Security | 22 Mar 2006 10:37 am

I haven’t had much time to read news lately, much less talk about it, but this is so stupid that I had to say something.

According to some articles (see article1 and article2), Verisign has just made an amazing discovery… the DNS amplification attack!

If this is so new, why did we see it 7 years ago (or even before that)?

Honestly, I don’t know if Verisign is claiming that this is new, or if it’s just the reporters who are. (This computerworld article about the Verisign statement doesn’t seem to make such a claim.)

DoS attacks have become rather unsophisticated in the last 5 years because attackers usually don’t need to be very sophisticated. If you have 100,000 bots, why bother to forge source addresses? I’m not even sure why Verisign would see these on its root servers, because the reflection work can be distributed among such a large number of servers that individual servers don’t see much traffic.

What are they going to discover next? The Internet?

Security | 13 Mar 2006 12:51 pm

Often I seem to go long periods without reading about anything interesting in the news, but lately I’ve come across a number of things that I’ve been thinking about.

Uber Rootkit?

First: This slashdot article points to this eweek article on the issue of “VM rootkits”. This isn’t really anything new. For some reason I thought I had seen something about SubVirt on the Virtual-machine based security services (at the University of Michigan) page, but perhaps I just heard about the project by word-of-mouth. (I know I’ve read about ReVirt before.) I recommend checking out that page, BTW.

Anyway, with hardware virtualization support about to become available (see this article or this blog) people are wondering whether hardware support will be beneficial or detrimental to system security.

I think it will be beneficial for two reasons:

  1. Hardware VM support could enable a system to run a hypervisor that is booted from flash (or similar) but physically unable to write to its boot media. An upgrade might require the insertion of some sort of key into the hardware to make the flash physically writable. (This could also be done using something like “old school” PCMCIA cards that have the little write-protect switch.)
  2. With virtualization support at the hardware level, it becomes (much?) more difficult (but not impossible) for something running inside a virtual machine to detect that it’s running inside a virtual machine.

For #1, you’re probably thinking “Why is this better than booting from CD?” It isn’t necessarily that much better, but it has the potential to allow active monitoring of the system while the “guest” OS is running. So, it could be a good place to run intrusion detection/prevention code or anything else that needs to monitor the OS without being visible to it. You could also suspend the main guest OS and perhaps run diagnostics on it if something looks out of the ordinary.

Obviously the disadvantage of #1 (or advantage if you’re an attacker) is that a rootkit could run in the same manner, but it seems like this possibility could practically be reduced to one that requires physical control of the system in question. It wouldn’t surprise me to find that IT people don’t want to have to physically upgrade 10,000 machines they’re managing. This is a problem, but like everything else in security there is probably a useful compromise. Hopefully this sort of upgrade would take place infrequently enough that the additional cost of using some non-physical high-security approach would still be acceptable to most organizations. (And small or high-security organizations might still use the physical method.)

For #2, the usefulness is that malware will have a harder time detecting that it is running inside a virtual machine in order to foil attempts at live analysis. Still, there’s always the real-time clock, so unless that can be made to run “slower” to match virtualized CPU time, detection still wouldn’t be impossible. And again, this is exactly why a rootkit wants to run here.

The advantage that “anti-rootkits” would hopefully have against rootkits is that users want the anti-rootkits installed and would hopefully be willing to make tampering with them a very high-touch procedure that most intruders wouldn’t realistically be able to attack. If something requires physical access to change, the intruder will have to have physical access. Even if some non-physical protocol is required, hopefully that would be high-touch enough to make most attacks impractical.

Torn up credit card application, accepted!

I usually shred the credit card offers I get in the mail with a “medium security” crosscut shredder (cuts into confetti but not paper dust like some high-security models). Occasionally though I do rip them up by hand and throw them in the trash. I’ve often wondered if this would be sufficient to prevent someone from using them to obtain a card in my name.

Well, this guy actually tried it, and guess what? It was accepted! Never let minor issues like the application being torn up and taped back together stop you when there’s an opportunity to sell someone a credit card!

Sadly, I’m not really that surprised. In truth though, if a thief finds a torn up credit card application in your trash, he’s probably going to move on to the next trash can. Tearing one of these up is probably still sufficient to raise the bar high enough that the criminal will go for lower-hanging fruit that’s just as tasty.

Note that most of the crappy ribbon-cut shredders that I’ve seen don’t make it that much more difficult to reassemble the original document than manually tearing it up. The typical crosscut shredders still don’t make it impossible to reassemble a document; supposedly black-ops people out there have software that will scan each piece of paper and reassemble the image from the scanned pieces. Maybe that’s just an urban legend, but then again the “panorama maker” software that came with my digital camera is already pretty close to that, if not there.

Anyway, the point is that you don’t always have to have perfect security, just security sufficient that the cost of overcoming it is greater than the value of whatever it protects. (I’d call that “appropriate security”.)

On a related note, my bank actually sent me a credit card last year that I never applied for. That’s just great. When I called their “fraud” department I got some call center, probably in some foreign country or something, where the customer service guy said he couldn’t do anything. This is almost as bad as, or maybe worse than, the legitimate email that looks almost exactly like phishing email.

GPG Bug

I don’t really use GPG that much but I noticed this vulnerability. It’s pretty significant. Anyway, just thought I’d mention it.

Security | 13 Mar 2006 11:12 am

A few months ago my bank mailed me a new debit/ATM card, completely unsolicited. I promptly called up to have it canceled. I didn’t want a debit card, and now I want one even less after recent reports of debit card fraud related to PIN theft.

So forget recent fraud incidents. Why is it that I have never wanted a debit card? This quote from this MSNBC article sums it up nicely:

Debit card theft can be far more severe than credit card theft for consumers. For starters, different consumer protections apply. Account holders are liable for only up to $50 of credit card fraud — but consumers can be liable for the entire balance of their bank account after debit card fraud, according to federal banking regulations. Many banks voluntarily extend credit card-style protection to debit cards, but they are not required to do so.

My bank claims that they do extend credit card liability limits to debit cards, but like I told the customer service guy, I don’t care. Why? Again the article sums it up nicely.

Moreover, debit/check/ATM card fraud means money is instantly missing from the consumer’s account. That can lead to bounced checks and other hassles. In credit card fraud, consumers generally never lose the money and simply don’t pay the bill for the fraud.

So even without the recent PIN theft, I’d cancel my debit card if I were you.

Coding, Security, Electronics | 27 Feb 2006 07:41 pm

I learned of this do-it-yourself ps/2 keylogger design reading Schneier’s weblog today (and this is even a few days old so you can see how well I keep up with current events).

Now if only I had some keypresses worth logging…

Security | 14 Feb 2006 10:39 pm

Ran across this article on slashdot about a phishing site using a “legitimate” cert issued by Equifax. Quote:

Now here’s where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust.

All I can say is, why haven’t we seen more of this? Or has more of this happened and I just haven’t heard of it? We’ve known from the beginning that the fatal flaw (well, really there are several; see this for more) in the SSL/TLS trust model is that browsers ship with CA keys for many organizations (hmm, let me take a look at Firefox here: 30 or so), and it only takes ONE of those organizations to have a breakdown in its procedures to let an attacker subvert the whole system. With the 30 or so organizations that I count in the CA keys bundled with my browser, they get quite a few chances at success.

I just disabled all of the Equifax and Geotrust keys in my browser (firefox). It will be interesting to see just how many sites that I run across that are depending on these keys to establish trust between users and themselves.

Another quote from the article:

Geotrust’s cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site’s registrar records, along with a special code that the recipient needs to phone in to complete the process.

Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

That seems like a very cavalier attitude from a company that people are relying on to establish a potentially very sensitive trust relationship, possibly involving millions of dollars. I don’t even know how to express what a dismal state this is for the entire SSL CA infrastructure, and it’s probably been like this for quite some time now. Given this, PGP’s “web of trust” model is even starting to look more practical as a public infrastructure.

Seriously though, this system obviously needs some serious improvement. One thing that might help is multiple classifications for CA keys where each class is treated differently by browsers. For example, you connect to a bank’s web site and the browser sees that the site’s cert is signed with a “low security” CA key. It displays a warning to the user saying “This web site is using a key which is suitable for online storefronts but not banking and financial web sites. If this site is claiming to be a financial web site then there is a significant possibility that the site is fraudulent.” Basically any cheap cert verified only using automated procedures like this would cause such a warning to be displayed.

For certs issued to organizations after rigorous manual verification (as should be the case with banks), this warning would not appear.

Of course this is probably impractical as people will eventually get sick of the message, ignore it, or click the inevitable “don’t show this warning again” checkbox. Still I think there is something that could be done here with multiple levels of trust for different CAs based on their verification procedures. I don’t think we can expect every electronic storefront to pay a huge pile of money to have some lawyers sign off on their SSL certs, but we can expect banks to go through this expense. It would be nice if we could have both for the same price, but that probably won’t happen.

Coding, Python, C/C++, Symbian Series 60 | 30 Jan 2006 03:10 pm

cyke64 wrote to let me know that Simo Salminen has created some examples of how to use Pyrex with the S60 Python port. As you may know, Pyrex isn’t really designed to wrap C++, so a little work is needed to provide a plain C interface for the code generated by Pyrex. Apparently there is another issue with static variables used in the Pyrex-generated code.

I should really get back into creating some symbian toys.

Coding, Python | 26 Jan 2006 12:13 pm

pydnsres-0.11.tgz: python bindings for libdnsres, an asynchronous event-based DNS resolver. This is still very early code that I threw together rather quickly and it has a few issues. See the README file for more info. Right now it requires Pyrex to build but this dependency will be removed at some point.

Security | 25 Jan 2006 10:56 pm

Recently I was reading through blogs or something and came across a link to Applying the Principle of Least Privilege to User Accounts on Windows XP.

Believe it or not I’ve actually been running all of my windows applications as a regular non-privileged user (in the “Users” group, not even “Power Users”) starting with XP (maybe a year or so.) It used to be next to impossible to do this because applications would always want to write to various system state locations or their application directories, but it actually seems to work pretty well now.

For some reason I could have sworn that I came across that article before now even though it’s dated January 18, 2006. Anyway, I didn’t really read most of it since most of it is the usual common sense “don’t login and run everything as root” stuff that most UNIX-like OS users have been practicing pretty much ever since they started using a multi-user OS, but what did get my attention is the tools linked to in the article.

The first one, which I’ve already been using for a while, is the “run as” command thing. This is basically like ‘sudo’ for Windows, except without as many fancy configuration options. Read about that in How to enable and use the “Run As” command when running programs in Windows. This works well when you download some installer and need to run it as Administrator in order to allow it to install.

The other interesting tools (that I haven’t tried yet) are:

  • MakeMeAdmin appears to let you start a command shell as yourself but in another login session where you’re in the Administrators group. I’ve also had good luck with ‘runas /user:Administrator msh’ (substitute cmd.exe for msh if you don’t have msh) but it looks like MakeMeAdmin is more convenient especially in a network environment.
  • PrivBar is interesting but I think I’m going to skip this one. I’m pretty used to keeping up with what’s going on with login privileges.
  • DropMyRights is useful for those who just can’t stand not logging in with administrator privileges. It allows you to deprivilege yourself for the purpose of running specific applications that tend to be more risky to run with full administrator privileges.

These tools aren’t terribly new (I think they’ve all been around since the end of 2004) but they seemed worth a mention. I wish I had run across them earlier.
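As an added example (not code from the post above or from any of the tools it links to), here is how the two things these tools do, checking which privileges the current shell actually has and running one program as Administrator from an otherwise unprivileged session, look in msh/PowerShell itself. It assumes a shell where .NET types are reachable with the [Type]::Method syntax and new-object; the cmdlet names are those of released Windows PowerShell and are assumed to match the beta. The installer path is hypothetical.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell / Monad
# syntax; the installer path below is a placeholder.

function Test-IsAdmin {
    # Ask the access token of the current process whether it carries the
    # Administrators group. This is the same question a PrivBar-style
    # indicator answers, without a toolbar.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = new-object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AsAdmin {
    # Run exactly one program with Administrator rights, the "sudo"-style use
    # of runas. Everything else in the session stays unprivileged. runas
    # prompts for the Administrator password on the console; a path that
    # contains spaces must be quoted as a single argument.
    param([string]$Program)
    if (Test-IsAdmin) {
        & $Program
    } else {
        runas /user:Administrator ('"' + $Program + '"')
    }
}

# Usage: report the privilege state of this shell, then install something.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-IsAdmin) { "WARNING: $who is running this shell as an Administrator" }
else              { "OK: $who is a plain user in this shell" }
# Invoke-AsAdmin "C:\Downloads\setup.exe"   # hypothetical installer path
```

One caveat worth knowing: on XP, IsInRole reflects group membership directly, so a member of Administrators always gets True. On later versions with UAC, the same call inspects the filtered token and reports False for an Administrators member whose shell was not elevated, which is the more useful answer but a different one.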

Coding | 20 Jan 2006 03:07 pm

Lately I’ve been trying to force myself to learn more about windows. For people who mostly do their work on unix-like operating systems, dealing with windows is often a bit painful. One of the most painful things has always been the lack of any real text-based command shell. “cmd.exe” is a bit of an improvement over “command.com”, but not much of one.

So as soon as I heard someone mention that the new Microsoft Command Shell (code name “Monad”) was available for download (even though it’s still in beta) I immediately downloaded it and started using it. Finally windows has a command shell that doesn’t totally suck. What took them so long?

The most immediately interesting thing about msh is that commands generally don’t just pipe arbitrary byte streams between each other, they pipe objects. Quote from the Wikipedia article:

The key difference between the usual Unix approach and the MSH one is that rather than creating a “pipeline” based on textual input and output, MSH passes data between the various cmdlets as objects (structured data).

This is nice for several reasons, but one simple, immediately obvious useful thing it does is eliminate the need for elaborate grep | cut | sort | uniq pipelines. To give you an idea what this is like in msh, imagine that you had an ‘ls’ command that output XML instead of formatted text. Now let’s say you only want a list of files and file sizes. So, you execute something like ‘ls | xmlcut filename,filesize’ which outputs only the file names and file sizes as XML. Then your shell goes “Oh, this is XML output to an interactive stdout. I need to format this.” and implicitly pipes that output to a default function for formatting XML as a table or something. Here’s how something like this works in msh:

ls | format-table Name, Length

That’s literally a working pipeline. Note that ‘ls’ is actually an alias (built-in, believe it or not) for ‘get-childitem’. msh seems to be very well abstracted. ‘get-childitem’ works for file paths, registry keys, variables, aliases, and probably other things I’m not aware of. msh also makes things like the registry, aliases, and environment variables available as “drives” such as ‘Alias:’, ‘Env:’, and ‘HKLM:’ (HKEY_LOCAL_MACHINE).

Commands can also introspect (oh, sorry… in .NET it’s called “reflect” or something) their output destination to provide appropriate information to the next command in the pipeline. If all of this is sounding very .NET-like, that’s because it is.

There are a ton of interesting capabilities in this thing; I’ve barely touched the surface of it. Objects also have methods which can be called from msh. For example:

(get-childitem c:\final.txt).MoveTo("c:\techdocs\final.txt")

All of this is the kind of stuff you’d expect with .NET/CLR.
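To make the three points above concrete (object pipelines instead of text pipelines, the provider model that exposes the registry as a drive, and reflection on the objects flowing through), here is an added example; it is not from the post and the cmdlet names and syntax are those of released Windows PowerShell, assumed to work the same way on the Monad beta.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell / Monad
# cmdlet names; paths under C:\Windows are only used as sample input.

# 1. "grep | cut | sort | uniq -c" without parsing any text: count files by
#    extension, largest groups first. Each stage receives objects with real
#    properties (PSIsContainer, Extension, Length), not columns guessed from
#    whitespace, so a file name containing spaces cannot break the pipeline.
get-childitem C:\Windows -recurse -erroraction silentlycontinue |
    where-object { -not $_.PSIsContainer } |
    group-object Extension |
    sort-object Count -descending |
    select-object -first 10 Count, Name

# 2. The same provider model applied to the registry through the HKLM: drive.
#    The Run key is one of the standard autostart locations, so listing it is
#    a cheap thing to snapshot and diff when a machine starts acting strangely.
#    get-itemproperty returns one object whose properties are the value names;
#    the PS* properties are provider metadata, not registry values, so skip them.
$run = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
(get-itemproperty $run).PSObject.Properties |
    where-object { $_.Name -notlike "PS*" } |
    foreach-object { "{0,-30} {1}" -f $_.Name, $_.Value }

# 3. Reflection: ask the object what it can do instead of reading a man page.
#    This lists MoveTo, Delete and the rest of FileInfo's methods, the same
#    ones invoked with the (get-childitem ...).MoveTo(...) syntax above.
get-childitem C:\Windows\notepad.exe | get-member -membertype Method
```

The second pipeline is the one a security person will reuse: save its output once, rerun it later, and compare. Because the comparison is on value names and data rather than on formatted text, a changed path inside an existing entry shows up as clearly as a new entry.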

Anyway, it’s nicely designed and I’m pretty impressed. I never thought I’d say anything like that about a command shell from Microsoft (sorry guys). I’m particularly impressed that it comes with aliases for many of the common unix and dos shell commands. It also has man-page-like documentation accessible via the ‘help’ command, and there’s even a ‘man’ alias for ‘help’. Now they just need to add all the features in zsh and I’ll be really happy with it.

You don’t need a Vista beta to get msh, and you don’t even need an MSDN subscription. Just download it from here. (Unfortunately you’ll have to register for a Passport account to get the download, which is a bit annoying.)

msh will install and run just fine under Windows XP. Make sure to get the documentation pack as well. Some doc-finding tips: use ‘help *’ to get a list of all available help pages. Use glob patterns to search the list for something, like: ‘help get-*’ will display all commands starting with ‘get-’. Make sure to check out a few of the ‘about_*’ pages, particularly the ones on objects, properties, and methods.

Random Stuff | 02 Jan 2006 04:21 pm

When I built my new AMD Athlon 64 X2 machine, I decided to try out Windows XP Professional x64 Edition for a while to see if it was stable and offered any significant advantage over 32-bit windows.

I’m not sure why I decided to be so daring since I’ve always made it a policy to never use the latest version of windows. For example, until I bought this new machine I was using Windows 2000. This actually worked out really well because about the time XP came out, Win2k had been around long enough that it was very stable and I almost never experienced a crash of the entire OS.

The only real problem I encountered using Windows 2000 instead of XP was Bluetooth support. I could do pretty much anything I wanted with Win2k, but to use Bluetooth I was forced to run the buggy Widcomm Bluetooth stack software which didn’t work half of the time. Bluetooth was about the only reason for me to get XP, but it still wasn’t compelling enough for me to do anything about it until I bought a new machine. This sort of leaves me wondering why people even buy XP when 2k is just fine 99% of the time and is more stable on top of that. Is it the marketing hype or the blue taskbar/window theme? Even though XP is pretty stable now, I still find myself using Win2k under emulation or virtualization environments since it has a smaller memory footprint and tends to be a little more responsive.

Anyway, I wasn’t too surprised to find that x64 was just not stable enough for my normal usage patterns. I tend to use my windows machine for stuff like development tools (Xilinx ISE for example), games, video, and other “non-server” applications which require windows. For these purposes it just doesn’t work very well. Some of the annoying problems I encountered while using x64 included:

  • Unstable drivers crashing the system frequently.
  • Lack of drivers:
    • None for the 802.11 adapter I tried to use. (In fact, none for any 802.11 adapter.)
    • I didn’t even bother to look for 64 bit drivers for my camera, scanner, or phone, but those probably don’t exist either.
  • Relatively simple 32-bit software running under WoW64 crashing for no apparent reason.

And probably some other things I don’t recall at the moment. There are very few 64-bit apps that will actually take advantage of the wider architecture, and none of the ones I encountered are something I want to use. (It’s quite possible that all of the 64-bit applications out there are solid and stable, but that doesn’t help me if I don’t need them for anything.) Some of the “64 bit” apps I encountered wouldn’t even run on my AMD-based machine because they were compiled specifically for Intel’s 64-bit architecture.

Sometime around the beginning of December I finally decided to say “to hell with it” and I reinstalled with the “x86” (32-bit) standard version of Windows XP Pro. (And in case you were wondering, I actually bought legitimate copies of both!) Suddenly everything worked again!

I think I’m going to stick to my practice of never running the latest version of windows. This means I won’t be using Vista until the release of whatever comes after Vista, and even then I probably won’t use Vista. After all, if previous experience is any indication of what Vista will be like, it will be bigger, slower, more unstable, and offer no significant advantage over XP except maybe the suspiciously-more-mac-os-x-looking UI.

In any case I wouldn’t recommend running the 64 bit version of any windows OS right now unless you have a specific need for it.
