SpaceX Fails to Launch
SpaceX failed to launch today. They called off the launch with one second to go because of an error. While this must be frustrating for SpaceX, this is a lot better than launching with a malfunction resulting in the destruction of the spacecraft. At least this way they will be able to make sure that everything is ready for the launch. I bet the team is upset and now working some long hours to get the craft ready, but once the craft launches and is up in orbit, they will appreciate the wisdom of halting the launch.
Good luck SpaceX, and I hope to hear about a successful launch in the near future.
Not so RuggedCom… time to set up a blacklist
RuggedCom has sold mission-critical routers to the US Gov’t, utilities, and others with an undocumented backdoor installed. This is totally inexcusable, and RuggedCom should be out of business as a result. Under no circumstances should any IT company ship a product with a backdoor installed. I can understand the need for an easy way for the company to work with the router’s internals, but a default admin account and password should be sufficient. At least then the customers could change the default password and make the router secure.
I don’t know if RuggedCom’s leadership knew of this backdoor. This could have been the result of a lazy engineer, or a response to a program manager putting pressure on the team to get things done quicker. No matter what, there was a definite failure in both the technical leadership at the company and in their Quality Assurance team.
RuggedCom is a Siemens company. This is the same Siemens that was targeted by Stuxnet, and the same Siemens with a long history of security issues in their industrial controllers.
If a company is caught doing this crap they should be publicly blacklisted, and they should lose all of their customers and, as a result, go out of business. Just the fear of a possible backdoor has caused Huawei serious problems in getting contracts with non-Chinese governments. While there is no proof that I’m aware of, they still can’t get several of the big contracts that they want. There is also fear that when IT equipment is manufactured overseas, the foreign companies may put backdoors into the systems. This fear is so serious that at least one IT company I know of only installs their firmware in the US after the systems are manufactured. Talk about adding complications to your manufacturing and testing procedures, especially when you can’t test the equipment until it is shipped halfway around the world.
RuggedCom got caught, and I applaud the researcher who found the backdoor. Had this been just an accidental vulnerability, then this would be a very different story. However, with an intentional backdoor… it is a much more serious story. RuggedCom should pay to replace all of their compromised routers with equivalent non-RuggedCom routers and shut down. If they sold compromised routers to the US Gov’t, then they should be investigated for treason or other applicable law violations.
I suspect RuggedCom will try to spin this as best they can, and try to update their routers to remove the known backdoor. I give them credit for at least admitting that there is a factory backdoor. It would have been interesting to see whether there were any internal discussions about simply denying it. However, this isn’t a typical design flaw. This is incompetence and a complete misrepresentation of their expertise. Here’s what their webpage says about their products:
RuggedCom products are designed for use in harsh environments such as those found in electrical power substations, oil refineries, military applications, roadside traffic control cabinets and metals and minerals processing.
Now, I don’t think that any of their customers that are responsible for oil refineries, military applications, and so on will agree that a system with a factory backdoor is really designed for those harsh environments. Farewell RuggedCom, and I hope that as each of your employees finds a new job, you’ll take security seriously and be an advocate for secure products in your new companies.
I hope that with the pending demise of RuggedCom and the need for a blacklist of incompetent manufacturers, those that don’t take security seriously now will start doing so.
Does it matter if VMware’s source code is released?
VMware has admitted that their source code for ESX has been found on a Chinese network. Does it matter?
Yes: If the source code is poorly written and has inherent vulnerabilities, then the source code could be useful in developing tailored exploits to attack organizations using VMware.
No: If the source code is well written and secure, then it will not provide any insight that helps develop exploits.
So, the answer could be either Yes or No… it all depends on the quality of the source code. Now, this is only from a security perspective. The accidental release of VMware’s source code could certainly provide a competitor insight into how to compete with VMware. The theft of proprietary software is still theft and is a crime.
I hope that VMware wrote high quality and secure code. I suspect they didn’t, and there will be new exploits against VMware.
House approves CISPA… WTF?
