Pat’s Daily Grind

Linux declared “hacker proof“, according to a contest at the CanSecWest conference. Here’s the rules of the game (you hack it, you get to keep it):

• Limit one laptop per contestant.
• You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
• Thirty minute attack slots given to contestants at each box.
• Attack slots will be scheduled at the contest start by the methods selected by the judges.
• Attacks are done via crossover cable. (attacker controls default route)
• RF attacks are done offsite by special arrangement…
• No physical access to the machines.
• Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.

There’s not quite enough in the way of detail here, but it’s pretty obvious (by the inclusion of web browsers and mail clients) that there is some level of client-software use going on, you’re not just trying to hack into an idle box plugged into a network.

This was a decidedly gamed contest.  These are supposed to be “typical road warrior” targets, but I imagine that the people playing the part of “client software users” weren’t typical road warriors at all. Moreover, if you’re really worried about secure files on a laptop used by a typical road warrior, physical access to the machine is your number one problem, for crying out loud. Since none of these laptops use an encrypted storage solution (that I know of), all you need to get the file is physical access to the machine for about 2 minutes and a boot CD. For that attack scenario, all of these configurations would fall over and perish swiftly.

Ann’s recent blog post is one of those blog memes you see from time to time: “If you could pick only five albums to listen to for eternity, what would they be?” I’m going to define “album” thusly: one (1) complete recording, maximum of 72 minutes in length, distributed in the form of a single cassette, vinyl album, or compact disc.

So, no cheating and pulling out dual-disc “albums”, unless you want to pay two slots for it. This is extremely difficult. I am one of those people that walks around with a soundtrack in my head, but this contest isn’t about choosing 360 minutes of music, it’s about choosing 5 *albums*; there’s a significant difference. I consider albums to be a superset art – assembling an album isn’t just a matter of choosing 10-20 good songs, it’s about building a collection that is more than the sum of its parts. At the same time, if I’m stuck for eternity with only 5 albums, I can’t necessarily pick the best albums, because there are songs I must have. So, here’s mine, no particular order, with reasoning:

(1) City of Birmingham Symphony Orchestra: Walter Weller Conductor – Beethoven: The Complete Symphonies, Vol 1, CD 2 – (Symphony No 2 in D Major, No 5 in C Minor)

(2) Rush – Moving Pictures

(3) Assorted Motown Artists: Saturday Night Downtown, Disc (not sure, I’ll have to update this post when I can look at the playlists)

(4) Midnight Oil – Red Sails in the Sunset

(5) The Beatles – Abbey Road

Abbey Road because we must have some Beatles. Every time I hear “Oh Darling” or “I Want You (She’s So Heavy)”, I wish that I could sing this goddamn song as well as Paul /John does, because I would love to be able to sing it to my wife* in something other than my horrid singing voice. Red Sails because it is tied to a great number of memories in my head of my early teenage years. Not sure if the Birmingham recording is the best of Beethoven’s 5th, but it’s the one I have and I must have Beethoven’s 5th. Not only is this required in and of its own right, but several of my favorite memories of my father have this recording as the soundtrack, and I should miss the clarity of recollection that comes with the music itself. Saturday Night Downtown for similar reasons -> I must have some Motown, and this album has a number of associations with my mother that I would like to keep alive. Moving Pictures because we must have some Rush.

* – not implying that she’s planning on leaving me

Hilarious. Mixed-martial arts websites meet Viking berserkers.

Comedy gold quote:

“My old father, Thor Svensson, used to say that “defense is what happens when you’re about to die”

Yay! We have a new cybersecurity czar. From The Washington Post.

Boo! It’s not really certain who is in charge anymore.

Sources in the government contracting community said the White House is expected to announce as early as Thursday the selection of Rod A. Beckstrom as a top-level adviser based in the Department of Homeland Security.

… DHS only recently appointed Greg Garcia, former head of the Information Technology Association of America, to be assistant secretary for cyber-security and telecommunications…

Garcia in turn answers to Robert D. Jamison, who serves as Under Secretary for National Protection and Programs Directorate. When asked last week at a press briefing about a simulated cyber attack against the United States who would lead the government’s response in the event of a sustained cyber attack on the federal government, Jamison said that duty would fall to him.

Double Boo!  Beckman’s not a security guy.

By all accounts, Beckstrom is neither a cyber-security expert nor a Washington insider. But his private-sector background and published writings emphasize a decentralized approach to managing large organizations.

Is it just a pathological condition that this Administration chooses people with no domain experience for positions of authority? How long until we hear, “Becksie, you’re doing a heckuva job”??

At NASA. Very cool. Today’s picture:

Wow. Just. Wow.

Sender: Smith, Ed [address redacted]@sequoiavote.com
To: felten@cs.princeton.edu, appel@princeton.edu
Subject: Sequoia Advantage voting machines from New Jersey
Date: Fri, Mar 14, 2008 at 6:16 PM

Dear Professors Felten and Appel:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems

Let me translate this: If you attempt to analyze or audit our machines outside of a testing framework we approve, we will sue somebody. If you publish the results of any such analysis or audit so that the voters can learn how horrible our machines are, we will sue somebody.

I only hope that *one* (oh, lord, just *ONE*) of the voting districts that purchased a block of these machines was smart enough to buy them without having anyone in authority sign one of these stupid agreements. Please, let one of these county voting authorities have sent back their legal agreement with a rider expressly detailing the county’s right to audit these machines.  Somewhere, some voting official have the gumption to file suit against their e-voting machine vendor for gross negligence and incompetence.

