GDT::Security::Watchdog::Archive::Year 2002

Security Watchdog

Computer Security Requires Trustworthy Computer Professionals
I've been thinking and writing a lot about trust these days. Why? Because computer security can only happen if computer professionals practice being trustworthy.

During the last Introductory Unix class for Fall 2002 (Tuesday, 17 December 2002) I lectured about taking pride in becoming super-user. If an employer gives you root access to their computers, then they are trusting you to treat their data (i.e. information) with respect.

The next day, 18 December 2002, Slashdot.org had a discussion thread on the topic of when a SysAdmin goes bad.

On Wednesday, 08 January 2003, the Arizona System Administrators Guild (AZSAGE) is going to have a speaker speak about Computer Crime and the SysAdmin.

[Extra] From InternetWeek.com... "A flaw in popular shopping cart software allows customers to modify the price of items that they purchase, a security firm has warned. ShopFactory, from 3D3.com in Australia, stores prices in cookies on the customer browser, and customers can change those prices by simply editing the cookies using a text editor, according to Trust Factory." Note: InternetWeek.com used the term flaw, but I prefer to call it a defect. [At least they didn't use the term bug.] [Trust-Factory.com]
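The ShopFactory defect above is the general "client holds the price" problem. As an added example (not code from the original posting, from ShopFactory or from Trust Factory), here is a small C program that parses a shopping-cart cookie two ways: the defective way, where the unit price is read back from the cookie, and the corrected way, where the cookie may only name the item and the price is always looked up on the server. The catalog, SKU names and cookie strings are constructed for illustration.

```c
/* Added example: trusting a price stored in a client cookie versus looking
   it up server-side. The catalog and cookie values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical server-side catalog: the only authoritative source of prices. */
struct item { const char *sku; long price_cents; };
static const struct item CATALOG[] = {
    { "BOOK-101", 2499 },
    { "PEN-7",     350 },
};

/* Look up a price by SKU. Returns -1 if the SKU is unknown. */
long catalog_price(const char *sku) {
    for (size_t i = 0; i < sizeof CATALOG / sizeof CATALOG[0]; i++)
        if (strcmp(CATALOG[i].sku, sku) == 0)
            return CATALOG[i].price_cents;
    return -1;
}

/* Extract the value of one cookie name from a "Cookie:" header value such as
   "sku=BOOK-101; price=1; qty=3". Copies at most n-1 bytes into out and
   NUL-terminates. Returns 1 if the name was found, 0 otherwise. */
int cookie_value(const char *header, const char *name, char *out, size_t n) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen >= n) vlen = n - 1;              /* bounded copy */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += strcspn(p, ";");                         /* next cookie */
    }
    return 0;
}

/* DEFECTIVE pattern (what the story describes): the unit price comes from
   the cookie, so whoever edits the cookie sets the price. */
long vulnerable_total(const char *cookie) {
    char price[32], qty[32];
    if (!cookie_value(cookie, "price", price, sizeof price) ||
        !cookie_value(cookie, "qty", qty, sizeof qty))
        return -1;
    return strtol(price, NULL, 10) * strtol(qty, NULL, 10);
}

/* CORRECTED pattern: the cookie may carry the SKU and a quantity (still
   validated), but the price always comes from the server catalog. Any
   "price" cookie is simply ignored. */
long hardened_total(const char *cookie) {
    char sku[32], qty[32];
    if (!cookie_value(cookie, "sku", sku, sizeof sku) ||
        !cookie_value(cookie, "qty", qty, sizeof qty))
        return -1;
    long q = strtol(qty, NULL, 10);
    if (q < 1 || q > 100) return -1;                  /* reject absurd quantities */
    long price = catalog_price(sku);
    if (price < 0) return -1;                         /* unknown SKU */
    return price * q;
}

int main(void) {
    /* Constructed cookie as an edited browser might send it: price set to 1 cent. */
    const char *tampered = "sku=BOOK-101; price=1; qty=3";
    printf("vulnerable total: %ld cents\n", vulnerable_total(tampered));
    printf("hardened total:   %ld cents\n", hardened_total(tampered));
    return 0;
}
```

With the tampered cookie the defective version charges 3 cents for three books, while the corrected version charges 7497 cents, because the cookie's price field never reaches the arithmetic. The same rule applies to any value a client can rewrite: hidden form fields and URL parameters are no more trustworthy than cookies.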

[27 December 2002, top]
CERT.org::Multiple Vulnerabilities in SSH Implementations
On Monday, 16 December 2002, the Computer Emergency Response Team (CERT) issued yet-another advisory against Secure Shell (SSH).

A test suite was created that "demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before any user authentication takes place."

The test suite found the following defects.

   incorrect field lengths
   lists with empty elements or multiple separators
   "classic" buffer overflows
   null characters in strings

The aforementioned defects are common in many computer programs written in C and C++.
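Each item on that list is a failure to check data that arrives from the peer before authentication. As an added example, not code from the advisory or from any SSH implementation, here is a C reader for the two SSH wire types those defects live in: a "string" (a 4-byte big-endian length followed by that many bytes) and a "name-list" (a string holding comma-separated names). It rejects a declared length that overruns the packet, a NUL byte inside a name, and lists with empty elements or doubled separators. The sample packets are constructed inline.

```c
/* Added example: bounds-checked parsing of SSH-style length-prefixed fields.
   Not taken from any SSH product; sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reader { const uint8_t *buf; size_t len; size_t pos; };

enum field_status {
    FIELD_OK = 0, FIELD_TRUNCATED, FIELD_BAD_LENGTH, FIELD_NUL, FIELD_BAD_LIST
};

/* Read one length-prefixed field. On success *out/*out_len point into the
   packet itself (no copy into a fixed-size destination, so nothing to overflow). */
enum field_status read_string(struct reader *r, const uint8_t **out, size_t *out_len) {
    if (r->len - r->pos < 4) return FIELD_TRUNCATED;
    const uint8_t *p = r->buf + r->pos;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    r->pos += 4;
    /* "incorrect field lengths": the declared length must fit in what remains.
       Compare n against the remaining count, never pos + n (which can wrap). */
    if (n > r->len - r->pos) return FIELD_BAD_LENGTH;
    *out = r->buf + r->pos;
    *out_len = n;
    r->pos += n;
    return FIELD_OK;
}

/* A name-list is a string of comma-separated, non-empty, printable names.
   Rejects embedded NULs, empty elements and repeated separators. */
enum field_status read_name_list(struct reader *r, const uint8_t **out, size_t *out_len) {
    enum field_status st = read_string(r, out, out_len);
    if (st != FIELD_OK) return st;
    size_t elem_len = 0;
    for (size_t i = 0; i < *out_len; i++) {
        uint8_t c = (*out)[i];
        if (c == 0) return FIELD_NUL;                   /* a C string would end here */
        if (c == ',') {
            if (elem_len == 0) return FIELD_BAD_LIST;   /* leading "," or ",," */
            elem_len = 0;
        } else if (c < 0x21 || c > 0x7e) {
            return FIELD_BAD_LIST;                      /* non-printable name byte */
        } else {
            elem_len++;
        }
    }
    if (*out_len > 0 && elem_len == 0) return FIELD_BAD_LIST; /* trailing "," */
    return FIELD_OK;
}

/* Parse a whole buffer as exactly one name-list; trailing bytes are an error. */
enum field_status check_name_list_packet(const uint8_t *buf, size_t len) {
    struct reader r = { buf, len, 0 };
    const uint8_t *s; size_t n;
    enum field_status st = read_name_list(&r, &s, &n);
    if (st == FIELD_OK && r.pos != len) return FIELD_BAD_LENGTH;
    return st;
}

int main(void) {
    /* Constructed packets: a valid list, a length that overruns the packet,
       an embedded NUL, and a list with an empty element. */
    static const uint8_t good[]    = { 0,0,0,11, 'a','e','s','1','2','8',',','n','o','n','e' };
    static const uint8_t toolong[] = { 0,0,0,200, 'a','b','c' };
    static const uint8_t nul[]     = { 0,0,0,5, 'a','b',0,'c','d' };
    static const uint8_t empty[]   = { 0,0,0,6, 'a','b',',',',','c','d' };
    printf("good=%d toolong=%d nul=%d empty=%d\n",
           check_name_list_packet(good, sizeof good),
           check_name_list_packet(toolong, sizeof toolong),
           check_name_list_packet(nul, sizeof nul),
           check_name_list_packet(empty, sizeof empty));
    return 0;
}
```

The check that matters most is the one against the remaining byte count: a parser that trusts the declared length and copies that many bytes into a stack buffer is the "classic" buffer overflow on the list, and because the key-exchange name-lists are exchanged first, it is reachable before any password is typed.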

CERT.org::Multiple Vulnerabilities in SSH Implementations

Learning About Cybersecurity requires us to start using CERT advisories for dot-edu purposes. CERT advisories are effective learning resources.
[20 December 2002, top]
C3S::Center for Computer and Communications Security (again)
Carnegie Mellon University will receive $35.5 million over five years from the Department of Defense to conduct research into fighting cybercrime. The university's Center for Computer and Communications Security (C3S) is already doing research in areas such as using biometric tools to identify users and adding artificial intelligence to hardware so that it can detect when it is being attacked and take measures to protect itself. Center for Computer and Communications Security [sources::EDUCause and WiredNews::Politics]

[Extra] Professor's Case: Unlock Crypto [WiredNews::Technology]

[Yet-Another-Extra] Today's (Friday, 13 December 2002) GDT::Dot::Headlines from Slashdot includes the following: Sun Security Patch Introduces Security Hole.

[13 December 2002, top]
Total Information Awareness Program [be aware]
On Wednesday, 04 December 2002, I attended a Mesa Community College forum for international students that provided them information about civil rights these days in America. Those of us in attendance (and there weren't many) heard about TIAP (Total Information Awareness Program). Upon returning from the meeting, my email in-box contained a new message from the CPSR (Computer Professionals for Social Responsibility) that started as follows.

"Just weeks after the U.S. elections, we have witnessed the return of the two nightmare technologies that catalyzed CPSR's creation: high tech warfare and the biggest of Big Brothers, the Total Information Awareness program. It is more important than ever that CPSR serve as the voice of the grassroots public interest."

What is TIAP?

The following was obtained from a TIAP homepage located at DARPA.mil.

"The Total Information Awareness (TIA) program is a FY02 new-start program. The goal of the Total Information Awareness program is to revolutionize the ability of the United States to detect, classify and identify foreign terrorists, and decipher their plans, and thereby enable the U.S. to take timely action to successfully preempt and defeat terrorist acts."

It was at DARPA that the Internet was born...

DARPA -- Defense Advanced Research Projects Agency

Note: GDT contains few dot-mil hyperlinks.

[06 December 2002, top]
Homeland Security Using Insecure Computing Systems
I read these two stories from Nandotimes.com.

"Some of the U.S. government's most important computer systems continue to suffer significant security lapses despite renewed focus protecting them against terrorist attacks." [ Problems Remain in U.S. Computer Security {InformationWeek.com}]

ISPs (Internet Service Providers) such as AOL, MSN, etc., could give the government more information about subscribers and police would gain new Internet wiretap powers. [ Say Hello to Big Brother {Declan McCullagh}]

Are these two stories oxymoronic? [I admit ignorance is not bliss.] In a nutshell, the government wants to use data collected from computer systems to help with homeland security, yet the data they want access to is being processed by insecure computing systems. Oxymoron: Using insecure tools to provide security.

[22 November 2002, top]
CERT Advisories: tcpdump/libpcap Distribution and BIND
The Computer Emergency Response Team (CERT) issued two Advisories during the week ending 15 November 2002. The first advisory pertains to a bogus distribution and the second involves a program, BIND, that is the most widely used implementation of DNS. [DNS drives the Internet.]
  • Trojan Horse tcpdump and libpcap Distributions [13 November 2002]
    "The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse."
  • Multiple Vulnerabilities in BIND [14 November 2002]
    "Multiple vulnerabilities with varying impacts have been found in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC)."
[15 November 2002, top]
Computing for Charity (charityware)
I like ideas that attempt to turn "bad" stuff into "good" stuff. Most people who work with computers want computers to play a positive role in society. Here are a couple of examples of doing good with computers.
  • WiredNews::Business posted a story about a web hosting company that is suing spammers and any money they are awarded is redirected to charities. Suing spammers for a good cause.

  • The vim Editor is free, but it is also charityware. If vim becomes one of your computing tools, then you can pay the creator of the program some money. In the case of vim, any money you give to its creator is passed along to a charity.

[08 November 2002, top]
Cybersquatting Politicians; Newspaper Editorializes About Spam
Politicians Like to Cybersquat
Here is a Letter to the Editor that I submitted via email to the Arizona Republic on Tuesday, 29 October 2002.
Why when I type in the URL http://SalmonForGovernor.org do I get re-directed to http://BestyBayless.com?

In addition to the redirect, a pop-up window occurs that displays an anti-Salmon article from http://ArizonaRepublic.com.

If I put on my Computer Professional hat, then this is called cyber-squatting.

The Arizona Republic did not publish this letter.

Learning About spam From the Newspaper
Here is a Letter to the Editor that I wrote that responds to an Arizona Republic Editorial about spam published on Monday, 28 October 2002. I did not submit the letter.

Although it may have been only a "musing," fighting spam with spam is not how we are going to win the war against spam.

The DMA (Direct Marketing Association) wants regulations passed so it can have exclusive rights to spam our email in-boxes. The DMA does not have a cost effective way to have their spam "stand-out" from other spam. Email spam has been a serious problem for a long time and I find it interesting that it takes action on the DMA's part before the Arizona Republic writes about it.

Here are URLs to help your readers learn about spam.

The Arizona Republic needs to be thanked for writing about the spam problem, but their suggestion that spammees spam the spammers is bad. Their editorial ends with the sentence: "Ah, sweet revenge." When it comes to spam, this type of revenge is ineffective.

[01 November 2002, top]
Quotes From Cyber-Security Advisor for George Bush; DMA on Spam
Here are some quotes spoken on Monday, 14 October 2002 by Howard Schmidt, cyber-security adviser for President Bush:

"We have a great deal of focus nowadays on weapons of mass destruction but we need to be aware of the proliferation in cyberspace of weapons of mass disruption." [...]

"Cyber crime is costing the world economy billions of dollars and it is still on the increase. The more we depend on the system, the more we use the system, the more they will exploit it." [...]

"What we are concerned about is reducing vulnerability whether the threat is from the Mideast or the Midwest." [...]

Great quotes, but let's consider the source: Howard Schmidt is a former chief security officer at Microsoft.

[Extra] You know the spam problem is getting bad when the Direct Marketing Association wants anti-spam laws. [Nutshell: The DMA wants exclusive rights to send email spam.]

[25 October 2002, top]
Biometrics: Good or Bad?
Here is an article that was posted to Washington Post dot-com on 25 September, 2002, that discusses concerns about the government's use of biometrics. Technology vs. Civil Liberties?

Here is an article that was posted to Federal Government Weekly dot-com on 07 October, 2002 about how biometrics is proving to be more difficult than feds anticipated. Learning About Biometrics

[New Term::NanoBrother] "We are moving rapidly into a world in which the spying machinery is built into every object we encounter." -- Howard Rheingold [source:: WiredNews::Culture]

[18 October 2002, top]
More Microsoft Security Bulletins; CERT Sendmail Advisory
The last Security Watchdog posting indicated that Microsoft had issued 52 security bulletins thus far in the year 2002. Two weeks later and now the number is at 57.

[Extra] Microsoft is not alone with respect to providing defective software. On 08 October 2002, a CERT Advisory was issued on a Trojan Horse Sendmail Distribution.

[11 October 2002, top]
Microsoft Security Bulletins; CIPA and Filtering; Voting in Floriduh
[Item] Friday, 27 September 2002, ends the 38th week of year 2002. So far this year Microsoft has issued 52 Security Bulletins. In other words, Microsoft issues one Security Bulletin every five days. Microsoft Issues 51st and 52nd Security Bulletins of the Year [Sacramento Bee]

[Item] The U.S. Federal Government has money to give schools to help them computerize, but the money is given only if schools agree to run filtering systems as per the CIPA. No Filtering, No Government Funds [WiredNews.com] and CIPA: Children's Internet Protection Act [Internet Free Expression Alliance]

[Item] The state of Floriduh spent millions of dollars to purchase touch-screen electronic balloting devices. Throwing hardware at problems is an easy thing to do when you have money, but it usually doesn't work well and the state of Floriduh provides real-world evidence of this. [At least Floriduh can play college football.] Florida Primary 2002: Back to the Future [RISKS Digest]

[27 September 2002, top]
CERT Advisory: Apache / mod_ssl Worm
Seeing a CERT Advisory issued against Linux, Apache and mod_ssl makes one sad. These are our tools of choice for implementing secure web systems. A few days earlier there was a CERT against CDE (Common Desktop Environment). In a nutshell, the FS/OS world has been cracked on both the desktop and server.

Is FS/OS bad software? That is what I would ask if I'm paying the bills.

These cracks have me even more excited about the future of FS/OS. Why? Because of the pride-of-ownership that is behind much of the critical FS/OS.

Here is the CERT Advisory: Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures. In other words, the Apache / mod_ssl Worm.

[20 September 2002, top]
CIAC Warns About Parasite Programs
U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) has issued an analysis of a dangerous category of software it is calling parasite programs.

In a nutshell, parasite programs are packaged with legitimate software to "display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space."

Parasite Programs; Adware, Spyware, and Stealth Networks

[13 September 2002, top]
Internet Freedoms Fall Victim to 911
The Internet can be classified as collateral damage caused by the 9/11/2001 attack on America. Internet freedoms have been eroded (i.e. taken away) in many countries and this includes the United States.

"Among the laws criticized as curbing Internet rights were the U.N. Security Council resolution 1373 on fighting terrorism, the U.S.A. Patriot Act and amendments tightening European Union rules on protecting electronic data."

Reporters Without Borders: Internet Freedom Also Victim of Sept 11

[06 September 2002, top]
Bionic Eye; Google Toolbar Advisory; Tracking Foreign Students
[Item] Bionic Eye is a device that consists of a silicon chip inserted into the eye, which is designed to act like a retina. This chip can help people regain lost sight. Bionic Eye.

[Item] It appears the Google Toolbar, which can be used to search Google without going to its homepage, can be exploited. GreyMagic Security Advisory: Exploiting the Google Toolbar

[Item] Here is a follow-up to last week's extra posting. More discussion is happening with respect to our government wanting dot-edu's to report on the status of foreign students. Here is a quote from EDUCause.

"PeopleSoft and other companies that provide student-information systems for colleges are scrambling to create software that will help institutions meet a tight government deadline for reporting new information about foreign students."

Chronicle.com reports Companies and Colleges Scramble to Meet New Requirements for Foreign Students.

[30 August 2002, top]
Princeton.edu Cracks Yale.edu
Statement of computing fact: Princeton.edu cracked Yale.edu. Princeton admits they did something wrong, but bottom-line response: Stuff happens. Here are quotes from Princeton's President.

"Students who apply to Princeton, or to any other university, have every right to expect that information they provide in good faith will be used only for the purposes for which they provided it, and that their privacy and confidentiality will be respected."

I say this all the time: do as I say, not as I do.

"These actions were wrong, but the only information obtained from the Yale Web site was whether or not certain applicants had been admitted, and this information was not used in any way."

It is the use of the words but and only that are scary.

"One of the lessons of this experience is that even individuals with a high degree of sensitivity to ethical principles in traditional settings can fail to be equally sensitive when technology is involved (as when someone who would never open a sealed envelope addressed to another person enters a secured Web site). "

Dot-com, dot-net, dot-org cannot be trusted. Princeton has taught us the same is true when it comes to dot-edu.

Princeton Acts on Its Cracking of Yale's Computers.

[Extra]
Patriot Act... "Beginning 31 January 2003, universities and colleges must frequently transmit detailed information about their foreign enrollees to the Immigration and Naturalization Service. The INS has created an IT system, known as SEVIS (Student and Exchange Visitor Information System), to capture and disseminate information about the students to federal authorities."

[23 August 2002, top]
XDR Library CERT Advisory; Government Laptops Missing (again)
YAIO -- Yet Another Integer Overflow has been discovered. An integer overflow can lead to YABO (yet another buffer overflow).

During the week just ended, the CERT/CC issued an advisory against Sun Microsystems' XDR library (XDR stands for eXternal Data Representation). The XDR library is commonly used in RPCs (Remote Procedure Calls). An RPC allows you to call a function on system A from a program running on system B. CERT Advisory: Integer Overflow in XDR Library.

[Extra] Computer security requires the use of good passwords, good software, good SysAdmin practices and strong computing ethics. It also includes physical security. Justice Department Missing Laptop Computers.

[09 August 2002, top]
July Cleanup: OpenSSH Cracked; TIPS-TIPS; Unicode Not Secure; Cyber-Insurance
[Item] On Thursday, 01 August 2002, the CERT/CC issued an advisory against OpenSSH. The advisory warns that copies of the source code for the OpenSSH package were modified by an intruder and contain a Trojan horse. Here are details from OpenSSH.com.

[Item] In the name of homeland security, some people in our government want us to become a society of informants. A website has been established to report those who participate in Operation TIPS. Operation TIPS-TIPS: Report TIPS Informants.

[Item] Wow... I thought Unicode was just YACS (yet-another-character-set), but it turns out character sets are used to crack computer systems. According to a Crypto-Gram article "Unicode is just too complex to ever be secure." Security Risks of Unicode.

[Item] Declan McCullagh sent out the following to his Politech mailing-list.

"Companies in every sector of the U.S. economy may soon find it difficult to operate without cybersecurity insurance, an evolving form of coverage that the Bush administration hopes will be instrumental in steeling the nation's information technology infrastructure against attack."
White House Advises Cyber-security Insurance

[02 August 2002, top]
H.R.3482 -- Hackers Are Cyber-Terrorists
Reading about laws that can potentially violate our computing Freedoms is yucky stuff. In the name of greater cybersecurity, H.R.3482 is a Bill that could allow the death penalty to be applied as a result of cracking a computer. The following one-liner makes me leery of Bills like H.R.3482.
	(B) a revised legal framework for the prosecution of 
	    'hackers' and 'cyberterrorists'; and
The term hacker is used along with the term cyberterrorist.

[26 July 2002, top]
CMU to Research Computer Security; Dot-Kids-US Domains
Carnegie Mellon University has created research centers to study information security. The Center for Computer and Communications Security joins other projects at other Universities to work on computer security issues. [ More... from Chronicle.com]

[Extra] Here come the .kids.us domains.

"To facilitate the creation of a new, second-level Internet domain within the United States country code domain that will be a haven for material that promotes positive experiences for children and families using the Internet, provides a safe online environment for children, and helps to prevent children from being exposed to harmful material on the Internet, and for other purposes."
H.R.3833: Dot Kids Implementation and Efficiency Act of 2002

[12 July 2002, top]
June Cleanup: Apache Defects; iTerrorist; P2P Legislation
[Item] From the excellent Netcraft.com Survey comes the following blurb about the recent defects found with the Apache webserver software.

"Apache administrators have reacted quite quickly to the problem, and within a week of first publication, well over 6 million sites have been upgraded to Apache/1.3.26, issued by the Apache project in response to the problem. However, this still leaves around 14 Million potentially vulnerable Apache sites." [More...]

[Item] I hope it never comes true, but someday I could see myself being an esoldier. [Not as a General, but as a Private.] On 27 June 2002, WashingtonPost.com posted a story titled Cyber-Attacks by Al Qaeda Feared.

[Item] Politicians who feed their families thanks to generous donations from the entertainment business (there are reasons why average family units cannot afford to go to movies, concerts and sporting events) continue to attack our Computing Freedoms. Thanks to Declan McCullagh for providing Legislating the Internet (Hollywood versus High-Tech). Here is a quote from a Congressman.

"I am a strong believer in the beneficial potential of P2P networks, but most people currently use them for unbridled copyright piracy. Billions of P2P downloads every month constitute copyright infringements for which creators and owners receive no compensation. P2P piracy must be cleaned up. The question is how."
[05 July 2002, top]
CERT Issues an Advisory Against OpenSSH
CERT.org has issued Advisory CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling

SSH is Secure SHell and OpenSSH is an implementation of SSH. SSH allows you to log in to a remote system with the data transmitted over the Internet encrypted.

Two problems have been discovered with OpenSSH. The first vulnerability is an integer overflow in the handling of the number of responses received during "challenge response authentication."

An integer overflow is when a value is assigned to an int variable that is too large to fit into the memory allocated for that int variable; the stored value silently wraps around, and when the wrapped value is a count used to size a buffer, the result is a buffer overflow.
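The XDR advisory above (09 August) and this OpenSSH advisory are the same defect shape: a count arrives from the peer, the code multiplies it by an element size to size a buffer, and the multiplication wraps. As an added example (not the XDR library's or OpenSSH's code), here is a C program that shows the wrapped product for a hostile count, the check that rejects it, and a small array decoder built on that check. The message bytes, the 4-byte element size and the counts are constructed for illustration.

```c
/* Added example: integer overflow in count * element_size before allocation,
   and the guard that prevents it. Constructed messages; not production code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE 4u   /* each decoded element occupies 4 bytes on the wire */

/* The defect pattern: the product is computed in 32-bit unsigned arithmetic
   and wraps, so a huge count can yield a tiny buffer while the copy loop
   that follows still runs 'count' times. Returns the wrapped size. */
uint32_t unchecked_buffer_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* The fix: refuse any count whose product would not fit in 32 bits, and
   refuse counts that exceed the bytes actually present on the wire.
   Returns the byte size on success, -1 on rejection. */
int64_t checked_buffer_size(uint32_t count, size_t wire_bytes_left) {
    if (count > UINT32_MAX / ELEM_SIZE) return -1;              /* would wrap */
    if ((uint64_t)count * ELEM_SIZE > wire_bytes_left) return -1; /* cannot be real */
    return (int64_t)count * ELEM_SIZE;
}

/* Decode an array header (4-byte big-endian count) followed by the elements.
   Returns the number of elements copied into a heap buffer (caller frees),
   or -1 if the message is rejected. */
long decode_int_array(const uint8_t *msg, size_t len, int32_t **out) {
    if (len < 4) return -1;
    uint32_t count = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                     ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    int64_t size = checked_buffer_size(count, len - 4);
    if (size < 0) return -1;
    int32_t *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = msg + 4 + (size_t)i * ELEM_SIZE;   /* in bounds: checked above */
        buf[i] = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
    }
    *out = buf;
    return (long)count;
}

int main(void) {
    /* Constructed hostile count: 0x40000001 * 4 = 0x100000004, which wraps to 4. */
    uint32_t hostile = 0x40000001u;
    printf("unchecked size for %u elements: %u bytes\n",
           hostile, unchecked_buffer_size(hostile));
    printf("checked size: %lld\n", (long long)checked_buffer_size(hostile, 1u << 20));

    /* Constructed well-formed message: count=2, elements 7 and -1. */
    static const uint8_t msg[] = { 0,0,0,2, 0,0,0,7, 0xff,0xff,0xff,0xff };
    int32_t *vals;
    long n = decode_int_array(msg, sizeof msg, &vals);
    if (n > 0) {
        printf("decoded %ld elements: %d %d\n", n, vals[0], vals[1]);
        free(vals);
    }
    return 0;
}
```

The second test in checked_buffer_size is the one that is easy to forget: even a count whose product does not wrap is still bogus if it claims more elements than the peer actually sent, and rejecting it early keeps a short message from being read past its end.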

OpenSSH is used on a variety of systems, but it is developed by the OpenBSD Project. On Wednesday, 26 June 2002, I purchased a copy of OpenBSD (version 3.1) from OpenBSD.org.

[28 June 2002, top]
CERT Issues an Advisory Against Apache
When it comes to Open Source software, I think Apache is a star performer. More than 60% of today's webservers are running the Apache webserver software.

Open Source claims it is more secure than proprietary systems. Since Open Source is the challenger in today's computing market place, it cannot have CERT Advisories issued against it. Open Source must provide a secure computing environment. [I think it is our best chance.]

From the This Sucks department comes CERT advisory CA-2002-17 or Apache Web Server Chunk Handling Vulnerability.

[21 June 2002, top]
JPG Files Can Contain Viruses
New Virus Can Infest Picture Files -- Although this virus has not manifested itself, McAfee Security has reported that it is possible to corrupt .jpg image files. The JPG format is typically used to store pictures and it is widely used on the Internet.

[14 June 2002, top]
Two CERT Advisories in One Week
It is not a good week when the CERT (Computer Emergency Response Team) issues not one, but two advisories.

[Advisory #1]
Denial-of-Service Vulnerability in ISC BIND 9
BIND is the most popular implementation of DNS. BIND (Berkeley Internet Name Domain) is maintained by the ISC (Internet Software Consortium). This vulnerability does not allow an intruder to execute arbitrary code or write data to arbitrary locations in memory, but it can cause the BIND program to shut down (abort).

[Advisory #2]
Multiple Vulnerabilities in Yahoo! Messenger
This is a Microsoft Windows defect. In a nutshell, Yahoo! Messenger (a program used for communicating with others over the Internet), contains a buffer overflow and a URL validation vulnerability. These vulnerabilities can allow crackers to execute code they should not be executing.

[07 June 2002, top]
Anonymizer.com Security Holes; Buffer Overflow in JRun
Anonymizer.com is a web service that allows you to surf the WWW anonymously. The ability to be anonymous on the Internet becomes less and less and less with each passing day. There are numerous anonymizer services available, but if you use them, then you have to question their ability to provide the service in a secure way.

PeaceFire.org, which was created in August 1996 to represent the interests of people under 18 in the debate over freedom of speech on the Internet, put Anonymizer.com to the test and they came up with this list of Ten Anonymizer Security Holes.

[Extra] Macromedia's JRun is a product that supports delivering Java applications. Typically, I think Java stuff is secure, but this week the CERT issued this Macromedia JRun buffer overflow advisory.

[31 May 2002, top]
About the Klez H Computer Virus
Klez H is a computer virus that exploits known defects and security loopholes. The ACM has published an article that states:
The original version alone demonstrated effective social engineering and polymorphic techniques, as well as complex features that would be dangerous in conjunction with other forms of malware.
A few years ago I described the spreading of computer viruses using AIDS as an example: connect to a computer you think is safe, but you don't know what computers it has been connected to. The ACM article ends with the following alert:
"DON'T RUN THAT PROGRAM ON YOUR COMPUTER! YOU DON'T KNOW WHERE IT'S BEEN!"
ACM::Ubiquity::Crying Klez: Maybe the Sky IS Falling

[24 May 2002, top]
Gummi Bears and Fingerprints
The 15 May 2002 issue of Bruce Schneier's CRYPTO-GRAM contained the following posting.
Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. Companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.
The aforementioned supplies include gelatine (as found in Gummi Bears) and as a result we read that Gummi Bears defeat fingerprint sensors.

[17 May 2002, top]
Stay Safe Online -- It Needs To Be a Given
Our computing world is in a sad state when websites such as Stay Safe Online are necessary. The following was copied from the StaySafeOnline.info website:
	"Securing your personal computer plays a 
	crucial role in protecting our nation's 
	Internet infrastructure. It's the 
	responsibility of every American 
	to ensure that these cyber security 
	needs are met: That's why the National 
	Cyber Security Alliance was formed. 
	Comprised of business and government 
	organizations, this alliance works to 
	educate you on the importance of protecting 
	your personal computers from online intruders."
Stay Safe Online

I can't see how the Internet will grow to its potential (which is infinite) without our computers being free from crime.

Just like Richard Stallman (RMS), I want to press ENTER for my password. Not being able to press ENTER for my password is a violation of my computing freedoms.

[10 May 2002, top]
Too Bad the Security Watchdog is Necessary
The Security Watchdog for the Spring 2002 is done. The next posting will be to the Summer 2002 version of this resource.

I'm not sure what is happening, but the need for Security Watchdog resources is greater now than it ever has been.

The Internet -- our prized jewel -- is full of cracks.

If we are not careful, then we are at risk of losing many of our computing freedoms. Copy one of your music CDs onto your computer and you may be considered a criminal. Use the Internet in an anonymous way and you may be a criminal. Watch a movie about cars on your computer and all of a sudden you start getting spam from car companies. Fail to apply a computer patch and it is your fault if your computer is cracked. This list goes on and on and on.

When you read the postings that have been made to this resource over the last couple of years, it is a disgusting read. Using a computer is scary and dangerous. Sometimes I don't understand why I touch a keyboard. I end this rambling with a quote from Ken Thompson taken from a paper he wrote for receiving an ACM Turing Award:

   You can't trust code that you did not totally create yourself. 
   (Especially code from companies that employ people like me.) 
   No amount of source-level verification or scrutiny will protect 
   you from using untrusted code.

[03 May 2002, top]
IEEE and the DMCA; Supreme Court Rules on Virtual Child Porn
The IEEE (I-triple-E is the Institute of Electrical and Electronics Engineers) has bowed to public pressure and will no longer require authors who write for its journals to sign a form promising not to violate the Digital Millennium Copyright Act.

[Extra] This week the Supreme Court of the United States struck down a federal ban on virtual child pornography. I agree with the following quote from a 17 April 2002 New York Times editorial:

These are critical times for establishing the scope of our freedoms on the Internet. Courts right now are laying the groundwork principles that could last for generations for how legal doctrines like freedom of expression and copyright will be applied in cyberspace. Guided by yesterday's powerful First Amendment ruling, the three-judge court in Philadelphia should waste no time in striking down the oppressive and unconstitutional restrictions of the Children's Internet Protection Act.
New York Times::Free Speech in Cyberspace

[19 April 2002, top]
Oracle Wants To Control The National ID System
According to Larry Ellison -- the founder and CEO of Oracle -- a national ID card would help protect us against terrorism.
Such a national database, though a large undertaking, is possible. My company, for example, has already offered to provide the necessary software for free, and I'm sure other companies would pitch in with hardware and support. It's important these donations be made with no strings attached: The database would be maintained and run by the government alone, with no question of corporations benefiting.

Sounds good, but now all data about everybody is stored in an Oracle proprietary format. Software is nothing [that is why so much good software is free and open]; it is the information that has value. Oracle's offer to provide software for free is nothing.

And here is another quote...

We don't need to trade our liberties for our lives. By law, Fourth Amendment protections against unreasonable search and seizure would govern access to the national security database. The "probable cause" standard will still have to be met.

Sounds good. Maybe our government will respect our Fourth Amendment protections, but what about everybody else? If these databases are stored on Windows computers, then all bets are off. Crackers will crack the computers and steal the databases.

Bottom-line: Oracle, which is a huge company, sees a major $$$ making opportunity.

NationalReview.com [conservative website]

[12 April 2002, top]
The ACM Says 'No' To the CBDTPA
The Association for Computing Machinery has publicly posted this ACM to Dear Chairman Hollings letter. In a nutshell, the ACM indicates its awareness of copyright protections, but they are "utterly convinced" that the CBDTPA is defective legislation that will not work. And in the process of not working, it will take away the computing freedoms for many of us.

Sadly, but probably true, the ACM states that the CBDTPA could "undoubtedly threaten" national security. Interestingly, some of our politicians are writing and saying the CBDTPA will enhance national security.

Hollings and his Disney-like friends say the CBDTPA is necessary for national security, whereas the ACM says the opposite. The CBDTPA wants to put legal harnesses on the way you and I use our computers. Here is a question: Who knows more about Computing? Hollings and his gang, or the ACM? I vote for the Computer Professionals who are paying members of the ACM. If the ACM says CBDTPA sucks, then it must suck.

Note: one of the two people who signed the ACM letter was Gene Spafford. Spafford is an ACM Co-Chair and ThurmDreamTeam member (he was added to the team during the Spring 2002 semester).

[05 April 2002, top]
CBDTPA Could Reduce Our Computing Freedoms
Consumer Broadband and Digital Television Promotion Act (CBDTPA) -- Why are the words consumer and promotion in the CBDTPA title? I suspect it is political wording to make John and Jane Q. Public think this Bill will protect them as consumers, and promote a usable and secure computing environment. This Bill, if passed as-is, has the potential to place measurable restrictions on our computing freedoms. More and more of us will be classified as felons simply by typing on our keyboards.

Hollings' quote:

"...legislation that will promote broadband and the digital television transition by securing content on the Internet and over the Nation's air-waves." For several years the private sector has attempted to secure a safe haven for copyrighted digital products, unfortunately with little to show for its efforts. The result has been an absence of robust, ubiquitous protections of digital media which has led to a lack of content on the Internet and over the air-waves. And who has suffered the most? Consumers, as they are denied access to high quality digital content in the home.

Text of the Bill via Politech via Cryptome.

I wrote and sent this email message to Arizona senator John_McCain@McCain.senate.gov and North Carolina representative howard.coble@mail.house.gov. Here is an email message that EFF.org recommends sending if you are not happy with the CBDTPA. [Note: I am a paying member of the EFF (Electronic Frontier Foundation).]

[29 March 2002, top]
New Microsoft Tools Already Getting Cracked (Sharpei worm)
.Net and C# are new tools; therefore, I can't understand why they have the same defects as the tools of the past.
Antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework. [More... from ZDNet.com]
Note: C# is YACLL (Yet Another C-Like Language). If you know C or C++ or Java, then you already know some C#. [Microsoft pronounces the language C-sharp, but I call it C-octothorp.]

Note: Sharpei is a breed of dog. The Security Watchdog is dogged by two dogs named Iris and Harley. Iris is a sharpei.

[15 March 2002, top]
Patriot Act (and other Acts) Enables Big Brother
Once again news items are being published about how terrorist groups are using the Internet to help manage their operations. And, once again, our government is messing around with laws that could have negative effects on our computing freedoms. One example is the Patriot Act.
The Patriot Act is not anti-terrorism legislation; it's anti-speech legislation. As EFF explains it, the government can investigate even simple Web searching 'by merely telling a judge anywhere in the U.S. that the spying could lead to information that is 'relevant' to an ongoing criminal investigation.'

There are numerous politicians in this country who want to use computers (and the Internet) to help them become Big Brother.

[08 March 2002, top]
ThurmOxymoron::SSSCA Freedom
The Security Systems Standards and Certification Act (SSSCA) is sometimes referred to as the DMCA++ (or the DMCA on steroids). [Some people think the SSSCA is a potential Linux killer.] [ThurmThanks to KevinO for the SSSCA update.]

This proposed legislation was created prior to 911, but I suspect 911 has caused the SSSCA to become more attractive to our elected officials.

Here is a working draft of the SSSCA dated 06 August 2001.

The SSSCA in a nutshell:

The U.S. Government wants to make it unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies that adhere to the security systems standards adopted under section 104. [Section 104 in a nutshell: nothing but buzzwords (i.e. the Bill leaves the details up to the politicians and lawyers to decide).]

ThurmThanks to Declan McCullagh for maintaining his excellent SSSCA archive.

[Extra] Every time a CERT Advisory hits my in-box, it causes me to say this sucks.

   CERT Overview:
   Multiple vulnerabilities exist in the PHP scripting language. 
   These vulnerabilities could allow a remote attacker to execute 
   arbitrary code with the privileges of the PHP process.

Here are details provided by Security.e-matters.de.

[01 March 2002, top]
MediaPlayer to User: Do you want more dirty movies?
This Associated Press news item was published in the Thursday, 21 February 2002, edition of the Arizona Republic.
"Microsoft's new version of its popular Media Player software is logging the songs and movies that customers play."

Microsoft claims it has no plans to sell the information. In effect, Microsoft is telling me to trust them. Microsoft's business practices have never been trustworthy, so I have no reason to trust them now.

Microsoft promotes the fact that the Media Player software is provided for free. Big deal. For Microsoft this program is simply a tool for them to gather valuable data for free.

If Microsoft is given the benefit of the doubt and I trust them not to share the data they are collecting, then I am still in trouble because Microsoft is not able to provide a secure computing environment (i.e. their software can be cracked and the data can be stolen). From a cracker's perspective this is cool because they don't have to buy my data from Microsoft; they can simply steal it from my computer for free.

I can't believe this is true: Microsoft stops new work to fix bugs.

[22 February 2002, top]
Heathrow Airport Into Iris Scanning
Heathrow Airport is testing a new identity system which examines a passenger's eye, rather than their passport, as they go through immigration control.

The system Heathrow is using is called EyeTicket. EyeTicket is not new; airports have been interested in iris scanning for some time, according to this CNN article from 24 July 2000.

[Extra] NPS.gov is up and running again.

[Extra Extra] Crackers have virtually an unlimited number of ways to crack a computer.

  • Multiple defects have been found with SNMP (Simple Network Management Protocol). SNMP is a widely deployed protocol that is commonly used to monitor and manage network devices. [CERT Advisory]
  • A Microsoft program designed to plug a common security hole is vulnerable to the very attack it was designed to prevent, the Wall Street Journal alleged in a report on Thursday, 14 February 2002.

[15 February 2002, top]
Cloudnine Cracked; Brain Fingerprinting; NPS.gov Still Down
ISP Cracked Out-of-Business
Phil Agre comments that this could happen to anyone -- and I agree. Cloudnine was Britain's oldest ISP, but it shut down because it was hit by a distributed denial-of-service (DDoS) attack.

What If a Brain Scan Reveals Nothing?
This is what I'm afraid of when "brain fingerprinting" becomes a popular biometric for determining a person's identity. What if no brain is found, then what do they do with you?

NPS.gov Remains Down
We are just out of luck if we want to find out some information from the National Park Service website.

[08 February 2002, top]
More About Scanning Faces At Airports
St. Petersburg-Clearwater International Airport Deploys Face Recognition -- The computer companies in the Biometric industry have seen their stocks do well after 911. The company supplying the system at the St. Petersburg airport has seen its stock go from $1.10 to $16.80. As of Thu Jan 24 11:29:12 MST 2002 the stock is at $7.62.

From BBC News we learn that Iceland Likes Scanning Faces.

[Extra] Where is Floyd College?
"A COMPUTER GLITCH at Floyd College briefly made the Social Security numbers of 125 continuing-education students available on the Internet last week."

[YABO] They call it an overrun but it is really YABO (Yet-Another-Buffer-Overflow). This YABO was found in the RealPlayer 8 application. From Real.com comes this Buffer Overrun Exploit.

[01 February 2002, top]
AOL Time Warner ICQ Program has a Buffer Overflow
On Thu Jan 24 17:22:43 MST 2002 I received a CERT Advisory concerning YABO (Yet-Another-Buffer-Overflow).
There is a remotely exploitable buffer overflow in ICQ. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code with the privileges of the victim user.

ICQ is a program for communicating with other users over the Internet. ICQ is widely used (by over 122 million people according to ICQ Inc, an AOL Time Warner owned subsidiary). A buffer overflow exists in the ICQ client for Windows.

Details: Web.ICQ.com | CERT Advisory

[25 January 2002, top]
Buffer Overflows Discussed in the RISKS Digest
RISKS Digest, which is a forum on risks to the public in computers and related systems moderated by Peter Neumann, contains a couple of postings [including one by Neumann] concerning buffer overflows.

[Extra] Expect the Unexpected -- ACM interview with Peter Neumann.

[18 January 2002, top]
About the Security Watchdog
The Security WatchDog monitors and records computer security issues and news items. This includes information pertaining to computer ethics and computer privacy.

The Watchdog includes postings about viruses, worms, trojan horses, cracks, and stuff like that. The Watchdog also keeps an eye on issues such as biometrics, information warfare, privacy, and legal stuff (e.g. DMCA, SSSCA, etc.).

This resource was started in March 2000 and as of 04 January 2002 it contained 86 postings.

[11 January 2002, top]
AOL Instant Messenger Cracked
IMCracked -- I've had to announce this before, but in this case it is AOL Instant Messenger that was cracked and not I. The crack was accomplished using YABO (Yet Another Buffer Overflow).

Just a few days earlier AOL announced they had over 33 million members. Shortly after IMCracked, AOL announced that during Year 2001 its customers spent $33 billion.

AOL is actually AOL Time Warner. AOL is huge. The AOL corporate website has press releases about having 33 million customers who spent $33 billion, but there is no mention of IMCracked. [The Jargon Dictionary has an interesting definition of AOL.]

[04 January 2002, top]


Author: G.D.Thurman [deru@deru.com]
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST

Thanks for Visiting