Happy Birthday, WWW

April 30, 2013

Most readers are probably acquainted with at least the outline history of the World Wide Web [WWW], developed originally, beginning in 1989, by Sir Tim Berners-Lee and Robert Cailliau at the European nuclear research establishment, CERN (Organisation Européenne pour la Recherche Nucléaire).   At the time, the Internet was very much a new thing, and that first project was aimed at using hyper-text to make accessing scientific information easier.  (There were other search and indexing tools available, like Archie and Gopher, but none had really caught on in a big way.)  The new WWW was made accessible to the public via the Internet in August, 1991.

As an article at Ars Technica reminds us, it was twenty years ago today, on April 30, 1993, that CERN announced the conclusion of an internal debate, making the WWW technology freely available to anyone, putting three software packages in the public domain: a basic Web server, a basic client (a line mode browser), and a common library.  Quoting from the announcement:

CERN’s intention in this is to further compatibility,  common practices, and standards in networking and computer supported collaboration.

CERN has announced today that, in commemoration of that 1993 decision, it is starting a project to restore the world’s first website, which was hosted on Berners-Lee’s NeXT workstation, and explained how to use the new technology.   (A slightly later copy is available here.)  It also intends to restore related files and documents.

To mark the anniversary of the publication of the document that made web technology free for everyone to use, CERN is starting a project to restore the first website and to preserve the digital assets that are associated with the birth of the web. To learn more about the project and the first website, visit http://info.cern.ch

CERN also has a restoration project page.

Anti-Virus Updating

April 29, 2013

The folks over at the SANS Internet Storm Center have a recent diary entry on keeping anti-virus (AV) software up to date.  This kind of anti-malware protection typically tries to recognize “evil code” on the basis of a set of heuristics, or by recognizing bit patterns in the code itself (these are sometimes called “signatures”).  These elements, especially the signatures, need to be updated as new varieties of malware are created and discovered “in the wild”.   (The defender is always, in a sense, trying to catch up, since a new type of malware has to be found and identified as such before a signature can be developed.)

The contributors to the article are all very capable systems administrators, and I think it’s well worth a read, especially if you are responsible for a bunch of PCs.  (There are also some comments following the article itself; they are, as usual, sort of a mixed bag.)  I’d take away these suggestions from the discussion:

  • You may need to schedule AV updates more frequently than your initial instincts (one participant suggests hourly), to account for the fact that the updates will not all run every time they are scheduled.  (Machines may be rebooting, or turned off, for example.)
  • Because updates are not guaranteed to occur on the advertised schedule, it’s important to measure how up to date your machines actually are — if there are big discrepancies, try to find out why and fix the problem.
  • AV software is one layer of defense, but is certainly not a total solution.
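One way to do the measuring suggested above, as an added example (not code from the SANS diary or from this blog): it reads an inventory export and separates machines whose signatures are stale because they have been offline from machines that are checking in but still not updating, which are the ones worth investigating. The hostnames, column names, and 24-hour thresholds are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """hostname,last_signature_update,last_checkin
ws-001,2013-04-29T09:00,2013-04-29T09:55
ws-002,2013-04-29T08:00,2013-04-29T09:50
ws-003,2013-04-22T07:00,2013-04-29T09:58
ws-004,2013-04-20T12:00,2013-04-20T17:30
ws-005,2013-04-29T06:00,2013-04-29T09:40
ws-006,,2013-04-29T09:30
srv-01,2013-04-27T23:00,2013-04-29T09:59
"""
FMT = "%Y-%m-%dT%H:%M"


def classify(row, now, max_sig_age, max_checkin_age):
    """Return (status, signature_age) for one inventory row."""
    try:
        sig_age = now - datetime.strptime(row["last_signature_update"], FMT)
        checkin_age = now - datetime.strptime(row["last_checkin"], FMT)
    except (ValueError, TypeError, KeyError):
        return "no-data", None           # missing or malformed timestamp
    if sig_age <= max_sig_age:
        return "current", sig_age
    if checkin_age > max_checkin_age:
        return "stale-offline", sig_age  # machine off or unreachable: expected lag
    return "stale-online", sig_age       # checking in but not updating: investigate


def freshness_report(inventory_csv, now, max_sig_age=timedelta(hours=24),
                     max_checkin_age=timedelta(hours=24)):
    """Bucket hosts by status; dated buckets are sorted oldest signatures first."""
    report = {"current": [], "stale-online": [], "stale-offline": [], "no-data": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, sig_age = classify(row, now, max_sig_age, max_checkin_age)
        report[status].append((row["hostname"], sig_age))
    for status in ("current", "stale-online", "stale-offline"):
        report[status].sort(key=lambda item: item[1], reverse=True)
    return report


def fraction_current(report):
    """Share of all inventoried hosts whose signatures are within the threshold."""
    total = sum(len(hosts) for hosts in report.values())
    return len(report["current"]) / total if total else 0.0


if __name__ == "__main__":
    report = freshness_report(SAMPLE_INVENTORY, now=datetime(2013, 4, 29, 10, 0))
    print(f"current: {fraction_current(report):.0%}")
    for status in ("stale-online", "stale-offline", "no-data"):
        for host, age in report[status]:
            print(f"{status:14} {host:8} signature age: {age}")
```
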

Probably the most important advice is this: if a machine has been compromised by malware, it is highly improbable that AV software, or anything else, will be able to clean or repair it. Modern systems, and the malware that attacks them, are so complex that figuring out exactly what has been affected, compromised, or corrupted is effectively impossible. The only reliable recovery method is “nuking from orbit”: wiping the machine’s hard drive(s), and reloading the OS, applications, and data from known clean backup copies. Yes, it is a bloody nuisance, but it’s really the only way to make sure that you have a clean system.

A Safer Form of Fertilizer?

April 28, 2013

A tragic accident, perhaps compounded by carelessness, led to a fire and explosion in a fertilizer plant in West TX on April 17.   (Just to clarify a point which was slightly confusing in the initial reports, ‘West’ is the actual name of the town.)  The news was somewhat overshadowed by the bombings at the Boston Marathon on April 15, but the disaster killed 14 people, injured many more,  and devastated the small town.  The plant apparently had stores of anhydrous ammonia (NH3), a gas, and ammonium nitrate (NH4NO3), a solid.  Both are very commonly used as components of fertilizers.  Ammonia is a strong irritant, and a health hazard, but doesn’t burn in air except in very high concentrations (roughly 15-25%).  Ammonium nitrate is also an irritant; however, it is also a powerful oxidizing agent, and can form explosive mixtures with many organic compounds.

In fact, ammonium nitrate has been used, mixed with fuel oil, to make bulk industrial explosives for routine use, because of its low cost.  It has also been a popular ingredient for improvised explosive devices (IEDs) and vehicle bombs, such as the one set off at the Murrah Federal Building in Oklahoma City in 1995.  Because of its potential for misuse, there are regulations concerning its storage and use, but these are apparently not always followed.  (It appears that the plant in West did not report its February inventory of 270 tons to the Department of Homeland Security, as the law requires.)

An article at the Gizmag site reports that Kevin Fleming, an engineer from Sandia National Laboratory, has developed a technique for compounding ammonium nitrate so that it can’t be used to make fuel-based explosives.

Knowing that in ammonium nitrate the ammonium ion is weakly attracted to the nitrate ion, and that the right chemical reaction can pull them apart, Fleming decided to look for a compound they would rather cling to that could be added to the ammonium nitrate. He tried several materials, including iron sulfate, a readily available compound discarded by the ton from steel foundries.

If someone attempts to mix fuel into the ammonium nitrate / iron sulfate mixture, they will end up with ammonium sulfate and iron nitrate, neither of which will form an explosive mixture.

The addition of iron sulfate does not degrade the usefulness of the fertilizer; in fact, it probably makes it slightly better for environments with alkaline soils.  Adding iron to the soil may also incrementally improve the iron content of vegetable crops.

Since iron sulfate is cheap — it’s a waste product from steel production — this technique might be an economical way to reduce the risk of explosions, accidental or otherwise.

Update Monday, 29 April, 22:16 EDT

Here is the original Sandia Labs information release.  Their server appears to have been down last  night.

Microsoft, Verizon Release Security Reports

April 23, 2013

Two new reports have just been released dealing with the state of Internet security; one is from Microsoft, and the other from Verizon.  If you are interested in security, I recommend both reports as interesting, if sometimes rather depressing, reading.

Since 2008, Verizon’s RISK Team has published an annual report summarizing security and data breach incidents, and categorizing them on various criteria (e.g., who did it?  how was it done?).  The 2013 Data Breach Investigations Report [PDF] analyzes data from more than 47,000 security incidents, and 621 confirmed data breaches.  This year, the report attempts to assess the prevalence and origins of “espionage” attacks: those whose primary motivation was not mischief, or financial gain, but theft of trade secrets and other intellectual property.  There is also an Executive Summary [PDF] available.

Microsoft’s Security Intelligence Report (Vol. 14) [PDF], which covers the period July through December, 2012, is (as you might expect) more focused on software security issues.  The report looks at the software security vulnerabilities that have been disclosed, and the exploits that have been detected, and attempts to identify particular problem areas and trends.  As has been true for some time, the most common type of exploit is one involving HTML and JavaScript; document-based and Java-based exploits, two other hardy perennials, showed a significant increase in the second half of 2012.   There is also a Key Findings [PDF] summary of this report.

I have not had a chance to read these reports yet, but will post further comments here when I have.   An essential part of any sensible security analysis is an evaluation of the threats one is guarding against.  These reports should provide some information useful in that exercise.

Critical Updates for Java

April 22, 2013

Last week, in keeping with its usual quarterly schedule, Oracle released a new version of its Java SE software, version 7 update 21, for all platforms (Windows, Linux, Solaris, and Mac OS X).  This Critical Patch Update Advisory addresses a total of 42 identified vulnerabilities; Oracle says that 39 of these can be exploited over the network without authentication: that is, an attacker would not need to log in to the target system.   Nineteen of the vulnerabilities receive the maximum possible CVSS severity score of 10.0.

If you have Java installed on your system, I recommend that you install the new version as quickly as you conveniently can.  Windows or Mac users can use the built-in automatic update mechanism; alternatively, the new version can be downloaded here.

As I’ve written before, most recently last October, there is a good case that the average individual user is better off without Java on his or her system.   I won’t bore you by going through all of it again.  If you do decide to install or keep Java, though, please be careful to keep it up to date.

Boston Bombings, Take 2

April 17, 2013

As the investigation into Monday’s bombings at the Boston Marathon continued, today was a day with more wildly conflicting news stories.  Early this afternoon, there were reports, notably by the Boston Globe, CNN, and the Associated Press, that a suspect had been arrested (or was in custody — I heard both expressions used).  At the same time, the TV network news from ABC and NBC was reporting that there had been no arrest.  Some of the reports said that the suspect would be taken to the US Federal Court House in Boston, resulting in a large influx of reporters and the curious.   This was probably not a big help when, as The Washington Post reported, the courthouse had to be evacuated because of a bomb scare:

Boston’s federal courthouse, where hundreds had gathered in response to false reports of an arrest, was briefly evacuated because of a bomb threat.

It seems that the networks got it right: the FBI issued a press release stating that no arrest had been made.  It also made a request to media organizations:

Over the past day and a half, there have been a number of press reports based on information from unofficial sources that has been inaccurate. Since these stories often have unintended consequences, we ask the media, particularly at this early stage of the investigation, to exercise caution and attempt to verify information through appropriate official channels before reporting.

Didn’t they mention anything about this sort of thing in journalism school?

There were other reports that were merely silly.  One TV report showed an image of investigators searching the crime scene along Boylston Street in what it described as “white HazMat suits”.  The white fabric garments were obviously not HazMat suits; they were very probably coveralls worn by crime scene investigators so that fibers, hair, and so on from the investigators do not contaminate any evidence.  Does the mistake matter?  Maybe not, but it might spark a rumor that there was some sort of toxic or infectious residue left by the explosions.

Perhaps to compensate for some of its earlier (excessive) enthusiasm, the Associated Press (via Yahoo! News) has a new report on the media frenzy.

Boston Marathon Bombings

April 16, 2013

I’m sure that I’m like most other Americans in reacting with a mixture of sorrow, disgust, and anger to the horrible bomb attacks in Boston yesterday.   Of course, we all extend our sympathies, thoughts, and prayers to the victims and their families, too.  The story of what happened is still unfolding: physical and other evidence is still being analyzed, and no one, so far, has claimed responsibility for this crime.  I think it is not only foolish, but also counter-productive, to jump to conclusions based on incomplete facts or speculation.  I expect this will be the first in a number of posts on this incident.

I was able to keep current with the press coverage of the story through most of yesterday afternoon.  (The incident probably struck home for me a bit more than average, since I lived in Boston for about ten years, within a few blocks of Copley Square, and worked nearby as well.)  When the prospect of an inch or two of snow gets reporters hyper-ventilating, I guess it is not too surprising that this incident really got them going.  It was clear that someone in the newsroom was trying to rein in the more extreme speculation, but some fairly obvious products of someone’s imagination made it through anyway.

One early report showed a very jerky video of one of the explosions (it later became clear it was the first), with breathless commentary about “an enormous bomb”. Now, “enormous” is one of those words that, to paraphrase Mark Twain, allows a considerable return in speculation for a trifling investment of fact. I am certainly not an explosives expert, but I have seen the immediate aftermath of a couple of large explosions in similar environments. For example, I was perhaps half a mile away in the City of London when the Provisional IRA detonated a bomb at the Baltic Exchange in St Mary Axe on April 10, 1992. That was a large bomb, estimated to contain 45 kg (100 lb.) of Semtex, plus about a ton of fertilizer-based explosive. I have never seen so much broken glass in my life; it was impossible to walk without stepping on it.

In that early video, there was no noticeable glass on the pavement, and there were a couple of large plate glass windows visible, intact, within a few yards of the explosion site.  I remarked at the time that the bomb, if that’s what it was, could not have been very big — probably something in a backpack or briefcase.  (I do have a little background knowledge on this point.  As part of my job, I had some security responsibilities for our operations in the City, and got periodic briefings from the security services.)  That the devices were small, perhaps 2-3 pounds of explosive, seems to be the current consensus from authorities today.

The Associated Press [AP] initially made a rather strange report yesterday afternoon, saying that cellular telephone service was being shut down.

A law enforcement official, citing an intelligence briefing, said cellphone service had been shut down Monday in the Boston area to prevent any potential remote detonations of explosives.

The TV reporter presenting this suggested that this was being done to prevent further bombs from being detonated by cellphones, and that, for the same reason, people should not use their landline phones, either.  Now this last bit is just complete nonsense; my avoiding use of my phone does not prevent a Bad Guy from using his; in fact, if anything, his call will be completed more expeditiously.  AP later retracted the story, having checked with the cellular carriers.  I suspect the original story was based on a garbled request to avoid unnecessary phone usage; it is almost a given that networks will be stressed by heavy usage following any sort of man-made or natural disaster.

I know that the media have a difficult job, and that trying to piece together a narrative from fragments of information is especially tricky.  I’d hope, though, that everyone, reporters and audience alike, would try to maintain a rational view of the situation, and not let their emotions run amok.  Terrorism is, after all, a tactic that is intended to produce fear, fear out of proportion to the actual damage done.  As I’ve written before, we need to take care not to let terrorists win “on the cheap”.

Over at The Atlantic‘s site, Bruce Schneier has a revised version of an earlier essay, focusing on this same point.

As the details about the bombings in Boston unfold, it’d be easy to be scared. It’d be easy to feel powerless and demand that our elected leaders do something — anything — to keep us safe.

It’d be easy, but it’d be wrong.  We need to be angry and empathize with the victims without being scared.

He also has an interview with Ezra Klein of The Washington Post on the paper’s “WonkBlog”.

Contrary to what our instincts and emotions may be screaming, terrorism is a rare event, and mounting a successful terrorist attack is not easy.  Evil geniuses, like Professor Moriarty or the Joker, are denizens of fiction, not reality.  And, no matter how draconian our security response is, there is no way to guarantee perfect safety.  We need to remain as level-headed as we can.

Refuse to be terrorized.
