31 Jan 2005: Windows Update
I don't often boot into Windows, so when I do, I always go to WindowsUpdate first. Last week, I got this screen displayed: 3 items, all described as:
A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
What on earth is this supposed to tell me?! Well, it does admit that three new ways have
been found to remotely exploit a Windows machine since I last ran WindowsUpdate, I suppose.
I have no idea how likely I am to be affected by these exploits (if any are actually in
the wild,) or whether I have already been affected by them since my last update.
There are "<read more>" links after each item, but - as I'm sure you already know, they
are so vague as to not answer any serious questions. To know how vulnerable my Windows
machine is at any given time, I have to watch external site, such as http://www.securityfocus.com/, or even http://www.theregister.co.uk/.
If Microsoft want to appear even vaguely credible, the first step would be to give informative
explanations of new vulnerabilites found - with information on how they can affect end-users,
how the problem happened in the first place, and what has been done to fix, not just this
problem, but the possibility of related problems coming up again.
I accept that in the case of buffer overflows, it's almost impossible to guarantee that
no future C code will contain a buffer overflow, but most of Windows' problems are not
so fundamental - they tend to be the result of poor design choices. Until this attitude
is corrected, it seems that Windows users will continue to get such uninformative messages
about critical flaws in a system they paid a lot of money for.
20 Jan 2005: Education, Education, Education
A recent osnews.com story, The State of Windows Security, gives a brief summary of the historical differences between Microsoft OSes and UNIX-based OSes - that Personal Computers assume a single user, with full control of the machine, whereas UNIX systems have always had user privilege seperation. This isn't anything terribly new or exciting, but it is worth saying from time to time.
What this student gets wrong, though, is what most "security professionals" also get wrong. The answer is not in educating end-users. There are too many Windows users who do not know, or care, how their use of their PC affects the rest of the internet. If their PC is turned into a spambot, so what? If it's used for
DDoS attacks, the attitude is "what's that? who cares? I can still edit my
documents." Educating users is an endless task - a target even more futile
than securing Windows itself. The answer cannot be to educate every user.
If a certain toaster killed users because of a design flaw, nobody would
be calling out for user-education - the toaster must be recalled and not
resold until the flaw was fixed. We are not talking about life-and-death,
in most cases, we're dealing with spam, DDoS, spyware, adware, safe launching
spots for crack attacks, and wasted bandwidth. Broadband routers can play a
part; ISPs can play a part (so long as there is room for unrestricted ISPs,
why not have a market of ISPs who explicitly block as many ports as possible -
ICMP/*, UDP/* (except 53), TCP/20,21,23,80,90,135,137,443,etc, etc) - let AOL
sell a deliberately-limited internet experience for unknowledgeable users;
those of us who need those ports, also have the ability to find the ISPs who
provide them.)
The blocking ISPs can charge a premium for their alleged safety; the unblocking
ISPs can charge a premium for their openness.
Long-term, it would be nice if the OS bar were raised - Windows is out there on its own for security, being hackable in minutes, where Solaris can take weeks, and Linux can take months to compromise, according to a recent study.
There's no point having a NetBSD approach of "block everything by default" - we
need such systems, but it isn't the bar for a typical system. A few open
services, properly secured, surely it's not too much to ask for, from Microsoft,
Sun, Linux, et al.
19 Jan 2005: Traffic Laws
(discuss)
It's about time for a rant about the policing of traffic in the UK. We all know the standard blurb, but I thought I'd elucidate some of the finer points, for my own entertainment if nothing else.
Part One: We have the 70mph speed limit on motorways. All of my motoring convictions have been gained
on motorways, all for speeds under 90mph, and all in cars built in 1996 or later.
Pretty modern cars, in other words - all with ABS, decent brakes, and power steering. Perfectly capable of
stopping, and/or steering around obstacles in a better time than the Highway Code allows for.
The 70mph speed limit was introduced in 1965 as a temporary limit - the same year that indicators and brake lights were made compulsory.
The 70mph limit was made permanent in 1978, and apparently has not been reviewed since.
There are stories about car and tyre manufacturers using the M1 as a test-track, but I can't quickly find
such a mention on t'internet. The 1965 date is enough for these purposes, anyway.
