
January 18, 2008

Microsoft Ditches VBA for Security?

For some time I've been noting Dan Geer's point that Microsoft faces a dilemma: stick to backward compatibility including many security vulnerabilities, or fix the holes and lose backwards compatibility. Looks like they've done the latter with Office:
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.

However, not shipping VBA in Office 2008 means that people who want to have cross-platform documents that are pseudo-applications have to deal with it in 2008, not 2009. That's worth complaining about.

Microsoft Has Trouble Programming the Intel Architecture, by mordaxus, Emergent Chaos, 16 Jan 2008

The poster immediately goes on to sneer at OpenOffice for allegedly not being able to do things Office can do (without ever mentioning specifics) and at Keynote because everybody uses PowerPoint (while acknowledging that "Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize").

When Microsoft can manage to annoy even slavish users like that by breaking backwards compatibility, MSFT has a problem. No doubt no VBA in Office isn't the last straw, but it isn't the first, either.

-jsq

January 11, 2008

Mastery and Secure Coding

Brooks extended:

Each thing we are trying to push for in secure coding these days requires mastery, Cardspace, static analysis, threat modeling, web service security, and friends are very deep individual domains, and when applied to an enterprise they get wide as well. Let me underline that - to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.

So what I have seen work well is using a decentralized, specialist team approach with a very specific agenda and goals. Note the team can be very small, 2 or 3 people even if they are empowered.

Go Wide and Deep, Incrementally, Gunnar Peterson, 1 Raindrop, 10 Jan 2008

Not only can't you make a late project on time by throwing people at it, you can't really make a project secure by throwing people at it.

-jsq

December 28, 2007

Cisco Open IOS

In quite a change from 2.5 years ago, when Cisco went to great lengths to try to prevent Michael Lynn from revealing details of Cisco's code, Cisco is opening its software:
Since its debut more than 20 years ago, IOS has largely been a closed, proprietary, tightly guarded jewel in Cisco's lockbox. But the company's ambitions to make the network the platform for all IT operations and become a software force are in turn forcing Cisco to give up a little in return – like making IOS more than just a platform for Cisco-developed services.

"It's a significant step forward for us," said Don Proctor, senior vice president of Cisco's newly formed Software Group, at last week's C-Scape 2007 analyst conference. "Software turns out to be a key way that we can do what [we've] been talking about for some time, which is link business architecture to technology architecture in a meaningful way."

Cisco opening up IOS, Looks to make software third-party friendly, Network World, 12/12/07

Wow, who could have imagined that technology architecture could be related to business architecture?


October 11, 2007

Linus on Schedulers vs. Security as Numbers vs. Opinions

Thus Spake Linus:

Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis.

Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.

So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel, by Linus Torvalds, kerneltrap.org, Monday, October 1, 2007 - 7:04 am

Linus Torvalds, inventor of Linux and thus originator of its associated industry, continues:


October 05, 2007

Bananas and Apples: Another Monoculture

Yes, we will have no bananas, again:

Most commercial growing facilities handle just a single banana type — the one we Americans slice into our morning cereal.

...

How much time is left for the Cavendish? Some scientists say five years; some say 10. Others hold out hope that it will be much longer. Aguilar has his own particular worst-case scenario, his own nightmare. "What happens," he says, with a very intent look, "is that Panama disease comes before we have a good replacement. What happens then," he says, nearly shuddering in the shade of a towering banana plant, "is that people change. To apples."

Can This Fruit Be Saved? By Dan Koeppel, popsci.com, June 2005

Cavendish is the variety of banana eaten the world around. "Quite possibly the world's perfect food," says Chiquita. But perfection comes with a price if it leads to monoculture. And that's what we've got with bananas: every commercial Cavendish banana tree is grown from cuttings of the original tree, and so is genetically identical. Banana monoculture has borne the fruit of disaster before.

Growers adopted a frenzied strategy of shifting crops to unused land, maintaining the supply of bananas to the public but at great financial and environmental expense — the tactic destroyed millions of acres of rainforest. By 1960, the major importers were nearly bankrupt, and the future of the fruit was in jeopardy. (Some of the shortages during that time entered the fabric of popular culture; the 1923 musical hit "Yes! We Have No Bananas" is said to have been written after songwriters Frank Silver and Irving Cohn were denied in an attempt to purchase their favorite fruit by a syntactically colorful, out-of-stock neighborhood grocer.) U.S. banana executives were hesitant to recognize the crisis facing the Gros Michel, according to John Soluri, a history professor at Carnegie Mellon University and author of Banana Cultures, an upcoming book on the fruit. "Many of them waited until the last minute."

Denial in the face of a clear and present ecological danger. We've seen this before.


September 18, 2007

What It Will Take to Win

IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepreneurs. This is what it will take for the white hats to win:
It can seem overwhelming for security people who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task especially if the security team does not have a prior working relationship with the development staff, and understand their environment.

...

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don't have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage, in many cases they really don't want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought and clearly articulated. You don't have to get the proverbial stardotstar, each and every developer on board to make positive improvements, it can be incremental. See some more specific ideas on phasing security in the SDLC here. In the meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

Secure Coding - Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

August 24, 2007

Non-Asymmetric Malware


Most exploits through the Internet have been relatively small guys (individuals, gangs, etc.) against big companies and governments. Yet they're already using botnets to leverage their activity. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn't clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don't. Now the bad guys can leverage the leverage of the Internet by also using local wireless connections to further interconnect.

Did we need more proof that there's no such thing as a perimeter to fortify anymore?

-jsq

August 21, 2007

Skype and Windows Update

So, Windows update: Skype outage cause or smokescreen?

Apparently both:

The disruption was caused by a routine Windows patch update distributed Tuesday that required users to restart their computers. When a large number of Skype subscribers began logging back in around the same time, the requests - combined with the day's traffic patterns - began overwhelming the system, revealing a bug in the software that normally helps the system allocate resources and "self heal."

"Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring," Skype spokesman Villu Arak said.

Skype reveals outage source, tells customers it won't happen again, Ryan Kim, San Francisco Chronicle Staff Writer, Tuesday, August 21, 2007

So we seem to have here a combination of hazards tripping each other.

This does raise the more general question of what other bugs are synchronized Windows updates exercising? And how long before such a Windows update installs a vulnerability that immediately gets exploited? And how long before such updates themselves do cause massive outages? In software monoculture, Windows may be its own boll weevil.

-jsq
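As an added illustration (not from the original post, and not Skype's code or figures), here is a constructed simulation of the failure mode described above: every client reconnecting the second a forced reboot finishes, against a server model that thrashes once offered load passes a threshold, compared with clients that spread their first reconnect over a minute and back off with jitter after a rejection. The capacity, overload and degraded-throughput constants are assumptions chosen to make the effect visible.

```python
"""Constructed model of a post-reboot login storm (not Skype's code or numbers)."""
import random

CAPACITY = 50    # logins the server completes per second while healthy (assumed)
OVERLOAD = 100   # offered attempts/s above which the server starts thrashing (assumed)
DEGRADED = 5     # completions per second while thrashing (assumed)


def admitted(offered):
    """Server model: full capacity up to OVERLOAD attempts/s, then collapse."""
    if offered > OVERLOAD:
        return min(offered, DEGRADED)
    return min(offered, CAPACITY)


def simulate(n_clients, first_try, retry_after, seed=0, max_seconds=100_000):
    """Second-by-second simulation. first_try(rng) gives a client's initial reconnect
    time; retry_after(attempt, rng) its delay after a rejection.
    Returns (seconds until every client is logged in, peak offered load)."""
    rng = random.Random(seed)
    next_try = [first_try(rng) for _ in range(n_clients)]
    attempts = [0] * n_clients
    logged_in = [False] * n_clients
    remaining, peak = n_clients, 0
    for t in range(max_seconds):
        waiting = [i for i in range(n_clients) if not logged_in[i] and next_try[i] <= t]
        peak = max(peak, len(waiting))
        rng.shuffle(waiting)                      # no client is favoured
        n_ok = admitted(len(waiting))
        for i in waiting[:n_ok]:
            logged_in[i] = True
        remaining -= n_ok
        for i in waiting[n_ok:]:                  # rejected: schedule a retry
            attempts[i] += 1
            next_try[i] = t + retry_after(attempts[i], rng)
        if remaining == 0:
            return t + 1, peak
    raise RuntimeError("clients never drained")


def synchronized_storm(n=1000):
    """Everyone reboots together and retries every second: the outage scenario."""
    return simulate(n, first_try=lambda rng: 0.0, retry_after=lambda k, rng: 1.0)


def jittered_restart(n=1000, spread=60.0):
    """Clients spread their first reconnect over `spread` seconds and, if
    rejected, back off exponentially with jitter."""
    return simulate(n, first_try=lambda rng: rng.uniform(0, spread),
                    retry_after=lambda k, rng: rng.uniform(0, 2.0 ** k))
```

With these constants the synchronized case keeps the server in its degraded mode for three minutes, while the jittered clients never push offered load past the healthy capacity and are all logged in within about a minute.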

July 16, 2007

European Firefox

Here's some good news. Firefox market share in Europe is almost 28% according to XitiMonitor. In Germany it's 38%, and several other countries have higher usage. Opera is at 3.5% and Safari is at 1.7% in Europe.

I'd be more pleased if it were a quarter each by three different browsers, with half a dozen others taking the other quarter, but this is much better diversity than 98% IE.

-jsq
