June 2004 Archives

June 2, 2004

Ethics of full disclosure.

One of the ever-returning topics in computer security fora looks at "full disclosure": Is it ethical to release tools that exploit a security vulnerability? Is it ethical to release information that makes it trivial to produce an exploit? One side of the argument basically says that it's not ethical because releasing exploits doesn't add anything for the white-hat consumer of the news, but makes attacks easy for script kiddies. The other side of the argument often talks about suppliers who don't move swiftly to fix problems unless an exploit is known and publicly available. This side of the argument also notes that it's often not possible to describe a fix without making an exploit obvious.

There is another angle to this, though: Where vulnerabilities are due to design issues, and workarounds are expensive, unavailability of public exploits may lead to continued deployment of insecure setups, despite awareness that security design is flawed. Of course, it's a dangerous assumption to conclude that just because there is no publicly available exploit, possible attackers aren't able to get access to a private one.

"Hi, you realize that your recently-deployed WLAN+VPN setup can be used to steal user names and passwords, possibly on a massive scale?" -- "Well, yeah, we knew about the vulnerability, but it didn't look like it's easily exploitable, and after all, there are no exploits out there." -- "It's extremely easy to exploit. Look, here's how it goes, and yes, I have the software I need to do this. Want a demo?" -- "Duh. But we'd be interested to learn about secure setups."

I wonder, can it be unethical to keep an exploit to a well-known security weakness private?

June 10, 2004

Too much text alert.

It seems that overly long documents are fashionable these days.

It's not just three days worth of broadcast treaty negotiations that have been minuted by a group of daring bloggers and NGO participants in the recent Geneva negotiations. (Donna Wentworth: required reading.)

For the ICANN addict, there are also three WHOIS Task Force reports totaling 202 pages of text, a Draft Procedure For Designating Subsequent .net Operator, and a modest six-page GNSO draft for criteria to be used in selecting that operator; all these documents are waiting for public comment some time in June.

June 13, 2004

WOS, last day: Pre-shared keys + XAUTH, again.

I'm at WOS 3 in Berlin, now sitting in the Copyrights in Europe workshop at the Technical University's main building. After the main conference network behaved interestingly yesterday, people are now struggling with the TU's WLAN security setup. IPSEC with pre-shared keys and XAUTH over unencrypted WLAN, of course.

User names and passwords are distributed on tiny paper strips. Keys and software are distributed on CD-ROMs that can't be mounted properly by many people here. The key information, though, has now made it to one of the blackboards, after it was unscrambled.

WOS: Ross Anderson on DRM and Competition.

Ross Anderson speaks on DRM and Competition.

Economics of software: Value of a software company is accumulated switching cost of users -- if switching 100 seats to OpenOffice costs less than 50,000 §, you don't pay 500 § per seat for Microsoft Office. If it costs more, Microsoft charges more. What happens with new document/right management technologies Microsoft is about to supply, enabled by trustworthy computing? Need permission from senders to convert files to other technology. Switching costs explode.

Use TC to lock in users by locking up their data. Software startups will have a lower probability of success. Software industry much less dynamic, much more like "normal" industry. Small number of big players, big entry costs, fewer jobs.

Playstation model: Subsidize hardware from software sales. TC computers cheaper. Later, maybe PC free, "Office plan" for monthly rent. Effect on free software when commercial software comes with free hardware? Internal Market? Talking services now, not products!

TC has nasty effects on competition policy. Twist anti-circumvention into anti-competitive tools. Need digital rights directive -- not just about consumers, but about markets. Not just about music, about everything -- because everything contains software in the near future.

June 14, 2004

When Wi-Fi won't work well...

... then you are probably using a commercial hot-spot, or maybe someone has tried to provide some "security."

The last couple of days gave me a chance to experience a variety of Wi-Fi setups. Besides the generally working open conference network at WOS (hidden behind a NAT box, of course), there were the insecure, but cumbersome security mechanisms at TU-Berlin (ultimately circumvented for many people in the room by setting up a laptop as a router between an ad-hoc open network and the official Internet access), and airport Wi-Fi at CGN and TXL.

CGN is in T-Mobile's hands. The design of the payment process looked reasonable, at least as long as you are a T-Com or T-Mobile subscriber. Random 404 errors and wrong host names in SSL certificates (hotspot.t-mobile.net vs. hot-spot.t-mobile.net) pointed towards a rather unprofessional implementation, though.
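The certificate problem above is a name mismatch: the client connected to one host name, the certificate was issued for another. The checker below is an added example (not code from the original post) that applies the usual TLS name-matching rules to exactly those two names; the presented certificate name is assumed to be the one without the hyphen, as the post implies.

```python
"""Check whether a certificate's dNSName entries cover the host the client asked for.

Added illustration, not part of the original post. Rules follow the common
TLS practice (RFC 6125): case-insensitive, label-by-label comparison, and a
wildcard only as the complete leftmost label of a name with at least three labels.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN dNSName) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        # Wildcard must be the whole leftmost label ("*.t-mobile.net"), never a
        # partial label ("hot*.t-mobile.net") and never covering a whole suffix ("*.net").
        if cert_labels[0] != "*" or len(cert_labels) < 3:
            return False
        if any("*" in label for label in cert_labels[1:]):
            return False
    for pattern, label in zip(cert_labels, host_labels):
        if pattern != "*" and pattern != label:
            return False
    return True


def cert_covers_host(san_names, hostname: str) -> bool:
    """True if any name in the certificate's subjectAltName list covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed sample: assumed subjectAltName list of the hotspot's certificate.
PRESENTED_SANS = ["hotspot.t-mobile.net"]


def check_cgn_example() -> dict:
    """Evaluate the certificate against both host names mentioned in the post."""
    return {
        host: cert_covers_host(PRESENTED_SANS, host)
        for host in ("hotspot.t-mobile.net", "hot-spot.t-mobile.net")
    }


if __name__ == "__main__":
    for host, ok in check_cgn_example().items():
        print(f"{host}: {'match' if ok else 'MISMATCH, browser must warn'}")
```

A browser that reports the mismatch is behaving correctly; the operator's fix is a certificate (or a redirect) whose names match the host users are actually sent to.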

(The Vodafone setup in MUC about which I ranted in March had a more cumbersome billing design, but was implemented better.)

TXL (where the photo was taken this morning) is more open to a number of wireless providers. Access points are shared between providers; users are then supposed to pick providers from some web page. When trying to go further than that, I got inconsistent and irreproducible behavior, including 404 messages, transparent proxies complaining, and timeouts. The "wlan-zone" was useless for me.

Open and free Wi-Fi should be a convenience at airports -- spending the waiting time attempting to debug a network is not a productive activity at all.

FC2 on Thinkpad: New kernel, less problems.

There's a new kernel for Fedora Core 2, and it seems to take care of the IRDA problems I had previously.

No more kernel re-building to move the serial driver into a module: Just make sure you do

setserial /dev/ttyS1 uart none
before attempting to load the FIR driver, and everything should work fine.

With the new kernel, the only remaining driver that needs to be taken care of separately is the one for the built-in Centrino Wi-Fi.

June 16, 2004

WHOIS comment periods extended

On its call today, the GNSO Council has extended the public comment periods for the three WHOIS Task Forces until July 5.

New gTLDs, or not?

The most interesting part of today's GNSO Council call begins 98:30 minutes into the MP3 recording, and takes about 17 minutes. It's on the agenda under "any other business": new gTLDs.

My notes are below the break; if something sounds wrong to you, go listen to the MP3 recording.

June 23, 2004

TF3, Open Call

WHOIS Task Force 3 (accuracy) had its (first? only?) open conference call. The call was intended to extend the reach of the ongoing public comment process. It wasn't too successful at that.

I believe I hogged the line for most of the call, going through the individual "best practices" proposed in TF3's preliminary report. In a nutshell, the proposed recommendations either don't make sense, are harmful, or are moot.

June 24, 2004

WHOIS and SPAM

The 2003 CDT spam report is often cited as evidence that WHOIS data mining is not really responsible for any significant amount of spam.

In early May, I changed the contact e-mail address displayed in the WHOIS records of most of my domain names to a fresh address that is not being spam-filtered. For six weeks, the address did not receive spam. I almost forgot about it. Now, I'm getting daily spam at that address.

Seems like the CDT report's findings are outdated.

June 28, 2004

Read this.

Read these blogs: Michael Froomkin's discourse.net; Goldstein Howe's SCOTUS blog (this item in particular).

... and this dissent: Stevens in Rumsfeld v. Padilla.

Executive detention of subversive citizens, like detention of enemy soldiers to keep them off the battlefield, may sometimes be justified to prevent persons from launching or becoming missiles of destruction. It may not, however, be justified by the naked interest in using unlawful procedures to extract information. Incommunicado detention for months on end is such a procedure. Whether the information so procured is more or less reliable than that acquired by more extreme forms of torture is of no consequence. For if this Nation is to remain true to the ideals symbolized by its flag, it must not wield the tools of tyrants even to resist an assault by the forces of tyranny.

Apple: Feel-good security in the next Safari?

From Apple's Tiger Preview - Safari RSS page:

Safari protects your personal information on shared or public Macs when surfing the Web. Go ahead and check your bank account and .Mac email at the library or shop for birthday presents on the family Mac. Using Safari's new privacy feature, no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It's as if you were never there.

Who guarantees that the Safari you see on that public computer hasn't been tampered with? Who guarantees that there are no programs sniffing the keyboard and the screen? Who guarantees that no hidden cameras are mounted in strategic places?

Privacy features in some particular piece of software don't mean that software is running in a trustworthy environment. Suggesting that users perform sensitive activities (such as banking) in untrusted environments, using untrusted computers, is terribly bad advice.

June 30, 2004

Gmail invite, anyone?

I'm told that current Gmail users occasionally have an opportunity to send out invites to others. Lacking an invite so far, I haven't tried Gmail, yet, and would be interested in having a look at it.

(Although, of course, I won't quit using mutt. ;-)

Later: Wow, that was fast. Thanks! (You know who you are.)

About June 2004

This page contains all entries posted to No Such Weblog in June 2004. They are listed from oldest to newest.
