for my employer.

Ephemeral Anniversary

Yesterday, Nov 17, was the sesquicentenary of the zero-date of the American Ephemeris. I meant to write, but got distracted. Astronomical ephemeris counts forward from this date.

That particular date was picked because it was (approximately) Julian Day 1,000,000, but given calendar shifts and all, one could argue for other zero dates as well. The important thing is to pick one.

There are some who think that this would be a better date to use as a zero-time computer timekeeping than what most of us use presently. It has the advantages that almost all of the Julian/Gregorian calendar skew comes after this (Russia being the major exception) and far enough back that nearly all time-and-date calculations you need to do with quick math can therefore be just adding and subtracting. And it has a nice scientific tie-in.

Other common zero-dates are 1 Jan 1904 (picked because if you pick this date, you can calculate all the way to 2100 assuming that leap years are every four years), and 1 Jan 1970 (picked because this was the last day that The Beatles recorded music in Abbey Road studios — actually, their last date was Jan 4, but close enough).

Actually, Randall, We Tried That

Crypto + 2nd Amendment

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Intenet-enabled world, export control brings lots of hair with it, which is why it was important to fight export restrictions. I could go on, but I’ve already ruined an otherwise amusing strip.

SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.”

I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code.

But I’m most excited about the public availability of the SDL Threat Modeling Tool. I’ve been working on this for the last 18 months. A lot of the thinking in “Experiences Threat Modeling at Microsoft” has been made concrete in this new tool, which helps any software engineer threat model.


I’m personally tremendously grateful to Meng Li, Douglas MacIver, Patrick McCuller, Ivan Medvedev and Larry Osterman. Each of them has contributed tremendously to making the tool what it is today. I’m also grateful to the many Microsoft employees who have taken the time to give me feedback, and I look forward to more feedback as more people use the tool.

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on.

A group of security people and human rights workers not only found out that TOM-Skype is not secure, but found the list of banned words because, as usual, someone didn’t set up their servers very well. A report can be found here.

Skype president Josh Silverman replied to the issue today in this article. He says that yes, it’s happening:

It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.

He’s right: one of the quandaries of business in China is that you have to put your belief in freedom in a trust when you go there. This is why many of us do not like doing business there.

However, he also said:

We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM’s servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.

In other words — it’s bad for the Chinese to spy, and bad for people to catch them at it. Oh, naughty Chinese, and shame on you too, Infowar for dragging this into the daylight.

This comes on top of April’s flap in which the German and Austrian governments essentially said that they have no trouble listening in to Skype. Skype hasn’t commented on that. This is a different issue, as it appears that the surveillance is being done via malware.

Despite the fact that we still don’t know what goes on inside of Skype, it appears that the software is basically secure — or at least the voice parts are. Or was at one time. The noted cryptographer Tom Berson did an analysis of Skype and showed that it was reasonably secure. There were also reverse-engineering analyses done on Skype by Philippe Biondi and Fabrice Desclaux, presented at Black Hat in 2006 that showed it was secure, if eccentric in its design.

However, despite the security of the voice parts, the text parts are obviously not secure. And we have this uncomfortable set of circumstances:

  • Skype voice, while apparently secure in architecture, can be compromised by commercially available malware.
  • Skype text chat is obviously not secure, as shown by TOM-Skype in China.
  • Josh Silverman has washed his hands of l’affaire TOM-Skype.
  • We still don’t know what’s in the Skype source code.

The problem here is one of labeling, and the market effects. I’m sophisticated enough to know that when Josh Silverman says:

… Allowing the world to communicate for free empowers and links people and communities everywhere.

that he is stating that free (as in beer) is important, even if he’s unable to do a lot about free (as in speech) in repressive countries and in the face of law enforcement technologies.

But Skype has always touted itself as a secure technology. The reason that it became popular for free (as in beer) conversations was that we thought and were assured that it was also free (as in speech). Skype themselves paid for a security analysis.

Skype thus became not only the proverbial eight-hundred pound gorilla, but (it seems) the proverbial dog in the manger. Skype’s presence has actively hindered other secure-voice technologies. Phil Zimmermann’s Zfone, for example, has had to answer the question, “why do we need you when there’s Skype?” It seems that he’ll be answering that question less. Josh Silverman needs to do something to show us the basic integrity of the system. Presently it appears that he has empowered us to have communities everywhere but China, or Germany, or any place with a sophisticated and powerful government. At the very least, he should protect eBay’s investment, because if people conclude that Skype is not secure, eBay may wish they’d invested that $1.6 billion in mortgage-backed instruments instead.

