Archive for August, 2005

Protecting me from my rights

Friday, August 26th, 2005

Ed Felten describes the silly anti-piracy measures Microsoft is hammering into their next OS release, Vista, at the movie industry’s request:

movie studios will have explicit veto power over what is included in some parts of Vista. For example, pages 22-24 describe the “High Bandwidth Cipher” which will be used to encrypt video data as it passes across the PC’s internal PCIe bus. Hollywood will allow the use of the AES cipher, but many PCs won’t be able to run AES fast enough, leading to stutter in the video. People are free to design their own ciphers, but they must go through an approval process before being included in Windows Vista. The second criterion for acceptance is this:

Content industry acceptance
The evidence must be presented to Hollywood and other content owners, and they must agree that it provides the required level of security. Written proof from at least three of the major Hollywood studios is required.

Wow. And here I thought that making crap movies was Hollywood’s way of making me not want to copy their movies. I should have known that wasn’t it. After all, it’s simple, non-invasive, effective, and doesn’t exist primarily to preserve their de facto monopoly on movie production and distribution.

As Mark Cuban (someone with skin in the movie theater game) has previously noted, people increasingly don’t like the options available for going to the movies, especially when compared to the competition:

So on any given night, for whatever category you feel like putting yourself into for that night, you only have 3 or 4 major movies, and unless you live in NY or LA, only 6 or so limited release movies to choose from. Is that enough to always have something that the full range of movie going public wants to see?

That’s not many choices. Not many choices for kids 12 -20 who make up the most active film goers. Not many choices for the rest of the population that goes 1x or less per month.

Then you add the battle you go through of not wanting to fight the crowds and lines and long walk from your parking spot against not wanting to wait so long that you are one of 4 people in the theater when you see the movie, or have listened to everyone at work talk about the movie and spoil it for you.

When there are 40k DVD titles, all the TV shows and Movies we can capture on our PVRs and VOD and PPV, you have to really want to go to the movies.

Mark is unusual in viewing the problem this way. He has taken the radical viewpoint of asking, “What don’t people like about the total entertainment experience and what can I do about it?” This seems to be viewed as heresy by The Content Industry (as opposed to the broader category of Content Producers, which includes me by virtue of these very keystrokes), which wants to make sure that they are the only people “allowed” to provide content. We’re all competing for viewers, but only the Content Industry is attempting to leverage their cartel status to prevent Independents (aka, “their competition”) from competing, and to do it through technical means.

Not that this will come as a surprise to anyone, but the movie and music industries have an incredibly reactionary approach to risk management. They seem to think that they have some sort of “right” to control their audiences’ behavior, as if they could add a third inevitability, “go to the movies,” alongside death and taxes.

So what can we divine from this about the Movie Industry’s risk priorities? That’s a gimme. The movie industry is terrified of technological change and primarily concerned with preserving the status quo.

This comes as no surprise, but it still bears including. Their greatest fear is the “Napsterization” of movies–the idea that digital formats will lead to unrestricted unauthorized re-distribution via the Internet. Everything they now do is focused on preventing this from happening.

Unfortunately for them, thanks to DWDM and blue diode lasers making backbone bandwidth nearly free, the only things standing between them and their worst nightmare are time and the fact that the cable and phone companies are waiting to build out their infrastructure to the Edge until they figure out how best to maximize their profit from doing so.

So what’s the Movie Industry doing in the meantime? Improving the moviegoing experience? Improving the quality of their product? Making the cost of going to the movies better match up to the value of going?

Nope. They’re too busy making the situation worse by crippling the output quality of a DVD on Personal Computers. They’re effectively lowering the bar that file traders must compete against. Truly dedicated file sharers–the collectors–will still bypass all those DRM efforts and begin happily shuffling 10GB files around via BitTorrent. They’re collectors, so they don’t care how long it takes–they want to have it, not to watch it tonight.

For those who are more impatient or less picky, though, the choice is now between crippled (low-resolution) content off a DVD or downloaded from the Internet. If the best you can hope for from “your” legally purchased DVD is something inferior, then the quality bar that the file sharers must beat has just been lowered significantly.

So there we have it. Their self-described countermeasure, decreased movie quality, has a huge second-order risk. It effectively reduces the “price” (file size, which is to say time and bandwidth) required to obtain a comparable product from the DarkNet. And as we all know, when price decreases, the number of people who are willing to pay it increases.

So the Movie Industry, like a modern-day Oedipus, brings about its own doom. Maybe that’s why movies so often make me want to gouge out my eyes.

Self-inflicted wounds

Wednesday, August 24th, 2005

So I’m catching up on my Techdirt reading and they have this gem about people self-infecting their PCs with viruses and spyware.

apparently some upset employees are taking to a different form of corporate “civil disobedience.” 23% of companies surveyed claim that they believe upset employees are downloading viruses and other malicious software on purpose just to cause trouble (the article doesn’t make it clear how these companies knew the downloads were on purpose — so you could question the study on that point). This doesn’t go quite as far as the employee who wrote and sent out a virus to colleagues, but it certainly seems like the type of internal “hack” less technically savvy employees might try.

Digging into the original ComputerWorld story, we find out that:

A recent study sponsored by Risk Control Strategies, a threat management and risk assessment firm, found that an overwhelming majority of 223 security and human resources executives who manage between 500 and 900 employees said workplace violence is a bigger problem now than it was two years ago. As a result, 23% said employees have intentionally and maliciously downloaded viruses over the past 12 months. The study found that hitting employees in the pocketbook is prompting the burgeoning retaliation.

A recent study of IT outsourcing trends sponsored by DiamondCluster International Inc., a business and technology consulting firm, supports this conclusion, stating that 88% of outsourcers cited employee backlash as their primary concern. Cognizant of buyers’ unease, outsourcing providers limit their on-site presence to keep the “face of outsourcing” out of sight from employees, according to the study.

Techdirt also points to Ed Bott, who takes them to task:

That seems really, really high to me, and it makes me doubt the rest of the study as well. If this sort of deliberate virus attack were really happening all that often, wouldn’t you think we would hear more specific examples? Wouldn’t some people have been arrested? I have no data to back this up, but it sure seems more logical that viruses attack organizations because the underlying security systems are faulty and users haven’t been trained in how to avoid risky behavior.

Personally, I can believe that 23% of companies had suffered incidents where people deliberately damaged their own computers. I think the motivation, however, for this sort of petty vandalism is generally to avoid work, not damage the company. “My computer is broken,” is one of the more defensible excuses out there for not getting work done. And unlike, “The dog ate my powerpoint presentation,” all you need is a helpdesk ticket to excuse the time you officially were Down.

Of course, damaging a machine as an excuse for not having to work is stealing time from the company, although it may also backfire: if the employee just wanted to cut up and talk on the phone instead of working, but instead was told to clock out and go home early, they may wish they had just finished out the day and been able to collect the few hours pay.

Addressing Ed’s specific question, however, the reason you don’t see any reports of prosecution is, first of all, that prosecutors wouldn’t get a conviction. Second, most companies wouldn’t want the bad press of having the whole thing misreported as having fallen victim to the next Kevin Mitnick. Most companies won’t even prosecute people for embezzlement, much less for losses that don’t involve hard costs.

So let us not forget some of the more useful rules of evaluating internal incidents:
Never attribute to malice what can be adequately explained by incompetence. Most people screw things up because they don’t know what they’re doing, not because they really mean to. As a result, unless someone absolutely knows better (i.e., it would be considered negligent for someone in their role to do something), it was probably just stupidity.

All things being equal, the simplest answer is usually the best. Most non-IT people (and more than a few who do work in IT) are utterly clueless about technology. Most of them couldn’t get a virus by choice if they tried.

Fool me once, shame on you. Fool me twice, shame on me. In other words, the benefit of the doubt that the first two rules imply only goes so far.

So do I believe that 23% of companies have had employees “deliberately” do stupid things which damaged computers? Of course I do. Honestly, I’d venture to guess that the actual rate is even higher. After all, half of all employees are below average.

As long as I’m not talking about 0days…

Friday, August 19th, 2005

What is it with me and 0days all of a sudden? I usually dismiss them almost out-of-hand, but as soon as I make a statement to that effect, it’s all I can post about.

Also on the Internet Storm Center page was a note about port 1433 scans by Zotob-infected hosts:

Port 1433 scans after Zotob infection

One reader reported that he observed a significant increase in port 1433 scanning after a host in his network was infected with Zotob. The implication may be that miscreants are monitoring for Zotob infected machines and scan them assuming weak security practices in the respective network.

First off, I don’t know that it’s fair to assume that because someone is A) Still running Windows 2000; and B) didn’t have their machines fully patched in a week; that they necessarily have poor security practices. But that’s not what really caught my eye here.

Attackers who compromise one host inside the network perimeter and then use it as a jumping-off point to attack other hosts on the network are a bit of a nightmare scenario for anyone defending a network. They are also part of why Defense-In-Depth is so important and why the firewall isn’t all it’s cracked up to be: once the attacker is inside, the perimeter firewall never sees the traffic that matters.
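The pivot the ISC reader describes, an infected host suddenly sweeping TCP/1433, is detectable from internal firewall or flow logs if you count distinct targets per source rather than raw connection volume. The following is an added example, not code from the original post, the ISC diary or any Zotob analysis. It runs over a constructed, simplified firewall log of the form `<epoch> <src_ip> <dst_ip> <dst_port> <action>`, flags any source that touches ten or more distinct hosts on 1433 within a one-minute window, and checks that the sweep followed the host’s first TCP/445 activity (the port Zotob spreads over). The log format, addresses, window size and threshold are all assumptions for illustration.

```python
"""Flag an internal host that starts sweeping TCP/1433 (MS SQL) after it is compromised.

Added example, not code from the original post or the ISC diary. The log format is a
constructed, simplified firewall log:
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>"
Window size, threshold and the sample addresses are assumptions for illustration.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample traffic (not a real capture).

    10.1.3.7 is a normal app server talking to its single SQL server.
    10.1.1.5 is the infected host: worm traffic on TCP/445 first (the port
    Zotob spreads over), then a sweep of TCP/1433 across 10.1.2.0/24.
    """
    t0 = 1124400000  # constructed epoch; 1124400000 % 60 == 0
    lines = []
    for i in range(20):
        lines.append(f"{t0 + i} 10.1.3.7 10.1.2.50 1433 ALLOW")
    for i in range(5):
        lines.append(f"{t0 + 30 + i} 10.1.1.5 10.1.2.{10 + i} 445 ALLOW")
    for i in range(24):
        lines.append(f"{t0 + 40 + i} 10.1.1.5 10.1.2.{100 + i} 1433 DENY")
    return "\n".join(lines)


def parse_lines(text):
    """Parse log lines into (ts, src, dst, dport, action) tuples; skip blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split()
        events.append((int(ts), src, dst, int(dport), action))
    return events


def distinct_targets_per_window(events, port=1433, window=60):
    """Map src -> {window_start -> set of distinct dst} for connections to `port`.

    Both ALLOW and DENY count: a scanner touches many hosts whether or not the
    connection succeeds, and denied attempts are the clearest signal.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport, _action in events:
        if dport == port:
            buckets[src][ts - ts % window].add(dst)
    return buckets


def find_scanners(events, port=1433, window=60, threshold=10):
    """Return [(src, window_start, distinct_targets)] for every window in which a
    source touched at least `threshold` distinct hosts on `port`.

    A legitimate client hits one or two SQL servers repeatedly (many connections,
    few targets); a scanner hits many targets once each, so count targets, not packets.
    """
    alerts = []
    for src, windows in distinct_targets_per_window(events, port, window).items():
        for start in sorted(windows):
            if len(windows[start]) >= threshold:
                alerts.append((src, start, len(windows[start])))
    return alerts


def first_seen(events, src, port):
    """Earliest timestamp at which `src` touched `port`, or None. Used to confirm the
    1433 sweep came after the 445 worm traffic rather than before it."""
    hits = [ts for ts, s, _dst, dport, _act in events if s == src and dport == port]
    return min(hits) if hits else None


if __name__ == "__main__":
    events = parse_lines(build_sample_log())
    for src, start, n in find_scanners(events):
        infected_at = first_seen(events, src, 445)
        print(f"{src}: {n} distinct TCP/1433 targets in window starting {start}; "
              f"first TCP/445 activity at {infected_at}")
```

On the constructed log this reports only 10.1.1.5, whose twenty-target sweep lands in the minute after its first 445 connection, while the app server with twenty connections to one SQL server stays silent. In a real deployment the threshold should come from a baseline of how many distinct database hosts each source normally touches, and the same logic applies to 445, 139 or any other port an internal worm or attacker would sweep.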

<theory type="conspiracy">
Going after just SQL Server, however, (and I assume it’s just MS-SQL or the handlers would have said so) makes me wonder if the authors of Zotob aren’t harboring one of those dreaded Underground Exploits. Or are they just bad at attacking anything but Microsoft products?
</theory>

After all, it was almost exactly one year ago today that Oracle was forced to announce their infamous (among Oracle security types) Advisory #68 which corrected an exploitable pre-authentication overflow in the SQLNet listener that had been around for over ten years. If you were going to go scanning for vulnerable databases, I’d think that was at least as interesting as MS SQL servers.

Now I know from past experience that if I scan pretty much any corporate network with Microsoft products installed, I’m going to find at least a few SQL instances, whether as part of development tools or embedded in other products, so maybe they’re figuring on a high hit rate. But I’m guessing that they’re interested in databases on the off chance they’re going to find one that contains data with cash value, like credit cards, names and SSNs, etc.

Of course, this is all assuming that Zotob and its variants are being written by professional criminals and not just l33t h7×0rs, but at this point, that’s probably a pretty safe bet.

Well…maybe 0days excite me a little…

Friday, August 19th, 2005

Looks like MS just confirmed the 0day in IE…not that it’s being exploited or anything, they swear:

Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is aggressively investigating the public reports.

Unless you check with the Internet Storm Center, who are not quite so optimistic:

Yesterday, FrSIRT (aka K-otik) released a working 0-day exploit against a .Net component which is accessible remotely via Microsoft Internet Explorer.

Further down, however, an interesting point is made by The Handlers:

It merits pointing out that this particular vulnerability really isn’t 0-day, it’s more like 380-day, as the underlying vulnerability has been around for a LONG TIME.

See http://www.informationweek.com/story/showArticle.jhtml?articleID=22102487&tid=5979 for example.

Never a dull moment in our business.

0days don’t excite me but beer always gets my attention

Friday, August 12th, 2005

There’s been a lot of back-and-forth between Pete Lindstrom, Adam Shostack, and TQBF regarding the benefits (or lack thereof) of vulnerability research and disclosure, culminating in Pete saying he’d buy beer…

C’mon, just point me to ONE major vendor patch bulletin that originated when you saw the vulnerability exploited in the wild before any good guys knew about it. Presumably, this exploit would have been the catalyst for discovery and disclosure by the good guys. I’ll definitely buy you a beer or 50 if you can do that.

he was quickly forced to put his money where his mouth was

TQBF did me right. He found the references I was looking for and now will drink for free, though I am guessing not as much as he hoped. (C’mon now, when I said 50 beers I was thinking the ever-so-delicious Coors Light). Bass Ale (or the other stuff if you can find it) on me in Chicago all night on 9/26/05, somewhere near here. (I think you said you live in Chicago now). Raindates acceptable if necessary.

I’d like to throw out CAN-2004-1050, aka the Internet Explorer IFRAME vulnerability, which was announced and patched out-of-cycle after it was used on The Register’s compromised banner ad servers as part of the Bofra worm. The most famous exploit may have come out a few days after the CVE was created, but I just want to come out for beers since you’re going to be in town. I don’t mind buying my own.

Of course, when all is said and done, I personally think it’s irrelevant. Given that in an environment of any size whatsoever, there’s always at least one machine which is vulnerable to any number of known patchable exploits, what’s the point of worrying excessively about it? This is the reason for Defense-in-Depth.

Sure, you could probably calculate the expected risk of a private exploit being used against a particular application if you have metrics for codebase size (either in kLOCs or Function Points), defect density, and the rate at which defects have security implications in the particular language/API, but there’s no point. All that’s going to tell us is what we already know: that vulnerabilities exist and will continue to be found until long after I’m dead and gone. Undiscovered vulnerabilities are simply one more risk we have no choice but to accept if we want to continue to do our work with a keyboard and mouse instead of a pencil and paper.

From my perspective, though, these sorts of 0days (so much shorter and l337er to say than “in-the-wild exploit against an undisclosed vulnerability”) are fun in the same vein as Ghost Stories and the Bermuda Triangle. They provide us a useful reminder about the limits of our knowledge and our ability to protect ourselves. If we didn’t have things we all acknowledge we flat-out can’t defend against, we might be tempted to think absolute security is attainable.

As an aside, does anyone know how many holes were found and closed during the great Microsoft Security Stand Down? Does Microsoft even know? And more interestingly, what I’d really like to know (but never will) is how many new holes were inadvertently created during that exercise.

Skype and weeds

Thursday, August 11th, 2005

A friend of mine used to say, “You know how you kill a weed? You grow it to death.”

And buried down in the bowels of a Register Story about who might buy Skype, is this indicator that Skype might be learning a thing or two about growing itself to death:

In terms of technology, Skype has a real problem: it relies on “supernodes” - users who have direct Web access to a “real” IP address. The traffic in and out of normal nodes wouldn’t be capable of travelling between two subscribers; there are no inbound routes. So the software fakes a session through a supernode.

The problem seems to be: the number of potential supernodes is dropping, and the number of ordinary nodes - behind mapped addresses or firewalls, or both - is going up rapidly.

The result: quality of calls is falling. Bandwidth available is poor compared with a year ago.

This would be consistent with what we’ve seen in some informal testing I’ve been involved in. We thought it was related to quality issues in the implementation of their authenticated proxy support (and there definitely seem to be some issues there) or the overall load on our proxies, but perhaps we’ve been wrong.

If this is the case, then it looks like Skype’s free bandwidth lunch may be coming to an end. I see no reason why it wouldn’t be the case–I can now buy a Cable/DSL firewall/access point/print server/blender/kitchen sink combo at the grocery store right next to the extension cords and lightbulbs. Even the least computer-savvy people I know have bought and installed one. Okay…maybe I strongly encouraged them, especially if we were drinking, but the point is still that they all went out and did it!

But getting back to Skype… IP Bandwidth is cheap these days. I would think it would be easy for Skype to buy some IP access scattered around the country, set up some supernodes, and let the network do the rest. Unless they don’t have the cash, which seems highly unlikely considering how little this would cost since all they’re looking to do is augment the existing infrastructure.

This reminds me a little of the origins of Amazon.com. They were founded as an on-line bookseller who could beat the competition because they didn’t have to support a physical supply-chain infrastructure–they’d just order books from the publishers or dealers, then ship them along to the customer in return for some mark-up. It didn’t quite work out that way, though. These days, Amazon has massive “distribution centers” filled with inventory, workers, and fulfillment systems, none of them free.

I think that if anyone is working on a valuation for Skype, they should look long and hard at the assumptions about the viability of the pure peer-to-peer architecture and how much it’s going to cost to prop that architecture up as the supernode-to-non-supernode ratio continues to shift the wrong direction.

Bad Corporation, Bad! Bad!

Thursday, August 11th, 2005

So the folks over at FedEx, in addition to lacking any sense of humor whatsoever, have once again provided a cautionary tale of Second-Order Risks being greater than the Risk from the original (perceived) threat.

Case in point is their attempt to force the closure of http://fedexfurniture.com by mis-application of the DMCA. Until their attorneys got involved, the odds I’d ever have even heard of the site (unless it showed up on Boing-Boing) were pretty much zero. Because they did, however, I’m reading about it in Wired:

Most of us have been there. You can just barely afford to pay the rent. But forget about buying furniture — not if you want to eat, anyway.

Jose Avila recently found himself in just that predicament. Although he has a good job as a software developer, he’s locked into two rents after moving to Arizona, and has no extra cash for an Ikea shopping spree. But instead of scouting street corners for a ratty, unwanted couch, Avila got creative and built an apartment full of surprisingly sturdy furniture — out of FedEx shipping boxes.

Fanciful as his creations may seem, FedEx is not amused. The shipping giant’s lawyers have sent Avila letters demanding he take down the site he created to document his project, invoking, among other things, the Digital Millennium Copyright Act (.pdf), or DMCA.

Avila has outfitted his entire apartment with FedEx box designs, including a bed, a corner desk with wall shelves, a table, two chairs and a couch. Drawing from architecture and drafting classes he took in college, Avila has designed pieces that are surprisingly un-boxy.

I also got to read about it over at TechDirt or at any of eight or ten other news outlets. I’m also now able to learn more, both about the specifics of this case as well as more on what the DMCA does or doesn’t allow at the Stanford Law School Center for Internet and Society, where they are doing a very nice job of demolishing FedEx’s claims.

While I’m not going to be building any furniture out of FedEx boxes, I can say that the next time I need to ship something overnight, I’ll be choosing some other carrier. I don’t like bullies in general and have a particular dislike for corporate legal bullying, whose tactic is based solely on the premise that the target can’t afford to fight back. Instead, I’ll vote with my wallet by choosing an alternative (of which there are plenty) and encourage others to do the same.

So let this be a warning to all of those who would, Cry, “Havoc!” and let loose the Dogs of Law. Many times, things which would otherwise fade rapidly into obscurity, especially in the Attention-Deficit afflicted modern media, become major stories (usually Media Relations disasters) for no other reason than because the corporation turned it into a conflict.

In general, I recommend that Lawyers should only be called out when all reasonable options have failed, especially when the Internet is involved. The problems tend to start when you ask a lawyer what your options are–when your only tool is a hammer, all your problems tend to resemble nails.

Sand Castles

Wednesday, August 10th, 2005

I spent a long weekend at the beach swimming, lying in the sun and building sand castles with my wife and daughter. The weather couldn’t have been better and a wonderful time was had by all.

My daughter is only four, so she isn’t entirely clear on things like tides, high water marks and Large Waves. She picked a point midway between the low and high tide lines and we built a very simple castle, more of a pile of sand than a proper sand castle. It took about five minutes.

Immediately, the waves began trying to wash it away. “Daddy! Do something!” she exclaimed. So I dug a trench in front of the castle and used the excavated sand to create a small berm between the trench and the castle. It stopped the erosion, but waves being waves and sand being sand, the fix was only temporary.

Nevertheless, I was having fun creating massive earthworks to protect what had become by comparison, a tiny castle. But after half-an-hour or so, a massive boat wake washed right past my berm, over my castle, beyond the high tide line, and stopped just short of my wife who was alternately napping and watching our efforts with some bemusement.

As proof that I didn’t take enough time off, my sand castle turned into a giant allegory for Risk and Network Security.

I had an asset whose value was Five Minutes. The asset owner, my daughter, was emotionally invested in the asset. I was having so much fun building countermeasures that I completely ignored the fact that I spent six times as much (30 minutes) to protect the asset as it had taken to build it. And, just to round it all out, a high-impact, low-likelihood event wiped out both my safeguard and my asset.

All in all, a perfect Tale of Risk in the Real World from a beautiful, sunny day at the beach.

Is “Conferencing” a word?

Tuesday, August 2nd, 2005

I’ll be attending the Midwest Network Security Forum tomorrow and Thursday. If you happen to be attending as well, look around for me and say, “Hi.”

I have yet to find a company that will send me to Def-Con, so I always wind up at events like CSI, Security Decisions (great conference, loads of sales calls afterwards, though), and others of that ilk. I must be doing something wrong, since even E&Y sends people to DefCon.

Nevertheless, it’s nice to get out of the office for a couple of days for some (hopefully) good presentations and a happy hour or two.

Getting to the Roots of Terrorism

Monday, August 1st, 2005

For those of us who have been giving thought to the roots of terrorism of late, I suggest you take a look at comments from four of the academics at The London School of Economics on the 7/7 London Bombings.

The essays are short, pragmatic, enlightening and thought-provoking analyses of the motivations of terrorists and suggestions on some options for what might be done about it.

Michael Cox opens by reminding us of one of the key differences between Western-style terrorism and the Islamofascist version:

Two very obvious differences exist between old style Irish ‘freedom fighters’ and our new theological terrorists. Most obviously, the Provos distinguished in their own minds at least between legitimate and non-legitimate targets - a not insignificant strategic distinction that led to many an armed action actually being aborted. Not enough admittedly, but many more than we knew at the time. Secondly, we always knew that at the end of the day, Irish republicans would negotiate some sort of deal. The question was never ‘if’ such a deal would be struck, but rather ‘when’. This is why the Good Friday Agreement, or something like it, was always likely to happen: one day. It was just a matter of time, luck, conjuncture and diplomacy.

Cox also looks at some important similarities, the first of which I’ll include here:

Yet let’s not dispense with the past altogether. In fact, there may even be some useful lessons to be drawn from Northern Ireland. Lesson one: don’t make the situation worse by acting dumb or tough - or both. How many ordinary members of the minority community in the North were turned into Provos by the actions of the British Army? Loads. I know, because many of them with a very similar tale to tell ended up in my lectures in Queen’s University after having done their 15 years in prison.

Gwyn Prins sees a similar problem space and his outline points toward a similar view of what the solution might look like.

The jihadists are unconditionals. They are not conditional terrorists like the IRA with political demands that could be negotiated or even conceded, who have political restraints on what they might do and who can be deterred. Unconditionals wish only to annihilate - spiritually as much or more than physically. Unconditionals like Al Qu’aeda or Aum Shinrikyo who released poison gas in the Tokyo subway cannot be deterred or bought off. As Kipling wrote, if you pay the danegeld you never get rid of the Dane.

There are only three ways to defeat them. The first is tactical, by pre-emptive intelligence leading to frustration of their plans. The second, strategic, by refusing to be intimidated into changing our lives, surrendering our values and freedoms - a point on which colleagues in the London School of Economics have been in the public eye in recent times with their severe criticisms of current proposals for high-tec identity cards. And the third is to deny them spiritual legitimacy by drowning them in the Middle East in a more potent ideology of hope.

Just go read all four. They do not offer quick solutions, suggestions for satisfyingly violent responses, or rationalizations for curtailing civil liberty–quite the opposite. That’s because they are real experts on Terrorism, something most Americans have unfortunately never seen or heard.