I'll be on a boat somewhere off the coast of Alaska for the next few days, inoculating myself against the Norwalk Virus (or contracting it, one or the other).
As some of you know, I'm getting married tomorrow (well, my fiancée is getting married too, technically), and we are leaving immediately on our honeymoon. Unless things go badly, in which case my best man is holding for me a 1-way ticket to France.
So I will be away from my keyboard for about a week (which is what /afk means if you haven't joined the rest of us in the new millennium yet).
I wouldn't expect any progress on cyberterrorism while I'm gone, since I won't be around to point the feds in the right direction. They are too busy chasing down barely-significant worm writer wannabes to focus on the real fight anyway. Call me when you catch the author of Blaster.A, not the 1000 unoriginal script kiddies who changed a line of code and re-released it as their own creation.
There are half a dozen stories I feel like ranting about right now, but I'm going to have the world's shortest marriage if I don't stop now and go find my passport. See you all in a week.
:: Posted at 21:04 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
As I reported previously, the Java Anonymous Proxy (JAP) had been secretly backdoored by a German court order requested by the German equivalent of the FBI. A new court order has suspended the original request, and according to JAP the backdoor has been disabled after recording a single log entry.
That's nice, but the genie is already out of the bottle. Now that we know it's possible for government agencies to request secret backdoors of this sort, nobody will trust anonymizers ever again.
:: Posted at 11:41 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
According to this article on SecurityFocus, the US government is paying the anonymity site Anonymizer to maintain a special site for Iranians to subvert their government's censorship of the Internet.
Yes, that's right folks. The US government is denouncing censorship globally, while trying to force it onto its own citizens at every possible opportunity. Bizarre is the only word I can come up with to adequately describe this debacle.
:: Posted at 12:25 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
While automatic patching has been a feature of the Microsoft platforms since Win2k, nobody in an enterprise environment ever uses it. Why is that? I'll tell you:
Half-Baked Patches: More than once, patches are pushed out so quickly they are not properly tested. This makes IT guys very nervous. Take for instance MS03-010, which broke a lot of ASP web sites once it was applied. How about MS03-007? And I have to take my shoes off to count the number of patches that have broken various Terminal Server implementations.
Unnecessary patches: Any decent admin does not surf from the console of his Exchange server. IE patches are rarely critical for servers in such an environment. Leave it up to the admin on if they need to be installed. Same with WMP or any other tag-along technology that has no business on a server.
Downtime: I remember one of the biggest selling points of Windows 2000 when it first hit the street was the massive reduction of events requiring a reboot. But since then, patches have almost always required reboots. Which translates to downtime (Exchange servers can take 30 minutes or more to return to operational capacity after a reboot). As an IT guy, downtime is EVERYTHING. Not only does downtime cost the company money, but downtime means I'm working well into the night to do patches because I prefer to minimize the impact on my users. Some patches don't require reboots, if you apply them cleverly (read: manually), but if you rely on the built-in update processes you are going to reboot more often than not. No IT guy in their right mind wants to be home sleeping when core servers are being patched and rebooted.
These are the primary reasons IT folks do not rely on any of the existing auto-update features already available to them. Home users don't have these excuses, so I'd recommend they enable the auto-update features in the OS they are using and let it go to town. You will be fine 99% of the time, and it may save the rest of us some real heartburn when your system declines the offer to join some random cyberterrorist's botnet. And you have my permission to call me at home on a Sunday when that 1% patch shows up and your games stop working.
:: Posted at 11:43 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
I'm frustrated by the current state of network security. I need to ramble a little bit. Bear with me.
Operating systems, and the applications people run on them, are not perfect. This is a fact we all accept (except you Linux types, you guys are just in denial). If you want a 100% secure box, unplug it from the network, lock it in an airtight steel chamber, and dump it into the Marianas Trench. But that's not very useful is it?
We have all known how incredibly lax users are when it comes to keeping up with patches. Do I need to post examples, or can I just consider that a given? Even after the extraordinary efforts to get the word out about the dangers of the vulnerabilities in RPC/DCOM, Blaster still had a discouragingly high rate of infection. Even after not one, but two warnings from the Department of Homeland Security, and an unprecedented spam campaign by Microsoft itself (which they promptly got flamed for), and dozens of warnings plastered on every possible security web site, Blaster had an astounding infection rate. What more could Microsoft have done? This is the question I keep asking myself as the days roll on, and the stories about picking up the virtual pieces continue to come out.
This is not new. Fixes for the SQL/MSDE vulnerabilities were available a full 6 months prior to them being exploited to a frightening degree by Slammer. There is a fundamental flaw in the attitudes of the home user, ladies and gentlemen. The home user does not take ownership of the security of their home networks. The home user does not realize that putting an unprotected PC on the Internet is akin to having unprotected sex with the only hooker in town... morning, noon and night.
No longer can we rely upon the home user to take care of his/her business. Too much is at stake. The damage these huge botnets can inflict is enormous, and the majority of the zombies are home users having unprotected sex with the foulest hooker possible: The Internet.
I hear you say "It's up to Microsoft to write better software!" And you are right, Microsoft (and everyone else) needs to do a much better job coding securely. But that does not help the millions of systems already deployed, does it? Windows 2000 is going to be around a very long time, and so will Windows 2003. These systems, while magnitudes better than those before them, are not perfect either. They will require patching, and diligent attention to security problems that may crop up. The question is: What do we do in the meantime?
Microsoft recently floated the idea of taking patch management out of the hands of the users, who time after time prove to be incapable of fulfilling this critical responsibility on their own. Even some staunch privacy advocates have finally given up, and realized that end users cannot be relied upon when it comes to securing the systems that ultimately become the loaded guns aimed at critical networks. But Microsoft has to do it right. No distributing Windows Media Player 22 "just because". None of this crap about collecting private information either, save your demographics/piracy code for something else. And the first broken patch they send out will doom the entire project. You can bet end users will scramble to learn how to disable the updates the second their Everquest stops working (and from then on, the first thing a Sony CSR will tell all users to do when they are having trouble is "disable that pesky auto-update feature").
But honestly, even if Microsoft did all these things, and correctly, we'd still be doomed. Not only do we now have Linux representing 60% of the defaced web servers these days, but we also are waging war against application developers who care less about the security of the system they are running on, and more about their application working. Let me just stick with the Everquest example, since I already brought them up. They have a FAQ on their site that describes how to reduce the protection of your firewall software so your game will work. This behavior I see all the time. If I ever have a network problem on my home network, I best disconnect my firewalls prior to calling Comcast, or they will blame those the second they learn of them. You can't convince some $8.00/hr phone jockey that your NAT is not the fricking problem!
Anyway, this whole issue frustrates me, and I don't see a way out. Even if MS moves to enable auto-patching by default, there are so many scenarios that will result in it being turned off that in 3 months we'll be right back where we started, with full-blown cyber-clap and blaming Microsoft for making us take the virtual condom off.
It's only Monday, and already I find myself typing "We're so f*cking doomed".
:: Posted at 20:12 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
If you've been paying attention, you know that I have a crazy theory that the recent blackout in the Northeast was a direct result of cyber-terrorists. And until someone proves me wrong, I'm sticking to my guns.
However, according to this article in the WorldTechTribune Microsoft is working with the FBI to determine if either of the recent viral outbreaks (SoBig.F and Blaster) were also coordinated terrorist acts.
Umm, no. Blaster was poorly written to begin with, and delivered no malware to speak of. And is a DDOS against Microsoft's Windows Update site really going to impact the world economy? Come on. I could think of a thousand more destructive things I could have done with that code, and I'm not even a crafty terrorist.
Let's hope the source quoted in the article is just plain wrong, and the Borg and the Federales are investigating something a little more worthwhile (like who took that power grid down, and how).
:: Posted at 18:53 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
This was released in late July. Worth a gander.
Get It!
:: Posted at 09:56 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
(Repost due to previously mentioned operator error):
Yeah, I know I said I'd give it a rest for a few days, but READ THIS! Apparently the nuclear power plant had a T1 line to the Internet that was bypassing the firewalls (because firewalls get in the way, you know). The result: The systems monitoring the most critical aspects of the plant (core temperature, etc) were disabled for nearly 5 hours.
On a side note, this plant is operated by the fine folks at FirstEnergy, who are now the focus of the investigation into the recent blackout in the Northeast.
If anyone needs me, I'll be curled up in a fetal position under my desk. Thanks.
:: Posted at 07:41 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Added:
  Diane Allerdice
  Steve Leytus
Welcome!
:: Posted at 22:16 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
One night accommodations at Semiahmoo Resort: $219
Dinner for 2 at Stars Restaurant: $110
Drinks on the deck, watching the boats go by: $50
Spending some quality time with my wife-to-be before the families descend upon Seattle for next weekend's nuptials: PRICELESS
Jessica and I took a selfish, but much needed break from things on the home-front and spent most of the weekend up in Blaine at Semiahmoo Resort doing next to nothing. Starting Tuesday friends and distant relations will start pouring into town in preparation for the wedding on Saturday. We have 3 dinners to host on Wednesday, Thursday and Friday, plus some last minute wedding details to iron out. *twitch*
:: Posted at 22:00 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
So I realized the mistake I made on Friday that caused the loss of 2 days' worth of blog entries. On Wednesday, I started updating one of my existing entries for the day, and then just never got around to finishing it up... and left the w.Bloggar window open. On Friday, I used that same machine to submit an entry, but thought that what was on the screen from before was a *new* entry, and told myself "oh I finished that entry on my laptop". So I promptly deleted the contents and proceeded with my Friday entry about JAP.
Unbeknownst to me, w.Bloggar thought (correctly) that I was still modifying Wednesday's entry. So when I posted what I thought was a new entry, it was really a complete re-write of one I did on Wednesday. And since w.Bloggar did not recognize that new entries had been added since I started that modification on Wednesday, it whacked everything I had written since.
I'll try not to do that again... In the meantime, if anyone pulled down the RSS feeds for the missing entries from Wednesday, Thursday and Friday, please email them to me so I can repost them? Thanks.
:: Posted at 21:39 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Something strange is going on with my blog. It just ate my posts since Wednesday, and thinks the entry I wrote today was written 2 days ago. Sweet, my own personal time machine! Now I just need to figure out how to set it to Sept 10, 2001...
Oh, watch this! I predict my blog will go bonkers on Friday the 22nd, and I will have to rewrite 2 days' worth of entries. Watch out Miss Cleo!
:: Posted at 11:20 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
This is HUGE.
The Register is currently running a story about popular anonymity site Java Anonymous Proxy (JAP) being secretly back-doored by a German court order (JAP is located within Germany). Apparently, a few weeks ago, JAP suddenly went dark. The site said they were upgrading server hardware, and would be back in a few days. They also said that once service was restored, a new version of the JAP client would be required in order to continue using the service.
What they failed to tell the consumers, is that the new client was trojaned (by JAP), and contained a secret function to monitor accesses to a certain web site. Those logs, apparently, were then sent to the German authorities. Once the users had the trojaned client, they were free once again to use the service. No mention was made about the purpose of the new client, or the fact that the anonymity service no longer provided anonymity.
But one suspicious user who couldn't understand why a new client had to be pushed out after a mere hardware upgrade, took a walk through the source code and found all kinds of interesting things like "Loading Crime Detection Data...." and "Crime Detected" buried in the new client code. When the user went public with his discovery, all hell broke loose.
To the average user, this may seem like a yawner of a story. But consider this: How many other services have such trojans in them, and have just not yet been discovered? Is there no hope of anonymity on the Internet if any government entity can order such services to be trojaned for their benefit without any word to the consumers who rely on those services?
This is a huge blow to anonymity efforts on the Internet. What good is a service that provides anonymity 99.99999% of the time?
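The suspicious user in the story found the backdoor by reading the new client and noticing strings that had no business in an anonymity tool. The same check can be done mechanically whenever a vendor pushes an unexplained client update: pull the printable strings out of the old and new builds, diff them, and eyeball anything new that smells like logging or reporting. The following is an added example written for this post; it is not JAP's code. The two "builds" are constructed byte strings, and only the two quoted strings ("Loading Crime Detection Data...." and "Crime Detected") come from the story; the URL and the keyword list are assumptions.

```python
import re
from typing import Set, List

# Constructed stand-ins for an old and an updated client binary. Non-printable bytes
# separate the embedded strings, as they would in a real executable.
OLD_BUILD = (
    b"\x7fELF\x00\x01\x02Connecting to mix cascade...\x00\x00\xffAnonymity active\x00"
    b"\x00\x10\x11Upgrading server hardware\x00"
)
NEW_BUILD = (
    b"\x7fELF\x00\x01\x02Connecting to mix cascade...\x00\x00\xffAnonymity active\x00"
    b"\x00\x10\x11Loading Crime Detection Data....\x00\x05Crime Detected\x00"
    b"\x00http://example.invalid/monitored\x00"  # assumed, constructed URL
)

MIN_LEN = 6  # shortest run worth reporting, same default as the `strings` tool


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Return every run of at least min_len printable-ASCII bytes (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def new_strings(old: bytes, new: bytes) -> Set[str]:
    """Strings that appear in the new build but not in the old one: the review surface."""
    return extract_strings(new) - extract_strings(old)


# Assumed keyword list: words that suggest surveillance or call-home behaviour.
SUSPICIOUS = re.compile(r"crime|detect|monitor|log|report|upload", re.IGNORECASE)


def flag_suspicious(strings: Set[str]) -> List[str]:
    """Subset of strings matching the keyword list, sorted for stable output."""
    return sorted(s for s in strings if SUSPICIOUS.search(s))


if __name__ == "__main__":
    added = new_strings(OLD_BUILD, NEW_BUILD)
    for s in sorted(added):
        print("NEW:       ", s)
    for s in flag_suspicious(added):
        print("SUSPICIOUS:", s)
```

The keyword filter only helps a reviewer triage; the real control is the diff itself. A hardware upgrade should add nothing to the client, so any new string at all deserves an explanation from the vendor before the update is installed.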
:: Posted at 11:50 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Paul over at E2kSecurity.com posted about the *really* big security story that was drowned out by Blaster. The fact that the primary distribution center for the FSF was compromised by a hacker who had full root access to it for up to 6 months. Now consider that this distribution site is where everyone gets Linux drops from. Even the mirrors ultimately get their bits from this site. A hacker may have implanted trojaned code on the site and had it included in nearly every distribution of Linux built over the past 6 months. For example, the gcc compiler, which is distributed ultimately from this site, could have been trojaned to include a back door into everything it builds.
This is the equivalent of a hacker having full control of the files on Windows Update. But hey, it's not a Microsoft security issue, so it gets no press.
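The only defence a downstream user has against a compromised distribution server is to check what they downloaded against a digest or signature that did not come from that same server. The example below is added here and is not FSF or GNU project code: it parses a `sha256sum`-style manifest and verifies a file against it. The tarball bytes and the manifest are constructed sample data; the file name is a placeholder.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample "release": a genuine tarball and a tampered copy with bytes appended.
GENUINE_TARBALL = b"gcc release contents (constructed sample bytes)\n"
TAMPERED_TARBALL = GENUINE_TARBALL + b"\x90" * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest in the format coreutils `sha256sum` writes: "<hex digest>  <filename>".
# In practice this must arrive by a channel independent of the mirror (a signed file,
# or a copy kept from before the compromise); here it is built from the genuine bytes.
MANIFEST = f"{sha256_hex(GENUINE_TARBALL)}  gcc-release-placeholder.tar.gz\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected hex digest; reject malformed lines rather than skip them."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' when it hashed in binary mode.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify(name: str, data: bytes, expected: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). A file missing from the manifest is a failure, not a pass."""
    if name not in expected:
        return False, "no manifest entry"
    actual = sha256_hex(data)
    # compare_digest avoids timing differences; not critical for a local check, but cheap.
    if hmac.compare_digest(actual, expected[name]):
        return True, "digest matches"
    return False, f"digest mismatch: expected {expected[name][:12]}..., got {actual[:12]}..."


if __name__ == "__main__":
    table = parse_manifest(MANIFEST)
    for label, blob in (("genuine", GENUINE_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, why = verify("gcc-release-placeholder.tar.gz", blob, table)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({why})")
```

The check catches a tarball swapped on the mirror. It does nothing if the attacker also replaced the digest file on the same server, and it cannot tell you whether the upstream build itself was trojaned during the six months of root access; that is why the manifest has to be signed or kept from a known-good copy, and why a compiler that may have been backdoored needs to be rebuilt from audited source rather than simply re-downloaded.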
:: Posted at 11:13 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Apparently it's not the bad movies that have killed Hollywood's profits this season, it's those damn kids with the mobile phones! It couldn't be the fault of the product, not with sure-fire gems like Gigli (Reviewer: "And the dialogue - sweet, screaming Jehosephat, it's awful"). According to this article, movie studios have always been able to count on "buying" big opening weekends before the word got out to the masses about what a steaming pile of excrement their movie was. But now the masses are connected baby! Careful kids, I wouldn't be surprised if the MPAA lobbies to outlaw bringing your thumbs into the theatres...
:: Posted at 10:54 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
On Thursday the 21st, Microsoft will be doing a webcast entitled What Network Administrators Should Know About The Blaster Worm. So if you've been cowering under your desk the past week, waiting for some direction from Microsoft on what to do with all your infected systems, you should attend it. And then fire yourself.
:: Posted at 10:08 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Let me make one more point about this cyberterrorism issue, then I'll let it rest for a day or two (promise!).
Fox News is reporting that sabotage cannot be ruled out as a source of the Blackout. The odd thing is, the government says terror *has* been ruled out, but the possibility that a hacker caused the damage cannot be so readily dismissed.
Am I the only one who finds this disturbing? Has our government suddenly forgotten what "cyberterrorism" is? Computer + Terrorist = Cyberterrorism.
If you cannot rule out a computer-based attack, you cannot rule out terrorism. Period. End of story. A terrorist deals in terror, regardless of the method used. The fact that they used a computer instead of a box cutter makes them no less a terrorist. I swear I wonder if we need to explain to someone in Washington DC the concept that things done over the Internet can affect things "in real life".
We're so f*cking doomed.
:: Posted at 00:08 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
I know it must seem like I spend most of my day cowering under my desk, waiting for the terrorists to hack my light switch and put me in the dark, but really that's not the case. Honest!
This past weekend was full of non-terrorist goodness. Well, I take that back. Me and 100 of my closest biker friends went out on Saturday and terrorized large portions of the population during a poker run the South Sound chapter of the Southern Cruisers was hosting. My bike has a pretty loud exhaust on it, but I couldn't hear it all day Saturday as it was drowned out by the sound of about 60 other bikes in my group. It's pretty cool riding with such a large crew, and motorcycle people are about the nicest you could ever meet. I've got a cool story to share about the ride, but I'm saving it until I get the accompanying picture in my email.
After the ride on Saturday, I went back home and tried to get the taste of exhaust out of my mouth in preparation for my bachelor party later that evening. Apparently I should have not advertised the fact that there would not be a stripper, because that really put a dent in attendance. It was for the best though, because I was too busy laughing to talk much. The party was at Giggles Comedy Club in downtown Seattle. It's a small venue, but very cool. No smoking, but they do serve drinks. Actually, they *normally* serve drinks, but we had to get them ourselves from the bar due to one of the two waitstaff quitting at the beginning of the night. Food was excellent, we had chicken quesadillas, which I highly recommend.
The show was about 1.5 hours long, with 2 warm-up acts, then the headliner for an hour. The headliner this weekend was a *very* funny guy, Auggie Smith. If you ever have a chance to see him in action, you should jump on it. He is the king of rants, make no mistake. He opened by looking mournfully at the two 8-year-old kids in the front row, and saying "You're going to learn some new words tonight kids". And then at the end of each bit, he'd look over at those kids and say "Don't ever do that, kids". Just had us rolling in the aisles.
One of the best short jokes on the night actually came from one of the warm-up acts. He was talking about how kids today are often getting fake glasses because it makes them look smarter. The comic paused for a second and wondered aloud: "If looking smart is the goal, why don't they all get talking wheelchairs?"
One memorable joke from Auggie had to deal with the Mormons trying to ban casinos everywhere because they think it promotes sinful behavior. His response: "If you don't like the casino...DON'T GO! I don't see casinos knocking on my door at 10AM on a Sunday morning trying to get me to go PLAY BLACKJACK!!!" He also had a Barbie bit that went on for so long I thought I was going to pass out from lack of oxygen I was laughing so hard.
Good times! Sorry a lot of folks missed it.
:: Posted at 20:44 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
The longer it takes the government to figure out what caused the Great Blackout of 2003, the more likely it is that it's what I have suspected all along: Cyberterrorism. No, I'm not saying it's a direct result of the Blaster worm, that's just coincidence. Blaster wasn't capable of this kind of targeted attack. On the contrary, actually. I think Blaster had a hand in limiting the attack to only the Northeast. Hear me out (I'm warning you now, you are going to be thinking "That Beau, he's one CRAZY mofo"):
Follow me down the rabbit hole, for just a minute while I try to paint the picture.
Imagine you are a terrorist. Part of an organization of terrorists that understands how vulnerable the US is to Internet-borne attack vectors. Imagine that your organization has detailed plans of US infrastructure elements, such as dams, telephone systems, and power plants. You have copies of the SCADA software, the software that controls the US power infrastructure, on your laptop.
Imagine, after much work (perhaps years), the groundwork is laid for an attack of historic impact. Taking out the entire American power grid, in one fell swoop. Dousing the US in total darkness for days. Perhaps the attack relies upon the exploitation of a very specific vulnerability that has gone un-noticed for years. A vulnerability that can be used to gain access to the SCADA systems that control the nation's power. Perhaps you do not gain access to the heart of SCADA itself, but you have access to enough connected systems to effectively control it. Perhaps through the use of a keyboard sniffer on the plant foreman's hasn't-been-patched-since-he-bought-it-2-years-ago home PC, you have recorded critical accounts and passwords that gain access to SCADA core systems. Slowly, you plan for a coordinated attack on these systems so that the entire grid can be brought down in one fell swoop. You carefully erase any traces of your activity so it cannot be traced.
Follow me just a bit further, won't you, before writing me off as a complete wacko?
The vulnerability that the attack relies upon is discovered, and quickly a patch appears... But that does not worry you much, who installs patches? It will take months for a big bureaucracy like a power company to approve such a patch. The attack is nearly ready to launch.
But then along comes a worm. The worm has such a devastating effect that it becomes headline news and suddenly everyone is patching against your attack. With all the flurry of patches, the compromised systems critical to the attack are slowly being patched against the vulnerability upon which your attack relies.
So you launch your attack, hoping there is still time before the entire grid is secured against the vulnerability you have spent months or years cultivating. But there isn't. Only one of the grids comes down, leaving the Americans to wonder if an innocent hardware failure was the cause.
All you can do now is claim responsibility for an event that can be explained away as a hardware failure to the ignorant American population. Back to the drawing board.
OK, back to reality. The above is all pure speculation on my part, based on a number of facts:
  Al Qaeda laptops have been recovered with detailed designs of US infrastructure on them.
  Al Qaeda laptops have been recovered with copies of the SCADA software on them (the software that controls our power plants)
  Al Qaeda operatives have been arrested in the US gathering intelligence on critical infrastructure elements
  Al Qaeda is known to be actively recruiting hackers over IRC and other chat channels
  Other terrorist organizations sympathetic to Al Qaeda have demonstrated abilities in cyber-warfare
Could this still be simply a hardware failure? Sure, why not. But why is it taking so long to determine? Hardware failures are easy to identify. Much less easily found are expertly-crafted hacks. Especially by government agents who a week ago were trying to catch kiddie pornographers and credit card scammers.
Yeah, I know. Crazy mo-fo. It's ok, I think that sometimes too.
:: Posted at 17:08 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
In a bizarre twist, one of the newest variants of MSBLAST (and there have been at least a dozen variants found in the wild so far) reportedly uses the same RPC hole to instruct the target system to download the MS03-026 patch from Microsoft. In effect, it's a worm that whacks itself. Spiffy.
Update: I know of at least one network that is running dog-slow as a result of the new benevolent worm (dubbed Nachi), while it tries to seek out infected hosts on the same network. The IT guys are not as enthralled with Nachi as I am, I'm thinking.
:: Posted at 14:41 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
I will preface the following diatribe by stating that I work for one of the largest wireless carriers in the US, whose name starts with an "A", a "T", and another "T", and ends with "Wireless" (oh, and there is an ampersand in there somewhere too). But what follows is my opinion as a consumer of wireless service, and does not necessarily represent the views of my current employer. I do not have landlines at home, I am 100% wireless (and have been for years, even prior to my current employment). However, I do have a unique insight into what is happening in wireless, thanks to my position in the company.
A couple years back, the FCC came down from the mountain and told wireless service providers "Thou shalt allow subscribers to take their phone numbers with them when switching to a competitor". The concept is called "local number portability" (LNP), and has been commonplace in traditional land-line services for many years. Wireless carriers, however, fought LNP tooth and nail, because the rate subscribers leave (or "churn", as it is called) is a key metric for measuring the success of a carrier. Anything that encourages churn is BAD, if you are a carrier.
On the surface, LNP seems like a boon to consumers, who will now have an easier time moving from one carrier to another as the fancy strikes them. In practice though, nothing could be further from the truth. And here is why:
LNP Monthly Fees: Recently appearing on your bill, and continuing for the next 5 years, is a new service charge. Go ahead, look. I'll wait. Some carriers call it out as a "Number Portability Fee", others just add it into the regular service fee. But it's there, honest. That is how much every consumer is paying for LNP, whether they intend to take advantage of it or not. Everyone with a mobile phone in the US will be paying for LNP. Has anything the government mandated ever come without a cost to the consumer? Why would this be any different? Here's the kicker. The carriers can charge whatever they want. There are no rules laid down by the FCC, and no reporting required to ensure the charge is in line with the costs involved with the implementation of necessary systems to support LNP on the carrier's network. In fact, some people are starting to wonder if these LNP charges are going to become a new profit center for carriers. The FCC, in effect, just gave carriers carte blanche to stick the consumers for however much they wanted to, so long as they claim the funds are being used in some way to support LNP. And without any reporting requirements, the FCC just has to trust that they are using the funds for that purpose. Now it becomes clear why all the major carriers have given up the fight against LNP, and are now embracing it.
Contracts: Once carriers are forced to support LNP, you can bet the contracts for service will get a LOT more restrictive. You want out of a 1-year agreement after only 6 months? Sure, you can take your number to a competitor. But you owe your original carrier for what they would have collected from you if you had fulfilled your contract entirely. Right now, many carriers don't sweat contract lengths, and often let unhappy subscribers off the hook. You can bet that won't be the case any longer.
Handsets: Many consumers don't realize that the handset they get from one carrier will not necessarily work with another. Not only are there 2G/2.5G/3G issues, but carriers are often using entirely incompatible frequencies even if they are using the same base technologies. An Ericsson t68 originally acquired from AT&T Wireless may be completely useless when taken to another carrier. So you have to buy a new phone, as well as agree to yet another long-term contract.
Wireline Switches: The carriers are only required to support LNP if there is a wireline switch in the same rate center as the wireless switch. Only 1 in 8 rate centers actually have wireline switches, so 90% of consumers won't even qualify for LNP.
LNP sounds like a great deal for consumers on the surface, but once you start digging you realize that EVERYONE is paying for a feature that HARDLY ANYONE will ever actually use. Some have called LNP a "fraud on consumers". The more I learn about it, the more I tend to agree.
:: Posted at 14:11 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
As I (and others) predicted, a new variation of the MSBLAST worm has been found in the wild. According to Kaspersky Labs, the new variant is mostly a copycat of the original, merely renaming the worm executable to "teekids.exe" (as opposed to "msblast.exe").
How disappointing. I was hoping for something a little more imaginative from our black-hatted friends than simply renaming the executable. I have faith though, it's coming. Wait until it's modified to use the RPC attack vector that MS03-026 doesn't address... It's only a matter of time.
:: Posted at 10:14 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
I'm sorry, but they can't really expect us to believe that a lightning strike (*cough*clear skies in Niagara last night*cough*) hit at just the right place to knock out power to 20% of the population of the US? Is our power infrastructure really so fragile? I don't buy it.
I think what we have here, if the government ever comes to admit it, is the largest case of cyberterrorism in history. Frankly I'd rather it be that than know that our nation's power grid is so fragile that it can't survive a simple hardware failure without dousing an entire quadrant of the country in total darkness.
:: Posted at 09:48 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
If rumors are true, Comcast has slipped us Seattle-ites some new Hi-Def channels.
I can't wait to get home and see for myself.
:: Posted at 16:36 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
I went and dug up some additional information about the unmitigated attack vector that remains on Win2k after applying MS03-026. CERT has an advisory HERE that gives a brief overview of the problem. Proof-of-concept code from the Chinese group X-Focus is linked within that advisory (which obviously means this exploit is currently in the wild).
As the CERT advisory states, there is no known patch for this problem; you MUST exercise due diligence on your perimeter (both in AND out).
:: Posted at 15:07 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
It's been a long day. I had performed scheduled maintenance on my servers in the Lab 2 weeks ago to install the RPC patch (and a couple others), but invariably a system gets left off the list. I had 3 systems that for various reasons remained vulnerable to Blaster once it made it past my perimeter (thanks infected laptop users!). But our IDS systems had those machines flagged by the time I got into work this morning, and we got them patched up. One of the systems was reinstalled without the developer telling me, and they did not bother with patching it afterwards. Ass-kickings will be administered.
I also had a flurry of activity relating to some visiting engineering teams that we are hosting in the lab this week. The machines they brought into the Lab were not patched, and were quickly compromised. So I spent a bit of time cleaning up their mess as well. I guess I'm going to have to pre-qualify gear that outside partners bring into the Lab from now on.
Also, I should apologize for saying that the MS03-026 patch does not stop Blaster on Win2k. It certainly does. However, there is still an attack vector for the RPC exploit that the patch does not address. Luckily this malware does not exercise that particular vector, so applying MS03-026 is a valid countermeasure for Blaster.
Also, it's interesting to note that this particular worm was not well-crafted. We can expect some clever black-hat to "optimize" Blaster and re-release it in a few days. Hopefully it will still be stopped by MS03-026.
I have a big rant saved up about MS' craptastic update processes, and another about the risk home users present to Corporate America. Expect those soon.
:: Posted at 14:35 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
As of 20 minutes ago, a brand new worm exploiting the recent DCOM vulnerability in all versions of Windows (except ME) broke out and is slamming the Internet pretty hard right now. Unfortunately, MS' patch doesn't actually resolve the exploit on Win2k (contrary to what the Technet article claims), and no word on when they will have it fixed.
In the meantime, block outbound requests for udp/69 (tftp) at your perimeter, which should prevent any machines susceptible to this exploit from fetching the worm code and executing it.
Update: News.Com has picked up the story. This has the potential to be bigger than Slammer. Egress filtering, folks!
:: Posted at 14:32 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
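The perimeter advice in the two Blaster posts above (egress filtering of udp/69 so an exploited box cannot fetch the worm, plus watching inbound tcp/135) as a small, added example that is not part of the original posts. The log format, the internal address ranges and all addresses are constructed for illustration; a freshly exploited host shows up as an internal source making an outbound tftp request, which is the list an IDS would hand you for patching.

```python
"""Egress/ingress policy check and suspect-host report for the Blaster
tftp fetch. Added example, not from the original blog; the log line
format and all addresses below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed address space for the "inside" of the perimeter.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Ports the posts call out: udp/69 (tftp fetch of the worm binary)
# outbound, tcp/135 (DCOM RPC) inbound.
EGRESS_DENY = {("udp", 69)}
INGRESS_DENY = {("tcp", 135)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def policy(src, dst, proto, dport):
    """Return 'deny' or 'allow' for one flow crossing the perimeter.
    Flows that stay inside (or outside) are not the perimeter's business."""
    outbound = is_internal(src) and not is_internal(dst)
    inbound = not is_internal(src) and is_internal(dst)
    if outbound and (proto, dport) in EGRESS_DENY:
        return "deny"
    if inbound and (proto, dport) in INGRESS_DENY:
        return "deny"
    return "allow"


def parse_line(line):
    # Constructed format: "<ts> <src> <dst> <proto>/<dport>"
    ts, src, dst, svc = line.split()
    proto, dport = svc.split("/")
    return ts, src, dst, proto, int(dport)


def suspect_hosts(lines):
    """Internal hosts whose outbound flow hit the egress deny list.
    A Blaster victim pulls the worm over udp/69 right after the 135 hit,
    so these are the machines that missed the patch. Returns {host: [ts]}."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = parse_line(line)
        if is_internal(src) and policy(src, dst, proto, dport) == "deny":
            hits[src].append(ts)
    return dict(hits)


SAMPLE_LOG = [  # constructed perimeter log lines
    "14:31:02 10.1.4.22 203.0.113.9 udp/69",
    "14:31:05 10.1.4.22 203.0.113.9 udp/69",
    "14:31:07 10.1.9.3 198.51.100.4 tcp/80",
    "14:31:09 198.51.100.77 10.1.9.3 tcp/135",
    "14:31:11 10.1.7.40 203.0.113.9 udp/69",
]
```

`suspect_hosts(SAMPLE_LOG)` names the two internal machines that tried to fetch over tftp; the inbound tcp/135 line is denied but is an external source, so it is not a patching item.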
Ever since I wrote that last entry about 193 candidates for governor, I can't get the image of having to scroll through all those names on a ballot out of my head. And naturally, anything relating to scrolling immediately conjures up a StrongBad reference (warning: audio).
Carry on.
:: Posted at 12:28 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Remember I recently posted about the willies I get when I ponder the thought of electronic voting. Well, it seems that my case of the willies is spreading to others, and now some local governments are having second thoughts about this whole electronic voting concept.
The Washington Post ran an article today about the growing concern over the Diebold voting systems, and their reported vulnerabilities. Seems North Dakota is holding off on their e-voting system indefinitely, in light of the recent flurry of security concerns.
However, many counties and municipalities are going right ahead with their plans. Hmm, 193 candidates for governor of California, at last count. That will be an interesting test bed for the system won't it?
Scariest quote of the Washington Post article: "If the computer scientists had one valid point, one, then why hasn't one incident of what they're saying occurred in all of these elections?" -Mischelle Townsend, registrar of voters in Riverside County, Calif.
Ms. Townsend, I humbly ask "How do you know?" Would all state and local election officials with intrusion detection and digital forensics training please raise your hands? Nobody? I thought so. Is there even an IDS infrastructure monitoring these systems? Please tell us, Madame Registrar, what systems and procedures are in place to ensure a hack attempt would even be detected, much less thwarted?
I think I've made my point. And yes, I'm still scared.
:: Posted at 12:02 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
So on Saturday, 3 weeks prior to the wedding, we finally hired a photographer. None of the ones people recommended worked out, mostly because they were booked solid.
The ultimate winner was Richard Bush Photography. He's been doing photos for 20 years, including a number of them at the winery. He also charges sanely ($1250 for 4 hours of his time, plus $50 per roll of film used), and we retain full ownership of the negatives and stuff.
After meeting with him on Saturday, and seeing his work, I'm pretty excited to have him on the team.
:: Posted at 10:36 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Added:
  Kari Scully
  Paul Tram
:: Posted at 14:40 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Back in the day, people would pay a premium for Logitech gear, and I guess they still do. And honestly I've always held them in high regard when it comes to keyboards and mice, but I've finally come to realize that they just aren't cutting it any more.
My office is quite literally a keyboard graveyard. I have at least 4 different keyboards strewn about as I look around right now. And they are all different, which is why I have them all to begin with. Some are "natural" and some are not. Some have the navigation keys (Home, End, Page Up and Down, etc.) in 2 vertical columns, some have those buttons in 2 horizontal rows. I have one keyboard where there are only 5 buttons there, with the Delete key taking up twice the space as the others (I haven't figured out where they banished the Insert key to on this one to make way for that double-tall Delete).
But the point of this rant (yes, I'm coming to it, be patient!) is that Logitech has fallen so far from grace that their keyboards are no longer even likely to work on a regular Windows box any more. Is this a case of The Man keeping Logitech down, or (more likely) a case of some crappy-ass driver development going on down there in Logi-land?
My most recent excursions into the land of keyboards and mice were prompted by me hurling my old mouse at a very unsafe speed at the wall in my office. Whereupon, after it was mostly reassembled, it ceased working. See, the mouse (loved as it was) developed a warped mouseball, and became rather erratic in its movement. Since it was a cordless mouse and keyboard that was several years old, I couldn't just go out and buy a new mouse and expect it to work on the old wireless receiver. So it was time to buy a new mouse/keyboard combo. So I journeyed to Office Depot and returned triumphantly with a very nice-looking Cordless Access Duo made by Logitech.
I spent the next hour installing all the drivers for the devices on all my screen-saver generators (if you've been paying attention, you know I have 5 machines, 4 of which exist primarily to display the Matrix screen saver on tiny 10" monitors strategically placed about my desk). An hour later, I lean back in my chair, confident that I am now in complete control of my small army of systems.
As is usually the case when a man comes to feel he has complete control over ANYTHING, something was about to go horribly wrong.
I soon discovered that when I used my switchbox to navigate from one system to the other, often the keyboard would fail to respond entirely, forcing me to reboot all the systems in my office in order to get the keyboard back. Which would work fine until the NEXT time I switched to another system, which was about every 5 minutes.
And then there was the unpredictable behavior of the mouse. Not the motion this time, but just as maddening. The scroll wheel would sometimes stop working after switching to another system, like the keyboard would. And the scroll wheel would scroll a different amount depending on the application I was using. For instance, in IE, it would scroll the usual 3 lines, but in Frontpage, it would scroll an entire page at a time. And then in some applications it wouldn't work at all.
So today, I was in Circuit City looking for a video capture card for the MCE system that bastard Steve has us all trying to find the money/time to build. And since they were out of the video cards, and it's morally wrong to leave an electronics store empty-handed, I purchased keyboard #5, which is a Microsoft Wireless Optical Desktop. And let me tell you, this thing works beautifully. Though I wish it was Natural, and didn't have that funky Delete key I was telling you about half an hour ago when I first started this entry.
What was the point of this entry anyway? Oh yeah: Logitech, your drivers SUCK. I guess I could have gotten that message across in fewer words, but I'm playing with my new keyboard. Leave me alone.
:: Posted at 18:26 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
One of my favorite sites, SecurityFocus, today published part 2 of a two-part column on blogs, and their relevance in the security realm. While I was not enthralled enough by Part 1 to make mention of it when it was published, Part 2 is quite informative. It lists a good number of security-minded sites, both corporate and individual.
Some of them you might already recognize as an established member of my security link list on the left, but there are some new sites that are worth noting:
www.djeaux.com's RSS feed of 15 popular security mailing lists
Microsoft RSS Feeds
Also make note of the RSS feed of MS Technet Security Articles, which should be of particular interest to most of my readers.
It's a good article, worth the read. Expect some new additions to my lists of links on the left real soon now.
:: Posted at 20:06 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Added:
  Chao Chen
  Ken Fridley
Updated:
  Brett Schaefer
  Keith Breinholt
:: Posted at 19:28 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
C|Net's News.com is reporting that Novell plans to cease development of the Netware platform in favor of providing their award-winning directory technologies to Red Hat and SuSE Linux users. It's quite an about-face for Novell, seeing as how they openly considered Linux an enemy just a year ago.
As a one-time Netware admin, I'm quite surprised. After lasting as long as it did, I kinda expected Netware to live on forever. Even though nobody I know would touch it with a 10-foot pole.
:: Posted at 11:05 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Added:
  Brett Schaefer
  Paula Tomlinson
  Roy Dean
Updated:
  Glen Furnas
  Jani Dikkala
  John Crawford
I also finally completed the conversion of the Alumni email addresses to bitmaps, to prevent them from being harvested by spammers. Please let me know if I made a mistake on your email address and I will fix it ASAP.
Alumni page can be found HERE, or by clicking on the link at the top of the page.
:: Posted at 20:14 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
So my faithful readers know that I bought a big-ass HDTV a week ago. I have to say, HD content is cool. Very cool. But there's not nearly enough of it. Comcast currently offers 2 whopping channels of HD content (HBO and Showtime, of which I only subscribe to HBO). And then you get a couple special Mariners games broadcast on HDTV per month (which, let's be honest here, is Reason #1 for me getting HDTV).
But when you find yourself watching Kung Pow: Enter the Fist, just because it's the only HD content currently on, something is horribly wrong. And that, my dear reader, is exactly the position I found myself in this past weekend.
The conversation went something like this:
Jessica: "What in the world are you watching?"
Me: "Kung Pow: Enter the Fist"
Jessica: "Why in God's name are you watching that crap?"
Me: "It's Hi-Def!" (Duh!)
Jessica rolls her eyes and goes upstairs to watch the other TV in the guest bedroom.
Why do I feel like the guy in Spinal Tap trying to explain how his amp goes to 11?
:: Posted at 11:45 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
On Monday BSQUARE will be laying off somewhere between 12 and 14 people. A few old-timers too, but I won't mention names here (refer to my Play Nice Policy).
You know, I've been digesting this whole "Bill" reorg for the past week, and I have a crazy theory. What if Bill was moved into the Maui top spot in preparation for spinning it off? That would unshackle the ball and chain that is Maui from the money-making portion of the business (PES), and allow BSQUARE proper to return to profitability. It would also let Bill ride quietly off into the sunset if Maui didn't quite work out.
Ah, but what do I know. I'm just an ex-employee with way too much time on his hands...
:: Posted at 00:19 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::
Every time I ask a group of people for some suggestions of fantasy books to read, invariably someone will offer up Robert Jordan's Wheel of Time series. It has such a devout following that I eventually picked up the first 3 copies from my local Barnes and Noble to read while I was on a long vacation to Utah earlier this year.
Ugh, what a mistake. I have just finished the third book, after struggling through it for about 3 months.
Maybe I'm just not bright enough to "get" his writing style, but the books seemed very disjointed to me. The 3 lifelong friends in book 1 were suddenly despising each other in book 2? And all the main characters had these pointless internal battles with themselves constantly (it was all a variation of the theme "I will not be used!"). And I'm sorry, but you are going to have to come up with more swear words than "Blood and ashes!" or "Blood and bloody ashes!" if you're going to write a dozen freaking books in a series.
All in all, I was gravely disappointed in the creativity of an author that everyone seems to hold in the highest esteem, even placing him next to Tolkien. Somehow I missed entirely the talent that demonstrates he is worthy of such a comparison.
:: Posted at 14:26 by Beau :: Archived :: TrackBack (0) :: Comment (0) ::