June 18, 2009 · Technology · (No comments)

You can find the technical details at http://isc.sans.org/diary.html?storyid=6601 as reported by handler Bojan Zdrnja today on the ISC diary.

It’s a surprisingly simple attack (the handler points out that even an attacker on a slow connection could easily DoS an Apache server on a fast connection) but considering that it affects the older 1.x branch of Apache, one wonders how it could have taken this long to give rise to a tool and subsequent report. Then again, one wonders why IIS 6 and 7 aren’t affected — did Microsoft ignore the specifications for HTTP requests, or, like the report claims, does IIS act more like a reverse proxy with the web server behind it, preventing the DoS from occurring?

Blue glass fountain pen
June 12, 2009 · Musings · (No comments)

There are some strange and bizarre things that come up on CNBC. For instance, Rick Santelli, the reporter/commentator at the Chicago Mercantile Exchange, tore into colleague Steve Liesman, the network’s senior economics reporter, over claims that senior executives of financial firms failed to disclose material information to “save the world.” The FCC may have had its way with CBS and the “wardrobe malfunction” but I haven’t heard them go after on-air editor Charlie Gasparino’s little four-letter slip up. And then there was the time Gasparino didn’t have what he got. Where else do you go from there?

Cantaloupe, of course.

Jim Cramer, the understated voice of CNBC, and Erin Burnett, notable as the only one at CNBC to have her own show during market hours, have a daily segment called “Stop Trading,” where Burnett asks about certain stocks, and Cramer gives his opinion. They have some pretty good banter, but yesterday’s bit takes the, uh, melon. Have a listen. (You’ll find the link in the paragraph above, or you can just go here: http://www.cnbc.com/id/15840232?video=1149483419. I recommend skipping to 1:45 and then 3:48, unless you’re interested in hearing the whole piece.)

June 12, 2009 · Markets, Technology · (No comments)

The New York Stock Exchange (NYSE) found itself a little quieter close to noon today when its order-matching system decided to head to the Hamptons a few hours early. The string of notifications from NYSE (which will move to the archive; click the plus sign next to “Archive of System Status Notifications”) shows that the first signs of trouble showed up about a quarter to 11am, and by 11:40am trading in the 242 affected stocks had been halted on NYSE while their tech staff did a server switch. Trading resumed about a half-hour later, according to reports from Bloomberg.

I was actually at my desk today watching the markets and my open positions when the news came across CNBC. Now, the cool thing about NYSE is that it’s a hybrid market; while the main floor of the exchange is quiet compared to just a few years ago, it is still notable for its combination of human and electronic trading. Trades can go through the NYSE system, where humans (specialists) handle the trades, or through NYSE Arca, formerly Archipelago, an electronic trading platform purchased by NYSE several years ago. In today’s outage, the computer systems that support the regular NYSE system glitched. And since there are multiple over-the-counter platforms like NYSE Arca, trading continued as normal in the electronic world. If one part of NYSE goes down, there’s an alternate platform to temporarily take its place.

What makes this interesting? First, the speed of the server switchover. According to Steve Grasso, one of the NYSE floor traders who regularly contributes to CNBC, most of the delay was caused by specialists having to redo what’s called “price discovery” — the process of collecting bids and offers on a stock to find the equilibrium price, hence “discovering the price” — which usually only happens at the market open. (This is why if you’ve ever followed stock prices at 9:30am, it can take some time to get a quote on NYSE listings.) Obviously NYSE’s tech staff know how to throw the switch quickly, if you will, but it’s pretty impressive that outages of this magnitude happen so infrequently on an infrastructure designed to handle anywhere from 8 to 10 billion shares of volume in a day.

Second is the paradox of the hybrid system. Grasso praised NYSE’s acquisition of Archipelago as a way to avoid a total halt of floor trading. He pointed out the opposite, too; if NYSE Arca went down, the “old” human system meant that trading on NYSE could continue. Sure, it might mean the specialists can’t push through as many shares, but as Grasso pointed out, computers suck when it comes to price discovery; the spreads on NYSE tend to be better than on electronic markets like NASDAQ. I don’t have a source handy but I remember some articles and analysis a few years back supporting those claims. Yet this hybrid system of man and machine is, under the hood, really machine and machine. It’s possible for specialists and traders at NYSE to work without computers; again, a few years ago, I remember them resorting to whiteboards and pen and paper for some reason. (Some of the stocks didn’t get a 4pm print until 4:20pm, and people were still doing settlement paperwork past 5pm.)

So, if a technology failure in something like SuperDOT or Matching Engine results in a trading halt, can you really call the floor system a human alternative to electronic trading?

June 11, 2009 · Musings · (No comments)

The Fox television series “Firefly” had its own little bit of wit and charm before, as many viewers would agree, it was prematurely snuffed out. With creator Joss Whedon firmly working on a new series, “Dollhouse,” it’s been assumed for quite some time that a revival of Firefly isn’t a possibility in the near future.

So it came as a surprise to see a commercial on the SciFi channel of a movie with the following:

  • A smuggling spaceship
  • A girl in a box (naked)
  • Fight scenes on a dusty, rocky planet
  • The line “We’re all trying to get off this rock alive”

Sounds familiar, except for one thing:

  • Giant insects trying to attack the characters

Yes, the wonderful team over at SciFi greenlighted a movie that brings together the elements of Firefly with the baddies of every bad sci-fi film. There doesn’t seem to be much info on it over at IMDB but it does star James Kyson Lee of NBC’s “Heroes.”

