All in all, I think it's a piss-poor process where testing and results (not just at NIST) can be swayed or delayed just because an external objection was submitted. If I was NIST (or the Wi-Fi Alliance), I'd be writing rules about spurious objections into the charter.
Sunday, February 25, 2007
OpenSSL and FIPS
CompUSA closing?
Radio Shack went through a similar down-sizing last year. I lucked out in that the local store that was closing was kept open the longest so that the other stores' un-sellables could be sold at our location (at 70%+ off). The one clerk's joke was that if we're still open, the discount has increased. I was able to pick up a handful of X-10 interfaces, some handtools, a Vonage box, rechargeable batteries, a really nice soldering iron, a video sender, and a Skype phone, all for less than $60.
Saturday, February 24, 2007
Wiki comments
It'll take a bit, but I'll add the comments function to each of the pages in the wiki (a set of tags needs to be added to the bottom of each page or section).
Update: I've posted my version of adding Haloscan comments to the wiki.
fetchmail timeouts
Remembering that fetchmail doesn't timeout unless you tell it, I set about trying to add the timeout to .fetchmailrc. Would you believe that after about 20 minutes and a healthy number of Google searches, I still hadn't discovered the proper syntax for adding the timeout? (I'd guess that it doesn't get used much.) Finally, I stumbled across the following syntax:
poll [popserver]
timeout 120
protocol pop3
username [popuser] there is [localuser] here
password [pass]
fetchall
Thank you to "init0" in the #mutt channel on Freenode IRC!! (The pastebin says the paste was about a week old.)
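As an added illustration (not from the post), a small parser for a stanza laid out like the one above, plus a check for the things worth verifying in that file: an explicit timeout, and restrictive permissions, since the password is stored in clear. The host, user names and password in the sample are constructed placeholders.

```python
import shlex
# Constructed sample stanza laid out like the post's; host, names and password are placeholders.
SAMPLE_RC = """
poll pop.example.net
  timeout 120
  protocol pop3
  username "jdoe" there is "john" here
  password "s3cret"   # placeholder, not a real credential
  fetchall
"""
NOISE = {"and", "with", "has", "wants", "options", "is", "there", "here"}  # padding words fetchmail ignores
FLAGS = {"fetchall", "keep", "nokeep", "ssl", "nossl"}
KEYWORDS = {"poll", "server", "skip", "timeout", "protocol", "proto", "port", "password", "pass", "user", "username"} | FLAGS

def parse_fetchmailrc(text):
    """Parse one poll stanza into a dict (the post's keywords plus a few flags; unknown tokens are skipped)."""
    toks = shlex.split(text, comments=True)  # honours quotes and '#' comments
    entry, i = {}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("poll", "server", "skip"):
            entry["server"] = toks[i + 1]; i += 2
        elif t in ("timeout", "protocol", "proto", "port", "password", "pass"):
            key, val = {"proto": "protocol", "pass": "password"}.get(t, t), toks[i + 1]
            entry[key] = int(val) if key in ("timeout", "port") else val; i += 2
        elif t in ("user", "username"):
            # 'user REMOTE there is LOCAL here'; 'user LOCAL here is REMOTE there' reverses it
            j, chunk = i + 1, []
            while j < len(toks) and toks[j] not in KEYWORDS:
                chunk.append(toks[j]); j += 1
            names = [c for c in chunk if c not in NOISE]
            remote, local = names[0], names[-1]
            if len(chunk) > 1 and chunk[1] == "here":
                remote, local = local, remote
            entry["remote_user"], entry["local_user"] = remote, local
            i = j
        elif t in FLAGS:
            entry.setdefault("flags", []).append(t); i += 1
        else: i += 1  # unknown token
    return entry

def audit_fetchmailrc(text, mode):
    """Findings for one stanza; `mode` is the rc file's permission bits (fetchmail rejects group/world-readable files)."""
    e, out = parse_fetchmailrc(text), []
    if "timeout" not in e:
        out.append("no explicit timeout; fetchmail's own default applies")
    if "password" in e and mode & 0o066:
        out.append("cleartext password in a group/world-readable file")
    if e.get("protocol") == "pop3" and "ssl" not in e.get("flags", []):
        out.append("pop3 without ssl: credentials cross the wire in clear")
    return out
```

Pass the real file's `os.stat(path).st_mode` as `mode` to audit an actual .fetchmailrc.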
Comment system back on
It's also interesting that they now support comments for MediaWiki. I'll have to experiment with that.
Friday, February 23, 2007
Think safety
Tuesday, February 20, 2007
Speed
Monday, February 19, 2007
Free BlackHat Tickets
Shmoo Topics
It appears that the Potter triplets (Ray, Al, and Bruce) are not appearing together this year so Jeff W. will have to throw straight-lines from the back at more than one talk. (You're our hero, Jeff!) Then again, the topic is similar so maybe Renderman and Russ Housley will be stepping in for Ray and Bruce. If they're doing the other topic that is mentioned repeatedly in the bios, Jeff and I will probably be there to lob straight-line questions and Shmoo balls.
Richard Bejtlich and Simple Nomad are also return speakers. All in all, it looks to be an interesting conference shaping up (ignoring the lynch mob facing whomever gets to do the "Own the Con" talk).
Update: it looks like they took the advice from last year's "Own the Con" and are starting the Sunday talks an hour later.
Shmoo Bar-foo
Update: Deja vu! Anyone else get a bad bar code (corrupted file?)?
Sunday, February 18, 2007
SageTV upgrade
Oh! It's also nice to see that the hardware community is starting to work on getting the WinTV PVR USB2 running under Linux.
Update: The upgrade went off without a hitch. The shows I had recorded under the previous version showed up in the imported videos folder (not sure how that happened). The YouTube feature stutters a bit more than the Google Video feature did but that may be caused by the current Internet issues. I discovered a feature that wasn't in the previous version: network encoding. SageTV is now a true network application in that the server can run on different systems than the tuners and/or the clients. It is also capable of working with the Roku PhotoBridge. Cool!
Friday, February 16, 2007
Wiki page counts
In short, sex is #1 with television a rapidly closing second. (heh)
File Carving Challenge 2007
Thursday, February 15, 2007
Another wave
It'll affect a lot of other markets too. Grass-roots media (you guys in the garage) will be able to homebrew clusters for animation that are more powerful than what exists in big iron or animation cluster farms now. Coupled with high-def and other technologies, wired life is going to get weird. Fast.
Tuesday, February 13, 2007
Last word
DRM protects you from nothing, other than your ethically challenged self. If you're an honest person, you'll never see it (unless it's implemented poorly). If you're a professional criminal, it'll add steps to your process but won't stop you.
Q: So, who is it aimed at? A: You, the guy who attempts to save 99 cents by listening to music that someone else puts online. 400 million 99-cent thefts get attention. I find it odd that the same industry is willing to spend almost as much to run "copying music is stealing" advertisements.
Q: So who does it affect? A: Everyone. (I did mention poor implementations, right?) Someone has decided that it's an all or nothing thing, demanding that the OS with 95% market share implement it. This means that 3rd party manufacturers will have to add DRM to their products or not have a market. This will drive up the price for everything computer related. Costs go up, production goes down, markets get squeezed and prices for lower level components go up, driving costs for all electronics up. It took a very long time for the market to get to the point where you can buy $300 systems. (It got there because of very little innovation other than chip speed for an extended period of time.) Computer systems are more or less static in design, having become ubiquitous enough that most consider them an appliance rather than a tool. This action of mandatory DRM will destabilize that market. You'll see prices shoot up faster than gasoline.
Q: How do I feel about it? A: I actually hope that it works. After a short period of time, the entity driving the bus won't be the one that demanded that MS implement DRM in the first place. Yeah, MS will be a LOT richer, but at some point, they'll have control of the market. Remember, not only is MS putting DRM in computers, they're also involved in content, either selling it to you directly or behind the scenes (Walmart's music uses MS's copy protection).
Also, innovation seems to occur when markets are squeezed. Inventors are usually frustrated people, looking for new or better ways to do something. Five years ago, who'd have thought that podcasting would go where it has?
The scary part of all this is that DRM is built into hardware. Like it or not, the evil types will eventually learn the ins and outs of the system. Like I've always opined: adding technology to any system, while often improving performance, adds complexity to that system (more ways for it to break down) and makes the system more rigid (less tolerant to failure). Increased complexity plus increased rigidity equals greater catastrophic failures.
MS can barely keep up with patching vulnerabilities now. You think Blaster was bad? Wait until a worm gets into the DRM system. (Remember, it now has control over your monitor, speakers and hard drive.)
How about a patch that involves a firmware or hardware replacement? The market will likely tolerate one but two, a few months apart, will cause riots in Congress. The point to keep in mind is that (to date) no bugless program has ever been commercially marketed (i.e., all programs have bugs). Put that on top of a system built by the lowest bidder. End result: DRM will be (or already has been) broken. Only a few will know about it at first. Once enough machines containing the new feature are out there, it will become a target. Then someone will demonstrate how obscenely easy it is to compromise or abuse. Then you get the worms. Want to see a "flash" political movement? It'll come into existence a few days after the MP3/MP4-eating DRM mega-worm does.
I may not like it but I look forward to it. This is the pendulum that has spent a long time on our end ($300 systems). Market forces (DRM and a return to higher priced systems) will cause it to swing away but it'll come back.
With apologies for the rambling...
Sunday, February 11, 2007
When were-sme's collide
Example: this post from 360 Security. Mr. Malm seems to be self-justified in "taking a swipe" at Mr. Thompson because Mr. Thompson "took a swipe" at Microsoft. I call it "security church" because it appears that Mr. Malm's "faith" has been offended, triggering a self-righteous attack on Mr. Thompson (calling him by his first name, implying lack of expertise, belittling his company, etc.) without supporting any of his arguments.
"Security church" is just as dangerous as "security theater" in that it is a collection of unjustified human reactions (bowdlerization (not a real word but an eponym), pillory, apocryphy (my attempt to turn a noun into a verb), censorship and outright anathema) used against anyone who has the courage to be contrary. (I'm sure that Adi Shamir didn't win any points at the conference with his prediction of security in the future.) It is both the institutional inertia that is resistant to change and the fickle flightiness of chasing "the new paradigm".
Behind it all is the tendency to take the shortest path (i.e., it is easier to scorn someone than argue a point). That these acts are usually easy to recognize and almost impossible to combat is the really sad part.
(Side-sarcasm: did they really say "security should be built-in, not added on?" Please! I don't want that 1996 flashback.) (See? It's easy.)
Comments coming back
Friday, February 9, 2007
DRM
Example: Electronic Arts games do not run on home systems where a Digium TDM400P card is installed. Even though the card provides an interface to the telephone system for a *BSD or *nix system, on the Windows side it is an unknown and, therefore, must be some sort of hacker tool for defeating copy protection. The end result: your EA Games game is disabled by its DRM and you, as the end-user, have no recourse other than to remove the phone card or stop playing the game.
Can we hope that Windows DRM will be any different? It isn't Microsoft's intellectual property that the Vista DRM is protecting. (At least I hope not. That'd involve a large set of really nasty anti-competition court cases that I hope no one wants to get involved in.) Those IP owners that the DRM is actually protecting care little about whether or not your systems work properly.
OS and hardware vendors are in for a very bumpy ride because legions of frustrated innocent bystanders (such as in the above example) will be left with no recourse other than to "conform" with the masses and stop using their systems to do anything other than play games and buy content.
(Yeah, I excluded Office apps. I did this because we already know that documents have unique IDs embedded in them. How long until Vista's DRM is used to disable licenses of controversial content authors? With Vista's DRM, the only thing keeping this from happening is: morals/ethics/ignorance of the ability.)
Tuesday, February 6, 2007
DnD
[*sigh*] For Tim Keanini's sake, let's turn the clock back a few years and look at some of the other paradigms that passed by on the carousel (and are likely to come around again on the fashion wheel):
- Use defense in depth. Use a variety of known tools to provide a layered protection where the weakness in one tool is protected by a strength in another tool (e.g., a virus scanner in conjunction with a firewall).
- Use diversity. Using a Sun or BSDi-based firewall to protect your Windows-based network will prevent your boundary systems from being infected by the user who manages to bring one in on his laptop.
- Trust but verify. Scan/examine everything before it gets plugged into your network.
- It's not "if" but "when". Attackers' techniques are not static. Network security will always lag behind the ability to compromise.
- Responsible disclosure. I have no comment other than we've come full circle on the argument set and seem to be going around for another orbit.
- Intrusion detection is dead, long live intrusion prevention. We've all learned that each has its best use in specific situations.
- Deep packet inspection is just as good as application proxying. Yeah, right. Again, it depends on what you're trying to do and what you're trying to protect against.
To the rest of you old farts out there: what've I missed?
Please pass this on
Sunday, February 4, 2007
Working conditions
SAs are considered an operating expense, falling into the category of "minimize whenever possible" so that profit margins are maintained. A typical SA operates under a constant backlog of work, suffers from periodic "priority re-org" from multiple management contacts, and has a budget that couldn't support an off-brand keyboard purchase from the clearance bin at Walmart. (Hint: the time and paperwork used to justify the $10 purchase often amounts to more than $10.)
Don, go back and look at those companies again. That the SA did not have the time or initiative to view vendor sites may be a symptom rather than a cause.