Happy Birthday, WWW

April 30, 2013

Most readers are probably acquainted with at least the outline history of the World Wide Web [WWW], developed originally, beginning in 1989, by Sir Tim Berners-Lee and Robert Cailliau at the European nuclear research establishment, CERN (Organisation Européenne pour la Recherche Nucléaire).   At the time, the Internet was very much a new thing, and that first project was aimed at using hyper-text to make accessing scientific information easier.  (There were other search and indexing tools available, like Archie and Gopher, but none had really caught on in a big way.)  The new WWW was made accessible to the public via the Internet in August, 1991.

As an article at Ars Technica reminds us, it was twenty years ago today, on April 30, 1993, that CERN announced the conclusion of an internal debate, making the WWW technology freely available to anyone, putting three software packages in the public domain: a basic Web server, a basic client (a line mode browser), and a common library.  Quoting from the announcement:

CERN’s intention in this is to further compatibility,  common practices, and standards in networking and computer supported collaboration.

CERN has announced today that, in commemoration of that 1993 decision, it is starting a project to restore the world’s first website, which was hosted on Berners-Lee’s NeXT workstation, and explained how to use the new technology.   (A slightly later copy is available here.)  It also intends to restore related files and documents.

To mark the anniversary of the publication of the document that made web technology free for everyone to use, CERN is starting a project to restore the first website and to preserve the digital assets that are associated with the birth of the web. To learn more about the project and the first website, visit http://info.cern.ch

CERN also has a restoration project page.

Anti-Virus Updating

April 29, 2013

The folks over at the SANS Internet Storm Center have a recent diary entry on keeping anti-virus (AV) software up to date.  This kind of anti-malware protection typically tries to recognize “evil code” on the basis of a set of heuristics, or by recognizing bit patterns in the code itself (these are sometimes called “signatures”).  These elements, especially the signatures, need to be updated as new varieties of malware are created and discovered “in the wild”.   (The defender is always, in a sense, trying to catch up, since a new type of malware has to be found and identified as such before a signature can be developed.)

The contributors to the article are all very capable systems administrators, and I think it’s well worth a read, especially if you are responsible for a bunch of PCs.  (There are also some comments following the article itself; they are, as usual, sort of a mixed bag.)  I’d take away these suggestions from the discussion:

  • You may need to schedule AV updates more frequently than your initial instincts (one participant suggests hourly), to account for the fact that the updates will not all run every time they are scheduled.  (Machines may be rebooting, or turned off, for example.)
  • Because updates are not guaranteed to occur on the advertised schedule, it’s important to measure how up to date your machines actually are — if there are big discrepancies, try to find out why and fix the problem.
  • AV software is one layer of defense, but is certainly not a total solution.
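One way to do the measuring suggested above, as an added example that is not from the SANS diary or the original post: it separates machines with stale signatures that are simply switched off from machines that are checking in but not updating, which are the ones to investigate. The inventory columns, host names, sample rows and the 4-hour and 24-hour thresholds are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (not real data): one row per endpoint, with the
# time its AV signatures were last updated and the time it last checked in.
SAMPLE_INVENTORY = """host,signatures_updated,last_seen
ws-001,2013-04-29T11:10:00,2013-04-29T11:55:00
ws-002,2013-04-29T03:05:00,2013-04-29T11:50:00
ws-003,2013-04-26T17:40:00,2013-04-26T18:02:00
ws-004,2013-04-22T09:00:00,2013-04-29T11:58:00
ws-005,,2013-04-29T11:40:00
"""

def classify(row, now, max_age, offline_after):
    """Return (status, signature age in hours or None) for one endpoint."""
    if not row["signatures_updated"]:
        return "never-updated", None
    updated = datetime.fromisoformat(row["signatures_updated"])
    last_seen = datetime.fromisoformat(row["last_seen"])
    age_hours = round((now - updated).total_seconds() / 3600, 1)
    if now - updated <= max_age:
        return "current", age_hours
    # Stale signatures on a machine that is powered off are expected;
    # stale signatures on a machine that is checking in need investigating.
    if now - last_seen > offline_after:
        return "stale-offline", age_hours
    return "stale-online", age_hours

def staleness_report(inventory_csv, now, max_age=timedelta(hours=4),
                     offline_after=timedelta(hours=24)):
    """Group endpoints by update status, oldest signatures first."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, age = classify(row, now, max_age, offline_after)
        report.setdefault(status, []).append((row["host"], age))
    for hosts in report.values():
        hosts.sort(key=lambda h: -(h[1] or 0))
    return report

if __name__ == "__main__":
    now = datetime(2013, 4, 29, 12, 0, 0)  # fixed "now" so the output is repeatable
    for status, hosts in sorted(staleness_report(SAMPLE_INVENTORY, now).items()):
        print(f"{status}: {hosts}")
```

The "stale-online" group is the discrepancy worth chasing: those machines were reachable at their scheduled update times and still did not update.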

Probably the most important advice is this: if a machine has been compromised by malware, it is highly improbable that AV software, or anything else, will be able to clean or repair it.  Modern systems, and the malware that attacks them, are so complex that figuring out exactly what has been affected, compromised, or corrupted is effectively impossible.  The only reliable recovery method is “nuking from orbit”: wiping the machine’s hard drive(s), and reloading the OS, applications, and data from known clean backup copies.  Yes, it is a bloody nuisance, but it’s really the only way to make sure that you have a clean system.

A Safer Form of Fertilizer?

April 28, 2013

A tragic accident, perhaps compounded by carelessness, led to a fire and explosion in a fertilizer plant in West, TX on April 17.  (Just to clarify a point which was slightly confusing in the initial reports, ‘West’ is the actual name of the town.)  The news was somewhat overshadowed by the bombings at the Boston Marathon on April 15, but the disaster killed 14 people, injured many more, and devastated the small town.  The plant apparently had stores of anhydrous ammonia (NH₃), a gas, and ammonium nitrate (NH₄NO₃), a solid.  Both are very commonly used as components of fertilizers.  Ammonia is a strong irritant, and a health hazard, but doesn’t burn in air except in very high concentrations (roughly 15-25%).  Ammonium nitrate is also an irritant; however, it is also a powerful oxidizing agent, and can form explosive mixtures with many organic compounds.

In fact, ammonium nitrate has been used, mixed with fuel oil, to make bulk industrial explosives for routine use, because of its low cost.  It has also been a popular ingredient for improvised explosive devices (IEDs) and vehicle bombs, such as the one set off at the Murrah Federal Building in Oklahoma City in 1995.  Because of its potential for misuse, there are regulations concerning its storage and use, but these are apparently not always followed.  (It appears that the plant in West did not report its February inventory of 270 tons to the Department of Homeland Security, as the law requires.)

An article at the Gizmag site reports that Kevin Fleming, an engineer from Sandia National Laboratory, has developed a technique for compounding ammonium nitrate so that it can’t be used to make fuel-based explosives.

Knowing that in ammonium nitrate the ammonium ion is weakly attracted to the nitrate ion, and that the right chemical reaction can pull them apart, Fleming decided to look for a compound they would rather cling to that could be added to the ammonium nitrate. He tried several materials, including iron sulfate, a readily available compound discarded by the ton from steel foundries.

If someone attempts to mix fuel into the ammonium nitrate / iron sulfate mixture, they will end up with ammonium sulfate and iron nitrate, neither of which will form an explosive mixture.

The addition of iron sulfate does not degrade the usefulness of the fertilizer; in fact, it probably makes it slightly better for environments with alkaline soils.  Adding iron to the soil may also incrementally improve the iron content of vegetable crops.

Since iron sulfate is cheap — it’s a waste product from steel production — this technique might be an economical way to reduce the risk of explosions, accidental or otherwise.

Update Monday, 29 April, 22:16 EDT

Here is the original Sandia Labs information release.  Their server appears to have been down last  night.

Microsoft, Verizon Release Security Reports

April 23, 2013

Two new reports have just been released dealing with the state of Internet security; one is from Microsoft, and the other from Verizon.  If you are interested in security, I recommend both reports as interesting, if sometimes rather depressing, reading.

Since 2008, Verizon’s RISK Team has published an annual report summarizing security and data breach incidents, and categorizing them on various criteria (e.g., who did it?  how was it done?).  The 2013 Data Breach Investigations Report [PDF] analyzes data from more than 47,000 security incidents, and 621 confirmed data breaches.  This year, the report attempts to assess the prevalence and origins of “espionage” attacks: those whose primary motivation was not mischief, or financial gain, but theft of trade secrets and other intellectual property.  There is also an Executive Summary [PDF] available.

Microsoft’s Security Intelligence Report (Vol. 14) [PDF], which covers the period July through December, 2012, is (as you might expect) more focused on software security issues.  The report looks at the software security vulnerabilities that have been disclosed, and the exploits that have been detected, and attempts to identify particular problem areas and trends.  As has been true for some time, the most common type of exploit is one involving HTML and JavaScript; document-based and Java-based exploits, two other hardy perennials, showed a significant increase in the second half of 2012.   There is also a Key Findings [PDF] summary of this report.

I have not had a chance to read these reports yet, but will post further comments here when I have.   An essential part of any sensible security analysis is an evaluation of the threats one is guarding against.  These reports should provide some information useful in that exercise.

Critical Updates for Java

April 22, 2013

Last week, in keeping with its usual quarterly schedule, Oracle released a new version of its Java SE software, version 7 update 21, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This Critical Patch Update Advisory addresses a total of 42 identified vulnerabilities; Oracle says that 39 of these can be exploited over the network without authentication: that is, an attacker would not need to log in to the target system.   Nineteen of the vulnerabilities receive the maximum possible CVSS severity score of 10.0.

If you have Java installed on your system, I recommend that you install the new version as quickly as you conveniently can.  Windows or Mac users can use the built-in automatic update mechanism; alternatively, the new version can be downloaded here.

As I’ve written before, most recently last October, there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.

Boston Bombings, Take 2

April 17, 2013

As the investigation into Monday’s bombings at the Boston Marathon continued, today was a day with more wildly conflicting news stories.  Early this afternoon, there were reports, notably by the Boston Globe, CNN, and the Associated Press, that a suspect had been arrested (or was in custody — I heard both expressions used).  At the same time, the TV network news from ABC and NBC was reporting that there had been no arrest.  Some of the reports said that the suspect would be taken to the US Federal Court House in Boston, resulting in a large influx of reporters and the curious.   This was probably not a big help when, as The Washington Post reported, the courthouse had to be evacuated because of a bomb scare:

Boston’s federal courthouse, where hundreds had gathered in response to false reports of an arrest, was briefly evacuated because of a bomb threat.

It seems that the networks got it right: the FBI issued a press release stating that no arrest had been made.  It also made a request to media organizations:

Over the past day and a half, there have been a number of press reports based on information from unofficial sources that has been inaccurate. Since these stories often have unintended consequences, we ask the media, particularly at this early stage of the investigation, to exercise caution and attempt to verify information through appropriate official channels before reporting.

Didn’t they mention anything about this sort of thing in journalism school?

There were other reports that were merely silly.  One TV report showed an image of investigators searching the crime scene along Boylston Street in what it described as “white HazMat suits”.  The white fabric garments were obviously not HazMat suits; they were very probably coveralls worn by crime scene investigators so that fibers, hair, and so on from the investigators do not contaminate any evidence.  Does the mistake matter?  Maybe not, but it might spark a rumor that there was some sort of toxic or infectious residue left by the explosions.

Perhaps to compensate for some of its earlier (excessive) enthusiasm, the Associated Press (via Yahoo! News) has a new report on the media frenzy.
