
Rhymes with Orange

Posted on September 7th, 2006 at 21:52 by John Sinteur in category: Cartoon

orange.jpg



Microsoft and FairUse4WM

Posted on September 7th, 2006 at 19:20 by John Sinteur in category: Microsoft, Security

[Quote:]

If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.

Security patches used to be rare. Software vendors were happy to pretend that vulnerabilities in their products were illusory — and then quietly fix the problem in the next software release.

[..]

Since 2003, Microsoft’s strategy to balance these costs and benefits has been to batch patches: instead of issuing them one at a time, it’s been issuing them all together on the second Tuesday of each month. This decreases Microsoft’s development costs and increases the reliability of its patches.

The user pays for this strategy by remaining open to known vulnerabilities for up to a month. On the other hand, users benefit from a predictable schedule: Microsoft can test all the patches that are going out at the same time, which means that patches are more reliable and users are able to install them faster with more confidence.

In the absence of regulation, software liability, or some other mechanism to make unpatched software costly for the vendor, “Patch Tuesday” is the best users are likely to get.

Why? Because it makes near-term financial sense to Microsoft. The company is not a public charity, and if the internet suffers, or if computers are compromised en masse, the economic impact on Microsoft is still minimal.

Microsoft is in the business of making money, and keeping users secure by patching its software is only incidental to that goal.

There’s no better example of this principle in action than Microsoft’s behavior around the vulnerability in its digital rights management software PlaysForSure.

Last week, a hacker developed an application called FairUse4WM that strips the copy protection from Windows Media DRM 10 and 11 files.

Now, this isn’t a “vulnerability” in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: “Oh no. I can now play the music I bought for my computer in my car. I must install a patch so I can’t do that anymore.”

But to Microsoft, this vulnerability is a big deal. It affects the company’s relationship with major record labels. It affects the company’s product offerings. It affects the company’s bottom line. Fixing this “vulnerability” is in the company’s best interest; never mind the customer.

So Microsoft wasted no time; it issued a patch three days after learning about the hack. There’s no month-long wait for copyright holders who rely on Microsoft’s DRM.

This clearly demonstrates that economics is a much more powerful motivator than security.

It should surprise no one that the system didn’t stay patched for long. FairUse4WM 1.2 gets around Microsoft’s patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files.

And it’s clear economics dictate that Microsoft doesn’t care about their customers. Are you sure you want to buy products from a company when it is this easy to demonstrate the company doesn’t have to care if the product actually works for you?



Comments:

  1. This is really slanted. I’m disappointed that Schneier is willing to ignore obvious explanations why things might work this way in order to further his agenda. In a company as large as Microsoft, a generalized patch release process necessarily has a fair bit of overhead, and a predictable pathway, QA process, and schedule make it more tractable. The DRM patch is not a patch to Windows but to a specific toolkit, and comes from a specific, small team that does not need to run the gauntlet that’s in place for general Windows patches. Hence, separate patches.

    You don’t need this B.S. to argue that Microsoft “doesn’t care if the product actually works”. All you need is to observe that they have an effective monopoly in the desktop OS market, and a competitive position in the DRM market.

  2. I’m not buying your argument. Microsoft has sent out two messages the last few years: “Dear world, security is paramount, *every* department is part of this new Microsoft and we really mean it this time” and two: “dear largest customers, we are listening to you, want to keep you as a client, so every patch is now part of the monthly cycle so you can do your work”.

    What possible reasons are there to deviate from these two things: the first one might be argued away with the remark that this isn’t a security patch, but in that case you can also immediately argue “ah, so there’s no rush then”. The second message can only be argued away with “this patch is important enough that we’re willing to piss off our large customers”.

    So, here are the choices:

    1) microsoft was grossly incompetent and multiple departments were asleep at the wheel, and that’s why this one slipped through the process. It wasn’t meant to happen this way.
    2) microsoft was lying when they told their large customers their concerns were important enough to create the monthly patch cycle, and is only doing the patch cycle to keep up appearances, and minor patches are allowed to slip through because in the end microsoft doesn’t really care about large customers
    3) microsoft felt this patch was important enough to bypass the regular patch process. For very important patches, there must always be this bypass process.

    I don’t believe 1 or 2, so what remains is the question “why was this patch so important they decided to bypass the process”?

  3. Show me a real alternative. I have to.

  4. Patch Tuesday == Windows Update.
    DRM fix == Windows Media SDK fix.

    The two are independent, the patch bypasses the monthly release cycle because it’s not considered part of that product.

