June, 2007

Larry Osterman's WebLog

Confessions of an Old Fogey
  • Larry Osterman's WebLog

    Why don't I agree with Bruce Schneier all the time :)


    Friday's post about security blogs apparently contained a bit of unintended controversy.

    When describing Bruce Schneier's blog, I said "I don't agree with a lot of what he says".  Apparently this is heresy in some parts, although I don't understand why.  Bruce is unquestionably a very, very smart man (and an excellent writer, I simply loved Applied Cryptography), but he's no Chuck Norris :)

    On most topics - security architecture, crypto design, threat analysis, etc, Bruce is remarkable.  I find most of what he writes to be insightful.

    But Bruce seems to have a complete blind eye when it comes to Microsoft.  To my knowledge, even though essentially every other serious security analyst has acknowledged that Microsoft has done a staggering amount of work to improve the security of its products, Bruce still maintains that Microsoft has no clue when it comes to security.  That stings.

    The #2 hit in a search for Bruce Schneier Microsoft is: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1011474,00.html which includes: " Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they're still not taking security seriously enough for me. They've made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem".  This couldn't be farther from the truth (the #1 hit is Schneier's FAQ about the PPTP analysis he did where he neglected to acknowledge the work that Microsoft did to rectify the issues he found after his analysis).

    And then there was this gem (from February of this year): http://www.schneier.com/blog/archives/2007/02/drm_in_windows.html.  He took Peter Gutmann's article and accepted it as the gospel truth, even though Gutmann had absolutely no factual basis for his speculation - Gutmann hadn't verified a single one of his claims, heck he hadn't even installed Vista at the time he wrote his paper.

    On the basis of one paper from someone who had never even RUN Vista, Schneier leapt to the conclusion that Microsoft had embedded DRM into all levels of the operating system and that was a reason to avoid Vista.


    For the following 5 paragraphs, please note: I AM NOT A LAWYER.  I AM NOT GIVING A LEGAL OPINION, THESE ARE JUST MY THOUGHTS.

    I also believe that he hasn't fully thought out his position on holding companies financially liable for the security holes in his product.  At first blush his idea is attractive, but I firmly believe that the consequences of his idea would totally destroy the Internet as we know it today.

    It's also entirely possible that it would kill the open source movement (talk about unintended consequences).  Let's say that there's a security vulnerability found.  If the vulnerability is found in a closed source product (or in proprietary code), then the corporation would be the only one that could be held liable for the damages - the individual developer would be protected by the corporate liability shield. 

    But for open source projects, often there is no such corporate liability shield (I could imagine scenarios where a corporate liability shield might apply, but I don't think they apply in general).  So who pays up if a vulnerability is found in an open source project?  The only likely target is the individual developer (or developers) who introduced the defect (I suspect that those involved in the distribution that contained the vulnerable code would also be targeted).

    This means that it's highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce.  So to contribute to open source projects, you'd have to have many millions of dollars of personal liability insurance (or run the risk of financial ruin if a mistake is found in your code).  That is highly likely to result in a stifling of the open source movement, and there's no easy way to work around it.

    It's also likely to decrease the likelihood that a corporation would adopt an OSS solution.  Consider the situation where a bank (or major retailer) is worried about having its customer records hacked.  Since the bank/retailer is going to be held responsible for its security breaches, then the bank/retailer has to factor that risk when it chooses a vendor for its database solution.  If the bank/retailer thinks it can sue the software developer who developed the database solution in the event of a breach, and it has two choices for a database vendor, one of them developed by a bunch of people who don't have any real assets and the other comes from a company with insurance and assets, it would be crazy to choose the one where you have no one to sue.


    Those are a couple of reasons why I disagree with Bruce Schneier on occasion.

  • Larry Osterman's WebLog

    Where do you go to get your security news?


    Anyone who's hung around me for a while knows that I'm a bit of a security geek.  As such,I try to keep up on what's going on in the industry and try to keep current on what's going on in the vulnerability research community.

    Yesterday, someone in my division asked me where I go to get my security-related news.


    I thought about it a bit, and came up with a couple of places:

    First off, there are a number of internal mailing lists I'm on, lots of times, other people post interesting stuff to them.

