25 July 08 - 07:49Microsoft sends a Technician over to your house and Installs Vista, works out the kinks and bugs over two years and then...

n about two weeks, Redmond has managed to turn a marketing idea into something that may just shock you. Microsoft blogger Ina Fried is reporting that Microsoft managed to trick XP users in San Francisco into loving Vista simply by telling them a small fib. The company told these users that they were using a new version of Windows, codenamed "Mojave." When asked about their experience with using Mojave, over 90 percent said they were impressed with what they saw. Then Microsoft told them they had been using Vista all along. The company hasn't figured out how it will use this to market Vista (the company has video footage of users exclaiming "wow!" and so on), but the Mojave project will likely help in Microsoft's plan to tell the "real Vista story." This is some real ammo here: these are XP lovers saying they love Vista, not just more Microsoft employees giving statements to sell the software giant's latest operating system. Bill Veghte, Microsoft's senior vice president of Online Services & Windows Business Group and the man who recently outlined the Windows roadmap, strongly believes that Vista's negative opinion by many users is due to poor perceptions created by the media, from Apple's anti-Vista ads to many journalists spewing Vista hate because it brings in the hits. Mojave is a perfect example of this—to an extent. Microsoft has time and again admitted that Vista has its problems, but has also emphasized that the majority of problems have been fixed. What's your take on the Mojave story?

- default - No comments / No trackbacks - § ¶

25 July 08 - 07:42Tarantino's Mind

A film buff tells a friend that he's finally broken "the code" - the mystery behind the character & story threads that bleed from one Quentin Tarantino movie or screenplay into the next. His friend is less than impressed. Starring Seu Jorge (The Life Aquatic) and Selton Mello (Tarja Preta). A short film by Brazilian directing duo 300ml.

- default - No comments / No trackbacks - § ¶

11 July 08 - 08:07This Just In!!! Most Children Strongly Oppose Children's Healthcare!

- default - No comments / No trackbacks - § ¶

10 July 08 - 02:21Patch Now.

Thanks to Rich Mogull, Dino and I just got off the phone with Dan Kaminsky. We know what he’s going to say at Black Hat.

What can we say right now?

1.

Dan’s got the goods. You know that scene near the end of High Fidelity where Jack Black listens to the skate punk’s electroclash demo? Yep. It’s really fucking good.
2.

This is strong year at Black Hat: Dowd and Lawson in particular have awesome talks linked up. But Dan may have Best of Show here.
3.

If you were running DJBDNS before, you’re safe. If you made fun of me for running DJBDNS: sucker.
4.

Ryan Russell pointed out earlier on our blog that Dan takes a lot of crap for doing so much public research. You can’t be in the public eye for long without taking fire from people who write shellcode instead of Black Hat talks and press releases. Ryan is right: it’s not fair. I don’t know how you can give Dan crap about his work after this.

I think Dan should come clean on this and publish the details. The 30 days he’s given before Black Hat won’t make much of a difference. But his reason for not doing it is at least plausible. And he did the work. So, it’s his call.

I think I owe Chris Eng $100 now.

I got a chance to get the scoop word of mouth from Dan Kaminsky of IOActive (pictured above [image courtesy of quinnums]) and Thomas Ptacek of Matasano (pictured below) on the DNS flaw that’s been all over the net today. Talking with Kaminsky over the cell phone, he said that the current fix sufficiently addresses the issue by randomizing the source ports, while simultaneously not really giving any reverse engineers out there the ability to reverse the patch to a working exploit. This will give other vendors out their time to address this issue. Kaminsky commented that DNS is obviously a very important part of the Internet, so a spoofing flaw like what he has discovered is significant.

I asked Dan what he thought about Thomas Ptacek’s Thomas Ptacek of Matasanocomments suggesting that the flaw was blown out of proportion and Dan said that the flaw is very real and very serious and that the details will be out at Black Hat. Dan mentioned to me that he was very pleased with how everything has worked with the multi-vendor disclosure process, as he said, “we got several vendors together and it actually worked”. To be honest, this type of collaboration is long overdue, and there’s a lot of folks in the industry asking for it, and I’m not just talking about the tech companies cooperating, several banking and financial companies have discussed forums for knowledge sharing, and of course eBay has tried to pioneer this with their “eBay Red Team” event. It’s refreshing to here a well respected researcher like Dan feeling very positive about an experience with multiple vendors working together (my own experience has been a lot of finger pointing and monkey business).

