Saturday, December 19, 2009

1-factor authentication in the Matrix

I just remembered the way Seraph tells Neo in The Matrix, "You do not truly know someone until you fight them," and I was trying to sort the fight that follows into one of the typical categories of authentication:
  1. Check what someone has.
  2. Check what someone knows.
  3. Check what someone is.
when I realized that in the precise context of The Matrix, in Neo's case, categories 2 and 3 are one and the same.
  • Neo is the One because he knows he is the One.
  • Being the One, Neo knows he is the best kung fu fighter.
  • Knowing he is the best kung fu fighter, Neo is the best kung fu fighter.
He is because he knows, and he knows because he is. Seraph thus performs a single-factor authentication to check that Neo is the One.

-+- The little joys of security thinking! -+-

Thursday, December 3, 2009

Vulnerability in VPN/SSL platforms: so what?

The US-CERT points out that using a VPN/SSL to access arbitrary web sites circumvents the security features of modern browsers.

I have the odd feeling of living in a troubled IT/ITsec world when I read that. What seems so strange to me is not the vulnerability, it's that it takes a US-CERT advisory for people to notice.

I mean... For years the web has been struggling to build protocols like HTTPS (and to get the mainstream browsers to support it correctly). And we hear every day that even though the protocol is a jewel in itself, it is not sufficient for security. That's why we have vulnerability reports for browsers, anti-phishing features, certificate authorities, etc.

Now we build a new tool that handles web sites, forwarding them to and fro, and we should think it does not deserve the same amount of care and time to mature? No, no, no...
Big expert organizations like Microsoft, Google or Mozilla struggle with it; why should Cisco, Juniper or SafeNet get it right the first time?

Pessimistic: It's always the same game. You build something strong and then you build it anew making the same mistakes. And every time you get surprised.

Optimistic: Now that the vulnerability is public (I thought it always was!) maybe the VPN/SSL makers will improve their products.

Realistic: If you use the intranet from the Internet, you should be prepared to handle the security of the intranet as if it were exposed to the public. That means, for instance, investing some time in understanding a VPN/SSL product before entering wildcards in its policies.

EDIT 12/04/2009: Cisco says it very well ^^
"Administrators are advised to configure clientless SSL VPN sessions so that only trusted internal networks are accessed using the VPN session. All other connections should be accessed without using the SSL VPN session."
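The quoted advice (only trusted internal networks through the clientless session, no wildcards in the rewrite policy) as a policy check and policy audit, added here as an example; it is not code from this post or from any VPN vendor, and the policy model, the "intranet.example" domain, the CIDR ranges and the sample URLs are constructed for illustration.

```python
"""Clientless SSL VPN rewrite policy: an open wildcard beside a restricted one.

Added example, not code from the original post or from any VPN vendor.
It models the advice quoted above (only trusted internal networks reachable
through the clientless SSL VPN session) as an allow-list check plus an audit
of the policy itself. The policy model, the CIDR ranges, the domain
"intranet.example" and the sample URLs are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class RewritePolicy:
    """Destinations the VPN portal is allowed to fetch and rewrite.

    host_patterns: fnmatch-style hostname patterns ("*" alone matches all).
    networks: CIDR blocks that a literal IP destination must fall inside.
    """
    host_patterns: list = field(default_factory=list)
    networks: list = field(default_factory=list)

    def allows(self, url: str) -> bool:
        """True if the portal may proxy this URL under the policy."""
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            return False
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Not a literal IP: compare the hostname against the allow-list.
            return any(fnmatchcase(host, p.lower()) for p in self.host_patterns)
        # Literal IP: it must sit inside one of the trusted networks.
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

    def audit(self) -> list:
        """Findings for rules that turn the portal into an open web proxy.

        A hostname pattern with fewer than two literal labels ("*", "*.com")
        matches arbitrary Internet hosts; a network wider than a /8 is not an
        "internal network" in any realistic deployment.
        """
        findings = []
        for p in self.host_patterns:
            literal = [lab for lab in p.split(".")
                       if lab and "*" not in lab and "?" not in lab]
            if len(literal) < 2:
                findings.append(f"host pattern {p!r} matches arbitrary Internet hosts")
        for n in self.networks:
            if ipaddress.ip_network(n).prefixlen < 8:
                findings.append(f"network {n} is wider than a /8")
        return findings


# The weak setting: the "wildcard in the policy" the post warns about. Any site
# on the Internet is fetched and rewritten inside the authenticated session.
WEAK_POLICY = RewritePolicy(host_patterns=["*"], networks=["0.0.0.0/0"])

# The corrected setting, following the quoted advice: only the (constructed)
# internal domain and private address ranges go through the VPN session.
STRICT_POLICY = RewritePolicy(
    host_patterns=["intranet.example", "*.intranet.example"],
    networks=["10.0.0.0/8", "192.168.0.0/16"],
)

# Constructed sample destinations: two internal, two on the public Internet.
SAMPLE_URLS = [
    "https://wiki.intranet.example/page",
    "http://10.1.2.3/app/",
    "https://www.example.org/login",
    "http://203.0.113.5/",
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (allowed by weak policy, allowed by strict policy)."""
    return {u: (WEAK_POLICY.allows(u), STRICT_POLICY.allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url:40} weak={weak!s:5} strict={strict}")
    print("weak policy findings:", WEAK_POLICY.audit())
    print("strict policy findings:", STRICT_POLICY.audit())
```

The weak policy lets the portal proxy both public URLs; the strict one only passes the two internal destinations and the audit reports nothing for it.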

Common antivirus products disabled within minutes

It was the subject of a contest organized by the French IT (and other disciplines) engineering school ESIEA. The results are available as slideshows at this address.

Summarizing roughly, the most common antivirus products (McAfee, Norton = Symantec, Kaspersky...) can be disabled within minutes by a clever virus writer.

Shredding files mostly useless (review)

Bruce Schneier points out that filesystems sometimes get in the way of secure file deletion.

I blogged about that six months ago (second point in that post) after checking my understanding of the question with the developer of Inferno.

I have since heard similar stories quite a few times, either from software such as filesystems or recovery systems, or from hardware such as Flash memory, which puts the content of a file in arbitrary locations. It seems to be a fairly well-known fact among people who have spent time on the matter.

To my mind, apart from shredding entire drives when the hardware is disposed of or passes from one user to another, companies should not waste time on shredding.

Of course, I guess Bruce Schneier would argue about encryption, rather than deletion :-)

Tuesday, November 24, 2009

How would I steal IDs and passwords from people?

I was asked by a former classmate (or rather, he challenged me) to propose a way to steal IDs and passwords from people with little danger for me and little technical knowledge required from me.
Here's my proposal. I don't know whether it's new at all; I guess it's not. It's purely hypothetical, I haven't tested anything like this.
  1. I go to a place where people use laptops: train stations, an apartment building in a crowded city or a workplace where Internet access is not given to all employees.
  2. I create an unprotected wifi access point, open to all, and keep listening for someone to connect. It may take time, but that's not part of the given problem, so I'm assuming I've got time.
  3. I count on the fact that at least one service the victim uses is not secured via SSL or similar. When that happens, I just take note of the login/password pair.
  4. Then I go and try the login/password on other applications such as Facebook, Gmail, MSN, online stores and so on. As most people use the same password for many applications, I think the success rate could be decent.
EDIT 01/24/2011: A few clues against public wifi here.

Friday, November 6, 2009

Friday liberty blogging - I'm French and that's something

It might be an unknown fact to my non-French readers: the French government is currently flooding the media with questions about French identity. What is it to be French?

They also use the fuss to cover up their shameless, unprincipled immigration practices, but that won't be the subject of the present post.

The subject is French identity, and I would like to elaborate on it, because I'm one of the lucky ones down here who have spare time and spare thoughts to ask such questions and try to answer them. When my friend Thierry Kakouridis wrote an article about the matter (FR), I thought I had to reply to it.

France is a melting pot of people with various views and cultural heritages. It is not a single one. For instance, several values are deeply written into the culture of my native region that are not always shared in other places in France:
  • Anti-clericalism: People can believe whatever they want as long as it does not encroach upon my life and my political freedom. If it does, they, not I, have to withdraw.
  • Ability to live on one's own: You will be well-considered if you don't require help. You'll still be welcome if you do require help, but you won't be thought of so highly.
  • Giving one's word: Something said is just as good as something signed in black and white on paper.
And I did inherit these values from living there for twenty years. Yet, as I said, these are not prominent values everywhere in France. So which should be the values of the French? First of all, I think there is freedom of ideas. Foreigners are often surprised at the way the French take the liberty to interpret non-negotiable things. Whether it be the law, religion or management theories, the French often take only what they want from it. And if you ask them why, they always have a good (yeah, or bad) explanation for it.

This is one of the basic freedoms that people from occidental democratic countries enjoy. And it's a freedom that can only be taken from you if you don't use it enough.

For this freedom to be within reach of a humble citizen, it requires:
  • A culture that values culture above wealth,
  • A culture that values thinking above believing,
  • And the associated society that preserves and enriches this culture.
I think other freedoms matter less to the French. We cannot be French without allowing ourselves to think freely about things of interest.

We also have equality and fraternity in our national motto. To me this relates to two other main components of the French conscience:
  • The hatred of hubris. Not all the French believe in a God up there, but all the French agree that there is no God down here. The excess of pride that leads one to think of oneself as a God and to behave as such is un-French. It is considered a disease that can affect both individuals and nations.
    For instance, the French renounced the death penalty. We mostly consider that a nation has no divine right to claim lives.
    This is, to my mind, the meaning of the word equality in our motto: none of us is a God.
  • Meritocracy. While we enjoy equality of people in rights and dignity, we clearly know that we are different and have different skills. And none of us can pretend to be good at everything. Yet we believe in the need to live and work together. And this means that we have to know and reward the merits of each. And this goes not through money but through respect and consideration from others.
    This is precisely why the French are outraged at the idea of a film maker being treated as a usual burglar, or at the idea of their previous president being thrown in prison.
    Sure, the law is equal for all, but combined with the fact that all the French choose for themselves which laws to apply and which not, meritocracy is commonplace in France. You get "powers" from being known for your past achievements. In exchange for these powers, you have to keep serving the nation well. We know that we are not working against each other, but rather for each other.
    That is, to my mind, the meaning of the word fraternity in our motto.
To answer Thierry's underlying questions:
  • Yes, one is first of all what he/she wants to be. And most of the French want to be French rather than regional or European or other. And that's precisely why there is such a fuss about national identity right now: the French do feel that their identity is at risk. (To my mind, that's more because of the current government than because of the immigrants. And some people are thinking the wrong way, out of fear or ignorance. That part is indeed a French failure.)
  • There could be some confusion about Theodore Roosevelt's words. It could be misinterpreted as a call for "cultural purity". It's not. It's a call for everyone to adhere fully to the identity. And as such, the American president's words match my feeling about the French integration style. You can be more than French, but you cannot be half-French.
    There is no room for hyphenated Frenchism, reduced Frenchism, but there is plenty of room for people to bring in additional cultures from whatever source nationality.

Saturday, October 31, 2009

Why Windows 7 will not crush Linux

Sorry, just a rant against a nonsensical piece, "Why Windows 7 will crush Linux", by Ron Barrett who, surprisingly, usually has good technical articles and a few interesting non-technical articles.

This one piece shows, very clearly, a lack of knowledge of how things work outside the Microsoft world. Let me comment point by point, before I make more general statements further down. His words are in quotation marks.
"Okay it is no secret that Linux has not been able to crack the desktop, either at the home or at the workplace. Not to be ignored either is that Windows lost some desktops last year (a little over 3%), but let's not panic just yet, Windows still owns over 88% of all the desktops according to leading research."
Why does Ron Barrett concentrate on "crushing" Linux when he could attack the main market-share grabber, Apple? Does he really think of panicking or is that just an expression?
"[...] Windows 7 installs easier, has simpler configuration of user settings, greater availability of software, support (you could argue that all support is awful, which is probably true) Windows support is easier to get when you need help. Gaming, MP3's,... I could go on and on."
  • Windows 7 installs more easily, but the installation gives you only the OS, not the office suite, the usual programs, good media players, image manipulation programs, etc.
  • Windows 7 has simpler configuration of user settings. But simplicity isn't the only question, since you can get the Mac OS X perverse effect: too many hidden options, so that anything a little more complicated than usual cannot be done from the interface and you have to go to the command line. So my question is quantity of settings vs. simplicity vs. good explanation vs. automation of whatever can be automated. And here, if anyone has a precise comparison list, I am listening carefully.
  • Windows 7 has greater availability of software. That depends on what you want to do. When my WAMP solution itself claims that a WAMP is only for testing and that a production tool should be a LAMP, what should I do? I am also a firm believer in centralized repositories, and I find that the way software is installed under Linux (with Synaptic, for instance) is much more modern and efficient than a Windows software install.
"To real Linux die hards... terminals rule."
Yeah, conquering die-hards is the crucial problem when you're going after market share!?
"So Powershell presents an interesting argument for Windows adoption by the Linux user."
The very idea that an experienced Linux user could switch from the Unix philosophy to the Windows philosophy "disguised" as a command line brings tears of laughter to my eyes. Words or icons are just means, but the Unix philosophy that shows through bash, csh or perl is a cement stronger than any interface tool.
"Some people want free software (even if support is limited or non-existent)."
Red Hat sales are going higher and higher; is that a coincidence, or does support just exist?
"Applications like Firefox, Open Office, MYSQL, GIMP... wait all these applications are now available for Windows."
OK, but with the exception of Firefox, most of them still run better and integrate better under Linux than under Windows.
"Moreover, they are easier to install in Windows than they are in Linux."
Complete idiocy: once you have installed Ubuntu, applications like Firefox, OOo, GIMP... are already installed. As for MySQL, you just have to go to Synaptic, check the "mysql" checkbox and click "install". Far easier than under Windows.
"Windows 7 has solved a long-standing thorn in Microsoft's side: how to deliver a feature rich OS without killing resources?"
Okay, so Ron Barrett just confesses that Windows has long lagged behind competitors in terms of resource usage. Fine. Thanks.
"Linux users have no reason to hold back anymore. Windows 7 is well placed to crush and put an end to the penguin."
Except for a complete programming workstation, a polyvalent kernel that runs everywhere from DVD players to car computers to mainframe servers, freedom from unwanted "phone home" calls, a complete view of the software from the kernel to the application, ready and working middleware such as Apache, very good support (with full source access) like that of Red Hat, IBM, HP and others...

Now that I have calmed down, seriously, why would anything change for Linux users? There are two major situations:
  • Those who were fed up with Microsoft or wanted specific freedoms; they will not change anything because of Windows 7.
  • Those who use Linux because it's used at work or because they have a specific technical reason; they will not change either. At best they will consider changing, but whether that will be worth the migration, I doubt.

Tuesday, October 20, 2009

Cloud Computing Too Costly in the Long Term?

I welcomed the IDC study of the elevated cost of cloud computing in the long run (article at
There are a lot of articles about cloud computing, its cost and its risks; however, I would like to underline a single point that makes a lot of difference to me between cloud and non-cloud: cloud computing is a backward step for fair competition in IT services delivery.

I think that most of the savings made in the last years by the IT departments of companies have been possible because of Web 2.0. Not only because it helped interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web (Wikipedia's definition), but essentially because it forced companies to use open*, not vendor-specific, technologies.

This helped create true fair competition between software developers, between hosting providers and between system integrators. They all shared a single range of technologies and could not justify high prices or low-quality services because of the technology itself.

PHP comes to mind as a brilliant example of this fair-competition revolution. It's very interoperable. They even made it capable of running on MS IIS servers! It's simple and free to use. It can be improved upon, and its developers were very careful to listen to requests for improvements. And now see what it has become:

The thing is: big companies like those making cloud services today do not live on perfect competition, they live on the one hand on monopolies and on the other hand on market niches. And that's their business and I am very fine with that.
They cannot survive in a true perfect competition system, yet they want to participate in the web market, which has been the number one source of development and services in the past years and will remain so, I guess. Cloud computing is their attempt to build monopolies on the web, and they sell it with three kinds of arguments.
  1. The economic argument. They promise good services at a cheap price, and you pay with your loyalty. Okay, as long as they do provide it.
  2. The ecological argument. I am a very skeptical environmentalist. Not skeptical about ecology but rather about first-movers on the corporate side of ecology. It looks like a lot of green paint.
  3. The technological argument. They sell the idea that all hosted applications are harmonized to a single technology and that this means it will all be cheaper. VERY TRUE.
Awfully true. It will be cheaper, for them. But as soon as you get dependent on them, since each of them has completely different technology from the others (think not only programming languages but also file formats, database formats and the associated skills), they will be able to raise prices without any competitor. If you want to take your data back, you will be unable to feed it to the next cloud provider.

I think it's time "interoperability" gets into corporate policies alongside integrity, confidentiality and availability.

EDIT 10/26/2009: When I say open, I mean that corporate players cannot close the market by artifacts. This means, among other things: ASCII, not binary programs; open-source languages, because the developers are so much more productive; free common libraries to build upon; a single network to share data and software; etc.

EDIT 11/5/2009: Bob Sutor also speaks about cloud interoperability.

Thursday, October 1, 2009

F!%#¤ cryptic logs! [Bruce Schneier fun]

I couldn't get an idea of what all that logfile meant. Not binary, but not readable... Until I stepped back from the screen:

[ASCII-art picture built from the "log" characters (the joke of the post); 140 lines of character art omitted]

Made with soft by Håkon Nessjøen from

Saturday, September 26, 2009

Is a CISO an expert generalist?

CISO = Chief Information Security Officer
The title "Responsible for the Security of the Information System" is preferred in Romance languages. The common abbreviation is RSSI.
Both titles relate to a quite new position in a company: the guy who cares about the security of the information system. He has to organize the work, set objectives and, most of the time, provide technical knowledge to other IT teams. He has to know a lot about a lot of things to grasp every situation in the information system. Kind of a generalist guy.

As this is a position I have much respect for (mine!), I was a little puzzled by Anton Chuvakin's post about the myth of the expert generalist, where it is argued that being someone who knows a little about everything is not a good career choice. Later on, Richard Bejtlich also questioned security careers and I came to ask myself a fundamental question:
  • Am I becoming an expert generalist?
However, I reassured myself quite soon. Yes, the CISO works in all fields of IT security + physical security + management... but there is indeed a speciality in all this. The CISO has to know the information system of the company well enough to be able to answer whether a security practice/project/product is worth it.

In a company, what security is all about is exchanging costly uncertainties for cheaper certainties. And the transition from one to the other has a price. The CISO's primary skill lies in examining the benefits of such changes and implementing them.

While this may seem related to risk management, I think there is a real difference: risk management focuses on producing scenarios and estimations of risks. That is: speculating on the unknown*. This has been widely criticized recently in security blogs.
I prefer to see security as decisions made on known facts: costs, lost hours of work, customers' satisfaction, etc.

So to the question "Am I becoming an expert generalist?" my answer is no. My role is more on management, choices and strategies. And I love it. And I can still technically specialize on whatever field I like better.

*What do you actually know about the probability of a hacker intruding into your databases? What do you actually know about the probability of HR data being leaked by mistake? What do you know about the probability of a server hardware crash? Now how do you calculate risks and prioritize them?

EDIT 10/01/2009: See also Richard Bejtlich's article "Risk-Based Security is the Emperor's New Clothes".

When I don't have a DNS

It just happened to me that my ISP's DNS was down, on Ubuntu Intrepid Ibex (8.10), in a place where I badly needed the web.
In this case, you just have to make sure you have a replacement DNS server, for instance the public one, which has worked very well so far. Edit the config file /etc/ and add the following lines:

nameserver my.usual.dns.ip

After that, restart the networking service by:

# /etc/init.d/networking restart

and the web works again.
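Two details matter when you do this by hand: the resolver tries the nameserver lines in file order and only falls through to the next one after a timeout, so the working replacement must come first, not last; and glibc ignores every nameserver line after the third (MAXNS), so appending a fourth line changes nothing. The helper below, an added example and not part of the original post, applies both rules to resolv.conf-style text; the sample content and the 192.0.2.x addresses are constructed, not real resolvers.

```python
"""Added example (not from the post): put a working fallback resolver FIRST
in resolv.conf-style content, idempotently, and keep within glibc's limit
of three nameserver lines. Sample content and addresses are constructed."""
import re
from typing import List

MAX_NAMESERVERS = 3  # glibc MAXNS: nameserver lines beyond the third are ignored

_NS_LINE = re.compile(r"^\s*nameserver\s+(\S+)\s*$")

# Constructed sample, not a real file (192.0.2.0/24 is a documentation range).
SAMPLE_RESOLV_CONF = """# Generated by the DHCP client
search home.example
nameserver 192.0.2.1
options timeout:2
"""


def list_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses in the order the resolver will try them.

    Commented-out lines ("# nameserver ...") do not match and are skipped.
    """
    found = []
    for line in resolv_conf.splitlines():
        match = _NS_LINE.match(line)
        if match:
            found.append(match.group(1))
    return found


def add_fallback_nameserver(resolv_conf: str, fallback: str) -> str:
    """Return the file content with `fallback` as the first nameserver.

    Idempotent: calling it twice with the same address yields the same text.
    Non-nameserver lines (search, options, comments) are kept after the
    nameserver block, and the nameserver count is capped at MAX_NAMESERVERS,
    dropping the last entries rather than silently exceeding the limit.
    """
    existing = list_nameservers(resolv_conf)
    ordered = ([fallback] + [ns for ns in existing if ns != fallback])[:MAX_NAMESERVERS]
    other_lines = [ln for ln in resolv_conf.splitlines() if not _NS_LINE.match(ln)]
    nameserver_lines = [f"nameserver {ns}" for ns in ordered]
    return "\n".join(nameserver_lines + other_lines) + "\n"


if __name__ == "__main__":
    print(add_fallback_nameserver(SAMPLE_RESOLV_CONF, "192.0.2.53"), end="")
```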

Thursday, July 30, 2009

Yahoo! and Microsoft

Yesterday, Microsoft released GPL code, and we now know that there was nothing altruistic in that. Today, they ally with Yahoo! What now?


Search on the web is a wicked problem, so one typical methodology is to build multiple attempts at a solution and let them evolve and be compared... That was the case with multiple search engines.
Now we will have only two major ones: Google and Microsoft. I don't know if I should rejoice because the evolution has come to an end, or if I should cry because monopoly problems get in the way of solving the web search problem.


Anyway, if Yahoo! ditches the BSDs in favour of Redmond technologies, it gets onto my list of companies to avoid as much as possible.

Friday, July 10, 2009

Virus free OSes and Google Chrome OS

It's been buzzing all around about Google Chrome OS. Google announced they would create a new Linux-based OS called Google Chrome OS and they said "[they would make it] so that users don't have to deal with viruses, malware and security updates".

A lot of articles have reacted to the news, and to the claim. Bruce Schneier was quoted saying that it was an idiotic claim to pretend it would be a virus free OS. And he explained later that it was an answer on the phone, to a journalist, and that he hadn't read the news in the original text by then.

Indeed, Google didn't claim they would produce a virus free OS, and they did well. If I am not mistaken, it is always possible to create a virus on a Turing machine or equivalent. And, as Schneier quotes from Fred Cohen (1986), it's never possible to create a perfect antivirus program.

Google's claim is much more subtle and quite interesting. They said that the user would not have to deal with viruses, malware and security updates. And that seems quite possible to me, or at least quite feasible to improve on, compared to the current situation.
In my imagination, Google wants to silently push all that's needed from the web directly onto their OS. OS patches, antivirus definition files, and why not also manual patches when needed?

Take the example of the handling of spam by Gmail. They have a set of rules, which they can modify very quickly, and even modify "by hand" for a single case. In comparison, at the workstation level:
  • in a typical open source environment, you would need an update command. Even if that's quick, that would require something like:
    # apt-get update; apt-get install last-spam-filter
  • in a typical closed source environment, it would require an update by hand.

Here, the rules, updates, patches, and even new versions of the software immediately come through the browser. Even if the system makes no breakthrough in terms of fundamental security, you will get an excellent increase in overall security from the regular updating of software. No more unpatched OS, unpatched browser, unpatched AV...

So far as I can tell, that would save companies big heaps of money on operations.

PS: That uncovers a lot of questions for me, such as: How will MS react? Why didn't MS try to do the same? How can competitors get a foot into the same market? Won't Google become a new empire of evil? Will Google's business survive DoS attacks? How can any evil competitor prevent Google from getting into that market? How will the Google Chrome OS get onto the PCs in the first place: will it be shipped with PCs, or will users need to install it? Where do you set the limit between what Google does remotely and what they don't do? How will governments react? What about privacy of information? What about national spying issues?

Questioning marketshares of webservers

Nothing developed here, just a question: aren't the statistics about the market shares of the various servers obfuscated by the use of front-end technologies such as reverse proxies, web accelerators, load balancers, etc?

Saturday, June 27, 2009

Microsoft's fallacious IE8 campaign

Is the market of browsers so opaque, obscure, for non-technical people, that Microsoft think they can fool them with a simple table?

To summarize the history of facts, Microsoft once had a monopoly in web browsers because the software shipped with their operating system, Windows, which is ubiquitous. They then sat on their laurels for a while (roughly from the end of the nineties to 2006) and lost a part of their market shares to more secure, faster, more flexible browsers, such as Mozilla's Firefox. They finally reacted and released Internet Explorer 7 and Internet Explorer 8, fixing a lot, but, to many eyes, not climbing to the level of quality of their rivals.

And now, they try to get their market shares back by a marketing campaign, with an awfully simplified and fallacious comparison table.

Now, let's return to normal. Below is their table, with my remarks or modifications in orange.

I do not comment on Chrome, because I have used it too little.

Internet Explorer 8

Firefox 3.0

Google Chrome 2.0



Internet Explorer 8 takes the cake with better phishing and malware protection, as well as protection from emerging threats.

Anyone can say that. But given the intimate relations between the operating system and the browser, Internet Explorer puts the system at a greater risk from malware.


The time to fix vulnerabilities once they are public is the shortest in Firefox. Internet Explorer has got the worst record of critical vulnerabilities, sometimes not patched long after they are public.


InPrivate Browsing and InPrivate Filtering help Internet Explorer 8 claim privacy victory.

Ease of Use

Features like Accelerators, Web Slices and Visual Search Suggestions make Internet Explorer 8 easiest to use.

Some might say it's a question of taste. I feel like Internet Explorer is rigid while Firefox is flexible.

Web Standards

Firefox and Chrome have more support for emerging standards like HTML5 and CSS3, but Internet Explorer 8 invested heavily in having world-class, consistent support for the entire CSS2.1 specification.

I don't deny Microsoft made big improvements, but almost any web developer still frowns at the very name of Internet Explorer. Yet, they did improve.

Developer Tools

Internet Explorer 8 has the most comprehensive developer tools built in, including HTML, CSS and JavaScript editing, but also JavaScript profiling; other browsers have developer tools available, but either require you to download them separately, or aren't as complete.

You could also argue that the simplicity of XUL, Firefox's development language, is one reason it's been such a success.


Only Internet Explorer 8 has both tab isolation and crash recovery features; Firefox and Chrome have one or the other.

Only Internet Explorer crashes when too many pages are open at the same time.


Sure, Firefox may win in sheer number of add-ons, but many of the customizations you'd want to download for Firefox are already a part of Internet Explorer 8 – right out of the box.

I have never found for Internet Explorer precisely the equivalent of what I use in Firefox.


Internet Explorer 8 is more compatible with more sites on the Internet than any other browser.

That's certainly true because of Microsoft's long record of purposeful incompatibility which, in the past, encouraged developers not to develop for other browsers. However, I do not know of a single site that I use today that is not compatible with Firefox.


Neither Firefox nor Chrome provide guidance or enterprise tools.

That's not true. With the tools provided by Frontmotion, you can achieve a similar manageability (for instance, centrally from an Active Directory server) and I would say you get a more precise customizability of what's managed.


Knowing the top speed of a car doesn't tell you how fast you can drive in rush hour. To actually see the difference in page loads between all three browsers, you need slow-motion video. This one’s also a tie.

Every recent benchmark shows Internet Explorer as the last of the last browsers in matters of speed.

I was not the only one to notice that :-)
Some comments are worth reading.

EDIT 06/29/2009:
They're going to extremes for their marketing... in my home region, they advertise on pizza boxes, and also have a look at this one in the US:

EDIT 07/28/2009:
I have found some pictures of those IE pizza boxes here and here.

Friday, June 26, 2009

Raw unrefined suggestion about firewall rules

Since we now see attacks from inside intranets, using zombie networks, I think it could be a good idea to turn on the firewall on each machine in the network (including on Windows workstations, which I know is sometimes a problem) and to set up a detailed set of rules for them.

My problem was: how to figure out which rules to write for such a complex problem, with so many machines?
My suggestion: why not propose a standard for a single file giving the positive rules necessary for a piece of software to operate?

One file per application, shipped with the application, which would describe all the things that need to be open for the application to work. The file would not describe which rules to put on which firewall, but simply what needs to be open.

If we have a look at the TCP/IP layers
[Figure: TCP/IP layers. This picture from Wikipedia under the GFDL license.]
we see that simple firewalls operate on the Internet and Transport layers. Modern firewalls and proxies also operate on the Application layer.
I guess a simple XML dialect could be created to describe which things need to be let in and out, and on which layer. If this gets standardized, or at least RFC'ed, there is a good chance of seeing open source software adopt it, on both the application and the firewall sides. In which case, since open source has the biggest market share in infrastructure, others should follow.
(All that raw and unrefined.)
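To make the suggestion concrete, here is an added example (not from the post, and not an existing standard): a hypothetical XML manifest of what one imaginary application needs open, and a translator that turns its transport-layer entries into host-firewall rules while flagging application-layer entries for a proxy. Element and attribute names, the sample manifest and the iptables command shapes are all assumptions chosen for illustration; since the manifest ships with the application, the firewall side validates it rather than trusting it.

```python
"""Added example (not from the post): a hypothetical "firewall-needs" XML
manifest and a translator into iptables ACCEPT rules. The dialect, the
sample manifest and the rule shapes are assumptions for illustration."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed manifest for an imaginary web application: it listens on tcp/443,
# needs outbound tcp/5432 to its database host, and has one application-layer
# need (HTTP to a single host) that a packet filter cannot express.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<firewall-needs app="example-webapp">
  <need layer="transport" direction="in" proto="tcp" port="443"/>
  <need layer="transport" direction="out" proto="tcp" port="5432" to="192.0.2.10"/>
  <need layer="application" direction="out" proto="http" host="updates.example"/>
</firewall-needs>
"""


def manifest_to_iptables(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (iptables commands, notes) for a manifest.

    Transport-layer needs become ACCEPT rules tagged with the application
    name; a default-deny policy on INPUT and OUTPUT is assumed to exist.
    Application-layer needs are reported as notes for a proxy to handle.
    Anything malformed (unknown layer, bad port, non-IP peer, odd app name)
    is rejected, because the file comes from the application, not the admin.
    """
    root = ET.fromstring(xml_text)
    app = root.get("app", "")
    if root.tag != "firewall-needs" or not app:
        raise ValueError("not a firewall-needs manifest")
    if not app.replace("-", "").replace("_", "").isalnum():
        raise ValueError("application name must be alphanumeric")
    rules: List[str] = []
    notes: List[str] = []
    for need in root.findall("need"):
        layer, direction = need.get("layer"), need.get("direction")
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction {direction!r}")
        if layer == "application":
            notes.append(f"{app}: {need.get('proto')} to {need.get('host')} "
                         "needs an application-layer proxy, not a packet filter")
            continue
        if layer != "transport":
            raise ValueError(f"unknown layer {layer!r}")
        proto = need.get("proto")
        port = int(need.get("port", "0"))
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"bad transport need {proto!r}/{port}")
        chain = "INPUT" if direction == "in" else "OUTPUT"
        peer = need.get("to")
        peer_match = ""
        if chain == "OUTPUT" and peer:
            ipaddress.ip_network(peer, strict=False)  # raises ValueError if not an IP/CIDR
            peer_match = f"-d {peer} "
        rules.append(f"iptables -A {chain} -p {proto} {peer_match}--dport {port} "
                     f"-m comment --comment {app} -j ACCEPT")
    return rules, notes


if __name__ == "__main__":
    commands, todo = manifest_to_iptables(SAMPLE_MANIFEST)
    print("\n".join(commands + todo))
```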

SEO game - Jeu référencement SEO

This article relates to a website only available in French. If you can't read French, sorry this time, I will not translate the many pages into English. All that follows below is in French.

A game in French about SEO (optimising a site's position in the results of a search engine, typically Google) has just started at the address. It consists of 15 small challenges to pass, each using an SEO-related technique. I will give you only two hints:
  • If you hit a 404 error, it means you must keep looking, not give up.
  • Challenge 14 is buggy with some software configurations, so do not hesitate to force it in every possible way; it's the result that counts.
It took me about a day to finish the 15 challenges (not 24 hours straight glued to the screen! just a few hours actually). And I am quite pleased, I learnt a few things I did not know.

Tribute to Fravia

I learnt yesterday that Fravia has died. He was a talented hacker and a jack-of-all-trades in IT, almost a master-of-all-trades I should say. He administered a site referencing a lot of resources for people to learn about computers, software and information systems. There you could find learning material from the beginner's tutorial to the master's last discovery.

I learnt a lot thanks to Fravia. I was studying on resources from his site when I first disassembled a binary piece of software to shift its behaviour, almost thirteen years ago. I found my way through WinDASM or SoftICE by following tutorials from his site.

I owe Fravia a lot and, though I never met him in person, I will not forget him. His site is still up; alas, I can only hope that it will be continued, there is no certainty.

Fravia's logo

Monday, June 22, 2009

Geekonomics - Incentives for the States NOT to invest in opensource

Third of the series of articles inspired by David Rice's Geekonomics. This article is not directly related with matters from the book, yet I got the idea while reading the book.

FLOSS = Free/Libre Open Source Software (as abbreviated by the European Union)

If you're like me and enjoy, use and promote FLOSS, you might be wondering why some States do not favour FLOSS in the public infrastructure.

Well, they do use FLOSS, as a matter of fact, because you can't build a whole infrastructure made only of proprietary software and if you tried, it would be extremely expensive [and potentially disastrous for compatibility issues]. So, you might be wondering why some States do not favour FLOSS more than they do, in the public infrastructure.

So far as I can understand it, most States are running a race to be in the first positions of wealth, military strength and fame. Things can be different for the top one, which would only want not to lose its rank. And things can be different for the bottom ones, who simply have too many matters to address before they will concentrate on a worldwide competition.

So, let's assume we speak about the countries in the top thirty of this world, except the very first ones. This group is made of countries like France, Italy, Germany, Russia, Brazil, India, South Africa... Why do these countries not publicly favour FLOSS more than they do?

To favour it more, they could:
  • Ask for documented, free to implement, data formats. This way, wars fought by software makers on purposeful incompatibility would be avoided.
  • Ask for more FLOSS inside all public agencies.
  • Ask for more education in FLOSS in the public education system.
  • Invest directly into FLOSS development, or make a policy that some public developments will be made FLOSS after some time.
All this would favour FLOSS, but all this would not necessarily favour the race of the State to wealth, military strength and fame. It would, of course, improve wealth, military strength and fame. But my point is: FLOSS does not improve the rank of a State in the international competition, because every improvement is available to all competitors as well.

  • By asking for documented, open, data formats, or by asking for FLOSS inside public agencies, the State would agree to spend money on a shift, that would probably be beneficial, yes, but the economic developments involved (more developers, maintenance contracts, etc) could be beneficial to people or companies located anywhere on Earth, because of the very nature of FLOSS. On the contrary, when a State signs with a precise, well-known, software maker, it knows where the profits will go.
  • By asking for more education geared toward FLOSS, a State agrees to turn its youth toward an uncertain future. While the future is obviously uncertain, there is more certainty in teaching the youth how to use what is mainstream and pays than in teaching them what is still a minority and looks not so well rewarded. So, short-sighted politicians might see education in FLOSS as a bad investment for the youth.
  • By investing into FLOSS developments, the State agrees to spend money on its own, while the fruit of this investment can be eaten by all. In a competition, it's bad invested money. It is more interesting, as a State, to invest in a proprietary development by a local company and see the licenses be paid by other countries.
All of these seem good reasons for a politician not to favour FLOSS when they seemingly could. Of course, in the long run, that's detrimental to us all :-(

Geekonomics - Criticism of Chapter 6 on opensource software

Second of the series of articles inspired by David Rice's Geekonomics.

I am not totally satisfied with David Rice's take on opensource software in his Chapter 6: Open Source Software: Free, But at What Cost?

While he definitely has good points as a whole, and while I see his description of some of the hidden defects of open source projects as accurate, I am sad that he forgets to mention that really big companies take part in open source development. Companies like IBM, Sun (now Oracle) or Apple all do some open source development, and you cannot say that they act as beginners or non-professionals in their development methodologies.

And I am also a little surprised to see that the author compares opensource development projects to an "idealized" proprietary development project. For instance, he says it is possible that a part of an opensource software will go unmaintained because of a lack of interested people and forgets to say that even in big proprietary developments, such things also happen, because of mediocre management or because of periods of deep stress.

I would say that Chapter 6 holds some good points but my conclusion would be:
  • Opensource software is not a radical change from proprietary software in the methodologies.
  • Opensource software is not radically more secure or of better quality than proprietary software by essence.
  • The "given enough eyeballs, all bugs are shallow" argument is valid, and those opensource software which have a high number of both users and developers actually get an improvement of their quality and security.

Geekonomics - Incentives for the States NOT to fix software quality problems

First of the series of articles inspired by David Rice's Geekonomics.

As an introduction I would like to give two figures from the first chapters of the book.
  • An estimate of the US losses coming from software failures (both quality or security) at the scale of the whole country: $180 bn a year. (yes billion, not million)
  • Deaths occur from software failures, multiple times per year, even if they are not [yet] numerous enough to make statistics.

David Rice's point
In the beginning of the book, David Rice argues that software developers have no incentive to do better work. In chapter 5, Absolute Immunity: You Couldn't Sue Us Even If You Wanted To, David Rice shows that the US government is doing nothing against software failures. On the contrary, the US gov gives developers free rein and no liability of any kind should they be sued over damages resulting from the use of their software.

And he offers a short explanation: the US system waits for citizens to become plaintiffs and sue software developers before any public authority will react. He quotes, through Ronald Reagan's words, the typical reaction you would get if you tried to pass a law about software quality:
Government is not the solution, government is the problem.

My point
I quite agree with the author on the observation. The US gov does nothing, or goes against any initiative geared towards better software. But I don't agree with the far too simple explanation he gives. I guess a $180 bn issue would get a law if there were no incentives against making one. And I can see three reasons why a country like the US wouldn't want to improve software quality.

  1. "Don't worry, be crappy". This maxim by Guy Kawasaki summarizes well the way software companies approach the subject. They try to output something they can sell, whatever the quality. But this reasoning also goes for countries. Software is a global trade good, and a big software maker like the US doesn't want to slow down sales by making quality restrictions. If a law were passed, it would probably impact the economy of the country. The same goes for other developed countries.
    In the same train of thought, if a law were passed, maybe some development companies would offshore their developments.
  2. We are still in an early phase of software deployment. Though it is recognized that a big company now has to do better IT rather than more IT, it is still important for many countries, including the US, to do more IT, even at the cost of not doing it better. I mean, a country like the US gets a competitive advantage from doing more IT, getting more automated stuff in its services, agencies, its companies, etc. and would "competitively speaking" lose time by concentrating on the improvement of quality and security.
  3. As is argued at length in the book, there is an underground market for security vulnerabilities. This market is the doing of underground hackers, but if the underground does it, there are good reasons to believe that the "official" intelligence services do the same. If so, it is rather possible that intelligence services from the typical countries such as the US, France, Israel, Russia or China (which are coincidentally the biggest software developers) have a strong interest in keeping a high stock of non-public, unpatched vulnerabilities. They want to know the vulnerabilities themselves, be able to penetrate a lot of places, especially for industrial eavesdropping, and they absolutely do not want software makers to patch the vulnerabilities.
All of these seem better explanations to me for the lack of reaction of developed countries against bad software quality and security.

Sunday, June 21, 2009

Articles about Geekonomics to come

Following the return of my copy of Geekonomics: The Real Cost of Insecure Software, by David Rice, I am in the process of writing a few articles about the ideas from the book.

Go read the book if you're interested in understanding the phenomena around and beneath software insecurity and bad quality.

Since I do not want to plunder the author's content by making a detailed summary or quoting the most interesting excerpts, I am selecting a few subjects and trying to explore them a little further than the book. Which will be very hard since I do not have all the investigation sources that Rice may have had, nor his patience, skills and experience. In short: I will give some opinions from my understanding of matters in or around the book.

Friday, June 19, 2009

Friday liberty blogging - Assaults on the neutrality of the network

The Internet as we know it: a place almost free of control, with sites rewarded by audience proportional to their qualities, with a good anonymity protecting political dissidents, this place is under high fire from governments and ISPs.
While we might have thought this kind of attack would come from very liberty-killing countries such as China or Iran, they are now in the headlines even in the most liberal countries such as France or Germany. To give just a few examples:
  • In France, giving as a pretext the fight against illegal downloaders of music and movies, the government is trying to install spyware on all citizens' computers.
  • In Germany, giving as a pretext the fight against child pornography, the government gets a law voted for a censorship policy, and starts building an architecture able to filter the web's content.
  • In England, judges rule that there should be no anonymity for authors of texts made public on the Internet.
  • In England, an ISP starts using bandwidth modulation to discriminate against sites helping its competitors' businesses.
As far as I know, most of my readers are probably aware of some of these problems. So, instead of commenting on each of these assaults separately, I decided that from now on I would keep a list up-to-date gathering all articles that I would read about this matter. Most should be in English, yet there could be articles in any of the languages I can speak (French, German, Romanian and variants).
The web page of the list is at this address.
You can also find an RSS feed at that address.
I support individual rights

Wednesday, June 10, 2009

Small yet eternal lesson from a successful SQL injection attack

I just conducted a penetration attempt on behalf of a site's owner. The site is the kind you use for home-grown, non-critical matters. I wanted to try SQL injections first, because since I read Security Warrior, by Cyrus Peikari and Anton Chuvakin, I felt a kind of inner vacuum for never having done that. Here is how I proceeded:

My goal was to change an existing data of the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.
  • From that, I deduced it worked with a database.
Looking at a targetable piece of data, one that I would want to target and mark as "hacked", I saw that the URL contained a GET parameter ?id=20
  • From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".
Looking at the main connection page to the site, I saw another GET parameter in which I tried to input a single quote. The server answered me with an error message including the path to a library file, with the extension .php, with an identifiable name. I typed that name into a Google box and found it was a fairly well known free software underlying library.
  • From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.
I used the normal way to create an element inside the software of the same kind as that of the element I wanted to change. Then I went to the modification page for this element and gave a single quote in one of the text field values of the element. The server returned me an error message with the faulty SQL request.
  • From this I learnt the names of the table and some of its fields inside the database.
  • From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
  • From there, I guessed it would be a piece of cake :-)
I crafted a request, using id='20', value of the targeted element instead of that of my legally owned element. I looked on the Internet to find that the comment marker for MySQL was hyphen-hyphen-space and not hyphen-hyphen. And I changed the name field of the attacked element from "dummy title" to "dummy title hacked". And I pressed the button and everything went well. I then used the normal way to visualize data and found the victim element to be called "dummy title hacked".

So, from all that, I conclude that it's important to hide the programmer's data from the eye of the user. Especially, GET parameters should not be used thoughtlessly, and error messages from the server or middleware should not be displayed to the user. A polite "We encountered an internal error." is fair enough.

So, next time the webservers' admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_
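The two details that made the attack possible are easy to show side by side. Below is an added example (not the attacked site's code, which the post never shows): a minimal "update item" handler written once by pasting request values into the SQL text and echoing the database error back, and once with bound parameters, an integer check on the id and a generic error message. The `items` table, its columns, the two sample rows and the crafted value are all constructed for the demonstration, on an in-memory SQLite database.

```python
"""Added example, not the attacked site's code: an "update item" handler in
its vulnerable and hardened forms. Table, columns and rows are constructed."""
import logging
import sqlite3

log = logging.getLogger("items")


def make_db() -> sqlite3.Connection:
    """In-memory database with a victim row (id 20) and an attacker-owned row (id 21)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO items (id, owner, title) VALUES (?, ?, ?)",
        [(20, "victim", "dummy title"), (21, "attacker", "my own item")],
    )
    conn.commit()
    return conn


def update_title_vulnerable(conn, owner, item_id, title):
    """VULNERABLE: request values become part of the SQL text, so a quote in
    `title` ends the string and a comment marker discards the rest of the
    WHERE clause, including the ownership check. On failure the raw error and
    the query (table and field names) are sent back to the browser."""
    sql = f"UPDATE items SET title='{title}' WHERE id='{item_id}' AND owner='{owner}'"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return f"SQL error: {exc} in query: {sql}"


def update_title_hardened(conn, owner, item_id, title):
    """HARDENED: values are bound parameters (never SQL text), the id must be
    an integer, the ownership check cannot be commented away, and the user
    gets a generic message while the details go to the server log."""
    try:
        cur = conn.execute(
            "UPDATE items SET title=? WHERE id=? AND owner=?",
            (title, int(item_id), owner),
        )
        conn.commit()
        return "ok" if cur.rowcount == 1 else "not found"
    except (ValueError, sqlite3.Error) as exc:
        log.error("update failed (owner=%r, id=%r): %s", owner, item_id, exc)
        return "We encountered an internal error."


def title_of(conn, item_id: int) -> str:
    return conn.execute("SELECT title FROM items WHERE id=?", (item_id,)).fetchone()[0]


# Constructed request value reproducing the post's scenario: the attacker edits
# his own item (id 21) but the value retargets the UPDATE at id 20.
CRAFTED_TITLE = "dummy title hacked' WHERE id='20' -- "


def demonstrate() -> dict:
    """Run both handlers against the same requests and report what changed."""
    vuln = make_db()
    hard = make_db()
    return {
        "vulnerable_status": update_title_vulnerable(vuln, "attacker", "21", CRAFTED_TITLE),
        "vulnerable_victim_title": title_of(vuln, 20),
        "vulnerable_probe": update_title_vulnerable(vuln, "attacker", "21", "'"),
        "hardened_status": update_title_hardened(hard, "attacker", "21", CRAFTED_TITLE),
        "hardened_victim_title": title_of(hard, 20),
        "hardened_own_title": title_of(hard, 21),
        "hardened_probe": update_title_hardened(hard, "attacker", "21'", "x"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

In the vulnerable handler the single-quote probe returns the query text, table name included, which is exactly the reconnaissance step the post describes; the hardened handler stores the same crafted value as an ordinary title and says nothing useful on error.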

Tuesday, June 9, 2009

Larry Page's law also for mobile phones and gaming consoles?

Larry Page once said he thought that "software is getting twice as slow every 18 months". This became known as Page's law, and I suddenly wondered if the same was not true of mobile phone content and gaming consoles when I had to change my cellphone.

I asked a cousin working in the field of mobile phones and he gave me a spare good old Nokia 1600, saying it's one of the you-cant-find-them-anymore-nor-nothing-as-good.

When I first turned it on, I was overwhelmed by a feeling of quiet efficiency. It's not doing MMS, doesn't take pictures, doesn't allow you to surf the web, but damnit! it's fast. Well, indeed, I just don't notice that I am using a cellphone at all. It's just become plain transparent. Take your directory entry, push the button and that's all. A plain good old feeling of Fire-and-Forget.

And it reminded me how frustrated I got when friends invited me to play the new Street Fighter game on a Xbox 360. It's beautiful, it's respecting the design principles of the series, yet it's no way the same fun as in the old ones on the SNES.

I'd seem bitter if I concluded with a law like "every software or platform evolves to the point where usability suffers a lot from the number of functions, then evolves to the point where it's not usable at all anymore", or another Zawinski-like law, yet I see no other conclusion.

PS: thx, couz'

ITsec in healthcare - ISO 27799

I recently ordered a copy of ISO 27799 "Information security management in health using ISO/IEC 27002" because I was curious about its content and I had applied to some positions in health organisations. I am fully happy with it and I'll tell you why: it goes further than the ISO 27001 and 27002 standards, but it also gives examples and diagrams around these standards. So, I think it would be a good read even for someone outside the field of healthcare.

Let me summarize it my own way. The big parts I would divide it into:
  1. Introduction on healthcare
  2. Lexicon of concepts around ITsec and around healthcare
  3. What's specific in the ITsec of healthcare?
  4. An action plan for an ISMS "How to be concrete [and successful] in ISO 27001?"
  5. A review of ISO 27002 control points and what's specific for them in healthcare.
With that little summary done, here are my reading notes on what's so specific about healthcare:
  • Because hospitals and clinics are open places, because of mobility constraints, and because medical hardware is expensive, threats to the physical security of the IS carry a high risk.
  • There is a very low level of homogeneity both in hardware and in practices for using the hardware.
  • There is a devoted and experienced staff, both in IT and among medical personnel, making insider threats lower and making cooperation easier between IT and non-IT people.
  • As a good health diagnosis includes various types of data about the patient, the databases about patients are huge and thus, an extremely valuable target.
  • Because of the broad interdependency of functions, necessary for the good handling of health issues and making the IS and IT processes extremely complex, it's almost impossible to consider a security initiative on the whole of the IS at once. Or at least it's impossible to have it succeed.
  • Thus, well-defined domains of application (scopes) for a security initiative are needed. Examples are given of adequate sizes for a domain of application:
    • 2 or 3 remote sites
    • 50 employees
    • 10 processes
  • Because of the importance of health itself and of public opinion, the monetary cost of a project is rarely the first decision factor.
(I can't wait to get started.)

Friday, May 29, 2009

Friday liberty blogging - Time for European Civil Society

Reading the news these days, I can't help asking myself "Why don't they discuss those questions at a more European level?"

Problems of unemployment could be discussed better at a larger scale. Problems of milk price should be discussed among the multiple countries that produce milk. Problems of European universities versus giant universities from China or the US should be discussed in a council of university managers...

Indeed, Europe has working institutions, working agencies, awfully efficient lobbies, working-so-far agricultural policies... but we don't have a working civil society.

You could count famous European-wide NGOs, labour unions, newspapers, political forums... on the fingers of one hand! Few exist and most are unknown to Europeans.

OK, there are some problems to solve: languages, different definitions of words (like the English "liberal" very different from the French "libéral")... but I think those problems can be solved. I think the real problem is the hidden agenda of people with national interests and no transnational interests.

For this reason, I think it would be wise to encourage initiatives like "transnational regions", administrative regions that spread over two or more countries, for instance a region that includes parts of France and Spain, across the Pyrénées. The possibility of holding a measure of political power at a transnational scale will help a new civil society emerge.

It's time for a European Civil Society!

Sunday, May 24, 2009

Javascript and PDF

Have a look at Google's answer when both "PDF" and "Javascript" are in the search box. When I did, I got 4 results out of 10 concerned with security faults.
So, here is my initial question: Why should Javascript be put inside PDF files?
Answer: it's in the ISO standard defining PDF 1.7, with no precise details, but at least with references to more detailed documents.

It's long been known to web developers that Javascript is a nest of problems, especially when it's not correctly documented. Yet Adobe seeks to extend the possibilities of its software and its file formats, and that's normal. However, I wish they did it differently. First, that they did not merge innovations under a single "PDF" name, which refers to a format that users choose primarily because it's supposed to be portable, simple and solid as a rock. Then, that they did not activate Javascript by default. Few users really require it, and even they recommend deactivating it.

Wednesday, May 6, 2009

Can new MS Office format replace correctly old MS Office format?

A few friends of mine are concerned that the new MS Office format OOXML (debatably standardized as ISO/IEC 29500) might not correctly replace the previous one. Should they change their organizations' practices to the new OOXML or stay put with the old .doc, .xls, .ppt and so forth?

One assumption was that Microsoft would write the file format to allow for a correct representation of all the previous content. This was in their interest because they then could say to their customers that the transition would be seamless.

However, they were criticized for including, say, a "direct representation of old formats" rather than a "complete representation" of the same data. Or more simply, they made OOXML represent the mechanisms of the old .doc and .xls, rather than provide something to represent the same information in a unique, coherent new architecture. This means that the OOXML format inherits a lot of the complexity and some bugz and patchz of the previous formats. But it's not my point today.

My point is that when doing this, they forgot things (due to the high complexity of the previous formats, I suppose), which made a subcommittee of the ISO say that it is "impossible to fully represent some of the corpus of existing documents in [OOXML] ISO/IEC 29500". So to my friends' question about switching to OOXML, my answer is: wait and see.

If there is one thing I am sure about, it's that we have a lot to see from MS competitors: IBM has its own branch of office suite linked to, Oracle has just bought Sun's and Google will not let go of online edition.

If there is one thing I am convinced about, it's that OOXML is not a mandatory shift so far.

Saturday, May 2, 2009

A rant against podcasts

I'm fed up with the news articles that give you content in the form of podcasts*. I want text back.
* meaning "recorded voice", to keep it simple

Here is why:
  1. The only advantage I get over text is the voice of the reader or the interviewed guy. It's not an advantage at all.
  2. Text underlines what's most important. Voice gives me all, interesting and uninteresting. It's the sign of a lazy news reporter.
  3. With text, I can rewind or go fast forward in a blink, without even a mouse click. I can read the same sentence three times if I don't get its meaning easily.
  4. When I get a text, many paragraphs appear on my screen at once, so I can just take a two-second look and tell whether the article is about a matter of interest to me or not. With a podcast, I have to listen to it for thirty seconds or more to be sure.
  5. If I am looking for a precise subject, I can press Ctrl+F and look for a word in a text. The same is not possible in a podcast. In most cases, I can search the content of the text directly from my search engine. The podcast is not integrated with search engines.
  6. I am a fast reader, I can read and understand a text three times faster than a good speaker speaks it. (And if he spoke it so fast, I would probably not understand him...)
  7. When I read news, I have ten tabs open at the same time, an RSS reader, a few PDFs loading... Podcasts are using my bandwidth for something that could be done in a few hundred bytes! I call it abusing my bandwidth.
I hope the fashion of reporting news in podcasts will decrease with time. Who knows?

Wednesday, April 29, 2009

Acrobat Reader blocks my audio system, WTF?

I wanted to play a song (yes I have a legally bought copy from which I made the mp3) in mplayer and got the following result:
$ mplayer "01 - Adiemus - Karl Jenkins.mp3"
open /dev/dsp: Device or resource busy
After some research, I found:
# lsof /dev
acroread 32723 christophe 61r CHR 116,33 11606 /dev/snd/timer
acroread 32723 christophe 62u CHR 116,16 12023 /dev/snd/pcmC0D0p
An open document in Acrobat Reader was blocking my sound system. Why? No idea. I closed Acrobat Reader and opened it anew: no problem anymore.

For reference, it's an Ubuntu 8.04 on a PC, with a typical AC97 integrated chip. Package alsa-base is 1.0.16-0ubuntu4 and Acrobat Reader itself is 7.0.

EDIT1 30/04: I should say Adobe Reader, not Acrobat Reader, the former name.
EDIT2 30/04: The package acroread is version 7.0.9-0.0.ubuntu0.7.04+medibuntu2

Friday, April 24, 2009

Acrobat Reader dangerous target

Acrobat Reader, the most common PDF viewer, is heavily targeted by attackers, in the form of specially crafted PDF files. Through such attacks, access can be gained to the infected system and other threats such as botnets can follow. The security company F-Secure recommends replacing it with an alternative viewer. (the news from slashdot)

I remember foretelling this to colleagues six months ago.

Thursday, April 16, 2009

Shredding files [4/4]: Additional details on shredding

A link to the three previous posts; please read them first:
  1. Why it's useless to "shred" files, most of the time
  2. Shredding empty space
  3. Please shred the hard drive
Then, the matters I wanted to talk about.

First, the choice of the shredding software. Given the high number of vendors for that and the increasing number of rogue security software, I advise taking only software from a well-known vendor (from its official site or from a reseller) or open-source software.
I would bet that among all the software that claim to shred files, one quarter are rogue software.

Second, the views I gave in the three previous posts only take into account part of the complexity of the question. For instance, different media (RAIDed hard drives, Flash memory...) may not behave the same way as hard drives. Another example: filesystems are not considered. If the setup includes a rollback system at the filesystem level, then shredding empty space might not be effective.

Third and final: let's think practical. There is no need to buy expensive software when you don't have a need for expensive functionalities. Most of the functionalities are covered by the tools included in a basic Linux distribution (thanks ketherius (RO) for the example). There is no need to shred everything everyday if you don't handle extremely valuable information (and even then...)

EDIT 22/06/09: If you can speak French, there has been an eXCellent discussion thread on the matter on

Thursday, April 9, 2009

Discussing failures

Excellent post by Michael Krigsman arguing that we should discuss failures of IT projects and show them as examples of what not to follow.
If I had to sum up, here are the five factors that I have seen over the years as the root of failures of IT security projects in organizations (companies and the public sector). The examples are invented.
  1. "Political" interests taking precedence over "intelligent" choices. Such as buying a solution from one vendor because the salesperson is Mr Bigboss's friend or the vendor is Mr Bigboss's favorite brand.
  2. Bad top-down communication of the goals and objectives, which results in the implementation of a solution that solves problem B instead of problem A. For instance, Mr Bigboss decides that the crucial point is to protect the integrity of the central databases, but doesn't communicate it well and Mr Smallboss implements a solution that protects the confidentiality of the data going out of the central database. (This one seems simple to avoid once explained, but if you look back, I guess you can find a real example pretty easily.)
  3. Relying on/trusting service providers too much, thinking that getting your hands dirty is not necessary. This one results in entire sides of the project being forgotten, because the consultants only do what they are asked to.
  4. Poor theoretical training of the administrators who will use the security solution. They know how to operate it but they don't understand the principles, and they misinterpret results. They are also not able to react when something goes off plan. This is particularly true of "all integrated" products with a shiny graphical interface, where some people only retain the location of buttons and screens, and not their actual meaning/behaviour.
  5. Allowing exceptions for top executives of the organization. Once a plan has been decided, everyone must follow it, including them.