Happy Friday the 13th!

I was thinking about superstition and science today, so I was particularly amused to notice that it’s Friday the 13th. Rich and I are both scientists of sorts; we both eschew superstition, but we occasionally argue about science. What’s real and what’s not. What’s science, what’s pseudoscience, and what’s just plain myth. It’s interesting to discuss root causes and what forces actually alter our surroundings. Do we have enough data to make an assertion about something, or is it just a statistical anomaly? I’m far more likely to jump to conclusions about stuff based on personal experience, and he’s more rigorous with the scientific method. And that’s true for work as well as life in general. For example he still shuns my use of Vitamin C, while I’m convinced it has a positive effect. And Rich chides as I make statements about things I don’t understand, or assertions that are completely ‘pseudoscience’ in his book. I’ll make an off-handed observation and he’ll respond with “Myth Busters proved that’s wrong in last week’s show”. And he’s usually right. We still have a fundamental disagreement about the probability of self-atomizing concrete, a story I’d rather not go into – but regardless, we are both serious tech geeks and proponents of science.

I regularly run across stuff that surprises me and challenges my fundamental perception of what’s possible. And I am fascinated by those things and the explanations ‘experts’ come up with for them – usually from people with a financial incentive. Hawking anything from food to electronic devices by claiming benefits we cannot measure, or for which we don’t have science which could prove or disprove their clams. To keep things from getting all political or religious, I restrict my examples to my favorite hobby: HiFi. I offer power cords as an example. I’ve switched most of the power cords to my television, iMac, and stereo to versions that run $100 to $300. Sounds deranged, I know, to spend that much on a piece of wire. But you know what? The colors on the television are deeper, more saturated, and far less visually ‘noisy’. Same for the iMac. And I’m not the only one who has witnessed this. It’s not subtle, and it’s completely repeatable. But I am at a loss to understand how the last three feet of copper between the wall socket and the computer can dramatically improve the quality of the display. Or the sound from my stereo. I can see it, and I can hear it, but I know of no test to measure it and I just don’t find the explanations of “electron alignment” plausible.

Sometimes it’s simply that nobody thought to measure stuff they should have because theoretically it shouldn’t matter. In college I thought most music sounded terrible and figured I had simply outgrown the music of my childhood. Turns out that in the 80s, when CDs were born, CD players introduced several new forms of distortion, and some of them were unmeasurable. Listener fatigue became common, many people getting headaches as a result of these poorly created devices. Things like jitter, power supply noise, noise created by different types of silicon gates and capacitors, all producing sonic signatures audible to the human ear. Lots of this couldn’t be effectively measured but will send you running from the room. Fortunately over the last 12 years or so audio designers have become aware of these new forms of distortion, and they now have devices that can measure them to one degree or another. I can even hear significant differences with various analog valves (i.e. ‘tubes’) where I cannot measure electrical differences.

Another oddity I have found is with vibration control devices. I went to a friend’s house and found his amplifiers and DVD players suspended high in the air on top of maple butcher blocks, which sat on top of what looked like a pair of hockey pucks separated by a ball bearing. The maple blocks are supposed to both absorb vibration and avoid electromagnetic interference between components. And we did several A/B comparisons with and without each, but it was the little bearings that made a clear and noticeable difference in sound quality. The theory is that high frequency vibrations, which shake the electronic circuits of the amps and CD players, decrease resolution and introduce some form of distortion. Is that true? I have no clue. Do they work? Hell yes they do! I know that my mountain bike’s frame was designed to alter the tube circumference and wall thicknesses as a method of dampening vibrations, and there is an improvement over previous generations of bike frames, albeit a subtle one. The reduction in vibrations on the bike can easily be measured, as can the vibrations and electromagnetic interference between A/V equipment. But the vibrational energy is so vanishingly small that it should never make a difference to audio quality.

Then there are the environmental factors that alter the user’s perception of events. Yeah, drugs and alcohol would be an example, but sticking to my HiFi theme: a creme that makes your iPod sound better. Works by creating a positive impression with the user. Which again borders on the absurd. An unknown phenomena, or snake oil? Sometimes it’s tough to tell superstition from science.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Adrian’s Dark Reading paper on User Activity Monitoring.
• Rich’s excellent Macworld article on the Flashback malware.
• Adrian’s Dark Reading post on reverse database proxies.