The House voted on, and passed, CISPA today. I didn’t even know that it was up for a vote, nor was there much, if any, debate on this. CISPA is basically SOPA 2.0 with some changes. I am disappointed in Congress for passing this bill. I appreciate the need to share intelligence data between ISPs and the Government, but a bill isn’t required for that at all. Nothing is preventing the NSA, FBI, or anyone else in the Gov’t from sharing data. The data itself is owned by the people, and therefore should be shared by default. It doesn’t make sense to share classified information that would put our intelligence sources and methods at risk. I don’t advocate breaking the law by sharing classified information, but I do believe that there are plenty of legitimate ways for the Gov’t to share threat data with ISPs without the need for any new laws.
So, they have passed CISPA and now we will have to wait for the Senate to take up the vote. I wonder if there will be an outcry such as we had with SOPA, and if those that run the internet will speak out. Until legislation is written with those that use the internet in mind, whatever they write will not work.
Drupal vs WordPress
My wife is considering opening up her own small business, so I’ve been tasked with developing her website. So, for the past couple of weeks I’ve been looking at Drupal. I’d like to use Drupal to run her site. This site is on WordPress. I had considered using Drupal when I set up this site, but I found that it was too difficult for me to figure out in a short time.
After working with Drupal for a few weeks, my observations are:
- Drupal is not for the faint of heart.
- Incredibly capable yet incredibly complex.
- Lots of books on beginning Drupal and expert Drupal, very few in between.
- Will never replace WordPress as the easy, yet capable solution.
- Has a huge potential for being a business “platform”.
Drupal is not for the faint of heart
Wow, they certainly make downloading Drupal and standing up the basic front page easy. After that, it is a steep learning curve on nodes, modules, themes, menus, data architecture, and so on. It isn’t a product, it is a lifestyle. You have to drink the Kool-Aid and tough it out. I’m in the middle of this now, and I hope that soon the light bulb will come on and the mental aerobics I’m going through will finally straighten out.
Incredibly capable yet incredibly complex.
When you read the list of sites that are on Drupal you can easily get impressed. There are some big hitters there, and it is clear that Drupal can hold up to huge traffic and do almost anything you want it to. The range of available modules, the ability to create your own content types, and the extensibility of Drupal make it into a Swiss Army knife of web hosting. It can do anything you want it to do… assuming you know how to make it do that. With all of these capabilities come all of the possible options, configurations, and combinations of differing pieces and parts. I feel like they dumped all of the parts for different makes of cars in the garage, and then said to put the different cars back together. While the documentation is there, telling the difference between the Ford parts and the Chevy parts to begin with isn’t an easy task. Eventually you will either figure it out or die in the process.
Lots of books on beginning Drupal and expert Drupal, very few in between
As I’ve been learning, I’ve been looking at the different books available on Drupal. There are those introductory books on how to get a simple website up and running in only 145 steps, and there are those that help the intermediate experts become masters. I’m not stupid, and I can figure out how to install Drupal and set up a basic site. I’m looking at trying to go from the beginner (where I am now) to the intermediate guy. So, if this was a class, I’d be past the first two lessons, and not quite ready for my Senior Project. There just aren’t any books out there that I’ve found that address this class of student. Maybe I’m missing it, and I am finding some great information within blogs and posts on Drupal.org, but I’m not finding the book.
Will never replace WordPress as the easy, yet capable solution
I can’t imagine using Drupal for a simple blog. If you already knew Drupal it might be doable, but definitely not for the folks that are just looking for a place to call home on the web (outside of Facebook). With WordPress it is easier to get a basic and functional site up and running. I don’t know what the original inspiration for Drupal was, but WordPress appears to focus on making it capable, yet simple. I suspect you can go quite wild in WordPress if you want to, but with Drupal I feel like you are thrown into the wilderness on day one.
Has a huge potential for being a business “platform”
My wife wants to run a business. The business is service based, so each customer buys a day of service, and when they use that day, it is deducted from their account. Pretty simple. Also, I expect this is pretty common for small businesses. So, my goal is to allow the customers to manage their account on-line (buy more days, see how many days are left, etc.), and for the business to be able to track all of the accounts. Given that Drupal puts all of the data in a single database and can incorporate e-commerce, it seems like a good solution. If this was anything larger than what we are considering, I’d throw in a DMZ, intranet, firewalls, and all of the big iron crap necessary to protect your main business systems from the externally facing systems. However, that is not the case here, and it is feasible to back off to paper processes and to back up the data via printing.