Writers understand that pretty much every possible premise and most plot lines have already been written. I’ve read that Firefly was similar to a previous work, and I always expected someone to duplicate it in some form. Mimicry and flattery, right? I assumed that most screenwriters would leave Firefly alone because of the significant and rabid fan base; those fans had mixed thoughts about the movie, showing how protective they were about the original series. So when it comes to this SciFi channel movie, only one thing comes to mind: in the words of Firefly character Wash, “I curse your sudden but inevitable betrayal.”

And in related news, the SciFi channel just ran a commercial confirming a story that ran on Slashdot a few months ago: the network is changing its name to “SyFy.” I never did understand the reasoning behind that one.

June 9, 2009 · Musings · (No comments)

[Writer's note: The use of "FAIL" in a title definitely flies in the face of the subtitle, "Old-style musings on new things." But there are times when new-style musings are needed, and this has the needed effect.]

As a writer, I cringe at the glaring front-page errors in the local daily paper. As a former newsletter editor, I know it can be tough to catch every error every time. But at some point, one has to draw the line. I probably drew that line years ago.

Today, voters in Virginia went to the polls to choose the Democratic candidate for governor and lieutenant governor; some precincts had local races, as well, on the ballot. Virginia primaries are open, meaning that voters can participate regardless of party affiliation. Despite this, turnout was expected to be low, based on absentee ballot returns. Naturally, you’d expect some sort of front-page coverage of the election, and sure enough, the local daily paper offered such an article. (Unfortunately, I can’t find the article on the paper’s website.) When it came to the page turn, I read this:

Primary article - News & Messenger

Again, I understand that mistakes happen. But how can you screw up something like this:

Primary article highlighted - News & Messenger

How many people only read the first part and didn’t go to the polls today?


The Wall Street Journal obtained a copy of a notice from China’s Ministry of Industry and Information Technology that indicates the government’s desire to bundle a software agent (Loretta Chao, “China Squeezes PC Makers,” 8 June 2009, page A1) with every personal computer sold in China which will block access to objectionable websites. According to the report, the software, called “Green Dam-Youth Escort,” is developed by Jinhui Computer System Engineering Co., which has partnerships and agreements with the Chinese government, and company and government officials say that the program poses no additional risks to users and hasn’t caused problems on test systems. The New York Times adds that the vendor’s website claims 3.2 million downloads of the software and that Chinese PC manufacturers have agreed to install the agent on PCs they sell domestically. That website, which offers the software for download, also has a bulletin board that, according to the Times, had reviews from users claiming that the software did not block some pornographic material or slowed down their PCs. Many of those messages were deleted hours later.

Ignoring the political and free-speech debates surrounding this reported move (the notice has not been publicly circulated or announced by the Chinese government), there are a few inherent flaws with this attempt to block “objectionable” content. As any student of information security knows, you can never guarantee absolute security, only find a balance between security risks and availability. Applying Occam’s Razor makes the question “How do you bypass such a requirement?” a rudimentary exercise:

  • Purchase a non-Windows machine (the software agent is only designed for the Windows operating system)
  • Build your own PC (how could hard drive manufacturers load the agent without Windows being pre-installed?)
  • Format the hard drive and install a retail copy of Windows (unless the government forces Microsoft to integrate the software agent with all copies of Windows)
  • Swap the hard drive and install a retail copy of Windows (same stipulations as above)
  • Format the hard drive and install a modified copy of Mac OS X or another OS (e.g. Linux)
  • Delete or uninstall the software agent (a company official, Zhang Chenming, told the Times that the agent could be deleted or temporarily turned off, adding that “a person can still use this computer to go to porn”)
  • Toss the CD with the software agent (the Times and WSJ mention the agent possibly being included on CD rather than preinstalled)

I don’t doubt that there are some smart people working inside the Ministry of Industry and Information Technology. The implementation of this notice is not about fixing a technological loophole in the full-size “Great Firewall,” which can be bypassed with a bit of research. When the vendor admits the software is easily deleted or turned off, and when there are so many simple workarounds, any claim that the software will satisfy those crying “think of the children” and shield those inside China from pornography is dubious.

What is frightening from an information security perspective is the risk that such a software agent poses. We know that malware frequently filters victims’ Internet access, preventing them from accessing the websites of anti-virus and anti-spyware vendors. If the software is closed-source — and I have seen no mention of the code being open-source — then there is no definitive way to audit every bit of functionality. If the software has an update mechanism, it has the potential to be hijacked — imagine someone poisoning a major Chinese DNS server so that a malicious person could serve a tampered update. If vulnerabilities exist in the software, which is designed to work in a network environment, imagine the possibilities of remote attacks — for instance, a buffer overflow leading to a DoS or, even worse, remote access and/or privilege escalation.

It would be interesting to see an industry expert’s analysis of the software program. To the vendor’s credit, it is impossible to test a Windows program on every possible combination of hardware (compared to software for Mac OS X, where the available hardware configurations are much more limited) and it is very possible that the negative comments on the bulletin board were from politically-motivated users. However, for this kind of a program, it isn’t hard to imagine how it could result in system instability.

Again, while there are very obvious political and free-speech issues involved, I am trying to approach this from a technology perspective.

June 4, 2009 · Site News · (No comments)

I’ve been in the process of moving to a new web host (for reasons I will discuss at a later time) so instead of dragging the old Movable Type blog in, I’ve switched over to WordPress and abandoned my prior posts. So drop in every day or so and there should be an update. Even better: add the RSS feed to your favourite reader; you’ll find it on the blue menu bar by clicking the “Feeds” link. My preference is Google Reader, especially once you get the keyboard shortcuts down.
