Tuesday 29 April 2008, 5:10 PM
XP SP3 out on general release
The third service pack for Windows XP has been released to Windows Update for voluntary download.
The service pack, which has been available to manufacturers and volume licence customers since 21 April, mostly seems to be a round-up of previous updates to XP. However, according to the XP Professional SP3 summary document, the service pack also turns on "black hole" router detection by default, adds a network access policy enforcement platform (the Network Access Protection client), and has a "more descriptive" Security Options control panel.
Friday 18 April 2008, 5:44 PM
ISO may change its processes following OOXML debacle
The normally august International Organization for Standardization (ISO) has said that it may change its fast-track processes following the controversy around Microsoft's Office Open XML.
I've been involved in a long and very interesting round of emails between myself, a spokesperson for ISO, and Dr James D. Mason, who until the autumn chaired SC34, the ISO committee in charge of document specifications.
I did also ask Microsoft for its opinion this morning, but most correspondence from me gets sent to Redmond for a response, which is in a different time zone.
I asked the ISO spokesperson whether Microsoft's actions, which included encouraging partners to join the national standards bodies and vote in favour of OOXML, had damaged ISO's reputation, and whether it will prompt ISO to change its processes. According to earlier Microsoft statements, other companies including IBM have also tried the same tactics.
The spokesperson wrote:
"The issue of revising the fast-track procedure, or any other ISO or IEC procedure, is an ongoing process, and the experience with ISO/IEC 29500, along with the results of other standards-development activities, will indeed assist to determine whether further continued improvements should be made,"
So it seems that ISO may be scrutinising its processes. You can read more in the story I wrote about Tim Bray (co-author of the XML specification) and Dr. Mason's comments about OOXML and ISO.
James D. Mason's comments were very interesting. There wasn't enough space to print them in full in the story, so I'll reproduce one of my questions, and Mason's answer here:
Q. As OOXML has now been ratified, would it be fair to say that ISO had its hands tied by its own processes, in that SC34 had to accept the votes of the National Bodies?
A. JTC1 has been concerned about the perceived long time needed to approve standards for a very long time. More than a decade ago, they were worried that they were slower than the IETF. Then they worried about the W3C. The Fast Track process is an outgrowth of those worries, but it is a process that's rarely been used and so wound up getting its first serious test in the ISO 29500 case. It's fairly clear that the process is broken; even some people at Microsoft think that.
But the fundamental problem is with the overall ISO business model and process.
It's supposed to be a democratic process, driven by national standards bodies, each of which can set its own procedures. The recent experience shows that is full of pitfalls: Small National Bodies simply don't have the resources to do an adequate job of participating in lots of committees. They're generally volunteer organizations, and they take all the help they can get. So if Microsoft sends a volunteer, they take him. On the other hand, large national bodies, such as INCITS, which does the JTC1 work for ANSI, are heavily politicized, and that often prevents decisive action. V1, which does SC34 work in INCITS, was at a stalemate, and INCITS cast a U.S. vote that represented political decisions by the board rather than technical consideration of the issues. Something similar happened in Norway.
ISO, and JTC1 in particular, respond to the presence of other standards-making bodies not by looking at their overall business but by knee-jerk reactions, like creating the Fast Track process. I've been saying for more than a decade that JTC1 simply doesn't understand standards making in the Internet age. The IETF and then the W3C were created for the Internet age. One of the keystones of their operations is that they are online, and all texts are freely available. ISO still has a model that (1) requires face-to-face meetings and (2) expects to pay for operations from the sale of paper documents. I can't begin to tell you how many small NBs wrote me, expecting me to send them paper copies of DIS 29500, all 7000 pages of it! We have to remember that many national bodies have built large paper publishing organizations. Indeed, DIN, in Germany, seems to have started as a publishing house in the 19th century and only gradually evolved into a standards-making body in the 20th.
I don't know that the W3C's operating model is more fair or that it produces better standards than JTC1's, but it has different fundamental assumptions. For me, working in a service organization in a government agency, it was much easier to participate in ISO because getting voting membership in the W3C requires joining the consortium, which is very expensive. I also know that there is a whole bunch of people who left SC34 and went to the W3C when XML was getting started and then came back to SC34 because they got fed up with the particular politics of the W3C."
ISO denied that its processes were broken. The ISO spokesperson wrote (in part):
"The JTC 1 fast track process is not a new development, it was introduced about 20 years ago. The total number of JTC 1 standards that have been fast tracked is 267, of which 212 are current today.
The ISO process continues to work well, producing about 100 new and revised standards every month. The ISO process continues to deliver voluntary international standards that are broadly accepted in the marketplace and by regulators, consumers, governments and other interests.
ISO/IEC 29500 has attracted a great deal of publicity and pointing out that ISO has a current portfolio of more than 17 000 standards which benefit business, government and society puts this publicity into context. The amount of publicity related to ISO/IEC 29500 on the Internet and in the press is itself an indication of ISO's success in developing standards. Its work for the IT sector has facilitated the growth of important applications, e-business and the overall exchange of information."
Friday 18 April 2008, 5:01 PM
Chinese attack on CNN predicted
A contributor to the 'Dark Visitor' blog has predicted an attack on news company CNN.
The blog, which claims to track Chinese hacking attacks, has said that the attack will occur on April 19 at 8.00 pm, Beijing time. I can't read Chinese, but according to the Dark Visitor contributor 'Heike', calls for a distributed denial of service attack against CNN's website have appeared on various Chinese-language websites.
