Category: Rants

  • I hate being proven right – mass pwnage

    Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org, taken from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such as Core Security, through several security pros that I truly admire. I am not perfect, and honestly, I feel for these folks as it could happen to me, but weak passwords? OMG! Passwords seem to have cost one of them a great deal of money and time, irreversible data loss and now involve law enforcement (update – see comments, this log is from the 1990’s; I’m so duh that I missed that bit, but it still proves my point that passwords have sucked for a long time):

      [14:41] <@rkl> shit.
      [14:41] <@rkl> whoever broke into blackops.org
      [14:41] <@rkl> when we caught them
      [14:41] <@rkl> they began rm filesystems
      [14:41] <@rkl> and removed my only copy of some photos i had of me and my
              fiance'
      [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS
      [14:42] <@rkl> she's going to be sad about that
      [14:44] <@nobody> ur shitting me
      [14:44] <@nobody> who broke in?
      [14:44] <@rkl> we know.
      [14:44] <@rkl> luckily they were incompetent
      [14:44] <@rkl> however
      [14:44] <@nobody> bunch of savages in this town
      [14:44] <@rkl> because they tried to use blackops as a platform to launch
              attacks against a few corporations
      [14:44] <@rkl> now the FBI is involved
      [14:45] <@nobody> wonderful
      [14:45] <@rkl> me and murray couldnt' give a rat's ass
      [14:45] <@rkl> we back up blackops 1 time a month
      [14:45] <@rkl> to cd, now dvd
      [14:45] <@rkl> they got in through a weak user passwd
      [14:45] <@rkl> cause there were near 100 users
      [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds
      [14:45] <@nobody> typical
      [14:46] <@rkl> we've had to turn over everything to the FBI
      [14:46] <@nobody> a system is only as secure as its users

    In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes. That revolution starts today.

    Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use > 20 character passwords, STOP USING IT. There’s something very dumb, wrong and insecure with that service.

    I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.

    Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. p.s. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.
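    As an added example (not code from the original post), the generator below produces the kind of 20+ character random password recommended above from /dev/urandom and sizes up the search space an attacker would face; the function names, the 94-symbol alphabet and the 1e12 guesses/second rate are assumptions for illustration.

```c
/* Added example (not from the original post). Generates the long random
 * passwords the post recommends and sizes the search space an attacker
 * would face. Uses /dev/urandom with rejection sampling; rand() and
 * time-seeded generators are not suitable for this. */
#include <stdio.h>
#include <string.h>

/* All 94 printable ASCII characters except space. */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

#define MIN_LEN 20  /* the post's minimum length */

/* Number of candidate passwords of 'len' symbols over an alphabet of
 * 'alphabet' symbols, i.e. alphabet^len as a long double. */
long double keyspace(unsigned len, unsigned alphabet)
{
    long double n = 1.0L;
    while (len--)
        n *= alphabet;
    return n;
}

/* Expected years to find the password by brute force at 'guesses_per_sec',
 * assuming on average half the keyspace must be searched. */
long double years_to_crack(long double space, long double guesses_per_sec)
{
    return space / 2.0L / guesses_per_sec / (365.25L * 86400.0L);
}

/* Service policy from the post: a cap under 20 characters means the
 * service cannot hold a proper random password; do not use it. */
int service_acceptable(unsigned max_password_len)
{
    return max_password_len >= MIN_LEN;
}

/* Fills out[0..len) with uniformly random CHARSET symbols and
 * NUL-terminates. Rejection sampling avoids the modulo bias that
 * (byte % alphabet) would introduce. Returns 0 on success, -1 if
 * len < MIN_LEN, the buffer is too small or /dev/urandom is unavailable. */
int generate_password(char *out, size_t out_size, size_t len)
{
    const unsigned alphabet = sizeof(CHARSET) - 1;    /* 94 */
    const unsigned limit = 256 - (256 % alphabet);    /* 188 */
    if (len < MIN_LEN || out_size < len + 1)
        return -1;
    FILE *rnd = fopen("/dev/urandom", "rb");
    if (rnd == NULL)
        return -1;
    size_t i = 0;
    while (i < len) {
        int b = fgetc(rnd);
        if (b == EOF) {
            fclose(rnd);
            return -1;
        }
        if ((unsigned)b >= limit)
            continue;          /* reject so every symbol is equally likely */
        out[i++] = CHARSET[(unsigned)b % alphabet];
    }
    fclose(rnd);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[33];
    /* "abc123": 6 symbols from [a-z0-9]; the post's 28-character example
     * draws from the full 94-symbol printable set. Guess rate is assumed. */
    printf("abc123 at 1e12 guesses/s: %Lg years\n",
           years_to_crack(keyspace(6, 36), 1e12L));
    printf("28 printable chars: %Lg years\n",
           years_to_crack(keyspace(28, 94), 1e12L));
    if (generate_password(pw, sizeof pw, 32) == 0)
        printf("generated: %s\n", pw);
    return 0;
}
```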

    Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor that many sites who should (and most likely do) know better insist upon. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.

    CALL TO ACTION!

    If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.

    If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”

    Just Do it. Do It Now. I’m deadly serious.

  • Security trends for 2012

    1. Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
    2. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
    3. Folks will continue to use apps as administrator or god like privileges. They will then be surprised when they’re completely pwned.
    4. Folks will continue to click shit. They will then be surprised when they’re completely pwned.
    5. van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
    6. Folks, despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
    7. Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form of transport layer encryption. They will then be surprised when they’re completely pwned.
    8. Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
    9. Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
    10. Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.

    If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.

    Because I hate solution free hand waving posts like the above, here are some basic solutions:
    • Adopt strong authentication TODAY – passwords have NEVER been appropriate.
    • Patch your crap.
    • Implement low privilege users and service accounts.
    • Don’t click shit.
    • Learn about basic phishing and scams.
    • Fire folks who post on Twitter or Facebook all day. You know who they are.
    • Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
    • Only use products that use SSL. If you don’t know, assume it doesn’t and find something that does.
    • Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
    • Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
    • Protect data assets no matter where they are. The plumbing is unimportant.

  • Resurrecting the wife’s laptop – Asus hates you and you and you

    At Christmas last year, I bought a new laptop for the wife, an Asus K52DR with 4 GB of RAM and 500 GB hard drive. I quote from then:

    […Asus should…] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

    Although I stand behind every word I said above, I’m begrudgingly glad I spent the extra 2.5 hours creating those DVDs as I’m restoring her computer to factory default after she killed the previous HD by cooking it in the bedding. Obviously, not Asus’ fault, but what happens after replacing the HD is most certainly Asus’ fault. This Asus will be our last PC – my life is just too precious to donate to absurd and evil corporate practices.

    When I bought the Asus, it took me about three days to get the PC to a default-ish Windows installation, Office 2010, and iTunes with just enough drivers to run “advanced” technical devices like the display or the wireless network. Don’t get me started on the number of reboots or gigabytes of patches required. Copying Tanya’s data, migrating her PST and recovering her calendar was simple by comparison.

    I am dreading wasting yet another two to most likely three days of my personal life YET AGAIN to weed out all the circusware from the factory default build. Asus must start providing a fast circusware free method of complete restoration like Apple do. The time I’m going to spend over the next few nights, and probably the next weekend, is like a working week away from my family. Completely unacceptable.

    I tried restoring the repair partition I dd’d off, but due to the new 750 GB drive having different sized clusters and alignment than the old 500 GB drive, I struggled to create a bootable recovery partition without spending yet more time than it would take to restore using the DVDs. So I’m using the restore DVDs.

    I still don’t have a Time Machine work-a-like that can back up Tanya’s data. This is a serious issue as hers is the most likely computer to die. […]

    And die it did. I tried Windows 7 Backup for months on and off after buying a new 2TB external HD, but as per usual for a Microsoft product, it doesn’t actually work. Too late, I found Rebit, which is just like Time Machine … but expensive. I’ll be trying that after restoring Tanya’s data. Luckily, I was able to get most if not all of her data off under Linux while the HD was making very high pitched death screams. It’s dead now – all the spare sectors are used up and the computer wedges hard if you try to do anything with it in read / write mode.

    My newish MacBook Air 11.6″ is significantly faster and cheaper than this Asus, and more so every time I have to fix it up. Once I had recovered Tanya’s data to my 2TB dumping ground on my Mac, she was up and running with one of our AppleTV’s in about two minutes.

    Tanya’s next computer will be a Mac when this one dies. I will not tolerate the loss of any more of my life to Asus’ insistence on circusware in the default build and cheaping out by not providing real installation media, or Microsoft’s insistence on a recovery CD and crappy end user experience.

    I stand by my recommendation:

    Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don’t get it.


    I’m going to reduce the rating to 1/5, and the 1 is only due to the surprisingly resilient Seagate 500 GB drive that survived just long enough to get nearly all of Tanya’s data off it.

  • On APT

    Recently, RSA was attacked by adversaries who targeted their two factor authentication fobs.

    These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way.

    RSA chose not to discuss the details of the attack, using the old furphy that disclosure will damage their customers (reality: it would damage RSA’s brand). RSA’s silence allowed

    Advanced

    Persistent

    Threats

    to execute the boldest cryptographic information warfare attack since Enigma.

    RSA’s (IMHO) cowardly silence has actually damaged their customers in highly spectacular fashion. RSA told us nothing, so we couldn’t ask our clients to change vendors in a staged way, or to disable access, or put in other controls. We could guess, but business decisions are not made that way.

    Now the brand damage to RSA will truly begin. This is the end of the simple RSA fob. Even if a better algorithm or fob is used, RSA are toast as no one will trust them any more, particularly in the sort of organizations that buy fobs by the pallet.

    APT boosters have said vociferously – “see, it was APT!”. Yep, I agree. It’s one of the few times that truly worthy attacks are out in the open enough for us to get a small glimpse into what’s really going on.

    Unfortunately, due to widespread abuse of the term, APT is the laughing stock of the information security world. The folks who routinely use it with knowledge can’t discuss why APT is any different to the other threats out there today. Everyone else has no clue.

    I’ve seen CSOs give up, thinking that since these attackers are so advanced, surely we can’t protect against them, or they buy stuff marked “Solves APT TODAY!1!” when in fact, hard work is required. Nothing very hard, just simple stuff like input validating every field and not tolerating insecure software any more.

    But for your average CSO, finding out if an application was developed in a secure fashion and that every parameter is validated is impossible. It shouldn’t be. But that’s not the main point of today’s post.

    It’s moderately clear in the fog of active disinformation that the weaknesses used in the RSA, Sony, and PBS hacks are well known and easily exploitable. The solution is like losing weight. There is a simple solution that works – albeit slowly. It’s called eating the right amounts of good food for a year or two and exercising hard every day. Anyone who has tried to lose weight, including myself, knows that we really just want an APT strength diet pill.

    I think most of us in our industry will acknowledge that penetration testing has become “different” over the last few years, from literally shooting fish in a barrel with the most rudimentary or no tools, to requiring a fair bit of work, and moving up the value chain to find interesting and exploitable issues the business cares about.

    In terms of results, I think we’re still finding 10-20 things wrong in every app. Attackers need one. This is the attacker’s advantage. The number of weaknesses, the type of weaknesses, and the severity of the weaknesses are NOT “advanced” in any way shape or form in 95%+ of the code reviews and penetration tests I perform. The other 5% have been working with me for a while, are mature risk managers, and they’re hard to attack as a result.

    But because of the hard core mystique surrounding the use of the term “APT”, we’re seeing completely inappropriate uses of the term everywhere from anti-virus scanners through to security appliances that promise data loss protection but forget that the information security triangle is people-process-technology. Putting one in place doesn’t solve the other two, nor negate your responsibilities to put in appropriate controls that PEOPLE can live with to do their JOBS and make the business MONEY.

    My twitter icon is the famous drive around control image:

    Access controls are only for those with easy access

    This is where folks promoting APT fail. I am not denying that the attackers who have found an end run around a widely known security control are

    Advanced

    Persistent

    Threats

    Anyone who targeted a particular firm, and utterly broke a long standing crypto system, and everything else required to obviate hardened controls of at least two military industrial giants are worthy of the term APT.

    Unfortunately, APT as a term is so brand damaged in the info sec community (try saying it at a public event without being openly laughed at), that we have to choose a better one, one that marketers would never dream of using inappropriately. I don’t know what it is, but surely

    Enemy Combatant

    or

    Soon To Be A Small Pile Of Glowing Ash (STBASPOGA, or the more friendly sounding Strasbourg)

    are right up there.

    Worse still, the fact that these Strasbourgs really are APTs doesn’t mean that we should forget to do the hard work, but instead demonstrates the paucity of protective information security research. Some of you might remember me saying a year or two ago that too much attention is paid to those who hack, and not enough on those who defend. Strasbourgs should mean more dollars in pro-active research. We need to make it difficult to develop insecure software. We should make it easy to determine if Acme’s latest release of their widgets is insecure. We should have metrics that easily demonstrate that insecure software costs more. We should make it legally untenable to ship insecure software, and give redress to consumers when their investments, privacy and intellectual property are violated due to stupid, simple weaknesses that we knew about in 1965.

  • Passwords are neither free nor cheap

    I don’t know how many clients over the last decade I’ve been trying to get this basic fact through their very thick business skulls, but here goes again:

    PASSWORDS ARE NOT FREE
    PASSWORDS ARE NOT CHEAP
    PASSWORDS ARE NOT SAFE
    PASSWORDS ARE NOT ACCEPTABLE FOR HIGH VALUE DATA / APPLICATIONS. EVER.

    Vodafone has found this out to their immense cost and ongoing public relations disaster.

    By changing the faulty business decision (passwords) every 24 hours, VHA are sticking their finger in the leaky dyke. They sell mobile phones. They could step up to two factor / transaction signing with mobiles for CHEAPER than passwords. Especially for them. This is an opportunity for VHA to say – look we’re leveraging our unique selling point (mobile phone operator) to provide world class security. Instead, they choose passwords.

    Stop using passwords. Their time was done more than 10 years ago, if ever.

  • CPRS / ETS / “a price on carbon” is back. WTF!

    The government never seems to learn. They nearly lost the election, they lost their previous leader, and the opposition lost their previous leader over a money spinning taxation mechanism called “a price on carbon”.

    No second order mechanism has ever succeeded in its intended effects, and they always have unintended consequences. Legislating first order effects is simply much cheaper for everyone, with far more certainty for investors and consumers.

    Cases in point:

    • Cars are 40x less polluting than their 1970’s counterparts, not because we put a tax or trading scheme on noxious fumes, but mandated that exhausts had to be cleaned up.
    • In Australia, incandescent light bulbs are hard to buy now, and soon will not exist. For most homes the savings from using CFLs and LED bulbs are modest, but over the entire population, this is a huge CO2 / energy saving.
    • Leaded petrol, paints, and toys (mostly) don’t exist any more. Far less health issues now, saving the community millions of dollars and enabling everyone to be at their full potential.
    • Insulation is mandatory, saving most folks 30-40% in kWh on their heating and cooling bills compared to even 20 years ago.
    • Mandatory water saving mechanisms (dual flush toilets, water saver shower heads, high efficiency appliances, etc) have cut average Victorian household water use from 450 litres per person per day in the 1980’s to around 150 litres per person today. If only we could get oldies to give up their climate inappropriate English gardens and grass, I think we’d make more inroads to well under 150 litres per person per day.

    Effectively, these first order regulations and effects have been 100% successful in their aims and outcomes. They usually saved the consumer a great deal of money, and cost the government little to nothing.

    The price on carbon is simply a way to allow speculators to make billions, polluters not change a thing, kill the investment market in renewables and green technology, and all of us pay more for the same outcome – terrible and expensive climate change. The government of course, will make billions from selling permits to suckers not bright or powerful enough to get them for free.

    As I’ve noted previously, the 80/20 rule should be applied source to sink on our use of fossil fuels and the carbon life cycle. Concentrate only on the things that can be easily changed for everyone by eliminating “does not scale” from the equation. It’s easier to shut one coal fired power station than it is to get millions to stop commuting every day, for example. No one or any industry should be exempt from this review. In my view:

    • Using carbon based fuels should be phased out by 2025 as most cars last about 15 years. This gives time for the car makers to get serious about non-fossil fuel alternatives and the confidence that there will be a long term market for them. We need those fossil feed stocks for other necessary things, such as medicines, plastics and so on, and not to fritter away on cars or buses or planes. This would kick off jobs in electric car research and manufacture, as well as stimulate the economy in building re-charging stations and so on.
    • Eliminate subsidies for high energy users such as aluminium smelters and concrete plants. They should pay the going rate for electricity so their products better reflect the actual costs of production and damage to the environment. There is nothing “eco” about aluminium or concrete.
    • From today, the government should just fess up and legislate the inevitable – there should be no more coal or gas fired power stations built in Australia, and no more coal exports will be entered into. However, no coal power station will be forced to shut down within their designed life time. It was never going to happen anyway even under a CPRS as they were getting their polluting credits for free, so may as well let those who run them now get their investment back. Power stations have a long lag time, and we need time to build the necessary nuclear and renewable power stations to replace them. But we can make it a statement of fact that there should be no more coal. Investor confidence problem solved.
    • The greens need to get off their anti-nuclear hobby horse. Nuclear power is clean and modern reactor design can use a lot more of the fuel reducing nuclear waste dramatically. It does require a lot of fresh water, but that’s also solvable in many parts of the country.
    • Make it mandatory that houses are to be built with solar power, solar water heating, much better insulation, appropriate siting and design for their climate, and require ground heat pumps to reduce their impact on the grid. If a house uses 20% to 80% less electricity and gas, that’s not only savings to the owners but less public power required and many millions tonnes of emissions we didn’t emit during the life of such houses.
    • Promote policies that dramatically reduce the requirement for folks to move large distances every day. There are so many it’s not funny: enforcing urban boundaries and consolidation, making telecommuting the default work style unless required to be on site (say for manufacturing or retail sales), eliminating 99% of public servant flights for interstate meetings by requiring video conferences, public transport investment, changing car registration to include a distance component as the major cost factor, eliminating car tax benefits for those who use their companies to buy luxury or even bottom dweller cars to enable a daily commute. There are so many pro-commuting policies that need to be removed or changed. I’m sure you could think of many more that I’ve left out.

    The last 20% of things that folks worry about are hand waving at their best – things like useless status LEDs and clocks in consumer goods. Yeah, dumb design, but honestly, not going to kill the earth any time soon. Let’s not waste time on those now. There’s far bigger fish to fry, like using cold water to wash clothes rather than 50 C water, and eliminating the daily commute for at least 20% and preferably 80% of all workers. Since I’ve stopped wasting life and fuel going to an office, my fuel bill has dropped from using about 50 L a week before leaving Australia, to using about 30 L every two to three weeks now. This is a dramatic improvement in my quality of life (my commute is about 10 seconds from my breakfast), and a dramatic drop in fossil fuel use. We save at least $100 per month in fuel alone. Imagine if most folks could do the same? I realize that not everyone can telecommute, but I think the majority of the poor sods who go to CBDs to work in a soulless life sucking cubicle every day could easily telecommute. That should be the default going forward. Working from home would revitalize the local shops, such as cafes, as more folks would be home during the day, again reducing the commute for the weekly shop instead of driving a long distance to the nearest mega mall.

    Realistically, first order effects are simple, cheap and effective. They tend not to be fund raising mechanisms, which is why our government won’t choose them, but without first order changes to our policies and life styles, the planet is stuffed. Second order mechanisms such as a “price on carbon” just means we’re poorer because we’ll be paying 50-200% more for our electricity that still burns coal, with a polluter who has no reason to change their ways.

    Let’s get some action happening, and not a price on carbon.

  • Arbib is a spy, or we are the 50-57th states of the USA

    Mark Arbib, agent provocateur of the right wing ALP and one of those involved in the coup against Prime Minister Kevin Rudd, turns out to be a protected source of the United States.

    The Age calls Mark Arbib a “confidential contact” for the USA, but so was convicted spy Jean-Philippe Wispelaere.

    According to the Wikileaks disclosure of US diplomatic cables, Arbib met with the US embassy on many occasions and fed information to them that would be news to the public as well as his political party and so called friends within the ALP. In Australia – and for that matter most countries – we’d call that spying for a foreign country. Arbib never held a foreign affairs portfolio or had any dealings with DFAT, so it is extraordinary that a savvy political operative would risk his political future for … what? I don’t know.

    Will Arbib be sacked or have the decency to resign? Unlikely. Gillard would be afraid to act against Arbib as he knifed her predecessor and owes her job to this man. If she has a spine, there’s no better time to act than now – it’s obvious he has to go. No hard feelings, mate – nothing personal, but you possibly broke Australia laws that explicitly prohibit this type of activity.

    Realistically, as someone who really likes the USA, we should just get over the charade of being an independent country (read: a colony of Britain), and become the 50th to 57th states of the United States of America. Being a puppet state is so embarrassing.

  • In defense of Microsoft’s SDL

    Richard Bejtlich says on Twitter:

    I would like fans of Microsoft’s SDLC to explain how Win 7 can contain 4 critical remote code exec vulns this month

    I am surprised that Richard – an old hand in our circles – can say such things. It assumes defect free commercial code is even possible, let alone for anyone other than MS. As much as we’d all like to have defect free code, it’s just not possible. It’s about risk reduction in a reasonable time frame for an acceptable price. The alternative is no software – either cancelled through cost overruns or delayed beyond use. This is true of the finance industry, health, government, mining, militaries, and particularly ISVs, even ISVs as well funded as Microsoft.

    In the real world,

    • We create building codes to reduce fires, damage from water leaks, damage from high winds, and improve earth quake survivability. But houses still burn down, water floods basements all the time, tornadoes destroy entire towns, and unfortunately, many buildings are damaged beyond repair in earth quakes.
    • SOX requires organizations to have good anti-fraud / governance, yet still IT projects fail and still companies go out of business due to senior folks doing the wrong thing or auditors stuffing up
    • PCI requires merchants and processors to handle CC details properly, yet we still have CC fraud (albeit much less than before PCI)
    • We engineer bridges not to fall down, but they still do.
    • The SDL requires certain calls not to be used. This should prevent common classes of buffer overflow. However, you can still write code like this:
    /* Unbounded copy: nothing here knows how big dest is, so a src longer
       than dest writes past the end of the buffer. */
    char *MyFastStrcpy(char *dest, const char *src)
    {
       char *save = dest;
       while ((*dest++ = *src++))   /* copies up to and including the NUL */
          ;
       return save;
    }

    Is code calling that function likely to have buffer overflows? Sure does. Standards and better design eliminate stupid issues like the above.
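    Added example, not code from the original post: the unbounded copy above next to a bounded replacement of the sort an SDL banned-API rule steers developers towards. BoundedStrcpy and copy_fits are names chosen here, and the buffer sizes and input string are constructed.

```c
/* Added example (not from the original post): the post's unbounded copy
 * beside a bounded replacement. Names and sizes are ours. */
#include <stdio.h>
#include <string.h>

/* Unbounded copy as written in the post: nothing stops it running past
 * the end of dest, so a 16-byte buffer and a 40-byte src corrupt whatever
 * follows the buffer. Kept only for comparison; never pass it untrusted
 * input. */
char *MyFastStrcpy(char *dest, const char *src)
{
    char *save = dest;
    while ((*dest++ = *src++))
        ;
    return save;
}

/* Bounded copy: never writes more than dest_size bytes, always
 * NUL-terminates when dest_size > 0, and reports truncation instead of
 * silently corrupting memory. Returns the length of src (like strlcpy),
 * so a result >= dest_size means the copy was truncated. */
size_t BoundedStrcpy(char *dest, size_t dest_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dest_size == 0)
        return src_len;
    size_t n = src_len < dest_size - 1 ? src_len : dest_size - 1;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return src_len;
}

/* What a caller (or a code review checklist) should insist on: copy into
 * a fixed buffer and succeed only if nothing was lost. */
int copy_fits(char *dest, size_t dest_size, const char *src)
{
    return BoundedStrcpy(dest, dest_size, src) < dest_size;
}

int main(void)
{
    char small[16];
    /* constructed input: 43 characters, far more than 'small' holds */
    const char *long_input = "constructed input longer than sixteen bytes";
    if (!copy_fits(small, sizeof small, long_input))
        printf("rejected: input needs %zu bytes, buffer holds %zu\n",
               strlen(long_input) + 1, sizeof small);
    /* MyFastStrcpy(small, long_input) here would overflow 'small'. */
    return 0;
}
```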

    It’s not a perfect world.

    Nearly all of the code MS works on dates back to before the SDLC push in 2001. Windows 2008 has roots in code started in the late 1980’s. They literally have a billion+ lines of code running around with devs of all competencies poking at it. The idea that there should be zero defects is ludicrous.

    Richard, if you’ve completed a non-trivial program (say over 100,000 lines of code) that does not have a security defect from the time you started writing it, you’re a coding god. Everyone else has to use programs like the SDL to get ahead. Those who don’t, and particularly those that do no assurance work, are simply insecure. This is risk management 101 – an unknown risk is considered “HIGH” until it is evaluated and determined.

    Let’s take the argument another way. If the SDL has failed (and I think it is succeeding), what would be the signs?

    We know empirically that LOC ~= # of security defects. However, the number of critical remotely exploitable issues affecting Windows 7 is dramatically less than that of XP at the same time of release. Like 10x less. That’s an amazing achievement that no one else in the entire industry has managed to do, despite knowing how Microsoft has achieved that amazing effort.

    What are the alternatives? Until Oracle saw the light a few years ago, they had the hilarious “Unbreakable” marketing campaign. Sadly for them, they were all too breakable. See D Litchfield for details. Not reviewing, or keeping dirty secrets secret, does not make things secure. Only through policies requiring security, standards that eliminate insecure calls like dynamic SQL calls or strcpy(), careful thought about security in the requirements process, secure design, secure coding, code reviews, and pen tests to validate the previous steps do you have evidence of assurance that you are actually fairly secure. The SDL is a framework that puts that cycle into motion.

    Oracle got it. They’ve now been pumping out 30-40+ CPUs per quarter for several years in a row. I’d prefer 4 remotely exploitable issues once or twice a year than 40 per 3 months thanks. But even so, I’m glad Oracle has jumped on the SDL bandwagon – they are fixing the issues in their code. One day, possibly in about 5 to 10 years, they’ll be at the same or similar level that MS has been at for a few years now.

    I agree that monocultures are bad. I use a Mac and I have been unaffected by malware for some time. But do I believe for even one second that my Mac is secure just because it’s written by Apple and not Microsoft? Not in a million years. Apple have a long way to go to get to the same maturity level that Microsoft had even in 2001.

    All code has defects. Some code has far fewer defects than others, and that code is written by Microsoft in the last few years.

  • Code of Hammurabi – or 4000 years later, we still haven’t got it

    The Code of Hammurabi is one of the earliest known written laws, and possibly pre-dates Moses’ descent from the Mount.

    In it, we get a picture of the Babylonian’s laws and punishments. In particular, there’s this one:

    If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death. (Another variant of this is: If the owner’s son dies, then the builder’s son shall be put to death.)

    (Source: Wikipedia)

    So essentially, this is one of the earliest building codes. Pretty harsh, but you know…

    What this means is that only qualified builders prepared to take the risk of death built houses. This obviously focuses the mind.

    In our industry, we have hobbyists and self-taught folks working side by side with software engineers and computer scientists, but they usually share one thing in common: they know nothing of security.

    This is like an accountant graduating without knowledge of auditing principles or GAAP. It’s exactly like a civil engineer being unaware of the load stresses and environmental factors that require safety margins and tolerances to be built into every structure.

    When the average person goes to a builder or architect and asks for a house to be built, we expect them to know how to build the two or three story building such that it not only complies with minimum code requirements, but that it will not collapse. When a building does collapse, we strike those builders off the master builder’s register and they can no longer build homes. We can sue them for gross negligence.

    When the average small company does their books, they expect the accountants they hire to know how to do double entry bookkeeping, and to be aware of local, state and federal tax rules. When they fail to do so, they lose their CPA accreditation and we can sue them for gross negligence.

    When a city or state wants to build a new bridge, they expect the winning tenderer to design the bridge to last for the expected period of time, satisfy all state and federal road and safety laws, and obtain specialist advice for key elements of construction, such as wind tunnel tests. If the bridge falls down, this is usually the end for that building group and they are sued out of existence.

    Why is it so different in our field? What we do is not art. SQL injection is so utterly preventable, and has been for over 10 years, that I truly believe it is gross negligence to have injectable code in any running code today.
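To make concrete why “eliminate dynamic SQL calls” is a standard worth enforcing, here is an added example (written for this page, not the author’s code) that puts a dynamic, string-built lookup beside its parameterised replacement over a constructed in-memory SQLite table. The dynamic version lets a quote in the input rewrite the query and cannot even handle a legitimate name containing an apostrophe; the parameterised version binds the input as a value and does both correctly.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not real user data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Dynamic SQL: the caller's input is spliced into the statement text,
    so any quote character in it changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Parameterised query: the statement text is fixed and the input is
    bound as a value, so it can only ever be compared against a name."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def dynamic_sql_fails_on(conn, name):
    """True if the dynamic version cannot even parse a legitimate input."""
    try:
        lookup_dynamic(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A quote in the input turns the dynamic query into "WHERE name = '' OR '1'='1'"
    # and returns every row; the parameterised query matches nothing.
    print("dynamic:", lookup_dynamic(db, "' OR '1'='1"))
    print("parameterised:", lookup_parameterised(db, "' OR '1'='1"))
    # A real name with an apostrophe breaks the dynamic query outright.
    print("dynamic breaks on o'brien:", dynamic_sql_fails_on(db, "o'brien"))
    print("parameterised:", lookup_parameterised(db, "o'brien"))
```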

    There is a huge difference between using MYOB to run a small business and building a cubby house. Yet this is all 99.9% of all developers are capable of today. They lack the most basic awareness of software security, the only key non-functional requirement of all software – from games through national treasury finance systems.

    Efforts like Rugged Software and OWASP are vital. We must get out to universities and employers and make sure that security is taught and that all IT, CS, and software engineering graduates have done at least one 13 week subject on it, and make it the easiest possible path to major in software security. We must get out to employers and make sure they require all new hires to know about it and be able to code for it. Moreover, if they buy off the shelf software, we must get them to include clauses in contracts, such as the OWASP Secure Software Contract Annex, to protect themselves from gross negligence such as SQL injection or XSS. We must reach out to frameworks and make them utterly aware that what they do affects millions of developers and they simply must be better at security than everyone else.

    It’s time for the software industry to grow up, realize that fortunes, privacy and lives really are at risk, and we’re doing a repeatable engineering process, and not some black art. We have to have consequences.

  • FIFA Fraud – Football Federation Australia must be investigated

    In today’s Age, there’s an article on how Australian taxpayer money is being used to bribe FIFA and other national soccer body officials to garner support for Australia’s World Cup Bid in 2022.

    Item 1. It is actually illegal to spend Australian government money on bribes, gifts, holidays, and so on. This is contrary to the Bribery Act.

    Item 2. Bribery is most likely illegal in all other FIFA playing countries, such that asking for or receiving kickbacks and gifts such as pearl necklaces and holidays is illegal.

    The Federal Police should go in and investigate these claims, and prosecute them to the maximum extent that the law allows. We send folks who hold up a 7-11 for a measly $250 to jail for a couple of months to a few years depending on how stupid the crooks are. In this case, the “crooks” (in my opinion) are running double books and stealing Australian taxpayer money to the tune of several millions of dollars per year. Bribery is theft pure and simple and is dealt with that way under Australian law.

    Why is bribery and fraud so insidious? It is an opportunity cost. If the bribe did not need to be paid (and it NEVER does), then you can use that money for other things, such as health care, education, social programs, roads, and infrastructure. The more fraud you accept, the higher our taxes and the less you receive for it. In Australia’s case, $20m per year is nothing and the consultants and FFA are busy laughing it off. Wrong. For a third world country where the bribes are most likely to be accepted, this is actually death – actually no roads – actually no infrastructure. It’s evil and that’s why we and many countries have laws against it.

    FIFA must immediately sack those who received or asked for gifts and change their processes to be bribe / fraud resistant and with huge sanctions on those who breach them – such as a 20 year disqualification from holding the World Cup for the countries involved, and immediate life bans from FIFA level competitions for those who seek to profit from their position.

    FFA must immediately sack these “consultants”, and anyone in FFA who thinks running double books is a good idea. They must change their processes so that when they spend Australian taxpayer funds, they adhere to all our laws, including the Bribery Act.

    The AFP must look into these allegations and prosecute. This is like a thousand 7-11s being held up, except Australian taxpayer funds were in the till.

    My guess? Nothing at all will happen. Welcome to your corrupt World Cup, a poisoned chalice for all those who covet it.