http://www.infoworld.com/weblog/udell/categories/security/ Copyright 2002 Jon Udell Sat, 03 Aug 2002 05:30:38 GMT http://backend.userland.com/rss092 8/2/2002; 5:58:44 PM http://www.infoworld.com/weblog/udell/categories/security/2002/08/02.html#a362 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>The September issue of the Atlantic Monthly has a remarkable special report called Homeland Insecurity (not yet excerpted online). It features none other than Bruce Schneier. I am delighted to see Schneier's philosophical transformation -- from&nbsp;crypto-infatuated fortress builder to pragmatic watchguard --&nbsp;detailed in a mainstream magazine. People who would never have read&nbsp;<A href="http://www.byte.com/documents/s=470/byt20001018s0001/index.htm">Secrets </A></FONT><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2><A href="http://www.byte.com/documents/s=470/byt20001018s0001/index.htm">and Lies</A> will read this excellent article, and I hope will ponder&nbsp;Schneier's message: </FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>The September issue of the Atlantic Monthly has a remarkable special report called Homeland Insecurity (not yet excerpted online). It features none other than Bruce Schneier. I am delighted to see Schneier's philosophical transformation -- from&nbsp;crypto-infatuated fortress builder to pragmatic watchguard --&nbsp;detailed in a mainstream magazine. People who would never have read&nbsp;<A href="http://www.byte.com/documents/s=470/byt20001018s0001/index.htm">Secrets </A></FONT><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2><A href="http://www.byte.com/documents/s=470/byt20001018s0001/index.htm">and Lies</A> will read this excellent article, and I hope will ponder&nbsp;Schneier's message: </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>- Security technologies are brittle </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>- When they fail, they fail catastrophically</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>- Human judgment needs to govern the security process</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>The article concludes with a description of Counterpane's command center:</FONT></P> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2><EM>Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgement, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.</EM></FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2><EM>Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.</EM></FONT></P></BLOCKQUOTE> <P>&nbsp;</P> 7/23/2002; 10:43:41 AM http://www.infoworld.com/weblog/udell/categories/security/2002/07/23.html#a350 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Under the OASIS umbrella, more folks are linking arms to support WS-Security: </FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Under the OASIS umbrella, more folks are linking arms to support WS-Security: </FONT></P> <BLOCKQUOTE><I> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>The OASIS standards consortium has organized a new technical committee to advance the WS-Security specification. WS-Security provides a foundation for secure Web services, laying the groundwork for higher-level facilities such as federation, policy, and trust. Through the open OASIS process, providers and users will come together to extend the functionality of WS-Security, which was originally published by IBM, Microsoft, and Verisign. [<A href="http://www.oasis-open.org/news/oasis_news_07_23_02.shtml">OASIS</A></A>] </FONT></P></I></BLOCKQUOTE> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>I plan to attend a </FONT><A href="http://www.xmlconference.com/boston/key.asp"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>forum</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> ("co-sponsored by OASIS and W3C") in Boston on Aug 26 to hear more about this. The picture is still quite fuzzy, frankly, but it does appear we're in a market-making let's-all-work-together phase. </FONT></P> <P><FONT size=2>PS: Maybe that shouldn't be surprising. According to today's&nbsp;NY Times, we are <A href="http://www.nytimes.com/2002/07/23/health/psychology/23COOP.html?ex=1028001600&amp;en=08e6ab50f8cadae1&amp;ei=5007&amp;partner=USERLAND">wired to cooperate</A>, and doing so lights up the pleasure centers of the brain. </FONT></P> <P>&nbsp;</P> 7/2/2002; 11:14:48 AM http://www.infoworld.com/weblog/udell/categories/security/2002/07/02.html#a326 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up. </FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>When I look at the proposed standards, though, I see a bunch of familiar stuff. Name/password authentication, Kerberos, access control lists, PKI certificates, signing, encryption. All this has been part of the web forever, though admittedly PKI and Kerberos haven't really gotten over the activation threshold.</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>I don't think its a bad idea to wrap XML around this stuff. But I'm not convinced that will solve the hard problem. What's hard is that security technologies are just a royal pain in the ass to deal with. I was sure, for example, that client certificates would be widespread by 1997 as a mode of authentication to websites, and as a single sign-on solution. Today I'm one of a handful of people who have ever bothered to acquire a client cert.