If you tell enough stories, perhaps the moral will show up.


Not Invented Here

This has got nothing to do with anything I know about, but it's got me cross so here goes.

My little Samsung music player is old now, but it does all I want. It loads up as though it was a USB stick. I can find the music I want navigating up and down the directory tree with folder and track names showing on the tiny four-line display. It plays .wma, .ogg and .mp3 files, and when I'm bored with my files, there's an FM radio.

I would have thought that this counted as some sort of baseline. iPods have a display for album art and video. Other players have integrated phones, or glossy appearance, or Bluetooth audio, or who-knows-what magic. But for a £40 player, I was happy.

One thing the Samsung doesn't have is the oomph to drive any sort of speaker without caning the battery. Nor should it, but it's a bit frustrating sometimes when your ears are tired of buds, that there's no way to fill the room with it.

This shouldn't be a problem these days. Quite a lot of music centres and boom boxes support "USB" which is a shorthand for digital music on popular media. Except they don't -- the support is rubbish. I looked at Cambridge One and the Yamaha desktop music player -- both about £300 -- and they were both really disappointing:

  • For a start, it's MP3 only. Compared with my Samsung, the hifi designers have vast resources of electrical power and size, so there's no excuse for limiting the playback decoders.
  • There's not much point in a remote if the buttons are hopelessly obscure. The navigation is hard.
  • And it's worse when the UI can't even display a directory listing. I've got 2GB of music on that thing and ignoring directory names is not going to help.
  • And in the 21st century, I reckon we're entitled to a decent screen, but what we're offered is a single line. I felt that I was fortunate under the circs to see the ID3 tags in an unsatisfactory fixed-rate marquee.
What's happened here is that someone has made the minimum possible hack to the code that plays MP3 CDs. The idea of picking up a few hints from the players made in a different division of the same firm just never occurs to anyone. All I want is something that can play the same files as a cheapo portable, and provides a simple user interface. Hard? Apparently so.


What Goes into the W7 Workstation

First look into the Security Guide in the Windows 7 Security Compliance Management Toolkit. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:

  • UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)
  • The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.
  • There are some sexy, seeeexy audit log options. A whole lot more to set.
  • There's an easier replacement for software restriction, but it relies on signed code.
  • Finer-grained control over devices means we might be able to have one less agent in the build.
  • Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.
  • This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.
  • They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.
I need a W7 install to play with.


You know you're a security professional if ...

...you ask the designers what the operational meaning of a user group is.


Performance problem? No, it's a security issue...

We block Internet browsing for accounts in admin groups. It's a malware control and I like it. But we hit a strange little problem with this using one particular app. It was fast to start with ordinary console accounts, but privileged accounts were really slow. It took a smart lad -- not me -- with a protocol analyser to spot that the startup sequence involved a certificate authentication, and the host certificate had a CRL access point at an Internet URL. The admin accounts couldn't reach this so they had to go through an agonising timeout. Problem solved!


An Aid to Promptness

It has been scientifically proven (by letting my music player run down) that an exercise mix track with at least 50% Girls Aloud (and other Xenomania Trilbies) gets you to work ten minutes earlier.

PS. This only works if you walk to work. On the train? I can't help you.


Google Dashboard

So now we have the Google dashboard www.google.com/dashboard -- everything Google knows about you in the one place. Well that would be jolly nice, but it's really everything Google knows about your Google account, which is a slightly different thing.

Because it misses all those unauthenticated search strings which are Google's actual meat and drink. And there are already complaints about this.

But I won't be complaining. Because unless you co-operate with Google cookies, what that would show is everything sought from your IP address, which if it's like any of mine is NATed. Do you want to see what everyone in the firm has sought? Do you want them to see your searches? I think not!


I'll be hedgelaying along the road again this year, so appearance matters a little more. And at the same time I've pretty much run out of all the odd offcuts I've been using to hold it all together. Privet was good -- it grows into hard straight rods -- but it's all gone now.

I've asked all over but asking for "posts for hedgelaying" draws a blank -- you get offered fencing pales at eighteen shillings each. It's overkill and at two per yard it runs into expense.

It doesn't look like I'll ever find the canonical Hazel rods, so I'm falling back on plan B. I rang up one of the woodsmen in the Wealden Advertiser -- Brede Valley Fencing -- and asked him to make me the same pales used for cleft chestnut wire fencing, but five foot long and without the wire. He quoted me five shillings each and I bought four hundred which will keep me going for a while. They filled up the back of the Galaxy and I drove cautiously home, delighted by the smell of the fresh green wood.

Here they are in the shed. It's a weight off my mind. I feel I can set to work without worrying about running out.

Benders? No need -- I've got Willow wands coming out of my ears, and that certainly gets attention on the commuter train.


The non-Build Build

From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine. It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put the firm's data on one of these. And it's not.

So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:

  • Truecrypt set up for the system partition. (If there's an I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put the firm's data on it, and 2) it's an immediate downer for a thief.
  • The MVPS hosts file. It doesn't auto update, but it's a good start.
  • Default Browser: Chrome. It's not IE so it's under attackers' radar, but it does auto update even if you never run as admin.
  • Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.
  • The default log in takes you to a non-admin account.
  • Default settings on the Windows firewall, and Windows update.
It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.



The Future Still Isn't Right, pt II

And another thing. Spectacles. I had my eyes tested today and my prescription has shifted again. Fair enough, and I've opted to head off into the world of varifocals with a pair of single vision driving specs, and what's called occupational lenses which shade from VDU at the top down to reading at the bottom. There are three grades of optical efficiency to choose from, optional high index plastic to reduce the weight, optional quarterwave coating for transparency, and an (optional) hardness treatment. With correction and astigmatism in the basic prescription, the Dear only knows how many possible variations on the basic format that is.

During the test, I could opt to have my retina photographed for reference (for a tenner, how could I not?) and a chance to compare it with the lovely optometrist's album of interesting eyeballs. And the whole thing was conducted at a time and place to suit me. It was the very model of the modern custom shopping experience.

But if choice is the aim, why, for the love of every holy thing, do they only make spectacle frames in two sizes: too small, and much too fucking small? Am I the only person in the world with a head like a watermelon? I think not. And on that topic why is the choice limited to what they have in the shop on that day? Is it so impossible to record the relative location of ears, pupils and nose, and cut lenses to suit a pair of frames out of a catalogue? I want glasses like Michael Douglas in Falling Down: I need nerd authority, but yet again I've settled for some boring black metal frames that are barely willing to exist.

How sad.

Protect identity with a face blur: Fail

This story is so abominably sad that there's really no need to read it. All I want to do is note that in some cases, a face blur can still give important clues to identity.



Recently I wrote about the enumerate command that I use. I was looking at it just now because I wanted to enumerate one particular check across the whole domain: I wanted to report on the events that show a user being enrolled into local Administrators on their workstation -- and irregular admins generally.

This is a big deal for me -- has been for a long time, it's a big deal for more and more sites, and it should be for everyone. Admin privilege is the difference between spyware installing in a profile (and even now, most of them don't attempt to do this) and installing dangerously and ineradicably as a rootkit. Admin privilege is what allows users to harm their builds with downloaded software or messing around with the branding or mapping. But alas, it's also the easy solution to a lot of problems, and desktop team members -- admins themselves -- are often tempted to pass it on to a user in trouble so they can get on to the next call.

The control for this is to find out when it happens and follow up very promptly, next day, with the admin concerned. But you need to know it's happened, and the only ways I know how to tell are a) a listing of the group membership on every machine -- which doesn't, crucially, tell you when it was done, or b) the 636 message in the event log. So it's the message we want, provided we can pick and decode the content out of its rather unhelpful format. To hold the desktop team to account, we want to look at the new messages each day, making a nice report of all the suspect events.

We already have a tool -- enumerate -- which will run a command against every machine. So now we need a command that will append relevant log events on to a report. "But" I hear you cry, "but what about your RSA Envision log SELM appliance? Isn't that ideally suited to this task?" Well yes, my dears, it certainly is, but you see, it's licenced per event source. I have enough licences for all the infrastructure and about half of production servers, but none at all for workstations. We need something at a better price point, like free.

Microsoft is a better source of free (as in beer) software than you might expect, and they have the tool for this job: Logparser; motto: "the world is your database." In outline, Logparser converts and presents logs of many sorts and some odder stuff like registry and filesystem contents as queryable lists. The queries can be simple or complex: I started with

But you need to work a little harder to get a script parameterised enough to be enumerated across all domain members and produce a good outcome. The beauty of Logparser is that it's mature enough to deliver -- it really is a proper log analysis tool. I expected to write auxiliary scripts to break out the data, decode SIDs, accumulate the report as a CSV, and keep track of the last log read on each machine, but in fact all this can be done in Logparser script language or command line options.
-- admin.sql
-- Logparser query.
-- Accumulate events where a user has been made a member of admins or power users
-- You might want to enumerate this across the entire domain
-- (omit domain controllers which have different messages)
-- Command would be like
-- logparser -i:EVT
--  -o:TSV -oSeparator:space -headers:OFF -fileMode:0
--  -iCheckPoint:MYPC.lpc
--  file:admin.sql?oFile=2009-10-18_AdminChanges+sMachine=MYPC
-- The checkpoint file is named for the machine, and output is appended to "today's" file.
-- The ?oFile=...+sMachine=... parameters are substituted below as %oFile% and %sMachine%.

-- Generating "hand" CSV rather than the CSV output type -- more flexible to do it in SELECT and USING
SELECT
 -- the ms from the :ll aren't populated but it stops Excel dropping the seconds
 TO_STRING(TimeGenerated, '\"yyyy-MM-dd hh:mm:ss:ll\",') AS Date,
 STRCAT(ComputerName, ',') AS Computer,
 RESOLVE_SID(SID) AS Admin,        -- the caller, i.e. the admin who made the change
 RESOLVE_SID(SIDUser) AS User,     -- the account enrolled or removed
 Action,
 Group

-- Do the token parsing in USING: break the bits we want out of the -|%{SID}|... tokens in Strings
USING
 EXTRACT_TOKEN(Strings, 1, '|') AS SUr,    -- User SID, still wrapped as %{SID}
 EXTRACT_TOKEN(Strings, 2, '|') AS GroupN, -- Group name (localised for free -- more friendly)
 EXTRACT_TOKEN(Strings, 3, '|') AS GroupD, -- Group domain, e.g. BUILTIN
 EXTRACT_TOKEN(Strings, 4, '|') AS SGp,    -- the Group SID
 SUBSTR(SUr, 2, SUB(STRLEN(SUr), 3)) AS SIDUser,  -- break raw User SID out of the %{SID}
 CASE EventID WHEN 636 THEN 'enrolled' WHEN 637 THEN 'removed' END AS Action,  -- Friendly EventIDs
 -- Output like "into BUILTIN\Administrators"
 STRCAT(
   STRCAT(CASE EventID WHEN 636 THEN 'into ' WHEN 637 THEN 'from ' END, GroupD),
   STRCAT('\\', GroupN)) AS Group

-- Need the -fileMode:0 (append) on the command line to avoid overwriting with each machine.
-- For a log for each machine, the command line above would let you use %sMachine% in the name.
INTO %oFile%

-- FROM the machine security log -- This is -i:EVT.
-- Don't use the SID resolve option because you may want to limit to particular built-in groups,
-- and S-1-5-32-544 is easier than working out internationalised versions of "Administrators"
FROM \\%sMachine%\Security

WHERE
 ((EventID = 636) OR (EventID = 637)) AND   -- 636 enroll, 637 remove
 (SID <> 'S-1-5-18') AND                    -- Ignore actions by local System
 (                                          -- Ignore boring groups
  (SGp = '%{S-1-5-32-544}') OR (SGp = '%{S-1-5-32-547}')  -- Only want Admins or P Users
 )
 -- Optionally don't report Domain admin (check your SID) being made admin, because it happens in every log!
 -- AND (SIDUser <> 'S-1-5-21-4163168572-49618088-4072775208-512')
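The same selection and decoding as admin.sql, written in Python so it can be run offline over a handful of constructed event records. This is an added example, not the blog's own code; it assumes a constructed SID lookup table in place of RESOLVE_SID, and the -|%{SID}|Group|Domain|%{GroupSID}|... Strings layout that the query relies on.

```python
"""Python mirror of the admin.sql filter, run over constructed event records.

Added example; not the blog's code, and Logparser is not involved.  Each record
carries the fields the query uses (EventID, caller SID, ComputerName, Strings),
with Strings laid out as the query assumes: token 1 = member SID wrapped as
%{...}, 2 = group name, 3 = group domain, 4 = group SID.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_SYSTEM = "S-1-5-18"
WATCHED_GROUP_SIDS = {"S-1-5-32-544", "S-1-5-32-547"}   # Administrators, Power Users
ACTION = {636: ("enrolled", "into "), 637: ("removed", "from ")}

# Constructed stand-in for RESOLVE_SID(); real code would ask the domain.
SID_NAMES = {
    "S-1-5-21-1-2-3-1001": "EXAMPLE\\helpdesk1",
    "S-1-5-21-1-2-3-1105": "EXAMPLE\\jsmith",
    "S-1-5-21-1-2-3-512": "EXAMPLE\\Domain Admins",
}
DOMAIN_ADMINS_SID = "S-1-5-21-1-2-3-512"   # constructed: "check your SID"


@dataclass
class Event:
    event_id: int
    computer: str
    sid: str        # SID of the caller, i.e. the admin who made the change
    strings: str    # raw pipe-separated Strings field of the event


def resolve_sid(sid: str) -> str:
    return SID_NAMES.get(sid, sid)


def unwrap_sid(token: str) -> str:
    """'%{S-1-5-...}' -> 'S-1-5-...', the SUBSTR(SUr, 2, STRLEN-3) trick in the query."""
    return token[2:-1] if token.startswith("%{") and token.endswith("}") else token


def decode(ev: Event, ignore_member_sid: Optional[str] = None) -> Optional[dict]:
    """One report row for a watched local-group change, or None where the WHERE clause drops it."""
    if ev.event_id not in ACTION:                 # 636 enroll, 637 remove
        return None
    if ev.sid == LOCAL_SYSTEM:                    # ignore actions by local System
        return None
    tokens = ev.strings.split("|")
    if len(tokens) < 5:                           # malformed Strings: nothing to decode
        return None
    member_sid = unwrap_sid(tokens[1])
    group_name, group_domain = tokens[2], tokens[3]
    group_sid = unwrap_sid(tokens[4])
    if group_sid not in WATCHED_GROUP_SIDS:       # only Admins or Power Users
        return None
    if ignore_member_sid and member_sid == ignore_member_sid:
        return None                               # e.g. Domain Admins being made admin in every log
    verb, prep = ACTION[ev.event_id]
    return {
        "computer": ev.computer,
        "admin": resolve_sid(ev.sid),
        "user": resolve_sid(member_sid),
        "action": verb,
        "group": prep + group_domain + "\\" + group_name,
    }


def report(events, ignore_member_sid=None):
    """The rows admin.sql would append for these events, in log order."""
    return [row for row in (decode(e, ignore_member_sid) for e in events) if row]


# Constructed sample log; Strings follow the -|%{SID}|Group|Domain|%{GroupSID}|... layout.
SAMPLE = [
    Event(636, "MYPC", "S-1-5-21-1-2-3-1001",
          "-|%{S-1-5-21-1-2-3-1105}|Administrators|BUILTIN|%{S-1-5-32-544}|helpdesk1|EXAMPLE|(0x0,0x3E7)|-"),
    Event(636, "MYPC", LOCAL_SYSTEM,
          "-|%{S-1-5-21-1-2-3-1105}|Administrators|BUILTIN|%{S-1-5-32-544}|SYSTEM|NT AUTHORITY|(0x0,0x3E7)|-"),
    Event(636, "MYPC", "S-1-5-21-1-2-3-1001",
          "-|%{S-1-5-21-1-2-3-1105}|Users|BUILTIN|%{S-1-5-32-545}|helpdesk1|EXAMPLE|(0x0,0x3E7)|-"),
    Event(637, "PC2", "S-1-5-21-1-2-3-1001",
          "-|%{S-1-5-21-1-2-3-1105}|Power Users|BUILTIN|%{S-1-5-32-547}|helpdesk1|EXAMPLE|(0x0,0x3E7)|-"),
    Event(636, "PC2", "S-1-5-21-1-2-3-1001",
          "-|%{S-1-5-21-1-2-3-512}|Administrators|BUILTIN|%{S-1-5-32-544}|helpdesk1|EXAMPLE|(0x0,0x3E7)|-"),
    Event(4720, "PC2", "S-1-5-21-1-2-3-1001", "jbloggs|EXAMPLE|%{S-1-5-21-1-2-3-1200}"),
]

if __name__ == "__main__":
    for row in report(SAMPLE, ignore_member_sid=DOMAIN_ADMINS_SID):
        print(row["computer"], row["admin"], row["user"], row["action"], row["group"])
```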

Remaining niggles are petty. Some machines have corrupt SELs -- Logparser fails at the end of the log, so it never writes a checkpoint and the entire file is processed every time. But this can be fixed by saving and emptying the offending log. And I suppose it would be nice if it enumerated the domain itself, but that doesn't trouble me.

Apparently V3 is due out. I cannot wait.



Just for fun, this is the exact text of a paragraph that Mrs U persuaded the more mad son to commit to Notepad:

On, 20th March 2010, I'm can Building the Farmhouse, I'm can Digging and Building the Pond for the Mallard Ducks and Ducklings, Runner Ducks and Ducklings, and Call Ducks and Ducklings, Khaki Campbell Ducks and Ducklings, and the Duck House, Muscovy Ducks and Ducklings. On, 11 April 2010, I'm Can Building the Dog Kennel with Mummy, Daddy, [LMS name], and [NMAAJSD name], and Take my Camera, Hammer, Drill, Spanner, and Tools, and the Bricks, and the Roof
The ducks are a long-lived interest, but this is mostly about Bob. Building is the thing: he's been talking about plans like these for a while and I think it's got worse since last weekend when we spent a happy session with hammer, screwdriver, assorted fasteners and some scrap wood.

If it all seems a tad ambitious, well yes. But it's not as bad as his plan for 2011 which is a DLR extension, or 2020 which is completion of the HS2 link. That's the trouble with Infrastructure projects -- they take so long.


Strange email a few days ago -- a casual note from one of the Exchange admins asking me to approve enabling a batch of accounts. Rather than just refuse it out of hand, I took a look at the list -- to find a mixed bag of service accounts and shared mailboxes.

For why? Well it appeared that they had been having difficulty archiving some boxes and noticed that the affected accounts were all disabled. Proof of a good reason? No. Plenty of other boxes are disabled -- our leavers process depends on archiving the boxes of disabled users, and shared box accounts are permanently disabled by policy.

I don't know how this will turn out, but it won't be fixed by the enable flag. I don't care, as the lesson I want to draw is a little different. Superstition in IT is one of the greatest impediments to security rectification.

If I had let that request go -- after all, what do I know about Exchange? and even if I was right, they might have learned something -- If I had followed a cautious "support the admins where you can" rule, a new superstitious belief would have been created. "If there's an archive problem, make sure the mailbox is enabled". And those boxes would never be disabled again -- after all, who goes looking for trouble? And we would have acquired a vast new list of unmanaged accounts for no purpose at all.

When I started, my first rectification was to get rid of the shared domain admin account. It was easy enough to issue DAs to colleagues who needed them, but the next stage, removing the shared account, was much harder. It was protected by superstition. Apparently, all sorts of stuff would break if I canned it or changed the password, it had been tried once and bad things happened, though nobody could remember what.

Now, that risk was real, given the usage of the account, but I knew the possibilities. It wasn't the replication account, it wasn't used to build images, and there were no services running under it (that one took a script to prove). So after a good deal of fruitless argument, I just did it -- our change control was weaker then. Nothing broke then, and I suspect that what broke in the past was co-incidence.

The point is that people who are out of their depth, even just a few inches, will clutch at the first turd that comes bobbing by, and once clutched, they'll never let it go. It's not a moral fault, it's a feature of human psychology, and no doubt in the wild it has survival value.

In Windows security, most people are just slightly out of their depth, even though it's pretty simple (apart from ACL inheritance, obviously.) Even though they could reach the truth with just a little effort, they don't. Instead they seize whatever comes first -- co-incidence or just wrong observation -- and their survivalist mind starts building superstition. It's my job to knock it down and I do. I don't like pretending to be authoritative, even though I took the training. But in a case like this, it's the only way forward. I declined the request, explained my reason as far as I could without accusing the team of crass irrationality, and left it at that. We'll see.


Bang per Buck

This is interesting. It's not a surprise that Iran wants to make a deal with a foreign oil major. No. The shock is the claim that a totally DIY nuclear programme, in the face of embargoes and secrecy, is cheaper than building out domestic oil production. That can't be good news.


I'm doing up a flat in the evenings, and there's enough work that I can't see an end to it. This morning I found myself peeping through the kitchen door on the off-chance that brownies had re-decorated or at least washed the greasy walls during the night. They hadn't.



The drought has parched the fields for months, and now the full moon light bleaches them bone white.

Fantasy Programming

I work at the command line, and I've never found a better place to do stuff in bulk. But since I've been dealing with dynamic networks of hundreds of PCs I've found that there's a tool missing from the utility set.

Windows is good for remote management -- better than people realise -- but there's one thing it needs: a decent network enumerator. What's that? It automates a task which crops up time and again -- running a command against a list of all the machines in a domain, or on a network, or subsets of those lists. I want to be able to type enumerate --domain MYDOMAIN.LOCAL --exclude "/(DC.*)|(PRNT.*)/" /cmd "mycommand %%Name%% %%Timestamp%%". I think that's fairly clear: I want to enumerate the domain MYDOMAIN, exclude the DCs and those pesky HP print servers, and then, for each machine, run the command mycommand with the name of the machine and a timestamp on its command line.

I know that would be useful because I actually coded "enumerate" in Perl, and I use it a lot. But doing stuff in Perl has a limited future and I don't think there's really a pressing need to make it an editable script: the function seems rounded and complete -- not something that'll need continuous extension. So, as a first step to a .Net executable, here is my specification for the enumerate utility:


 Enumeration settings
 All these settings can be combined and repeated to build up a list of hosts.
 Each entry is expanded into FQDN and IP and de-duped on both, with the last entry taking precedence.
 [--domain DN] Add all members of domain DN to the list.
 [--IP N/L|IP1-IP2] Add all ip addresses in the specified subnet
      (omit network and BC) or the specified range to the list
 [--list H[, H]*] Add all the H's (names or IP addresses) to the list
 [--flist "path"] Add all the hosts in the text file at "path" 
      (one per line, leading "\\" optional, blank lines allowed, anything after white space on a line is comment)
 Logging settings
 [--job name] Log all diagnostics to the file called TS_run_name and all command output to the file TS_out_name.

 Command Settings
 [--cmd "string" [--[no]ping] [--[no]browse] [--omit "regexp"] [--directory "path"] [--concurrent nnn]]
 Run the specified string in a cmd shell, for each enumerated target.
 Multiple --cmds are allowed.

 --directory : cd to "path" before running -- default is "."
 --[no]ping : ping the host -- don't run if no response. Default is --ping
 --[no]browse : attempt to Windows browse the host -- don't run if no response. Default: --nobrowse
 --omit : don't run if the enumerated name or IP matches the given regexp (no //). Default: --omit ""
 --concurrent nnn : Run no more than nnn instances of this --cmd setting concurrently. Default: --concurrent 1

 "string" is the command to run. Default is "echo %%Host%% %%IP%% %%TS%%"

 Variables in the command string are expanded:
 %%Host%% -- The enumerated FQDN or IP address if it can't be resolved
 %%IP%%   -- IP address -- skip if a name can't be resolved
 Times -- all suitable for use in file names:
 %%Date%% -- The date the run started in ISO yyyy-mm-dd format
 %%Time%% -- The time the run started as hh-mm-ss
 %%TS%%   -- Now as yyyymmddhhmmsscc
Now that's a utility.
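An added Python sketch of the host-list and command-expansion parts of the spec above (not the author's Perl tool, and not the planned .Net one). It assumes a constructed name table in place of DNS, a caller-supplied member list in place of the --domain lookup, and case-insensitive --omit matching.

```python
"""Host-list expansion and command templating from the enumerate spec above.

Added example, not the blog's Perl tool.  Covers --IP, --list, --flist and --omit,
de-duping on both name and IP with the last entry winning, and the %%Host%%, %%IP%%,
%%Date%%, %%Time%% and %%TS%% expansion.  Assumptions: --domain takes a caller-supplied
member list (no directory lookup here), name resolution is a constructed table so the
example runs offline, and --omit is matched case-insensitively.
"""
import ipaddress
import re
from datetime import datetime

# Constructed resolver standing in for DNS; anything not listed is unresolvable.
FORWARD = {"fs01.mydomain.local": "10.0.1.10", "dc01.mydomain.local": "10.0.1.5",
           "prnt01.mydomain.local": "10.0.1.20"}
REVERSE = {ip: name for name, ip in FORWARD.items()}
START = datetime(2009, 10, 18, 9, 5, 7, 340000)   # constructed fixed clock for repeatable output

def expand_ip(spec):
    """--IP N/L: every host address (network and broadcast omitted); --IP IP1-IP2: the range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]

def parse_flist(text):
    """--flist: one host per line, leading \\\\ optional, blank lines allowed, rest of line is comment."""
    hosts = [line.split()[0] for line in text.splitlines() if line.split()]
    return [h[2:] if h.startswith("\\\\") else h for h in hosts]

def resolve(entry):
    """(host, ip): host is the FQDN, falling back to the IP; ip is None when a name won't resolve."""
    try:
        ip = str(ipaddress.ip_address(entry))
        return REVERSE.get(ip, ip), ip
    except ValueError:
        return entry.lower(), FORWARD.get(entry.lower())

def build_targets(entries):
    """De-dupe on both FQDN and IP; a later entry replaces any earlier one it collides with."""
    targets = []
    for host, ip in (resolve(e) for e in entries):
        targets = [t for t in targets if t[0] != host and (ip is None or t[1] != ip)]
        targets.append((host, ip))
    return targets

def collect(settings, domain_members=()):
    """settings: (option, value) pairs in command-line order; they combine and may repeat."""
    entries = []
    for opt, val in settings:
        if opt == "--domain":
            entries += list(domain_members)   # assumption: directory lookup done by the caller
        elif opt == "--IP":
            entries += expand_ip(val)
        elif opt == "--list":
            entries += [h.strip() for h in val.split(",") if h.strip()]
        elif opt == "--flist":
            entries += parse_flist(val)
        else:
            raise ValueError("unknown enumeration setting: " + opt)
    return build_targets(entries)

def expand_command(template, target, started, now):
    """Expand the %%...%% variables; None means skip, because %%IP%% is wanted but unknown."""
    host, ip = target
    if "%%IP%%" in template and ip is None:
        return None
    subs = {"%%Host%%": host, "%%IP%%": ip or "",
            "%%Date%%": started.strftime("%Y-%m-%d"),      # ISO date the run started
            "%%Time%%": started.strftime("%H-%M-%S"),      # file-name-safe time the run started
            "%%TS%%": now.strftime("%Y%m%d%H%M%S") + "%02d" % (now.microsecond // 10000)}
    for var, value in subs.items():
        template = template.replace(var, value)
    return template

def plan(settings, cmd="echo %%Host%% %%IP%% %%TS%%", omit="", domain_members=(), clock=datetime.now):
    """The command lines one --cmd setting would hand to cmd.exe, one per surviving target."""
    started = clock()
    commands = []
    for target in collect(settings, domain_members):
        # --omit: skip when the enumerated name or IP matches the regexp (given without the //)
        if omit and any(re.search(omit, v, re.IGNORECASE) for v in target if v):
            continue
        line = expand_command(cmd, target, started, clock())
        if line is not None:
            commands.append(line)
    return commands

# Constructed settings: a /29, a list with one unresolvable name, a host file with a comment line.
SETTINGS = [("--IP", "10.0.1.0/29"),
            ("--list", "FS01.mydomain.local, box99.mydomain.local"),
            ("--flist", "\\\\dc01.mydomain.local   the DC, again\n\nprnt01.mydomain.local\n")]

if __name__ == "__main__":
    for line in plan(SETTINGS, omit="(DC.*)|(PRNT.*)", clock=lambda: START):
        print(line)
```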


Spam Counter - 2009 September: 818

More phishing than usual.



If you want to conceal your plan for a mass redundancy day, it's probably best not to book out every meeting room in the place all day....


Wrong Impression

I was very taken by this picture from the front page of the LogMeIn site.

On the site it's animated: we have the shady character in an upstairs room hacking away at an unattended machine in an empty office.

That can't really be the impression they want to give, can it? Is that what they're selling?


Not Idle; Moral!

In a month or so, every adult who works as an employee or volunteer with children or other vulnerable groups has to be registered with the Independent Safeguarding Authority. This is an extension to the current criminal record check, because the assessment is continuous. What that means is that if a rumour or suggestion falls into the hands of a police force, government agency or local authority at some future time, the registration can be withdrawn at that point, and the employer/organiser warned off, unattributably, under pain of a £5,000 fine.

The Home Office are saying that there will be more than ten million names on the list, dispensing information from hundreds of sources to hundreds of thousands of users, and the records will be up-to-date and truthful. Since the aim is so laudable, and the consequences of screw-ups so dire to innocent and guilty alike, we must wish them "good luck with that".

I'm not against this sort of thing overall. The test is always to move away from the emotive area of child protection and see how we feel then. If you apply for a bank job, is it good that your proposed employer is able to learn about your convictions for swindling or your creditors' arrangement before they give you the safe keys? Yes, it is. Society is mobile and people do use that to hide. But this scheme fails for me, on top of its basic impracticality, because its boundaries are just too wide -- essentially, if the criteria for inclusion are fair and worthwhile there's no good reason why it shouldn't be applied to parents or at least step-parents, and that takes it into political and moral absurdity.

But I do have a slight problem. You see, the papers are full of warnings that volunteers -- the sports organisers and the reading assistants and millions of other helpful people -- will be deterred by the unpleasant thought of being on a list where they are graded and assessed for the risk they present to children. And this is a colourable view: the rules of the Standards Board certainly reduced the number of upright citizens willing to serve as parish councillors, and certainly I reckon I would much rather be judged on whether I had declared all my financial affairs than have some civil servant noting that my late marriage was a marker of sexual irregularity and a risk factor for proneness to abuse children.

On principle (like I say, it's a bad scheme, see?) I won't be registering, and that means I won't be volunteering, and will have to decline requests that I do so. But I am also aware of a slight hint of relief as I make that choice. Essentially, because of my strict moral standards, I can't do PTFA stuff; I can't do carpools, I can't mentor, I can't help with reading. All these things which I didn't do before, because I was a bad person, I'm now not doing because it's important to make a stand against idiot completists in the civil service. Result!

I'm not doing anything this evening: Fancy a swift half in the Angel? See you there.


Wireshark is OK, But a Bit Heavy

For sheer absence of dicking around, nothing beats tcpdump(1), which ought to be in your Linux install. I had to find out what systems were still using the old time server, which, happily, was an ancient Slackware and, consequently, a Proper Operating System.

tcpdump -c 10000 port 123 > clockies

gathers the first 10,000 NTP packets, and, in another terminal session

gawk '/[0-9] 10/{print $2}' clockies | sort | uniq

gives you a list of the IPs (and you don't have to wait for the first one to finish.) Run wc(1) at the end of the second pipeline from time to time, while the first is still running, and you can see if any new IPs are cropping up.

What I like is the query language: for NTP packets there's just no more intuitive way of writing the search than "port 123".

SetACL for Command-Line Permissioning

SetACL looks like a saucy little alternative to approaches I've taken here before:
  • Unlike CACLS it uses a simple permission language -- no SDDL
  • Unlike CACLS and chmod(1) it works on services, registry keys, shares and printers
  • Unlike SubInACL it's not mental
I think I need to get familiar with this.....


Spam Counter - 2009 August: 967

Very evenly mixed bunch. I liked "Stimulate her grotto better"

Media Studies

The more mad son has an email account so he can be subscribed to things. To keep on top of any problems, I have it set to forward copies of anything he receives.

Today his Youtube account got its first subscriber (thanks for that, 344). I was so surprised that I took a look at his home page and one of them is getting decent viewing numbers -- in the hundreds. There's no huge skill in what he does, but he does make lovely explicit titles, and I guess they come up well in the searches.

But here we have a boy, autistic as they come, having more success -- much more success -- publishing free content than a lot of other people. Me for example.


Mental Health Warning

You never learn anything good about yourself when you read other people's diaries or emails. But we routinely ask managers to look at leavers' emails to ensure nothing gets missed. I think we'll carry on doing that, but it looks like we need to start each permission with a mental health warning.

This week a manager reading a leaver's email found a disobliging reference to herself from another member of her team. Sort of understandable as there was no subject line so she couldn't avoid reading it, but perplexingly she's straight off to HR on the fifth floor.

It's perplexing because if I discovered that my team thought I was a CNUT -- their spelling -- I don't think I'd be going to HR, not as the first stop anyway. I'd be keeping it dead tight, so that being disliked as a manager didn't count against me next review time... and spend the time finding ways to punish the cunt.


Spam Counter - 2009 July: 1010

Penis 60%
Acai 10%
Watches 5%
Other 15%


Privacy is a Stupid Obstacle

This is why people hate smug gits like Paul Sayner.
Perhaps we should call "Paul Sayner risk" the risk that idiots will pretend that human values don't matter.

Sergey Aleynikov Risk

Here's another risk with a name and the name is Sergey Aleynikov.

Aleynikov risk is loss of proprietary code to authorised staff. Apparently he was caught by a session log.



These (http://www.ne.anl.gov/capabilities/vat/seals/maxims.html) from the security team at the US Argonne National Laboratory are worth a three-day seminar...



As Fail goes, this one is a) personal and b) embarrassing.
Four years ago, just as I was starting this position, I met a recent contractor leaver on the train. In our conversation it emerged that he was getting email from his work account. I asked him how and he wouldn't tell me. Playful, but definite, refusal. I think he wanted to impress me with his skills. I checked -- with some difficulty, our logging is better now -- and his account was definitely disabled, the VPN accesses made sense, and I had a hundred other holes to fix, so I let it go. He was an honest man, so I was annoyed rather than fearful.
Now one of the things we fixed, as four years roll by, is the leaver process. Accounts are disabled on departure and deleted after three months and we have two independent cross checks to confirm that. Home drives and mailboxes are kept for three months for reference, archived, and deleted with the account.
So now, in 2009, we're looking at data leakage. I wrote a report to identify top correspondents to specific mail addresses -- looking for a John Smith sending two hundred mails a week to johnsmith8209@yahoo.com. To cut a long story short, I found what I was looking for, but I also found, way up that list, a leaver: left a couple of months ago. She shouldn't have been sending anything, but there it was -- all off to personal accounts -- several of them, apparently.
And this is my problem. We disable the accounts and log-off or re-build the workstations, but that doesn't -- contrary to all the assumptions of auditors and provisioning experts, stop leavers from running code. You can't disable an Exchange mailbox and so any server-side rules -- and yes, that includes forwarding rules -- will continue to run.
I don't quite know what to do about this.

  • It's quite laborious to set up to remove rules from someone else's mailbox as Outlook only displays rules from the primary mailbox.
  • The MAPI Editor lets you remove rules if you attach the box to your profile, but it's a complex tool with a huge capacity for mischief or misfortune, and anyway I'd really rather disable them.
  • There are some gateway options, but they're very global, and I don't want a global ban (I might go for it though, if it's all I can do.)
  • We could do the box early in the leavers process, but not instantly, and that's when I want the rules to stop.
It seems like there should be a utility -- point it at a mailbox and it unchecks the "enable" on every rule that forwards mail -- ideally, every rule that forwards mail to a non-local address. I can find documentation for Exchange 2K10 which has Get-InboxRule and Disable-InboxRule. But twenty minutes with MAPI Editor shows me it may not be that easy...
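Roughly the utility described above, as an added example rather than anything from the post: it walks a leaver's inbox rules and disables those that forward or redirect to an address outside the accepted domains. It assumes an Exchange 2010 Management Shell session, the Get-InboxRule and Disable-InboxRule cmdlets the post mentions plus Get-AcceptedDomain, and that the shell renders rule recipients as strings containing `[SMTP:address]` for external addresses and `[EX:...]` for internal ones; the script name in the usage comment is hypothetical.

```powershell
# Added example (not the post's code): disable every enabled inbox rule on a
# leaver's mailbox that forwards or redirects mail outside our accepted domains.
# Usage (hypothetical file name):  .\Disable-ExternalForwarding.ps1 -Mailbox jsmith -WhatIf
# Assumes an Exchange 2010 Management Shell; the recipient string format
# ("Name" [SMTP:user@example.com] / "Name" [EX:/o=...]) is an assumption.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,
    [switch]$WhatIf
)

# Domains we treat as local; anything else is an external destination.
$localDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Get-ExternalTargets {
    # Return the addresses in a rule's recipient collection that are not in a local domain.
    param($Recipients)
    $external = @()
    foreach ($r in @($Recipients)) {
        if ($null -eq $r) { continue }
        $text = $r.ToString()
        # Legacy-DN entries are internal recipients and cannot leak mail outside.
        if ($text -match '\[EX:') { continue }
        if ($text -match '\[SMTP:([^\]]+)\]') {
            $addr = $Matches[1].ToLower()
        } elseif ($text -match '^[^@\s]+@[^@\s]+$') {
            $addr = $text.ToLower()
        } else {
            # Unrecognised form: report it as external so it gets disabled rather than missed.
            $external += $text
            continue
        }
        $domain = $addr.Split('@')[-1]
        if ($localDomains -notcontains $domain) { $external += $addr }
    }
    return $external
}

$rules = Get-InboxRule -Mailbox $Mailbox
foreach ($rule in $rules) {
    if (-not $rule.Enabled) { continue }
    # All three actions can push mail out of the organisation.
    $targets = @()
    $targets += Get-ExternalTargets $rule.ForwardTo
    $targets += Get-ExternalTargets $rule.ForwardAsAttachmentTo
    $targets += Get-ExternalTargets $rule.RedirectTo
    if ($targets.Count -eq 0) { continue }

    Write-Output ("{0}: rule '{1}' sends mail to {2}" -f $Mailbox, $rule.Name, ($targets -join ', '))
    if ($WhatIf) { continue }
    # Disable rather than delete, so the rule itself survives as evidence.
    Disable-InboxRule -Identity $rule.Identity -Confirm:$false
}
```

Run it with -WhatIf first to see which rules would be touched; a mailbox-level ForwardingAddress is a separate setting and is not covered by inbox rules.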


In Favour of Delinquency

Anti Virus software doesn't work if it's not installed, running, and updating signatures. What with one thing and another, it's hard to keep AV installed and running on every machine, and so we need a metric to manage by.

It's conventional to measure coverage: "90% of our machines have updated their signature file within the last week". The number and the age are arbitrary -- it could be 80% or 99% or whatever within a day or a month. (But it certainly seems hard to stay above 90% with McAfee...)

But I think coverage is an inadequate target, especially for servers. You have to watch it, certainly, but it's not enough. The problem is that a coverage report says nothing about how long machines are out of compliance -- you risk being satisfied when some machines never, ever, have current AV scanners. Imagine a network with a thousand machines -- if everything is up to date except for two file servers and the DCs, then your coverage is over 99%, but your overall situation is not at all pretty.

Worse, coverage isn't a good guide to the best next action. Are you going to fix the agent on that critical server with its rare maintenance window? Or patch up a couple of workstations? If you just want to get the coverage up you're going to choose the workstations, and you'll be wrong to do so.

Delinquency is a different metric. It measures the proportion going unfixed. It's the percentage of the non-compliant machines in the latest snapshot that were also unfixed at an earlier one, and haven't been fixed in between. The lower the delinquency the better -- a high delinquency means that AV installs are breaking and not getting fixed, a low one means that you are keeping up with the workload.

The levels I like are these:

  • For servers, I think the delinquency should be zero, but the lookback period should allow for the time taken to get a maintenance slot on a server. For us, that's seven weeks. It's simply a claim that everything should be fixed in one maintenance cycle, so you can't leave those DCs without current AV.
  • For workstations, some delinquents are acceptable. So we say 10%, with a lookback of one week.
It's not ideal. It's harder to compute as you need historical data. But it does tell you what to do first.

And coverage? Well, if you're fixing the breaks, it hardly matters. Like all metrics, delinquency can be gamed if it's your only target, so the best plan is to set something easy like 90% and leave it at that.
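The two metrics side by side, as an added example that is not from the post: coverage and delinquency computed over a series of AV compliance snapshots, using the post's own scenario of a thousand-odd machines where only two file servers and a DC are broken. The snapshot layout, machine names, classes and dates are all constructed for illustration; the server and workstation lookbacks are the post's seven weeks and one week.

```powershell
# Added example, not from the post: coverage versus delinquency over a series
# of AV compliance snapshots. Machine names, classes, dates and the snapshot
# layout are constructed for illustration.

# A snapshot is a date plus a hashtable of machine name -> $true when the
# signature file was current on that date, $false when it was not.
function New-Snapshot {
    param([datetime]$Date, [hashtable]$Status)
    New-Object PSObject -Property @{ Date = $Date; Status = $Status }
}

# Coverage: percentage of machines in a class whose AV is current in the latest snapshot.
function Get-Coverage {
    param([object[]]$Snapshots, [hashtable]$Classes, [string]$Class)
    $latest = @($Snapshots | Sort-Object Date)[-1]
    $names = @($Classes.Keys | Where-Object { $Classes[$_] -eq $Class })
    if ($names.Count -eq 0) { return 0 }
    $current = @($names | Where-Object { $latest.Status[$_] }).Count
    return [math]::Round(100.0 * $current / $names.Count, 2)
}

# Delinquency: of the machines broken in the latest snapshot, the percentage
# that were also broken at every snapshot inside the lookback window, i.e.
# nobody has fixed them in between. Lower is better; servers should be at zero.
function Get-Delinquency {
    param([object[]]$Snapshots, [hashtable]$Classes, [string]$Class, [int]$LookbackDays)
    $ordered = @($Snapshots | Sort-Object Date)
    $latest = $ordered[-1]
    $window = @($ordered | Where-Object { $_.Date -ge $latest.Date.AddDays(-$LookbackDays) })
    if ($window.Count -lt 2) { throw "Not enough history to look back $LookbackDays days" }
    $broken = @($Classes.Keys | Where-Object { $Classes[$_] -eq $Class -and -not $latest.Status[$_] })
    if ($broken.Count -eq 0) { return 0 }
    $delinquent = @($broken | Where-Object {
        $m = $_
        $fixedInBetween = $false
        foreach ($s in $window) {
            # Missing from an older snapshot (a new build) counts as fixed: it is not a neglected machine.
            if (-not $s.Status.ContainsKey($m) -or $s.Status[$m]) { $fixedInBetween = $true; break }
        }
        -not $fixedInBetween
    })
    return [math]::Round(100.0 * $delinquent.Count / $broken.Count, 2)
}

# ---- constructed estate: 20 servers and 1000 workstations ----
$classes = @{}
$servers = @('FS01', 'FS02', 'DC01') + @(1..17 | ForEach-Object { 'APP{0:D2}' -f $_ })
$workstations = @(1..1000 | ForEach-Object { 'WS{0:D4}' -f $_ })
foreach ($n in $servers)      { $classes[$n] = 'Server' }
foreach ($n in $workstations) { $classes[$n] = 'Workstation' }

function New-Status {
    # Everything current except the named machines.
    param([string[]]$Broken)
    $h = @{}
    foreach ($n in $classes.Keys) { $h[$n] = ($Broken -notcontains $n) }
    return $h
}

$today = Get-Date '2009-07-01'
$snapshots = @(
    (New-Snapshot ($today.AddDays(-49)) (New-Status 'FS01', 'FS02', 'DC01', 'WS0007', 'WS0010')),
    (New-Snapshot ($today.AddDays(-21)) (New-Status 'FS01', 'FS02', 'DC01', 'WS0007')),
    (New-Snapshot ($today.AddDays(-7))  (New-Status 'FS01', 'FS02', 'DC01', 'WS0007')),
    (New-Snapshot $today                (New-Status 'FS01', 'FS02', 'DC01', 'WS0003', 'WS0007', 'WS0010'))
)

# Overall coverage looks fine, which is exactly the trap described in the post.
$current = @($classes.Keys | Where-Object { $snapshots[-1].Status[$_] }).Count
'Overall coverage: {0:N2}%' -f (100.0 * $current / $classes.Count)
'Server coverage: {0}%' -f (Get-Coverage $snapshots $classes 'Server')
'Server delinquency, 7-week lookback: {0}%' -f (Get-Delinquency $snapshots $classes 'Server' 49)
'Workstation delinquency, 1-week lookback: {0}%' -f (Get-Delinquency $snapshots $classes 'Workstation' 7)
```

With this data overall coverage is above 99% while server delinquency is 100%, and WS0010, which was broken seven weeks ago, fixed, and has broken again, correctly does not count as delinquent.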


I Read Your Mail Headers

Nobody comments on the most obvious feature of the Interception Modernisation Programme -- the scheme to put intelligent sniffers in every ISP, funnelling anything GCHQ wants back to Cheltenham.

It's totally unauthenticated. Sniffers are purely at the network level. It identifies IP addresses, but not users. Without getting into the great "IP is [not] Personally Identifiable Data" debate, it seems pretty clear that this material will have to work pretty hard to prosecute anyone.

So it's just intelligence gathering? Pure snooping?

If You've Done Nothing Wrong, You've Got Nothing to Fear

So we're told. But it didn't work for Jacqui Smith.


Spam Counter - 2009 May: 1358

That's bad.

I'm seeing Acai Berry among other approaches to the size of my waist and a renewed emphasis on the size and stiffness of my male member. There are fewer fake watches -- the SS Submariner -- and a very few swine flu.


Obvious Really

I'm not interested in concealing my identity, exactly, but I don't put my real name on these because any security writing that uses real-life examples will sometimes be about Fail, even if it's Fail rectified, and who wants to go public about their own employer's Fail?

Even so, I've always been circumspect about what I say because I've felt that the intersection of the things I talk about -- Kent, Finance, Computer Security, Old man -- is going to be a pretty sparse set. Anyone who cares could find out who I am.

So it's interesting to see Schneier blogging about some research from PARC. Apparently the end-points of a regular commute are sufficient to identify a huge proportion of people. Pretty much all that's required is that the granularity is fine enough for people to be working in a different zip, county or whatever from the one they live in.

I'll be more careful in future. I have a plan.

Classic Fail

Went to pick up my printout from the printer and there it was: The biggest secret in the firm, and one from which I am firmly excluded. Ninety colour pages which someone had collected, collated and left prominently displayed to be picked up.

A few minutes in the event log of the print server gave the answer -- the same document printed twice in succession: the signature of a user losing track of what they've done. He's back on track now.

The report had been out on display for thirty minutes when I found it. I imagine the person who tidied it up will be one of the three people who used that printer between me and the inadvertent leak. But who else saw it is much harder to tell.


Contactpoint Security Misses the Point

ContactPoint, the government list of children, is live today in test areas. When it's complete, it will hold contact details for every child in the UK, with a NIN and a list of the agencies dealing with the subject.

The rights and wrongs of this are one thing, but there's a gap at the heart of the published security policy (pdf) -- they've left one point out, and it's the hard part that makes the rest work.

They're proud of the access control -- it'll be two factor and the web access won't work from just anywhere (I hope it'll be limited to registered IP addresses). Users will need to be in a role that requires access and have passed CRB checks.

But it fails, it misses the point. Apparently the designers expect there will be three hundred thousand users across the NHS, education authorities, LA social work departments, the police, courts and probation service. It seems on the low side, but just that number gives us around a thousand retirements a month. Add in all the role changes where users no longer need the access, or change employer or reporting line enough to change the origin of their entitlement and I call that around five thousand leaver events a month.

No doubt ContactPoint has the staff to do it, but however will they hear about the leavers? We have enough difficulty finding the leavers in a few hundred users, and we have access to the payroll. It looks as though ContactPoint is going to be dependent on users or managers volunteering that they no longer need the access. With all the good will in the world -- and social work departments are often very replete with ill-will -- that's never going to be anyone's top priority.

I'm not surprised they left it out. I wonder when it's going to bite.


Password-Stealing Spam

Big current spam trick: The stolen webmail account.

Hotmail etc. make it hard to register accounts for spamming, so a lot of mail out of their relays isn't spam. And that means that spam detectors mod up mail coming through those gateways -- if it's truly from Hotmail, it's much less likely to be spam. So we're seeing a resurgence -- it feels like 1998 -- of spam from public webmail services. Examined, it turns out:

  • To be from a real MSN/Hotmail/Yahoo account (they're not just spoofing addresses -- that wouldn't work)
  • To be pushing Chinese electrical goods (if it was stiffy lollies, the language would push the spam balance back to "block")
  • It's all sent from Chinese IP addresses. Whether it's .fr, .co.uk, or whatever, it's all pirated from China.

I wrote about this, from the other side, last year. But this is more sophisticated, going to big lists, not just address books.

Just another penalty of being spywared.


Spam Counter - 2009 Apr: 986

But it was 1300 earlier in the month.

There's a big new botnet at work -- quarantines have vastly increased lately. Mostly traditional stuff with rather more images and spam poetry than we've seen lately.

One thing that stands out is the new wonder drug: Magnesium Oxide. Why am I getting Magnesium Oxide spam? It's milk of magnesia -- an antacid. Why would anyone buy that online? What really perplexes me is that they obviously expect their target market to know why they want it -- or is it that people who respond to spam are precisely the people who will buy anything?

Uphill Battle

(Two FSA posts in two days -- bad sign.)

The FSA have lately been taking a very hard line on data leak risk, and they themselves deal with extremely sensitive information.

So it does seem rather hard that they can't accept or originate TLS encrypted email. It's doubly hard that they use Messagelabs which handles TLS easily -- encryption must have been explicitly disabled.

So I have to dick around with fancy encryption utilities to get something that should be free.


Facing Up To It

Just a little note about our pandemic planning.

When the system was set up, we canvassed the business very carefully. Who could work at home, and who would have to come in?

The message was clear. Investors and traders could not work at home. They needed their colleagues around them, they needed their morning meetings and their bosses and compliance reps needed to see them. Delivering the order management and dealing apps on the pandemic remote access system was unnecessary and actually dangerous. Fortunate really, as some of them do not respond well to Citrix.

Well, now here we are, and I sense a slight quavering of the upper lip. When you really think about it, the idea of wealthy, numerate, well-informed and self-confident men and women with family responsibilities actually risking a lethal infection to nurse their portfolio is a bit daft. They'll stay home whatever the boss says. The first two or three, you can sack, but if it's the whole team, it becomes our problem not theirs.

Meeting tomorrow to start the process -- "well, if that's not what you really meant, what do you mean?" We'll see how it goes.

Meanwhile, Mrs U is discussing what food to stock-pile.

G20 Meltdown Saves the Finance Sector

The protestors -- G20 Meltdown and the climate campers -- did a big favour to London finance firms.

For three years, the FSA has been nudging us to do "pandemic planning" -- to prepare for situations like a legal or de facto quarantine where most staff will be staying at home by choice or under legal compulsion (or a train strike, or civil disorder or ...) This isn't DR proper -- if you don't want to say pandemic (and I don't, it's silly) you can call it Colleague Availability Planning.

And since we are a good and dutiful regulatee we have done what we can. In our case, that's a Citrix farm and an SSL VPN, with security settings that make it a little less unsafe when it's accessed from untrusted PCs. To ensure it's running and up to date, we use it for most of our remote access (I've preserved a little dignity by insisting that remote admins, and staff who need off-line access to data, still have to use a trusted laptop.) The gimmick is that the equipment is grossly overspecified. Over a normal day, maybe 2% of staff log on. But the farm, the gateways and the Internet access are sized for 50%, and that presented us with a problem. We had no idea whether it could handle the planned load, as we could never arrange for that many to try it at once.

We got some information from the snow day in February -- that got us up to 15%. But the G20 demos were another thing again. Staff told to work at home, and pretty much told that unless they showed up on the VPN they'd be taking the day as holiday.

The first day, we struggled. A lot of silly glitches and one big one -- the presentation servers in the farm had not been built to specification. Very easy to fix, as it happened, and the second day went smoothly with about 40% of users -- pretty much the expected number -- on line.

And that's the gift that the G20 protesters gave us. Whatever you think of Mexican Swine Flu, you can be certain that we'll have to demonstrate to the FSA that our pandemic plan is up to scratch. And, now, thanks to the crusties, we can say, confidently and truthfully (and you need both to speak to the FSA) that it is.

Thanks, guys and gals! Was that what you wanted to do for us?


OPD (1 per Decade)

Naked-eye planets, obviously.

To be honest, I never expected to see Mercury. It's much harder to spot than Jupiter, Mars, Venus and Saturn. And I haven't seen Saturn, confidently, for a while.

When I went out to shut up the chickens at 21 my eye was captured by one of the prettiest new moons I've seen. A tiny crescent silver sliver reclining, cradling a huge oval of earthlight in the last purple of the sunset. And there it was -- just off the moon/sun line -- the only star visible between the moon and the horizon.

I'd been tipped off by the night sky column in the LMS's BBC Focus magazine. "Surprisingly bright" it said and bright enough it was. And that's my lot. If I want to see another planet, I'll need binoculars. But the LMS is off to a good start.


How Sweet

This is mostly a funny story. "Now, boys, you are getting F grades at school for the exact same reason that you probably shouldn't bother trying to hack into the systems to change them... "

Perhaps it's wrong to laugh. The Sumitomo hackers were prosecuted with evidence gathered by the spyware they left behind. Keyloggers are two-edged swords.


X Detectors

This is an interesting story on the BBC. It appears that as part of their probation, a pilot sample of convicted sex offenders are to be interviewed under a polygraph in an attempt to catch them sliding back into abusive behaviour.
I don't think any official body in the UK, certainly not the courts, police or the probation service are prepared to say that lie detectors "work" -- in the sense that they reliably detect when an interrogation subject is lying. The problems seem to be:

  • Unconscious physiological arousal is not solely caused by lying (should this get a "duh"?),
  • Some very dangerous people lie without turning a hair,
  • Guilty subjects are disproportionately motivated to inform themselves about the devices and learn to overwhelm their measured responses with willed arousals,
  • The innocent are undone by the free-floating guilt that afflicts so many of us (sometimes seriously), or by "false" positive rates that the American Polygraph Association seems to believe range up to 15%.
So this has been an obstacle to adoption of lie detectors in the UK. They don't work, and even if they did sort-of work the false positive rate would be oppressive in a population where even a small proportion of people are guiltless. But investigators and enforcers love the idea of the polygraph: it's just so sciencey and promises an amazing shortcut. What polygraph enthusiasts want is a group which no-one will defend, which is universally assumed to be permanently guilty, and it looks like sex offenders are chosen.

The bit that interested me is the quote from Professor Don Grubin, the man behind the tests:
"Disclosures made during polygraph examinations, as well as conclusions drawn from passed or failed examinations, allow probation officers and the police to intervene to reduce risk ... Just as important, it is also aimed at enhancing the co-operation of offenders with supervision, helping them to focus on, and avoid, the sorts of behaviours that make re-offending more likely."
That is a very careful statement indeed, and I hope the Beeb haven't picked out something unrepresentative. Grubin is a proper academic at a proper university -- Newcastle -- where the university profile identifies his current approaches to sex-offenders as being polygraphy and Prozac. And on the strength of this quote, it seems that he finds the chief value of a lie detector is that it's called a "lie detector". He does mention passes and failures, but his focus is on the interview itself. It appears that the purpose of the "lie detector" is not to spot lies, but to persuade the subject that telling the truth is the best plan.

Now I don't think this necessarily a bad thing. We needn't worry about intelligent psychopaths who can fool the machine -- because this isn't about the interviewer believing the results. There's no objection to interviewing probationers -- it beats prison, and interviews in these particular cases might actually be helpful.

A little bit of stagy flim-flam in the form of lie detectors doesn't really make a moral difference -- it's on the same level as good cop/bad cop or Reid. I do worry that the idea of the polygraph as a worthwhile tool of investigation will acquire a spurious respectability -- we mustn't reach a situation where a spoken denial plus a "lie" response is treated as a confession. I worry that if this goes beyond the pilot, it'll create a constituency of "skilled polygraph operators" which will tend to expand its area of operations regardless of value. But overall, when many of these subjects -- people convicted of nasty crimes with a huge recidivism problem -- believe that the impressive device can read minds, that's good, provided no-one, er, lies about it. And that's the rub.

Professor Grubin is treading a careful line. Somewhere on the continuum from
  • "this machine has no real function, but we hope you will believe, mistakenly, that it is a lie detector", through
  • "this machine records your physiological arousal and correlates it with your answers to the questions I ask", and
  • "this is a polygraph, more commonly called a lie detector", right up to
  • "this machine will tell me if you lie"
there is a moral limit. Grubin knows it's there. He's going to spend the next three years wondering whether he's gone over it.

And if we want to avoid dancing around with truth and falsehood we need a better name than "Lie Detector". The machines may have a use, but detecting lies isn't it.

[Updated 2012-07-20 when the pilot completed. Para after the bullets expanded to identify the appeal of  sex offenders as a target for this.]


Naming More Risks

On the theory that risks need names, here's a couple more from the recent Sumitomo bank job.

  • O'Donoghue (Kevin) risk: Bent security guards.
  • Rodley ("Lord" Hugh) risk: Dealing with stereotypical peers who aren't in Debrett's. Check the photo in the BBC report...
There are some lessons there as well.
  • First reports are generally wrong. On the morning the arrests were made, I was told to drop everything and check out all machines with access to SWIFT for keyboard loggers. Which would have made sense -- probably does always make sense -- but wasn't relevant to the facts of this attack, which was based on software loggers.
  • Access control around documentation is not security by obscurity. Or if it is, then SbO works. Because what allowed Sumitomo to keep its funds was the mild complication of the fund transfer setup.
  • Business-hours limitations would have made sense, too.

Spam Counter - 2009 Mar: 939

At least it's not going up.
"Update your manhood here and now" (upgrade?)


Authentication News Roundup

Two items tonight, on the Authentication Hotline

Rubbish Disguises
City financial types are being directed by firms and industry bodies to wear casual clothes on the riot days, so they don't stand out. It's a lovely idea -- take one middle aged bank operative, replace suit with M&S chinos and polo shirt and Shazam! indistinguishable from a climate change protester.

Or maybe you could try wearing a keffiyah. That should do it.

Effective Disguises
New spam trend: We're starting to get stiffy lolly spam pointing to .cn sites. The sender appears to be bright enough to realise that firms have filters which spot this a mile off, but also that there will be approved addresses bypassing the filters. So this mail is spoofed from plausible addresses. Yesterday I removed unisys.com from our approved list which should stop the immediate problem, but the attack is going to work until there's some way of authenticating envelope sender addresses.

The problem will really kick off when spammers realise that everyone has a bypass for FT.com because their news alerts are totally indistinguishable from spam.

I guess we need a checkbox. For any bypass, domain or just a single address, you need to be able to say "only bypass if the sender is SPF authenticated".


"It's Wrong to Wish on Space Hard Ware"

I wish, I wish, I wish you'd care.

I saw the space station!

On Monday night, I did it properly, looked up the ephemeris on Heaven's Above, prepped up the less mad son, and saw it rise and brighten splendidly out of the ruins of the sunset, fly right overhead, flare sunset orange and drop suddenly into the shadow about ten degrees past the zenith. All highly satisfactory, and making me feel like a Proper Dad.

Then today, walking west on my way home from the station, a familiar-looking star caught my eye with its rapid rise and increasing brightness. I watched and sure enough it disappeared twenty degrees past the zenith. Pure fluke, but I caught the time and there's the transit on the site.


Minor Identity

The less mad son just had a significant birthday and Mrs U was fulminating about the difficulties the building society put in the way of his opening a teenager's account -- effectively the full-scale anti-money-laundering precautions for a pass-book account with no cheques and a cash-only card. As a minor can't be held to a contract, she couldn't even see the point of asking for a signature.

But I can. If I was laundering money, I think the prize of a full scale bank account attached to a false identity would be well worth waiting a few years for. And in the meantime, spending rich uncle Lenny's generous birthday and Christmas gifts on Premium bonds keeps the account warm, plausible, and busy with a spot of placement. So I don't blame them at all.


Existential Insecurity

The problem I have is that I don't believe in computer hardware.

This story puts it nicely. How can you fabricate and reliably operate a device with 16 billion capacitors, each holding 10 electrons? http://www.theregister.co.uk/2008/12/16/mlc_cpm_pcm/

It's not the physics. I believe in electrons. I did the Milliken experiment in school and I made a transistor in college.

And I've got over credulity gaps before: As a young man, I couldn't believe in computer processors and language compilers. I thought it was magic. It took a degree in computer engineering to see that you could build a processor out of NOR gates and a clock, and that a compiler was a data structure task preceded by lexical and structural analyses. I understand that the right mental tools can turn incredible things into engineering.

But this gap is just too wide. Think about the difference between a nice throwing rock, and a modern assault rifle. Or the difference between a cave with a fire at the front and the Bell Labs building in Holmdel NJ. There's a difference -- a huge difference. But is the modern as much as a thousand times more difficult or involved than the primitive? Stretching a point, is it as much as a million? It's not more, and it's taken many lifetimes to go from one to the other.

The simplest computer memory cell in modern designs is a transistor and a capacitor, more or less. That's one bit. You need eight to make a byte, and another for parity -- call it ten. So the 2G flash card in your camera, or the 2G DRAM on your PC -- and these are low values today -- is 2 × 10^10 cells. Twenty billions. The vast majority of them have to work reliably, predictably, over a service life of years. A single bad cell won't make the device unusable, but it can't tolerate many failures -- and this stretches my credulity.

Shockley was making recognisable transistors in 1947 -- less than a single lifetime ago. And now we have twenty billions -- not total in the world, but mass produced on a commodity component for a dollar. It's not a bit more of a step than the modern building or weapon. It's order after order of magnitude in a vanishingly short time. I don't believe there's any mental tool (Moore's law, the square law of miniaturisation ...) that will cover that gap.

So if you ask me how the ALU works, or what microcode looks like, or why recursive descent parsers are a good thing, I can tell you. But if you ask me why you can trust the data in your camera card or your memory stick, all I can say is that it's magic.


I Have Been Advised....

Mr Infrastructure sent me an email. He was escalating an issue his team had with security policy.

One phrase stood out: "I have been advised..."

This is the greatest cop-out ever. It means: "Because I don't claim to understand this, you can't challenge me on it. I win."

I challenged him.


Financial Insecurity

When I drafted this this morning, I wondered if I was the only one who interpreted this as a cabinet minister threatening Goodwin with a bill of attainder. A quick google shows I wasn't, and in fact there doesn't seem to be any alternative construction. The problem would arise at the ECHR and I suppose that's why mad Harry (or the rest of the government anyway) is backing away.
Mark my words. Sometime over the next few months, there will be a quiet announcement: The matter is settled, and the settlement is secret. Though the spokesman will be authorised to say that Sir Fred Goodwin has agreed to reduce his pension payments. And every year, £700,000 will be paid out -- under a variety of headings -- to Sir Bentnose.

Spam Counter - 2009 Feb: 972

Mostly drugs. Some Rolex. I particularly liked "Unlock her odorant gates" but it was just a graphic so I can't tell what it was about.
It's going up. I suppose the spamternet has interpreted the loss of McColo as damage, and routed around it.


Trusting Strangers -- Why Certificate Authorities are like Credit Rating Agencies

My list of causes of the banking crisis isn't quite the same as everyone else's. For me it generally boils down to moral courage. Because I have none myself, I can recognise that it was missing in plenty of different places.

  • "Spineless non-Execs" rather than "Wicked Banker" and
  • Fannie and Freddie for not making it plainer that they were lending on this stuff in response to government fiat rather than thinking it was any good, and
  • Rating agencies for closing down credit discussion on the grounds that if it was good enough for Fannie and Freddie it must be A+ at least, and
  • Bankers (aha) for closing down credit discussion on the grounds that the securities were rated A+ by an independent rating agency, and
  • Bankers (yes!) for saying that as everyone else was making fortunes:

    • writing liar's mortgages at tempting rates, and securitising them on
    • lending to doomed ventures, and securitising them on
    • buying A+ securities that somehow pay three points over base, and securitising THEM on
    they had better do the same, or the shareholders would kick their arses, and
  • Shareholders for kicking the arses of anyone who missed these amazing opportunities
  • and you know who else? Lying or self deluding borrowers. That's us.
Oh. I'm ranting. Let me get this back on track. Check out the credit rating agencies. They're right in the crux of this. Their business is to turn more or less synthetic securities (anything from a strip or a mortgage bundle right down to a plain bond -- anything that's denominated in money rather than equity) into a capital "I" Investment. The fairy dust they sprinkle to do this is their rating. They form an opinion on the ability of the borrower to pay as advertised. That's not whether it's a good investment or the right investment for you, or whether the issuer will craftily exploit the early redemption terms or whatever. The rating is just Moody's or S&P's opinion on whether the coupons and face will be redeemed on the published dates. Ratings go from AAA which is supposed to be a dead cert down to ccc -- and you'll never get an agency to agree a correlation between the rating and a percentage probability.

Because of a long history of grade inflation, pretty much anything that can't make at least an A is called junk and a lot of investors aren't allowed to touch it.

Sometimes the agencies rate because they want media attention or because their franchise demands that they have an opinion on some popular issue. More often, they rate because the issuer pays to get a rating needed to get the issue away. You can't buy a particular grade, but the agencies will advise on how to get it, and if you're an investment bank there's such a thing as being a good customer of the rating agency... I don't really need to spell this out. Suffice to say that the investor (the technical term is "victim", these days) has no contract with the agency. If Moody's were to rate a bundle of Motown mortgages as A -- and some agencies were doing that -- and it defaults, then the owner of the bond, who trusted the rating, has no come back to Moody's when the bond defaults. It was the agency's published opinion, no more and no less. You relied on it at your own risk.

Now I expect that at some point you could say it was negligence, and of course rating agencies are controlled by financial regulators, but my point is a little different. Because there's a very fine parallel to this in the world of Internet security. The whole technical paraphernalia of X.509 has one purpose: to tell you, reliably, that the certificate authority has certified that the far end is the correct user of a name. You are trusting the certificate authority to do the necessary diligence, to refrain from certifying incorrect users, to guard their private key. (You are also, in effect, trusting them to do things they definitely do not do, like ensuring that the sites they certify can keep track of their private keys -- that's why the system is mad.) For ordinary users, this trust is a matter of default -- it's installed with the browser. Sites pay CAs for certificates because CAs pay browser authors to install their keys. The free-rider is the user, and that's a bad thing. No payment == no contract == no rights. As the rating agencies have shown us.


I Got Spywared

I ought to go into detail about this, but it's late so I think I'll go straight to the takeaways:

  • Don't browse as an admin. Resolving this has taken about fifteen hours over three days. I would rather have spent that time asleep. You can resolve a lot of LUA (limited user account) issues in fifteen hours. The problem here is that Firefox needs to be used as an admin to update, and I wanted 3.06...
  • It can happen to you. I was using Firefox, I didn't click on anything I was aware of, and the MS Antispyware 2009 installer ran. Arguably it's time to get into NoScript -- I've always put that off because I can't face setting up the exclusions.
  • It took me a long time to figure out what was going on. I was able to dump the overt spyware without too much difficulty, but the blocking of anti-malware domain names and the re-writing of Google search results in Firefox and IE to go via windows click dot com had me puzzled. It wasn't the hosts file: they've moved on -- it's device drivers now. I needed to get a clear understanding because I couldn't get any tools to run -- of course.
  • I needed help to figure out what device drivers were the problem. I found it at www.myantispyware.com which appears to be a guy called Patrik publishing instructions. God bless him. His advice didn't quite fit the condition of my machine -- no surprise after all the work I'd done -- but it gave me the names of the files to remove, and that did the job.
  • Everyone needs a boot disk. I could have used my Backtrack key, or anything else that could mount NTFS to write, but I had a copy of the Ultimate Boot CD for Windows so I tried that. It was slow to boot, but easy to use. If I wasn't really comfortable in Linux, UBCD would be my first choice. Without it, I would have had to follow Patrik's laborious instructions, and I might have chosen to re-install instead.
  • Everyone needs a fabulous hosts file. I got the Winhelp2002 version -- it seems pretty comprehensive.
  • Wow! A lot of competent-sounding people discuss malware in terms of removal, detection utilities etc. This seems insane to me -- it's really a question of not being admin. This is my first in years, and I don't have any of those tools.
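The hosts file is the first place to look for the two symptoms above (anti-malware sites black-holed, search engines redirected), and it is also where a blocklist like the Winhelp2002 one lives, so the two look alike and differ only in which names are hit. This is an added example, not the blog author's tooling: the PROTECTED list and the sample hosts file are illustrative assumptions.

```python
import ipaddress

# Assumed, illustrative list of names an infected machine must not be cut off
# from (help/anti-malware sites) or steered away from (search engines).
PROTECTED = ("myantispyware.com", "mvps.org", "windowsupdate.com",
             "google.com", "bing.com")
# Addresses a blocklist legitimately points names at; malware uses the same ones.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

# Constructed sample hosts file (not a real one); inline '#' comments are valid.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
0.0.0.0      ads.example.net          # blocklist-style entry: fine
127.0.0.1    www.myantispyware.com    # help site black-holed: bad
10.0.0.5     www.google.com           # search engine hijacked: bad
192.168.1.20 intranet.example         # ordinary local mapping: fine
"""

def is_protected(host):
    """True for a protected domain or any name beneath it."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping, skipping comments/junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        for host in fields[1:]:
            yield n, ip, host.lower()

def audit_hosts(text):
    """Return (line_no, host, verdict) for protected names that are tampered with.
    A blocklist entry for an ad domain is left alone; only protected names count."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if not is_protected(host):
            continue
        verdict = "black-holed" if ip in BLACKHOLE else "redirected to %s" % ip
        findings.append((n, host, verdict))
    return findings

if __name__ == "__main__":
    for n, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s" % (n, host, verdict))
```

A clean result from this check proves nothing on its own: as the post says, a redirect done in a driver never touches the hosts file.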


Extreme Hedging Porn

This is the butt end of a willow post. Now I do know that willow roots if you put it in the ground, but I needed a post and this one had a handy crook to hold down the benders. I figured it would be all right because it was going in upside down. There is no way at all that a cutting -- even willow -- could ever root successfully with its vascular arrangement the wrong way up.

One year on, you can see the crook -- three foot from the ground -- is fresh and green and sprouting new shoots.


I Am My Own Regulator

We've all seen stories like this, and they're getting more common. I first noticed it when the NHS lost crown immunity back in, ooooh, 1986. One branch of government regulates another, finds a breach and issues compliance requirements. The more deranged cases actually have one office fining another. The only person punished is the taxpayer, as the overall costs of government rise. In theory, careers suffer, but in fact the civil service requires a consistent record of egregious failure to have any effect on an officer's final pension.

The absurdity does get media attention, sometimes, but the level of comment is muted compared with the gross mentalness of the situation. I think the problem is that the only reasonable conclusion to draw is rather unfashionable: there are things that are unsuitable, by nature, by structure, to be done by the government.

If Brent PCT had been a private insurer or HMO, the costs would be borne -- in a fair setup -- by the shareholders. Fair is the challenge here of course, but it's a question of reasonably hard-nosed negotiation when the contracts are let. "Fair", in this context, pretty much means that regulatory consequences fall on the owners of the supplying firm. The dividend reduces, and the board decides whether the problem is severe enough to be worth fixing or insuring against, or whether it was better just to take the hit. If the shareholders don't like that choice, they sell out, the price drops and the bag-holders sack the board... And if the regulation is too hard to be borne, the supplier walks away and society gets a lesson in realism.

There's nothing available, structurally, to deliver the same result from a public sector supplier. Basically, all you can do is dock the pay of the managers, and watch your remaining sliver of talent in the civil service wither away. Except, you'll never succeed in touching their pay, and no-one who makes choices, no executive, will ever be motivated by any sharper spur than the desire to avoid a moderately difficult interview.


Burning the Evidence

Today, in pursuit of my ever-doomed goal of getting on top of my filing, I burnt a mountain of receipt slips and cheque books -- stuff that just won't shred -- from the nineties.

Burning documents isn't easy. You can't mound them up in a grate and set light to them -- I tried. Nor can you dump them on to a little fire -- they just put it out. Two approaches that have worked for me:

  1. Dump them on to a huge blazing bonfire. You'll need to keep turning until all the paper is gone, and you'll need to add plenty of branches or whatever to keep up the supply of hot coals. Make sure you don't end up the next day with a pile of ashes with sheaves of unburned documents in the middle.
  2. Start small in a grate. Once you have a flame, pile on a few sticks of kindling. Let that blacken and go for another layer of paper. Repeat until the flames are stable enough to add logs. Keep the fire mixed until the paper is all gone, then burn logs for a while to make sure.
The problem is that the pages stick together, and one way or another you have to counteract that.


Spam Counter - 2009 Jan: 850

850 -- Rolex and Canadian Phamacy


Avoiding the Issues

I ought to write about Conficker. The Dear knows I've stuck my neck out on that one, pre-emptively saying that we weren't vulnerable to a large-scale infection. But I already did, and the fear I felt then made me patch then, and that's why I'm moderately sanguine now.
I ought to write about the City, and the limited scope for information security if the information guarded loses its value in an afternoon. But what do I know?
And I ought to write about the more mad son, who is doing such stuff lately.

I'm going to write about the sky.

Yesterday morning, it rained so hard that my coat pockets flooded with rain running down the sleeves I'd tucked into them. If you were waiting in a platform shelter for the Cannon Street service at about ten to seven, and you saw a man hoicking up the skirts of his coat to pour water out of waxed patch pockets, that was me.

By the time I got back, in the dark again, the sky had cleared. I crossed the railway, went down the steps, and found myself stepping into water. I know that path and I know the floods so I walked into the spinney transformed into a river bed. The fields on the other side of the bridge were flooded out -- great smooth sheets shining in starlight. To the right, Venus decorated the old lady's land. On my left, a perfect reflection of Sirius and Orion. In the zenith, I counted six Pleiades.

When the path faded, the wading got deeper for a while, and I was trudging through the broad lay under that glossy, freezing, sky. As I looked up, a big orange meteor tore off Orion's belt and flashed twice as it headed straight down into the SE horizon.

Quite a night.


Lead vs Manage

A leader is judged on the performance of the team as he leads them. A manager judges himself on the performance of the team when he is not there to lead them. Prefer managers.


Spam Counter - 2008 December: 727

Still dropping. Maybe spammers take Christmas off. If the returns are as poor as we're told, that's not surprising.

MP3: All Right Now?

I had to draft one of my standard all-IT-staff circulars today. The removable media logs have started going to Risk and they read them with great delight, asking what Genesis\[album name]\[track name].mp3 could be. I think they know, really.

We don't block media types anywhere. Nothing says "*.mp3: DENY". There's plenty of business reasons to use media files. But it does mean the personal media files can flow through our systems.

It seems that Something must be Done. But the landscape has changed since the last time I sent out that note. It's possible, now, to be in possession of a legal MP3 of pretty much any track. I've been buying mine from Amazon. (And, yes, I checked, Genesis is on the list -- I just added Many too Many and Follow You Follow Me to my shopping basket.)

So why am I objecting? Personal use is legitimate, and these IT users have removable media access to do their jobs. I'm not entirely sure, but I think it's this:

  • MP3s moving through work PCs raises the possibility of sharing. That's not OK, and it would be directors' liability if it was happening.
  • It's unnecessary. Decent media players are so cheap these days that if you can't work without music, you don't need to play it off your PC.
  • And I just don't like to see IT types exploiting their extra privilege. We have rules about not using admin access for personal purposes, and while removable media doesn't directly arise from admin status, it's in the same sack as far as I'm concerned.
So I drafted something, but I haven't sent it out because there has been another change, and it's this. We've acquired some serious object access audit over the holiday, and one of the facilities is the file type search. This is my chance to locate the famous invisible media repository. Tomorrow I'm going to search for *.mp3 and we will see what we will see.
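A file-type search by extension only finds files that admit what they are; a renamed track (an mp3 saved as .xls) needs a look at the content. This is an added example, not the audit product's search or the blog author's script: it classifies mp3, ogg and wma by their leading bytes, and the sample tree it scans is constructed in a temporary directory.

```python
import os
import tempfile

# ASF (WMA/WMV) header object GUID, the first 16 bytes of every ASF file.
ASF_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")

def looks_like_mpeg_frame(h):
    """11-bit sync word plus header sanity (reserved version/layer, invalid bitrate
    and sample-rate indexes rejected). A heuristic: confirm hits with a decoder."""
    if len(h) < 3 or h[0] != 0xFF or h[1] & 0xE0 != 0xE0:
        return False
    version, layer = (h[1] >> 3) & 3, (h[1] >> 1) & 3
    bitrate, rate = h[2] >> 4, (h[2] >> 2) & 3
    return version != 1 and layer != 0 and bitrate not in (0, 15) and rate != 3

def media_kind(header):
    """Classify from the first bytes; None for anything that is not mp3/ogg/wma."""
    if header.startswith(b"ID3") or looks_like_mpeg_frame(header):
        return "mp3"
    if header.startswith(b"OggS"):
        return "ogg"
    if header.startswith(ASF_GUID):
        return "wma"
    return None

def find_media(root):
    """Walk root; return sorted (relative path, kind, extension_lies) tuples."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = media_kind(f.read(16))
            if kind:
                ext = os.path.splitext(name)[1].lower().lstrip(".")
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"),
                             kind, ext != kind))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: tagged mp3, bare-frame mp3 renamed .xls, ogg, UTF-16 text."""
    root = tempfile.mkdtemp()
    files = {"Genesis/album/track.mp3": b"ID3\x04\x00" + bytes(40),
             "quarterly_figures.xls": b"\xff\xfb\x90\x00" + bytes(40),
             "music/track.ogg": b"OggS" + bytes(40),
             "notes.txt": "\ufeffmeeting notes".encode("utf-16-le")}
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root
```

Run `find_media(build_sample_tree())` to see the disguised .xls reported as mp3 with the extension flag set; on a real share the third field is the list worth reading first.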

In the meantime, I see today that Apple are giving up on DRM, but the track price won't change. I couldn't help thinking of all the poor saps with their vast iTunes collections of DRMed music suddenly devalued by Apple's Amazon-forced coup. Still, serves 'em right for buying overpriced music players that can't do .OGG...


Best Christmas Present

This is not a joke. It's as big as it looks, it locks and unlocks with the keys, and the flap swings to cover the keyhole. It was retrieved when the contents of a country house in the family were broken up many years ago and now I have it!
It's security theatre. It looks the business, but it fails against Kerckhoffs' principle -- offhand, in two ways: it's not convenient to use -- the keys would destroy my key-ring -- and of course that key is thoroughly guessable