[SecurityRatty] tag: thirty-eight

"New Attack" Against Encrypted Images

Thu, 09 Oct 2008 02:44:14 +0000

In a blatant attempt to get some PR:

In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.

Here's the paper. Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.

Yeah, we already knew that.

And -1 point for a security company requiring the use of Javascript, and not failing gracefully for a browser that doesn't have it enabled.

And -- ahem -- what is it with that photograph in the paper? Couldn't the researchers have found something a little less adolescent?

For the record, I doghoused PMC Ciphers back in 2003:

PMC Ciphers. The theory description is so filled with pseudo-cryptography that it's funny to read. Hypotheses are presented as conclusions. Current research is misstated or ignored. The first link is a technical paper with four references, three of them written before 1975. Who needs thirty years of cryptographic research when you have polymorphic cipher theory?

EDITED TO ADD (10/9): I didn't realize it, but last year PMC Ciphers responded to my doghousing them. Funny stuff.

How to minimize the impact of a data breach

Mon, 29 Sep 2008 20:00:00 +0000

Thirty-one percent of customers--nearly one-third of a company's client base and revenue source--are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.

Links List 8.29.08

Fri, 29 Aug 2008 10:00:44 +0000

ChangeWave Research released a survey of 1,947 people responsible for IT spending. Thirty percent of the respondents reported that third-quarter IT spending was lower than previously planned – while 12 percent spent more than planned. Thirty-five percent cited higher energy costs as the top factor for spending slowdown.

Parlez-vous open source? While wide-spread open source usage is still debated in many companies, the French have been advocating for all open source all the time in government and education. French President Nicolas Sarkozy set up an economic commission that recommended tax benefits to stimulate more open source development. Lesson learned from France: start ‘em early. “All students in France use open source.”

Just in time for Labor Day, John Edwards (no, not that one) comes out with an informative guide on “Who provides what in the cloud”. No doubt, this will be a rapidly expanding list, but what’s really interesting is the comment on the article. People have very strong opinions on the cloud…

Research firm Aberdeen Group reports that network costs will increase slightly more than 5 percent over 2007. Contributing factors: “need for speed”, shift from standard to mobile PCs (more end points of connectivity), and the ever-expanding network. And of course the hidden costs of multiple tools with multiple management consoles – if you’re not smart enough to choose say a comprehensive network management solution that is vendor agnostic…One tool to monitor them all…

And just because I miss the Olympics already, here’s an irreverent take on what it’s like to lose to Michael Phelps. http://www.thetechstop.net/?p=1503

Enjoy your long Labor Day Weekend!

Please dont ever die guys, we need you!

Mon, 21 Jul 2008 15:54:41 +0000

Sadly, we have very few heroes nowadays. This time in our lives is sure different.

clipped from blog.wired.com

Commemorating the Ultimate Geek-Project: Apollo 11

Thirty-nine years ago, on July 20, 1969, two ultra-geeks landed upon Luna, Earth’s moon.? Their mission was called Apollo 11.? While the vast majority of the press at the time was devoted to Armstrong actually setting foot upon the Moon, the really crucial aspect of the landing on the Sea of Tranquility was just that, the landing.? This day commemorates the culmination of the science, technology, and massive national effort that went into the American Space Program.? In commemoration, we salute the second man to walk upon Luna, the Lunar Module Pilot of Apollo 11: Edwin Eugene “Buzz” Aldrin, Jr.

Mission Statement for Federation

Thu, 26 Jun 2008 06:35:35 +0000

Bruce Sterling (11/20/2001):

You know what I want? I don't want a National ID Card. I want a Global Coalition Visa.

Like it or not, we've got a huge global diaspora now. It is a fact of life. Nations with stupid and corrupt politics have seen their clever people brain- drained away, to places where the cops don't shake you down twice a day. And jet-setters go everywhere. And properly so. If you're in a true global society, then you spend a lot of your time among aliens. Quite often you are the alien. You might notice that even Al Qaeda is a genuinely multinational group. They gravitated to wicked, lawless places like Sudan, Chechnya and Afghanistan, where the locals shoot you if you ask for a badge.