</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Are we just trying to XMLize Kerberos and PKI and ACLs because we hope the magic pixie dust of XML will make the pain go away?</FONT></P> 6/18/2002; 12:57:27 PM http://www.infoworld.com/weblog/udell/categories/security/2002/06/18.html#a311 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Hey, this was top news in my own magazine. Cool!</FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Hey, this was top news in my own magazine. Cool!</FONT></P> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <P><A href="http://www.infoworld.com/articles/hn/xml/02/06/18/020618hnhomeland.xml?s=rss&amp;t=news&amp;slot=5"><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Knowledge management offers hope for homeland security</FONT></EM></A><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>. Technology to facilitate people-based networks [</FONT></EM><A href="http://www.infoworld.com/news/t_index.html"><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>InfoWorld: Top News</FONT></EM></A><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>]</FONT></EM></P></BLOCKQUOTE> <P dir=ltr><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Triangulation. Gotta love it.</FONT>&nbsp; </P> InfoWorld: Top News 6/12/2002; 8:19:47 AM http://www.infoworld.com/weblog/udell/categories/security/2002/06/12.html#a298 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Sunday's New York Times featured a </FONT><A href="http://www.nytimes.com/2002/06/08/politics/08COMP.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>disturbing story</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> on the IT culture clash between Google and the FBI: </FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Sunday's New York Times featured a </FONT><A href="http://www.nytimes.com/2002/06/08/politics/08COMP.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>disturbing story</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> on the IT culture clash between Google and the FBI: </FONT></P> <BLOCKQUOTE><I> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Data is compartmentalized so that case information compiled in Phoenix might not be accessible to agents in Minneapolis, and retrieval of the full text of case reports is not possible. Devised for the quick retrieval of the names of known suspects, the network can be searched for terms like "aviation" or "schools, " but not "aviation schools" -- in other words, precisely the kinds of phrases that may have made it easier for law enforcement agents to connect the dots and discern the patterns of activity leading up to Sept. 11 attacks. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Mr. Schmidt of Google said that government had characteristically been slower than industry to adopt new information technology and to link its multitudinous information networks. This leads to a condition that the industry calls "stovepiped" information, which means that data is warehoused in separate, unconnected silos. That is partly by design, Mr. Schmidt said, as a precaution against wandering hackers. "They don't want a network interloper to come in and do a lot of damage to other computers." [New York Times] </FONT></P></I></BLOCKQUOTE> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>I'm sure it's true, though no-one can come out and say so, that the FBI are among Google's most intense users. I hope a private network of weblogs will be the next step. Valdis Krebs has </FONT><A href="http://www.orgnet.com/prevent.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>a new paper</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> that suggests how social network mapping can be used to thwart terrorists. He writes: </FONT> <BLOCKQUOTE><I> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>To gather the data for mapping these networks, individually and as a group, requires much cooperation between departments, agencies and countries. This requires vertical, horizontal, and diagonal links between all of the investigators on the case -- in other words, our network needs to be as good or better than enemy's! [</FONT><A href="http://www.orgnet.com/"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Valdis Krebs</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>] </FONT></P></I></BLOCKQUOTE> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Maybe I've just got blogs on the brain. But like all stovepiped IT organizations, the FBI's will not be rebuilt anytime soon. The way forward is a human awareness network layered on top of those stovepipes and connecting them. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Such an overlay network needn't, of course, intersect with public blogspace. But purely internal use of existing low-tech weblog software could reproduce the same effect: a knowledge network with human routers. Would it be perfectly secure? Of course not. But in the end, what's the greater risk? That the enemy might discover we had connected the dots and have to change its plans? Or that we have no hope of connecting the dots at all?</FONT> </P> 5/18/2002; 3:50:56 PM http://www.infoworld.com/weblog/udell/categories/security/2002/05/18.html#a251 <b>...