  5. Note that it is not an SDK fix. From the patch documentation:

    [Quote:]

    Content services can require that the updates be present in order to issue licenses by following the instructions below.

    (bold tags inserted by me) The patch is on a piece of client software, not SDK software. Microsoft has promised that client patches are part of patch tuesday.

  6. Microsoft is making available an updated runtime binary so that ISVs who use the binary can have their app update it on the client’s machine through a channel separate from Windows Update. You’re arguing (I think) that this breaks Microsoft promise to only release OS updates on Patch Tuesday. This becomes a semantic argument whether the limited distribution release is an OS update or a third party software component update. We’ll have to disagree there.

    But Schneier argued that this shows Microsoft’s economic incentives, and I still maintain that there are perfectly good alternate explanations why this patch can get out the door faster than a normal all-machines-everywhere patch.

  7. I agree that we disagree on this one, and it’s a very basic disagreement – if it is an OS update, there cannot be any reason not to use patch tuesday. If it is not an OS upgrade, it would still be advisable to limit it to patch tuesday except for very good alternate explanations, and although I don’t think such an explanation was given, I’ll admit that this thinking is of course influenced by my opinion on the nature of the patch.

  8. When I looked yesterday there was no WM/DRM patch available from Windows Update. You apparently only get it if you have an app installed that pushes the update to you. (FWIW, I use Real Rhapsody, which uses Windows DRM, and which hasn’t required any updating yet.)

    So most customers won’t see (*can’t* see) this patch until Patch Tuesday, in particular the IT shops that insist on regular update cycles.

  9. But some will, and it’s the unpredictability of the appearance of the patch that is killing for IT shops. Even if none of the computers that are managed by a particular IT shop see the patch till Tuesday.

  10. You know, I can’t find it in the Patch Tuesday updates.

    Is it possible that maybe this component isn’t part of the standard WMP files and _really_ is a runtime binary distributed only as an SDK component?

  11. I don’t know. I know on the Mac there’s quite a bunch of “optional” software by Apple, software you need to pay for (like Final Cut Studio, Aperture, Logic Pro, etc) that’s part of the automatic software update process. If you don’t have that software, you won’t see the updates, but if you do have the software, you see the updates. I assume that subscribers to bulk-contracts with Apple (if such a thing exists, I don’t really know) will see the update as well and are able to control it for the clients they have. I would assume/hope that MS does the same: optional components are part of the regular update process in the same way: you’ll only see the patches if you have the component OR if you’re a large account that need to control it for lots of boxes.

  12. Except that this is supposedly a bug in Windows Media DRM, and everyone has Windows Media Player installed. Except for maybe some nutcases in the EU. :) And I run Rhapsody, which certainly uses WM DRM. So I should be getting the update if there is one.

    …or maybe the Schneier rant was unwarranted…

  13. or, microsoft has been making a lot of noise about the patch to content providers but didn’t really follow-up – as in “dear mpaa/riaa, see how important we think this is, we bypassed patch tuesday for you and you alone because we love you” whilst at the same time the patch is indeed waiting for the next tuesday-set.

    By now I don’t really know what to think anymore.

Marriage

Posted on September 7th, 2006 at 19:01 by John Sinteur in category: Joke

On their way to get married, a young couple is involved in a fatal car accident. The couple find themselves sitting outside the Pearly Gates waiting for St. Peter to process them into Heaven.

While waiting, they begin to wonder: Could they possibly get married in Heaven? When St. Peter shows up, they ask him. St. Peter says, “I don’t know. This is the first time anyone has asked. Let me go find out,” and he leaves.

The couple sat and waited for an answer… for a couple of months. While they waited, they discussed that IF they were allowed to get married in Heaven, SHOULD they get married, what with the eternal aspect of it all. “What if it doesn’t work?” they wondered, “Are we stuck together FOREVER?”

After yet another month, St. Peter finally returns looking somewhat bedraggled. “Yes,” he informs the couple, “you CAN get married in Heaven.” “Great!” said the couple, “But we were just wondering, what if things don’t work out? Could we also get a divorce in Heaven?” St. Peter, red-faced with anger, slams his clipboard onto the ground. “What’s wrong?” asked the frightened couple. “OH, COME ON!” St. Peter shouts, “It took me three months to find a priest up here! Do you have ANY idea how long it’ll take me to find a lawyer?”