But what about all us bright, shiny, world-trading jet setters, huh? There are thirty percent fewer Yankees in Europe this Christmas, and that is bad. Let me pose the problem this way. If I am going into a Japanese restaurant in Japan, I would rather like to be able to haul out some gizmo and flash it at my fellow civilians, and have these kindly people understand with a high degree of likelihood that I am not a mass murderer. On the contrary, I am quite civilized, and I should be brought a beer immediately.

A platinum VISA card and a five-hundred-dollar suit will almost do that, but those are too easy to forge and steal, plus they are not very democratic. The UN should get together on this. We should have a high level summit about digital hardware support for the crippled tourist economy. Fear and ill treatment shut down tourism faster than anything short of open warfare. That is bad for all of us. Killing off tourism harms our civilization and impoverishes our cultures. People in civilized states shouldn't routinely treat one another as criminal suspects. I don't want to get done-over for three hours every time I get off a plane in London. When I go to London, I go with empty suitcases. I don't plan to stay, but I am better news for the London economy than a lot of the people who live there.

They should know all that that before I get off the plane. My arrival is excellent news for Britain, so I should be treated that way. If this is a new kind of war, I don't want to be the evil guy hunkered down in the bunker; I want to fly with the boys from Air Assault. I want one of those handy crypto-style Friend-or-Foe IDs.

These people who normally meet me whenever I am an alien, they don't need to know my nationality, my home address or my shoe size. They just need to know that, despite being alien, I'm sort-of okay.

I want a democratic, citizen-to-citizen device that will bridge those social barriers and language barriers. I think we could invent devices and means of verification that would strengthen the global social fabric that terrorism wants to rip. It wouldn't be easy or simple, but it's not beyond our ingenuity. Our social capital sustains all civilized societies, and it is all about trust. So let's invent new methods of trust.

I added bold to the last sentence because I think this is the mission statement for building out federation systems.

Your 419 Mail Roundup

Wed, 25 Jun 2008 09:29:29 +0000

Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
Subject:
HELLO DEAR
From:
"abavanagift13 Gazeta.pl"
Date:
Sat, 21 Jun 2008 12:26:24 +0000
BCC:

Hello Dear,

My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:

http://www.rte.ie/news/2000/0418/zimbabwe.html

I am looking for one who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.

During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.

My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.

However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.

After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.

So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.

We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant

All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. Kindly re-confirm to me the followings:

1) Your Full Name:
2) Phone, Fax and Mobile
3) Profession, Age and Marital Status.
4) Nationality

I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.

I will detail you more about the bank immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you

Regards

Blessing/Micheal Abavana

(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).

*********************************************************************************************

Subject:
Lycos Online Lottery Notification
From:
"LHOUTY MOHAMMED HASSANE"
Date:
Sun, 22 Jun 2008 02:42:53 -0000
BCC:

LYCOS LOTTERY ONLINE
8th Floor
1 Stephen Street
London
W1T 1AL

WINNING NOTIFICATION
This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).
You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.
To claim your funds please contact us with the information below.
Name: Dr. George Stevenson
Tel:+447031991681
Email:lycosclaimsdpt@gmail.com

It is mandatory that you send us your full names, address, phone number,
age, sex and occupation to enable us arrange your claim.

Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.

Congratulations from mambers and staff of Lycos
Lhouty Mohammed Hassane.
Lycos Lottery Co-ordinator

(A "Lycos Lottery" and they're using a GMail address? Doh).

*********************************************************************************************

Subject:
Yukos Oil
From:
Mr. Timinskiy Vladimir
Date:
Wed, 25 Jun 2008 5:38:17 -0400
To:

I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...
Regards
Mr. Timinskiy Vladimir

(Short. Sweet. Pointlessly fake).