</b> Seeing Bruce Schneier at ETCON reminded me that I've been meaning to mention <A href="http://www.counterpane.com/passsafe.html">Password Safe</A>, a really simple and useful tool available for free from Schneier's company, Counterpane Labs. It's a GUI app you use to securely maintain a database of passwords. <P></P> <P>The version I'm using, 1.7, runs on Windows. Version 2, an <A href="http://sourceforge.net/projects/passwordsafe/">open source project</A>, is apparently still also for Windows only, though I guess this could change. </P> <P>I've been holding my breath for a long time waiting for single sign-on. After a while I started turning blue, and writing down passwords, which felt incredibly stupid but was unavoidable. Password Safe makes that necessary evil feel a lot less stupid. </P> <P>The database is Blowfish-encrypted. Each entry has a title (e.g., "Amazon"), a name, a password, and a comments field which I find quite important for recording the context of a given credential (e.g. "3rd sample user for test system version 5"). Copying a username or password to the clipboard, for subsequent pasting into an authentication dialog, is easy. There are some thoughtful details: you can have the app clear the clipboard when it's minimized, and it won't ever display any passwords on the screen unless you override a default. </P> <P>The whole kit -- executable, data file, and helpfile -- amounts to under 400K, and since there are no registry dependencies it can easily be moved back and forth between your desktop and laptop. </P> <P>Nothing earthshaking about this. Just a simple and practical tool, from the most pragmatic security pro in the business. </P> 5/15/2002; 8:23:52 PM http://www.infoworld.com/weblog/udell/categories/security/2002/05/15.html#a242 Here are some notes from <A href="http://radio.weblogs.com/0100887/stories/2002/05/15/notesFromSchneiersEtconTalk.html">Bruce Schneier's</A> talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues,&nbsp;because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime. <b>...</b> <P>Here are some notes from <A href="http://radio.weblogs.com/0100887/stories/2002/05/15/notesFromSchneiersEtconTalk.html">Bruce Schneier's</A> talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues,&nbsp;because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime.</P> <P>I'm sure he is right. If we change the economic incentives governing security practices, like we've done in the case of environmental protection, then there&nbsp;will be change. Otherwise not.</P> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <P><EM>Suddenly a company choosing an operating system gets handed two insurance policies -- here's what it costs if you use Linux, here's the policy for Microsoft. The math gets much more interesting now. Security will improve because the CEO will now care.</EM></P></BLOCKQUOTE> <P dir=ltr>This has disturbing implications for small software companies. Is there another way? He doesn't see one. </P> <P>&nbsp;</P> 5/15/2002; 2:35:08 AM http://www.infoworld.com/weblog/udell/categories/security/2002/05/15.html#a240 John Robb's comment -- <A href="http://jrobb.userland.com/2002/05/14.html#a1789">certification isn't worth doody</A>&nbsp;-- overstates the case. Despite exploitable flaws in the PKI/SSL infrastructure, I would rather transact business with a company that has identified itself to some third party than with a company that hasn't. <b>...</b> <P>John Robb's comment -- <A href="http://jrobb.userland.com/2002/05/14.html#a1789">certification isn't worth doody</A>&nbsp;-- overstates the case. Despite exploitable flaws in the PKI/SSL infrastructure, I would rather transact business with a company that has identified itself to some third party than with a company that hasn't.</P> <P>I'd also much prefer to transact business with <EM>individuals </EM>who take the trouble to identify themselves to some third party. The assurance offered by my Thawte freemail cert, while minimal, is far more than what's available in typical email discourse. </P> <P>Just because PKI has been oversold doesn't mean it should be underestimated. Groove shows us just how seamless the exchange of trust can be for users. Although it presumes a PGP-like model, it was built to be -- and in version 2.0 has become -- a system than works with enterprise and cross-enterprise PKI-based trust. The issues addressed by PKI aren't going away, and the technologies woven into PKI will play out in our lives one way or another. </P> <P>&nbsp;</P> <P>&nbsp;</P> 5/14/2002; 8:15:12 PM http://www.infoworld.com/weblog/udell/categories/security/2002/05/14.html#a239 <A href="http://www.infowarrior.org/rick.html">Richard Forno</A>, chief security officer for ShadowLogic, takes a dim view of the PKI industry. "<EM>Digital trust is a slick marketing tool put out by the PKI industry. DoD wants smartcards with certs by 2004. What's the value of that? I don't know. They don't know.</EM>" <b>...</b> <P><A href="http://www.infowarrior.org/rick.html">Richard Forno</A>, chief security officer for ShadowLogic, takes a dim view of the PKI industry. "<EM>Digital trust is a slick marketing tool put out by the PKI industry. DoD wants smartcards with certs by 2004. What's the value of that? I don't know. They don't know.