Fred Avolio's Musings

musings on security and other topics topics archives
Sun Mon Tue Wed Thu Fri Sat
most recent headlines other links, other blogs  

Sat, 27 Sep 2003
Buried in Swen!

I was getting buried in e-mail. With every download came new e-mail carrying the “Swen” worm (aka “Gibe” and “Worm.Automat”). Some variants contained HTML to look like a Microsoft web page. Each one carried a PC-executable program. At its peak, my email server was hit with about 200 messages a day. (I had over 300 when I checked my e-mail after being without power fo4 18 hours courtesy of tropical storm Isabel.)

I stopped it by disallowing executable attachments at my e-mail gateway. In other words we changed our security policy. It brought the deluge to a steady trickle. I continued to get e-mail to my address at my ISP: I only used that on Earthlink newsgroups, but once is enough. (I fearlessly post the address here as it is no longer valid.)

A policy that rejects e-mail carrying .exe (and other executables) may seem drastic, but it was just the ticket for me. You night consider it. There are other ways to transfer executable files. And if you reject such e-mail, you greatly reduce your risk.

Comment on this.
[/e-mail/] permanent link

Wed, 24 Sep 2003
Safety vs. Security
Comments on 15Sep03 “CRYPTO-GRAM”

I always enjoy getting Bruce Schneier’s “CRYPTO-GRAM.” This month’s issue, at, has an interesting discussion about “Accidents and Security Incidents.” He quotes computer-security researcher Ross Anderson’s describing the difference as “Murphy vs. Satan.” (This is why I almost put this under “theology”. I would have if he described it as “Our sin nature and Satan”: sometimes it’s the devil and sometimes I don’t need his help to screw up. :-))

Bruce give some examples, including: “Safety: Knives are accidentally left in airplane carry-on luggage and can be spotted by airport X-ray machines. Security: An attacker tries to sneak through a knife made of a material hard to detect with an X-ray machine, and then deliberately positions it in her luggage to make it even harder to detect with the X-ray machine.” Check it out at the URL above and if you like it, subscribe.

I mentioned this same tension in one of my NetSec Letters (here) — someone thought this would make a good marketing line: “Just because you feel safe, doesn’t mean that you’re secure.”

Comment on this.
[/security/] permanent link

Domain Redirect Fuss

It’s been in the news. Maybe you’ve read it. It’s been the topic of various Internet mailing lists. Maybe you wonder “What’s all the fuss?” Let’s look at it allegorically.

What if the technology existed for someone to intercept all telephone calls in an exchange not owned by anyone else? My phone number is 410-309-6910 (6911 is fax). Suppose no one actually owns 6912 and 6919. If someone misdials my number they’ll get someone else. Maybe that someone will have a recording that says simply “Press ‘1’ to send a fax. Press ‘2’ to talk to an attendant.” What is the harm? Faxes meant for me could be easily misdirected. Calls intended for me could be answered by someone who might redirect business to a competitor. I lose the potential client. The potential client loses me. Maybe.

Check it out. Click on (Note, “com” is misspelled.) You get an error. Now, Click on My domain name is misspelled. But Verisign “owns” .com, and so helpfully intercepts it. Not as bad as instead of (And I purposely do not include the links… the “.com” address is a porn site.) It even suggests you may have meant my site. So, what’s the fuss?

The main problem – from a security perspective, anyway – is that DNS information (the Domain Name System, among other services, translates to its actual IP address, for example) is expected to be accurate. E-mail servers, such as mine, depend on getting a response of “no such name” to make antispam decisions. Again, think of the above telephone allegory. E-mail directed to me should get to me. E-mail directed to should, for now, bounce. What if someone claimed to be the mail server for “*.com?” That is effectively what Verisign is doing for .com and .net.

DNS depends on correct DNS responses, not responses geared to make the life of web surfers easier.

Comment on this.
[/security/] permanent link

Mon, 22 Sep 2003
I’ve been drinking martinis off and on ever since Ken –2 doors down from me in the dorm (1973) – introduced me to them. For some reason, I recall he liked a “dirty martini,” with a bit of the olive brine added. I didn’t know back then its name nor that Franklin Delano Roosevelt drank his in that fashion.

There’s something clean and warming about a martini. It’s been my drink ever since then. Oh, and one makes a martini with gin. A martini has gin. I’d have asked for a vodka martini if that’s what I’d wanted.