*******************************************************************************

Subject:
Immediate Release of Your FUND Via ATM CARD
From:
"Mr. Mark Louis"
Date:
Wed, 25 Jun 2008 01:45:09 -0700
To:
undisclosed-recipients:;

SUBJECT: Immediate Release of Your FUND Via ATM CARD

Attention: ATM Card Beneficiary,

I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK
OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any
ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.

We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in
any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;

Contact Person: Dr. Olu James
Office email address: pcfc_nigeria@yahoo.com
Private: +2347084501007
Office:018969906

Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use
to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address
where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.
Mr. Mark Louis.
Executive Governor,

Central Bank of Nigeria {CBN}.

(Ah, the old "Let's lure them in with the magical bank card" trick).

******************************************************************************************

Subject:
CONTACT THE FEDEX COMPANY FOR YOUR FUNDS
From:
"SAMUEL DUNBAR"
Date:
Fri, 20 Jun 2008 12:33:43 +0100
BCC:

Dear Friend,

Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.

However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.

This is their Contact Address;
Attn: Cheif Mr. George Kobra (Director)
Tel: +229-9799 2240
E-mail: fc.bj@sify.com

Send them your contacts information to enable them locate you
immediately they arrived in your country with your package.

This is the information they needed from you.

1. Your full name:.....
2. Your shipping/home address:.....
3. Your tel no #......
4. Your current office tel no #
5. A copy of your passport.

Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.
I wish you and your family Long Life,
Prosperity and Happy 2008.

Thanks and Remain Blessed.

Yours sincerely,
Mr.Samuel Dunbar
(Secretary)

(Honestly, if you contact FedEx they'll give you tons of money....)

****************************************************************************************

That's your lot for another week....

Security Briefing: May 28th

Wed, 28 May 2008 08:49:50 +0000

Insert pithy note about how much fun I’m having and how I enjoy the struggle of reading/collating/loving the links at 0-early-thirty in the frakkin morning. Thanks to all of our new subscribers that joined us yesterday. Welcome! And bunnies. Magic Bunnies!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

Man Allegedly takes a penny from the cup belonging to E-Trade and Schwab then gives the money back to Lumberg just before Milton burns the place to the ground.
Get Kraken on your botnet You want the original title or the funny title?
Haberdashery! Or, how to tell an Aitel fanboi from a mile away
HP SPIs SaaS appsec glory hey - if you think you’re so much smarter than me - comment! (not you CJ, you’re scary)
Singapore firm claims to own patent on clicking an image to go to a different site does prior art from 1993 count against a patent issued in 2004?
And the Gold goes to RFID - Olympic Tickets to contain details on legitimate holder What is the relevance of the Olympics these days anyways?
Flash Pants! - Flash 0day vuln pwns you
Consumer Alert - you’re keeping too much data in your phone Your drinking phone should look like you’re at a retro party
Prepare for ~~Jesus-Net~~ Family-friendly broadband - Nanny-state sez free-Wifi is walled garden

Tags: News, Daily Links, Security Blog, Information Security, Security News

Almost too sad to read

Mon, 26 May 2008 13:22:58 +0000

I dont think I have any words to say for this comment.

clipped from apnews.myway.com

Veterans’ burials nonstop at national cemeteries

An average of 1,800 veterans die each day, and 10 percent of them are buried in the country’s 125 national cemeteries, which are expected to set a record with 107,000 interments, including dependents, this year. And more national cemeteries are being built.

Thirty-four veterans groups volunteer for services. Every seventh Thursday members of American Legion Post 548 from Louisville, Ohio, dressed in black coats, ties and pants with white belts, gloves and shoulder cords, come to pay tribute to fellow veterans.

Phishing Emails Generating Botnet Scaling

Fri, 18 Apr 2008 10:57:30 +0000

A bigger and much more detailed picture is starting to emerge, with yet another spammed malware campaign courtesy of the botnet that is so far responsible for a massive flood of fake Windows updates, phishing emails targeting the usual diverse set of brands, fake yahoo greeting cards, and most recently delivering "executable news items", through Backdoor.Agent.AJU malware infected hosts.

Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :

- Sender Address: "NatWest Internet Banking '2008"

to Recipient: <@fs1.ge.man.ac.uk>Subject: Natwest Bank Bankline: Confirm Your Login Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "NatWest Bank On-line Banking'2008"

to Recipient: <@bbc.co.uk> Subject: Natwest OnLine Banking Important Notice From Technical Department Id: 9044 Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. Attached File: "ods096.gif" (image/gif)

- Sender Address: "Natwest Bank Internet Banking Support"

to Recipient: <@yahoo.co.uk> Subject: NatWest Private and Corporate: Confirm Your Login Password Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.

- Sender Address: "Natwest Private and Corporate Support"

to Recipient: <@yahoo.co.uk> Subject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191 Email Content: //pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@56bridgwater.fsnet.co.uk> Subject: Natwest Internet Banking: Please Update Your Internet Banking Details Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwszewcnnhrrDRCfszlaucndsOoerdnOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif)

What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 66.199.241.98/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :

news_report-pdf_content.exe

Scanners result : 14/31 (45.17%)

Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG

File size: 45056 bytes

MD5...: c4849207a94d1db4a0211f88e84b0b59

SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c

SHA256: 12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

An internal nameservers ecosystem within the botnet, active and resolving :

ns1.ns4.ns2.ns3.id759.com

ns3.ns1.id759.com

ns1.ns2.ns1.ns4.ns2.ns3.id759.com

ns1.ns2.ns3.id759.com

ns1.ns2.ns4.id759.com

ns1.ns4.ns4.ns2.ns3.id759.com

ns2.id759.com

ns2.ns1.ns2.ns3.id759.com

ns2.ns1.ns2.ns4.id759.com

ns3.ns2.ns1.ns2.ns3.id759.com

ns4.ns1.ns1.ns2.ns3.id759.com

Yet another internal nameservers ecosystem within the botnet :

ns1.serial43.in

ns2.serial43.in

ns3.serial43.in

ns4.serial43.in

ns1.ns1.ns1.serial43.in

ns1.ns2.ns1.ns1.serial43.in

ns1.ns2.ns2.serial43.in

ns1.ns4.ns1.ns1.serial43.in

ns2.ns1.ns2.serial43.in

ns2.ns1.ns4.ns1.ns1.serial43.in

ns2.ns2.ns1.ns1.serial43.in

To sum up - these are all of the domains currently active and used for the malware/spam/phishing campaigns on behalf of this botnet :

server52.org

set45.net

site83.net

sid95.com

shell54.com

siteid64.com

setup36.com

share73.com

service28.biz

There are several scenarious related to this particular botnet. Despite that it's the same piece of malware that's successfully adding new zombies to the infected population, the diversity of the campaigns, as well as the fact that for instance share73.com is registered by casta4000 @ mail.ru and is into the "reklama uslug" business which translates to advertising services, in this case spam and phishing emails sending on demand, access to the botnet could be either offered on demand, or the service itself performed in a typical managed spamming appliance outsourced business model. Are they also vertically integrating in respect to the fast-fluxing? Yes they are, since they're achieving it without the need to hire a managed fast-flux provider, which isn't excluding the possibility that they aren't in fact one themselves, as it's evident they've got the capability to become one.

The Checklist

Thu, 07 Feb 2008 17:14:00 +0000

Brian Chess wrote about a great article in the New Yorker - "The Checklist." The article is a fantastic read and I highly recommend it, even if you're not interested in medicine. It is well written and quite engaging about how doctors handle a ridiculously complex topic - intensive care.

Like Brian, I was struck by how closely the article can parallel some of the problems we face in trying to develop secure software. I agree with the basic premise of Brian's statement, that a checklist can help in the software development world just like it can in the ICU. I've had great success providing checklists to developers of common areas of concern, areas they need to make sure the document, etc.