    I also lurk on a couple of the mailing lists related to vulnerability disclosure (full-disclosure, bugtraq), although I find that the noise-to-signal ratio is somewhat high on them.

    And I read Slashdot - again, a high noise-to-signal ratio, but the discussions can be quite fascinating (seriously).

    For blogs, I read (in no particular order)

    Matasano Chargen - consistantly interesting reading about a relatively wide range of vulnerability related topics

    rdist: setuid - Nate Lawson's blog. 

    Skywing - Ken Johnson's blog - he does some fascinating research into reverse engineering.

    Emergent Chaos - Adam Shostak and friends

    Bunnie Huang - What can I say about a guy who has a scanning electron microscope in his living room? 

    Bruce Schneier - I don't agree with a lot of what he says, but he's always interesting.

    Jesper Johansson - Always interesting, doesn't post enough :)

    Michael Howard and David Leblanc - these guys literally wrote the book on writing secure code :)

    Jeff Jones - He does MAD Statistics.

    Alun Jones - Not much to say except "always interesting" (but then again everyone on this list fits into that category).

    Mark Russinovich - Newly at Microsoft, does great "why does this happen?" tutorials where he shows end-to-end how he troubleshoots problems.

    I'm sure I've got others but those are a good overview...


    Edit: Sorry Skywing :) 

    Edit2: Fixed Alun Jones link.


  • Larry Osterman's WebLog

    Last Wednesday wasn't a really good day for the home team...


    Another personal post, I'm sorry about that, but life's been a smidge crazy.


    So this is Valorie's car as of last week Wednesday afternoon. 


    The good news is that (as you can see) Daniel and Valorie are both fine (as far as we know, just aches and pains), however I can't say the same for her car.  We just got word from the body shop that it's toast. 

    Major bummer.

    Btw, while duct tape may hold the universe together, it didn't hold the rear door of the car - by the time it made it to the body shop, the duct tape had given way and the door was loose.

     So now we're looking for a new car...

  • Larry Osterman's WebLog

    My wife and I are SUCH geeks.


    Once again, nothing technical, but massively geeky (and maybe a bit TMI, but I figure most of the people reading this are grownups).

    Last night, I was reading my email on my computer (which lives in our bedroom) when my daughter came in and asked "Where's Mom?".

    I replied that I didn't know, I thought she was playing a game on the shared computer downstairs (we have 5 computers in the family, one for each of us, and a shared computer in the kitchen that's used for email and surfing the web - the kids computers don't have Internet access).  Sharron said that she had checked Valorie's office, and she wasn't there either.

    I told Sharron that it wasn't a big deal, she was somewhere around, and then I heard the toilet flush.

    Aha!  We've found Mom.  I went downstairs with Sharron and there was Valorie in the kitchen getting a glass of water.

    Sharron: "Mom, where WERE you?  I was so worried!"

    Valorie: "I was just going to the bathroom, you're upset that I took too long to pee?" *this is the TMI part*

    Me: "I wasn't complaining about how long you were peeing"

    Valorie "NIL!"[1]

    Me: "P"[2]

    Valorie "Pee P!"

    Me: "T.[3]"

    This went on for a couple of further iterations, and at some point both of us started rolling on the couch laughing (I did say we were geeks).

    Sharron, on the other hand, looked at us like we were totally insane.

    Sigh.  Sometimes I worry about my family's sanity.


    [1] NIL is LISPish for false - it's literally an empty list

    [2] For those who are not familiar with the hackers dictionary, "P" is the universal interrogative - you add "P" to the end of any noun to turn it into a question, so "FoodP" means "Do you want to get food?"

    [3] And T is LISPish for True.  So one answer to the question "FoodP" is "T" while another is "Nil".

  • Larry Osterman's WebLog



    Yesterday I mentioned that I was going to the 5th Avenue High School Musical Theater awards show.

    I'm still speechless.  And anyone who knows me knows how unlikely that is.

    First off, I want to offer my congratulations to Bellarmine Preparatory School for winning the award for Outstanding Musical Theater Production for their production of Urinetown.  I now wish I'd had the opportunity to see their show, from the little I heard last night, it was undoubtedly a remarkable production.


