If you tell enough stories, perhaps the moral will show up.


We Are At War!

Possibly. The story has been running in the computer press for a fortnight or so -- google “Stuxnet Iran” -- but it’s gone mainstream with articles in The Economist this week.

A specific malware -- called Stuxnet by its original discoverers -- turns out to be:

  • Very sophisticated, robust and prolific, particularly well able to travel on USB memory sticks to infect systems kept off the Internet
  • Targeted rather specifically to attack WinCC, a notoriously insecure plant and process control system from Siemens
  • And, weirder, even at sites running WinCC, despite all that specificity, it doesn’t do any of the harm it is capable of. Except in Iran.
Because it seems that the Iranian nuclear fuel and reactor plants run WinCC. And when it’s activated in Iran -- the details of that aren’t clear -- it causes harm.

Cutting a long story short, the line offered to us is that Stuxnet was built by a well-resourced team to smash up the centrifuges at Natanz or even the reactors, by disabling the computers that manage them. The Americans are said to have form here. The Israelis have an obvious interest. And both nations have deep capabilities in development and experts in malware analysis.

I think this could very well be true. Stuxnet is really hard to explain on any other theory. It “wasted” a previously unknown Windows vulnerability on an esoteric target -- a weakness that could have made millions installing Zeus to collect banking passwords. The “waste” is just as gross when you consider the huge skill and work that’s gone into the code -- just to bugger up some plant for no obvious economic benefit.

So, Stuxnet is a weapon in an undeclared war against Iran. And that’s interesting because it’s a first look since Titan Rain at what modern information weapons look like. And what do they look like?

Well, unimpressive, mostly:

  • Slow. Stuxnet has been around for months, and if there was an effect at Natanz, it took a while.
  • Expensive. There’s a lot of effort in that code, no doubt, and a lot of investment in the test and development rig it first ran on, but the real cost is that as soon as it goes public it betrays the zero-day vulnerabilities it depends on for its unique spreading capabilities. Zero-days are wasting assets -- and the clock starts running the moment they’re used.
  • Weakly targeted. Stuxnet went global. It was designed to limit the harm in non-target sites, but it would be better from the security point of view if it had never got there. Global distribution tipped off every WinCC site, including the Iranians, to get smart.
  • Limited scale. You can’t do wave after wave of this sort of attack, as the victim will tighten up their patching and filtering, and at any time the supply of zero-days is limited.
  • Limited effect. The Iranians still have a nuclear programme.
  • And, finally, there’s no magic. No doubt Stuxnet is quality work, but it’s just a well made malware. Like all current malware, it’s a combination of understood techniques.

That last one seems crucial to me. If you do all the things that you should be doing to manage routine malware and zero-days: endpoint, removable media, gateways; then you’re also, and entirely for free, building yourself a bunker which will stifle many of the best efforts of the “cyber” warriors.

I’ve been meaning to write about the boondoggle called information war, but it will have to wait. All I’m going to say here is that I’ve felt for some time that even the idea of IW is unsound -- a hysterical reaction to the pathetic network security seen in the United States and the defence establishments of other countries. If Gary McKinnon can break into your systems by guessing telnet passwords, then, yes, probably you are at risk from rather broad attacks. But that has nothing to do with expanding warfare into the cyber domain and, frankly, everything to do with being a tosspot.

In the meantime, for the rest of us, the lesson of Stuxnet is that Information Warfare is, and remains, a matter for routine operational security.



OK. Another good title would have been "Idiot." It's a lesson to me. The lessons for you are at the bottom.

It all seemed so reasonable. The screen on my phone was going mental and it had to go for repair. I don't know enough about Android to be sure I'd erased sensitive info and so instead I had to change passwords for every app I used: Facebook, Twitter, my Google account and my email too. Just good practice. The phone was going in on Monday, so that's what I did on Sunday night. I was quite proud of myself.

Now I'm not foolish. I know the risks. I wrote the new passwords down on a piece of paper, and tested them. (Can you see where this is going? No, actually you can't. Read on.) My memory of that is very plain, though I was getting sicker minute by minute. I struggled back to town on the Monday, and spent the rest of the week preoccupied with a really horrible cold.

Back in Kent on Friday night, I thought I'd try and catch up with a week's worth of Twitter timeline. Except I can't log on. Check the bit of paper. Try cAPS lOCK. Try spaces or a punctuation trick. Nope. Try Facebook -- straight in. OK, so it's a silly error, and all I need is a password reset. Off to my mail to pick it up -- can't log on. Arses. Nothing I can think of will get me in. I even have a cached Twitter logon, but it won't let me change my email without knowing the password. And that won't help me get my email password back.

This is the fundamental problem with free services. There's no escalation. And by this time I was getting seriously vexed. It didn't help my peace of mind that there's a spate of password "guessing" attacks against personal email accounts at the moment. Or that the help page for my email blandly told me that the reset would be sent to my secondary email when I didn't have one.

So it's a good thing that there's one thing I don't get free: domain hosting. I pay a very large fee to use the excellent EasyDNS. I don't go there often enough to remember my password, but they do have a recovery system, and they do have a telephone with actual people who could change the email address once I was able to prove identity. Once I could change the zone file for my domain I could haul my way back into my mail. Hurrah.

So, yes, what are the lessons?

  1. Obviously, you can't remember all your passwords. Duh!
  2. Writing them down ought to be good enough but it isn't. Empirically proven! (Idiot.)
  3. You need a plan. At the very least you need to be able to say routinely that all your password resets will come to some email account or other. Realistically that has to be your main account because the same address is used by most services for ordinary communication.
  4. You need a password on your main email account which is different from the password you use anywhere else. Why? Because if any other service has its user/password list stolen, the thieves'll be trying that password to get into your mail, and once they're in, they'll lock you out and steal your identity. A whole different nightmare, but quite common these days.
  5. You need another email account you can trust to receive resets on your main email. I have a good relationship with my employers so I'm using my work account. You might pick someone you can trust (but who doesn't have an engrossing interest in you -- that could go seriously wrong) and set up a mutual arrangement. Or Hotmail accounts seem pretty permanent these days.
  6. And finally, you need to CHECK the password recovery options every once in a while. This happened to me once before and the route back in was easy -- but it doesn't work any more. And when you have checked, you need to test.


Latex as a Security Tool

I hope I don't disappoint you here.

After a couple of dirty (ooer) jobs over the weekend I felt moved to write about the benefit I've been getting from my big box of disposable gloves.

Five pounds gets a hundred latex gloves -- male sizes -- at Screwfix and at 5p each you can use them for almost anything (and as they really don't keep for long you do need to use them up.) Just over the last few days, I've protected my hands against grease, drain overflows and -- ahem -- biologically active matter. Barrier creams can work and are more comfortable, but the gloves give you a better grip for tools, you can wear gauntlets over them and they come off when you're finished.

And, Security? Well yes. A couple of years ago I spent a week in hospital with an infected finger joint that wasn't playing nicely with the antibiotics. It was pretty scary -- an unmanaged replicator would be a very 21st century way to die, and I never found out where it came from. The best guess was some tiny wound on the finger went septic and my hands do get a lot of abuse. Since then, out of fear, I've been trying to keep them clean and intact as far as possible. All hail cheap latex gloves.

Was that a disappointment? Well I'm sorry, and I will go so far as to say you look pretty good in your black PVC LBD. But get yourself some gloves as well, for safety's sake.


Barefoot Security Anti Malware

I do get asked for security advice, but not that often these days. Often, much more often, I want to tell people, to SAVE them. Yes.
So this is a worked-up version of an email I send out. It's how to keep control of your computer, your data and your passwords by preventing malware on your PC. I'm aiming at the ordinary PC/Windows user with occasional notes about Apple and Linux. It's in rough priority order, and it's mostly advice I follow myself (though it's not all of the paranoid steps I take.)
If you think I should have put AV software top of the list, you should remember that I am a security Expert. Yes, and I have business cards which say just that.

Keep your Thinking Cap Securely ON
Why on earth would you click on THAT?
If the answer is "because THOSE sites are the ones I chiefly love looking at" then you need to pay close attention to the rest of this list.
And if you say "because I'm human and I'm not 100% focussed 100% of the time" then you should read on too.

Back up your Files
Anything you care about should be on media which you don't leave plugged in. There are some nasty malware infections which are simplest to eradicate with a format and restore, so backups are essential. (And there's always fire, flood, technical failure and stupidity, if malware doesn't worry you!)
It's a big topic. You need to think about having a regular system that will show you if copies get lost or aren't taken, about testing your backups, satisfying any data protection obligations, encryption if you worry about people reading it, and keeping media out of the range of that fire/flood/whatever.
It's a shame that it's a top priority as it's none too easy. If you're in doubt about how to do this, I suggest you sign up with one of the UK online backup services, test their software, check their prices and get value out of their support line!
Don't do PC Work as an Administrator
This is really just for Windows users as Mac and Linux set it up correctly anyway. Windows 7 and Vista are better, but you should still arrange to work as a non-admin.
In XP, go into the control panel and set up a new admin account. Then make your regular account into a limited user. Use the limited account for all browsing, email, word processing etc. Only use the admin account to install software, add new hardware, and set up users.
This simple trick stops a proportion of Windows malware, when malware programmers are lazy and assume you haven't taken this precaution -- as most people haven't. Even though attackers are wising up now, and plenty of password stealers and others will now install without admin, it's still an important precaution because it stops rootkits, and ensures that installed malware is easier to clean off.
The problem is that other programmers, especially games programmers, are just as lazy as malware authors so their stuff won't work. Software which insists on admin privileges to run (rather than to install) should be rejected as unfit. If you're stuck with it, investigate "run as".
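As an added illustration (not part of the original post), here is the same change made from a command prompt rather than the XP Control Panel, using the net commands that exist on XP and every later Windows. The account names are assumptions; the commands must be run from an account that is still an administrator, and the new account should get a password you use nowhere else.

```powershell
# Added example, not from the original post. Assumed account names below.
$NewAdmin  = 'LocalAdmin'   # the admin-only account you will use just for installs
$DailyUser = 'alice'        # the account you actually live in all day

# 1. Create the admin-only account. The '*' makes net prompt for the password
#    rather than leaving it in the console history.
net user $NewAdmin * /add
net localgroup Administrators $NewAdmin /add

# 2. Demote the everyday account: take it out of Administrators and make sure
#    it is a plain member of Users (XP's Control Panel calls this "limited").
#    If it is already in Users the second command just reports that; harmless.
net localgroup Administrators $DailyUser /delete
net localgroup Users $DailyUser /add

# 3. Check before you log off: the everyday account must be gone from this
#    list and the new one must be on it, or you will lock yourself out of admin.
net localgroup Administrators

# Day to day, software that genuinely needs admin rights to *install* can be
# started from the limited account with the other credentials ("run as"):
#   runas /user:LocalAdmin "msiexec /i C:\path\to\installer.msi"
```

Do the check in step 3 while still logged on as an administrator: if the demotion has gone wrong and the new account was never added, that session is the only way back.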
Apply Security Fixes
Ensure that all security updates apply automatically. Malware uses unpatched vulnerabilities to install. Vulnerabilities are sometimes being exploited even before they are fixed, so ignore people who say you should wait a few days -- it's too complicated, and the risk of you forgetting or being exploited in those few days is much greater than that of a bad patch.
In Windows take a moment to turn the software firewall on, as that setting is nearby.

Keep your Auxiliary Programs Up To Date
Make sure that all of the extra stuff you need for the full experience (Adobe Reader, Flash, Shockwave, Quicktime, Java) is up to date. Secunia Inspector is a good way to check.
Most modern attacks arrive through these products. If you use Office, Photoshop or whatever make sure you get updates for that too.
Use a Less Common Browser
On Windows, don't use Internet Explorer (except for updates where it makes you do it.) On Mac, don't use Safari. Malware authors naturally target the common browsers.
On Windows, install and use Google Chrome browser because it can update itself as a non-admin (unlike Firefox). If you must browse as an admin, install Firefox and learn to use it with NoScript.
Also in Windows, take the time to keep IE up to date. Even if you think you're not using it, you don't want old versions on your PC.

Use AV Software
On Windows, Microsoft Security Essentials is good enough -- free, unobtrusive and good quality -- if you avoid admin browsing and email. Check that it is updating automatically.
I confess I don't run AV myself, but it seems like a necessity for people who like to test animated cursors or other oddments.

Disable the Big Adobe Reader Mistakes
Adobe stuff needs special attention. There's just so much malware targeting it, and it's not easy to keep up with the updates. PDF used to be a handy document format, now it's a malware magnet. Reader X (10) is an improvement, but it's still a bore. You have to switch off the idiot features that Adobe added.
Start the Adobe Reader and pull down Edit/Preferences…
  • Select Trust Manager in the list and clear the checkbox marked "Allow opening of non-PDF file attachments with external applications"
  • Select JavaScript and clear the checkbox marked "Enable Acrobat JavaScript"
You need to repeat for every user account that uses Reader. There are equivalent settings in Acrobat if you use that -- you'll need to find them yourself.
So will these make you secure? Well, no; nothing will. But they will stop you from being a soft target. If you have secrets to keep, there's a whole other journey about understanding the settings on your accounts, encrypting data and the rest. But that is another post.


Organisational Truth Lies in the Email Distribution Lists

Now this is a really good idea.

"All data access should be approved by the data owner"
That sounds so reasonable, it's easy for the auditor to say. But it's absolute murder in practice:

Most access is routine, and based on who you work for. Requiring an approval for this sort of access diverts effort and attention and provides no real control because if the facts are right, the access is approved unthinkingly.

I've been messing around with the idea that the official org chart from HR is a suitable proxy for this sort of approval. Essentially, I'm claiming that if the line is on the chart then the manager can't -- won't even be asked to -- decline access to his own team's area. And the same would go for project managers: if you're on the team, you're in the folder.

Now that's an OK sort of plan except for one detail: the org chart is wrong most or all of the time. Lots of temps are missing and there are important lines that never get on to paper. To be fair, the people who manage it never intended it to be a moment-to-moment authority, but that, unfortunately, is what I want.

I could actually live with that looseness -- "good enough" is a lot better than most people's practice, and I think it would do. But we can go a little better, thanks to Kate.

This afternoon I was tidying some permissions, and I ran into trouble because the team group was wrong. And Kate, bless her white pate, told me to populate the group from the team mail list.

I can do something with this!

Because one thing that managers and their PAs care about is that the team or project distribution list is OK. It'll be updated when the structure changes, and everyone will be on it. If you work for two bosses you'll be on both lists. And, crucially, with Exchange, distribution lists can feature in access control -- you just have to turn on "security-enabled."

Do you see where I'm going? The distribution list structure, with its nesting, is a true org chart, kept up to date by people who care and understand what it means. And that means that it can be used for all your "because he works for me" approvals, without dealing with the constant stream of "oh that changed" errors.
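One way to put this into practice, as an added example that is not from the original post: keep the folder's ACL pointing at one security group, and refresh that group's membership from the team distribution list, nested lists included. It assumes the Active Directory PowerShell module (Exchange keeps distribution lists as AD groups, so they can be read the same way), and the group names and share path are assumptions.

```powershell
# Added example, not from the original post. Group names and path are assumed.
Import-Module ActiveDirectory

$TeamDL      = 'Team-Widgets'        # the distribution list the PA keeps right
$AccessGroup = 'ACL-Widgets-Folder'  # the security group the folder's ACL grants
$SharePath   = 'D:\Shares\Widgets'

# Alternative to all of the below: flip the list itself to security-enabled so it
# can be placed straight into the ACL (the "security-enabled" switch mentioned above):
#   Set-ADGroup -Identity $TeamDL -GroupCategory Security
# Mirroring into a separate group, as done here, keeps the mail list and the ACL
# distinct, which some mail admins prefer.

# -Recursive flattens nested lists down to the people on them; computers and
# contacts are dropped so only user accounts reach the ACL group.
$wanted  = @(Get-ADGroupMember -Identity $TeamDL -Recursive |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName)
$current = @(Get-ADGroupMember -Identity $AccessGroup |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName)

# An empty list almost certainly means a typo or a deleted DL, not an empty team.
# Stopping here avoids silently removing everyone's access.
if ($wanted.Count -eq 0) { throw "Distribution list '$TeamDL' has no user members; refusing to sync." }

# Everyone on the list gets in; anyone who has dropped off the list comes out.
# The removals are the part a hand-maintained group always forgets.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $AccessGroup -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $AccessGroup -Members $toRemove -Confirm:$false }

# Grant the group Modify on the folder once; later membership changes need no ACL edits.
icacls $SharePath /grant "${AccessGroup}:(OI)(CI)M"

Write-Output "Added:   $($toAdd -join ', ')"
Write-Output "Removed: $($toRemove -join ', ')"
```

Run it on a schedule and the "oh, that changed" errors disappear with it: the only thing anyone maintains by hand is the mail list, which they were going to keep right anyway. The refusal on an empty list is deliberate; a sync that can empty a group on a typo is worse than no sync.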



It's OK -- It's Just Normal

Stupid article in Friday's Kent Messenger about a rapist on the transplant list. The editorial comment asked the question "Would you donate your heart to a Rapist?"

Well, the obvious answer is "No: I'm still using it," but it's still worth a look because it makes a rather wonderful example of the way normals think.

As far as I can tell, it's not a joke. We're not intended to say "No, and he shouldn't get blood transfusions either" or "No, and donor registration should allow you to opt out of patients with unpaid parking tickets as well." Or, and I particularly like this one, "No, and convicts should be denied medical attention generally."

Someone wrote this, someone subbed it and the editor put it on the front page of the Maidstone edition. None of them gave it the ten seconds thought required to see that there's no principle here, that even if the transplant immunologists didn't already have enough to worry about, there's no line, no criterion offered which will serve to guide donors or doctors.

There is a real story -- that some judges are much too prone to make stupid remarks -- and I'm hoping that it wasn't just cynicism that got it covered this way. I can't really object to journos who fail to take an idea to its limits to see where it goes. It is, after all, just normal. 


Ballistic Brown

This story feels like it's being pushed by someone hostile. But I see it as -- and trust it about as far as -- any other dodgy authentication issue. It's only OK for a bullying hotline to trust your word about your identity if all they'll do is give advice.

Because otherwise it allows callers to build a slanderous paper trail.

The only reason I don't believe this actually is a long-planned operation to discredit the PM is that no-one could possibly have imagined that the woman would be daft enough to go public.


Safety First

I don't believe the LHC will bring the universe to an end when they switch on the second beam and start getting relativistic collisions. The energies are simply too low.
But just for safety's sake, I'm testing the scheduled posting feature in Blogger. I had this story booked to go for Christmas morning 2008 when I figured they'll be running both beams by the end of December.
But they broke it and broke it again. The latest news I have (18/10/2009) is it'll be running early in the new year, so Valentine's Day is a safe bet.


It's a Dirty Job

Diane gets sex spam and she doesn't like it. She's sent up an offensive example.

Now I don't know why the filth heads toward her mailbox, but a quick look at her quarantine shows that there's plenty of raw ... offers ... being blocked. A closer look at the one that got through reveals the reason. There's not a single dirty or ambiguous word, it's barely even English:

If you are disappointed in its second half, bold, come in. I can do for you is - what can not no girl! enter here (a link).

Where's the harm in that? Well, it's obvious. Obvious to me and obvious to Diane too. But utterly undetectable to the machine that's trying to keep solicitations out of her mailbox.

So I have to go down and tell the lady that her basic problem is her dirty, dirty mind.



Over the last few weekends -- say 20 hours work total -- I've laid over the first hedge I planted here -- about 50 yards of "native mix" with the hazel taken out and used elsewhere. It's gone well. I'll never be fast at that job -- I enjoy the looking much too well -- but it's a real eye opener to see how much easier it all goes when you don't have to spend time de-wiring. And it's interesting to see what other planting-time lessons there are to learn.

  • Rabbit guards are a must. The plants mostly survived, but I reckon they're a year or so back, and the ground-level damage makes them harder to split and bend over.
  • Ignore the supplier's sincere advice to plant these bare-rooted slips in a trench of tilled soil. Even six years on, the roots move when you strain the plants around the spiles. Slide them into the clay down the back of a spade and they'll be forced to set firm roots in the clay.
  • Another piece of gardening advice to avoid is to take the top of the slip off so that they bush out. A bush is useless -- you have to strip it all off when you lay. What you want is tall, spindly whips, so just leave them be.
  • Never plant blackthorn. Duh.
  • Don't plant briars with the rest of the hedge. Until it's laid over they just get in the way.
  • So the mix, if you don't fancy just hawthorn, would be five hawthorn, one spindle, one hazel and one fruiting tree depending on your taste -- mine would be beech. Then come back when you've laid it and put a dog briar in each of the gaps.