Saturday, September 16, 2006

What makes a good programmer

Aha! I just found a quote from Joel which puts into words what makes a good programmer.

You need training to think of things at multiple levels of abstraction simultaneously, and that kind of thinking is exactly what you need to design great software architecture.
The quote can be found in this blog post.

I didn't realize it before, but this is what makes the good programmers at BigFix, good.

Saturday, September 09, 2006

Ruth's Chris Steak House

It was my birthday the other day (37. Thanks for asking.) I wasn't really into a party or cake or presents or anything, so my wife took me to dinner. We went to Ruth's Chris Steak House. The food and service were both excellent! It's just a little expensive, though. It actually ended up being a bit more expensive than we even thought it was going to be, because our waitress misquoted the price on one of the specials about $40 too low. It wasn't a big deal, and the correct price wasn't really out of line with the rest of the items. So, two of us: I had the American Kobe beef special and the Australian lobster tail special, my wife had a filet, we had 3 sides, and cheesecake for dessert (dessert was free, because of the birthday.)

The total was $192 before tip and valet. I wouldn't have spent quite that much on purpose, but man that was good.

ELER Mention

One of the on-line comic strips I like to read is Everybody Loves Eric Raymond. I got a mention there the other day, as "Famous security dude Blue Boar (Ryan Russell)". (Yes, I'll accept that description :) ).

The comic that day, "Bruce Schneier Facts" is also quite hilarious, as is the database that goes with it.

He has a "Knuth is my homeboy" t-shirt, which I purchased. I happen to be wearing it as I type this. It's just a funny shirt all-around, but you wouldn't enjoy it on as many levels as I do, flavin.

One reason is that my main character from the "Stealing the Network" series uses "Knuth" as a handle, mostly to piss off the other hackers. (Which worked pretty well on Fyodor.) Another reason is because the picture used was taken by Jake Appelbaum, whom I have met a number of times.

So I wore the shirt to Black Hat one of the days, and had Johnny Long take a picture of me in it with Darci and Jaime.

Why can't I print this email?

Many years ago (about 1990-1995) I worked at Bechtel in San Francisco. It was the kind of place that made you wonder if Dilbert creator Scott Adams worked there. So I will likely have a number of stories that are set there, if I can remember them.

Bechtel was a long-time DEC VAX shop, so we ended up using a lot of strange DEC products, probably long after we should have been. For example, DEC PathWorks, which was DEC's weird LANMAN-based NETBIOS over DECNet (Phase IV). We were also using the DEC email product, I want to say it was called "MailWorks", but I can't actually remember. A lot of their stuff had "works" in the name, I think they were trying to convince themselves. And this is back in the day when Windows wasn't a given, and we're talking Windows 3.1x.

So one of the executives calls the helpdesk, and wants to know why he can't print his email. We thought that was a little strange, since the printing generally worked well. We troubleshot the usual queue problems and such, and then sent someone up to see him. OK, so the problem turned out to be that the print function just wasn't there in the program mode he was in, which was the compose mode. In other words, he wanted to print the note while he was still typing it up.

OK, so why did he want to do that, we asked him. He said he couldn't send it unless he printed it out. Huh? Of course he could, just press the "send" button. And you can even print it out from your "sent" items, if you want. No, he doesn't want to send it that way, and he needs to print it!

After backing up several steps, the person finally gets the full story out of him. What he wanted to do was type it in the compose window, print it out, and then FAX it to the person it was addressed to. That's right, he just wanted to use the email program as a word processor.

When questioned as to why he didn't just send it via email, he said that he couldn't be sure it got there that way. OK, so why is FAX any better? You can't tell that it got sent for sure that way either.

Yes you can, he replied. You can see the paper going into the machine, so you know it got sent.

Tap Whistle

(Originally from a writing exercise I did in my Slashdot Journal. There's a writer there by the name of SolemnDragon, and she occasionally gives out said exercises. This "universe" is one I've had in mind for a while. I haven't been satisfied with the level of tech detail in other steampunk stuff I've read. I may do more in this vein, we'll see.)

Tap Whistle hated to work in the rain. It loosened the black from the streets and buildings, and made the manhole diving unbearable. You didn't want to get caught by the Plumbers when it was raining. If you tried to run, you'd just end up slipping in the black runoff. After a couple of hours of rain like today, the sewers would be full up to your knees.

It also seeped into the battery jars, and the top layer of grease would short out the 'nodes, leaving you no voltage. Anyway, you didn't want to get caught with a jar if you could help it, or else you would be charged under the Tesla ban.

The rain made it too noisy to scope the street for audio, too. Not that sound would do him any good at the machine point he planned to monitor today, not from the topside.