Bruce wrote an editorial for Wired (reproduced with commentary at his blog) about what kinds of people make good security people, and in which he muses about whether or not a security mindset can actually be taught. It’s good reading, particularly if you know me and want to know a little bit about the way my brain works.  From the article:

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

You see Bruce’s point.  Security-minded people are naturally sneaky.  Whether they exploit their natural sneakiness or not dictates whether they become a criminal, a CIA analyst, a law-enforcement agent, or just a guy like me who notices where the security cameras *don’t* overlap in the local convenience store.

One of the commentators pointed to this other blog post by Colin Percival, in which Percival states: “If you want someone to understand security, just send him to a university mathematics department for four years.”

To some extent I think Percival has a point. I have noticed that lots of mathematicians are naturally slated towards picking out the unseen assumptions that introduce systematic weakness. But (as I commented on Bruce’s blog), those same mathematicians can suffer from being stuck “in the box”. Mathematics is (generally) the study of closed axiomatic systems. Security systems are usually neither closed, nor axiomatic. Mathematically-trained security guys can oftentimes be obsessed with security inside a box, but they can easily miss the forest for the trees.

I’ll use on of my favorite Bruce anecdotes to illustrate the point: Bruce, back in his more naive days, was attending a security conference, and was involved in a discussion about a cryptographic protocol when someone (I think it was an FBI agent) started describing a side-channel attack. Bruce says something to the affect of, “But that’s cheating,” to which the FBI agent replies, “There is no cheating in this game.”

I see this all the time in Infosec IT papers, and it’s actually why I’ve chosen *not* to do Infosec work as my research focus -> everyone is obsessed with proving that some cryptographic protocol is secure, or figuring out attacks against those protocols. Sure, this is worthwhile and necessary work, but the real pressing “right-now-today” problems in Infosec aren’t protcol-related. Key management. Inherited trust. Authentication and Identification. These are the problems in security, and for the most part they are not really technical problems; they are process problems or human problems. You can prove a protocol is mathematically secure, but if your engineering results in keys sitting in memory, your implementation is insecure. And really, you can be an excellent mathematician and a really cruddy practical security specialist.

… I’m in a state of decomprehensionability this morning. Oh joyous Spring, why doest thou come so laden down with the horrible burden of airborne impurities? You affect the hours of night with cruel consequence, transforming gentle embraces of Artemis into an insensate intermittent battle with Morpheus.

To arms, comrades! The vorpal blade of antihistamine to my side! I shall slay the Jabberwock, the Bandersnatch, and the JubJub bird!

The Interwebs (at least, a subsection of ‘em) are all a-twitter about Ben Stein’s upcoming “Expelled”.

In reading some of the threads, I came across this note:

“There are people out there who want to keep science in a little box where it can’t possibly touch God. ” – Ben Stein

If this is, indeed, the opening line of the movie, it pretty much illustrates precisely why this movie is (probably, I haven’t seen it yet obviously) going to be a complete pile of drivel.

Mr. Stein, science is based upon precisely two main root principles:

• The Universe behaves according to some set of laws.
• Those laws can be illuminated by observation of said Universe.

By any meaningful definition of God (that I’ve read, anyway) He (or She, or It) is not constrained by these laws, but instead exists outside of them. This means, quite simply, that science (as a discipline) is incapable of quantifying God. Studying God is not a scientific endeavor.

Intelligent Design is not a scientific theory, and has no place in a science classroom. There is no meaningful standard of evidence. I cannot produce evidence that counters the basic principle, that there is a “lawmaker”, because the lawmaker must, by definition, be outside those laws, and outside my observation. Science has no tools to examine this phenomena.

Science ought to stay in that box.

Reading Dave (not coworker Dave, but actually a different guy) LeBlanc’s blog recently led me to this post, which points out some interesting security problems that aren’t quite problems with an operating system, or problems with an application, but instead a problem specific to the interface between an application and the operating system.

A difference between UNIX-ish systems and systems based on DOS is that the current directory “.” is not on the search path for UNIX-ish systems, and it is for DOS systems, which didn’t have different users, so there was no need to worry about some of these things. Originally, a Windows system would look for DLLs using the same ordering that you’d look for an executable – as documented in the SearchPath API:

The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that retrieves the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The directories that are listed in the PATH environment variable.

The attack is that you find some DLL an app needs, make an evil twin, and put it in the same directory as a document, then lure someone who you’d like to have running your code to open the document. This is obviously a problem, and the advice we gave in Writing Secure Code (1&2) was to fully path the library you wanted to access with LoadLibrary. This advice isn’t always the best, since if you weren’t sure where you were installed, you might use SearchPath to go find it, which looks in the current directory, and now you have a problem again.

What we did to fix it correctly was to make a setting that moved the current directory into the search order immediately before the path is searched, and after everything else. This took effect by default in XP SP2, Win2k3 and later, and was available in Win2k SP4. For the most part, this did get rid of the problem – if it was a DLL in the operating system, that got searched well before the current directory and all was good.

The moral of the story: when you want to develop secure applications, you’re not writing code in a vacuum.  You need to understand how the operating system actually works.

Windows API’s (root) are here.

You have to dig around a bit to find the Dynamic Link Library search order:

The dynamic-link library (DLL) search order used by the system depends on whether safe DLL search mode is enabled or disabled.

Windows Vista, Windows Server 2003, and Windows XP SP2:  Safe DLL search mode is enabled by default. To disable this feature, create the HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

Windows XP and Windows 2000 SP4:  Safe DLL search mode is disabled by default. To enable this feature, create the SafeDllSearchMode registry value and set it to 1.

If SafeDllSearchMode is enabled, the search order is as follows:

1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key.

If SafeDllSearchMode is disabled, the search order is as follows:

1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key.