The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.
Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how it uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.
Guy Wright’s piece titled “Internet Security: We were worried about the wrong things” is a bit old, but it makes an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
Much has been made of Hillary Clinton’s use of her own mail server, running out of her home. It didn’t change my opinion of her, and I don’t think it changed anyone else’s either–it just reinforces what everyone has thought of her since the early 1990s. Then, Ars Technica came forward with the bizarre case of Scott Gration, an ambassador who ran his own shadow IT shop out of a bathroom stall in Nairobi.
The money quote from Ars: “In other words, Gration was the end user from hell for an understaffed IT team.” And it concluded with, “[A]s with Clinton, Gration was the boss—and the boss got what the boss wanted.”
Indeed. And it doesn’t just happen in the government.
It seems like a hundred years ago, but in 1996, I briefly infiltrated a group of conspiracy theorists–“sovereign citizens”–and wrote a few news stories and an analysis piece about them. They quit speaking to me after the first one was published, and I received threatening phone calls at the newsroom.
The group was newsworthy because it was causing a lot of problems for officials in that town, but we struck gold. Another reporter in the newsroom was a Marine–there are no former Marines–and when he saw the ringleader’s claim he was a retired Marine colonel, he made some phone calls. This “colonel” turned out to only be a low-level enlisted. (There are two tracks in the military: officers and enlisted. A colonel is the rank below a general–a big deal. This guy was probably a common infantryman, and probably wasn’t in very long.) When I printed this finding, he lost credibility. If he was lying about his rank, what else was he lying about?
This movement fizzled out after a couple of years, but this and other movements like it are back again.
On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.
Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Neiman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high: they’ve hired a CISO, and I hear they’re hiring lots of new security personnel–I have coworkers and former coworkers in the Minneapolis area who tell me as much. But for Michaels and Neiman Marcus, the cost, at least so far, appears to have been manageable.
But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.
If all (or even a slim majority of) Lutheran churches were like Bethlehem Lutheran Church, I would still be Lutheran. Since they aren’t, I’m not.
But I’ve gotten ahead of myself, and made this way too much about me.
Late last week, there was a big boom at the corner of Salisbury and North Florissant in the north St. Louis neighborhood of Hyde Park. It sounded like a truck wreck, but it turned out to be the wall and roof of a 120-year-old sanctuary crashing to the ground.
Sometimes in a batch file I find myself needing to perform more than one operation on a server, especially inside a for loop. Rather than do a pair of for loops, which isn’t always desirable, you can use the & operator.
I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.
For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.
Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, I didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.
I also know about this training that Snowden put on his resume.
For several years, I administered a command and control system for the U.S. Air Force. I sat in a datacenter, surrounded by racks jam-packed full of servers, and they kept the building at 64 degrees year round. I quickly learned to keep a jacket handy.
Our system consisted of a diverse collection of Dell 1U and 5U servers, HP blades, and a couple of Sun SPARC boxes. It was a professional-looking setup, and except for the times we were doing massive system upgrades, the system generally worked as well as it looked.
Then we got a neighbor.
It was 9:15. I was tired. I’d been reading, then I went to my computer to check baseball scores. I saw that the president had called a press conference for 9:30 CST, with no indication what it was about. 9:30 PM on a Sunday night isn’t when you usually call press conferences, and there’s usually some indication what the subject will be. I was curious enough to click around to see what was going on, but when I didn’t find anything right away, I went to bed.
This morning I woke up, went straight to the Kansas City Star’s baseball page to get an account of last night’s Royals-Twins game, and out of the corner of my eye, spotted the last headline I ever expected to read: “The Raid that Killed bin Laden.” What? Beneath it was a similar headline. I clicked, read the first two sentences to make sure I was reading the right thing, then raced into the bedroom, where my wife was getting our two sons dressed.
“They got bin Laden,” I said. And she did the same double-take that I did, and made me say it again.