As I sat in the United 757 at O’Hare, waiting for the consummation of our delayed take-off,
I glanced across the aisle and read the headline in a fellow passenger’s
Chicago Sun-Times: “Gates Promises More Windows Security.” Yes, it was yesterday’s
newspaper (28 October 2003). I have no witty or provocative thought for this.
“Longhorn is billed as the biggest operating system upgrade since Windows 95 by
Microsoft, whose software runs more than 90 percent of the world’s desktop computers.”
Then later in the article,
“Microsoft plans to add peer-to-peer networking technologies to let
co-workers, for example, send documents to each other that they can jointly
view and annotate.”
Doesn’t that send shivers of fear up your spine? Really. The full text is at
http://www.sun-times.com/output/tech/cst-fin-emain28.html
I just got this week’s issue of “Web Informant”
(http://strom.com/awards/347.html)
from David Strom.
Its title is “Coming to an office near you,” which reports on the Microsoft
Office System 2003 launch show.
I read the whole column with interest, and found that certain phrases
jumped out at me:
came on over a dozen CDs … many of the bravest souls using
this software actually put it into production …
the sheer complexity surrounding the
number of different versions of Office a …
Microsoft is extending the notion of what desktop software is, and with
Office 2003 we have applications that can reach out across the Internet
for online help, for data via Web services, for document repositories
and collaboration via SharePoint, for project management and scheduling
information via Project Server, for workflow information via BizTalk,
and for automatically filling out forms via InfoPath.
Office 2003 is a huge collection of stuff …
Cool. New, exciting features. Things that every one of our users will want.
Seamlessly — it doesn’t say that, but what else is there with Microsoft? —
connecting your desktop to all sorts of network.
Yes, I exaggerate. But, in the security/feature wars, Microsoft is on the side of
our users, not on the side of security. Newer, bigger, better. How well
has it been tested? As I’ve mentioned in a blog
(here) before,
I use Windows software too. But I also got an e-mail from Microsoft
today, starting off,
“Included in this advisory are updates for five recently discovered
vulnerabilities in Microsoft Windows.”
So, perhaps I am in a less than hopeful mood.
Book Review: The Myth of Homeland Security by Marcus Ranum
This is a review I posted to Amazon.com
Ranum’s book is engaging, unsettling, entertaining, and disturbing. Yet, I
think it is an accurate assessment of the morass that is “homeland
security.” MJR may not make any friends in the FBI, INS, or DHS, but as he
turns his keen analytical mind towards security issues broader than an area
for which he is world-renowned — computer and network security — he brings
clarity to this seemingly unfathomable topic.
Many security practitioners have recognized the “when you don’t know what to
do, do something” aspect of some homeland security initiatives. Ranum
identifies the agencies and actions that shape homeland security, and makes
suggestions for change. Warning: Not everything is fixable, and he makes
that clear also. But the beginning of any solution is to first recognize the
real problems — the real risks. The next step is to assess what you are
already doing. The third is to toss out what is not working, reform what is
marginal, and implement what is missing. In this book, Ranum suggests
solutions.
The security of the US homeland, and all that it entails, affects Americans,
certainly, as well as the whole world. Mr. Ranum is a skilled writer and
instructor. Never satisfied to merely lecture, he endeavors to “cause one to
learn.” Though he is famous in a highly technical field, the “techie” as
well as the “artsy” will be able to read this book, as Ranum makes the
subject matter accessible and — although the subject matter is “life and
death” — enjoyable.
Recently, Internet Security Systems, Inc. (www.iss.net)
announced “Proventia”, an “All-in-One” security device. (See their press release
at ugly URL
http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?oid=22929.)
It is supposed to do away with the need for firewalls, antivirus, content filtering,
anti-spam, and IDS.
Their press release quotes their chairman, president,
and CEO Tom Noonan as saying, “Today marks the end of an era in stand-alone
security technologies. Internet Security Systems’ Proventia products will revolutionize
information security, delivering complete, cost-effective protection and simplicity.”
What, the end of another era?
Well. First off, I kind of like stand-alone security devices. Single-purpose machines are
easier to trust than multi-purpose machines. It’s the old “security/complexity”
teeter-totter. (See
www.avolio.com/papers/axioms.html.) A few years ago what was the first Internet
firewall to have a CERT alert posted against it? Okay, right, it was Firewall-1, but
a few months later CERT issued CA-2001-25 reporting
“Buffer Overflow in Gauntlet Firewall allows intruders to execute arbitrary code.”
This happened — as far as I can tell — when Network Associates started making
Gauntlet more complex. The problem was a buffer overflow in a stub program to
allow the use of “Cyber Patrol” URL screening. It was not a bug in the Cyber Patrol code.
It was in the module added to allow the hooks for Cyber Patrol.
My point is the more complex, the more likely of introducing a bug. In a security
device, it will likely be a security-related bug. I don’t like large,
multipurpose security devices. They scare me and they should scare you.
The press release goes on to say, “Proventia unifies firewall, virtual private network
(VPN), anti-virus, intrusion detection and prevention into one engine, under
one management system, to protect at the network and the gateway.
In the future, Proventia will add application protection, content filtering and
anti-spam functionality to the unified engine.” Yipes. Complex, no? But then it says,
“Proventia’s simplified protection for every layer of business infrastructure
eliminates the complexity associated with today’s legacy security products.”
So, here’s what it looks like. This is a very complex system doing only loosely-related
things. All of these functions will be managed from one management console.
This may provide “maximum security” that is “simple” as well as being “cost
effective,” but I’d want to be convinced. What do those terms mean to you? To them?
Do you trust them to be able to put all of those things together into one “easy to
use” system? If you are taking an “all-in-one” approach, you’d better trust everything
under the hood.
I needed a second system on which to build a second web site and e-mail server. I decided
on a computer from Wal-Mart. Why? It was $200. I had my choice of one without an operating
system and one with Lycoris — a Linux system. Same price. Even though I plan on tossing the O/S,
and installing Red Hat, I chose Lycoris. I was intrigued with the idea of an
inexpensive system that Mom and Pop could use.
General observations
I’m fairly impressed. The set-up is very easy. Wizard-driven, it asks you for all the usual things.
The system automatically detected the network and received an IP address, DNS information, etc.
It has a “Windows-like” interface. I write that as if that is the standard. Well, unfortunately, it is.
I tried to think like a novice (ignoring the command line prompt that I knew would get me a
Linux shell prompt, for example).
The demo explained that there are “virtual desktops” (3 automatically set up). I wondered if
the typical home user will know what that means. But, then, it doesn’t hurt not to use them.
There they are at the bottom of the screen. The average user will leave them alone. The more
inquisitive user will figure out what they are through trial.
I clicked on the Network Browser and got Mozilla. I had to configure it — that may or may not
be easy for a new user — and I had Internet access. I was able to browse and play streaming
media. But only after I allowed pop-ups from the sites that used pop-ups for playing streaming
content. I suspect a beginner would have stumbled on that.
Mozilla e-mail also worked without problems.
The windowing system is X11, and it comes with some fairly standard X11 tools you would expect
to find on any Linux system. It uses KDE for the window manager. The system comes standard
with KWord and KPresenter, as well as Kedit, an FTP client, numerous photo tools, audio
players, etc.
(I wrote this on the Lycoris system using Kedit and then FTP’ed it over to my Linux system.)
For $50 one can purchase a “productivity pack” to add compatibility with Excel, PowerPoint,
and Word (Microsoft Office).
Print set-up was easy and also didn’t work. No joy at all with my network-accessible Epson C80.
No Linux driver on the system. Yes I can find one and try to get it to work. No, I cannot imagine
my grandmother going to a store and asking for a printer that came with a driver for Linux. But,
this is a problem on Windows systems, albeit less of one now-a-days. Still, finding Hewlett-Packard,
and then selecting the printer model, and having it accept it, only to see that it thought it was
a PostScript printer (which resulted in 10 blank pages), leads me to think there are still some
usability issues needed to avoid frustration. But then, it was only $200.
Conclusions
All-in-all, I am impressed. My wife tells me that Consumer Reports gave a low
rating to this because of it being Linux. All that contributed code, depending on volunteers, etc.
You know.
I may see if I can keep this system around a while and install Red Hat in another partition.
Is an inexpensive Linux system like Lycoris a viable alternative? It depends. For someone who
has used Windows systems on the Internet for years, probably not. For someone new to
the Internet, the answer is “possibly,” with this caveat: while there is a lot of software available for
Linux systems, there are much fewer solutions that will meet the availability and installability
needs of the novice user. Linux desktops for the masses are where Apple systems were a few years
back. “Is there a version for the Mac?” But, if the user is only going to surf, do e-mail, and
(perhaps) print, this might be a cheap alternative to a Windows desktop.
In one of my
first blogs,
I discussed how and why I decided on using blosxom. I mentioned
I did not yet know how to set up a digest mailing as a friend has.
I wanted something that people could subscribe and unsubscribe to,
and that would show the headlines of all items posted in the last month.
I do not (yet) know Perl, but I do know how to write shell scripts
using grep, sed, awk, etc.
I now have a digest script that runs once a month.
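The monthly headline digest described above, as an added shell example that is not the post’s own script. It assumes blosxom’s default layout (one *.txt file per post, first line is the title, file mtime is the post date) and builds its own constructed sample directory so it runs stand-alone:

```shell
#!/bin/sh
# Added example, not the post's own script: list the headlines of every
# blosxom post written in the last month, ready to be piped into a mailer.
# Assumes blosxom's default layout: each post is a *.txt file under the data
# directory, its first line is the title, and its date is the file's mtime.

# Print "relative-path: title" for every post modified in the last N days
# (default 31), sorted by path. Control characters are stripped from the
# title so a stray post cannot inject a raw newline into the digest body.
digest_headlines() {
    datadir=$1
    days=${2:-31}
    find "$datadir" -type f -name '*.txt' -mtime "-$days" |
    sort |
    while IFS= read -r f; do
        title=$(head -n 1 "$f" | tr -d '[:cntrl:]')
        printf '%s: %s\n' "${f#"$datadir"/}" "$title"
    done
}

# Number of posts that would appear in the digest.
digest_count() {
    digest_headlines "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data directory standing in for a real blosxom datadir.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/reviews"
printf 'Gates Promises More Windows Security\nbody...\n' > "$SAMPLE/windows.txt"
printf 'Book Review: The Myth of Homeland Security\nbody...\n' > "$SAMPLE/reviews/ranum.txt"
printf 'An old entry that must not appear\nbody...\n' > "$SAMPLE/old.txt"
touch -t 200301010000 "$SAMPLE/old.txt"   # dated well outside the window

digest_headlines "$SAMPLE"
```

Pipe the output of digest_headlines into whatever mailer the subscriber list is fed to; the subscribe/unsubscribe side is just a file of addresses that the monthly cron job loops over.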
A quick follow-up to the original
mention,
ICANN gave Verisign until Saturday at 6PM PDT to take down their “SiteFinder”
“service.” You can (probably) find one of many news items on this at
this really long URL.
In the “Arts & Society” section of Sunday’s Baltimore Sun (28Sep2003),
Larry Williams reviewed the book Risk: A Practical Guide for
Deciding What’s Really Safe and What’s Really Dangerous in the
World Around You by David Ropeik and George Gray (ISBN: 0618143726).
(For as long as the link is around, check it out
here.)
It is now on my “must read” list. Sounds fascinating and relevant,
especially for those of us who deal with assessing risk.
(I will review it here when I do read it.)
According to Williams, Ropeik “believes we go astray by using common sense
to decide what to worry about. The problem is that common sense isn’t
based on a rational analysis of the facts but rather subconscious feelings.” Ropeik’s
suggestion? Statistics.
Some people are still scared to fly, right? But, they drive all over town, or take
driving vacations instead of flying somewhere. Everyone reading this knows that
you are safer in a plane than in a car. And the likelihood of death by terrorist
attack is … well, I have to read the book. But it’s really small. We talk about these
things when we discuss network and computer security and risk.
An interesting-sounding book Williams also reviews is Peter Bernstein’s
Against The Gods: The Remarkable Story of Risk (ISBN: 0471295639).
Williams writes, “Bernstein explains how mathematicians
transformed probability theory from a gamblers’ toy into a
powerful instrument for organizing, interpreting and
applying information.” I’ve added that to my “shopping cart” as well.
The problem with doing it at Amazon is… Amazon’s web site keeps suggesting
other books.
So, I see Fooled by Randomness: The Hidden Role of Chance in the
Markets and in Life by Nassim Nicholas Taleb. And that leads me to think of
RC Sproul’s The Invisible Hand (ISBN: 0849912075). It’s about Providence.
But, now I am getting far afield. Or am I?