Fud Watcher

Location: United Kingdom

Sunday, February 19, 2006

Apple security through obscurity

John Stith writing in Securitypronews says that the reason the Mac was long thought to be immune from viruses was because of its relatively small userbase and quotes some security experts as saying that this may turn out to be the year of the OS X exploit.

"What's perhaps surprising is that there are a hardcore element of 21% who believe that threat attempts against Mac users will not grow." Graham Cluley Sophos.

"This is almost certainly the year of the OS X exploit .." "On a good day, Apple doesn't even make it to Microsoft's level of security awareness," Jay Beale Intelguardians

"Linux has a better history for security than Microsoft, and hackers are more focused on Microsoft. So the main demand for Unix antivirus software comes from companies running Windows on a Unix server trying to boost security. The same may be true for Linux."
Graham Cluley - June 2004

"These are not attacking any kind of vulnerability in the computer. They are attacking the vulnerability of people's brains."
Graham Cluley - May 2004

a Mac has no more inherent security than a PC
Graham Cluley Aug 2003

EU Commission threatens MS, says the Beeb

The BBC writes that Microsoft accuses the EU of attacking its compliance efforts in regard to the March 2004 ruling. MS also accuses the Commission of creating the problem by failing to clearly define its requirements.

"It was given until Wednesday to prove it had provided rivals with computer codes that would let them develop products to work with Windows systems."

Incorrect: the ruling required them to provide the protocols unencumbered by licensing or patent restrictions.

The Commission Ruling of March 2004 states: "Microsoft to disclose to competitors, within 120 days, the interfaces(3) required for their products to be able to 'talk' with the ubiquitous Windows OS .."

Microsoft's response was to provide technical documentation and some source code. According to Groklaw the Commission asks why the source code offer is relevant to compliance, as it was never asked for under the March 2004 decision. The Commission also insists that it is they who will decide whether Microsoft is compliant, and not Microsoft.

Saturday, February 18, 2006

Amazon.com being sued for patent infringement

The Chicago Tribune is reporting that Amazon is being sued by Registrar Systems LLC for allegedly infringing on two of its patents.

The alleged inventors say that Amazon's e-commerce technology uses methods from their US patents 5,790,785 and 6,823,327.


"the present invention includes a World Wide Web registration web site wherein a user accessing the World Wide Web can utilize this web site as a repository for registration information so that the user can request this registration information to be transmitted substantially automatically to another web site to which the user desires to register"

Apart from the repetition of the word Web in the summary, didn't similar systems exist prior to 1998 for distributed authentication?

What is LDAP? .. possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys ..

1993 RFC 1487 - X.500 Lightweight Directory Access Protocol.

Jul 31 1989 Usenet Msg "Retix, based in Santa Monica, California, has had a fully conformant, portable Directory Access Protocol (DAP) (with an example DSA) since 1987."

Thursday, February 16, 2006

Lack of security is down to competitors - Bill Gates

The Financial Times interviews Bill Gates at the RSA conference in San Jose.

"FT: Did anti-trust considerations figure in your decision not to bundle anti-virus software with Windows?"

"BG: Yes. The decision to leave AV outside there's so many factors that weigh into it. But certainly, we looked at that as one factor, how people will respond"

Perhaps the main reason is the first occurrence of a virus on Vista would leave considerable egg on face.

"the whole notion of improving software and making it better for users has been attacked because it makes it tough for competitors"

Lack of security in Windows is caused by [our] competitors? Like how? When has any competitor criticised Microsoft for improving security? The whole notion is nonsensical.

Besides, I thought that Vista with its TPM module and least privilege user model would be immune to viruses. According to Marcus J. Ranum the AV model is defective as it relies on Enumerating Badness, where a virus signature has to be in the database in order to be recognised, instead of Default Deny, where everything is denied access except what is explicitly allowed.
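The two models Ranum contrasts, side by side, as an added example (not code from this post or from Ranum); the sample "binaries" and the known-bad signature are constructed here purely to illustrate the comparison:

```python
"""Enumerating Badness (signature blacklist) versus Default Deny (allowlist).

Both policies decide whether a file may execute from its SHA-256 hash.
All file contents below are constructed toy data, not real software.
"""
import hashlib

# Constructed sample data (hypothetical): the approved binaries an
# administrator has explicitly vetted, and one known-bad sample.
APPROVED_BINARIES = {
    "editor.exe": b"editor v1",
    "browser.exe": b"browser v9",
}
KNOWN_BAD_SAMPLE = b"known worm body"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The AV database: hashes of badness that has already been seen.
BAD_HASHES = {sha256(KNOWN_BAD_SAMPLE)}
# The allowlist: hashes of everything explicitly permitted.
GOOD_HASHES = {sha256(body) for body in APPROVED_BINARIES.values()}


def enumerate_badness(content: bytes) -> bool:
    """AV-style: run it unless its hash matches a known-bad signature."""
    return sha256(content) not in BAD_HASHES


def default_deny(content: bytes) -> bool:
    """Allowlist: refuse to run it unless its hash is explicitly approved."""
    return sha256(content) in GOOD_HASHES


def compare(content: bytes) -> dict:
    """Return the verdict of each policy for one file."""
    return {
        "enumerate_badness": enumerate_badness(content),
        "default_deny": default_deny(content),
    }


if __name__ == "__main__":
    # A one-byte variant of the worm has no signature yet: the blacklist
    # lets it run, the allowlist does not. The flip side is that a new
    # version of the editor is also blocked until someone approves it.
    for label, body in [("known worm", KNOWN_BAD_SAMPLE),
                        ("worm variant", KNOWN_BAD_SAMPLE + b"!"),
                        ("approved editor", b"editor v1"),
                        ("unapproved editor update", b"editor v2")]:
        print(f"{label:26} {compare(body)}")
```

The cost of Default Deny shows in the last case: every legitimate update has to be approved before it will run, which is the operational burden that keeps vendors on the signature model.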

"we're kind of saying if we put new things in and don't raise the price, it's there, that's competition"

You mean like bundling Media Player and not charging for it, for which they are still in court in the EU? How was RealNetworks supposed to earn a crust from selling its RealPlayer without a desktop monopoly? Was Real also being anti-competitive here?

Microsoft has persuaded RealNetworks to withdraw from the case in return for some Vista licenses.

MS also doesn't seem too concerned by a March 2004 EU decree that it must unbundle its media player and provide other parties with the information needed for full interoperability with Windows. Not only have they not complied with the ruling, they have decided the Commission was in error and that releasing technical documentation and some source code would do instead. The Commission has the temerity to insist that they will decide whether Microsoft is compliant, and not Microsoft.

"other people are saying no, let's protect us competitors"

What ?

"That's a tricky framework. Clearly if that was all we thought about we wouldn't have put all this new stuff in, but we have."

What ?

"FT: You have talked about building a trust ecosystem .. Would this be a closed system, or an open one?"

"BG: It's totally standards-based and totally open."

No ..

Wednesday, February 15, 2006

biggest military hacker of all time back in dock

The BBC is reporting that the extradition hearing of Gary McKinnon is reopening. His lawyers are concerned that he may end up at Guantanamo Bay.

Representatives of the US Gov claim he caused £370,000 worth of damage and that his ultimate intention was to get access to a classified network.

McKinnon says he was just looking for evidence of a UFO cover-up and, besides, there were loads more people connected than him.

"Once you're on the network, you can do a command called NetStat - Network Status - and it lists all the connections to that machine.

There were hackers from Denmark, Italy, Germany, Turkey, Thailand .. Every night .. for the entire five to seven years I was doing this."

July 09 2005

"I was always very frightened when I realised there were always other people from all over the world on there. These were like foreign ISPs, routinely going through things. It is very worrying that it is the world's only superpower and it is that easy to breach security."

July 13 2005

As for being the biggest military computer hack of all time, this is of course nonsense. Gary got in because the same image was installed on all the machines with the same default admin password. How he got caught was even more banal ..

"I'd instant message them, using WordPad, with a bit of a political diatribe. You know, I'd leave a message on their desktop that read 'Secret government is blah blah blah.'"

Indictment in the case of Gary McKinnon ..

"the defendant intentionally accessed a computer belonging to and used exclusively by the United States Army, Fort Myer, Virginia, with the Internet Protocol address of, which computer was used in interstate and foreign commerce and communication".

Prosecution: Mr. McKinnon on or about February 2002 within the District of Virginia did you knowingly cause damage and loss aggregating to £370,000 without authorization to a protected computer, belonging to the United States Army.

Defendant: I dunno dude, I was smoking a lot of dope at the time. Not good for the intellect.


UK Law enforcement want back door into Vista

The BBC has a piece regarding the UK government's concerns regarding the TPM module in the upcoming Vista release. In it a select committee was told that law enforcement would be hampered without some kind of backdoor being installed.

"The Home Office has already been in touch with Microsoft concerning this matter and is working closely with them."

The irony is that TPM *is* the backdoor into the system.

Tuesday, February 14, 2006

How to fud Open Source

How to avoid open source licensing pitfalls

The current issue of Computerweekly has an article by lawyer Matthew Harris on how to avoid open source licensing pitfalls. In it he makes a number of observations and what can only be described as vague generalities and numerous what-ifs.

[The] "creation of specific open source compliance insurance .. is recognition of the existence of such risk"

Compliance Insurance had to be created in response to certain vested interests' attempts to create Fear, Uncertainty and Doubt in the minds of potential adopters. It's also an attempt to up the cost of Open Source through the forced adoption of Fear of Litigation Fees.

"Such risk .. is often perceived to be greater in such a case because of the dispersed nature and larger number of contributions to its underlying code."

Then how come there is not a plethora of such cases? Remember the Source is out there for anyone to audit for such breaches. Why have no such violations been found up to now? Can you produce any such cases? Apart from the SCO case, that is?

Ah, I only now notice the first half of that testimony "The risk of third-party intellectual property rights infringement, specifically in relation to copyright material and/or patents"

So it's not about Open Source, per se, but fear of copyright and patent violation. Provenance of Open Source copyright can easily be proved. All the litigant has to do is point out the infringing code. Where is the vast array of such cases?

As for patents that, if you don't mind me saying so, is a bit of a subject shuffle. You see, up to recently it was possible to *copyright* code but not possible to patent a particular method or algorithm. The change in the (US) law that allowed for this is what has led to the current nonsense where some people have patented such obvious things as the "IsNoT" operator, or a method for calling an external application from a web browser, or combining e-mail with mobile phone technology.

They then wait for some real technology company to go and actually invent the thing and then attempt to extort 'licenses' out of them under threat of litigation. A lot of the time big companies pay up rather than wait it out and see their customer base erode. Of course this only pays off against the big corporations, as what's the point in suing some one-man business? It also means that the suing company has deep enough pockets to wait it out.

So for most/all small to medium sized businesses the need for such 'compliance insurance' is non-existent. Indeed a name for such activity exists and is referred to as the Submarine patent.

Given the collaborative nature of any kind of intellectual endeavour, if the current situation had existed in the mid twentieth century then Crick and Watson could not have worked on the discovery of DNA, as any kind of x-ray diffraction used would have violated someone else's "method". You see, any "intellectual property" garnered would have invariably stuck to the patent holder's x-ray diffraction method.

"some open source software licences seek to impose a contractual obligation on the end-user who bundles open source software with their own proprietary software to distribute the source code of both pieces of software on open source terms, thus "infecting" the proprietary software"

This is a very ambiguous and misleading statement coming from a lawyer. There are a plethora of licenses that specifically do not require you to publish your own source code. The Lesser GPL for one. These were specifically designed to guard against such situations. The point is the end-users have a choice. The only restriction is that they do not hinder other developers in what they can do with the code.

Again you talk in vague generalities. How about some real cases? The only protection Sun's new open source license, the CDDL, seems to confer is a mutually beneficial agreement between them and Microsoft not to sue each other for patent violations and, here's the rub, this restriction extends to any downstream developer who uses the CDDL.

So just who is protecting whom from patent "infringement"? Incidentally both of the above parties bought "licenses" from the SCO group. And in the case of AutoZone and DaimlerChrysler they ended up getting sued by their own suppliers - a commercial software house.

"The fact that no proprietary software has been mixed with open source software does not necessarily avoid the infection risk problem"

I don't know exactly what that means but a number of commercial companies are happy to collaborate with the Open Source community. Silicon Graphics and Weta Digital to name two.

"Another disadvantage of open source software is that it is provided without warranty protection as to its compliance with a particular standard"

What warranty exactly do you get with a non-open source license - apart from not getting sued by your own suppliers, that is? The Microsoft EULA states:

''Manufacturer's .. entire liability .. is .. return of the price paid; or (b) repair or replacement of the SOFTWARE ..''

What warranty did the suppliers provide to CardSystems Solutions when details of over 40 million accounts were exposed? What indemnification did the suppliers of the software give the company that installed the radio system for Southern California's air traffic control? The one that left 800 planes without radio contact and five cases of near air collisions. Or more recently the crash of the Russian Stock Exchange.

"The manner in which open source material is produced and distributed also means that it is not possible to address these ambiguities through negotiation"

It's the manner in which it is produced that gives it its greatest strength. Disputes about the provenance of code can be quickly brought to a resolution. For instance in the cases of Fortinet and Linksys. Curiously enough, in both cases it was found that the companies had knowingly included GPL code without abiding by the license. In the case of Fortinet they even took steps to obfuscate the code.

"As a consequence of the ease with which open source can be downloaded from the Internet, it can be in operation throughout an organisation without any detailed record of where and how."

"Therefore, the first step must be to conduct an audit of current and past open source use across the organisation .."


"There may be other software available on less onerous open source terms"

One solution is to use exclusively Open Source solutions, not do an audit and make a donation to the fsf.org. That way I can sleep soundly at night and not worry about any potential associated risks.


ComputerWeekly Feb 07 2006
How to avoid open source licensing pitfalls

Other Reading ...

Patent Questions About the CDDL Groklaw Jan 28 2005

Credit card suit now seeks damages News.com.com July 07 2005

NZ open source group hires 'big dog' to fight SCO Linuxworld.com.au Aug 25 2003

Microsoft server crash nearly causes 800-plane pile-up Techworld.com Sep 21 2004

Fortinet in court for hiding Linux in its code Vnunet.com April 15 2005


Organizations not worried about using Open Source er .. Linux in a lot of cases :]

Amazon.com, Boscov's Department Stores, Bristol-Myers Squibb Co, Canara Bank of India, Citigroup, Deutsche Bank, Digital Domain, E-Trade Financial Corp, Ernie Ball, First Boston, First National Bank of Omaha, Industrial Light and Magic, KeyWest Bank, Los Alamos, MainConcept, Pixar, Royal Sun Alliance, Schwab, SunGard, T-online, The BBC News website, The City of Largo, Florida, UBS Investment Bank, Weta Digital ..

Key Words:

ambiguities, ambiguous, breaching, claims, compliance, concern, contractual, disadvantage, impose, incompatible, indemnity, infecting, infection, infringement, issues, obligation, onerous, patents, problem, problems, protection, risk, terms, uncertain, warranty ...

And Finally ...

Dear Abbey,
My employees use infectious and ambiguous software, is there a legitimate software house that will license their intellectual property to me so that I can sleep soundly at night? A lawyer friend of mine has advised me never to trust my own staff, especially if they have ever used the word Linux.

Signed: A perturbed businessman