The BBC programme, Top Gear, in 2004, tested
various 1970s rally cars versus their 2004 road-legal equivalents - the Ford Escort rally winner against
the Ford Focus, etc. The road car beat the 1970s rally car every time.
Since these laws were written when rally cars would still (5-10 years later) be worse than modern road-cars,
they make some rather obsolete assumptions.
My first car was a C Reg, 1985 VW Polo - she was called Veronica. I loved her, despite - and because of - her
many flaws. The 1965 laws seem perfectly appliccable to this 1985 car - stopping from 70mph in the rain
on the motorway was an interesting experience when you find a standstill ahead. I kept Veronica, even when
I got a company car; when I traded Veronica in for a "real" car, I drove a company car (R-reg, 1996 Honda
Accord 2.0iSE). I was amazed that the same laws applied, whichever car I drove.
The laws of physics do not apply to these cars in the same way - apart from ABS and other features already
mentioned, tyre width and tread have a huge effect on the safety of a car (I'm still, and only, talking
about avoiding collisions - modern HGVs, uh, I mean MPVs, are a fearful thing to be hit by, as a pedestrian,
and should only be driven by those who can prove a need for a bonnet at a height over 2 feet from the road).
So, if the same 1965 laws apply to my 1985 VW Polo, as to my 2003 Ford Mondeo, does this mean that technology
has not improved? No. The laws of Physics remain the same, and a modern car still takes a certain distance,
and a certain amount of time, to stop. The distance (and time) are much lower, and the avoidance abilities
are improved thanks to ABS.
For the sake of balance, it must be acknowledged that traffic has increased since 1965, but this doesn't
really deal with the fact that the 70mph limit was set when 70mph was beyond the reach of most cars - 130mph
is within the reach of even the smallest cars now, and the cars are designed to deal safely with these speeds,
otherwise they would not be allowed on the roads.
I'm not saying that I want to drive everywhere at 130mph; in most circumstances, it is inappropriate to
exceed 100mph, because of road and/or traffic conditions. I am saying that it is wrong to ban a driver
for occasionally exceeding 90mph in a modern car. Get caught doing 80mph on a motorway more than once
a year, and wave goodbye to your driving license. This is not how a sane society operates.
The DoT have a new campaign, based on how changing your speed from 40mph to 30mph affects a child running into the road - emotive stuff, I'm sure, but I'm talking about motorways, and modern cars. THINK!'s previous TV advert invovled
an old car, clearly lacking ABS, using front-wheel brakes, in a 30mph situation.
I am all in favour of 30mph laws on 30mph roads.
The low-speed limits I have no problem with. I have three problems with current driving laws:
- Maximum speed limit of 70mph, regardless of conditions
- No Minimum speed on any road; no way to force a slower vehicle to pull over, allowing faster vehicles to pass
- Cameras reduce the number of traffic police on the road; There is a great need for traffic police to penalise poor driving standards
There are automated and manned cameras across the country, identifying cars which exceeed the speed limit,
even in areas (such as the A523) where the speed limit is (apparently randomly) varied in what can only
appear to be an attempt to trap motorists. As far as I am aware, there are no cameras on any roundabouts,
T-Junctions, lane-mergers, or other "awkward" situations, where bad driving commonly occurs - well, there
are cameras, but they do not automatically issue penalties to violaters, they are only used for monitoring
traffic flow. There is no penalty for hogging the middle (or outside) lane of a motorway.
There is no minimum speed limit on any road in the UK. (correction: Apparently this sign is displayed on the Mersey Tunnel. It's hardly a major route, such as the M1, M6, or M74, though.)
Accidents are often blamed on speed; slow drivers (who tend to be oblivious to the conditions around them -
I'm not talking about HGV drivers here, who, as professional drivers, are aware of the situation, but old
Fred and Mary out for a country drive at 25mph on a 60mph A-Road) cause many accidents due to their low
speed; frustrating drivers into taking risks, simply in order to drive down the road at the speed they are
legally entitlted to drive at. The risk would not be necessary if Fred had the ability to drive at the
appropriate speed. Fred got his license in 1964, and is still allowed to drive on the roads today, with
no re-test, even though the roads of 1964 bear no resemblance to the roads of 2005. I want little old Fred,
even if he is my own Grandfather, to be pulled over, questioned, and forced to retake his test. In fact, I believe that every
driver should have to take a driving test every 3 years, regardless of age (but every year after 60 years of
age). Like the National ID Card fans, I'll pull out the "If you've nothing to hide, you've nothing to worry about"
card at this point.