Comment on this.
[/misc/] permanent link

Sat, 20 Sep 2003
Sovereignty and Providence

A friend, Jim, called from the tarmac at Dallas-Fort Worth Airport. No “hello,” just a “What is the difference between God’s sovereignty and God’s providence.” I recognized his voice. He was thinking about this because of a comment Dr. R. C. Sproul had made on Renewing Your Mind . Well, I knew there was a difference, but I was busy preparing for hurricane Isabel, so I told him I’d get back to him. Let’s first look some quotes.

Sproul, Chosen By God, p24, “When we speak of divine sovereignty, we are speaking abolut God’s authority and about God’s power. As sovereign, God is the supreme authority of heaven and earth. … All other forms of authority exist by God’s command or by God’s permission.

Sproul, The Invisible Hand, p15, “providence” describes the activity of God. P16, “…refers to God’s provision for His people,” P17, “He looks after human affairs … He not only watches us, He watches over us.

Westminster Confession of Faith, V/1, “God the great Creator of all things does uphold, direct, dispose, and govern all creatures, actions, and things, from the greatest even to the least, by His most wise and holy providence, according to His infallible foreknowledge, and the free and immutable counsel of His own will, to the praise of the glory of His wisdom, power, justice, goodness, and mercy.”

So, in short, God is sovereign over all. And one way that He exercises His sovereignty is through His providence, being directly and immediately involved in our affairs for His own glory.

Comment on this.
[/theology/] permanent link

Control of your e-mail
I used to configure and run an e-mail gateway for a large company, then taught on it, and now–sometimes–do e-mail configurations as part of my consulting business. I am the system administrator and postmaster for I teach a course on anti-spam techniques and have tested e-mail firewalls for Information Security Magazine. All to say, I have many reasons to be interested in anti-spam techniques. I recently wrote about how I fight spam. But this week I talked to a company that deserves a mention.

Secluda has an interesting way of dealing with spam with their “InboxMaster.” They do not even attempt to guess if something is spam or ham. They just ask the question, “Have you ever sent e-mail to this address before, or have you received and accepted e-mail from the i address?” After a “learning period,” every e-mail is checked against this question. The user and administrator had many options, but I will briefly describe the way I would use it. All e-mail from addresses that have written to me before or to whom I have written, gets delivered. A few times a day I would get an email with a list of the messages that have been held pending action. I scan the list looking for legitimate e-mail and tag them to be sent (and, perhaps, tag the address as “trusted”). I can also tag the address as one to always reject.

I think it is worth a look. So much so, that I am going to get a test copy to try out on my e-mail gateway and review. I”ll let you know.

Comment on this.
[/e-mail/] permanent link

Thu, 18 Sep 2003
Selecting a weblogging program

Twice now, I have started to look into starting a web log. My friend, Dave Piscitello, of Core Competence started one. Like me, Dave likes to write. Like me, he doesn’t get as many opportunities as he would like.

Both times, I wrote down my requirements: 1, Dirt easy to set-up and update. 2. Runs on Linux. CHEAP (free). I asked some friends on a mailing list of which I am a member, the “hackers” list. (And that is the old use of the work in computer circles that has nothing to do with breaking into computer systems.) I wondered, “What is the hacker’s weblogger?”

I got two answers: Geeklog and blosxom. I chose blosxom because … well, it is elegant. It is a 444 line (with comments) Perl program. But, then life and work got in the way, and I laid it aside for a month. When I got back to it, I thought, “No this is too simple. Surely it won’t do everything I’d want.” So, I decided to install Geeklog. Oh, it needs MySql. Okay. Sure. Oh. Mysql needed something else. Oh, that thing needed another library installed.

I’m sure Geeklog is wonderful. It is a great big system that creates a whole web portal. But being a firm beliver in the security axiom, “Security and complexity are inversely proportional,” I gave up on it again, deinstalled MySql, etc. and went back and really, really looked at Blosxom. And, it is wonderful.

With that one Perl program and nothing else you have a fully functioning weblog. Add a few html files and you determine how fancy or plain your page will look. Add some small Perl “plug-ins” and you get a Google-aided search facility, “write-back” forms (not here… just e-mail me), and a host of other tools. With the help of Eric Davis and a lot of playing around one afternoon awaiting Hurricane Isabel, I had it up and running, requiring no extra software.

Anyway, it is wonderful, marvelous, terrific, and small and elegant. I;m still new to this. I don’t know how this RSS thing works or how one is supposed to use it. My friend, Dave, asked to be added to my digest list, but I have no clue how “Blosxomers” do that. But, I’m off and blogging.

Comment on this.
[/misc/] permanent link