    All of the productions that I saw last night were remarkable in their quality.  High school musicals have come a long way since I was in school.  The costuming for some of the shows (Kentwood High School's production of "Roar of the Greasepaint, Smell of the Crowd" and Shorecrest High School's "The Wizard of Oz" stand out in my memory) and choreography blew me away.  Oh, and then there was the performance from Capital High School's production of Aida. 

    And capping off the evening, Overlake's production of The Robber Bridegroom won two awards, the first for Best Set Design, the second for Bill Johns for Best Direction of a Musical.  From what I saw of the other productions, Overlake was up against some really stiff competition, I'm extraordinarily proud that they won.  Huge prop's to Bill Johns and Erin Gabriel for their remarkable achievement.

  • Larry Osterman's WebLog

    Tonight's the Night...


    Nothing technical, just proud parent stuff.

    Tonight we're going to see the 5th Avenue High School Musical Awards for the first time.  The 5th Avenue Awards are essentially the Tony Awards for high school musicals in the Seattle area, and the competition for shows is fierce.

    Now that Daniel's in High School, we've been seeing more and more high school musicals, and I've got to say that the local high school productions set a standard that we never saw when I was in school.  Many of the productions I've seen this year are truly remarkable (in particular the vocal quality of the kids performing is simply amazing).

    This year's Overlake School musical, "The Robber Bridegroom" has been nominated for several awards:

    Outstanding Direction

    Outstanding Choreography

    Outstanding Scenic Design

    Outstanding Costume Design (the costume designer for Overlake even designed period undergarments for the actors!)

    Outstanding Performance by an Actor in a Featured Ensemble Role (Brian Willingham as Little Harp)

    And Honorable Mention for:

    Outstanding Overall Musical Production

    Outstanding Music Direction

    Outstanding Performance by an Actress in a Supporting Role (Samantha Reising as Salome (she was absolutely hilarious))

    Outstanding Performance by an Actress in a Featured Ensamble Role (Linnea Xuereb as Big Harp (again, she was hilarious, especially since she was playing a disembodied head))

    In addition to the nominations above, Overlake Student Race Nagley won a Special Award for Student Achievement.


    The competition for these nominations is fierce, as I said above, the various local productions are pretty remarkable, it's a tribute to the remarkable quality of the Overlake production that it was nominated for so many awards.


    I'm really excited to see the results.

  • Larry Osterman's WebLog

    Missed metaphors


    Not surprisingly, the various teams that contribute to the Windows product have been hard at work planning what goes into potential future versions of Windows. 

    As a part of that planning process, we've been collecting all sorts of data, and sifting through it to try to figure out what are the most compelling scenarios for the myriad of customers of Windows.

    I was looking at the feature planning timeline and it had something like:

    Due Date Task
    x/y Scenario Description Complete
    x/y Preliminary Feature Description
    x/y T-Shirt Sizing
    x/y Full Feature Description Complete

    When I saw "T-Shirt Sizing", I got really excited.  There's an old adage that says something like "A new product isn't done until the T-Shirts have been ordered", so I thought it was cool that the planning process had integrated ordering the group/feature T-Shirts right into the process.

    Unfortunately that wasn't the case :(.  Instead, what the people who designed the planning process meant by "T-Shirt Sizing" was categorizing the effort to implement the feature into "S, M, L, XL, XXL, etc".  The basic idea was to get a rough feel for the amount of effort associated with each feature.

    T-Shirt Sizing is an "interesting" metaphor for development effort. Normally metaphors speak to fundamental truths - "All the world's a stage, And all the men and women merely players, They have their exits and their entrances" is a metaphor that maps life to the actors in a play.  But I'm really not that sure what T-Shirt Sizing has to do with the amount of effort involved in a software project.  You might as well use "Ice Cream Scoops" for your metaphor - single scoop is a small amount of work, double scoop is more, triple scoop is still more, banana split is really big.

    Personally if I were doing the planning, I'd not bother with the cute name and simply describe it for what it really is "Feature Size Guestimate".  But that's just me, and I don't get to decide these things.


    Obviously this is my opinion, the opinions of others may vary.

Page 1 of 1 (7 items)