Happy Birthday to the RISKS Forum!

Tech: One of the first online periodicals I started reading regularly, when I first got access to USENET back in 1989 or so, was comp.risks – Peter G. Neumann’s RISKS Forum. Since then, I’ve been reading it religiously, in various formats over the years.

It appears that RISKS has just celebrated its 20th anniversary.

Every couple of weeks it provides a hefty dose of computing reality to counter the dreams of architecture astronauts and the more tech-worshipping members of our society, who fail to realise that just because something uses high technology, doesn’t necessarily make it safer.

I got to meet PGN a couple of weeks ago at CEAS, and I was happy to be able to give my thanks — RISKS has been very influential on my code and my outlook on computing and technology.

Nowadays, with remote code execution exploits for e-voting machines floating about, and National Cyber-Security Czars, I’d say RISKS is needed more than ever. Long may it continue!

Irish Oireachtas take care of their own

Net: Fergus Cassidy reports that ‘bandwidth-starved TDs and Senators’ in the Oireachtas will be taking a shortcut around Ireland’s woeful consumer broadband situation, especially in terms of deployment outside of the main urban areas.

There’s a tender up to implement ‘an enhanced remote access system, which will improve access from Members’ homes or constituency Offices to data and services on servers in Leinster House’.

No similar luck for their constituents, of course. That really takes the biscuit…

IBM Pledges 500 U.S. Patents to Open Source

Patents: wow, this is amazing news! ‘IBM today pledged open access to key innovations covered by 500 IBM software patents to individuals and groups working on open source software. IBM believes this is the largest pledge ever of patents of any kind and represents a major shift in the way IBM manages and deploys its intellectual property (IP) portfolio.’

Even better, they are hoping to begin a ‘patent commons’ for other companies to join, and the OSI definitions of which licenses are judged ‘open’ apply.

More details:

Of course, it would be better if it were also safe for commercial software development. But this is a valuable bulwark against Microsoft-style patent tactics.

Linux and small hardware vendors

Linux: Everyone who’s used a non-MS system will have learned – typically the hard way — that not all hardware is equal. Not just in terms of specs, flexibility and power, but also in terms of whether or not it can be used at all.

Most hardware vendors consider their specification and interface documentation to be their crown jewels; giving access to these without a signed NDA is impossible. On the other hand, for free software developers, signing an NDA makes life quite difficult — it can be done, but nobody else can help you maintain it further without signing an NDA, the resulting code may ‘disclose’ too much of the ‘IP’, and so on. In a lot of cases, the vendor isn’t interested in giving access to the specs, even with an NDA — it’s their IP and why isn’t the customer just using Windows?

The end result: lots of hardware with crappy support on non-MS operating systems.

Things aren’t as bad as they used to be, though — since nowadays the high-end hardware is more likely to support standards, and Linux is a top choice on embedded hardware (set-top boxes for example), so it has a much higher profile. But cheap, end-user oriented PCs still wind up with components from vendors who couldn’t be bothered with non-Windows customers, and that can mean using a hacked-up, reverse-engineered driver and hoping it works. (That’s not to denigrate reverse-engineered drivers; some of them work great. But fundamentally, the vendors are making a mistake here.)

So it’s pretty impressive to see that LaCie are now sponsoring development of k3b, the CD/DVD burning application for KDE!

Good timing too, I was about to buy a DVD burner ;)

Witty’s 110 seed hosts

Security: good ;login: preprint article on the ‘Witty’ worm. ‘Conclusion: Witty represents a new generation of malcode: written by a motivated, skilled, and malicious individual. Witty’s author is the first to combine both skill and substantial malice. The author had some motive which led, for him, to desire a destructive effect. Witty was written by an expert and, unless caught, he could do it again.’

However, there’s one point where I think the authors have slipped up:

The use of previously compromised machines (for seeding) requires that the attacker either obtained access on 110 machines using a different tool, already had access to 110 machines, or took control of these machines from a third party. Thus Witty’s author probably possessed some ties to the attacker underground, to gain these machines in the short timeframe.

IMO, that’s not necessarily the case. Given that current estimates are that 80% of spam emanates via open proxies, and that those in turn are generally insecure machines that have been taken over, I would surmise that someone with access to a reasonable amount of spam and an off-the-shelf Windows vulnerability scanner could quickly amass 110 machines to launch the attack with — simply by scanning for the vulnerabilities those machines were r00ted with in the first place.

Good article otherwise, though…

‘Group Coca-Cola Schemes’, and the EU IP Enforcement Directive passes

Ireland: Bad news from home.

A truly ground-breaking concept, the ‘Group Broadband Scheme’, has been watered down into a shadow of what it could be with a requirement that all community internet access schemes be operated in association with ‘an Internet Service Provider or Authorised Operator’.