Whistle wouldn't even bother on a day like today, except that he had a rare motivation, a paying customer. It seems that several of the local "plumbers apprentices" had named him as the best when the norm had come around looking to hire a hole diver. He was even more nervous than Whistle, and it made him laugh inside to think how paranoid the norm was about getting caught. Whistle wasn't worried, why not get paid for some of his fun? He suspected he wouldn't be able to get the message anyway.

Whistle didn't actually have to pop any holes today, so he had left the crowbar at home. This junction point was big enough that it had its own housefront. Most of the major machine points had a little house-like building on top of them. The house part was little more than a single-story box with a front door. Inside was just some storage, a wall of valves that ran below, and the circular metal staircase that led down to the workroom. Whistle had a key that he had traded for, that would open the front door. It was a simple warded key, not one of the newer pin tumblers. Those were not thought to be reliable enough, though the lockers considered them more secure. That was about the extent of Whistle's lock knowledge, which he had mostly picked up from trade pamphlets and a couple of informal demos from the lockers at the meetings.

Whistle checked for any of the copper-clad Plumbers carriages on the street before letting himself in the door. Once inside with the door closed behind him, he headed straight downstairs.

At the bottom of the stairs, he stepped right into the water, feeling the cold grip on his calves, dragging at his pant legs. The rain was seeping from the walls, and dripping from the curved ceiling, between the bricks. Parts of the sewers under the city went back to Roman times, though not under a machine point. In a machine point like this, they had typically been dug down two stories worth, and rebuilt, like a mini Underground station in the dark. They didn't carry any trains though, just pipes and conduit.

Whistle's target today was Lloyd's. They were an old user, so they still mostly used the pneumatics. Usually, only the newer users used rods, because they didn't have as many feeds to convert. There were a couple of exotic hydraulics in town, used in local building carries, but that was only the standard in America. You wouldn't find a hydraulic in an official machine point. Whistle had a few catalogs from Edison's Hydrologic Manufacturing Company, describing what they had over there.

He lit the gaslight, and pulled a couple of books from his pack. One was the city feed directory, which would give him the numbers he needed to check for. Customers would use these to look up the endpoint and route. The other was a stolen PCL manual, which would give him the stamped numbers he would need to read off the pipe he wanted. He looked up the machine station he was in, and found the list of Lloyd's serials. Lloyd's had mostly low numbers, they had been around longer.

One challenge was that, through this particular station, Lloyd's had no less than 21 tubes, too many to monitor at once. Whistle knew to check which switch they went to, though. And only one switch down here led to the destination he was supposed to watch for.

He found that only four of the tubes went through that switch, so that was the set he would have to watch. From his bag he pulled a set of lodestones and reed flags.

Carefully, he found the places in the middle of the tubes where the plungers would have to cross. The places where, when the plunger went back and forth, it would flip the flag one way and then the other, giving him a visual means of watching the bits. Down here, you could use a horn to listen to one pipe, if you only had one to watch. Well, maybe two. He had heard of one blind kid that could do two at once.

For a lot of beginners, tapping by ear was easier. Especially if you were used to decoding by ear at a legitimate endpoint anyway.

But that didn't help if you needed to watch four. Whistle set up the reeds so that the reflective sides were to the right, where the gaslight was. Once the plunger started going, the flashes would let him read the message right off the pipe.

Monday, September 04, 2006

When, where, how and for how much, to reveal your vulnerability

You know, I can do these long logic chains based on a lot of assumptions as well. Can I get some vitriol?

So, you're a researcher, and you've got some sexy new class of exploitable flaws you've found. You do your presentation at a con, but it seems like everyone's employers nowadays don't appreciate presenters dropping 0-day. Therefore, you decide to show a video clip instead.

You decide to playfully pick on a group of smug OS users who generally think they are more secure. (I know. Security researchers bursting the bubble of someone with a false sense of security? I'm shocked too.)

Trying hard to be "responsible" (as defined by the software vendors), you give the vendor some heads up that you're going to be showing a video demo of yourself 0wning their kernel driver. Lo! This vendor, who happens to actively cultivate this perception that their stuff is more secure, takes exception.

Let's talk about this particular software vendor for a sec. They have repeatedly demonstrated a willingness to sue anyone who reveals anything they aren't ready to reveal. They are willing to sue every time. Even if it's true. To the point where you might have to take them to the state supreme court to try and keep them from going after your sources.

Of course, that's for news, which theoretically has some constitutional protection in the U.S. How do they feel about vulnerability disclosure? "We don't feel that our customers are better served by public disclosure of potential issues". Oh.