Favorite Securosis Posts

• Adrian Lane: The Myth of the Security-Smug Mac User. We get so many ‘news’ items, like how Android will capture the tablet market in 2015, or how Apple’s market share of smartphones is dwindling, or how smug Apple users will get their ‘comeuppance’ for rejecting AV solutions, that you wonder who’s coming up with this crap. Mac users may not have faith in AV to keep them secure, but they know eventually Macs will be targeted just as Windows has been. And I’m fairly certain most hackers run on Macs, so and it’s no stretch for them to target this fast growing platform. In fact most Mac users I talk to are paranoid as hell about it!
• Rich: Pain Comes Instantly – Fixes Come Later. Considering their track record, I have a hard time taking lectures on vulnerability responsibility from Oracle.
• Mike Rothman: How to Tell If Your Cloud Provider Can Read Your Data (Hint: They Can). It all comes down to risk assessment. They can read your data. Is that a risk you are okay taking?

Other Securosis Posts

• Incite 4/11/2012: Exchanging Problems.
• Responsible or Irresponsible Disclosure? – NFL Style.
• Understanding and Selecting DSP: Administration.
• Vulnerability Management Evolution: Scanning the Application Layer.
• Watching the Watchers: Monitor Privileged Users.
• Watching the Watchers: Enforce Entitlements.
• Friday Summary: April 6, 2012.

Favorite Outside Posts

• Rich: The nightmare that is Java. I have a love-hate relationship. The promise of Java was so great. But it’s now one of our biggest security messes.
• Mike Rothman: The Secret History of OpenStack, the Free Cloud Software That’s Changing Everything. In order to get anything off the ground, you need a lot of things to go right. Great story on how OpenStack happened.
• Gunnar: Can you get more out of Static Analysis?
• Adrian Lane: Application Security Matters. A Dan Geer masterpiece. The metaphor that software is the skin is fantastic. But it’s the idea of changing ‘end-to-end’ nomenclature to ‘trust-to-trust’ that resonates most with me. The concept of a single application serving us on the Internet is ludicrous. I have been talking about trust boundaries as a way of looking at threat models during application development for years, but this mostly falls on deaf ears because I suck at getting the concept across. ‘Trust-to-trust’ captures the essence of this concept. This is a fascinating read and well worth your time.

Project Quant Posts

• Malware Analysis Quant: Index of Posts.
• Malware Analysis Quant: Metrics – Monitor for Reinfection.
• Malware Analysis Quant: Metrics – Remediate.
• Malware Analysis Quant: Metrics – Find Infected Devices.
• Malware Analysis Quant: Metrics – Define Rules and Search Queries.
• Malware Analysis Quant: Metrics – The Malware Profile.
• Malware Analysis Quant: Metrics – Dynamic Analysis.

Research Reports and Presentations

• Network-Based Malware Detection: Filling the Gaps of AV.
• Tokenization Guidance Analysis: Jan 2012.
• Applied Network Security Analysis: Moving from Data to Information.
• Tokenization Guidance.
• Security Management 2.0: Time to Replace Your SIEM?
• Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
• Tokenization vs. Encryption: Options for Compliance.

Top News and Posts

• Breaking up with your cloud provider.
• Stupid tech support tricks.
• Medicaid hack update.
• Mozilla Security Blog on Java Plugin Threat.
• Google patches Chrome.
• New Linux Security patch.
• Why Do Hackers Want Facebook Data, Part I.
• Instagram Acquired By Facebook For $1 Billion. That’s ‘Billion’, with a ‘B’.
• DHS: All Your Game Console Are Belong To Us. Control. It’s about control.
• Upgrading Auto Software In A Flash. And exposing your car to hackers in the process.
• Adobe, Microsoft Issue Critical Updates. Patches. Patches.
• Urgent Fix for Zero-Day Mac Java Flaw. More patches.
• Oracle Releasing 78 Security Patches. Are you sensing a theme here?
• Ask the Expert – Jeremiah Grossman. A new SANS interview series with respected app security folks.
• VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Awara Arawa, in response to Pain Comes Instantly–Fixes Come Later.

Have you considered the reverse? ie. Oracle knows about a security bug, the hacker community accidentally stumbles into it, the user community is unaware and they are being cleaned out by hackers and Oracle has not found a fix!

Should Oracle share information regards the security bug to all now?

What is being argued here, IMO, is that vendors should not release information unless it is all but known publicly via well publicized breachers or er…rumored breaches?

What next – Car manufacturers do not have to disclose problems about brakes unless there are multiple accidents?

Vendor has a responsibility to notify and alerts its customers to issues as they try to fix the problem. What the customer chooses to do with the warning is their responsibility.

Alternately, the vendor takes on liability and responsibility for damages resulting from non-disclosed information should there be breaches – see car manufacturer example…I recall something with Firestone/Bridgetone tires a while back that raised similar issues. Mitsubishi vehicles is another example that leaps to mind.