Thursday, February 22, 2007

Julie Amero add'l

Brian Livingston gave me permission to write my Windows Secrets article this time about Julie Amero. I'm grateful that he allowed me to use my space there (which is a paid gig for me) to help spread the word. Brian is sympathetic to her situation as well, and you may have seen him quoted in the New York Times story about it. In addition, he made it the Top Story, which means that it goes to ALL subscribers, not just paid subscribers. It also means I can link to it from anywhere, like I just did.

If you don't know about Julie's situation, you can read my article, and there are some links in it to others that give more background. If you read security blogs at all, you probably already know all this, so I won't cover it here. The reason I haven't mentioned it before is because I was preparing that article, and because I have been working behind the scenes with others, as hinted at in the article.

I can be long-winded, so my article was over twice the length it was supposed to be, and had to be cut down a bit for the newsletter. I wanted to use the extra material here, and make an update or two.

In the ComputerCOP Pro section, I originally had this:

So what did the detective use to examine the "image"? He used a program called Computer COP Pro. Here's an example entry from the FAQ:
Q. Does Professional require training to use?

A. For a competent computer user, Professional truly does not need training to use as the detailed search applications are performed automatically by the software and the product does come with a Getting Started manual. However, because you may need to testify in court or in a hearing, it would be best to receive the company's training and certification.
So, training would be nice, but you can get away with not doing it if it's inconvenient. I'm told that training consists of an hour on the phone.

Needless to say, this program really doesn't sound like it would meet my standards for a forensics utility.


Since this is a key portion of the prosecution's case, Alex Shipp contacted a representative from the makers of ComputerCOP about this aspect of their software. Alex tells me:
Allison Whitney, director of communications for ComputerCOP, confirmed that the product was unable to distinguish between URLs visited as a result of malicious software, and URLs visited by direct user action.

She also confirmed that this point is not made clear during the ComputerCOP training. At this point in time, ComputerCOP have no plans to contact the Connecticut court to point out the errors in interpretation of the ComputerCOP output made by the prosecution attorney and prosecution expert witness.

Why didn't the defense present these kinds of findings? They tried. There appears to have been a procedural error on the defense's part, and the judge would not allow the defense to enter their evidence. The defense expert has publicly stated that his analysis of the computer files would have revealed that spyware was causing the pop-ups to appear and he feels the evidence would have totally exonerated Julie.

[end of extra material]

Speaking of procedural errors on the defense attorney's part, it appears that Julie is getting a new lawyer, and this may delay sentencing. This is good news. The article makes the new lawyer out to be a hot shot, which is exactly what Julie needs. Despite the fact that she has been declared guilty already, there are still a couple of small chances for the case to be resolved before sentencing, from what I understand. The prosecution could realize that there has been an error in the facts presented, and request that the verdict be vacated, for example. I'm obviously not a lawyer, so apologies if I have abused the terminology.

Despite the TV shows you see, I'm learning that appeals aren't as easy to get as you would think, so anything that helps slow this train wreck down and bring some sanity into the situation is a welcome development.

Saturday, February 10, 2007

Apple vs. Maynor update

I had a great time chatting with people at the security bloggers meetup the other night. There were any number of "I didn't know you blogged" moments all around. Two of the guys I spent some time talking with were David Maynor and Robert Graham who have recently formed Errata Security. And yes! they are blogging too.

We chatted about all kinds of things. We chatted about Robert moving on after IBM acquired ISS. It seems that David found some reason to move on from his position at SecureWorks, too. And then we went to dinner at some Mediterranean tapas food place, and chatted some more. They bought. Thanks for the dinner, guys!

So when I got back home, I tracked down their blog, and there's some good stuff there. Hey look, there's this one particular entry from David. Looks like he's tired of keeping his mouth shut about the Mac wireless hack thing. Short version of my take on the issue: I believe David and Johnny.

But at this point, I do have to agree that some opportunities have been lost. The Matasano guys propose some hoops that researchers should be going through. Frankly, I thought that was a little silly and totally unnecessary. Even in David's case. I never thought for a second that Apple would ship the patch while still claiming that David and Johnny found nothing. I was wrong on both counts.

So unfortunately, this leaves room for the next bit of stupidity. If/when David ever decides to demo owning the built-in wireless, or release an exploit, etc., then the Mac zealots will claim that he must have reverse-engineered the Apple patch, and that he never found anything ahead of time.

Because David can reverse engineer the patch and write a working exploit, but he's not capable of finding the hole in the first place, right? And the hole that Apple fixed just coincidentally is in the area that the original Black Hat talk covered. And the holes in other OSes that they found of the same class aren't related. And HD Moore using their fuzzer and finding a similar hole in OS X has nothing to do with it.

