January 27, 2004

The pointless existence of anti-virus software

The situation is clearly getting out of hand: it is barely the end of the first month of 2004 and a new mega-virus hits the Internet.

It is becoming one huge joke: a new virus is unleashed, thousands of systems are infected, anti-virus software companies scramble to produce a signature and then tell you in their virus encyclopaedia that you should always have the latest set of signatures.

What about all the systems which were infected before the anti-virus companies produced a signature?

This is where the whole castle collapses in one fell swoop. The business model is shrewd: get users to pay for an "update" service which most of the time is reactive and late. A few lucky users, the ones who use their machines once in a while, escape unscathed from the virii while the others end up shaking their heads muttering "if only I had updated the signatures...".

It is pretty obvious really: the anti-virus companies cannot produce a signature before seeing the virus in action. By the time the virus is "in action" it has often spread far and wide. Take Sobig.F or indeed Mydoom: if the anti-virus software was doing its job it wouldn't have spread so far and so deadly.
All that remains is the insult of being told that to stop the virus you need a certain revision of the anti-virus signatures which simply wasn't available when you got hit, even if you were to attempt an update every 10 minutes.

Why don't users demand better? Why do they still accept software which will happily execute an attachment "no questions asked"? In an era when you can't bring on board a plane anything that remotely resembles a blade, we have people continuing to accept dangerous attachments as if nothing had ever happened before, including people who have already been hit by virii!

Wouldn't it be the anti-virus software's job to stop the execution of these attachments outright, perhaps mentioning that it isn't normal for a document to be called "document.doc.exe"?

It would but unfortunately there would then be little incentive to keep updating the signatures and finance the business model of the anti-virus companies...
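The "document.doc.exe" check mentioned above, as an added example that is not part of the original post: a small classifier that flags an attachment whose real (last) extension is executable but which is disguised with a document-like extension in front of it. The extension lists and the whitespace-padding case are my own assumptions, not anything the post specifies.

```python
import re

# Extensions Windows executes directly when the attachment is opened (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user reads as "just a document" (assumed list).
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "txt", "jpg", "gif", "zip"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'warn' or 'allow' for an attachment file name.

    'block' : an executable disguised with a document-like extension,
              e.g. document.doc.exe, the case the post mentions
    'warn'  : a bare executable with no disguise, e.g. setup.exe
    'allow' : anything else
    """
    name = filename.strip().lower()
    # Collapse whitespace runs used to push the real extension out of view
    # in a narrow mail client, e.g. "report.doc            .exe".
    name = re.sub(r"\s+", "", name)
    parts = name.split(".")
    if len(parts) < 2:
        return "allow"
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return "allow"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "block"
    return "warn"


def triage(filenames: list[str]) -> dict[str, str]:
    """Classify a batch of constructed attachment names, keyed by name."""
    return {f: classify_attachment(f) for f in filenames}
```

The check needs no signature at all, which is the point of the paragraph above: it works against an attachment nobody has seen before.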

Posted by arrigo at 04:05 PM

January 22, 2004

Virus naming conventions deemed harmful

There must be something terribly wrong with 2004; perhaps it is the fact that it is a leap year.

Today a subject on the ISN mailing list caught my attention: "Bagle e-mail virus slows, fuels naming debate". The first half of the title is pretty self-explanatory but the second half had me wondering what the "naming debate" could possibly be. So I read on, and what a terrible idea that was.

The news comes from Reuters, a news agency renowned for its understanding of computing.

Quoting from the article gives an immediate feel for the depth of the issue being faced by anti-virus firms:

"Personally, I would have called it Beagle rather than Bagle, for the
sole purpose of avoiding all these support calls asking, 'Why did you
call it bagle?' " said Graham Cluley, a senior technology consultant
at Sophos PLC, a U.K.-based software firm specializing in virus and
spam detection.

I would have thought that the majority of support calls should have been: "why didn't your advanced heuristic analyser pick it up?". But no, this is not of concern, it is acceptable for the anti-virus software you pay for to be only useful if you are lucky enough to download the correct signature before being hit. The big issue is the name being given to the virus.

It is clearly heresy to suggest that anti-virus firms should organise themselves into the equivalent of CVE, forget about the naming issue and concentrate on trying to prevent unknown virii from entering computers. Everyone and his dog is able to detect a signature for something that has been seen before and block it; the real issue is what research is being done to try and stop unknown attacks from being successful (and no, "uninstalling Windows" is sadly not the correct answer).

Apparently not much or not as much as the work into names.

Posted by arrigo at 04:06 PM

January 21, 2004

More creative bank security

At times I really do wonder how my UK bank manages to be so creative with security.

They alternate between a rather good Internet banking service, an excellent card fraud department and a hopeless card issuing mechanism.

As a repeated victim of card cloning (that's when a copy of the card is made without you physically losing it) I am well acquainted with the fraud department of said bank. They are remarkably good and proactive: I often get phone calls or letters outlining transactions they would like me to check and confirm. These had already been authorised but clearly didn't quite match my "user profile", or had been declined, and they wanted to discuss them with me. I always take the time to ring them back when they send me a letter, confirm the transactions and thank them profusely for their efforts. As a matter of fact it would be marvellous if everyone did the same: when people feel gratitude for their work they put more effort into it, and in the case of card fraud it is the kind of effort one's pockets appreciate too.

The Internet banking service is not as stellar as ones using one-time pads but it offers passable security and a simple, clear interface.

Where they continue failing me is their physical card issuing service.

The first time my ATM card was cloned I received an identical card on which the only changes were the so-called "issue number" (incremented by one) and the expiration date, which was defined exactly as "re-issue month + 36 months". That's it. So if you had my previous card it wouldn't be rocket science to know what the new one would be like; in fact it would be trivial: just see when the old one stops working (that gives you the "re-issue month") and add 36 months. Guess what? That is exactly what happened. What is the solution to this? New bank account, totally different number, close the old one: the ideal solution to minimise your customer's distress.

I had thought that it was a "feature" of the ATM card until a problemette appeared with my credit card: the signature had become unreadable and, since the regulations mandate that you cannot re-sign your card, I asked for a new one to be issued. The new card is identical except for the expiry date, which is (no prizes for guessing) "re-issue date + 36 months".

Must be a habit... so instead of cutting the card up I burned it as I'd rather not discover more creative uses for rubbish rummaging, sellotape and card swipe readers.

Posted by arrigo at 12:40 AM

January 06, 2004

DeCSS and deranged reporting

I can sort of understand rather less-than-accurate reporting from "reliable" news sources such as Slashdot, but when Reuters and the BBC continue propagating RIAA and MPAA myths I get rather upset.

Why do journalists find CSS so difficult to understand? It is nothing other than an obfuscation mechanism (I find it hard to describe a 40-bit key as encryption these days) to ensure that only licensed DVD players can reproduce a "protected" DVD. These are the players which comply, amongst other things, with the mandatory "zoning" which, in theory, allows film studios to time the releases in the USA, Europe and Asia according to schedules of their liking.

What did this terrible DeCSS do? It allowed its author to view DVDs which he had bought on his Linux box by effectively cracking the codes of the Windows DVD player software he had and using those to decode the CSS information in an equivalent piece of Linux software. Without entering into the legalities of the matter the whole point of DeCSS was to be able to read DVDs in a "non MPAA sanctioned" DVD player.

What has the above got to do with "illegal copies"? Nothing whatsoever. A relative of mine has been working in the VHS (and now DVD) duplication industry for years and they know full well how pirate copies are made: a master is taken to a friendly duplication studio which then churns out thousands in the space of a day.
Do they "crack" CSS? Of course not! They make a bit-by-bit copy of the DVD, inclusive of all the CSS data, so much so that if they duplicate a zone 1 DVD it will only be usable on zoned DVD players which support zone 1.

Both the BBC and Reuters claim that DeCSS is instead used for copying DVDs illegally. It might well be the case but it is really a rather inefficient way of doing it: why read the DVD in the first place, decode it and then burn it again when you could just make a higher quality bit-for-bit copy of it?

Let us use an analogy: claiming that CSS protects the DVD from illegal copies is the same as claiming that an Arabic language newspaper is protected from being copied by a European on a photocopier by the fact that it is written in Arabic, as if not being able to read something precludes you from copying it. Alternatively the more literature-oriented might consider the idea that Joyce's Ulysses can only be copied if stream of consciousness literature is understood by the reader.

So the bottom line is that what the DeCSS author did is the equivalent of learning Arabic or completing a modern English literature course, which I am pretty confident is not necessary to operate a photocopy machine.

Posted by arrigo at 09:44 AM

January 05, 2004

Innovative uses of an already useful service

The WebMonster lets me know that there is now another very smart use of Netcraft's service.

How about using the archived information on millions of websites to improve security on the web instead of letting would-be baddies learn what operating system and webserver is being used by some MegaCorp? Netcraft has come up with an anti-phishing service.

The idea is simple: you pay them, they scour their archives for your trademark, company name, whatever, and report on their findings. The example uses Citicorp and of particular note is the fact that they have enough brains to mark sites carrying a copy of the phishing as "benign" instead of crying wolf.

Posted by arrigo at 04:30 PM

January 04, 2004

Fashionable Security

After a long delay due to various matters it is high time for an article on what I would term "fashionable security".

Like many others in the world I am a user of various Internet Banking services and I continuously compare and contrast the security measures between them. One service in particular struck me as being particularly well designed. What struck me though was the original version, not the latest fashionable incarnation.

The version which I found well-designed was based upon three-way authentication: username, password and one-time pad. You would enter your username and password (both secret) and then select the next four-digit number from the one-time pad. The pad contained 80 four-digit numbers and a new one would be automatically sent to you as you exhausted the current list.

The beauty of the above system is that you could use it in complete safety in unsafe locations (e.g. your PC at work) because at worst the attacker would have your username and password but would not be able to reproduce the next four-digit number in the sequence. All you needed to do was jot down the next couple of numbers from the one-time pad before going into work in the morning if you thought you needed to e-bank.
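The pad-based scheme described above, as an added example that is not the bank's own code: the server keeps the pad and an index of the next unused code, checks all three factors, and refuses a code once it has been used, which is why a shoulder-surfed (username, password, code) triple is worthless afterwards. The code generation, the class and the sample password are constructed for illustration.

```python
import secrets

PAD_SIZE = 80   # the pad in the text holds 80 four-digit numbers


def generate_pad(size: int = PAD_SIZE) -> list[str]:
    """Constructed stand-in for the pad the bank posts out: random four-digit codes."""
    return [f"{secrets.randbelow(10000):04d}" for _ in range(size)]


class OneTimePadAccount:
    """Server-side record for one customer: password, pad, and the next unused index."""

    def __init__(self, password: str, pad: list[str]) -> None:
        self.password = password
        self.pad = pad
        self.next_index = 0

    def codes_remaining(self) -> int:
        return len(self.pad) - self.next_index

    def login(self, password: str, code: str) -> bool:
        """Accept only the expected next code; a used code is never accepted again."""
        if self.codes_remaining() == 0:
            return False        # pad exhausted: a fresh pad must be issued first
        expected = self.pad[self.next_index]
        pw_ok = secrets.compare_digest(password.encode(), self.password.encode())
        code_ok = secrets.compare_digest(code.encode(), expected.encode())
        if not (pw_ok and code_ok):
            return False
        self.next_index += 1    # consume the code only on a successful login
        return True


def replay_demo() -> tuple[bool, bool]:
    """Legitimate login from the unsafe PC, then a replay of the same observed triple."""
    pad = generate_pad()
    acct = OneTimePadAccount("hunter2", pad)       # constructed sample password
    first = acct.login("hunter2", pad[0])
    replay = acct.login("hunter2", pad[0])         # what a shoulder-surfer replays
    return first, replay
```

Contrast this with the calculator scheme further down: there a stolen calculator plus the password reproduces every future response, so nothing is consumed and nothing expires.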

Then they decided that it simply wasn't "cool" enough for their high-profile clients and switched over to the new system.

This "new" system is based upon your username, password, a token calculator and an "e-banking card": you enter your username, then place the e-banking card into the calculator, unlock it with the password, type the challenge from the website into the calculator and enter the response as the authentication token on the website.

Sounds sexy, doesn't it? Pity that you now have to carry around a calculator and an e-banking card (which no doubt the vast majority of people leave in the obvious location: the token calculator) and the security of your account relies exclusively on your password. If your calculator is stolen after your password has been shoulder-surfed (along with your username) then your account is wide open.

So here you have an infinitely more fashionable gadget-based authentication which looks like RSA SecurID but isn't.

You now have to carry a bulky and eminently visible calculator (it is rather hard to disguise a calculator in a bag in comparison to four digit groups in a phonebook...) with a card which looks like an ATM card sticking out of it, just in case the opportunistic thief hadn't spotted the unique-looking calculator. The uneducated user thinks "wow, cool, a special calculator and a secret-agent procedure to get in" and the thief thinks "wow, thank you very much, no need to find the one-time pad now!".

Hence we have a perfect example of "fashionable security" or "how to reduce security by making it look sexy for users".

Posted by arrigo at 03:43 PM