London has the Red-Route scheme, which spreads quite wide out of the City centre; I'm not sure this is a great
solution, but marking major routes around the country with a minimum speed (allowing for certain vehicles,
such as HGVs uphill, tractors, milk-floats, etc) so the A523, with a 60mph limit, being through open country,
have a minimum speed limit of 40mph, and cameras spotting violaters (who have the opportunity to defend their
speed as reasonable, such as "sheep in the road", etc) and adding points to the driver's license, would be a
far better scheme to get the UK road network running properly.
Yes, we need to THINK! about speed, but
we also need to think about general awareness, which is what this country is really missing. Driving my
1985 VW Polo at 60mph on a motorway was a greater risk than driving my 2003 Mondeo at 50mph on the
nearest A-Road I get the opportunity. Driving it at 70mph was a far greater risk, to myself and to others,
than driving a modern car at 100mph.
14 Jan 2005: Chain Reaction
New BBC Radio 4 series: Chain Reaction (Real Audio). The feed will change each Thursday; Matt Lucas was interviewed last week, so this week he interviews Johnny Vegas. Next week, Johnny Vegas will interview someone else, etc ...06 Jan 2005: RMS Interview
(discuss)kerneltrap.org has a very interesting interview with Richard Stallman.
03 Jan 2005: MPAA vs LokiTorrent
(discuss)The MPAA are suing LokiTorrent. SuprNova.org have backed down, presumably due to similar threats.
LokiTorrent have raised over $31,000 in a few days for their legal fund. Let's not forget that the Indian Ocean tsunami occurred only 8 days ago, with 150,000 believed dead. Where do peoples' priorities lie?
Admittedly, that's an easy target - I've also spent money on food and drink since 26 Dec, and there are many worthwhile causes which still need continued support alongside the Tsunami cleanup, but - really - the need to download free movies? That is petty, self-interested and, quite frankly, abhorrent. Even without the current situation, how about spending those $30k on the films you downloaded, thus avoiding the entire scenario?
Back to the story,
I believe that both LokiTorrent and SuprNova are being stupid.
We could go on about the "links-to-links-to-links" stuff, the 2600 stuff from the DeCSS case, but
really - both LokiTorrent and SuprNova have offered direct ways to illegally download films, music, etc - as well as all the
legitimate uses of BitTorrent, such as downloading Mandrake CDs, which I did only a few days ago.
LokiTorrent surely make a decent amount of cash from the advertisements, being such a high-volume site.
They appear to be able to afford the time to classify each torrent into one of about 20 categories,
many of which (eg, "Apps - PC", "Music - Album") are more likely to be illegal than legal.
This isn't like the KaZaa, old-Napster stuff, where the organisers have no control over the content - that's
Bram Stoker's credible argument. LokiTorrent and their ilk are sorting and classifying torrents by their content,
and (presumably) profiting from it.
I believe that SuprNova.org could have stood up to the MPAA, by agreeing to remove any torrents which the MPAA (at the MPAA's
expense) can prove are illegal. I believe that LokiTorrent should do the same.
It would hit their traffic (and, therefore, their profits), if the sites were known to only contain legitimate torrents.
How can we claim that this would be a Bad Thing? If they are legit, then all is fine. If they are profiting from
fencing illegal files, they are criminals.
This is not about little Johnny downloading a single which would cost him £4.99 (!) in the shops, this is about the
criminals who are giving it to him.
There is a grey area, because LokiTorrent can't be assumed to somehow magically know what content is protected by copyright
and what content is licensed as Public Domain, GPL, BSD, etc. Even if they set up a huge operation to validate each torrent,
there would be failures. That is why I say that the solution must be that the MPAA (and anyone else with a gripe) must prove,
at their own expense, that they hold the copyright for any specific file being made available via such a website. Once proven,
a credible website must remove the torrent.
Job done. Everybody above-board. Any non-criminals with a complaint?