One of these days, I hope David drops more info. At this point though, it looks like Apple has been largely successful. They have managed to drag things out long enough and tell enough half-truths that their customers believe Apple. So it's likely that few zealots will be swayed when David finally presents proof. There will just be further dismissals from people who really don't understand security very well. I still look forward to it, though.

Hey look, David is speaking a couple of times at Black Hat Federal later this month.

I'm in ur package, playing with ur puzzlez

So one of the developers I work with, Dave, is quite the twisty-puzzle fanatic. Take a look at some of his photos on flickr, and you'll see what I mean. Here's something like 1/3 to 1/2 of what he has in his office at work:

As you might imagine, Dave is also on all the various puzzle sites, and knows which puzzles are rare, which are worth the most, and which ones he doesn't have. Recently, he worked out a trade with some other puzzle collector in another country. He shipped a Square-1 in exchange for a few other puzzles. This is what arrived in the mail:

Yes, go ahead and look at the larger version of that pic. That's the Department of Homeland Security logo. So what was inside that caused such alarm that they had to open his package in transit to inspect it?

We suspect it was the rare and unusual Rubik's Hat that caught their attention. Had it been your run-of-the-mill 3x3, I doubt they would have felt it necessary to play with it. Or maybe they saw The Da Vinci Code recently, and it looked like a cryptex on the x-ray?

Rubik-sniffing dogs?

Dave did note that whoever was fondling his hat didn't seem to have any luck solving it. Good thing he didn't trade for something with batteries and wires.

Update: As if to further prove his cube-geekiness (did I mention that he placed fairly well at the recent cube-solving time trials?) Dave writes:

Nice, although technically it was my custom modified Square-1 that I traded, as a vanilla Square-1 is only worth $20-$30. I hear that the maker may even be doing another round of production, in which case the price might go back down to $9.99 or so. Here's a flickr picture of my custom modification:
I stand corrected.

Thursday, February 08, 2007

Alright, I admit this has nothing to do with my usual blogging topics. Maybe because I snapped it while leaving the hall at RSA to head to the security bloggers party?


Hey, at least that's not quite as bad as ninjas killing your family.

I paid the gentleman a dollar for the privilege of taking his photo. I found him on 4th street between Howard and Mission, around 6pm. I have no idea what his usual working hours are, or how often he rotates his signs.

Second best ad at RSA

I hereby declare the second-best ad at RSA:


"Beware of False Positives"


(I give "best" to my company's own ad, of course. It holds special place in my heart. However, if you think this one is first place, and ours only second, I'll forgive you.)

The woman working the booth tells me that it was "obtained" in Seattle, and is authentic. They were raffling it off in their booth. Excellent job CyberDefender.

Wednesday, February 07, 2007

I'm shillin' like a villain

I just had a great time at the security bloggers thing. I was a little surprised that not only did a number of them read my blog, but that, even so, they didn't realize I work for BigFix. Speaking of vendor bias, I will now attempt to provide a good clear example.

We have been trying some new ad campaigns lately. First, there are the Software Truth viral videos. I think they're worth a chuckle. We've gotten some good feedback, and people seem to like them. So far, the only complaint has been from one blogger who seems to have been fooled into thinking they were some sort of real senate hearing. But I think that reflects more on that particular blogger than it does on our videos.

And then the last couple weeks at work, I see this ad taped to the door of our CEO's office. I assumed it was an internal joke thing, and that we would not go there.

Apparently, we would. We are on the playground talking smack, and our competitors should consider it to have officially been brought.

Check out this ad (~1MB .pdf). I'm told that this ran nice and large in the Northern California edition of the Wall Street Journal today. And you should expect to see it in a number of magazines Real Soon Now. Should you enjoy it as much as I do, you can go to our site and sign up for a demo of our stuff, and get a poster version of it. (If you don't want to grab the PDF, that link also shows the picture and text, so you'll get the idea.)

Yes, those are McAfee, Symantec, Altiris, and LANDesk we are ramming our sword through.

Generally speaking, I'm not big on cheerleading for my employer. I try to be careful about plugging my company's stuff out of context. If I'm writing a book or an article, a mention in my bio is usually sufficient. If I'm speaking, the line on the first page of the slide deck is usually good enough, even though they probably paid for my travel. And when I'm overtly pointing out something we're doing, I try to make it abundantly clear that I'm an employee, and that I'm in sell mode.

But when my employer does something above and beyond, and I really approve of it, I'm willing to occasionally give props like this. I think an ad campaign like this takes balls of a certain minimum diameter, and I'm glad to see we've got 'em.