Document how you handle authentication. if different from standard X, get a security reviews.
Document how you're handing input filtering. If not the standard library with declarative syntax, document and get a security review.....

You get the picture. You can do similar things with static analyzers for example, and even by tweaking compilers or compile environment to prevent the usage of certain easy to mess-up functions such as strcpy, messed up buffer sizes, etc.

I want to focus on two other items from the article that are worth noting.

Metrics
Processes

Metrics

In the paper the author talks about following the checklist and how it reduced deaths. One thing he never mentions is the cost of following the checklist. I thought it interesting, but I can only assume based on the number of lives saved, and the cost of even a single infection, that the costs of following the checklist are far outweighed by the cost savings. Still, it would have been nice to see a cost comparison between the two.

What is also interesting though is that in the hospital setting its generally quite clear what an adverse event is. We generally know when someone has an infection, we certainly know when someone dies. We do root cause analysis in many cases (though not all) to understand the general cause of death, though when there is an infection for example we don't always get to root cause.

One result of this sort of tracking, is that it occurs within a regulatory framework where hospitals must report their incident rates publicly, and there are agencies within government charged with collecting, monitoring, and even in some cases improving on these measurements and results.

As a result of this public tracking, the key doctor from the paper, Pronovost, was able pretty clearly to tell whether his process changes were having a positive or negative effect. He had lots of public data to draw from, and the incidence rate at any given hospital is large enough that we can start to make valid statistical judgments about the impact of our changes.

Contrast this with software and the differences in both area, and maturity, are quite telling. We don't have any standard measures of success/failure, we don't perform lots of root cause on adverse events, and we don't have public reporting of success and failure. So, we don't have a general body of knowledge that allows us to get better or at least measure how we're doing.

Maybe we ought to have something like that? I wrote about this last year when saying that we ought to have some sort of NTSB for security, or at least for security breaches. Maybe its time we start taking that more seriously?

Processes

I was also struck by one of Pronovost's comments about medicine that I think especially relevant to software security. When asked whether we'd get to the point that checklists are as common as a stethoscope for a Dr, he replied:

"At the current rate, it will never happen,” he said, as monitors beeped in the background. “The fundamental problem with the quality of American medicine is that we’ve failed to view delivery of health care as a science. The tasks of medical science fall into three buckets. One is understanding disease biology. One is finding effective therapies. And one is insuring those therapies are delivered effectively. That third bucket has been almost totally ignored by research funders, government, and academia. It’s viewed as the art of medicine. That’s a mistake, a huge mistake. And from a taxpayer’s perspective it’s outrageous.” We have a thirty-billion-dollar-a-year National Institutes of Health, he pointed out, which has been a remarkable powerhouse of discovery. But we have no billion-dollar National Institute of Health Care Delivery studying how best to incorporate those discoveries into daily practice.

I was reminded of Gunnar's response to the Spaf piece - "Solving the Wrong Problems." I think Gunnar hit it on the head with his criticism of Spaf's piece, and I think the situation is quite similar to the one Pronovost finds in medicine.

For the most part we fail to treat the delivery/creation of software as a science. We do lots of research on languages, we do lots of work on theories of security, and then it all breaks down because we have people implementing the processes, and we don't spend any time on that. Well, at least not in measure to how much we spend on all sorts of other efforts that we don't measure, we aren't sure achieve results, etc.

We know lots about how to theoretically secure things, but we don't know a whole lot about how to get large software development organizations to produce consistently high quality/"secure" software. Heck, we don't even know how to do it if we aren't budget constrained, much less if we are.

To be sure, medicine hasn't solved this problem either, and they aren't dealing with a huge installed base :) They are better at measuring effectiveness, but again they are in a life/death world plus they have the added joy of strict liability. Operating under those conditions they do manage to settle on newer/better techniques pretty quickly, because they are tracking how they are doing, lives are on the line, and they are pretty strongly incented to get it right.