The call for a DDoS attack is apparently in retaliation for coverage of the recent violence against Tibetan liberation protesters, those vicious Buddhist monks.
Meanwhile, on Tuesday security vendor McAfee found an interesting piece of malware. According to McAfee, the file that was being distributed appeared to be a cartoon of a Chinese gymnast doing a vault at the upcoming Olympic games, for which she was given nul points by the judges. There are then images supporting a free Tibet.
However, while the animation played, a keylogger with a rootkit component was installed on the user's PC. The cartoon was being distributed as an email attachment called "RaceForTibet.exe", and the captured keystrokes were transmitted to a computer that appeared to be located in China.
Perhaps a way for pro-Chinese supporters to keep an eye on pro-Tibetan supporters?
Tuesday 8 April 2008, 10:35 PM
Homeland Security gives cyber 'early warning system' details
The US is to develop an 'early warning system' to warn of cyber attacks, US secretary of Homeland Security Michael Chertoff said on Tuesday.
Speaking at a press conference given after a keynote speech at the RSA Conference in San Francisco, Chertoff said the US government was "making an offer to share [more] information with business."
"We want to develop an early warning system," said Chertoff. Current accreditation systems would be beefed up as new private sector organisations shared information as "every chain is only as strong as its weakest link, [and] every network is only as strong as its weakest member," said Chertoff.
"We face a very serious challenge and it's only likely to grow more serious as time passes," said Chertoff in his keynote. "We're operating in a domain in which traditional military power or the power of the government is insufficient to address the full nature of the threat. A command and control response will simply not be adequate. We need a network response to deal with a network attack."
Speaking to ZDNet.co.uk after a separate session at the RSA Conference, Greg Garcia, assistant secretary for cyber security and communications at the Department of Homeland Security, said that while information was already shared between the US public and private sectors through the US Computer Emergency Readiness Team (US-CERT), that response time needed to be speeded up.
"Currently US-CERT is a focal point for sharing information between the public and private sectors," said Garcia. "We share data about anomalous network activity. We're looking for code that doesn't seem to make sense, looking for traffic patterns that don't make sense. We need to constantly improve our information sharing capabilities, and to do that will take more trusted relationships, and more centres like ISACs."
Information Sharing and Analysis Centres (ISACs) share critical national infrastructure (CNI) data between US CNI organisations and government. They include ISACs for communications, the electricity sector, financial services, and information technology.
"We want to coordinate with [ISACs] more in the coming years so over time we reduce the time it takes information to get from them to us and us to them," said Garcia. This would be done through a combination of improved business and technical processes, said Garcia.
Garcia added that the US government plans to accelerate data sharing with other governments, including the UK. "While the US already has sharing relationships with other governments, we plan to accelerate those, working through national laws, and taking into account privacy concerns and legal concerns." said Garcia.
Sunday 6 April 2008, 10:52 AM
RSA conference delegates in 'near death experience'
RSA conference delegates were shaken but relieved after faulty hydraulics on flight BA287 to San Francisco on Saturday caused a British Airways pilot to turn around mid-Atlantic and make a dash to Shannon Airport for an emergency landing. On board the plane the atmosphere was tense after the pilot announced the diversion and that he had been forced to dump most of the fuel. People made small talk to cover their nervousness that the landing gear wouldn't come down and we would be forced to crash land. They also noted that some members of the normally unflappable cabin crew looked decidedly peaky as they advised everyone about how to adopt the brace position in case of an emergency landing.
The state of nervousness was not diminished by the sight of a fleet of fire engines and police with blue lights turning as we were landing at Shannon Airport. Luckily they weren't needed as we coasted gently to a stop.
Dr. Igor Muttik, a senior architect for McAfee Avert Labs, said:
"Sure we were worried and concerned. We were mostly joking, but it was a shared near death experience. But now it's pretty fun -- it's something to remember. It would be nice to be in San Francisco but Shannon is pretty fine."
Patricia Moll, European policy manager for Google, said:
"Fortunately we're all safe, however many passengers have lost luggage from Terminal 5, and we have had little to no support from British Airways staff here on the ground. We hope that BA will be able to sort this mess out."
Rupert Cook, Prevx corporate development director, who had been upgraded from premium economy due to an extremely full flight, said:
"The organisation outside the aircraft was a total fiasco, but the food and wine in business class was very nice."
Business consultant for Prevx Fernando Francisco said:
"I was a little bit worried, but you've got to keep calm. You did a good job of keeping me calm, too. I missed a connecting flight to Los Angeles, but I was also happy to spend a night in Shannon."
Delala Attiogbe, senior site manager at Genentech, said:
"There was a frantic call for the senior flight crew member. In terms of calming passengers there should have been other means to alert the senior member of crew. Shortly afterwards there was an announcement about there being a hydraulics issue which really wasn't specific, which didn't calm people down either. Luckily the problem wasn't as bad as it seemed. However, coordination of passengers to hotels was a little bit unsettling."
The flight had already been marred by a three and a half hour wait on the tarmac at Heathrow caused by the now notorious baggage system at Terminal Five. Baggage had been loaded that belonged to passengers who did not board, which then had to be unloaded. Unfortunately the cases had to be found by hand, which seriously set us back.
The luggage problems were compounded at Shannon Airport by there not physically being enough room to unload bags. Many of the passengers also found that their luggage had not been loaded onto the plane to begin with, so had to spend the night in the clothes they stood up in.
Most of the passengers were then taken by coach to the Clare Inn in Shannon, where some contemplated a night in the hotel lobby. However, at least two other hotels were also used.