And I thought I didn’t like Streisand

While Babs’ vocal stylings may be an “acquired taste”, today I have a new appreciation for the Streisand Effect.
Thanks to Slashdot, I learned that Thomson Reuters is suing the Commonwealth of Virginia alleging that Zotero, an open-source reference-management add-on for Firefox, contains features resulting from the reverse-engineering of Endnote, a competing commercial reference management product.
Turns out that while I am pretty happy with Bibdesk, it’s not the perfect solution for me. I had never heard of Zotero, so I downloaded it and played around. Color me impressed. If you are looking for a browser-integrated citation and reference management tool, I’d give Zotero a look.

Help fund historic computers at Bletchley Park

transport for London.jpg

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently, “electronic” and “programmable.”) It has been rebuilt over the last fourteen years by a dedicated team, who have managed to figure out how it was constructed despite all the plans and actual machines having been dismantled.

Of course, keeping such things running requires cash, and Bletchley Park has been scrambling for it for years now. The BBC reports that IBM and PGP have started a consortium of high-tech companies to help fund the museum, starting with £57,000 (which appears to be what the exchange rate is on $100,000). PGP has also set up a web page for contributions through PayPal at, and if you contribute at least £25 (these days actually less than $50), you get a limited-edition t-shirt complete with a cryptographic message on it.

An interesting facet of the news is that Bletchley Park is a British site and the companies starting this funding initiative are each American companies. Additionally, while PGP is an encryption company and thus has a connection to Bletchley Park as a codebreaking organization, one of the major points that PGP and IBM are making is that Bletchley Park is indeed a birthplace (if not the birthplace) of computing in general.

This is an interesting viewpoint, particularly if you consider the connection of Alan Turing himself. Turing’s impact on computing in general is more than his specific contributions to computers — he was a mathematician far more than an engineer. He was involved in designing Colossus, but the real credit goes to Tommy Flowers, who actually built the thing.

If we look at the history of computing, an interesting thing seems to have happened. The Allies built Colossus during the war, and then when the war ended agreed to forget about it. The Colossi were all smashed, but many people involved went elsewhere and took what they learned from Colossus to make all the early computers that seemed to have names that end in “-IAC.”

(A major exception is the work of Konrad Zuse, who not only built mechanical programmable computers before these electronic ones, but some early electronic ones, as well.)

This outgrowth from Colossus also seems to include the work that turned IBM from being a company that primarily made punched cards and typewriters to one that made computers. It is thus nice to see IBM the computing giant pointing to Colossus and Bletchley as a piece of history worth saving along with the cryptographers at PGP. It is their history, too.

I think this dual parentage makes Bletchley Park doubly worth saving. The information economy has computers and information security at its core, and Colossus sits at the origins of both. Please join us in helping save the history of the information society.

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges.

The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold.

So reports the Washington Post. Wow.

When Congress acts in haste, a la the HAVA fiasco, we all repent at leisure.

Uncle Harold and Open Source


Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust them, tune them, and so on. As time has gone on, cars got electronics in them, then computers, and nowadays an auto mechanic is as much a computer tech with grease under his nails as a mechanic.

I never was much into mechanics as a kid. My father wasn’t, either, and discouraged me from ever being a mechanic. If he were to read this, he’d deny discouraging me, but he did. All he did was point out that some bit of automotive fluff that caught my eye would literally be high-maintenance, and either you do that yourself or you pay someone else.

I eventually did buy a pre-1968 bit of automotive loveliness as part of a quarter-life (okay, third-life) adjustment. The 1968 date is important because that’s when the US started requiring pollution controls, safety equipment, and so on that caused the transit of the gloria of Uncle Harold’s mundi.

For a technologist, a pre-’68 car is utterly amazing because of sublime lack of technology in it. It needs petrol to burn, water to cool, oil to lubricate, and enough electricity to drive the spark plugs. That’s it.

The first time I tuned a pair of SU carbs, it was amazing fun. I could really understand Uncle Harold’s irritation. The tenth time it was far less fun, partially because I’d gotten good at it. It was just a chore. I could really understand my father’s point of view even better. Eventually, the antique bit of fluff got sold and I got a modern fun car that has computers that run everything from engine to brakes.

It’s really sort of sad that I can’t tune the carbs (which of course I don’t have; it’s all fuel-injected). It’s even amusing that if you pull the power from the car, the computers lose their state and they they have to re-tune the ignition system, over the next few miles you drive — in a wtf sort of way. I mean, haven’t these people heard of flash? How much space does it take to store ignition settings and radio presets? (Yes, Uncle Harold, a real radio stores its presets mechanically. Thanks.)