The cynics (and maybe competitors) among you might look at an ad like this, think to yourself that you haven't heard much about BigFix before, and conclude that this is a desperate cry for attention from a struggling company. And frankly, if I weren't on the inside seeing what we are doing, I might agree with you, and cringe when I saw us doing this.

But the fact is, we are growing big time. We are replacing our competition all the time, and beat them regularly in customer evaluations. Despite the fact that these guys pay me, and I'm talking about the software that I QA every day, I'm still sincerely impressed with it. It actually works.

We do not come in peace.

Saturday, February 03, 2007

Old skool security

While researching things for the Oldest Vulnerability Contest, I ran across a number of references to "Computer abuse perpetrators and vulnerabilities of computer systems" (1975), by Donn B. Parker. I did find it listed on Amazon, unknown binding, ASIN B0006WFZ9I. I left it on pre-order for a good year or so, but no one was ever selling one.

Mr. Parker appears to have written a number of security books and reports in the 70's and 80's, mostly while working at SRI. You can find most of his published books easily enough, but not what I'm looking for. I'm guessing it's not a regular book.

I can see that he left a collection to The Charles Babbage Institute at UMN that includes it. I'm going to check there about getting a copy. He seems to have granted some copyrights to CBI, so that might work out.

Also, anyone know if Donn Parker is still alive, and if so, how to reach him? I'd love to do an interview with him. I see references to him doing things in the early 2000's, so he can't have been gone long, if he is.

Amazon Links

I'm trying to see what Amazon links look like now. I've had an Amazon affiliate account for years, but I have barely ever used it. I used to just throw my associate ID ("thievco") onto links, but it looks like that changed probably around 2004. Amazon sent me a quarterly report email the other day, so I thought I would look into it. I plan to mention books frequently, and I'm not at all above throwing on my associate ID. But I wanted to see how it was going to look.

Here's one for my latest book, which is now in print and in stock:

Let's see how that looks. I may twiddle this post, apologies if it shows up in a feed multiple times. Of course, this is all javascripty, so if you're reading this in an RSS reader, you probably don't see it at all. Don't worry, I'll do a proper post in the near future where I shill my latest book the right way.

Update: Whoops! I was wrong. I found the right report, and I did get some hits from the old-style affiliate links. I put a link somewhere, and two people bought a book based on that. I have earned 83 cents this year so far. Thank you for the support. ;)

"Art of Software Security Assessment, The"

Just got a new post in my RSS feed from the authors' blog for "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities". Justin Schuh says that InformIT has their book on sale at a significant savings. I did some cursory checking, and InformIT does seem to have the best price. Ground shipping was free, so my total (after adding tax) was $35.88. Not bad. Amazon wants list price for it, so don't buy it there.

I've been meaning to buy this book since it came out. This offer seemed like a good reason to get around to doing that. Obviously, since I'm just now buying it, I can't offer a review. However, a number of people whose opinions on this topic I respect, like Dave Aitel, and the Matasano guys, indicate that it is well worth reading.

I'll try and get a proper review in, but my reading backlog is already comically long. But mostly I wanted to point out that this looks like a cool book, and if you're going to buy it, do so at this price.

Update: Uh oh, I got an email that it is backordered. "We strive to fill backorders within 30 days. If we are unable to ship your backordered item(s) within that time frame, we will cancel the item(s) on backorder and you will receive an e-mail confirmation of the cancellation." Good thing I'm not in a hurry. I hope I didn't talk anyone into wasting their time waiting if it's not going to come.

Update 2: It arrived on Feb. 19. The guys posted a blog entry about the delays. I suspect they have the stock straightened out now.

Friday, February 02, 2007

Opening cars with a tennis ball

Watch this video of a woman opening a locked car with a tennis ball. Brought to my attention in a Digg post.

Like a lot of people in my business, I do a little lockpicking, though I'm not particularly good at it. I'm curious if anyone knows exactly what is going on in this particular car door lock. I'm curious if the wafers and sidebar are being pressed into place by the air pressure, or if the air is actuating the lock pull linkage, or what.

MoAB to the BillG

You know your month of bugs is good when Bill Gates is out there pimping them for you.

Hey Bill, are you daring people to do a MoVB?

Thursday, February 01, 2007

I, for one, am outraged at the ridiculous over-reaction of the Boston authorities to what amounts to a battery-powered Lite-Brite.

Wait, I can get the bomb squad to come detonate things by attaching LEDs to them?

I can tie up the entire police force of a major metropolitan city for an entire day with $100 worth of parts from Radio Shack? Completely distracting them from anything else that might be planned for that day?

Wait wait... I can get national news coverage on every major news outlet, and get away with it by just not admitting it was me in the first place?

Carry on.