So, maybe picking on Darth Litigious isn't such a hot idea. They decide to instead demo one of the third-party cards with its own vulnerable driver. And not even identify the card, so that vendor can't complain either. Yeah, it kind of weakens their demo, but they don't have a lot of choice.

Maybe they could just mention in passing that the sue-happy vendor's built-in card and driver have similar problems?

Surely, the masses won't ignore the impressive 802.11 research presented that made up 80% of the talk, and only focus on the demo? And pick the demo to death only because it affected their favorite platform? Surely, it can't be possible that rational, sane people would believe that the problem is demonstrable on FreeBSD, Windows, and even their own platform, but with a third-party driver... and then not believe that there is any chance whatsoever that the same kind of problem exists on the driver that ships with the OS?

No, clearly, the researchers must have faked the video. It seems MUCH more likely that they would use a third-party card ONLY as a red herring. Not because the OS vendor breaks out the lawyers at the drop of a hat. No, they faked the video, and they didn't show themselves popping the native card because, well... that's more believable. Or something.

So, clearly the zealots were right all along, the researchers are frauds. Wasn't it stupid of them to get up in front of all their friends and peers, and pull a scam? Especially since at least one of them had proven himself more than competent over the years. Oh well, no accounting for stupidity.

But zealots are rarely willing to let things go at victory. No, how about the zealots taunt the researchers with promises of prizes, on the off chance that the researchers have something to actually show? Maybe all they were waiting for was a shiny thing. And not the threat of lawsuit.

Let's examine the offer from the zealot.
  • Zealot will buy said vulnerable (Ha! As if!) shiny thing
  • Zealot will not permit researchers to put their filthy paws on the shiny thing
  • Researchers will use their exploit, which they have promised to keep private until the patch is out
  • If the exploit doesn't work flawlessly on the first try, then researchers will either have to give the zealot the cost of the shiny thing, or it will be called "even". Where "even" is the researchers have to pay no money, but zealot will crow about victory, and researchers will have proven themselves untrustworthy by using the exploit they said they would keep private, and maybe get sued.
  • However, if it does work flawlessly, the researchers will be up one shiny thing, and will only have proven themselves untrustworthy, and maybe get sued. Plus, zealot will have some excuse as to why it doesn't matter because, well, whatever, nuh-uh!
  • All judging will be done by zealot, who would be out the cost of one shiny thing, and prove himself completely wrong if he declares the researchers the winners.
So, back to my opening question: if you're a researcher in this position, and you've got this sexy vuln, what do you do with it? Here are some options:

  • Ignore any potential gain from your work, don't present it, sell it, use it as a resume item, etc... just post it, and take a chance the vendor will be really mad about that. Tick off potential employers. Anger some peers who think that is irresponsible.
  • Sell it. TippingPoint and iDefense will offer $10,000 or more. That's like, enough for 9 shiny things! Note that you will be required to keep the exploit private until the patch ships.
  • Present it and try and warn people about this class of problem. (Also, you get some travel expenses, and maybe enough money for 1 shiny thing. Woo!) Note that this does not necessarily prevent you from releasing the exploit if you want. Unless maybe your employer paid for some of your time, and insists that you don't. Or maybe your peers and potential employers and customers wouldn't like that. Or maybe the conference itself got sued for that sort of thing last year, and it wouldn't be cool.
  • Unless you tried to be nice to the vendor by giving them some advance notice, who then turns around and makes you change your presentation and hold your tongue. Even if they later issue a public half-denial that they know about the problem. Because, you know, presenters and conferences get sued for that kind of thing now...
So, the "hold all details until a patch is released" strategy looks like a pretty good choice. The researchers probably would have had more options if they hadn't tried to give any vendors advance notice, but it's a bit late for that now.

Maybe the vendor is trying really hard to communicate to the researchers that the best strategy is to just blindside the vendor? Maybe they like a challenge.

In case it's not obvious, I don't believe that David and Johnny faked anything. They are being really big about the whole thing, despite taunts, derision and bribes. I believe they will be proven correct when Apple puts out the patch (which is, of course, completely on Apple's schedule.) And I also believe that the same people who are calling them frauds now will probably still be grasping at any little detail which might help them keep from admitting they were wrong.

Second Coder Wins

I subscribe to the school of thought that says the second coder always wins. By that, I mean that after you write your "undetectable" rootkit, someone will analyze it, and find a way to detect it. If your malware kills all the protection mechanisms on a victim, then the AV vendors will recode their apps so that the technique you used to kill them no longer works. IDS vendors will find a way to detect your IDS evasion, and so on.

Exceptions: Crypto might be an exception, though I've been surprised by the number of crypto algorithms that have fallen in recent years.