I get the feeling that by leveraging the roles and rules within Drupal, this could be a powerful small business tool. Not only can you interact with your clients, you can also conduct your internal business processes. Why have SharePoint when Drupal can do the same thing? This would be a killer project for something like Acquia or another company to take on as a hosted service. Make it simple to set up an on-line store and to manage inventory within the company. Maybe even work with the major small business providers such as QuickBooks. Drupal could become the dominant small business platform, especially for new small businesses that don’t have the resources to develop their own internal software. I don’t think they will compete with SAP, Oracle, IBM, or in-house work in well established large businesses, but that is okay.
There are so many “platforms” today, but they are primarily focused on hosting custom applications. I can go buy computational power that will be my platform, but that assumes that I’m a software developer and software is my business. I can’t imagine the ice cream place down the street really considering building custom applications on EC2. But I can imagine them wanting to have a website where folks can order ice cream cakes. But the real seller is that from home they could figure out employees’ hours, their supplies, how the books look today, and get help automating keeping their stock where it needs to be. Allow them to make ice cream and to avoid having to worry about what it takes to run a small business.
There may be small business solutions out there now that fit this bill. I really don’t know, and if they are out there, I doubt that they are based on a community model like Drupal.
Conclusion
Right now my goal is to create a simple site for my wife, and to see where we go from there. I’m hoping to figure Drupal out at least enough to not have to fall back to WordPress or to make an attempt at Dreamweaver. I doubt I’ll get the non-customer-facing side or e-commerce integrated in the first round. I’m looking at Square on the iPad as our cash register since it takes a lower cut than most of its competitors. I’m also concerned that I want to be able to conduct business when the internet is down, so a 3G iPad may be a more robust solution.
The more I get into Drupal the more I’m impressed and overwhelmed. I would feel better if I was an HTML/CSS/PHP expert, but I’m not. I just have a vision in my head as to what I want when I’m finished. It really sucks having use cases figured out and then to struggle with bringing them to life. Hopefully soon.
All in one stun gun
Wired ran a story on a new patent application by Joel Braun for a multi-function non-lethal weapon. It is basically a gun with many barrels. I think this is a cool idea. Don’t like pepper spray? Change to the Taser. If that doesn’t work, move on to rubber bullets. This may work, but I am a bit concerned that this might be a bit too big for the average police officer to use effectively.
The more options that police have the better, as long as training and accountability are also maintained. I’d add a small camera on the weapon too, so we can keep a record of what is going on. This type of tool is very powerful, but could easily be used to attack innocent people. Or the level of force could be increased inappropriately compared to the needs of the situation. However, with that in mind, it is a good idea to have the ability to escalate gradually as the situation requires, instead of jumping from pepper spray to batons immediately.
I wish Joel the best of luck on this. Hopefully he’ll be successful and we can put the right tools, training, and accountability in place for our police.
Is Open Source Software a Threat?
I have recently gone through a governmental Information Assurance (IA) process to gain permission to connect a stand-alone development network to a broader government network. In the process, we got feedback on potential “threats” to our approach. While none of these were serious enough to prevent getting permission, one of the comments made really irritated me. It stated that the use of Open Source Software (OSS) posed a threat to the security of the network.
So, is OSS a threat? I don’t believe so, and in fact, I believe that in most cases quality OSS poses less of a threat than its commercial counterparts. All software, both OSS and commercial, may introduce vulnerabilities into a system. Software has bugs, bugs can be exploited, and therefore all software may pose a threat (hint: don’t keep software on your system you don’t need). But is OSS more threatening than commercial software?
It will certainly depend on the software. If the actual question is whether there is someone actively updating and patching the software, then it depends. For example, Firefox is an open source piece of software that is constantly being patched and improved. However, Windows 2000 is commercial software that is no longer being patched. So, which one is more secure? Firefox. However, if the roles are reversed and the open source software has been abandoned, and you are comparing it to a commercial piece of software that is being actively patched, then the commercial software is more secure.