</EM>" </P> <P>After contributing to an <A href="http://www.csl.sri.com/users/neumann/insiderisks.html#132">article</A> on these issues, he thought more about the implications of the MS/VeriSign cert compromise: </P> <BLOCKQUOTE><I>On March 22, 2001, Microsoft issued a Security Bulletin (MS01-017) alerting the Internet community that two digital certificates were issued in Microsoft's name by VeriSign (the largest Digital Certificate company) to an individual -- an impostor -- not associated with Microsoft. Instantaneously, VeriSign (a self-proclaimed "Internet Trust Company") and the entire concept of Public Key Infrastructure (PKI) and digital certificates -- an industry and service based on implicit trust -- became the focus of an incident seriously undermining its level of trustworthiness. This incident also challenges the overall value of digital certificates. </I></BLOCKQUOTE> <P>Forno agrees with Schneier: If you don't address processes and people, you have no security. For example, a notary only verifies the signature on a document, not its contents. So the real-world trust invested by them is unreliable. Garbage in, garbage out. You don't need to be a cyberterrorist to take advantage of this. You can be a Nigerian scam artist. </P> <P>Why, he asks, don't certs work like credit cards? Why don't they expire (in a timely fashion)? Passports and drivers licenses expire in a few years. Root certs expire in 2025, 2028, 2037. (True. I just checked my MS root certificate: expires 2020.) </P> <P>Why, he asks, would you trust a 5-year-old dot-com with your identity, rather than a brick-and-mortar financial institution like CitiBank? Most people, he says, would rather trust the latter. The <A href="http://radio.weblogs.com/0100887/2002/05/03.html#a214">Digital Identity</A> weblog made this same point recently. </P> <P>Forno recommends: Ellison and Schneier's <A href="http://www.counterpane.com/pki-risks-ft.txt">Ten Risks of PKI</A>. </P> <P>Well, it's all true. PKI and SSL&nbsp;do not&nbsp;add up to an&nbsp;e-commerce silver bullet. There isn't one. Every day, credit card numbers shielded by high-grade security land in web-exposed flat files that Google can find. As Bruce Schneier likes to say, it's the liability limit on Visa cards and not SSL that props up e-commerce. </P> <P>Will this chicken-and-egg situation ever resolve? I guess I'll&nbsp;keep on signing my emails anyway.</P> <P>&nbsp;</P> 4/9/2002; 11:01:32 PM http://www.infoworld.com/weblog/udell/categories/security/2002/04/09.html#a184 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>I'm sure </FONT><A href="http://www.soaplite.com/"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Paul Kulchenko</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> will soon fix the </FONT><A href="http://www.phrack.com/show.php?p=58&amp;a=9"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>SOAP::Lite vulnerability</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> that was just </FONT><A href="http://use.perl.org/~IlyaM/journal/4012"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>noticed</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>. This episode got me to wondering, though, about the original rationale for the SOAPaction HTTP header, and what can or should be done to make filtering SOAP traffic workable. Several years ago, one of the </FONT><A href="http://www.develop.com/soap/soapfaq.htm#16"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>original SOAP FAQs</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, from DevelopMentor, said: </FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>I'm sure </FONT><A href="http://www.soaplite.com/"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Paul Kulchenko</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> will soon fix the </FONT><A href="http://www.phrack.com/show.php?p=58&amp;a=9"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>SOAP::Lite vulnerability</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> that was just </FONT><A href="http://use.perl.org/~IlyaM/journal/4012"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>noticed</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>. This episode got me to wondering, though, about the original rationale for the SOAPaction HTTP header, and what can or should be done to make filtering SOAP traffic workable. Several years ago, one of the </FONT><A href="http://www.develop.com/soap/soapfaq.htm#16"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>original SOAP FAQs</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, from DevelopMentor, said: </FONT></P> <BLOCKQUOTE><I><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Since SOAP packets declare their "intent" by publishing interface and method names in the HTTP header, it is possible for firewalls to perform filtering based on this information (the SOAP spec states that implementations must verify that this information must match the corresponding headers and tags in the SOAP payload, otherwise the call should be rejected). </FONT></I></BLOCKQUOTE><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Here's what the </FONT><A href="http://www.w3.org/TR/SOAP/#_Toc478383528"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>SOAP spec itself</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> has to say on the matter: </FONT> <BLOCKQUOTE><I><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>The presence and content of the SOAPAction header field can be used by servers such as firewalls to appropriately filter SOAP request messages in HTTP. </FONT></I></BLOCKQUOTE> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Things didn't turn out quite that way, though. No consensus as to the security role of the SOAPaction header is evident among firewall experts [ </FONT><A href="http://lists.insecure.org/firewall-wizards/2001/May/0003.