Summer Reading

I am taking these on vacation:

  • Grant Comes East (book)
    by Newt Gingrich, William Forstchen.
    Volume 2 of an alternate history of the U.S. Civil War.
    I found Volume 1 (Gettysburg) engaging, even though I am not a Civil War buff.

  • Telluride Sessions (Audio CD)
    by Bela Fleck (banjo), Sam Bush (mandolin), Jerry Douglas (dobro), Mark O’Connor (violin), and Edgar Meyer (bass). My favorite virtuosi.

Here’s a 10% discount at Amazon if bought by August 3, 2004.

What NIST thinks of ISO 17799

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management Frequently Asked Questions (November 2002):

ISO/IEC 17799:2000 is a management standard, and deals with an examination of the non-technical issues relating to installed IT systems. These issues have to do with such matters as personnel, procedural, and physical security, and security management in general.

The Common Criteria standard is a technical standard. It is intended to support the specification and technical evaluation of IT security features in products. Normally, the products are evaluated as part of the development/production cycle. The Common Criteria standard also has a major usage as a structure, syntax and catalog of information technology specifications that can be used to describe user technical requirements for security in products.

The current US position is strongly in favor of the major revision of the [17799] document, which is currently underway. While there was no official US government position expressed, US TAG members from both the Commerce Department (via NIST) and Department of Defense (via the Defense Information Systems Agency) supported the US position.

DTrace, DProbes, LTT comparison

Daniel Berrangé: A Comparison of features for the current generation of operating system trace tools (Solaris 10 and patched Linux)

[via Bryan Cantrill]

Summa Contra Program Rot

Dan Bricklin’s essay Software That Lasts 200 Years is provocative.

We need to start thinking about software in a way more like how we think about building bridges, dams, and sewers. What we build must last for generations without total rebuilding. This requires new thinking and new ways of organizing development. This is especially important for governments of all sizes as well as for established, ongoing businesses and institutions.

I don’t quite agree with the analogies, but I am provoked.
Rather than thinking of ways to make software stable and useful for the long haul, I think that the better perspective is that data is long-term, so data design, data formats, interoperability are the important issues. It does not matter whether I can run ancient programs, it matters that the valuable data can reliably be exported, imported, or directly accessed via ever-better tools. One way to ensure stability of infrastructure is to freeze the tools forever; the other is to be prepared to use a different tool every day.
The fact that I can move my weblog back-end from Radio to Movable Type to something else makes the data itself more stable and valuable, not less.

Rogue/suspect anti-spyware products and web sites

Rogue/Suspect Anti-Spyware Products & Web Sites
[via Diary Date]
See also some dissent about the specifics.

The problem is the bad platform.
The symptom is the misery that so many users are living with.
The cottage industry for solutions is better than nothing, but it’s still a mess.

Understanding Data Lifetime via Whole System Simulation

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, Mendel Rosenblum:
Understanding Data Lifetime via Whole System Simulation:

We have used TaintBochs to analyze sensitive data handling in several
large, real world applications. Among these were Mozilla, Apache,
and Perl, which are used to process millions of passwords, credit card
numbers, etc. on a daily basis. Our investigation reveals that these
applications and the components they rely upon take virtually no measures
to limit the lifetime of sensitive data they handle, leaving passwords
and other sensitive data scattered throughout user and kernel memory. We
show how a few simple and practical changes can greatly reduce sensitive
data lifetime in these applications.

[via Justin Mason]
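The abstract above says that "a few simple and practical changes" shrink the lifetime of sensitive data but does not spell them out here. The one every practitioner reaches for first is scrubbing a buffer as soon as the secret in it has been used. The following is an added example, not code from the paper or from TaintBochs: it uses a constructed scratch buffer, a constructed password, and a toy checksum standing in for "using" the credential, and shows why the zeroing must go through a volatile pointer (a plain memset() right before return is a dead store the optimizer may drop).

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Scratch area standing in for any buffer that touches a secret.
 * Constructed for this example; the paper instruments real process memory. */
typedef struct { unsigned char bytes[64]; } scratch_t;

/* Zero memory through a volatile pointer so the compiler cannot treat the
 * stores as dead and remove them. Platform calls such as explicit_bzero()
 * or memset_s() do the same where available. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Toy checksum standing in for real use of the credential (hashing, comparing). */
static unsigned long toy_checksum(const unsigned char *data, size_t n)
{
    unsigned long h = 5381;
    for (size_t i = 0; i < n; i++) {
        h = h * 33 + data[i];
    }
    return h;
}

/* Copies the password into scratch, uses it, and returns without scrubbing:
 * the plaintext outlives the operation that needed it. */
unsigned long use_credential_leaky(scratch_t *s, const char *pw)
{
    size_t n = strlen(pw);
    if (n > sizeof s->bytes) n = sizeof s->bytes;
    memcpy(s->bytes, pw, n);
    return toy_checksum(s->bytes, n);
}

/* Same operation, but scrubs the whole scratch area before returning. */
unsigned long use_credential_scrubbed(scratch_t *s, const char *pw)
{
    unsigned long h = use_credential_leaky(s, pw);
    secure_zero(s->bytes, sizeof s->bytes);
    return h;
}

/* How many leading bytes of the password are still readable in scratch. */
size_t lingering_bytes(const scratch_t *s, const char *pw)
{
    size_t n = strlen(pw), i;
    if (n > sizeof s->bytes) n = sizeof s->bytes;
    for (i = 0; i < n && s->bytes[i] == (unsigned char)pw[i]; i++) { }
    return i;
}

/* Constructed demonstration input (not a real credential). */
#define DEMO_PASSWORD "hunter2-correct-horse"

size_t demo_lingering_without_scrub(void)
{
    scratch_t s = {{0}};
    use_credential_leaky(&s, DEMO_PASSWORD);
    return lingering_bytes(&s, DEMO_PASSWORD);   /* all 21 bytes remain */
}

size_t demo_lingering_with_scrub(void)
{
    scratch_t s = {{0}};
    use_credential_scrubbed(&s, DEMO_PASSWORD);
    return lingering_bytes(&s, DEMO_PASSWORD);   /* 0: nothing left to read */
}

int demo_checksums_agree(void)
{
    scratch_t a = {{0}}, b = {{0}};
    return use_credential_leaky(&a, DEMO_PASSWORD) ==
           use_credential_scrubbed(&b, DEMO_PASSWORD);
}

int main(void)
{
    printf("lingering bytes without scrub: %zu\n", demo_lingering_without_scrub());
    printf("lingering bytes with scrub:    %zu\n", demo_lingering_with_scrub());
    printf("results identical:             %d\n", demo_checksums_agree());
    return 0;
}
```

Scrubbing the application's own buffer is necessary but, as the paper's whole-system view shows, not sufficient: copies can remain in kernel socket buffers, in libc I/O buffers, in the terminal driver, and in registers or stack slots the compiler spilled to, none of which this function can reach.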

GMail implements “plus addresses”

I had the opportunity to join GMail [beta]. My first piece of feedback to them was a request for user-defined recipient sub-addresses (e.g., the sendmail “username+anything@domain” convention). Having that available for recipient filtering is more reliable than trying to parse numerous styles of correspondence (some list software inserts List-ID, some doesn’t, etc.).

It turns out that GMail already implements the sendmail ‘+’ convention.
It works, but as far as I can tell, it’s not documented anywhere — or at least I didn’t think of the right search terms for it.

I hope that this creates new incentives for web sites and other email address processing software to
stop violating RFC 2822 by excessively restricting the character set of email addresses.
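To make the two points above concrete (the "+tag" lives in the local part and is the filter key; RFC 2822 allows far more in a local part than most web forms accept), here is an added example, not code from GMail or from sendmail. It splits a plus address into mailbox, tag and domain, checks an address against the RFC 2822 dot-atom form, and places the over-restrictive rule typical of web forms beside it. Assumptions: unquoted (dot-atom) local parts only, and the constructed sample addresses in the comments.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PART 128

typedef struct {
    char mailbox[MAX_PART];  /* local part with any "+tag" removed */
    char tag[MAX_PART];      /* text after the first '+' in the local part, or "" */
    char domain[MAX_PART];   /* text after the '@' */
} plus_addr_t;

static int copy_part(char *dst, const char *src, size_t n)
{
    if (n >= MAX_PART) return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Split "user+tag@example.org". Returns 1 on success, 0 if there is no '@',
 * the mailbox is empty, or a part is too long. The '+' is searched only
 * inside the local part, and a second '+' stays part of the tag. */
int split_plus_address(const char *addr, plus_addr_t *out)
{
    const char *at = strrchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0') return 0;
    size_t local_len = (size_t)(at - addr);
    const char *plus = memchr(addr, '+', local_len);
    size_t box_len = plus ? (size_t)(plus - addr) : local_len;
    if (box_len == 0) return 0;
    if (!copy_part(out->mailbox, addr, box_len)) return 0;
    if (plus) {
        if (!copy_part(out->tag, plus + 1, (size_t)(at - plus - 1))) return 0;
    } else {
        out->tag[0] = '\0';
    }
    return copy_part(out->domain, at + 1, strlen(at + 1));
}

/* Convenience for quick checks: the tag of addr (static storage), or NULL. */
const char *tag_of(const char *addr)
{
    static plus_addr_t a;
    return split_plus_address(addr, &a) ? a.tag : NULL;
}

/* RFC 2822 atext: ALPHA / DIGIT / !#$%&'*+-/=?^_`{|}~ */
static int is_atext(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-/=?^_`{|}~", c) != NULL);
}

/* dot-atom: atext runs separated by single dots, no leading or trailing dot. */
static int dot_atom_ok(const char *s, size_t n)
{
    if (n == 0 || s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '.') {
            if (s[i + 1] == '.') return 0;
        } else if (!is_atext((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Syntactic check of the common unquoted form: dot-atom "@" dot-atom.
 * Accepts "alice+news@example.org"; rejects "alice..x@example.org". */
int address_is_dot_atom_form(const char *addr)
{
    const char *at = strrchr(addr, '@');
    if (at == NULL) return 0;
    return dot_atom_ok(addr, (size_t)(at - addr)) && dot_atom_ok(at + 1, strlen(at + 1));
}

/* The over-restrictive rule many web forms apply to the local part
 * (letters, digits, '.', '_', '-'). Constructed for contrast: it rejects
 * every plus address even though '+' is plain atext. */
int naive_address_ok(const char *addr)
{
    const char *at = strchr(addr, '@');
    if (at == NULL) return 0;
    for (const char *p = addr; p < at; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '.' || *p == '_' || *p == '-')) return 0;
    }
    return at[1] != '\0';
}

int main(void)
{
    plus_addr_t a;
    const char *sample = "alice+news@example.org";   /* constructed */
    if (split_plus_address(sample, &a))
        printf("mailbox=%s tag=%s domain=%s\n", a.mailbox, a.tag, a.domain);
    printf("rfc2822 dot-atom: %d, naive web form: %d\n",
           address_is_dot_atom_form(sample), naive_address_ok(sample));
    return 0;
}
```

A filter keyed on the tag field is what makes sub-addressing reliable: the recipient decides the tag when handing out the address, so no guessing about List-ID or other headers is needed. The naive validator is the reason that tag never reaches the mailbox on many sites.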

P.S. If anyone else wants to try GMail [beta] also,
let me know;
I now have a ration of invitations too.

Bad boilerplate

Jack Shafer in the Slate article
E-mail Confidential – Who’s afraid of Time Inc.’s legal disclaimer? has his attorney dissect an email disclaimer in detail.

This boilerplate proliferates because professionals
in the legal, auditing, and security consulting industries
feel compelled to recommend its use.
Unfortunately, the ratcheting ever-more-onerous language that
gets accreted by these things for cover-your-butt reasons results in most of them being statements that are intellectually ridiculous, legally dubious, and rude.

At this point, consulting professionals should be embarrassed to recommend this stuff.

[via Jeff Nolan via Techdirt]

Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals
were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of
VX2Finder.
Removal required VX2Finder, regedit/regedt32 (significant key has name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to
a John Battelle article):

Looking at the top downloads at download.com is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

From Bauhaus to My Mouse

Keith Pleas: “Brutal” Architecture is an instant classic, about the newly-constructed Seattle Public Library, plus understated and apt commentary on software architecture.

[via Jon Udell]