But it’s really wonderful that I don’t have to tune the carbs. There are reasons why those wonderful old systems were replaced. The new ones really are better. Uncle Harold thinks the world has gone to hell in a hand basket. I see the merit in what he says, but when it comes right down to it, I prefer my present hell to Uncle Harold’s heaven.

The brilliant Ivan Krstić has recently written about the transit of his own personal gloria, the OLPC project. In part of his essay, he shows clearly about how some open source people, in particular RMS, have become Uncle Harold, insisting that if you can’t tune those metaphorical carbs, it’s like forcing people to be crack addicts. (And this is paraphrasing, not misquoting RMS.)

Krstić also talks about the same Haroldisms. He says:

About eight months ago, when I caught myself fighting yet another battle with suspend/resume on my Linux-running laptop, I got so furious that I went to the nearest Apple store and bought a MacBook. After 12 years of almost exclusive use of free software, I switched to Mac OS X. And you know, shitty power management and many other hassles aren’t Linux’s fault. The fault lies with needlessly secretive vendors not releasing documentation that would make it possible for Linux to play well with their hardware. But until the day comes when hardware vendors and free software developers find themselves holding hands and spontaneously bursting into one giant orgiastic Kumbaya, that’s the world we live in. So in the meantime, I switched to OS X and find it to be an overwhelmingly more enjoyable computing experience. I still have my free software UNIX shell, my free software programming language, my free software ports system, my free software editor, and I run a bunch of free software Linux virtual machines. The vast, near-total majority of computer users aren’t programmers. Of the programmers, a vast, near-total majority don’t dare in the Land o’ Kernel tread. As one of the people who actually can hack my kernel to suit, I find that I don’t miss the ability in the least. There, I said it. Hang me for treason.

My theory is that technical people, especially when younger, get a particular thrill out of dicking around with their software. Much like case modders, these folks see it as a badge of honor that they spent countless hours compiling and configuring their software to oblivion. Hey, I was there too. And the older I get, the more I want things to work out of the box. Ubuntu is getting better at delivering that experience for novice users. Serious power users seem to find that OS X is unrivaled at it.

I used to think that there was something wrong with me for thinking this. Then I started looking at the mail headers on mailing lists where I hang out, curious about what other folks I respect were using. It looks like most of the luminaries in the security community, one of the most hardcore technical communities on the planet, use OS X.

And lest you think this is some kind of Apple-paid rant, I’ll mention Mitch Bradley. Have you read the story of Mel, the “real” programmer? Mitch is that guy, in 2008. Firmware superhacker, author of the IEEE Open Firmware standard, wrote the firmware that Sun shipped on its machines for a good couple of decades, and in general one of the few people I’ve ever had the pleasure of working with whose technical competence so inordinately exceeds mine that I feel I wouldn’t even know how to start catching up. Mitch’s primary laptop runs Windows.

I know exactly what he means. Once, long ago, I’d fire up my GosMacs session in the morning and close it down when I’d go home. I and my colleagues had so customized our editors (which we lived in) the we said that using someone else’s emacs was like using someone else’s toothbrush. It’s just not done.

When the Story of Mel came out, one of my coding buddies read it and it really creeped her out. She sent out an email to all of us that said, “Oh, my God, that’s my *DAD*!”

I once patched a running CVAX just to watch it fly. I admit that I did it because of the smart remark in Dungeon. And I’ve changed my unices so many times I don’t know what I look like.

Like me, Ivan’s stopped being Uncle Harold with computers. I like being able to get grungy, but I also hate having to. The last remnant of my Uncle Haroldism is my main server that’s running FreeBSD. I am especially glad this week that I listened to Ben and didn’t put Ubuntu on it. I’m even chafing at that system and asking myself why I don’t just outsource the whole damned thing. I’d tell you, but then you’d see my tinfoil hat. (Oh, all right. If you run your own mail server, they can’t NSL your sysadmin. I know what you’re going to say. I’ve said it myself. Hush.)

Nonetheless, the Uncle Harolds of the world have a point. It’s nice to be able to change your kernel. It’s nice to be able to recompile everything. It’s just a drag to have to. When Open Source realizes that, it will make great strides to getting back people as non-technical as Ivan. And yeah, Ubuntu’s getting close, I know that. I actually do love puttering around, but another prop has occupied my time.

Photo courtesy of Light Collector.