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>1</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, </FONT><A href="http://lists.insecure.org/firewall-wizards/2001/May/0006.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>2</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, </FONT><A href="http://lists.insecure.org/firewall-wizards/2001/May/0004.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>3</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> ], nor among XML protocol experts [ </FONT><A href="http://lists.w3.org/Archives/Public/xmlp-comments/2001Jun/0018.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>1</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, </FONT><A href="http://lists.w3.org/Archives/Public/xmlp-comments/2001Jun/0019.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>2</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, ]. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Did the notion advanced in DevelopMentor's FAQ -- that SOAP packets would declare intent by publishing interface and method names in the HTTP header -- make sense? At the time it seemed reasonable to me. But now, I wonder if a SOAPaction policy isn't rather like the scene in </FONT><A href="http://us.imdb.com/Title?0066808"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Bananas</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> where the newly-installed dictator declares that "everybody must wear their underwear on the outside, so we can check." The interfaces that a company chooses to expose to the world are, in the end, a policy that will or won't be enforced, regardless of the SOAP toolkits in use or the translations performed in a request pipeline. Enforcement will always require more than checking for underwear on the outside. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Sure, opening and inspecting packets will slow things down. And then </FONT><A href="http://www.intel.com/network/idc/products/xml_7210.htm"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>XML</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> </FONT><A href="http://www.datapower.com/products.shtml#xa35"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>accelerators</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> will be invented to speed things back up again.</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Solving this kind of problem is much, much harder than anybody wants to admit. It means you have to inventory your software assets, manage change, and be able to clearly describe the interfaces between your network and the global network. The same was always true for CGI, though; it's no different for SOAP. </FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Standardizing one HTTP header may not really help much. What will is to enumerate all the RPCs that you support, and as we move to a more document-oriented style of SOAP messaging, to provide the schemas that describe those documents. There's no free lunch.&nbsp;But here's an encouraging thought. The uniformity of XML, and the declarative style of XML processing, may help us to define policies and create tools to enforce them.</FONT></P> 4/8/2002; 3:22:15 PM http://www.infoworld.com/weblog/udell/categories/security/2002/04/08.html#a182 <FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Thinking about trust and social capital, in online communities, reminds me of the work of Lawrence Baldwin, the creator of </FONT><A href="http://www.mynetwatchman.com/vision.htm"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>myNetWatchman.com</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>. As I mentioned in a </FONT><A href="http://www.byte.com/documents/s=2291/byt1010773949067/0121_udell.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>column on broadband security</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, Lawrence takes issue with the attitude of personal firewalls toward the steady stream of malicious probes that they repel. That attitude can be summed up as: "Don't worry, this is just the background noise of the Internet, and we're shielding you from it."</FONT> <b>...