No Such Weblog

One of the ever-returning topics in computer security fora looks at "full disclosure": Is it ethical to release tools that exploit a security vulnerability? Is it ethical to release information that makes it trivial to produce an exploit? One side of the argument basically says that it's not ethical because releasing exploits doesn't add anything for the white-hat consumer of the news, but makes attacks easy for script kiddies. The other side of the argument often talks about suppliers who don't move swiftly to fix problems unless an exploit is known and publicly available. This side of the argument also notes that it's often not possible to describe a fix without making an exploit obvious.

There is another angle to this, though: Where vulnerabilities are due to design issues, and workarounds are expensive, unavailability of public exploits may lead to continued deployment of insecure setups, despite awareness that security design is flawed. Of course, it's a dangerous assumption to conclude that just because there is no publicly available exploit, possible attackers aren't able to get access to a private one.

"Hi, you realize that your recently-deployed WLAN+VPN setup can be used to steal user names and passwords, possibly on a massive scale?" -- "Well, yeah, we knew about the vulnerability, but it didn't look like it's easily exploitable, and after all, there are no exploits out there." -- "It's extremely easy to exploit. Look, here's how it goes, and yes, I have the software I need to do this. Want a demo?" -- "duh. But we'd be interesting to learn about secure setups."

I wonder, can it be unethical to keep an exploit to a well-known security weakness private?

It seems like too long documents are fashionable these days.

It's not just three days worth of broadcast treaty negotiations that have been minuted by a group of daring bloggers and NGO participants in the recent Geneva negotiations. (Donna Wentworth: required reading.)

For the ICANN addict, there are also three WHOIS Task Force reports totaling 202 pages of text, a Draft Procedure For Designating Subsequent .net Operator, and a modest six-page GNSO draft for criteria to be used in selecting that operator; all these documents are waiting for public comment some time in June.

I'm at WOS 3 in Berlin, now sitting in the Copyrights in Europe workshop at the Technical University's main building. After the main conference network behaved interestingly yesterday, people are now struggling with the TU's WLAN security setup. IPSEC with pre-shared keys and XAUTH over unencrypted WLAN, of course.

User names and passwords are distributed on tiny paper strips. Keys and software are distributed on CD-ROMs that can't be mounted properly by many people here. The key information, though, has now made it to one of the blackboards, after it was unscrambled.

Ross Anderson speaks on DRM and Competition.

Economics of software: Value of a software company is accumulated switching cost of users -- if switching 100 seats to OpenOffice costs less than 50,000 ¤, you don't pay 500 ¤ per seat for Microsoft Office. If it costs more, Microsoft charges more. What happens with new document/right management technologies Microsoft is about to supply, enabled by trustworthy computing? Need permission from senders to convert files to other technology. Switching costs explode.

Use TC to lock in users by locking up their data. Software startups to have lower probability ofsuccess. Software industry much less dynamic, much more like "normal" industry. Small number of big players, big entry costs, less jobs.

Playstation model: Subsidize hardware from software sales. TC computers cheaper. Later, maybe PC free, "Office plan" for monthly rent. Effect on free software when commercial software comes with free hardware? Internal Market? Talking services now, not products!

TC has nasty effects on competition policy. Twist anti-circumvention into anti-competitive tools. Need digital rights directive -- not just about consumers, but about markets. Not just about music, about everything -- because everything contains software in the near future.

... then you are probably using a commercial hot-spot, or maybe someone has tried to provide some "security."

The last couple of days gave me a chance to experience a variety of Wi-Fi setups. Besides the generally working open conference network at WOS (hidden behind a NAT box, of course), there were the insecure, but cumbersome security mechanisms at TU-Berlin (ultimately circumvented for many people in the room by setting up a laptop as a router between an ad-hoc open network and the official Internet access), and airport Wi-Fi at CGN and TXL.

CGN is in T-Mobile's hands. The design of the payment process looked reasonable, at least as long as you are a T-Com or T-Mobile subscriber. Random 404 errors and wrong host names in SSL certificates (hotspot.t-mobile.net vs. hot-spot.t-mobile.net) pointed towards a rather unprofessional implementation, though.

(The Vodafone setup in MUC about which I ranted in March had a more cumbersome billing design, but was implemented better.)

TXL (where the photo was taken this morning) is more open to a number of wireless providers. Access points are shared between providers; users are then supposed to pick providers from some web page. When trying to go further than that, I got inconsistent and irreproducible behavior, including 404 messages, transparent proxies complaining, and timeouts. The "wlan-zone" was useless for me.

Open and free Wi-Fi should be a convenience at airports -- spending the waiting time attempting to debug a network is not a productive activity at all.

There's a new kernel for Fedora Core 2, and it seems to take care of the IRDA problems I had previously.

No more kernel re-building to move the serial driver into a module: Just make sure you do

setserial /dev/ttyS1 uart none

With the new kernel, the only remaining driver that needs to be taken care of separately is the one for the built-in Centrino Wi-Fi.

On its call today, the GNSO Council has extended the public comment periods for the three WHOIS Task Forces until July 5.

The most interesting part of today's GNSO Council call begins 98:30 minutes into the MP3 recording, and takes about 17 minutes. It's on the agenda under "any other business": new gTLDs.

My notes are below the break; if something sounds wrong to you, go listen to the MP3 recording.

WHOIS Task Force 3 (accuracy) had its (first? only?) open conference call. The call was intended to extend the reach of the ongoing public comment process. It wasn't too successful at that.

I believe I hogged the line for the most part of the call, going through the individual "best practices" proposed in TF3's preliminary report. In a nutshell, the proposed recommendations either don't make sense, are harmful, or moot.

The 2003 CDT spam report is often cited as evidence that WHOIS data mining is not really responsible for any significant amount of spam.

In early May, I changed the contact e-mail address displayed in the WHOIS records of most of my domain names to a fresh address that is not being spam-filtered. For six weeks, the address did not receive spam. I almost forgot about it. Now, I'm getting daily spam at that address.

Seems like the CDT report's findings are outdated.

Read these blogs: Michael Froomkins' discourse.net; Goldstein Howe's SCOTUS blog (this item in particular).

... and this dissent: Stevens in Rumsfeld v. Padilla.

Executive detention of subversive citizens, like detention of enemy soldiers to keep them off the battlefield, may sometimes be justified to prevent persons from launching or becoming missiles of destruction. It may not, however, be justified by the naked interest in using unlawful procedures to extract information. Incommunicado detention for months on end is such a procedure. Whether the information so procured is more or less reliable than that acquired by more extreme forms of torture is of no conse-quence. For if this Nation is to remain true to the ideals symbolized by its flag, it must not wield the tools of tyrants even to resist an assault by the forces of tyranny.

From Apple's Tiger Preview - Safari RSS page:

Safari protects your personal information on shared or public Macs when surfing the Web. Go ahead and check your bank account and .Mac email at the library or shop for birthday presents on the family Mac. Using Safari’s new privacy feature, no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It’s as if you were never there.

Who guarantees that the Safari you see on that public computer hasn't been changed? Who guarantees that there are no programs which sniff the keyboard, and the screen? Who guarantees that no hidden cameras are hidden in strategic places?

Privacy features in some particular piece of software don't mean that software is running in a trustworthy environment. Suggesting that users perform sensitive activities (such as banking) in untrusted environments, using untrusted computers, is terribly bad advice.

I'm told that current Gmail users occasionally have an opportunity to send out invites to others. Lacking an invite so far, I haven't tried Gmail, yet, and would be interested in having a look at it.

(Although, of course, I won't quit using mutt. ;-)

Later: Whow, that was fast. Thanks! (You know who you are.)