Supreme Court: Extradite Al D. to the US

Posted on September 7th, 2006 at 12:04 by John Sinteur in category: Nederland is Gek!

[Quote:]

– The Supreme Court permits the extradition of terrorism suspect Wesam al D. to the United States. It is the first time the highest court has ruled in an extradition case involving a Dutch terrorism suspect. Al D.’s lawyer, Victor Koppe, finds the ruling incomprehensible. ‘Unfortunately the hardliners in that court still have the majority’, said the counsel.

The US suspects Al D. of conspiring to carry out attacks on American soldiers in Iraq in 2003. Al D., of Iraqi origin, has always maintained that he is innocent. Koppe finds it ‘unbelievable’ that the Public Prosecution Service handed the case over ‘a few days before the substantive hearing’ in the Netherlands. He points out that the criminal investigation took place in the Netherlands, and that (possibly exculpatory) witnesses were heard here. ‘It was a Dutch criminal case. Period.’ Al D.’s co-defendant was prosecuted in the Netherlands and acquitted.

Nice to know that the Dutch state simply hands over Dutch citizens, who are being tried in the Netherlands for a crime committed on Dutch soil, to another country to be tried for that crime.

Can’t we just throw all those law books overboard and outsource everything to foreign countries?



Cartoons

Posted on September 7th, 2006 at 10:11 by John Sinteur in category: Cartoon

sheneman00.gif

ohman.gif

lane.gif

donwright.gif

breen1.gif

01.gif



A Presidential Joke

Posted on September 7th, 2006 at 9:30 by John Sinteur in category: Joke

Reagan, Clinton and George W. Bush were all stuck in a house in Kansas during a tornado warning. One tornado approached very close to the house. Reagan stood up and said, “I’ll handle this.” He went to the window and yelled at the tornado, calling it an evil empire. The tornado passed by the house. Reagan sat down and said, “I made it go away.”

Soon another tornado was reported in the area. Clinton called up FEMA and laid out plans to help anyone hurt by the tornado. He also invited a young girl named Dorothy to seek shelter with him in the cellar.

Shortly thereafter another tornado was sighted heading right for their house. All could see it right out the window bearing down on them. George W. Bush stood up and said, “I’ll fix this.” And he went over to the window and pulled down the shade.



Bilingual Welsh sign stumps Scots

Posted on September 7th, 2006 at 8:58 by John Sinteur in category: News

[Quote:]

We apologise for any inconvenience caused during refurbishment work



FAA Imposes New Work Rules

Posted on September 7th, 2006 at 8:22 by John Sinteur in category: ¿ʞɔnɟ ǝɥʇ ʇɐɥʍ, News

Remember this? Air traffic controllers don’t get enough sleep, and that contributed to the recent airplane crash in Kentucky that killed 49.

Well, the FAA took steps to remedy that. Over Labor Day they instituted a dress code for air traffic controllers.

So, when your plane crashes, at least you’ll know the air traffic controller wore a decent tie.

Do you feel safer already?



Comments:

  1. Want to know more about this? Come read my blog:

    http://www.faaunionbusting.wordpress.com

Phone-Records Scandal at HP

Posted on September 7th, 2006 at 7:16 by John Sinteur in category: News

[Quote:]

The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones.

[..]

On May 18, at HP headquarters in Palo Alto, Calif., Dunn sprung her bombshell on the board: she had found the leaker. According to Tom Perkins, an HP director who was present, Dunn laid out the surveillance scheme and pointed out the offending director, who acknowledged being the CNET leaker. That director, whose identity has not yet been publicly disclosed, apologized. But the director then said to fellow directors, “I would have told you all about this. Why didn’t you just ask?” That director was then asked to leave the boardroom, and did so, according to Perkins.

Close to 90 minutes of heated debate followed, but Perkins, the Silicon Valley venture capitalist, says he was the only director who rose to take Dunn on directly. Perkins says he was enraged at the surveillance, which he called illegal, unethical and a misplaced corporate priority on Dunn’s part. In an interview with Newsweek, Perkins says he was particularly annoyed since he chaired the HP board’s Nominating and Governance Committee and had not been informed by Dunn of the surveillance, even though, he says, she had told him for months that she was attempting to discover the source of the leak. After a divided board passed a motion asking the leaker to resign, Perkins closed his briefcase, announced his own resignation and walked out of the room.

The leader of the country sets an example for the leaders of the corporations…

