If you tell enough stories, perhaps the moral will show up.

2008-10-28

MS08-067

I think this is the second or third time MS have published an out of cycle patch, and it may be the first proper Windows (as opposed to IE or Office) vulnerability to get this treatment.

It probably deserves it. When I read the notice, my heart sank. I remember staying up thirty-six hours in August 2003 dealing with Nachi/Welchia running through our systems because we didn't succeed in patching MS03-026. It didn't help that I was pissed as a fart for the first six hours or so -- having been hauled out of the pub at 10PM by an aggrieved network engineer watching our traffic heading through the roof -- and my boss had to hide me in the machine room trying to figure out what was going on, while she explained to her boss that she'd sent me home. What did help was that it used ping to explore the network, and it dropped nice clear signature files. That night I experienced the sheer beauty of Cisco VACLs (layer-2 filters) when I found we could use them to suppress ICMP, and that left the worm blind enough for us to clean up by hand, though I didn't dare turn it back on for a week, and we left the filter on the link to Group for years....

That vulnerability was in DCOM -- pretty important, but possibly fixable by switching off the service in the registry. This one is SMB, and there's no switching that off. You may as well shut down. Oh, and modern malware wouldn't make the same mistakes as Nachi, or be so gentle to its hosts. So I was pretty uncompromising all Friday, and reading the increasingly nervy statements from MS, I really don't think I was too rough. We're inserting this patch as a special into the October/September patch cycle that was just starting its route to live on the Friday. We'll have to re-do all the test servers. I hope that's enough.

Real Financial Insecurity

Prostitute's postcard seen today in a phone box in King William Street:

  • A very conventional picture of a youngish woman in partial undress, and
  • A site: "London Bridge" -- in reality that would be far out in the Borough, but never mind...
All ordinary. But what struck me was the caption. It wasn't "Maid for Pleasure." It wasn't "New 19 YO Swedish." It wasn't even that perennial City favourite: "Fully Equipped Dungeon."

No. The caption was: "Kisses and Cuddles." If that isn't the clearest sign of financial calamity, I don't know what would be.

God bless her, though. It's wonderful to imagine that there's a living in snogging.

2008-10-20

Consequences of Solving a Non-problem

http://wvgazette.com/News/200810180251
Whatever was so wrong with marking X's in the boxes with a 3B pencil?
Or is the real problem that people are voting wrong?

2008-10-07

The Current Status of the Pound

I'm writing this on 28/10 but I'm back-posting to the day it happened, right in the middle of the (first?) UK banking turmoil.
I had occasion to use the toilet in the headquarters of a big four bank. As I reached for the paper I noticed a little blemish on the white(ish) sheet. Being unsqueamish about this sort of thing, I gave it a little scratch and a shred of coloured paper came away on my finger nail. I pushed back my specs for a closer look and found a tiny fragment of a £10 Bank of England note -- barely a millimetre across, but the engraving and colour so fine as to be unmistakeable. That bank had been wiping their collective arses on thousands of pounds in fine rag paper -- and they never knew.
I do wonder whether it's co-incidence, or whether support from the BoE comes with an unpublished obligation to help them get rid of their pulp....

2008-10-06

Boot (If You Can) and Nuke.

Endless problems trying to get DBAN to boot reliably off a USB stick for Desktop to erase a bunch of machines with.

The Windows installer never quite managed to make the stick bootable and there isn't an installer for Linux. Eventually I booted into linux and just dd'd the floppy disk image over the raw device (/dev/sdb rather than /dev/sdb1 -- though I'd previously made sdb1 bootable) -- there are no partitions on a floppy, and that seems to boot, but not very happily.

I'd have made a real floppy, but I can't believe that many of those machines would actually manage to read a whole FD without error. What they don't have is CD readers, and I don't know the general process to make an ISO bootable on a USB stick.

2008-09-30

Spam Counter - 2008 September: 1355

Among the penis pills and the phishing we see hints of cheap clothes and dodgy diplomas. Are the times hardening? If so, Spam Will Adapt & Survive!

2008-09-27

Free Health Food

One good reason to get home in daylight is that you can browse the hedges. It has been an amazing year for blackberries with whole sprays ripening at the same time. Even the fruit of the hawthorn are edible, though no tastier than they ever were.
Mrs U made hedgerow jam which allowed me to claim that I had spent the afternoon hawing in the hedges. Which is a very fine image.

2008-09-19

The Truths of Astrology

I am sometimes praised, mostly by me, sometimes by him or her, but very rarely by Them. So, this afternoon when I was very deliciously, loudly and fulsomely praised by the lovely ladies on the admin desk, swiftly joined by the very gorgeous customer service head, apparently with no motive other than to publicise my wonderful personal qualities, I was a bit perplexed. In fact I couldn't restrain myself from wondering what their collective game was. (And I still don't know)

I got a glimpse through the mists, though, on the way home. My horoscope in the thelondonpaper which they won't have seen, is absolutely explicit. It looks like a good weekend -- at least as a test of newspaper horoscopy.

How? Well, it couldn't be more obviously about me, and I have got -- as it happens -- a fine project to throw myself into and a number of things that need to come together. There's even a defined timescale.

We shall see.

UPDATED: 22:34 Saturday -- I assembled a chicken coop with plenty of flair, and energetically picked fruit in the hedgerows, but nothing yet.

UPDATED 21:53 Monday -- Overall the weekend has passed off like many others -- on Sunday I mowed the lawn, cut wood, picked apples... So it looks like a clear loss for astrology -- it got the right guy, but gave the wrong advice. And yet. At 3AM today, I woke with a clear sensation of being outside in a lightning flash with the roar still echoing in my ears. I was so terrified that I would not have been surprised to find myself blind with a Voice asking "umacf24, umacf24 why do you persecute me?" As it was, I shook with terror as I made my way to the toilet and then shook with terror in bed until I fell asleep. I don't think it was real lightning -- I'm too far from the window for it to have that effect. But as a way to bring things together in a rather intriguing way, it totally sucked. So I call this a draw.

2008-09-06

ActiveX is Satan's Execution Environment. From Hell.

I went live with a simple but rather marvellous little change -- all the groups which deliver bulk machine or account admin privilege have been dropped into the group that denies browsing on the proxies. That's a huge win -- a vital step forward now that so many legitimate sites have been perved up to push BadSrc exploits and the Dear knows what else. The admins have two accounts, and if they want to browse from their workstation, they have to make sure it's not a member of any of the privilege groups. We're not mandating how the support teams arrange accounts, we're not touching anyone's permissions -- we're just declining to accept the risk of admin browsing.

It's good. I trialled it on myself and -- for six months -- on the domain admins. I gave support six weeks notice and a pile of reminders. I engaged with anyone who asked for advice on the technicalities. (It mostly boils down to using runas and getting a second explorer instance.) I've written a page on the support wiki, and for those who can't handle my writing there's advice from Aaron Margosis. It seems there are no tasks that require admin privilege browsing. Everything should be good, and our vulnerability surface hugely reduced.

Except for ActiveX. One of the Desktop team's top-twenty calls is to install or update an ActiveX applet from an external web site. And there's no way round it -- you do need to browse and you do need to be an admin, because what you're doing is exactly what malware does -- it's just that you happen to trust the site.

There's no need for this. I don't see ActiveX giving any better user experience than JavaScript -- it's just bad design. But it has to work.

I'm not going back. But:

  • It's pretty plain that this can't be handled with Windows permissions. ActiveX is too broken. And anyway the philosophy of this change has been to leave Windows access alone. 
  • So we have to look at the other side. When we do this at the moment, why is it OK? It's because the admin, reassured by the user, trusts the site to be safe, and required for business.
Naturally the block imposed by the no-browsing group is right at the top of the proxy policy. So I'm going to go in with a rule immediately in front of the block. If the user is a desktop admin, and the site is in a static list of "Approved for ActiveX" then the browsing is allowed, and the blocking group won't get a chance to take effect. There's an extra step to get new sites into the list but I don't think that will be too much inconvenience, and like the rest of this change, it's the sort of control we should have had a long time ago.
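The rule ordering described above, modelled as a first-match proxy policy. This is an added example and not the proxy's real configuration: the group names, the site list and the rule format are assumptions. It shows why the ActiveX exception has to sit in front of the no-browsing block, and that it fires only for desktop admins reaching an approved site; every other privileged account still hits the block.

```python
"""First-match proxy policy: admin-browsing block with an ActiveX allow-list
exception placed immediately in front of it.  Added example; group names,
sites and rule shape are assumptions, not a real proxy's syntax."""

from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]     # effective AD group membership of the browsing account
    host: str                  # destination host


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str                # "allow" or "deny"


# Assumed names: every group that hands out bulk admin privilege is nested
# into the single group that the proxy denies browsing to.
PRIVILEGE_GROUPS = {"Domain Admins", "Desktop Admins", "Server Admins"}
NO_BROWSING_GROUP = "Proxy-NoBrowsing"
DESKTOP_ADMIN_GROUP = "Desktop Admins"

# Static, owner-approved list of sites reachable only to install or update
# an ActiveX control.  Constructed sample entries.
APPROVED_FOR_ACTIVEX = {"updates.example-vendor.com", "plugin.example-bank.co.uk"}


def effective_groups(direct: Set[str]) -> FrozenSet[str]:
    """Expand nested membership: any privilege group implies the no-browsing group."""
    groups = set(direct)
    if groups & PRIVILEGE_GROUPS:
        groups.add(NO_BROWSING_GROUP)
    return frozenset(groups)


def activex_exception(r: Request) -> bool:
    return DESKTOP_ADMIN_GROUP in r.groups and r.host in APPROVED_FOR_ACTIVEX


def no_browsing_block(r: Request) -> bool:
    return NO_BROWSING_GROUP in r.groups


def default_allow(r: Request) -> bool:
    return True


# Order is the whole point: the exception sits immediately before the block.
POLICY: List[Rule] = [
    Rule("activex-exception", activex_exception, "allow"),
    Rule("admin-no-browsing", no_browsing_block, "deny"),
    Rule("default", default_allow, "allow"),
]


def evaluate(policy: List[Rule], r: Request) -> Tuple[str, str]:
    """First matching rule wins; returns (action, name of the rule that decided)."""
    for rule in policy:
        if rule.matches(r):
            return rule.action, rule.name
    return "deny", "implicit"      # nothing matched: fail closed


def decide(policy: List[Rule], user: str, direct_groups: Set[str], host: str) -> Tuple[str, str]:
    return evaluate(policy, Request(user, effective_groups(direct_groups), host))


if __name__ == "__main__":
    cases = [
        ("alice-adm", {"Desktop Admins"}, "updates.example-vendor.com"),  # allow via exception
        ("alice-adm", {"Desktop Admins"}, "www.example.com"),             # blocked
        ("alice", set(), "www.example.com"),                              # ordinary user, allowed
        ("bob-adm", {"Domain Admins"}, "updates.example-vendor.com"),     # not a desktop admin, blocked
    ]
    for user, groups, host in cases:
        print(user, host, decide(POLICY, user, groups, host))
    # Swap the two rules and the exception can never fire.
    swapped = [POLICY[1], POLICY[0], POLICY[2]]
    print("swapped:", decide(swapped, "alice-adm", {"Desktop Admins"}, "updates.example-vendor.com"))
```

The swapped ordering at the end is the check worth keeping: if someone later "tidies" the policy and moves the block above the exception, desktop admins silently lose the approved sites and the calls start again.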

We have to settle who will approve sites into this list, but that's easy: I will.

Next step: probably to enable fast user switching on the desktops, to make life easier all round.

2008-09-05

Two Shiny Stories

So now we have the Google browser with a name that proves that the Septics do get irony. It's not chromy at all, but it does have two interesting stories:

  • It is possible to keep big secrets for a long time. I don't know how long it took to go from concept to (beta -- surprise) release, but it can't have been less than eighteen months and even though a Google browser is a juicy story, all the news services seem to have been taken by surprise. That's impressive. I'd like to know how they did it, and I wonder what other secrets they are keeping.
  • Now that Google is just as wicked as Microsoft there's lots of fuss about the browser's licence and potential to phone information to Google (i.e. under the pretence of checking if the site you are visiting is phishing). But the source is under BSD so it ought to be possible for a forked "clean" version to appear on sourceforge any time. We'll see whether open source can still function without corporate support....

2008-08-30

Spam Counter - 2008 August: 1,521

Penis pills and Paris Hilton (declared a national historic monument). Breaks a five month downward trend, alas.

2008-08-29

Please Provide a Credit Card Number to Enroll for this Free Offer.

One fascinating comment on this Register story:

Good ol' Tiscali
By Anonymous Coward
In the days of dial up I once signed up with Tiscali as they were offering a free month's trial and being a student I needed to save as much money as possible. As they wanted card details that they were saying that they were only going to start debiting after my free month and I didn't want to risk forgetting to cancel, I entered 4111 1111 1111 1111 as the card number, which is a commonly used test number that validates using the card checking algorithm. This worked and allowed me to sign up for my free month.
Surprisingly (or not) my internet access continued into month 2 .....
Reminds me of the days when Mrs U was driven mad by La Redoute accepting orders with credit card numbers that didn't even pass the checksum test. Surely it won't work anywhere any more....
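The "card checking algorithm" in that comment is the Luhn checksum, and the point both stories make is the same: Luhn catches typos, not made-up numbers. Below is an added example, not Tiscali's or La Redoute's code, showing that 4111 1111 1111 1111 passes Luhn and why a sign-up form has to do more than that. The list of test numbers is a constructed sample of the sort of publicly documented sandbox numbers a form should reject outright.

```python
"""Luhn checksum plus the minimum extra check a free-trial sign-up needs.
Added example; the test-number list is a constructed sample."""

from typing import Tuple


def normalise(number: str) -> str:
    """Keep digits only, so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return "".join(c for c in number if c.isdigit())


def luhn_checksum_ok(number: str) -> bool:
    """True if the digits satisfy the Luhn mod-10 check (ISO/IEC 7812)."""
    digits = [int(c) for c in normalise(number)]
    if not 12 <= len(digits) <= 19:          # PAN lengths outside this range are never valid
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 back to one digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed sample of widely published test numbers.  All of them pass Luhn;
# none of them is a real card, which is exactly why the commenter's trick worked.
KNOWN_TEST_NUMBERS = {
    "4111111111111111",
    "4242424242424242",
    "5555555555554444",
    "378282246310005",
}


def acceptable_for_signup(number: str) -> Tuple[bool, str]:
    """Local checks only.  Passing them means 'worth sending to the issuer',
    not 'this card exists' -- only an authorisation request proves that."""
    n = normalise(number)
    if not luhn_checksum_ok(n):
        return False, "fails Luhn (typo or made up)"
    if n in KNOWN_TEST_NUMBERS:
        return False, "known test number"
    return True, "passes local checks; still needs an authorisation from the issuer"


if __name__ == "__main__":
    for sample in ["4111 1111 1111 1111", "4111 1111 1111 1112", "4242 4242 4242 4243"]:
        print(sample, "->", acceptable_for_signup(sample))
```

The La Redoute case is the first branch (they weren't even running Luhn); the Tiscali case is the second (Luhn passed, nobody asked the issuer). A free-trial form that wants a card "for later" should at least do a zero-value or small authorisation up front, otherwise the card field is decoration.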

2008-08-25

China Stole the Productivity Revolution

It's hardly possible to avoid writing about China today. Even if it has little to do with security. So I'm going to write about three-packs of knickers for EUR 3, or mobile phones for EUR 10.

Everyone can see that the Chinese cities are getting rich. There are still plenty of people living squalid lives with little money, but the gloss is there and, more to the point, there are more and more hard-working middle-class people. Today, it's the cities and the coasts, but if they can hold on to the currency, the banks and the economy, it'll be the whole country soon enough.

Now the point about hard-working middle-class people is that they don't stitch supermarket knickers or assemble disposable mobile phones. They're too expensive. So we have to ask, once the opulence has worked its way into China, where our panties are going to come from then? (and theirs too, of course.) Bangladesh/Nepal/Burma just doesn't have the slack to take up the produce of three hundred million pairs of willing hands. India is on its own way already, and Africa is disorganised and thinly populated.

I see the answer to this question taking us back to, ooh, 1978 -- the Year of the Micro. Back then, the unions were huge, offshore manufacturing was inconceivable and the promise of cheap micro-processors was in the robot factories that would provide a life of leisure and customised goods for all.

Well, it didn't work out that way. No. Hey! it's thirty years later -- 2008 -- the future in anybody's language -- and

  • If I want a suit, I can't walk into a shop and be measured up by a machine which will cut it, make it and post it to me.
  • Mrs U had to buy a Toyota instead of a Nissan because the seats are too long for her thighs and there's no opportunity to get it changed.
  • Children's toys are hand-assembled -- and that's not snap-together either. There are dozens of screws -- easy to design, simple to tool, but needing a lot of work to assemble.
How crap is that? What went wrong?

Offshore manufacturing is the answer. There's no point in tooling up with fancy kit if the competition can have it made by hand for less. For a huge range of goods, manufacturing has gone backwards these last thirty years -- those screws in the toys weren't there when I was young. The products are cheaper, more varied, generally better assembled but totally uncustomised and insusceptible to automation.

So my guess is this. When the supply of cheap labour dries up, we're finally going to get the automatic factory revolution. Only, it'll be thirty years better. It'll be led by the Chinese, because they're the ones with the problem and it's going to suit their convenience not ours. But I feel that I'm within five years of getting my machine-measured suit. It's going to be more expensive than the one stitched in a Fujian sweatshop. But at least it'll fit.

2008-08-05

Time for Tubby Bye-Bye, Meestair Bond

Well, the NMAAJS Daughter has been on Club Penguin for a month or so, and she's been enrolled as a secret agent. You get a tool to move around the site more easily, a range of mission games, a secret tunnel from the sports shop to the surveillance HQ and some fine clothing options like a bow tie and a tuxedo. (Why on earth would a penguin -- the world's most sophisticated bird -- need a dinner jacket?)

But the real meat is in the handbook. You have to report mean penguins and the ones who use bad words, so some harried moderator in Tucson or wherever can review the log and decide on an appropriate action.

Little do they know that the NMAAJSD has essentially no chance of spotting bad language -- we were watching two potty-mouthed puffins F Uing and F U 2ing and she had no idea what it meant. And this is the child who, on her fifth birthday, addressed the author of her being in these terms: "Just fuck off, Daddy."

Still, you have to give them credit. They're at least trying to make it fun to be a snitch, and that puts them a little ahead of the Stasi.