Dave's Bit Bucket

Dave Walker's jottings - mostly pertaining to security


20070221 Wednesday February 21, 2007

Gates sounds off

So, Microsoft Windows Vista is now out in the world at large, and Mr Gates is sounding off about how it's "dramatically more secure than any other operating system released".

The natural knee-jerk reaction to this statement can be summarised politely as "Solaris 10 Trusted Extensions", or perhaps "Green Hills INTEGRITY", depending on what you want to do.

However, let's step back a bit before considering putting the proverbial boot in.

Vista may well be the most secure Microsoft operating system ever released; let's face it, that wouldn't be hard. However, security is a sufficiently many-splendoured thing that, to compare the security of completely different environments, you have to go all the way back to the threat model and the user community - more of which later. However, to begin with, let's hit the features.

Full disclosure: I've not used Vista. I've not even seen Vista (or XP, as far as I can tell, although I've seen folk using W2K). I'm just working from Vista datasheets and press / pundit info here, as compared to genuine Mac OS X and Solaris knowledge.

  • Vista has a transaction-stateful firewall. So does Solaris. Vista's is apparently enabled by default (although I gather its default ruleset is less than stunning). Solaris' isn't. I reckon this is down to the fact that Vista assumes initial user access on its console, whereas Solaris can't justifiably do that - it can't even, necessarily, assume that there is a console. Honours even, on this technicality.
  • Vista has anti-virus and anti-spyware capability with Windows Defender, Solaris doesn't. Windows has viruses written for it, Solaris doesn't. If you're a Solaris user and are worried about viruses, there's plenty of third-party and open source stuff available if you want it. Either way, all the anti-virus solutions require user interaction to stay current. On Solaris, running in a sparse-root non-global zone makes your system binaries immutable and hence invulnerable to trojans; you can also tell if an ELF binary is an original Sun binary using elfsign -v. Honours even.
  • Vista has User Account Control, which apparently "runs a Vista PC with fewer user privileges, which dictate how software can interact with the PC". Solaris has RBAC, and with the least privilege model, we're about at the point where, if you set your Solaris box up properly, the only reason for the root account to exist is to own files. However, "UAC asks for permission to lift security barriers whenever software requires it" - in this respect, it's probably more on a par with sudo, rather than something which strictly enforces reduced privilege in the way that Solaris least privilege can with its limit set. One up to Solaris.
  • Vista has Protected Mode for IE 7, which stops the browser from writing data anywhere except in a temporary folder without first seeking permission. Doing this with Mozilla, Firefox, you name it on Solaris is straightforward with least privilege. Honours even.
  • Vista has Address Space Layout Randomization to load key system files in different memory locations each time the PC starts, making it harder for malicious code to run. While Solaris' slab allocator and lazy memory sweeper are deterministic rather than random, figuring out where a given piece of code is executing is extremely hard, especially when the system is under load. Honours even.
  • Vista has full hard drive encryption with BitLocker, where the keys are stored in a hardware TPM. Solaris has encrypting loopback filesystems if you install xlofi, although ZFS encryption is in development. Solaris doesn't have TPM interaction capability yet (although again, it's being worked on), so one up to Vista. However, I'm not so sure of the value of whole-disk encryption rather than just encryption of areas such as user home directories; if nothing else, it hits performance and, more significantly, gives an attacker a whole bunch of known plaintext in the form of the Vista code itself.

However, Vista can't do multi-label environments in the way that Solaris Trusted Extensions can; while label segregation enforcement can in some ways be thought of as a DRM technology, it can be set up much more flexibly than Vista's DRM, and without having some of the sillier DRM functions such as having data become unavailable after either a set time or a set number of renderings, or doing silent quality downgrading.

Also, once you get a copy of Solaris, it's your copy of Solaris to use in perpetuity and on as much hardware as you see fit, and it doesn't 'phone home to Sun.

Solaris wins, therefore, but at least when it comes to tick-box feature count rather than in-depth analysis of the features, it wins by less than you might think.

So, on to the threat model and the user community.

If a Bad Guy wants to cause maximal public chaos with viruses, worms or other malware, he's better off writing to a Windows platform as, not only is there more of it out in the world, but it's fair to say that the mean (and indeed, median) Windows administrator is less security-literate than the average Solaris administrator. In fact, it's quite a privileged position that Sun is in, to be able to assume that pretty much any system in the installed base will be looked after by someone with a reasonable degree of cluefulness. Being a little Machiavellian, the best way to stop users doing stupid things is to make it impossible for them to do them, but this has to be balanced with having a system which is usable (and it's a piece of synchronicity that I spotted this while I was writing this paragraph). Getting the balance right is hard; even Solaris' Secure By Default initiative is not actually the default on Solaris 10 11/06, owing to the perceived risk of servers ceasing to work if upgraded to 11/06 from a previous release. It is, however, the default in OpenSolaris...

(2007-02-21 07:58:02.0) Permalink Comments [0]

.gov.uk Goes Mad, Again

I had to do a little paperwork for the company car scheme yesterday, to acknowledge the fact that the allowance I get for running a private car has gone up. While this is no inconvenience (getting a little more cash is always pleasant), I was surprised by an additional paragraph and set of bullet points in the email from our fleet manager, which read thus:

On 1st July 2007 the Smoke free premises and vehicles legislation regarding smoking in vehicles comes into force (in England), with proposed fines rising to £2500. Company vehicles are affected as the ban covers all enclosed public places; the law covers company cars, pool cars and hire cars. If a company car or van is likely to be used by more than one driver, or carry passengers on business, regardless of whether they are in the vehicle at the same time, it must be a smoke free zone. Although privately owned vehicles are not covered by the new law, it is unclear if privately owned vehicles are affected if they are being used for business purposes.

Exemptions

Drivers of convertibles will be exempt as long as the roof of the vehicle is down when they or their passengers are smoking. Smoking is allowed in vehicles which are for sole use of the driver and are not used by anyone else as either a driver or passenger. Proposed fines:

  • Smoking in a smoke free vehicle – between £50 and £200
  • Failing to display a clear no smoking sign in a smoke free vehicle – between £200 & £1000
  • Failing to do enough to prevent smoking in a smoke free vehicle – up to £2500

Various aspects of this astonish me. First, I'd have thought that the interior of a privately-owned vehicle - whether used for business purposes or not - was most definitely not a public place. After all, I'm allowed to keep people out of my Aston by the simple act of locking it, and I get to decide who does and does not get to sit in it. That's hardly conducive to it being classed as "public", especially since I don't have to post a set of opening times in the window.

Second, having to display a sign seems rather over the top - simply telling people not to light up should be sufficient. In the (hopefully unlikely) event that I have to put one of these things in the Aston, it'll hang by a thread from the rear view mirror - I'm not putting anything adhesive on my leather and carbon fibre dashboard.

Third, what constitutes "doing enough to prevent smoking"? Reductio ad absurdum and with tongue at least partly in cheek, in the event that someone sitting in my passenger seat lights up, can I legitimately remove my cockpit fire extinguisher from its bracket and discharge it in their face? Would I, by doing this, not only escape the £2500 fine but also the charge of common assault? If I'm driving at the time, does using a fire extinguisher carry the same penalty as using a mobile 'phone?

I suspect there will be some bizarre test cases around this legislation when it comes in (and a colleague who shall remain nameless has already told me that if I ever need to do the fire extinguisher thing, he'll cover my legal costs provided the moment is captured on video for posterity and posted to YouTube...).

I don't want people smoking in my car anyway, but this legislation seems decidedly crazy.

(2007-02-21 03:50:50.0) Permalink Comments [3]

20070216 Friday February 16, 2007

Tempus Fugit (well, Summer Time, at least)

The US has decided to change the dates at which transitions between Daylight Saving (aka Summer) and Standard time happen; specifically, the US Energy Policy Act of 2005 (EPACT) mandates that, from 2007 onwards, Daylight Saving Time (DST) in the US start on the second Sunday in March and end on the first Sunday in November. In 2007, the start and stop dates will be March 11 and November 4, respectively. The start date for DST in the US was previously the first Sunday of April and the end date for DST in the US was previously the last Sunday of October.

Most Canadian provinces, and the Bahamas, have announced that they will follow suit. Some other countries have yet to decide.

Either way, if you have systems which are in timezones anything from GMT-5 to GMT-10, or which interact with systems there which aren't on UTC, you need to know about these changes and potentially apply patches.

See http://www.sun.com/bigadmin/hubs/dst/.
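To make the patching point concrete, here is a small worked example (added here; it is not from the original post and not Sun's code) that encodes both the old and the EPACT rules described above, computes the transition dates for a given year, and derives the two windows each year in which a system still following the old rules would report local time an hour out. The function names (`us_dst_dates_pre_2007`, `us_dst_dates_epact`, `unpatched_disagreement_windows`, `local_time_is_wrong_on_unpatched`) are my own choices, not anything from Sun's DST pages.

```python
import calendar
from datetime import date, timedelta

SUNDAY = 6  # datetime.weekday(): Monday == 0 ... Sunday == 6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th occurrence of `weekday` in the given month (n >= 1)."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_weekday(year, month, weekday):
    """Date of the last occurrence of `weekday` in the given month."""
    last_day = date(year, month, calendar.monthrange(year, month)[1])
    offset = (last_day.weekday() - weekday) % 7
    return last_day - timedelta(days=offset)


def us_dst_dates_pre_2007(year):
    """Old US rule: DST starts first Sunday of April, ends last Sunday of October."""
    return nth_weekday(year, 4, SUNDAY, 1), last_weekday(year, 10, SUNDAY)


def us_dst_dates_epact(year):
    """EPACT 2005 rule (2007 onwards): second Sunday of March to first Sunday of November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def unpatched_disagreement_windows(year):
    """Half-open date ranges [start, end) in which a system on the old rule is in
    Standard time while a correctly patched system is already (or still) on DST.
    Every timestamp an unpatched box stamps into a log inside these windows is
    an hour out relative to its patched neighbours."""
    old_start, old_end = us_dst_dates_pre_2007(year)
    new_start, new_end = us_dst_dates_epact(year)
    return [(new_start, old_start), (old_end, new_end)]


def local_time_is_wrong_on_unpatched(d):
    """True if date `d` (a date or an ISO 'YYYY-MM-DD' string) falls in a window
    where an unpatched system's local clock disagrees with the new rules."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    return any(lo <= d < hi for lo, hi in unpatched_disagreement_windows(d.year))


if __name__ == "__main__":
    year = 2007  # the first year the new rule applies
    print("old rule :", us_dst_dates_pre_2007(year))
    print("EPACT    :", us_dst_dates_epact(year))
    for lo, hi in unpatched_disagreement_windows(year):
        print(f"unpatched systems are an hour out from {lo} up to (not including) {hi}")
```

Run for 2007 this reproduces the March 11 and November 4 dates from the post, and shows the two windows (March 11 to April 1, and October 28 to November 4) where an unpatched system's log timestamps, cron schedules and certificate validity checks will be an hour adrift from patched systems in the same timezone. Correlating logs across such a boundary is where the damage tends to show up, so it is a useful check to run before the March transition.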

(2007-02-15 16:10:33.0) Permalink Comments [2]

20070214 Wednesday February 14, 2007

No Phishing, By Order

I got a surprising 'phone call the other day, from a UK number - it was an automated messaging service (all sampled and syncopated), claiming to be one of the financial institutions I use the services of, wanting to verify the details of some transactions on my account that it considered anomalous.

Now, this particular financial institution has a very good security team. When I've been over in the US before, availing myself of the beneficial exchange rate and doing some shopping, I have been called up to verify the fact that it's really me making said transactions. However, it's always been by a real, live person, and when they call me, I have a pass-code recorded along with my account details at their end so that I can verify that they really are the institution in question before I let them verify that I'm really me.

There was no opportunity to verify that the machine was really associated with the institution before it asked me for my date of birth, so I hung up on it and called the number on the back of the card I'd been using. I also smelled a rat on the grounds that I'd already informed the relevant folk that I was going to be out here in California and doing some shopping, so any transactions on my card while here should not automatically be treated as anomalous (and by extension, any transactions conducted in England this week, should be).

It turned out that the messaging service had nothing to do with the institution in question; they still use people exclusively, when making 'phone calls to customers. By coincidence, someone had clearly tried phishing me at the time when I'd been making transactions which could seem genuinely anomalous. I gave the messaging service's number to the institution's security team (they hadn't been cunning enough to block caller line ID, even though the number couldn't be rung back) and the details of who and what it had claimed to be, and let them get on with it. I'll be keeping a weather eye on the financial press for the next couple of months, to see whether any court cases arise.

I can confirm, therefore, that 'phone-based phishing is real, not hype or scaremongering. Be careful out there.

(2007-02-14 09:31:55.0) Permalink Comments [0]

Happy Birthday to me...

I got another year older yesterday. I didn't blog about it on the day, as I wanted to see how everything turned out first - it turns out that it was the best birthday I've had in a long time :-).

I'm in California this week, at our internal Security Ambassador conference. I'm presenting a number of sessions on various fun things. Anyway, yesterday started well; at 07:00 I got a wake-up call from a colleague back in the UK who sang "Happy Birthday" to me, I got a couple of surprise cards from folk in the office, and there was a full chorus of "Happy Birthday" from the audience after I'd finished one of my presentations and before they'd let me off the podium :-).

Then, dinner. There's probably no finer way to spend the evening of your birthday than surrounded by a bunch of pals from all parts of the world, and who you get to see rather less of during the year than you'd like, crammed into your favourite Mexican restaurant eating seriously spicy seafood and sipping Margaritas. I'd sent an RSVP email to an internal mail alias for off-topic security community stuff the previous week and had 12 positive replies, so secured a table for 15 - in the end, there were 23 of us and we had to overflow a bit! I was also treated to yet another round of "Happy Birthday" - in Spanish this time - by the staff, and a little creme caramel dessert with a candle in it.

A surprise guest was Cynthia Milton - former Sun employee, mad motorcyclist and old pal of Alec's who is currently circumnavigating the globe on her BMW; she left the UK 2.5 years ago, happened to be in California, and dropped by to catch up with folk. She's off to the top end of Canada next, before having the bike (and herself) shipped to Cape Town and riding up Africa. Alec and I agree that she needs to turn all this into a book when she eventually gets home; it's been done before, but not like this. I also got to have a chat over the 'phone with Alec's pal Adriana, and we agreed we need to catch up for a chat when we're both back in the UK.

I was hit with a hard combination of general fatigue and jetlag when I got back to the hotel, sank a pint of ale and hit the hay just before 23:00, "all Birthdayed out".

Many thanks to all who wished me well, signed cards, emailed, 'phoned and partied. You guys rock.

Update:

Photos from the conference can now be found here.

(2007-02-14 09:29:32.0) Permalink Comments [2]

20070202 Friday February 02, 2007

Tagged by FatBloke!

I was wondering when this meme would get to me - seems it did so a couple of weeks ago, only I didn't spot it until now!

So, without further ado, "5 things you didn't know about me"...

1. The "index" and middle toes on my left foot are the same length. While this is only a minor deformity, I gather it was sufficient to prevent my paternal grandfather (who also had it) successfully applying for a job with the Cheshire Constabulary. More interestingly, the scarring on my left cornea from a nasty case of Acanthamoeba Keratitis a decade or so ago, coupled with having extremely dark irises, may confuse iris scanners.

2. My first piece of paid work was a farm management game, commissioned by my school's Geography department, and which I wrote (in a combination of BBC BASIC and 6502 assembler) over the course of a school summer holiday on a BBC Model B, with cassette tape as my only storage. I was 13 at the time, and my fee was a floppy disk drive and controller card :-).

3. My academic background is in Physics (primarily condensed matter), and I believe that the superconductor I produced while doing my MSc at Bristol - an amusing mixed-valent Mercury Barium Calcium Copper Oxide in the usual distorted-perovskite structure that the high transition temperature superconductors tend to share - remains the highest-transition temperature superconductor made there. Oh, and my supervisor, Dr John Wilson, recommended serious investigation of anomalous magnetic effects in mixed-valent cuprates at low temperatures in a paper he published in 1978, 9 years before the whole high-temperature superconductor thing took off; see Phil. Mag., B38 427-444 (1978). "CuCl; more facts and thoughts on high temperature superconductivity". Had he secured funding to follow his recommendation, he'd probably be a Nobel laureate now.

4. The last time I used Microsoft Windows was in October 1990 - it was Windows 3.0. After having spent 6 unbelievably frustrating hours trying to get it to do something useful without crashing, I said "never again", went home and did the job in 20 minutes on my Archimedes. I've spent a mostly-reliable computing life for the last 16 years (and counting) on - at various times - Acorn RISC OS 2 through 3.6, RISC iX, RSX-11M, VMS, SunOS 4.3_U1, NetBSD, IRIX 5.2, Debian, Solaris 2.5.1 through Solaris 10, and Mac OS X, and it suits me.

5. As stereotypical "professional security geek" activities go, I've been "blooded". In other words, I've worked with a police force on an incident where a customer's systems had been broken into - and were actively being poked around at the time, so we came up with all sorts of mad techniques to mitigate the risk of the Bad Guy taking the entire enterprise out - and we nailed the guy who did it; he got prison time for his efforts. Maybe I should write my reminiscence up as a blog article, suitably anonymised; some of the techniques we came up with were genuinely useful, although the situation is "somewhat niche".

So now - hmm, who do I know who blogs but hasn't been tagged yet, who do I not mind apologising to for tagging them by buying them beer, and who might appreciate the reminder to blog more often...

I therefore tag Glenn, Darren, Jon, Martin and Simon.

Job done.

(2007-02-02 10:52:15.0) Permalink Comments [0]

Review: "ID Fraud: They Stole my Life"

On Wednesday night, BBC1 broadcast an interesting documentary about "ID theft" (when it comes to "Identity fraud" as a concept, I'm with Ross Anderson).

As the title suggests, it was rather sensationalist in parts, particularly in the running commentary - however, it did feature some excellent sections where officers from Surrey Police, the Metropolitan Police and the City of London police shared their wisdom and allowed the film crew to accompany them on a couple of searches and arrests - with faces obscured where necessary. The piece on cash machine skimmers and PIN-pad cameras was particularly interesting.

The commentary was misleading on a particular point in these sections, though - there isn't an "identity unit" in these police forces, it's the cheque and credit card fraud unit who were doing their stuff.

While the dustbin-diving efforts in Surrey were covered well - and it even surprised me to see how many receipts still contain a full card number rather than the more common row of asterisks with last three or four digits - I was a little disappointed not to see more details on the measures people can employ to prevent such issues. The shredder which was briefly shown churning out shreds wasn't even a cross-cut model, and for folk who don't want to splash out on such a device, putting your sensitive papers in a suitable metal bin / brazier and setting fire to them is unsurprisingly effective.

However, the section where the ethical hackers went wardriving was very disappointing. Having an open wireless access point allows people to steal your bandwidth, not your identity - at least, if you're sensible regarding the way your computers are set up. While they said that "the best way to protect your identity is to keep your anti-virus software updated" (and doing this may have some merit, admittedly) there was no mention of:

  • hardening your system
  • keeping your OS patches up to date
  • keeping your application versions up to date
  • using a firewall
  • running your tools as a relatively-unprivileged user
  • not using IE - and, in fact, avoiding Microsoft products in general
  • turning your computer off, or otherwise disconnecting it from a network, when you're not using it
...so the BBC has done the average home user a disservice in this area.

I'd expect this programme to be repeated on BBC3 or BBC4 at some point in the near future, so if you missed it first time round (as many of my UK-resident security geek pals did), it's worth a watch - just don't get hot under the collar about the advice from non-police sources...

(2007-02-02 04:37:41.0) Permalink Comments [2]