However, what happens if everything is equal? Let’s say that both the open source software and the commercial software are being actively patched. Now, here’s where my opinion is that the open source software is actually more secure. The key issue is that as a customer I can look at the code if I wish. While that may be unlikely and I may not understand what I’m looking at, the fact that it is doable is a motivating factor for the open source developer to be more careful in writing the program. Their success is based on being able to stand behind their source code, not just the application itself. In a commercial application, it is about the program and not the source code. It could be a good looking and capable piece of software but written by monkeys from a security perspective.
It is frustrating that the IA community isn’t filled with software developers, but instead a new breed of engineers that are groomed by the marketeers of commercial software. Not many, if any, open source developers go out and sell their software to the government. If you hear it enough, it must be true. Well, here’s my challenge to the IA community. Show me some actual facts to back up your claims. If you can’t, then stop being biased toward commercial software. I want you to do your job and to do it well, and that means that you have the trust of your customers. With crap like this you lose all trust, and so when you have something important to say, it is likely going to be received with doubt.
Again, all software has the potential to introduce security concerns into a network. It doesn’t matter if it is open source or commercial.
LightSquared Loses
Well, it is done. LightSquared has lost its battle to compete with GPS. While I’m glad that GPS is safe for the time being, I do agree with several of LightSquared’s arguments. I hope that the FCC will take some of LightSquared’s technical criticisms to heart, and mandate better engineering in new GPS receivers. They really should implement better filters to ensure that they are not jammed by nearby frequencies. Even if there is nothing in those frequencies, that is just good engineering.
I doubt that LightSquared will be around for much longer. I don’t blame them for their efforts. They played the crappy hand they were dealt the best they could, but the political mistakes in this issue couldn’t replace physics. The FCC shouldn’t have allocated the frequencies to LightSquared in the first place. That was a political decision made without consideration of the technical approach LightSquared was going to take. As a result, LightSquared gets screwed because it couldn’t break the laws of physics, and everyone involved loses. Sorry LightSquared.
The Stupidity of Conventional SLBMs
Wired had another well written article titled “Pentagon Confused by its Own ‘Subs vs. Terrorists’ Plan”. The basic idea is that the US wants to conduct conventional global strike from submarines. One of the many Holy Grails for the DoD is instantaneous global strike: the ability to hit any target anywhere on the face of the earth at a moment’s notice.
The article does a good job of calling this what it is, a farce. There is no way that China, Russia, or any other nuclear-equipped nation will sit aside while a conventional warhead is sailing overhead to strike some target. The DoD is trying to make this new conventional warhead fly a different trajectory, so as to indicate to our allies and potential adversaries “Hey, trust us, it isn’t a nuke”. While it may be a conventional warhead, how will anyone besides the DoD know? If you can make a warhead fly this unique trajectory, why can’t it be a nuclear warhead?
Being able to hit a target at a moment’s notice is a mixed blessing. I’m reminded of the discussion during Dr. Strangelove where they discuss the benefits of bombers over ICBMs. The argument was that bombers took longer, and that was a good thing. Time allows the US and Russia (in Dr. Strangelove) to open up diplomacy and to try to calm things down. This doesn’t happen if the immediate answer is an ICBM launch.
So, if we have this capability, what becomes the role of diplomacy? In addition, we’ll be tempted to use this on the terrorist in a mountain cave. Is that guy really worth it? To launch a conventional ICBM or SLBM will cost millions per launch. Is this guy really worth that price? Is this guy worth the possible nuclear response? I would seriously doubt it, but there may be specific cases where it is worth it.
If money was no object, if we had a sound foreign policy, strong diplomatic capabilities, and if everyone trusted us, then this could be a good idea. In reality, it isn’t. We don’t have enough money to keep being the World’s Policeman, so why do we want to go down this route? It is hard to imagine that this type of weapon would not only start, but end a conflict. This would be just the opening round to an extended conflict involving thousands of American soldiers. If it was possible to avoid war through the use of this weapon, I’d be a big fan… but I just don’t see it.
At best, this is going to be a huge work program for the Military Industrial Complex, similar in scope and cost to SDI. At worst, this will get us into an accidental nuclear war and end our civilization. With those being two of many plausible outcomes, we should be wary of going down this path. Let’s hope that the budget hawks will stop it in its tracks before we waste millions of our precious dollars.