Security Now 215
Topic: Security Maxims
Recorded: September 23, 2009
Published: September 24, 2009
Security Now 215: Security Maxims
News & Errata
09:02 - 17:25
- The Apple Update on September 10th fixed the following security flaws:
- A buffer overflow error in their handling of alias files that could have resulted in remote code execution.
- A memory corruption error in Resource Manager in its handling of resource forks that could have resulted in either application termination or remote code execution.
- Multiple vulnerabilities identified in ClamAV, which is distributed only with Mac OS X Server systems; several of those vulnerabilities could lead to remote code execution.
- An integer overflow error in the handling of images with an embedded ColorSync profile.
- An integer overflow error in Core Graphics that could result in remote code execution.
- A heap overflow error in Core Graphics caused by drawing long text strings.
- A null pointer dereference error in CUPS, which is the Common Unix Printing System that the Mac uses.
- A heap overflow error in the USB back end for CUPS.
- Multiple vulnerabilities in Adobe's Flash Player plug-in.
- Multiple memory corruption errors in the Image I/O subsystem in the way it handles Pixar film-encoded TIFF images.
- A design issue in the Launch Services system which can cause an unsafe file to be opened automatically.
- A design issue in Launch Services, as a result of which there's no warning when attempting to open downloaded content that is unsafe.
- An implementation issue in MySQL that might lead to an escalation of privilege.
- Multiple vulnerabilities have been identified in the bundled PHP.
- An error in Samba, which fails to perform adequate checks, thereby leading to unexpected sharing of folders.
- A cross-site scripting error in their wiki server in the way it handles requests that have non-UTF-8 encoding.
17:26 - 22:45
- In the first week of Firefox alerting users that their version of Flash Player was out of date, 10 million people updated their version of Flash Player.
- Mozilla is looking to team up with other companies to alert users if other browser plugins are out of date.
22:46 - 26:29
- A man purchased a program called SpyAgent to spy on his ex-girlfriend.
- She worked at a hospital, and the spyware got installed on the hospital computer she used.
- Over the course of about two weeks, the spyware on her machine emailed to him more than a thousand screen captures of what was going on on this sensitive machine, including details of medical procedures, diagnostic notes, and other confidential information relating to 62 different hospital patients.
- He also obtained email and financial records for four other hospital employees.
- So he's now facing $33,000 in damages from the hospital and a maximum sentence of five years in prison.
26:30 - 30:52
- There's an unpatched vulnerability in Microsoft's SMB version 2.
- Microsoft has issued security advisory #975497 for it.
30:53 - 35:02
- On Monday, September 21, 2009, the FCC announced that it was going to impose rules requiring net neutrality.
35:03 - 39:46
- Steve discovered that, after measuring the Vitamin D levels in his blood every week, the variation in the testing accuracy was completely masking what was going on.
- So he is now taking supplements and measuring his Vitamin D levels every month.
- Recently at a hospital, one doctor gave all her patients vitamin D supplements and another did not.
- None of the patients who took vitamin D caught H1N1, and 10% of the other doctor's patients did.
39:47 - 42:56 Justin (Unknown)
His uncle's hard drive crashed and he needed to get his data off it. He ran SpinRite on it for 14 hours and it fixed the problem; he was able to copy all of the data off it.
02:00 - 02:15
- Maxim: "A succinct formulation of a fundamental principle, general truth, or rule of conduct"
48:11 - 51:00
#1 - The Infinity Maxim
- There are an unlimited number of security vulnerabilities for any given security device, system, or program, most of which will never be discovered, either by the bad guys or the good guys.
51:01 - 51:35
#2 - The Thanks for Nothin' Maxim
- A vulnerability assessment that finds no vulnerabilities, or even only a few, is worthless and wrong.
51:36 - 53:03
#3 - The Arrogance Maxim
- The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and how often they use words like "impossible," as in "impossible to crack," or "tamper-proof."
53:04 - 53:55
#4 - Be Afraid, Be Very Afraid
- If you're not running scared, you have bad security or a bad security product. His comment is that fear is a good vaccine against both arrogance and ignorance.
53:56 - 54:05
#5 - The So We're in Agreement Maxim
- If you're happy with your security, so are the bad guys.
54:06 - 55:00
#6 - The Ignorance is Bliss Maxim
- The confidence that people have in security is inversely proportional to how much they know about it.
55:01 - 57:12
#7 - The Weakest Link Maxim
- The efficacy of security is determined more by what is done wrong than by what is done right.
57:13 - 59:29
#8 - The High-Tech Maxim
- The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high technology it uses. So in security, high technology is often taken as a license to stop thinking critically.
59:30 - 01:00:04
#9 - The Dr. Who Maxim
- The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.
01:00:05 - 01:00:57
#10 - The Low-Tech Maxim
- Low-tech attacks work, even against high-tech devices and systems.
01:00:58 - 01:01:59
#11 - The Don't Wet Your Pants Maxim
- The more excited people are about a given security technology, the less they understand, one, that technology; and, two, their own security problems.
01:02:00 - 01:02:46
#12 - The Too Good Maxim
- If a given security product, technology, vendor, or technique sounds too good to be true, it is. And it probably sucks big-time.
01:02:47 - 01:04:34
#13 - The Control Freaks Maxim
- Control will usually get confused with security. Even when control doesn't get confused with security, lots of people and organizations will use security as an excuse to grab control.
01:04:35 - 01:05:25
#14 - The Father Knows Best Maxim
- The amount that non-security senior managers in any organization know about security is inversely proportional to, one, how easy they think security is; and, two, how much they will micromanage security and invent arbitrary rules.
01:05:26 - 01:05:43
#15 - The Big Heads Maxim
- The farther up the chain of command a non-security manager can be found, the more likely he or she thinks that they understand security, and that security is easy.
01:05:44 - 01:06:11
#16 - The Huh Maxim
- When a non-security senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve.
01:06:12 - 01:06:50
#17 - Voltaire's Maxim
- Common sense isn't all that common. He says real-world security blunders are often stunningly dumb.
01:06:51 - 01:08:16
#18 - The Yippee Maxim
- There are effective, simple, and low-cost countermeasures, or at least partial countermeasures, to most vulnerabilities.
01:08:17 - 01:09:46
#19 - The Arg Maxim
- Users, manufacturers, managers, and bureaucrats will be reluctant to implement these effective, simple, and low-cost countermeasures for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance.
Link to "Security Maxims" page at Argonne National Laboratory by Roger G. Johnston: 
- Go To Meeting
- Ad Time: 0:36 - 0:50 and 5:28 - 9:00
- Offer Code TWIT
- Ad Time: 0:51 - 1:06 and 43:03 - 46:51
- Recorded = September 23, 2009
- Published = September 24, 2009
- Duration = 1:14:02
- Log line:
- Edited by: Tony
- Leo sneezed during the ad but he did not mark it. I accidentally found it. 7:00
- Steve had problems hearing Leo. Leo was breaking up for Steve. 1:03:19