Read on for Ptacek’s comments…

I spoke with Ptacek over an AIM chat this evening, and he had some enlightening thoughts on the matter, stating:

“My thought is, what we really have is a new exploit for an old vulnerability nobody bothered to fix because no ‘perfect’ fix is available. Dan won’t release any details… he says that’s the terms for getting vendors to cooperate. I don’t understand why that leaves him room to talk about it at Black Hat, but in the absence of details all you have to go on is what the patch is.

The vulnerability says, you can spoof responses to DNS queries and the patch is to randomize source ports, if your source ports weren’t randomized already. If this is really the problem, then as of 2002 when that guy from Brazil found the outstanding query bug, it would have taken less than 10 seconds to spoof a DNS response anyways. So unless this vulnerability, I don’t know, makes a ninja come out of your LCD screen and chop your head off I think it’s probably not super new.”

Both of us did comment though that in years of watching Dan’s talks, actually seeing a Ninja come out of an LCD screen and chop someone’s head off didn’t see horribly far-fetched. My conversation with Ptacek continued:

Nate: Your thoughts on this seem to go back to your thread where you said “It’s like I don’t even care if DNS is secure”, since there’s so many other things to be worried about as well.

Ptacek: Exactly. I mean i don’t want to take down Kaminsky for working in DNS at all, DNS security is interesting, and Dan usually has cool findings in it

Nate: This is true.

Ptacek: But I mean, come on — Dan’s DNS credibility is unimpeachable, so I think he can deal with this criticism: He probably didn’t find anything that is more important than the fact that a 16 bit random number isn’t secure in the age of OWASP.

Nate: What do you mean by that?

Ptacek: If the fix is “randomize your source ports”, we already knew you were vulnerable. Look, DNS has a 16 bit session ID… how big is an ASPSESSIONID or JSESSIONID? When you get to this point you are way past deck chairs on the titanic, but, I mean, the web people already know this. This is why TLS/SSL totally doesn’t care about the DNS. It is secure regardless of the fact that the DNS is owned.

If the IETF would just find a way to embrace TLS/X509 instead griping about how Verisign is out to get us we wouldn’t have this problem. Instead, DNSSEC tried to reinvent TLS by committee… well, surprise surprise, in 2008, we still care about 16 bit session IDs! Go Internet!

Nate: Tom, thanks a lot for talking with me on the subject.

So, very interesting stuff going on here. Man if Vegas doesn’t bring out the most interesting topics. Quite a day when you get to talk to two of your favorite security researchers (Kaminsky and Ptacek) on a flaw that is sure to make huge news, that is currently under wraps with lots of controversy.

I will say this, Dan is as legitimate a showman as the security research/hacking community has. I can still remember him telling me point blank that his ToorCon Seattle talk would blow me away, preparing for that, then being more blown away than I could’ve ever expected by his presentation (see info on his Non-existent Sub-Domain attacks from ToorCon Seattle). I’ve got high hopes for fireworks from Dan at Vegas, and hell, even if, for some reason, the research turns out to be less than Dan originally thought, he’ll still put on an interesting talk by just being fun to watch and hilarious.

See you in Vegas, bring your drinking shoes.

-Nate

- default - No comments / No trackbacks - § ¶

10 July 08 - 02:16Wisdom

I think now about the amazing thunderstorms in the summer evenings. And how – late at night, during a blizzard, you can stand outside and hear the collective, thumping murmur of a million snowflakes hitting the earth, like you’re inside a sleeping god’s thoughts.

I didn’t realize how all of these places and people and events were just as crucial in shaping me as anything I roamed to the corners of the Earth to see. And they’ve shaped you, and will shape you, whether you realize it now or later. All of you are richer and wiser than you know.

First off: Reputation, Posterity and Cool are traps. They’ll drain the life from your life. Reputation, Posterity and Cool = Fear.

Let me put that another way. Bob Hope once said, “When I was twenty, I worried what everything thought of me. When I turned forty, I didn’t care what anyone thought of me. And then I made it to sixty, and I realized no one was ever thinking of me.” And then he pooed his pants, but that didn’t make what he said any less profound.

Secondly: The path is made by walking. And when you’re walking that path, you choose how things affect you. You always have that freedom, no matter how much your liberty it curtailed. You…get to choose…how things affect you.

And lastly, and I guarantee this. It’s the one thing I know ‘cause I’ve experienced it:

There Is No Them.

I’m going to get out of your way now. Get out there. Let’s see which one of you is up here in twenty years. If you’re lacking confidence, remember – I wouldn’t have picked me.

- default - No comments / No trackbacks - § ¶

07 July 08 - 11:46You Tube

- default - No comments / No trackbacks - § ¶