</b> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Thinking about trust and social capital, in online communities, reminds me of the work of Lawrence Baldwin, the creator of </FONT><A href="http://www.mynetwatchman.com/vision.htm"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>myNetWatchman.com</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>. As I mentioned in a </FONT><A href="http://www.byte.com/documents/s=2291/byt1010773949067/0121_udell.html"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>column on broadband security</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>, Lawrence takes issue with the attitude of personal firewalls toward the steady stream of malicious probes that they repel. That attitude can be summed up as: "Don't worry, this is just the background noise of the Internet, and we're shielding you from it."</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Not so, argues Lawrence. In his </FONT><A href="http://www.mynetwatchman.com/vision.htm"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>vision statement</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2> he writes:</FONT></P> <BLOCKQUOTE> <P><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Every time your firewall or intrusion detection system logs an event, don't assume the source is the actual hacker. Think of it as a cry for help from a likely victim whose system has been compromised and is just being controlled by a hacker. It's easy to ignore attacks because they don't present an immediate threat &#151; after all, we have a firewall. However, every compromised system is a real and immediate threat to the underlying Internet infrastructure since these systems could be used to attack others and/or to launch distributed denial-of-service attacks (DDoS), potentially incapacitating large portions of the Internet. </FONT></EM></P> <P><EM><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>In light of these threats, I strongly believe that ALL attack events should be relentlessly pursued. </FONT></EM></P></BLOCKQUOTE> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Lawrence's software reads your firewall event logs, and relays events to his central service, &nbsp;which collates them and automatically notifies the ISPs&nbsp;or organizations that&nbsp;are (usually unwittingly) responsible.</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>Here is one of Lawrence's </FONT><A href="http://www.mynetwatchman.com/LID.asp?IID=3650406"><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>success stories</FONT></A><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>.</FONT></P> <P><FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2>myNetWatchman is a brilliant use of a network of distributed agents, and perhaps an excellent business model in search of funding, if Lawrence is inclined to go that way. But fundamentally it hearkens back to something we all know in real life: we're safer when we watch out for one another. Good neighbors report trouble when they see it. If you saw somebody breaking into a neighbor's house, you'd report it. Well, we're all neighbors here in cyberspace. Lawrence's software makes it easy to report trouble.</FONT></P> 2/2/2002; 2:26:07 PM http://www.infoworld.com/weblog/udell/categories/security/2002/02/02.html#a48 <A href="http://www.newsisfree.com/click/-6,1738718/">Hackers Hit Global Leaders' Summit</A>. An invisible cyber assault has cut off access for the second day running to the Web site of the World Economic Forum, organizers of the gathering confirmed. [<A href="http://www.nytimes.com/pages/technology/">The New York Times: Technology</A>] <b>...</b> <P><A href="http://www.newsisfree.com/click/-6,1738718/">Hackers Hit Global Leaders' Summit</A>. An invisible cyber assault has cut off access for the second day running to the Web site of the World Economic Forum, organizers of the gathering confirmed. [<A href="http://www.nytimes.com/pages/technology/">The New York Times: Technology</A>]</P> <P>See <A href="http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_a1.pdf">Cyber Attacks During the War on Terrorism: A Predictive Analysis</A>, by Michael Vatis, director of the <A href="http://www.ists.dartmouth.edu/">Institute for Security Technology Studies</A>, for an interesting set of correlations between political conflict and cyber attacks.</P> The New York Times: Technology 1/22/2002; 7:22:14 PM http://www.infoworld.com/weblog/udell/categories/security/2002/01/22.html#a33 <b>...</b> <A href="http://www.byte.com/documents/byt1010773949067/">Column | Broadband Security</A>. The Internet is an ideal collaborative environment for bad guys. Fortunately, it can work the same way for good guys too. Jon Udell 1/18/2002; 7:42:52 PM http://www.infoworld.com/weblog/udell/categories/security/2002/01/18.html#a17 <b>...</b> <A href="http://www.byte.com/documents/byt1010014252255/">Column | Dartmouth's Security Think Tank</A>. We expect government to protect critical infrastructure, and it has promised to do so. I'm glad to see that, on the issue of cyber-terrorism, the government has started to put some of our money where its mouth&nbsp;is. Jon Udell 1/18/2002; 5:44:01 PM http://www.infoworld.com/weblog/udell/categories/security/2002/01/18.html#a11 <b>...</b> <A href="http://www.byte.com/tangledthreads/thread.jsp?forum=263&amp;thread=8176">Talk | Managed code and security</A>. Because there's no safe memory or robust exception handling in C-based services, they are distressingly likely to surrender a root shell. It seems reasonable to suppose that this general class of problem could be ameliorated by the advent of managed-code-based services." Jon Udell