In other words, rather than a radical new way to provide affordable non-profit, community-owned high-speed internet access in rural areas, it’s just business as usual:

‘With the launch of the 1st Call for Group Broadband Scheme proposals, it is clear the Minister intends to require that any application for funding under the group broadband scheme initiative be made in association with an Internet Service Provider (ISP) or Authorised Operator (AO)’, said (Ireland Offline) chairman Christian Cooke, ‘a so-called Broadband Internet Service Provider (BISP)’. …

Experience in the UK has shown that the commercial provision of broadband in rural areas is not financially viable. Low population and wide dispersal lead to lower margins than can be supported by a profit-oriented enterprise. …

Ireland Offline warned that, with the prerequisite of partnering with a BISP as a condition of GBS funding, there is a very real danger of companies cherry-picking more lucrative areas, leaving communities for which the funding should have been made available … without any services.

‘In short, in its current form, the group broadband scheme initiative bears no resemblance to the group water schemes, to rural broadband provision’, said Cooke, ‘and every resemblance to the packaging of subsidized local monopolistic franchises, monopolistic because no competitor could go head-to-head with a subsidized service. It is therefore better to think of them as not so much like group water schemes as ‘group coca-cola schemes’.’

IrelandOffline press release here.

In other EU news — the EU Parliament has approved the IP Enforcement Directive. The Greens report:

  • Patents are included within the scope of the directive.
  • only 3 parts of the directive are limited to ‘commercial scale’. This means that the provisions of Articles 7(1), 8 and 9 can potentially be used against consumers. In the US this kind of legislation has been used to target, amongst others, children and their parents for downloading music.
  • there are concerns amongst ISPs that they can be attacked for ‘providing’ the means to download content which is protected by copyright.

James Heald: ‘Exactly what will now happen, and exactly what surprises it may lead to, will now depend on the different details of how the directive is now implemented from member country to member country across Europe.’

IBM attempting to patent the ‘wallet’

Patents: New Scientist reports that IBM have applied for a patent on “an electronic password ‘wallet’ that securely stores all your passwords, with overall access via a single password. The wallet pops up on screen whenever you are asked for a password. You enter the master password and the wallet then answers the online request by pasting in the appropriate password for that site.”

This should be familiar to anyone who’s used Mozilla’s Form Manager feature, which fits the patent claims perfectly. That page notes that the Mozilla feature was created in 1999, just under 3 years before the patent application. Let’s hope the USPTO remember to do a Google search this time!

More on SCO v IBM

LWN on the case. An excellent commentary, and features this lovely user-posted comment as well:

‘Without access to such equipment, facilities, sophisticated methods, concepts and coordinated know-how, it would be difficult or impossible for the Linux development community to create a grade of Linux adequate for enterprise use.’

Alan Cox wrote the first SMP version of Linux. Do you know who bought Alan the hardware? It was Caldera :-)

Not IBM, after all, but Caldera — who are now part of the SCO group. This usenet posting from 1995 backs that up, as does the Caldera-badged Linux SMP page.

Matt Blaze vs master keys

Matt Blaze has posted a very neat exploit against ‘weaknesses in most master-keyed lock systems, such as those used by offices, schools, and businesses as well as by some residential facilities (particularly apartment complexes, dormitories, and condominiums). These weaknesses allow anyone with access to the key to a single lock to create easily the master key that opens every lock in the entire system. Creating such a key requires no special skill, leaves behind no evidence, and does not require engaging in recognizably suspicious behavior. The only materials required are a metal file and a small number of blank keys, which are often easy to obtain.’

‘The vulnerability was discovered by applying the techniques of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock design.’

Paper here.

(Untitled)

Eircom gets beaten up by regulator. Check out this quote: “As eircom has failed to supply all the relevant information, I have set interim prices [...] Eircom’s approach with respect to costing and the level of response and co-operation on this issue is not acceptable.”

MEDIA RELEASE For Immediate Release April 30th 2001 Telecoms Regulator sets prices for Local Loop Unbundling.

Etain Doyle, Telecoms Regulator today (Monday 30th April 2001) cleared the way for implementation of local loop unbundling. In a Decision Notice today the regulator set prices for access and directed changes to eircom’s Reference Access Offer. Monthly line rental is fixed at €13.53, or £10.66.

According to the Regulator, “while there has been an LLU reference offer available from Eircom since the due date of 31 December 2000, this was incomplete and non compliant in several respects. In order to ensure that consumers are in a position to derive the benefits that Local Loop Unbundling can bring I have decided to intervene and set prices.”

Local Loop unbundling has the potential to increase significantly the range of competitive services available to businesses and consumers. It requires the network owner to provide access to the copper pair connecting an individual telephone subscriber to the nearest point of interconnection with the main telephone network at the local exchange. This allows new entrants to offer a full range of broadband services directly to the customer.

The regulator continued “As eircom has failed to supply all the relevant information, I have set interim prices based on the information available to me. Despite repeated requests and the clear direction that the 30th April was the final date for the determination, there are still very substantial gaps in the material provided to me by eircom. Eircom’s approach with respect to costing and the level of response and co-operation on this issue is not acceptable.” These charges set are based on data from eircom, benchmarking and other reviews and analyses by the ODTR of efficient operator costs. They are within the range of pricing in other EU countries. The line rental at €13.53 is within the EU range from €8.23 to €19.51, and connection at €119.73 compared with €47 to €221.69.

The setting of these prices does not relieve eircom of its responsibility to address the deficiencies in its pricing proposals and to make a comprehensive re-submission to the ODTR on all matters.
